Transactions
Sensitive information has to be protected through at least three transactions:
- credit card details supplied by the customer, either to the merchant or payment gateway. Handled by the server's SSL and the merchant/server's digital certificates.
- credit card details passed to the bank for processing. Handled by the complex security measures of the payment gateway.
- order and customer details supplied to the merchant, either directly or from the payment gateway/credit card processing company. Handled by SSL, server security, digital certificates (and payment gateway sometimes).
Practical Consequences
1. The merchant is always responsible for security of the Internet-connected PC where customer details are handled. Virus protection and a firewall are the minimum requirement. To be absolutely safe, store sensitive information and customer details on zip-disks, a physically separate PC or with a commercial file storage service. Always keep multiple back-ups of essential information, and ensure they are stored safely off-site.
2. Where customers order by email, information should be encrypted with PGP or similar software. Or payment should be made by specially encrypted checks and ordering software.
3. Where credit cards are taken online and processed later, it's the merchant's responsibility to check the security of the hosting company's webserver. Use a reputable company and demand detailed replies to your queries.
4. Where credit cards are taken online and processed in real time, four situations arise:
1. You use a service bureau. Sensitive information is handled entirely by the service bureau, which is responsible for its security. Other customer and order details are your responsibility as in 3. above.
2. You possess an ecommerce merchant account but use the digital certificate supplied by the hosting company. A cheap option acceptable for smallish transactions with SMEs. Check out the hosting company, and the terms and conditions applying to the digital certificate.
No comments:
Post a Comment