








B-Cognizance, IIITA's E-Magazine
Indian Institute of Information Technology - Allahabad
E-Secure Article 1

By Nelima Tople & Suchi Chandra, MSCLIS (2007-09), Indian Institute of Information Technology, Allahabad
Keeping pace with technological compliance in the IT industry is a hard path: adhering to standards is what builds trust and faith in the so-called click world. Commercial activity today runs on the scope and acceptance of standards, which give a business the baseline it needs to enter the world of e-commerce and internet banking. The growth of the technology arena has given birth to the concept of e-commerce, which can be defined as a new business paradigm in which commercial transactions for goods and services are performed in electronic form, over channels such as the telephone, ATMs, fax, e-payment systems like EDI and prepaid cards, and the internet. Faced with the threats of identity theft and commercial fraud, the need for a uniform standard emerged. This led to a new standard known as the Payment Card Industry Data Security Standard (PCI DSS), the combined effort of five well-known companies in the area of e-commerce (the Visa Card Information Security Program, MasterCard Site Data Protection, the American Express Data Security Operating Policy, Discover Information Security and Compliance, and the JCB Data Security Program) to create an additional level of protection for customers by ensuring that merchants meet a minimum level of security when they store, process and transmit cardholder data. PCI DSS is one of the more comprehensive data security standards in a cluster of regulations that includes the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act 2000 (SOX), California Senate Bill 1386, the Gramm-Leach-Bliley Act (GLBA) and Basel II.
Regulatory Issues of Compliance with PCI DSS: The current version of the standard (1.1) specifies 12 requirements for compliance, organized into 6 logically related groups called "control objectives":
1. Build and maintain a secure network
· Requirement 1: Install and maintain a firewall configuration to protect cardholder data
· Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
2. Protect cardholder data
· Requirement 3: Protect stored cardholder data
· Requirement 4: Encrypt transmission of cardholder data across open, public networks
3. Maintain a vulnerability management program
· Requirement 5: Use and regularly update anti-virus software or programs
· Requirement 6: Develop and maintain secure systems and applications
4. Implement strong access control measures
· Requirement 7: Restrict access to cardholder data by business need-to-know
· Requirement 8: Assign a unique ID to each person with computer access
· Requirement 9: Restrict physical access to cardholder data
5. Regularly monitor and test networks
· Requirement 10: Track and monitor all access to network resources and cardholder data
· Requirement 11: Regularly test security systems and processes
6. Maintain an information security policy
· Requirement 12: Maintain a policy that addresses information security for employees and contractors
For wireless environments, the standard sets out the following: PCI DSS classifies wireless LANs as public networks and presumes them to be exposed to vulnerabilities and threats. Accordingly, PCI DSS gives two specific security guidelines to prevent breaches originating from wireless networks in any environment that holds credit card data:
· Firewall segmentation between wireless networks and the point-of-sale network, or any other network that comes into contact with cardholders' personal information.
· Use of wireless analyzers to detect the intrusion of unauthorized wireless devices and attacks.
Importance of Compliance: PCI DSS is a global priority for all entities handling cardholder data. It is in acquiring banks' own interest to ensure that their merchants are aware of and compliant with PCI DSS. The reason is quite logical:
· Acquiring banks are the main parties that build the line of confidence between card companies and merchants; consequently they are also the ones who end up directly in the line of fire of the credit/debit card companies whenever one or more of their merchants suffers a breach.
· To maintain a successful and vigorous business relationship with the card companies, acquiring banks must make certain that their merchants are adequately protected, and PCI DSS is the tool that measures cardholder data security on the merchant's side.
· Similarly, merchants and service providers are expected to demonstrate their level of compliance with PCI DSS. This helps maintain a healthy business relationship with acquiring banks and averts non-compliance liabilities.
Consequences of Not Complying with the Standard:
· Card companies may penalize their member banking institutions when merchants are found to be non-compliant with PCI DSS.
· Acquiring banks may in turn contractually compel merchants to indemnify and reimburse them for such penalties. In the worst case, merchants also risk losing the authority to process customers' credit card transactions.
· Businesses from which cardholder data has been compromised are forced to notify the legal authorities and are expected to offer free credit-protection services to those potentially affected.
· Cardholder data loss, whether accidental or through theft, may also result in legal action by cardholders. Such a step can degrade the goodwill of the business, which may in turn put its survival in question.
Guidelines for Customers for Responsible Disclosure of an E-Scam:
· Customers should share the security issue with the company before making it public on message boards, mailing lists and other forums.
· Customers should allow the company a reasonable time to respond to the issue before making the matter public.
· Customers should provide the company with full disclosure of the security details involved.
Conclusion: E-commerce has changed the way consumers view their purchasing power and has helped the economy reach new heights through faster transactions, more marketplaces, more competition and more advanced technologies that make interaction between customers and producers more active. To sum up, consumer trust is the only way to survive in today's consumer-oriented market, and so various e-payment systems have evolved over time to satisfy the priorities laid down by consumers. To achieve compliance, companies providing e-commerce related services can use techniques such as software tools for log management, vulnerability management, security scanning, event management and endpoint security. Although hundred percent security cannot be guaranteed, technology is evolving to provide optimum security at minimum risk.
PCI DSS - A New Paradigm for the World of E-Commerce