e-Commerce Security - Trading Partner Identification, Registration and Enrollment

Table of Contents

EXECUTIVE SUMMARY ..... 3
  ABSTRACT ..... 3
  PREFACE
INTRODUCTION ..... 5
  The Banking Analogy ..... 5
  The Security Process ..... 6
  Trusted Third Parties (TTP) ..... 9
  Business Objectives ..... 10
KNOWING THE CUSTOMER ..... 11
  Identification Policy ..... 11
  Recognizing Enterprises ..... 11
  News Publishers ..... 12
  Travel Expense Card ..... 13
  Leading Providers of Business-to-Business (B2B) Credit Information Services ..... 13
  New Credit Card Merchant ..... 13
  Online Stock Trading Accounts ..... 13
ESTABLISHING A SECURE RELATIONSHIP ..... 15
  First Contact ..... 15
  The Need for Trust ..... 15
  Trust Levels ..... 16
  Individual Consumers ..... 17
  Organizations ..... 18
THE ROLE OF TRUSTED THIRD PARTIES ..... 20
  Financial Intermediaries ..... 21
  Holders ..... 22
  Mail Services and Couriers ..... 22
  Internet Service Providers and Telecommunications Carriers ..... 24
  Guarantors ..... 27
  Verifiers ..... 28
  Credit Bureaus ..... 28
  Point of Sale Systems ..... 30
  Certificate Authorities ..... 30
  The Use of Escrow ..... 31
CARRYING IDENTIFICATION FORWARD ..... 32
  Identification and Authentication ..... 32
  Recording the Identity of Trading Partners ..... 33
  Creating a Record ..... 34
  Sharing a Secret ..... 35
  Characteristics of a Shared Secret ..... 35
  Distribution of a Shared Secret ..... 36
  Creating a Public Key ..... 38
  Exchanging a Public Key ..... 39
  Obtaining a Digital Certificate ..... 40
  Exchanging a Certificate ..... 42
  "Cookies" ..... 42
  Virtual Wallets ..... 43
  Other Credentials ..... 44
SIGNATURES ..... 46
  Traditional Concept of a Signature ..... 46
  Limitations of Signatures ..... 47
  Repudiation ..... 47
  Reversibility ..... 48
  Public Key Cryptography ..... 48
  Electronic Signatures ..... 49
  Digital Signatures ..... 50
  Digital Certificates ..... 51
  E-mail Addresses ..... 53
  Directories ..... 53
  IP Addresses ..... 54
  Certificate Authorities ..... 55
  Certification Practices ..... 57
COMPENSATING CONTROLS ..... 59
  Infrastructural Controls ..... 59
  Capabilities of the Internet ..... 59
  Limitations of the Internet ..... 60
  Business Process Controls ..... 61
  E-commerce in Context ..... 61
  Time-of-sale Controls ..... 63
  Periodic Controls ..... 63
MAINTAINING ANONYMITY – ELECTRONIC CASH ..... 65
  The Need for e-Cash ..... 65
  Anonymity versus Security ..... 66
  Online and Off-Line Systems ..... 66
  Smart Cards ..... 67
  E-Credit ..... 68
  Online E-Cash ..... 69
GLOSSARY ..... 72
FREQUENTLY ASKED QUESTIONS (FAQ) ..... 76
SELF ASSESSMENT QUESTIONNAIRE ..... 78
  Policy for Selecting Trading Partners ..... 78
  Controls over the Identification of Trading Partners ..... 78
  Controls over Creation of Trading Partner Records ..... 78
  Controls over the Distribution of Credentials ..... 79
  Results ..... 79
RECOMMENDATIONS FOR THE AUDIT PROFESSIONAL ..... 80
APPENDIX A: RECOMMENDED READING MATERIALS ..... 82
APPENDIX B: VERISIGN CERTIFICATE PRACTICES STATEMENT ..... 83
APPENDIX C: SELECTION AND IDENTIFICATION OF TRADING PARTNERS
APPENDIX D: CREATION, STORAGE AND MAINTENANCE OF TRADING PARTNER RECORDS
FOOTNOTES