ecommerce security

Security in payment data for e-commerce applications

Every day new e-commerce applications are published on the Internet and more people use them to buy all kinds of products. That is the goal, but to get there you have to hand over some of your information, from personal details to payment data: your address, your name, sometimes your age and, of course, your credit card (CC) details.

In card-not-present (CNP) transactions, which is what every online shop performs, the information must be protected differently from card-present transactions, because the information being processed is different: there is no chip or magnetic stripe, only the card number, expiration date and verification code typed in by the customer.

Many of these web and mobile applications do not follow the protocols and rules for protecting customer information, not even moderately. In this post I will focus on best practices for protecting this kind of critical information.

1) Use a good HTTPS configuration for the whole platform.

  • Acquire the right kind of certificate for your site (single-domain, wildcard, multi-domain, EV, etc.) and buy it from a trusted Certification Authority. Here you have a relatively good list. Just try to avoid Symantec and its subsidiaries; browsers have since stopped trusting certificates issued from Symantec's old roots.
  • Install it correctly. You would be surprised how many certificates on public servers are installed incorrectly (missing intermediate chain, wrong hostname, expired). This breaks clients and slows the adoption of newer protocols. Here is a helpful link for verifying the installation of your certificates and the HTTPS configuration.
  • Redirect every plain HTTP request to its HTTPS counterpart or, if possible, do not serve HTTP at all, just HTTPS. Send the Strict-Transport-Security header so browsers stop trying HTTP in the first place, and bear in mind that a form POSTed over HTTP has already leaked its contents before any redirect happens: the payment form itself must only ever be loaded and submitted over HTTPS.
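The three server-side pieces of section 1 (TLS floor, HTTP-to-HTTPS redirect, HSTS) in one small Go program, added here as an example and not code from the original post. The certificate and key file names, the hostname and the one-year HSTS lifetime are assumptions for the example.

```go
package main

import (
	"crypto/tls"
	"log"
	"net"
	"net/http"
)

// SecureHeaders wraps a handler so every HTTPS response carries HSTS,
// which tells the browser to refuse plain HTTP to this host for a year
// (31536000 s) and to all subdomains. Add "preload" only once you are
// sure every subdomain serves HTTPS.
func SecureHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
		next.ServeHTTP(w, r)
	})
}

// RedirectToHTTPS is the only thing served on port 80: a permanent
// redirect to the same path on HTTPS. The port is stripped from the Host
// header so the redirect never points at https://host:80.
func RedirectToHTTPS(w http.ResponseWriter, r *http.Request) {
	host := r.Host
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	http.Redirect(w, r, "https://"+host+r.URL.RequestURI(), http.StatusMovedPermanently)
}

// TLSConfig refuses TLS 1.0 and 1.1 (PCI DSS does not allow them for
// payment pages); Go's default cipher suite selection is kept.
func TLSConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12}
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/checkout", func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("checkout page\n"))
	})

	// Port 80 only redirects; no application handler is reachable over HTTP.
	go func() {
		log.Fatal(http.ListenAndServe(":80", http.HandlerFunc(RedirectToHTTPS)))
	}()

	srv := &http.Server{
		Addr:      ":443",
		Handler:   SecureHeaders(mux),
		TLSConfig: TLSConfig(),
	}
	// cert.pem / key.pem are placeholder paths (assumption for the example).
	log.Fatal(srv.ListenAndServeTLS("cert.pem", "key.pem"))
}
```

A 301 is the conventional answer for an HTTP request to an HTTPS-only site; it is deliberately not a fix for data that was already sent over HTTP, which is why the checkout form must never be reachable on port 80 in the first place.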

Hint: It is good practice not to rely only on the transport security of HTTPS. Encrypt the payment fields at the application layer as well, for example in JavaScript in the browser with the payment processor's public key (RSA or similar), so that the card data is readable only by the processor. Good client-side libraries exist for this, and most processors offer a JavaScript SDK or hosted fields that do exactly that and greatly reduce your PCI DSS scope. Be clear about what this buys you: the JavaScript travels over the same HTTPS connection, so it does not protect against a compromised TLS session; what it does guarantee is that your own servers, logs and backups never hold the plaintext card number.

2) Mask or hide all the payment information while displaying on screen.

  • Almost the whole card number must be hidden on screen; show only the last four digits. (PCI DSS allows at most the first six and last four to be displayed, and only to staff with a business need for the BIN.) Each hidden digit is usually replaced with an asterisk.
  • The verification code must be completely hidden on screen in any of its forms: CVV, CVV2, CVC2, CID. This means you must not let the application echo the code while it is being typed; show asterisks instead. Unlike the card number, the code must also never be stored after authorization, not even encrypted.
  • The expiration date can be shown; it is not sensitive by itself.
  • Name, address and other personally identifiable information can also be shown on screen, but be careful: storing them may put you under data-protection laws, federal or international.
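The masking rules of section 2 as Go functions, added here as an example (not code from the original post): one view for customers (last four only), one for back-office staff (BIN plus last four, the PCI DSS maximum), and a verification-code mask that never returns a digit. The four-digit grouping and the specific sample numbers are assumptions for the example; the numbers are the public test card numbers, not real cards.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

var separators = strings.NewReplacer(" ", "", "-", "")

// normalizePAN strips the spaces and dashes customers type and rejects
// anything that is not 13 to 19 digits, so a malformed value is never
// echoed back verbatim, neither on screen nor in an error message.
func normalizePAN(pan string) (string, error) {
	digits := separators.Replace(pan)
	if len(digits) < 13 || len(digits) > 19 {
		return "", errors.New("card number must have 13 to 19 digits")
	}
	for _, c := range digits {
		if c < '0' || c > '9' {
			return "", errors.New("card number contains non-digit characters")
		}
	}
	return digits, nil
}

// groupDigits inserts a space every four characters ("**** **** **** 1111").
// Brands group differently (Amex is 4-6-5); this is a display simplification.
func groupDigits(s string) string {
	var parts []string
	for len(s) > 4 {
		parts = append(parts, s[:4])
		s = s[4:]
	}
	parts = append(parts, s)
	return strings.Join(parts, " ")
}

// MaskPAN is what customer-facing pages show: the last four digits only.
func MaskPAN(pan string) (string, error) {
	digits, err := normalizePAN(pan)
	if err != nil {
		return "", err
	}
	n := len(digits)
	return groupDigits(strings.Repeat("*", n-4) + digits[n-4:]), nil
}

// MaskPANForStaff keeps the BIN (first six) and the last four, the most
// PCI DSS allows on screen, for back-office roles that truly need the BIN.
func MaskPANForStaff(pan string) (string, error) {
	digits, err := normalizePAN(pan)
	if err != nil {
		return "", err
	}
	n := len(digits)
	return groupDigits(digits[:6] + strings.Repeat("*", n-10) + digits[n-4:]), nil
}

// MaskCVV reveals nothing but the length of the code (3 or 4 digits).
func MaskCVV(cvv string) string {
	return strings.Repeat("*", len(cvv))
}

func main() {
	// Constructed inputs: two public test numbers and two malformed values.
	for _, pan := range []string{"4111 1111 1111 1111", "3782-822463-10005", "4111 1111 1111", "4111x1111111111111"} {
		m, err := MaskPAN(pan)
		if err != nil {
			fmt.Printf("%q -> rejected: %v\n", pan, err)
			continue
		}
		s, _ := MaskPANForStaff(pan)
		fmt.Printf("%q -> customer %s | staff %s\n", pan, m, s)
	}
	fmt.Println("cvv:", MaskCVV("123"))
}
```

The rejection path matters as much as the masking: an input that fails validation must not be shown back to the user or written to an error log, because that is exactly how a card number ends up in plaintext where nobody expected it.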

3) Once the data leaves the client side, do not let it be printed or stored anywhere unless you really, really have to.

  • Applications use different kinds of logs to track the data flow and to troubleshoot any problem that might arise. Logging is good for that; what is not good is printing credit card (CC) information in those logs. Scrub your logs and guarantee that no card data ends up in a log, configuration or temporary file (request/response dumps, stack traces and crash reports are the usual culprits). Remember, CC information must be ephemeral within your environment: the longer you hold it, the more exposed you are on the Internet. An attacker who gets in can easily tell whether a website or application is storing sensitive information, so the only lever left to you is to reduce the time the information is processed and kept.

Hint: Ask yourself: is it really necessary for my business to store this information on my platform, or am I doing it out of an unmeasured hunger for data, presumably for statistical purposes? And how much of all that data do I really use for those statistics?

4) Use a recognized payment processor or payment service provider.

  • There are many payment service providers but only a few take information security seriously. If you detect that your provider is breaking any of the simple rules mentioned here, walk away and look for another one. They must use HTTPS on every exposed service, they must mask the information when displaying it on screen, they must store the minimum amount of information and not everything, they must use current cryptographic protocols and algorithms when protecting data, and they must also verify that your site or application sticks to these minimum requirements.

5) Check your systems frequently. Remember, not storing sensitive information today doesn't mean you won't be storing it tomorrow.

  • At any time an attacker could plant malware or change your configuration so that your application or website starts storing sensitive information on their behalf (a skimming script injected into the checkout page or a log level switched to debug is enough), and you would probably not even notice. Scan your logs, file systems and databases for card numbers on a schedule and alert on any hit.
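A scrubber and scanner for the points in sections 3 and 5, added here as an example (not code from the original post): it finds card-number-shaped digit runs, keeps only those that pass the Luhn check to weed out order and request IDs, redacts them and any verification-code field before a log line is written, and counts hits per file for a scheduled scan. The log lines, file names and contents are constructed for the example; the card numbers are public test numbers.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// candidatePAN matches 13 to 19 digits optionally separated by single
// spaces or dashes, the way card numbers usually show up in logs.
var candidatePAN = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// cvvPair matches a verification-code field written as key=value or key: value.
var cvvPair = regexp.MustCompile(`(?i)\b(cvv2?|cvc2?|cid|csc)(\s*[=:]\s*"?)(\d{3,4})\b`)

var separators = strings.NewReplacer(" ", "", "-", "")

// LuhnValid reports whether a digit string passes the Luhn check that every
// card number satisfies. It removes most false positives (timestamps,
// order and request IDs) but not all: a random 16-digit number passes one
// time in ten, so a log scrubber should prefer to over-redact.
func LuhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		c := digits[i]
		if c < '0' || c > '9' {
			return false
		}
		d := int(c - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(digits) > 0 && sum%10 == 0
}

// FindPANs returns every Luhn-valid card number in text, digits only.
// Run it over log files, config dumps, temp directories and database
// exports to learn whether card data is being stored after all (section 5).
func FindPANs(text string) []string {
	var found []string
	for _, m := range candidatePAN.FindAllString(text, -1) {
		if d := separators.Replace(m); LuhnValid(d) {
			found = append(found, d)
		}
	}
	return found
}

// RedactLine is the filter a log pipeline applies before a line is written:
// card numbers keep only their last four digits, verification codes are
// replaced entirely (section 3).
func RedactLine(line string) string {
	out := candidatePAN.ReplaceAllStringFunc(line, func(m string) string {
		d := separators.Replace(m)
		if !LuhnValid(d) {
			return m // digit run that is not a card number: leave it readable
		}
		return strings.Repeat("*", len(d)-4) + d[len(d)-4:]
	})
	return cvvPair.ReplaceAllString(out, "${1}${2}***")
}

// ScanFiles counts card numbers per file; the map stands in for a directory walk.
func ScanFiles(files map[string]string) map[string]int {
	counts := map[string]int{}
	for name, content := range files {
		counts[name] = len(FindPANs(content))
	}
	return counts
}

// SampleLog is constructed for this example (public test numbers, not real cards).
const SampleLog = `2023-05-04T10:15:01Z INFO order=8812 card=4111 1111 1111 1111 cvv=123 amount=49.90
2023-05-04T10:15:02Z DEBUG request_id=1234567890123 status=200
2023-05-04T10:15:03Z INFO order=8813 card=5500-0000-0000-0004 exp=12/27 CVC2: 9876
2023-05-04T10:15:04Z INFO order=8814 card=3782 822463 10005 amount=120.00`

func main() {
	for _, line := range strings.Split(SampleLog, "\n") {
		fmt.Println(RedactLine(line))
	}
	// Constructed "files": the cache entry is the kind of thing section 5 warns about.
	fmt.Println(ScanFiles(map[string]string{
		"app.log":              SampleLog,
		"config.yml":           "db_host: 10.0.0.5\nlog_level: debug\n",
		"cache/tmp_order.json": `{"card":"5500000000000004","exp":"12/27"}`,
	}))
}
```

The second sample line is the point of the Luhn check: request_id=1234567890123 is card-shaped but fails Luhn, so it stays readable, while the Visa, Mastercard and Amex numbers (three different separators and lengths) are all caught. Expiration dates are left alone, matching section 2.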

6) If you must store sensitive information like the card number it must be encrypted or tokenized.

  • Most of the time you will not need the complete card number, only the last four digits or the BIN, but if, for business purposes, you need the complete number you must store it encrypted with an approved encryption algorithm (AES-256, for example) or tokenized using a tokenization service or tokenization hardware. If you decide to use encryption you must also protect the encryption keys and the encryption/decryption processes: keep the keys out of the application database, ideally in an HSM or key-management service, and restrict which components are allowed to decrypt. A plain hash of the card number is not an acceptable substitute: with the BIN and the last four digits known, the remaining digits are few enough to brute-force. Tokenization has become the easier way to protect this kind of data because of its simplicity for the client: the application stores a random token that is useless to an attacker, and only the vault can map it back to the card number.
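A minimal token vault of the kind section 6 describes, added here as an example (not code from the original post or any real tokenization product): the application keeps only a random token, the BIN and the last four digits, while the vault stores the card number encrypted with AES-256-GCM and is the only component that can recover it. The in-memory map stands in for the vault's database and the randomly generated key stands in for one fetched from a KMS or HSM; both are assumptions for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"log"
)

// CardRecord is everything the application database is allowed to keep.
type CardRecord struct {
	Token string // random, unrelated to the card number; safe to store and log
	BIN   string // first six digits, for routing and reporting
	Last4 string // for display (section 2)
}

// TokenVault stands in for a tokenization service: it owns the
// data-encrypting key and the token -> ciphertext mapping, and lives in a
// separate, more tightly controlled system than the web application.
type TokenVault struct {
	aead  cipher.AEAD
	store map[string][]byte // token -> nonce || ciphertext
}

// NewTokenVault takes a 32-byte key (AES-256). The key never leaves the vault.
func NewTokenVault(key []byte) (*TokenVault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &TokenVault{aead: aead, store: map[string][]byte{}}, nil
}

// Tokenize encrypts the card number under a fresh nonce, files it under a
// random token and returns only what the application may keep.
func (v *TokenVault) Tokenize(pan string) (CardRecord, error) {
	if len(pan) < 13 || len(pan) > 19 {
		return CardRecord{}, errors.New("card number must have 13 to 19 digits")
	}
	for _, c := range pan {
		if c < '0' || c > '9' {
			return CardRecord{}, errors.New("card number contains non-digit characters")
		}
	}
	raw := make([]byte, 16)
	if _, err := io.ReadFull(rand.Reader, raw); err != nil {
		return CardRecord{}, err
	}
	token := "tok_" + hex.EncodeToString(raw)
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return CardRecord{}, err
	}
	// The token is bound in as associated data: a ciphertext copied under
	// another token, or a modified one, will fail authentication.
	ct := v.aead.Seal(nil, nonce, []byte(pan), []byte(token))
	v.store[token] = append(nonce, ct...)
	return CardRecord{Token: token, BIN: pan[:6], Last4: pan[len(pan)-4:]}, nil
}

// Detokenize is the only path back to the card number and should be
// reachable only from the component that submits the charge to the processor.
func (v *TokenVault) Detokenize(token string) (string, error) {
	blob, ok := v.store[token]
	if !ok {
		return "", errors.New("unknown token")
	}
	ns := v.aead.NonceSize()
	pt, err := v.aead.Open(nil, blob[:ns], blob[ns:], []byte(token))
	if err != nil {
		return "", errors.New("ciphertext failed integrity check")
	}
	return string(pt), nil
}

func main() {
	// Stand-in for a key obtained from a KMS/HSM; generated here so the
	// example runs offline. Never hard-code or commit a real key.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		log.Fatal(err)
	}
	vault, err := NewTokenVault(key)
	if err != nil {
		log.Fatal(err)
	}
	rec, err := vault.Tokenize("4111111111111111") // public test number
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("application stores: %+v\n", rec)
	pan, err := vault.Detokenize(rec.Token)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("charging component receives:", pan)
}
```

Because the token is random rather than derived from the card number, a leaked application database gives an attacker nothing to brute-force; the BIN and last four are kept alongside it precisely so that the application never needs to call Detokenize for display or reporting.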

These were just a few recommendations for protecting card information in e-commerce web sites and applications. If you would like to go deeper into one of the topics, or you have another one to mention, just leave a comment below.