The hot topic today is on-line or web-based transactions and how the public perceives the issue of security. At the center of the debate is the “user interface” and how secure that interface is. Many people wonder who is watching their activity and gathering user IDs and passwords, and fear giving away access to their accounts. Some say: who cares, I only use ‘X’ credit card for on-line activities, and that carrier protects me from fraud and will credit my account. Others are opting for protection from insurance companies, like Allstate’s new Identity Theft Protection policy.
All of these ideas are practical, but the industry needs to respond with platforms for safe on-line commerce. For example, credit card companies and on-line transaction processors must comply with an evolving set of principles called the Payment Card Industry (PCI) Data Security Standard. Announced as a joint MasterCard/Visa security standard in December 2004, it applies to any entity that ‘processes, transmits, or stores’ cardholder information. PCI mandates third-party (e.g. PwC) audits and scanning for violations at the largest merchants and service providers, with fines of up to $500,000 per incident.
The top 12 principles:
- Install and maintain a firewall configured to protect data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored data.
- Encrypt transmission of cardholder and sensitive information across public networks.
- Use and regularly update anti-virus software.
- Develop and maintain secure systems and applications.
- Restrict access by business need-to-know.
- Assign a unique ID to each person.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security for employees and contractors.
So, what is Microsoft doing about security and on-line transaction processing products? Plenty! One item in particular: the new Internet Explorer (IE 7.0) on Windows Vista is a more secure version of IE. Among its many new features, IE 7 will support “protected mode” browsing, which prohibits the browser and any controls (e.g. malware) running within the browser from writing to areas outside the Temporary Internet Files folder without user consent (user gullibility is still an issue!). Some of the features in IE 7.0, like anti-phishing, will be available on Windows XP SP2/R3; however, “protected mode” browsing will only be available with the Vista release.
Financial Services enterprises wishing to add a “protected mode” to their existing IE “user interface” with zero touch, for applications like on-line banking services, should look at one of Microsoft's partners, Permeo. They have a very cool process for securing IE sessions against key loggers and browser cache theft, and a very cool demo of an on-line banking transaction in which the session is detected and protected. Again, it’s a zero-touch solution that the Financial Services institution deploys dynamically when the customer enters the bank's website.
This is the second article on the Vista road map; click here for the first.
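To make the write-confinement rule concrete, here is an added Python model of that policy (illustrative code of my own, not Microsoft's or Permeo's; the folder path and the write attempts are constructed). It shows the two pitfalls such a check must handle: path traversal with `..` and a folder name that merely starts with the allowed prefix.

```python
import ntpath

# Constructed folder: the area the page says protected-mode IE may write to freely.
TEMP_INTERNET_FILES = r"C:\Users\alice\AppData\Local\Microsoft\Windows\Temporary Internet Files"

def _inside(root: str, target: str) -> bool:
    """True if target lies under root once '..', '.', slashes and case are normalised."""
    root_n = ntpath.normcase(ntpath.normpath(root))
    target_n = ntpath.normcase(ntpath.normpath(target))
    # Compare with a trailing separator so "...\Temporary Internet Files2" cannot match.
    return target_n == root_n or target_n.startswith(root_n + ntpath.sep)

def write_allowed(target: str, user_consented: bool = False,
                  root: str = TEMP_INTERNET_FILES) -> bool:
    """Model of the protected-mode rule: writes outside the temp folder need user consent.

    Relative and drive-relative paths (e.g. "C:evil.dll") depend on process state the
    policy does not control, so they are refused outright.
    """
    if not ntpath.isabs(target) or not ntpath.splitdrive(target)[0]:
        return False
    return _inside(root, target) or user_consented

# Constructed write attempts a sandboxed browser (or a control loaded in it) might make.
ATTEMPTS = [
    (TEMP_INTERNET_FILES + r"\news.htm", False),
    (r"c:/users/ALICE/appdata/local/microsoft/windows/temporary internet files/ad.gif", False),
    (TEMP_INTERNET_FILES + r"\..\..\..\..\..\evil.dll", False),   # traversal attempt
    (TEMP_INTERNET_FILES + r"2\sneaky.dll", False),                # prefix look-alike
    (r"C:\Windows\System32\drivers\etc\hosts", False),              # system file outside sandbox
    (r"C:\Users\alice\Downloads\statement.pdf", True),             # user clicked "Save"
    (r"C:evil.dll", False),                                        # drive-relative path
]

def audit(attempts=ATTEMPTS):
    """Return (path, allowed) for each attempt so blocked writes can be logged and reviewed."""
    return [(path, write_allowed(path, consented)) for path, consented in attempts]

if __name__ == "__main__":
    for path, ok in audit():
        print("ALLOW" if ok else "BLOCK", path)
```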