Welcome to the fourth edition of The ISO27000 Newsletter, designed to keep you abreast of news and developments with respect to ISO 17799 and information security.
The information contained in this newsletter is absolutely free to our subscribers and provides guidance on various practical issues, plus commentary on recent Information Security incidents.
Guidance and information included in this issue:
CREDIT CARD TRANSACTIONS: MINIMIZE THE RISKS
The use of credit and debit cards to purchase goods and services has become an everyday convenience that we take for granted, but there are associated information security risks which we should pause to consider, especially when making payments over the Internet.
Web sites are becoming an increasingly popular means of purchasing goods and services, but they have also become popular targets for cyber criminals, who often use stolen credit card numbers to purchase goods, which can then be easily exchanged for cash. There are also relatively simple technologies now readily available which could be used by hackers to surreptitiously steal vast amounts of money, a few pounds at a time, from millions of people. A survey by the IT research company Gartner (http://www.gartner.com) predicted that Internet crime involving the "mass victimization" of consumers could take place by the end of this year.
We recommend the following best practice guidelines to minimize the risks involved in credit card transactions:
- Ensure that credit cards used to purchase goods or services on the Internet have a low credit limit, or if debit cards are used, that they have limited funds and are only topped up to cover specific Internet purchases.
- Lost or stolen credit card details may be used for Internet transactions. Inform the card issuer and the relevant person within your organization immediately if a company credit card is lost or stolen.
- All expenses incurred through Internet transactions should be carefully audited on a regular basis for any anomalies.
- If the security of a Web site is in doubt, any confidential information posted to it may be exposed to people with malicious intent. Be extremely cautious when posting confidential details on any site where the Internet Service Provider hosting the site is not verified. Note that we have pre-checked all sites referenced in this newsletter for security!
- If ordering by telephone using a credit card, ensure that you are talking to the correct person. If you are unsure whether the organization you are dealing with will handle your details sensitively, pay by some other means.
- Only enter credit card details on a Web site if you are confident of its authenticity and that the connection is secure: the prefix https (as opposed to the usual http) in the Web site address indicates a secure connection.
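
One way to carry out the regular audit of Internet expenses recommended above, as an added example that is not part of the original newsletter: it looks for the "few pounds at a time" pattern in expense records. The records, merchant names, approved-merchant list and thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict
from decimal import Decimal

# Constructed sample expense records: (date, card, merchant, amount in pounds).
SAMPLE = [
    ("2024-03-01", "card-A", "Office Supplies Ltd", "84.10"),
    ("2024-03-02", "card-A", "QX-Billing", "2.99"),
    ("2024-03-02", "card-B", "QX-Billing", "2.99"),
    ("2024-03-03", "card-C", "QX-Billing", "2.99"),
    ("2024-03-04", "card-B", "Rail Tickets Online", "41.50"),
    ("2024-03-05", "card-C", "Stationery Direct", "3.20"),
    ("2024-04-02", "card-A", "QX-Billing", "2.99"),
]
# Assumption: the organization keeps a list of merchants it expects to see.
KNOWN_MERCHANTS = {"Office Supplies Ltd", "Rail Tickets Online", "Stationery Direct"}
SMALL = Decimal("5.00")  # assumed cut-off for "a few pounds"
MIN_CARDS = 2            # assumed: same small charge on this many cards is flagged


def audit(records, known=KNOWN_MERCHANTS, small=SMALL, min_cards=MIN_CARDS):
    """Return findings as (reason, merchant, amount, cards) for small charges."""
    groups = defaultdict(list)  # (merchant, amount) -> cards charged
    for _date, card, merchant, amount in records:
        amt = Decimal(amount)  # Decimal avoids float rounding on currency
        if amt <= small:
            groups[(merchant, amt)].append(card)

    findings = []
    for (merchant, amt), cards in sorted(groups.items()):
        distinct = sorted(set(cards))
        if merchant not in known:
            findings.append(("unrecognised merchant", merchant, amt, distinct))
        if len(distinct) >= min_cards:
            findings.append(("same amount on several cards", merchant, amt, distinct))
        repeats = sorted(c for c, n in Counter(cards).items() if n > 1)
        if repeats:
            findings.append(("repeated on the same card", merchant, amt, repeats))
    return findings


if __name__ == "__main__":
    for reason, merchant, amt, cards in audit(SAMPLE):
        print(f"{merchant} £{amt}: {reason} ({', '.join(cards)})")
```

A small charge from a known merchant on a single card produces no finding, so the output stays short enough to review by hand.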