It happens all too often: a business owner gets an anonymous letter containing a sampling of his online customers’ credit card numbers and a demand for payment if the business owner wants the thief to keep quiet and not post the stolen information online. If you’re new to the e-commerce game, you’ll quickly find that keeping customers satisfied with your products and customer service includes making sure that their personal information is kept secure. What can you do to help ensure that your Webmaster, IT manager, or third-party hosting service is taking precautions? Start with the basics: encryption, authentication, firewalls, and certificates, says Joan S. Hash, director of the security management and guidance group for the Information Technology Laboratory, National Institute of Standards & Technology (NIST) in Gaithersburg, Maryland.
- Encryption scrambles data before it travels from the customer’s browser to your site. The customer sees a gold key or lock at the bottom of the browser window, which indicates that SSL (secure sockets layer) or another encryption method is active. "Authentication is a scheme to make sure you know who you’re dealing with, such as an account number and password," says Hash. Complex authentication schemes include fingerprint readers and devices that generate new passwords every few seconds. Because these methods aren’t practical for consumer e-commerce, strong passwords (a combination of numbers and letters at least eight characters long) are a good start, as is logging the user out of the secure checkout area after a few minutes of inactivity.
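The two authentication controls this item recommends, a minimum password rule and an idle timeout on the checkout session, look like this in code. This is an added example, not code from the article or from NIST; the in-memory session table, the injectable clock and the five-minute limit are constructed stand-ins for whatever a real web framework provides.

```python
"""Added example (not from the article or NIST): a minimal password-policy check
and an inactivity timeout for a checkout session. The session table and the
injectable clock are constructed in-memory stand-ins, not a real web framework;
the timeout value is an assumption ("a few minutes")."""
import re
import secrets
import time

MIN_PASSWORD_LEN = 8             # "at least eight characters long"
INACTIVITY_LIMIT_SECONDS = 300   # assumed: five minutes of inactivity


def meets_password_policy(password: str) -> bool:
    """True if the password is long enough and mixes letters with digits."""
    if len(password) < MIN_PASSWORD_LEN:
        return False
    has_letter = re.search(r"[A-Za-z]", password) is not None
    has_digit = re.search(r"\d", password) is not None
    return has_letter and has_digit


class ManualClock:
    """Constructed clock so the timeout can be exercised without sleeping."""

    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


class SessionStore:
    """In-memory table of checkout sessions with idle-timeout enforcement."""

    def __init__(self, clock=time.monotonic, idle_limit=INACTIVITY_LIMIT_SECONDS):
        self._clock = clock
        self._idle_limit = idle_limit
        self._sessions = {}   # token -> (user, time of last activity)

    def login(self, user: str) -> str:
        # A random 256-bit token: unguessable, unlike a user-chosen password.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, self._clock())
        return token

    def touch(self, token: str) -> bool:
        """Validate the token carried by a request.

        Returns True and refreshes the idle timer if the session is live;
        returns False (and removes the session) if it is unknown or has been
        idle longer than the limit.
        """
        entry = self._sessions.get(token)
        if entry is None:
            return False
        user, last_activity = entry
        now = self._clock()
        if now - last_activity > self._idle_limit:
            del self._sessions[token]   # forced logout from the secure checkout area
            return False
        self._sessions[token] = (user, now)
        return True

    def active_users(self) -> list:
        return sorted(user for user, _ in self._sessions.values())


if __name__ == "__main__":
    clock = ManualClock()
    store = SessionStore(clock=clock)
    token = store.login("alice")
    clock.now = 120
    print("still logged in after 2 min:", store.touch(token))
    clock.now = 600
    print("still logged in after 8 idle min:", store.touch(token))
```

The timer is refreshed on every valid request, so the limit is measured from the last activity rather than from login, which is what "after a few minutes of inactivity" calls for.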
- Firewalls, both hardware and software, prevent certain types of data from getting in or out of particular areas. This creates some measure of security between the outside world and your network. A hardware firewall should stop all unrequested data from entering your PC or your network. If someone inside a company runs a search from a Web browser or polls for e-mail, the requested information can come in; but if a cracker scans for chinks in your company’s armor or tries to send in unsolicited code, a hardware firewall blocks the attempts. Hardware firewalls won’t necessarily stop information from leaking out, however. A good software firewall can prevent applications from invisibly sending information back to their makers, without even going through your e-mail program.
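The distinction this item draws, a perimeter device that admits only replies to connections opened from inside versus a per-program software firewall that can stop an application from quietly sending data out, is easiest to see in a small model. The following is an added example, not code from the article; the addresses, ports and program names are constructed sample values, and both filters are deliberately simplified stand-ins for real products.

```python
"""Added example (not from the article): a toy model of the two firewall layers
the passage describes. StatefulFirewall stands in for the perimeter device;
HostFirewall stands in for the application-aware software firewall on the PC.
All addresses, ports and program names are constructed sample values."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str      # "out": LAN -> Internet, "in": Internet -> LAN
    app: str = ""       # originating program; only a host firewall knows this


class StatefulFirewall:
    """Perimeter filter: inbound packets pass only if they answer a tracked outbound connection."""

    def __init__(self):
        # (inside_ip, inside_port, outside_ip, outside_port) per connection opened from inside
        self._conntrack = set()

    def filter(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            self._conntrack.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "ALLOW"
        # Inbound: is this the reverse of something someone inside requested?
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return "ALLOW" if key in self._conntrack else "DROP"


class HostFirewall:
    """Application-aware filter: each program may talk only to the ports it is allowed."""

    def __init__(self, egress_policy: dict):
        self._policy = egress_policy    # program name -> set of permitted destination ports

    def filter(self, pkt: Packet) -> str:
        if pkt.direction != "out":
            return "ALLOW"              # inbound is left to the perimeter in this model
        allowed = self._policy.get(pkt.app)
        if allowed is None or pkt.dst_port not in allowed:
            return "DROP"               # unknown program, or a port it has no business using
        return "ALLOW"


def run_scenario() -> dict:
    """Push constructed sample traffic through both layers; return {label: (perimeter, host)}."""
    perimeter = StatefulFirewall()
    host = HostFirewall({"browser": {80, 443}, "mailclient": {25, 110, 995}})
    inside, web, scanner, vendor = "192.168.1.10", "203.0.113.5", "198.51.100.7", "198.51.100.9"
    traffic = [
        ("browser request", Packet(inside, 51000, web, 443, "out", app="browser")),
        ("web reply", Packet(web, 443, inside, 51000, "in")),
        ("unsolicited scan", Packet(scanner, 40000, inside, 445, "in")),
        ("app phoning home", Packet(inside, 52000, vendor, 8080, "out", app="shareware")),
    ]
    verdicts = {}
    for label, pkt in traffic:
        # Both layers see every packet here so the table shows which one catches what;
        # on a real network a host DROP never reaches the perimeter at all.
        verdicts[label] = (perimeter.filter(pkt), host.filter(pkt))
    return verdicts


if __name__ == "__main__":
    for label, (p, h) in run_scenario().items():
        print(f"{label:18s} perimeter={p:5s} host={h}")
```

The last row is the point of the passage: the perimeter sees an ordinary outbound connection and lets it through, because it has no idea which program opened it; only the host firewall, which knows the originating application, can refuse it.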
- Certificates verify legitimacy. Those issued by a government-approved certificate authority (CA), such as VeriSign Inc. (www.verisign.com) or Thawte Consulting (www.thawte.com), can tell you which Websites are the real McCoy. "You don’t want your customers to be subjected to someone who sets up a bogus site and collects [their] sensitive information," says Hash. "The most popular browsers today employ standard techniques supporting the use of server certificates. Users can check for the presence of a server certificate by looking for the browser tool (try the Tools menu) that includes options for displaying this information. Private information, such as credit card numbers, should not be transmitted to sites where server certificates are not used."
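What a browser actually checks when it decides a server certificate belongs to the site the user typed in comes down to two questions: does a name in the certificate match the host, and is the certificate within its validity period (on top of the CA signature check, which the TLS library performs). The following added example, not code from the article, implements those two checks over the dictionary shape Python's `ssl` module returns for a peer certificate, and contrasts a client context that enforces verification with one that would accept any site. The certificate dictionary is a constructed sample, not a real certificate.

```python
"""Added example (not from the article): hostname and validity checks for a
server certificate, plus the client-side setting that makes a TLS library
refuse unverified servers. SAMPLE_CERT is a constructed stand-in for what
ssl.SSLSocket.getpeercert() returns, not a real certificate."""
import ssl

SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example.com"),),),
    "issuer": ((("commonName", "Example Trusted CA"),),),
    "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "*.checkout.example.com")),
    "notBefore": "Jan 10 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2025 GMT",
}


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname.

    A wildcard is honoured only as the whole leftmost label, never spans a
    dot, and must leave at least two fixed labels (so '*.com' is rejected).
    """
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def certificate_problems(cert: dict, hostname: str, now_epoch: float) -> list:
    """Return the reasons this certificate must not be trusted for hostname (empty = OK)."""
    problems = []
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        # Legacy fallback: only consult the subject CN when no SAN extension exists.
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if not any(_dns_name_matches(name, hostname) for name in names):
        problems.append(f"name mismatch: certificate names {names} do not cover {hostname}")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now_epoch < not_before:
        problems.append("certificate not yet valid")
    if now_epoch > not_after:
        problems.append("certificate expired")
    return problems


def verifying_context() -> ssl.SSLContext:
    """The default client context: CA signature required, hostname checked, system trust store."""
    return ssl.create_default_context()


def weak_context() -> ssl.SSLContext:
    """The misconfiguration to look for in client code: any certificate, any name, is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


if __name__ == "__main__":
    # 1717200000 is 2024-06-01 00:00:00 UTC, inside the sample validity window.
    print(certificate_problems(SAMPLE_CERT, "shop.example.com", 1717200000))
    print(certificate_problems(SAMPLE_CERT, "evil.example.net", 1717200000))
    print("default context safe:", context_is_safe(verifying_context()))
    print("weakened context safe:", context_is_safe(weak_context()))
```

A certificate that fails either check is exactly the "bogus site" case in the quote: the connection may still be encrypted, but encryption to the wrong party protects nothing, which is why the name and validity checks matter as much as the padlock itself.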
It may seem that your customers