Top 10 Tips for E-Businesses to Secure Consumer Information and Credit Card
Data
CyberSource(R) and The Software & Information Industry Association (SIIA)
Introduce New Security White Paper for Businesses Selling Online
MOUNTAIN VIEW, Calif., May 21 --
CyberSource Corporation (Nasdaq: CYBS), a leading provider of payment risk
management and real-time payment solutions for enterprise businesses, and a
pioneer in Internet fraud detection, today released tips to help e-businesses
protect themselves and the personal and private information of their online
consumers.
While more and more shoppers are making the move to the Internet, concern
about security and protection of their private information remains one of the
top barriers to making online transactions. Three in five Internet shoppers
fear their credit card number could be stolen when used to make online
purchases, and shoppers still prefer to give credit card numbers by phone,
according to a recent report*. In order for businesses selling online to make
the most of the growing business-to-consumer market, they need to have the
best possible security in place.
To that end, CyberSource recommends the following precautions and best
practices as a starting point for businesses selling online to secure customer
data and credit card information:
1. Approach security as a system. Security is more than just a firewall or
a user-name and password login. There are numerous interacting systems
involved including access control through encryption of sensitive data.
2. Establish policy. Have a clear policy related to security and the
handling of sensitive data.
3. Communicate internally. Make everyone aware of their responsibility for
security. This includes conducting policy education for all facets of security
from facility instructions to reporting breaches.
4. Implement a "layered" security model. Most organizational security
models can be described as an egg shell; hard on the outside, soft in the
center. According to a 2000 FBI and Computer Security Institute survey report,
over 70 percent of the loss of confidential information comes from within. The
security model must be layered, where internal assets are secured,
partitioned, and monitored.
5. Use secure message digest. For security of credit card numbers, use the
secure hashing algorithm (known as SHA-1) in order to make a unique surrogate
value that can be referenced, but not used to charge against the account.
6. Use advanced encryption. When encrypting sensitive data like credit
card numbers, use at least the Triple-DES algorithm with a 168-bit key.
7. Manage encryption keys. Use either a hardware device or secure key
storage system to store encryption keys. Rotate the keys frequently and
provide physical control over who can access these keys.
8. Destroy data when no longer needed. Physically destroy disks or use a
wipe algorithm to completely destroy sensitive data that is no longer needed.
Where encrypted data no longer needs to be recovered, completely destroy the
key.
9. Look for new developments. Criminal behavior and attacks on company
data have become increasingly complex and deceptive because of new tools
readily available to cybercriminals. Subscribe to information services and
react to new developments as they are reported.
10. Monitor compliance. Track compliance against security policy and
report exceptions to senior executives of the company.
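The surrogate value from tip 5, as an added example (not code from CyberSource or the white paper): orders are linked to a card through a digest of the card number, so the stored record can be referenced but not charged. The HMAC-SHA-256 variant, the key, the OrderIndex class and all function names are assumptions introduced here; the key stands in for one held in the secure key storage of tip 7, and keying the digest limits who can compute surrogates, since card numbers are short and structured.

```python
import hashlib
import hmac

def normalize_pan(raw: str) -> str:
    """Return the bare digits of a card number, or raise ValueError."""
    digits = raw.replace(" ", "").replace("-", "")
    if not (digits.isascii() and digits.isdigit() and 13 <= len(digits) <= 19):
        raise ValueError("not a card number")
    total = 0
    for i, ch in enumerate(reversed(digits)):  # Luhn checksum
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    if total % 10 != 0:
        raise ValueError("Luhn check failed")
    return digits

def sha1_surrogate(raw: str) -> str:
    """Tip 5 as written: SHA-1 digest of the normalized card number."""
    return hashlib.sha1(normalize_pan(raw).encode("ascii")).hexdigest()

def keyed_surrogate(raw: str, key: bytes) -> str:
    """Assumed variant: HMAC-SHA-256, so only key holders can derive surrogates."""
    return hmac.new(key, normalize_pan(raw).encode("ascii"), hashlib.sha256).hexdigest()

class OrderIndex:
    """Links orders to a card by surrogate; the card number is never stored."""
    def __init__(self, key: bytes):
        self._key = key
        self._orders = {}  # surrogate -> list of order ids

    def record(self, raw_pan: str, order_id: str) -> str:
        token = keyed_surrogate(raw_pan, self._key)
        self._orders.setdefault(token, []).append(order_id)
        return token

    def orders_for(self, raw_pan: str) -> list:
        return list(self._orders.get(keyed_surrogate(raw_pan, self._key), []))

    def stored_values(self) -> str:
        return repr(self._orders)

# Constructed sample data: a well-known test card number and a demo key.
TEST_PAN = "4111 1111 1111 1111"
DEMO_KEY = b"demo-key-from-secure-key-storage"

if __name__ == "__main__":
    idx = OrderIndex(DEMO_KEY)
    idx.record(TEST_PAN, "order-1001")
    idx.record("4111-1111-1111-1111", "order-1002")
    print(idx.orders_for("4111111111111111"))
```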
Further details about each of these tips and more are provided in a white
paper authored by CyberSource Chief Technology Officer Tom Arnold and
published by the Software & Information Industry Association (SIIA), the
principal trade association of the software code and information content
industries (see related press release issued May 21, 2001: "SIIA Releases
White Paper on New Method of Securing Consumer and Credit Card Data"). The
white paper, titled "An Electronic Citadel -- A Method for Securing Credit
Card and Private Consumer Data in E-business Sites" can be downloaded in its
entirety free of charge from http://www.cybersource.com and
http://www.siia.net/sharedcontent/divisions/ebus/citadel.pdf . CyberSource
experts are also available to the press for in-depth commentary.
About Tom Arnold
Tom Arnold joined CyberSource in March 1996. As CTO, Mr. Arnold is
responsible for the design, development and deployment of CyberSource's risk
management architecture and solutions. Prior to CyberSource, Mr. Arnold
managed applications development at Silicon Graphics, Inc., building the next
generation of electronic sales and service systems. Prior to Silicon Graphics,
Mr. Arnold led the development of online database systems for NASA/Ames
Research Center.
Mr. Arnold serves as a board member for the National White Collar Crime
Center, and is the chairperson for the Technology Working Group, E-business
Division, Software & Information Industry Association. He has testified before
the U.S. House of Representatives Commerce Committee and U.S. Senate Banking
Committee on topics related to Internet commerce and Internet fraud.
About SIIA
The Software & Information Industry Association (SIIA) is the principal
trade association of the software code and information content industry. SIIA
represents more than 1,000 leading high-tech companies that develop and market
software and electronic content for business, education, consumers and the
Internet. For further information, visit http://www.siia.net .
About CyberSource
CyberSource Corporation is a leading provider of payment risk management
and real-time payment solutions for enterprise businesses. CyberSource
solutions are specially designed for multiple sales channels, such as Web and
call center/IVR, and include professional services to assist customers with
the design, integration and optimization of enterprise-wide commerce
transaction systems. CyberSource serves over 3,000 businesses, including over
half of the Dow Jones Industrial companies. The company is headquartered in
Mountain View, Calif., and has sales and service facilities in Japan, the
United Kingdom, and various other locations in the United States. For more
information, please visit CyberSource's web site at http://www.cybersource.com
or email info@cybersource.com.
NOTE: CyberSource is a registered trademark in the U.S. and other
countries. CyberSource eCommerce Transaction Suite is a service mark of
CyberSource Corporation. All other brands and product names are trademarks or
registered trademarks of their respective companies.
* Statistics Source: eMarketer, the eCommerce B2C Report, March 2001
CONTACT:
Jennifer Jennings of CyberSource Corporation
650-965-6042
jjennings@cybersource.com
or
Liz Haas of atomic tech pr
415-703-9454
liz@atomicpr.com