Online payment processing has come a long way in a short time. What was once a rarefied technology used only by the most visionary companies is now a linchpin of the global e-business economy, handling billions of dollars’ worth of transactions each year. But to keep the payment pipeline active, CTOs must ensure the security of their customers’ data. After all, it only takes one incident of a hacker manipulating funds to undo years of hard-won goodwill.
Thankfully, some companies, such as financial institutions, have been conducting online transactions for years, and in that time they have established a set of best practices that many enterprises would do well to follow.
According to the accepted wisdom, the first thing a business should secure is its communications channel. Whether transactions are sent across the Internet or via a dedicated connection, the goal is to ensure that data can only be read by the sender and the intended recipient. The best way to achieve this goal is to encrypt all data. Modern encryption technologies are extremely effective at protecting confidential information from being “sniffed” while in transit, rendering the data illegible to would-be hackers and spies.
If your company is accepting payments over the Internet, 128-bit SSL (Secure Sockets Layer) encryption should be the minimum security standard between your Web server and payment gateway. Messages sent using the ISO 8583 standard (the protocol used to exchange data with financial institutions) should be encrypted with Triple-DES (Data Encryption Standard) and digitally signed by the vendor when travelling between the payment gateway and financial institution.
Granted, implementing encryption and digital signature processes is easier said than done. Most quality transaction processing systems already come with encryption features, but digital signatures are another matter – in most cases, this technology is only deployed as part of an enterprise PKI (public key infrastructure) system, which can be a very complex and expensive undertaking. On the other hand, the costs of not sealing your communications pipe can be far greater.
The next area to consider is your access control policy, which specifies who has access to what information. Many access control rules are guided by simple common sense: A payment-processing provider should not have access to the merchant’s product and pricing information; nor should the merchant have access to the bank’s data, or even their clients’ credit card information.
Locking down access also reduces the opportunities for data thieves to steal information. For example, Web servers are notorious for being vulnerable to hackers, but if customers’ credit card data is never stored on a merchant’s site in the first place, customers need not fear that their information will be stolen in the event of an attack launched against the merchant’s Web server.
Know Thy Customer
The third part of the established best practices program is to firm up client authentication, ensuring that customers are who they say they are. To this end, many online businesses do not serve customers who use e-mail addresses from free providers, such as Yahoo Mail or Hotmail, because any common thief can open an account with those services. Furthermore, certain types of customer information, such as IP addresses and log-in times, should be logged in a database to refer to if discrepancies in transactions ever arise. Finally, all credit card numbers should be verified with the issuing bank.
More stringent techniques are required for high-value transactions; some businesses require at least two members of the purchasing organization to approve multimillion dollar deals. At a minimum, a big-ticket transaction should be governed by stronger authentication methods than a user ID and password. Smart cards, tokens, digital certificates, and biometrics are all useful methods in these cases.
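The three checks above (flag free-mail addresses, log IP addresses and log-in times so discrepancies can be investigated later, and require two approvers for a high-value deal) fit naturally into one review step run before a transaction is accepted. The block below is an added example, not code from the article: a small SQLite-backed log (Python stdlib only) with a `review_transaction` function that returns a list of findings. The free-mail domain list, the high-value threshold, the 24-hour login window, the customer names and the IP addresses (taken from documentation ranges) are all constructed for the demonstration.

```python
"""Transaction log with discrepancy review (added example, stdlib only)."""
import sqlite3
from datetime import datetime, timedelta

# Constructed policy values; a real deployment would maintain these lists.
FREE_MAIL_DOMAINS = {"yahoo.com", "hotmail.com"}
HIGH_VALUE_THRESHOLD = 1_000_000   # amount at which two approvers are required
LOGIN_WINDOW = timedelta(hours=24)  # a submission should follow a recent login


def open_log(path=":memory:") -> sqlite3.Connection:
    """Create the login and transaction tables (in memory by default)."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS logins "
                 "(customer TEXT, ip TEXT, login_time TEXT)")
    conn.execute("CREATE TABLE IF NOT EXISTS transactions "
                 "(id INTEGER PRIMARY KEY, customer TEXT, email TEXT, ip TEXT, "
                 "amount INTEGER, submitted TEXT, approvers TEXT)")
    return conn


def record_login(conn, customer, ip, when: datetime) -> None:
    """Log who logged in, from where, and when (the article's audit trail)."""
    conn.execute("INSERT INTO logins VALUES (?, ?, ?)",
                 (customer, ip, when.isoformat()))


def record_transaction(conn, customer, email, ip, amount,
                       when: datetime, approvers=()) -> int:
    """Store a submitted transaction and return its row id."""
    cur = conn.execute(
        "INSERT INTO transactions (customer, email, ip, amount, submitted, approvers)"
        " VALUES (?, ?, ?, ?, ?, ?)",
        (customer, email, ip, amount, when.isoformat(), ",".join(approvers)))
    return cur.lastrowid


def review_transaction(conn, tx_id) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    row = conn.execute("SELECT customer, email, ip, amount, submitted, approvers "
                       "FROM transactions WHERE id = ?", (tx_id,)).fetchone()
    customer, email, ip, amount, submitted, approvers = row
    findings = []

    # 1. Free-mail provider: anyone can open such an account.
    domain = email.rsplit("@", 1)[-1].lower()
    if domain in FREE_MAIL_DOMAINS:
        findings.append(f"free-mail address: {domain}")

    # 2. Source IP never seen in this customer's login history.
    seen = conn.execute("SELECT 1 FROM logins WHERE customer = ? AND ip = ? LIMIT 1",
                        (customer, ip)).fetchone()
    if seen is None:
        findings.append(f"ip {ip} not in login history for {customer}")

    # 3. No login by this customer in the window before the submission time.
    window_start = (datetime.fromisoformat(submitted) - LOGIN_WINDOW).isoformat()
    recent = conn.execute("SELECT 1 FROM logins WHERE customer = ? "
                          "AND login_time BETWEEN ? AND ? LIMIT 1",
                          (customer, window_start, submitted)).fetchone()
    if recent is None:
        findings.append(f"no login by {customer} in the 24 h before submission")

    # 4. High-value deals need two distinct approvers from the purchasing side.
    distinct = {a for a in approvers.split(",") if a}
    if amount >= HIGH_VALUE_THRESHOLD and len(distinct) < 2:
        findings.append(f"high-value transaction has {len(distinct)} distinct "
                        "approver(s); 2 required")
    return findings


def demo():
    """Constructed scenario: one routine order and one that trips every check."""
    conn = open_log()
    t0 = datetime(2002, 3, 1, 9, 0)
    record_login(conn, "acme", "203.0.113.5", t0)
    record_login(conn, "acme", "203.0.113.5", t0 + timedelta(days=1))
    routine = record_transaction(conn, "acme", "buyer@acme.example", "203.0.113.5",
                                 25_000, t0 + timedelta(days=1, minutes=5), ("buyer",))
    suspect = record_transaction(conn, "acme", "acme-buyer@hotmail.com",
                                 "198.51.100.77", 2_500_000,
                                 t0 + timedelta(days=3), ("buyer",))
    return review_transaction(conn, routine), review_transaction(conn, suspect)


if __name__ == "__main__":
    for findings in demo():
        print(findings or "no findings")
```

Keeping the review as a pure function over the log is what makes the log useful later: the same query that gates a new order can be re-run against an old one when a dispute arrives.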
It’s worth considering that hackers are not the only sources of concern: A sad fact of life is that your business partners may not always be entirely scrupulous. CTOs should implement nonrepudiation mechanisms to prevent customers or business partners from denying their involvement in online transactions.
The Weakest Link
Transaction security is only half the battle. Merchant Web sites and payment gateways all run on servers connected to a network, and those servers – along with the applications running on them – must also be secured. The best way to ensure the security of your systems and applications is to perform periodic audits and security assessments. Check that system patches are up-to-date, user accounts current, and unnecessary services removed from all systems.
Ensuring security is a difficult process that hinges not on a single “magic bullet” piece of technology, but rather on an interwoven blend of complementary technologies and practices. Yet the costs of a security breach can be devastating; your revenue streams and reputation can go up in smoke in a single day. If you can’t keep your own systems secure, how will your customers feel about doing business with you?
THE BOTTOM LINE
Secure Payment Processing
Executive Summary: No CTO can expect customers to use an online payment mechanism unless they can be assured of its security. Weighed against the costs of lost revenue and customer trust, the time and money required to secure payment-processing systems is a small price to pay.
Test Center Perspective: System hardening, application security, communication encryption, access control, and authentication are among the minimum requirements for a secure payment processing system. Although adequate security measures add a few steps to the purchasing process, most customers will appreciate the additional security.
Contributing Editor Mandy Andress is a network security engineer for Tivo. E-mail her at [email protected].