Securing Your Payment Processing Environment

While SET reduces the risk of theft of payment card information while en route between end-entities, it does nothing to ensure the security of the environments in which it''s installed. It''s the Merchant''s responsibility to define a security policy for any hardware or software they install. Here are some things you should consider when developing such a policy:

• Dedicate a server and a firewall to your Merchant Server and POS software, insulating them both from the Internet and from other domains within your organization. Remove all unnecessary server software that''s not specifically for operational purposes. This may include language compilers, Perl libraries, administrative utilities, and factory-supplied log-ins and passwords.
• Only open SET-defined protocol ports to computers outside your firewall.
• The firewall should not allow FTP or telnet or remain open on other ports.
• Don''t operate software such as FTP, telnet, or e-mail systems on the Merchant Server and POS hardware.
• Whenever remote operations (telnet, xterm, etc.) are needed, make sure the Secured Socket Handler (SSH) and Secure Copy (SCP) are used.
• HTTPD and/or Merchant Server software connections should never be made directly into the POS software (use the APIs instead).
• HTTPD and/or Merchant Server software should be protected against hostile browsers.

In addition to the security of the POS software and the Merchant Server software, webmasters or security administrators should also ensure that all transaction-related information is not vulnerable to outside attacks.

In many purchase transactions, Payment Gateways can be instructed to return the Cardholder''s account number for payment reconciliation, auditing, and dispute processing. It is critical that these data be securely stored. Databases should be password-protected, and the system should be configured to guarantee that unauthorized access is not possible.

Once the SET POS software and requisite Merchant Digital Certificates are successfully installed, your Merchant Server is prepared for Phase 0 of the on-line payment card transaction, as discussed in Chapter 2.

In Chapter 11, we begin to connect the pieces of SET into a series of processing steps to perform useful work. There you''ll find specific protocols to obtain all types of digital certificates, normal and optional payment processing flows, and a discussion of how batch administration work is conducted.

By Mark S. Merkow, James Breithaupt, and Ken Wheeler, Building SET Applications For Secure Transactions (Introduction, Chapters 1, 9, 10). Copyright © 1998 Wiley Computer Publishing. Reproduced with permission of Wiley Computer Publishing. All Rights Reserved. No further copying of this material is allowed without the prior written permission of the publisher.