
Watson Hall

Financial services e-commerce case study
website and web application security

Watson Hall Ltd London 020 7183 3710 Edinburgh 0131 510 2001 info@watsonhall.com www.watsonhall.com

Developing a new web application provides an opportunity to implement security best practice from the start. Management of the complete development lifecycle from requirements analysis through to configuration, deployment and operations should continually address security issues to ensure a safe and risk-minimised project.

Background
A financial organisation in the City of London was looking to develop a small number of e-commerce applications for its customers. These would reference its internal customer systems, which had been developed by a development house with whom the organisation had had a good working relationship over a number of years. However, the standards and regulations that had to be met were different for the internal processing systems and for the new web-enabled application. The organisation is regulated by the Financial Services Authority (FSA) [1], also wished to move towards implementing ISO/IEC 17799 [2], and was concerned about the best way to undertake the development and manage the process. The new web e-commerce applications would include taking online payments using debit and credit cards, and setting up and amending paperless direct debit mandates. These processes were to be implemented on the organisation's own hosting facilities, but required interaction with remote services for payment card authorisation. The Payment Card Industry Data Security Standard (PCI DSS) [3], issued by the PCI Security Standards Council [4], therefore had to be considered thoroughly to ensure compliance.

Approach
The organisation's in-house information systems and communications staff were managing the development and implementation, working with colleagues in the marketing and customer service departments who had jointly defined the new e-commerce processes required. Work was already underway on the functional specification by in-house staff and a member of the offshore development company. Advice was primarily given on the development methodology and on security best practice for application coding and testing. This required working with the project manager, the offshore developers' representative, senior IT management, other stakeholders within the organisation and external parties such as service providers and auditors. As part of the appointment, information on systems architecture, systems configuration and monitoring was also provided.

During the development process, version 1.1 of the PCI DSS was issued and the changes had to be reviewed to check whether existing decisions needed to be altered to ensure compliance. The changes which had most effect were:

- Cross-checking that system component configurations met the hardening best practice published by US organisations such as the SANS (SysAdmin, Audit, Network, Security) Institute [5], the National Institute of Standards and Technology (NIST) [6] and the Center for Internet Security (CIS) [7] (PCI DSS requirement 2.2)
- Reviewing the effect of hosting provider requirements (PCI DSS requirement 2.4)
- Disabling transfer of cardholder data to remote devices (PCI DSS requirement 12.3.10)
- Management of connected entities to ensure they are PCI DSS compliant (PCI DSS requirement 12.10)

Benefits
The development phase benefited from the following.

- Reduced security risks – Tackling security from the start designed out many potential risks and mitigated others, reducing the number of issues found by code review, application penetration testing and network penetration testing which then needed to be addressed by the offshore development team.
- Reduced delays – The application delivered for initial acceptance testing and code review was at a much higher security standard than might otherwise have been received, speeding the development cycle.
- Cost minimisation – With a relatively small time input from consultants, it was possible to build a project with full compliance which also met the requirements and expectations of stakeholders.
- Compliance with regulations – By assessing the application against the regulations, a consensus view was achieved more quickly, helping to keep the participants in the project motivated and avoiding cost-increasing delays.

S1-2009-1.1

References
1. Financial Services Authority (FSA) http://www.fsa.gov.uk/
2. ISO/IEC 17799:2005 Information technology - Security techniques - Code of practice for information security management http://www.iso.org/iso/en/prods-services/popstds/informationsecurity.html
3. Payment Card Industry Data Security Standard (PCI DSS), Version 1.1, September 2006 (version 1.2 is now applicable) https://www.pcisecuritystandards.org/tech/download_the_pci_dss.htm
4. PCI Security Standards Council https://www.pcisecuritystandards.org/
5. The SANS (SysAdmin, Audit, Network, Security) Institute http://www.sans.org/
6. The National Institute of Standards and Technology (NIST) http://www.nist.gov/
7. The Center for Internet Security (CIS) http://www.cisecurity.org/

Why Watson Hall?
Watson Hall provides independent, supportive advice to existing teams, and can facilitate the internal dialogue between technical and non-technical teams, assisting with balancing security risk and business needs. To discuss any security matters in confidence and without obligation, telephone us on 020 7183 3710 or use the enquiry form on our website at http://www.watsonhall.com/form/

Watson Hall Ltd is a limited company registered in England no 6004969 at North Bastle, Gatehouse, Northumberland, NE48 1NG, United Kingdom.