CyberSource Corp., a provider of risk management and real-time payment systems for businesses that specializes in fraud detection, has released a list of 10 tips to help e-businesses secure private consumer information and credit card data.
The tips come from a white paper written by CyberSource chief technology officer Tom Arnold and published by the Software & Information Industry Association (SIIA), a trade group for the software and digital content industries.
CyberSource says the following tips should be considered a starting point in the battle to secure customer data and credit card information:
1. Approach security as a system. Security is more than just a firewall or a user-name and password login. There are numerous interacting systems involved including access control through encryption of sensitive data.
2. Establish policy. Have a clear policy related to security and the handling of sensitive data.
3. Communicate internally. Make everyone aware of their responsibility for security. This includes conducting policy education for all facets of security, from facility instructions to reporting breaches.
4. Implement a “layered” security model, where internal assets are secured, partitioned, and monitored. Most organizational security models can be described as an egg shell: hard on the outside, soft in the center, and thus susceptible to security breaches from within.
5. Use a secure message digest. For security of credit card numbers, use the secure hashing algorithm (known as SHA-1) in order to make a unique surrogate value that can be referenced, but not used to charge against the account.
6. Use advanced encryption. When encrypting sensitive data like credit card numbers, use at least the Triple-DES algorithm with a 168-bit key.
7. Manage encryption keys. Use either a hardware device or secure key storage system to store encryption keys. Rotate the keys frequently and provide physical control over who can access these keys.
8. Destroy data when no longer needed. Physically destroy disks or use a wipe algorithm to completely destroy sensitive data that is no longer needed. Where encrypted data no longer needs to be recovered, completely destroy the key.
9. Look for new developments. Criminal behavior and attacks on company data have become increasingly complex and deceptive because of new tools readily available to cyber criminals. Subscribe to information services and react to new developments as they are reported.
10. Monitor compliance. Track compliance against security policy and report exceptions to senior executives of the company.
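As an added illustration of tips 5 and 7 (example code, not from the white paper or CyberSource), the following Python builds the surrogate record a merchant system would keep instead of the raw card number. The unkeyed SHA-1 digest the tip names is shown alongside a keyed (HMAC) variant, which is an assumption beyond the tip: the 16-digit card-number space is small, so a digest that depends on a secret held under the key-management controls of tip 7 is the safer reference. The sample card number and the masking rule are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample input: the well-known Visa test number (passes Luhn).
SAMPLE_PAN = "4111111111111111"


def luhn_valid(number: str) -> bool:
    """True if the digit string passes the Luhn check that card numbers carry."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def sha1_surrogate(pan: str) -> str:
    """Tip 5 as stated: an unkeyed SHA-1 digest used as a reference value."""
    return hashlib.sha1(pan.encode("ascii")).hexdigest()


def keyed_surrogate(pan: str, key: bytes) -> str:
    """Keyed variant (assumption, not from the paper).

    Same PAN and key always give the same reference, so records stay linkable,
    but the digest cannot be recomputed from candidate numbers without the key.
    The key must stay stable for references to remain valid, so it is protected
    and access-controlled (tip 7) rather than rotated like a data-encryption key.
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def mask_pan(pan: str) -> str:
    """Display form: only the last four digits survive."""
    return "*" * (len(pan) - 4) + pan[-4:]


def tokenize_record(pan: str, key: bytes) -> dict:
    """Build the record kept in place of the raw PAN: a reference plus a display form."""
    if not luhn_valid(pan):
        raise ValueError("not a well-formed card number")
    return {"reference": keyed_surrogate(pan, key), "display": mask_pan(pan)}
```

Neither field of the returned record is a chargeable card number, which is the property tip 5 is after; the raw PAN is handed to the payment processor and then discarded or encrypted under tips 6 and 8.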
The complete white paper is available free of charge at: