
E-Commerce Guidelines

Security

Prepared by:

Ministry of Transport and Communications(MOTC)

State of Qatar


e-Commerce Guidelines: Security


2018/2019

About the Document

This document contains recommended guidelines for managing the security of the e-commerce ecosystem in Qatar. The primary objective is to ensure that e-commerce businesses, financial institutions, IT service providers and logistics partners adopt best security practices for their businesses. These guidelines should be used as a framework and adhered to.


Table of Contents

1. Introduction ..... 5
    1.1 Background ..... 6
    1.2 E-Commerce ..... 6
    1.3 Key Stakeholders ..... 6
2. Security Guidelines ..... 7
    2.1 Data Protection and Privacy ..... 8
    2.2 Customer Validation ..... 8
    2.3 Customer History and Proprietary Data Analysis ..... 9
    2.4 Aggregated Transactions from Third Parties Analysis ..... 9
    2.5 Purchase Device Tracking ..... 9
    2.6 Others ..... 9
3. Detailed Guidelines ..... 11
    3.1 Data Protection and Privacy ..... 12
    3.2 Customer Validation ..... 16
    3.3 Customer History and Proprietary Data Analysis ..... 17
    3.4 Aggregated Transactions from Third Parties Analysis ..... 18
    3.5 Purchase Device Tracking ..... 19
    3.6 Others ..... 19
Appendix 1: Terms and Definitions ..... 34
Appendix 2: List of Sources ..... 38


1. Introduction


1.1 Background

E-commerce (electronic commerce) is becoming more of a business imperative than ever before as consumer awareness and expectations evolve. The proliferation of high-speed broadband and the availability of a sophisticated Internet infrastructure and Web-enabled mobile devices present increased economic opportunities for government, businesses, and individuals that could have a profound impact on how future business-to-business (B2B) and business-to-consumer (B2C) commerce is conducted.

For the owner of an e-Commerce store, nothing is more important than e-Commerce security. Cyber attackers often specifically target and exploit weaknesses in e-Commerce websites. Such a breach of security quickly erodes the trust that customers place in a business. Businesses that have fallen victim to hacking and data breaches due to insufficient security measures have suffered irreparable damage to their reputation as well as financial consequences. Conversely, a secure online shopping experience promotes sales, as consumers naturally choose to make purchases from a website that is secure. Learning more about the importance of e-Commerce security, and about how to improve it, helps ensure financial security and business growth.

1.2 E-Commerce

E-commerce is the line of business activity in which the process of providing customers with goods or services is carried out by means of electronic devices and the Internet. This form of communication and finalization of sales adds new aspects to data management, sales channels, advertising and the presentation of goods and services, and moreover enables the full cycle of commerce operations, including payments, delivery and refunds.

1.3 Key Stakeholders

With the growing use of technology and information, Organizations should envisage the need for security and for safeguarding the interests of the following key stakeholders:

• Customers/subscribers who need confidence in the organization’s network and the services offered, which includes the availability of services and the protection of their personally identifiable information;

• Regulatory authorities who demand security by legislation and/or directives, in order to ensure availability of e-commerce services and privacy protection;

• Vendors (such as IT Service providers, logistics partners, payment service providers, etc.) who need information security to safeguard the day-to-day operations related to their job functions and to meet their obligations to the customers; and

• E-commerce merchants and financial institutions who need to ensure that the business objectives are fulfilled, that the overall posture of the organisation highlights information security as a culture, that overall investors’ confidence is bolstered, and that vendors and customers feel goodwill towards and comfort with the services.


2. Security Guidelines


2.1 Data Protection and Privacy

Data is a valuable asset that all e-commerce merchants, financial institutions, logistics partners and IT Service Providers (hereafter referred to as Organizations) must manage and protect. Organizations collect, use and store a wide range of personal data, such as personal information records of employees and customers, national ID information, demographic details, contact details, financial information, etc., in order to provide services to customers.

