Rebecca Westbrook, IT 255, Section 02, Unit 4.

Rebecca Westbrook
IT-255 Section 02,
Unit 4 Project

E-Commerce Site Security Plan

Security is the most important component of an e-commerce web site. If customers are not confident their private information, identity and data is secure, they will not use the site. Necessity dictates that you only gather that information from your customers that you absolutely need to in order to complete the transaction. Privacy is a big issue among e-commerce site users and they will avoid your site if you gather unnecessary personally identifying information from them.

Secrecy is an important part of security. Secure Socket Layers, or SSL, encrypt the information on a page between the server and the customer so that the sensitive information in the transaction, such as the credit card number, remains secret. HTTPS, or HTTP over Secure Socket Layers, accomplishes this. Vendors such as Microsoft, Netscape, MasterCard and Visa have been promoting secure electronic transaction protocol or SET as a way of using public and private keys shared between the customer, merchant, and customer’s bank. (SearchFinancialSecurity.com, 2008)

Integrity is ensuring that the customers’ data is correct and valid and that each transaction stays linked with the proper customer. Using third party shopping cart and payment processing entities with a proven track record of security and integrity is advisable for maintaining integrity.

Firewalls are an important part of ecommerce security and can be software or hardware based. They only allow communication between authorized connections on specific ports. They maintain session information over the length of the entire transaction, so that a different computer using a different IP address cannot hijack a transaction after the credit card number has been entered and steal that information. They also prevent unauthorized access to the web site itself so that hackers cannot write malicious code on the web site.

On my e-commerce site, I will implement user ids and passwords for authentication and authorization. I will create a secure page that allows the users to create an account by using their email address as their user ID and select their own password. I will then set up an .htaccess file that governs who is allowed to access the downloadable files.

I will use an SSL certificate for encryption. Godaddy.com offers a standard SSL certificate for $14.99 per year. This is the lowest cost third party issued SSL certificate I have found. I will use HTTPS for any pages that have user ID and password or credit card information on them.

I will use a transaction tracking mechanism to account for all the transactions on the site for accounting purposes. There are many prewritten PHP scripts that interact with databases to handle this, there is no need to reinvent the wheel and author one myself. I have not decided which script I will implement.

I plan to use PayPal to process all monetary transactions. PayPal has a proven track record of security and customer recognition.

At my ISP, I will implement a tool called leech protection that prevents users from giving out their password to protected areas of the web site and disables any account with a compromised password. I will use their SSL tools for generating private keys and certificate signing requests to send to procure my Godaddy.com SSL certificate.

I will include graphics in very prominent places on my web pages indicating the security measures and trust authorities that secure the pages, so that the users will be confident their data is safe.

SearchFinancialSecurity.com (2007). What is Secure Electronic Transaction? - a definition from Whatis.com. Retrieved August 26, 2008 from http://searchfinancialsecurity.techtarget.com/sDefinition/0,,sid185_gci214194,00.html