Over the years, e-commerce security has become an important aspect of businesses worldwide, particularly the aspects of information security and computer security. With technological advances, we are able to eliminate the 'human touch' and improve efficiency in a number of areas, but with the added fear and risk that some part of the entire value chain might be compromised, leading to financial loss and, more importantly, loss of private information.
According to a Gartner report, e-commerce is increasingly becoming a mobile phenomenon, with 298 million mobile device users, 30% of whom purchase things online.
Though a benefit, this is being exploited for financial gain, and this criminal business alone is worth a staggering $388 billion each year. Verizon has reported that in 2011 over 174 million records were compromised, with 95% of those involving personal information. Financial institutions try to shift the liability away from themselves, and where the consumer is liable they provide a more balanced approach.
Costs associated with an e-commerce security breach:
According to a Ponemon report, an average incident causes a loss of 1.9 million pounds in Britain and $5.5 million in the US. Regulatory and standards breach costs will include the privacy breach itself and pending legal action. There are requirements, both legal and from the business, that the consumer is informed, and the cost would vary depending on the type and size of business. Clean-up costs would involve coming up with a revamp of the system and bringing in specialist IT professionals to mitigate and prevent further damage. Loss of critical data will put a business offline for several days, and if there is no backup, its sustainability is uncertain. This would lead to loss of confidence from the investor and shareholder side too.
- 85% will take business elsewhere.
- 47% will take legal action.
- 64% will expose it in a public forum.
Payment Card Industry Data Security Standard:
PCI DSS was set up by the credit card industry to combat online fraud and move the risk away from the credit card companies. If credit card information is breached and the organisation is not PCI DSS compliant, it will be subject to a penalty. Under this evolving standard, controls are provided, each card brand sets its own compliance requirements, and formal validation is not mandatory for all entities. There are various levels of attainment. The standard is more focused on back-end controls; there is a lack of stated controls around the front-end entities that collect the details, such as websites, call centres and interactive voice agents.
- Digital business
- Stay Smart Online
- Safe Buy
- Digital Europe
- Stop Think Connect
- Stay Safe Online
- APEC Electronic Commerce Steering Group
- International Consumer Protection and Enforcement Network (ICPEN)
Organisations are also making use of third-party assurances to increase consumer confidence, but in most cases this does not have the intended effect: about 58% of consumers do not even notice a third-party seal on the purchase site. Companies are also using third-party payment gateways to limit their involvement and move the risk to another organisation. Nowadays, digital certificates are also being issued as a means of electronic verification of the authenticity of the site, but a certificate makes no assessment of the credibility of the site as such.
- Integrity: ability to ensure that information displayed on a website, or transmitted and received over the net, has not been altered in any way by an unauthorised party.
- Non-repudiation: ability to ensure that e-commerce participants cannot deny their online actions.
- Authenticity: ability to verify the identity of a person or entity with whom you are dealing on the net.
- Confidentiality: ability to ensure messages and data are available only to those who are authorised to view them.
- Privacy: ability to control the use of information a consumer provides about himself or herself to a merchant.
- Availability: ability to ensure an e-commerce site continues to function as intended.
Points of Vulnerability:
- Communication Channel
- Malicious code
- Hacking and Cyber Vandalism
- Credit Card theft
- Denial of Service
- Insider Jobs
So how could we address such a threat effectively?
A diagrammatic representation of the potential process is added as much-needed food for thought.