Personal data can be collected when consumers or other individuals sign in on a website, when they want to order a product or service, want to receive newsfeeds, enter a quiz, etc. Every time an individual provides personal data, a record is made in a database concerning that individual. All information about an individual who is identified, or who can reasonably be identified by a combination of information (such as an IP address), must be considered personal data. Data concerning an individual can also be collected in a less direct or less explicit manner, e.g. through the use of cookies that collect data concerning a website visitor. Such data collection is also considered personal data processing if the relevant individual (the data subject) can be identified. The effective use of this data within and across organizations is critical to enhance the ability to formulate policies and to deliver convenient and customer-centric services. Hence, organizations need to define and implement procedures to ensure the Confidentiality, Integrity, Availability and Consistency of all personal data stored in different forms. This guideline document aims at establishing data protection and privacy processes across organizations for managing personal data across its lifecycle.

Organizations shall recognize that the efficient management of their data privacy is necessary to support their core functions, to comply with their statutory and regulatory obligations and to contribute to effective overall management. This guideline explains how customer personal data is protected within and outside organizations.

This guideline is applicable to all personal information/records/data created, received or maintained by the organization and by third party vendors of the organization who have access to customer personal data, wherever these data records are stored and whatever form they are in, in the course of carrying out their designated duties and functions. Data has a natural lifecycle, from creation and origination through storage, processing, use and transmission to its eventual destruction or decay. The value of, and risks to, data assets may vary during their lifetime; however, data protection and privacy remain important at all stages.

2.2 Customer Validation

Customers form the core of any business; therefore it becomes even more important to ensure that the customers registering with an e-commerce merchant are authenticated and validated. This ensures that the merchant is protected from online fraud and from fraud while shipping purchased devices. Customer validation is a critical step that needs to be undertaken before any e-commerce merchant allows customers to avail themselves of any services online.

The objective of this guideline is to provide best practices for Customer Validation for e-commerce merchants, to secure them from e-commerce fraud. Merchants shall be committed to safeguarding their business from e-commerce fraud and losses. The guideline is applicable to all e-commerce merchants and financial institutions in Qatar.

Customer validation is becoming crucial as the complexity of e-commerce attacks is increasing every day. While registering customers, organizations shall undertake the various security measures that are applicable to their ecosystem.


2.3 Customer History and Proprietary Data Analysis

Customer transaction history and data analysis help organizations optimize the customer experience by offering better products. Data analysis helps in tracking customer order velocity, return order rate, average transaction amount, etc. This data can be useful in providing insights about fraudulent customer behavior, online threats, etc. This guideline is for ensuring security for e-commerce merchants and financial institutions in the State of Qatar.

2.4 Aggregated Transactions from Third Parties Analysis

Enabling access to data for all relevant participants in the market creates an opportunity for each of them to build a superior offering, as well as for consumers to make better choices of products. This guideline aims to ensure the analysis of aggregated customer data from third parties and of customer transactions. This guideline is applicable to all e-commerce merchants, financial institutions and other third parties.

2.5 Purchase Device Tracking

E-commerce marketers need a clearer understanding of the device paths that drive revenue, the devices customers use to browse their store, and the devices used to make purchases. The objective of this guideline is to track the devices used by customers for purchasing goods/services online. This helps merchants secure themselves against fraudulent consumer behavior.

2.6 Others

Ø E-Wallet Usage

Access to multiple payment methods and an efficient e-payment process is vital for increased e-commerce adoption. Currently, merchants in Qatar are subject to multiple processes through national banks in order to set up e-payments. An e-wallet refers to an electronic account that allows a consumer to make electronic transactions in a faster and more efficient manner. The Government intends to promote QPAY Gateway to enable the use of prepaid cards, debit cards, and wage cards for secure online payments. The objective of this guideline is to ensure the security of transactions that are carried out through e-wallets and prepaid cards. This guideline is applicable to all Organizations that are permitted to provide e-wallets (prepaid payment instruments or PPI) and preloaded gift cards in the State of Qatar.

