
E-commerce merchants need to ensure that their credit-card transactions with the consumer are encrypted, and so are any back-end transactions that forward credit-card information to banks or to the merchant itself. That second hop matters because the bulk of online orders are still processed manually or re-entered at the merchant's location, so card data travels there too.
Credit-card information also needs to be secured when it is stored on the CSP's server; many security experts recommend keeping it in a dedicated "black box." Because internal theft is more common than over-the-wire theft, credit-card information is most vulnerable right at the server. It therefore makes sense to restrict physical access to such servers, for example by placing them in a locked room with controlled access, or at least to run automatic audits of server maintenance changes as a deterrent to insiders. Ideally, credit-card numbers would be treated with the same care as passwords: always encrypted at rest and never stored in the clear. Few CSPs seem to take such measures, however. On the contrary, many CSPs, if not most, run commerce servers holding credit-card information alongside other equipment without adding any physical security at all.
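What "always encrypted and never stored in the clear" looks like in practice, as an added example written for this page and not code from the article or from any CSP it mentions: the commerce server's database keeps only a masked value, a keyed lookup token and authenticated ciphertext, while the keys are assumed to be fetched from a separate "black box" (key server or HSM) rather than sitting on the same disk. The key bytes and the 4111 1111 1111 1111 test number below are constructed for the demo; the `Vault`, `StoredCard`, `Store` and `Reveal` names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"strings"
)

// StoredCard is the only form in which a card number reaches the commerce
// server's database. The PAN itself is never written out.
type StoredCard struct {
	Last4      string // shown on receipts and order screens
	BlindIndex string // HMAC-SHA256 of the PAN; finds repeat cards without decrypting
	Nonce      []byte // fresh per record, so identical PANs encrypt differently
	Ciphertext []byte // AES-256-GCM output, authentication tag included
}

// Vault wraps the two keys. Assumption: in production both keys come from the
// separate key server or HSM at startup and never live beside the data.
type Vault struct {
	aead     cipher.AEAD
	indexKey []byte
}

// NewVault takes a 32-byte AES key and a separate HMAC key.
func NewVault(encKey, indexKey []byte) (*Vault, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, indexKey: indexKey}, nil
}

// luhnValid rejects typos and junk before anything is stored.
func luhnValid(pan string) bool {
	if len(pan) < 12 || len(pan) > 19 {
		return false
	}
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		c := pan[i]
		if c < '0' || c > '9' {
			return false
		}
		d := int(c - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// Store validates the PAN and returns the record the database may hold.
func (v *Vault) Store(pan string) (StoredCard, error) {
	pan = strings.ReplaceAll(pan, " ", "")
	if !luhnValid(pan) {
		return StoredCard{}, errors.New("invalid card number")
	}
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return StoredCard{}, err
	}
	last4 := pan[len(pan)-4:]
	// The masked value is additional authenticated data, so a ciphertext
	// moved onto a different row no longer decrypts.
	ct := v.aead.Seal(nil, nonce, []byte(pan), []byte(last4))
	mac := hmac.New(sha256.New, v.indexKey)
	mac.Write([]byte(pan))
	return StoredCard{Last4: last4, BlindIndex: hex.EncodeToString(mac.Sum(nil)),
		Nonce: nonce, Ciphertext: ct}, nil
}

// Reveal recovers the PAN; only the path that forwards the transaction to the
// bank should ever call it.
func (v *Vault) Reveal(c StoredCard) (string, error) {
	pt, err := v.aead.Open(nil, c.Nonce, c.Ciphertext, []byte(c.Last4))
	if err != nil {
		return "", errors.New("record failed authentication: " + err.Error())
	}
	return string(pt), nil
}

func main() {
	// Constructed keys for the demo only; real keys come from the key server.
	v, err := NewVault([]byte("0123456789abcdef0123456789abcdef"), []byte("fedcba9876543210fedcba9876543210"))
	if err != nil {
		panic(err)
	}
	// 4111 1111 1111 1111 is the standard Visa test number, not a live card.
	rec, err := v.Store("4111 1111 1111 1111")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: last4=%s index=%s... ct=%s...\n",
		rec.Last4, rec.BlindIndex[:16], hex.EncodeToString(rec.Ciphertext)[:16])
	pan, err := v.Reveal(rec)
	fmt.Println("revealed for bank submission:", pan, err)
}
```

Two design choices are worth noting. The blind index lets the merchant spot a returning card or a duplicate order without ever decrypting, so the decryption key need only be loaded on the host that talks to the bank. And because the masked digits are bound into the ciphertext as authenticated data, an insider who swaps or edits rows in the database gets an authentication failure rather than a silently wrong card, which is exactly the kind of event the server-change audit described above should record.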
Exodus, on the other hand, is a co-location service provider (it leaves the task of developing and maintaining commerce applications to customers and select partners) that prides itself on offering one-of-a-kind security. Exodus is upgrading its aluminum vaults to 3.5-inch, steel-lined, hermetically sealed, 8-x-12-foot vaults at each of its eight hosting facilities. The existing vaults, which a merchant can rent for $12,500 a month each, include a fire-suppression system, motion and heat detectors, redundant power, a dedicated camera, biometric handprint scanners capable of telling a live hand from a fake, locked-down floor tiles, a metal conduit for wiring and a Faraday-cage-like enclosure that attenuates radio-frequency interference and electromagnetic pulses.
One of Exodus' first vault customers is NextCard Visa, which is one of the largest distributors of Visa credit cards online.
You won't find anything like this, however, at most CSPs. "There is no question that in the rush to throw something together [to cash in on the e-commerce frenzy], security has gotten lost in the shuffle," says Forrester's Julian. "There are certain things that are fundamental and inexcusable, though--like not securing the servers and failure to use encryption."
Send your comments about our special report on e-commerce to Christy Hudgins-Bonafield at cbonafield@nwc.com.