A recent survey by our sister publication InformationWeek and PricewaterhouseCoopers found that revenue loss is seven times more likely to strike Web commerce sites than those without commerce functions. It's also clear that some very basic steps, like screening e-mail for viruses, sometimes get lost in the rush to start taking orders. In the study, about 65 percent of merchants with commercial sites reported computer viruses, versus 50 percent with non-commerce sites (see chart on page 72).
 Forrester analyst Ted Julian says the best thing a merchant can do to ensure security is hire a third-party firm to audit and attack its CSP site regularly. Indeed, most major accounting firms, such as PricewaterhouseCoopers, are eyeing regular certification of CSP security as a lucrative new business. Merchants with tight budgets may prefer to use freeware, such as Satan, to run their own security audits. In either case, it's still too early to determine how effective and pervasive such audits might become.
About half of the CSPs responding to our infrastructure survey (see survey, online) were willing to discuss at least some of the basics regarding their security philosophies. For example, Cisco's PIX and Check Point's Firewall-1 tend to be the most popular firewalls among the CSPs we queried. At least half of the CSPs serving medium-sized to large merchants report they rely on VeriSign to authenticate transactions.
Our survey also indicated that the much-touted Secure Electronic Transactions (SET) specification looks like a bust. Only about a dozen of the CSPs that responded to our Guide to CSPs survey told us that they support the specification. That's primarily because products based on the specification are excruciatingly slow (unless expensive hardware accelerators are added) and client support is nonexistent.
While Europay, MasterCard and Visa have been rumored to be establishing minimum e-commerce security specifications, a spokesperson for Visa says this is most likely to happen in the context of SET. Visa's own "suggested requirement" is a minimum of SSL support. Individual banks may set their own security requirements, and Visa reserves the right to halt service to any merchant, online or off, that exceeds given fraud and chargeback thresholds.
According to our survey, SSL is being used in lieu of SET by about 80 percent of those responding to security questions--even though it lacks the customer authentication that SET specifies and, therefore, puts the merchant at greater risk of attack. Among those serving midsize to large companies, we found only one CSP that didn't offer SSL. CSPs that offer encryption tend to offer 64-bit, although a handful of CSPs said they use 128-bit in the United States. About 40 percent of the CSPs elaborating on security reported that they offer no encryption at all--which probably means they don't realize their SSL-supporting products contain encryption.
|
REPORTS
ANALYTICS
Follow 
