T4.3.2 - ON-LINE TRANSACTIONS Implementation Guidance
The entity shall protect information involved in on-line transactions against incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.
Security considerations for on-line transactions should include the following:
- A. The use of electronic signatures by each of the parties involved in the transaction
- B. All aspects of the transaction, i.e. ensuring that
  1- User credentials of all parties are valid and verified
  2- The transaction remains confidential
  3- Privacy associated with all parties involved is retained
- C. Communications path between all involved parties is encrypted
- D. Protocols used to communicate between all involved parties are secured
- E. Ensuring that the storage of the transaction details is located outside of any publicly accessible environment, e.g. on a storage platform existing on the organizational Intranet, and not retained and exposed on a storage medium directly accessible from the Internet
- F. Where a trusted authority is used (e.g. for the purposes of issuing and maintaining digital signatures and/or digital certificates) security is integrated and embedded throughout the entire end-to-end certificate/signature management process
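As an added illustration (not part of the guidance text), the receiver below checks an inbound transaction envelope against each threat named in the control: incomplete transmission, mis-routing, alteration, and duplication or replay. It assumes a constructed shared key and uses an HMAC as a stand-in for the per-party electronic signature so that it runs with the standard library alone; a real deployment would use a proper digital signature and a persistent nonce ledger.

```python
import hmac, hashlib, json, time

# Constructed demo key: stands in for a party's signing key (HMAC here, not a
# true digital signature, so the example needs only the standard library).
DEMO_KEY = b"constructed-demo-key-not-for-production"
REQUIRED = ("sender", "recipient", "nonce", "ts", "body")
MAX_AGE_SECONDS = 300  # accepted clock skew / delivery window


def _canon(fields: dict) -> bytes:
    """Canonical JSON so sender and receiver MAC exactly the same bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_envelope(fields: dict, key: bytes = DEMO_KEY) -> dict:
    """Attach a MAC covering every field, including recipient and nonce."""
    return {**fields, "mac": hmac.new(key, _canon(fields), hashlib.sha256).hexdigest()}


class TransactionReceiver:
    """Verifies envelopes addressed to one endpoint; returns a reason code."""

    def __init__(self, my_id: str, key: bytes = DEMO_KEY):
        self.my_id, self.key = my_id, key
        self.seen_nonces = set()  # replay ledger; persist it in a real system

    def verify(self, env: dict, now=None) -> str:
        now = time.time() if now is None else now
        if any(f not in env for f in REQUIRED) or "mac" not in env:
            return "incomplete"  # incomplete transmission: fields missing
        body = {k: v for k, v in env.items() if k != "mac"}
        expected = hmac.new(self.key, _canon(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, env["mac"]):
            return "tampered"  # unauthorized alteration of any covered field
        if env["recipient"] != self.my_id:
            return "misrouted"  # signed recipient does not name this endpoint
        if abs(now - env["ts"]) > MAX_AGE_SECONDS or env["nonce"] in self.seen_nonces:
            return "replay"  # stale, or nonce already accepted (duplicate/replay)
        self.seen_nonces.add(env["nonce"])
        return "ok"


def demo() -> list:
    """Constructed envelopes exercising each outcome, in order."""
    rx, now = TransactionReceiver("bank-api"), 1_700_000_010
    good = sign_envelope({"sender": "customer-42", "recipient": "bank-api",
                          "nonce": "n-0001", "ts": 1_700_000_000, "body": {"amount": 100}})
    results = [rx.verify(good, now), rx.verify(good, now)]  # accepted, then replayed
    results.append(rx.verify({**good, "body": {"amount": 100000}}, now))  # altered
    other = sign_envelope({**{k: good[k] for k in REQUIRED}, "recipient": "other-api"})
    results.append(rx.verify(other, now))  # valid signature, wrong endpoint
    results.append(rx.verify({"sender": good["sender"], "mac": good["mac"]}, now))
    return results
```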