In the third and final part in this series, we discuss one last area of improvement that plays a pivotal role in restoring digital consumers’ confidence. In our previous posts, we looked at the benefits of mandatory reporting and why we need to move information security into the mainstream—not just in the media but also our own workplace.
Last but not least, we need for secure e-commerce infrastructures.
The Payment Card Industry Data Security Standard, or PCI DSS, is 10 years old this year, giving companies and organisations a framework to work towards. Now, the PCIDSS is not without its critics but it is a fantastic idea, setting minimum controls required to work with the payment card industry.
There are several secure e-commerce infrastructures, including Google Play, Google Wallet and PayPal, which all enable users to limit their liability whilst paying for things securely in an environment where their data will be held securely and not abused.
Now, the newly implemented feature on the iPhone 6 sounds like a very promising development in the realms of secure e-commerce systems, allowing users to pay at cash points in store more securely than with credit cards.
By replacing credit card information with a 16-digit proxy number stored on the iPhone’s security chip, this number is then sent by the retailer to the credit card provider who then returns the authorisation to the point of sale, while never actually revealing the card details to the retailer.
This conversion actually happens within the payment network, deep below retailers’ payment systems that have been the target of many high profile hacks in the last year or so. This method of payment, critics claim, would appear to have prevented the Target and Home Depot data breaches, as additional metadata uniquely created for each transaction and the user are incorporated to stop tokens from being reused if they are stolen. Finally, this conversion process happens only when the iPhone 6 user’s biometric security test has been passed, adding an extra layer of security.
Although the Apple Pay feature is still in the early stages, it’s not the only program that could help make the payment process more secure.
For example, the British government implemented a revolutionary idea with their G-cloud infrastructure in 2012. The G-cloud is essentially an online marketplace where companies of all sizes can offer their cloud services to semi-state and governmental buyers.
In order to gain entry to this platform, you need to have passed a security assessment and demonstrate to the potential government buyers that your systems are secure. Furthermore, in order to be considered for levels 2 or 3, you need to have an information security management system in place, like ISO 27001.
“While it’s a not a framework that will fit all scenarios, it does introduce us to a model of doing business whereby a group of people who want to buy certain services, can be assured that a corresponding group of people who want to sell the services have been pre-vetted by ‘experts’ and meet a high baseline of security requirements,” said Paul O’Donovan, lead auditor at Certification Europe. “Although whether this could be applied to some publicly available group schemes remains to be seen.”
I’m not saying that this will be an easy fix. I’m not even saying that we have all the answers yet, but it occurs to me that we need a radical change in culture, thinking and attitudes to data breaches. Digital threats and technology are always developing, and so should our education programs and understanding of what we face.
We really want to hear your opinions. If you have first-hand experience of any of the issues discussed or would like to share your insight, please leave your comments below.
About the Author: Michael Brophy is Founder and CEO of Certification Europe – a group of accredited certification bodies founded in 2001, which provides ISO Certification and Inspection services to organisations globally. Michael is a graduate of the University of Ulster and the Universidad de Zaragoza (Spain), with a Master in European Policy and Regulation at Lancaster University, and is one of Ireland’s leading authorities on standardisation. Michael has a wealth of experience in Information Security and Business Continuity Management Systems implementation for Government, military and various business sectors (pharmaceutical, Telco, financial, IT and security printing sectors). Michael is also Chair of the Association of Accredited Certification Bodies (AACB).
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
- Restoring Digital Consumers’ Confidence – Part I
- Restoring Digital Consumers’ Confidence – Part II
- Retail and Financial Sectors Overly Confident About Breach Detection
- Five Ways to Avoid Wasting Time During a Breach Investigation
Check out Tripwire SecureScan™, a free, cloud-based vulnerability management service for up to 100 Internet Protocol (IP) addresses on internal networks. This new tool makes vulnerability management easily accessible to small and medium-sized businesses that may not have the resources for enterprise-grade security technology – and it detects the ShellShock and Heartbleed vulnerability.
The Executive’s Guide to the Top 20 Critical Security Controls Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].
Image courtesy of ShutterStock.