What are the major security challenges today with regard to e-commerce and m-commerce payments?
As e-commerce and m-commerce solutions are providing real-time accessibility and new opportunities, security threats like fraud, theft, viruses and spam have become more numerous and aggressive. Hackers are able to access sensitive information, such as, account details or PIN codes used for mobile banking, confidential company information or personal details, as well as steal data, install or remove programs, inject malicious worms and even access internal carrier network resources.
There are three major vulnerabilities that comprise these attacks. The first allows the hackers to gain access to the server. Once access has been established, the second vulnerability involves the modification of certain registry keys and code that on restart allows the hackers to disable key security measures. The third vulnerability involves malicious codes that allow unauthorised actions to be taken on the database.
Data theft has emerged as one of the major crimes related to credit cards. What steps is the industry taking to minimise the risk of data theft incidents?
Any real-time security event requires real-time response. The dynamic threat environment demands that security information and event management solutions provide integrated and automated security capabilities. Automated security processes can play a major role to respond to events in real-time, without the need for unnecessary human intervention.
Some of the key measures may be automatic resolution or escalation of security events such as password resets or privilege changes. Integrated analysis of security events is also critical by including assessment reports and entitlement reports from configuration assessment tools, automatically available in a single display, relevant to the event. Rapid and targeted escalation of monitoring for privileged user activity associated with insider threats may also be a key factor.
Automation helps reduce the costs of securing hosts and achieving compliance, enables more scalable, repeatable compliance programs and streamlines any organisation's compliance efforts.
Can you tell us a little about Payment Card Industry Data Security Standard (PCI DSS) compliance? How is this compliance important for security?
The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide information security standard defined by the Payment Card Industry Security Standards Council, to help organisations that process card payments prevent credit card fraud. PCI-DSS has been hotly debated since its second incarnation in 2006. As the cost of implementing it overweighs proposed fines, many retailers were reluctant to implement PCI-DSS. Recently, credit card companies have hardened up their approach, forcing retailers to ensure compliance. However, after a spate of companies, such as Heartland Systems in the US, experienced security breaches despite complying with regulations, there is a growing undercurrent of discontent around such mandates.
Sign up for Computerworld eNewsletters.