T4.3.1 - ELECTRONIC COMMERCE Implementation Guidance
The entity shall protect information involved in electronic commerce passing over public networks from fraudulent activity, contract dispute, and unauthorized disclosure and modification.
Security considerations for electronic commerce should include the following:
- A. The level of confidence each party requires in the other's claimed identity, e.g. through authentication;
- B. Authorization processes associated with who may set prices, issue or sign key trading documents;
- C. Ensuring that trading partners are fully informed of their authorizations;
- D. Determining and meeting requirements for confidentiality, integrity, proof of dispatch and receipt of key documents, and the non-repudiation of contracts, e.g. associated with tendering and contract processes;
- E. The level of trust required in the integrity of advertised price lists;
- F. The confidentiality of any sensitive data or information;
- G. The confidentiality and integrity of any order transactions, payment information, delivery address details, and confirmation of receipts;
- H. The degree of verification appropriate to check payment information supplied by a customer;
- I. Selecting the most appropriate settlement form of payment to guard against fraud;
- J. The level of protection required to maintain the confidentiality and integrity of order information;
- K. Avoidance of loss or duplication of transaction information;
- L. Liability associated with any fraudulent transactions;
- M. Insurance requirements.
Many of the above considerations can be addressed by the application of cryptographic controls taking into account compliance with legal requirements.
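As an added illustration of how cryptographic controls map onto considerations D, G and K (integrity, non-repudiation, proof of receipt, and avoidance of duplicated transactions), the following Go program is example code written for this page, not part of the control text or any product. It assumes a constructed order format, Ed25519 keys held by the buyer and the seller, and an in-memory record of processed order ids; the buyer signs each order so the seller can verify origin and integrity, the seller refuses replays of an already-processed order id, and the seller returns a signed receipt that the buyer can later present as proof that exactly this order was received.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Order is a hypothetical key trading document (constructed for this example).
// Struct field order is fixed, so json.Marshal yields a canonical byte string to sign.
type Order struct {
	OrderID  string `json:"order_id"`
	Buyer    string `json:"buyer"`
	Item     string `json:"item"`
	Amount   int64  `json:"amount_cents"`
	Currency string `json:"currency"`
}

// SignedOrder carries the order and the buyer's Ed25519 signature over its canonical form.
type SignedOrder struct {
	Order     Order  `json:"order"`
	Signature []byte `json:"signature"`
}

// Receipt is the seller's signed proof of receipt for one specific order.
type Receipt struct {
	OrderID     string `json:"order_id"`
	OrderDigest string `json:"order_digest"` // hex SHA-256 of the canonical order
	Signature   []byte `json:"signature"`
}

var (
	ErrBadSignature = errors.New("order signature does not verify")
	ErrDuplicate    = errors.New("order id already processed")
)

func canonical(o Order) []byte {
	b, err := json.Marshal(o)
	if err != nil {
		panic(err) // a struct of plain scalar fields cannot fail to marshal
	}
	return b
}

// SignOrder: the buyer signs the canonical order. Only the buyer holds the private
// key, so a valid signature is evidence the buyer authorised this exact document.
func SignOrder(priv ed25519.PrivateKey, o Order) SignedOrder {
	return SignedOrder{Order: o, Signature: ed25519.Sign(priv, canonical(o))}
}

// VerifyOrder checks origin and integrity against the buyer's public key.
func VerifyOrder(pub ed25519.PublicKey, so SignedOrder) error {
	if !ed25519.Verify(pub, canonical(so.Order), so.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Seller accepts orders and rejects replays of an order id it already processed.
type Seller struct {
	priv ed25519.PrivateKey
	seen map[string]bool // hypothetical in-memory store; a real system persists this
}

func NewSeller(priv ed25519.PrivateKey) *Seller {
	return &Seller{priv: priv, seen: map[string]bool{}}
}

// Accept verifies the signature, de-duplicates by order id, and returns a signed receipt.
func (s *Seller) Accept(buyerPub ed25519.PublicKey, so SignedOrder) (Receipt, error) {
	if err := VerifyOrder(buyerPub, so); err != nil {
		return Receipt{}, err
	}
	if s.seen[so.Order.OrderID] {
		return Receipt{}, ErrDuplicate
	}
	s.seen[so.Order.OrderID] = true
	digest := sha256.Sum256(canonical(so.Order))
	r := Receipt{OrderID: so.Order.OrderID, OrderDigest: hex.EncodeToString(digest[:])}
	r.Signature = ed25519.Sign(s.priv, []byte(r.OrderID+"|"+r.OrderDigest))
	return r, nil
}

// VerifyReceipt lets the buyer prove the seller received exactly this order.
func VerifyReceipt(sellerPub ed25519.PublicKey, r Receipt, so SignedOrder) bool {
	digest := sha256.Sum256(canonical(so.Order))
	if r.OrderID != so.Order.OrderID || r.OrderDigest != hex.EncodeToString(digest[:]) {
		return false
	}
	return ed25519.Verify(sellerPub, []byte(r.OrderID+"|"+r.OrderDigest), r.Signature)
}

func main() {
	buyerPub, buyerPriv, _ := ed25519.GenerateKey(rand.Reader)
	sellerPub, sellerPriv, _ := ed25519.GenerateKey(rand.Reader)
	seller := NewSeller(sellerPriv)

	// Constructed sample order.
	order := Order{OrderID: "ORD-0001", Buyer: "acme-corp", Item: "widget", Amount: 12500, Currency: "EUR"}
	so := SignOrder(buyerPriv, order)

	rcpt, err := seller.Accept(buyerPub, so)
	fmt.Println("first submission:", err, "receipt verifies:", VerifyReceipt(sellerPub, rcpt, so))

	_, err = seller.Accept(buyerPub, so) // same order submitted twice (consideration K)
	fmt.Println("replay:", err)

	tampered := so
	tampered.Order.Amount = 125 // amount altered in transit; signature no longer matches
	_, err = seller.Accept(buyerPub, tampered)
	fmt.Println("tampered:", err)
}
```

Two design points worth noting: signing a canonical encoding (fixed field order) rather than whatever bytes arrived avoids signature mismatches caused by harmless re-serialisation, and the duplicate check must happen after signature verification, otherwise an attacker could poison the seen-set with forged order ids and cause a later genuine order to be rejected. A shared-secret MAC would give integrity but not non-repudiation, because either party could have produced it; an asymmetric signature is what lets the seller hold the buyer to the order, and the signed receipt does the same in the other direction.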
Electronic commerce arrangements between trading partners should be supported by a documented agreement which commits both parties to the agreed terms of trading, including details of authorization (see item B above). Other agreements with information service and value added network providers may be necessary.
Public trading systems should publicize their terms of business to customers. Consideration should be given to the resilience to attack of the host(s) used for electronic commerce, and the security implications of any network interconnection required for the implementation of electronic commerce services.