Information Assurance and Secure Online Payments - Coursework Example

Secure E-Payment Secure e-Payment One of the vital and critical features of the e-commerce enabled websites is to make sure thatthe customers are confident and satisfied while making financial transactions over the website. The different forms of the online payments made by the customers have already been discussed earlier in the paper. One of the methods/forms for online payment is the bank account based systems including the credit cards, debit cards, mobile payments, etc. There are diverse security features and functions that need to be implemented by the website’s owner to ensure safe financial transactions keeping in view the e-payment method adopted by the website owner. The customer would not hesitate to provide / enter personal as well as financial (Credit Card, PayPal, etc.) information on any website which has a strict privacy policy and which implements Secure Sockets Layer (SSL), verified by Visa, MasterCard SecureCode, CPI Security Auditor and Trustwave trusted commerce services with respect to the payment methods the website offers. The privacy policy of the website should ensure data confidentiality by stating that the customer’s information will never be disclosed intentionally to the un-trusted third parties. However, if the website/company requires using the personal information (name, address, country, email) of the customers to improve the services, market research, and statistical purposes, the company should specify explicitly in the privacy policy. It is pertinent to mention here that irrespective of which method/form of payment is being used by the customer, the e-commerce enabled website has to follow the steps given below to complete the financial transaction. Moreover, the following points also provide guidelines for the company to implement the security features so that the customers make the financial transactions safely and securely. i. A customer places an order on the e-commerce enabled website by providing the credit card or financial information. The hackers usually use the Cross-Site Scripting (XSS) which is a common hack for web applications, particularly found in web browsers to hack sensitive or financial information. By utilizing the XSS, a hacker sends a malicious code (JavaScript) through the browser or web application in the form of a browser side script to the other end user. The code enables the hacker to access the sensitive information contained in the web browser in the particular website; moreover, the malicious code accesses the cookies and session token. There are certain rules and guidance for avoiding the XSS including: do not allow inserting un-trusted data except in the allowed locations; avoid inserting special characters like , #, @, etc.; it is always recommended to severely authenticate before putting in the un-trusted data into HTML, i.e. cascading style sheets etc. ii. When the customer has finished the registration done by entering all the required financial information, the web browser of the customer encrypts all the sensitive information to the company’s web server. In order to provide secure financial transaction to the customers, the company needs to implement the secure sockets layer (SSL), which encrypts the input data in the browser and send the encrypted data to the server for further processing. It ensures that the information is protected to some extent against unauthorized access (Onyszko, 2004). iii. The web server of the company forwards the transactions information to the payment gateway (server) by using encrypted connection so that the sensitive information cannot have unauthorized access. Moreover, the payment gateway forwards the information to the bank of the Grainger so that payment can be processed. The same technique of SSL can be used for encryption of the sensitive data to avoid unauthorized access. iv. If the customer has chosen the credit card payment method, the company offers payment through diverse credit cards including the MasterCard, Visa and American Express. If the credit card is American Express, then the card association has rights to approve or decline the payment after authorizing the credit card information. But if the credit card is either Visa or MasterCard, the information needs to be sent to the card issuing bank (customer bank). In order to proceed securely at this step, the company needs to implement various security features. For example, if the company accepts the above given credit cards, then the company needs to implement certain cervices; for instance, the verified by Visa service is utilized to avoid, detect and resolve deception by asking the customer to input extra password while making online transaction (Visa, n.d). In order to validate the MasterCard (credit card), the company requires implementing the MasterCard SecureCode that compels the customers to enter the private code of the credit card for avoiding unauthorized access to the financial information (MasterCard, n.d). v. In case of Visa/MasterCard, the customer bank validates the information (along with the four digit number) and replies either approved or denied (along with reasons of refusal) to the payment gateway processor. The payment gateway forwards the results or response of the processor to the web server of the company so that it can be displayed on the website and conveyed accordingly to the customer. Usually, this whole process takes three seconds. In order to complete the financial transaction safely, the company has to implement the Trustwave seal – the website security shield; it provides the highest level of encryption and layered protection to the data against security breaches and frauds (Trustwave, n.d). vi. If the order completed successfully and the credit card information has been validated by the customer’s bank, then the e-commerce enabled website re-initiates the above given whole process to charge the price of the order. But this time, the company’s website also provides all information of the order (item name, number, etc.) to the customer’s bank. The customer’s bank makes a settlement with the company’s bank in terms of money. Conclusion The protection of the digital information, especially over the Internet, is still an immature area. Therefore, it can be stated that there are huge numbers of threats to data, and the vulnerability of data / information is becoming a hindrance and barriers particularly to the e-commerce. Moreover, there are diverse forms of data threats based on the data storage medium, and threats to data could be from the internal resources of an organization as well as external ones. Some of the security threats to e-commerce websites include: the data interception, unauthorized access to stored data, the integrity of data / information, and accidental loss of data. The data interception refers to the data over the Internet which always travels or routed through the Internet Service Providers (ISPs); therefore, unauthorized data accessing from the ISP should be prevented by implementing data encryption techniques. It is sure, if the data gathering and storing process is malfunctioning, the established data will be incorrect as well; this process is known to be as Garbage in Garbage out (GIGO). Data integrity refers to the validity and accuracy of the information; data could be incomplete, erroneous or/and outdated, which would only result in incorrect information that could harm any company. The data integrity is crucial for e-commerce websites that can only be achieved by implementing high quality database along with validation rules. Moreover, there are certain steps to make e-commerce transaction, and implementing security features at each step is highly important. It is pertinent to mention here that each step of financial transaction over the Internet involves diverse security techniques. Some of the significant security techniques (XSS, SSL, MasterCard SecureCode, verified by Visa, TrustWave, etc.) have been discussed in this paper. They are required to be implemented by any company having e-commerce enabled website; moreover, the company needs to follow the information security best practices. References Onyszko, T. (2004). Secure Socket Layer. Retrieved from: http://www.windowsecurity.com/articles/secure_socket_layer.html Visa. (n.d). Verified by Visa. Retrieved from: https://usa.visa.com/personal/security/vbv/index.jsp MasterCard. (n.d). MasterCard SecureCode. Retrieved from: http://www.mastercard.us/securecode.html Trustwave. (n.d). Web Site Seal, Why should you display a Trustwave Seal? Retrieved from: https://ssl.trustwave.com/support/siteseal.php Read More