Ø Network Security

The network security guideline defines requirements to secure network communication links and information assets being transferred within and from the organization. It helps organizations ensure that access to both internal and external network services is controlled, and that user access to networks and networked services does not compromise the security of the networked services. It sets out the technical security requirements at the standards level (e.g. networking equipment, information exchange with third parties, internal and external information transfer, e-mail protection and confidentiality/non-disclosure agreements). The objective of this guideline is to prevent unauthorized access to networked services. The guideline advises organizations on the various parameters relevant to securing their network, and on the controls that should be implemented to ensure the security of information in networks and the protection of connected services from unauthorized access.


Ø Infrastructure Security

The infrastructure security management guideline enables organizations to design and implement their infrastructure in a way that ensures appropriate security controls are in place, commensurate with data classification levels and business criticality. It helps organizations recommend effective, risk-based security controls that meet the intent of MOTC and organizational policies, and creates accountability within the network and other computing resources to which individuals have access.

The objective of this guideline is to establish a framework for infrastructure security management across e-commerce merchants, IT service providers, logistics partners and financial institutions in Qatar. This process should allow organizations to ensure that all critical functions of infrastructure are documented and have operational processes and disaster recovery plans to provide continuity of operation.

Ø Vulnerability Management

Security assessment is the process in which vulnerabilities in Information Technology (hereafter referred to as IT) systems are identified manually or by tools, and the risk of these vulnerabilities being exploited is evaluated. This evaluation helps identify the next steps for correcting the vulnerabilities and mitigating the risk through corrective actions. Vulnerability management consists of using a computer program to identify vulnerabilities in networks, computer infrastructure or applications. The Patch Management process provides the means and ways of identifying and timely acquiring security patches, testing applicable patches, deploying patches, maintenance, and reporting.

The purpose of this guideline is to establish a framework for vulnerability management, patch management and other security assessments across e-commerce merchants and financial institutions in Qatar. This process allows organizations to obtain a continuous overview of the vulnerabilities in their IT environment and the risks associated with them.

Ø Log Management

Logging is a crucial component of the security of systems and network devices. Monitoring and analysing logs are critical activities, as log files are often the best and/or only record of suspicious behaviour. The Log Management guideline addresses the collection and analysis of logs, the retention of logs, and the corrective actions taken to ensure that any business threat that exists can be identified and mitigated. The objective of this guideline is to ensure that all events relevant to the security of businesses and of business data are logged and that appropriate evidence is generated for them. The guideline aims to highlight the controls and steps that are required to ensure appropriate logging and monitoring of system activities.


3. Detailed Guidelines


3.1 Data Protection and Privacy

The collection, storage, use and transfer of the personal data of consumers (as well as suppliers and other contacts) by merchants or service providers is regulated by Law no 13/2016 concerning Privacy and Protection of Personal Data. The general activities of collecting, receiving, registering, arranging, saving, preparing, amending, recovering, using, disclosing, publishing, transferring, blocking, deleting, or cancelling personal data are considered as “processing” of personal data.

The following guidelines are important in order to respect the legal provisions and obligations of due care:

Ø Online merchants should be aware that, if they process data related to customers who are national persons, they are acting as “controllers” as defined by Art. 1 of the Law No. 13/2016 concerning Privacy and Protection of Personal Data. They decide on the purpose and the method of the data processing. They will instruct a processor of the data to actually process the personal data on their behalf. Being considered a controller or a processor implies certain legal obligations and general obligations of due care.

Ø Personal data may not be processed except with transparency, integrity and respect for human dignity and acceptable practices, as per the provisions of the Law.

Ø Sensitive personal data may only be processed after authorization from the MOTC department (the procedure is however not yet enacted). Such sensitive personal data are the data related to ethnic origin, children, health, physical or psychological condition, religion, marital relations or criminal history.

Ø The collection and processing of personal data must be relevant for the lawful purposes. Data that are not relevant cannot be processed. Furthermore, the data can only be kept during a period that is necessary for the relevant purpose. Thus, data that have become obsolete should be deleted.

Ø When the controller instructs a processor to process the data (such as an IT service provider or website administrator) who is not his employee, he must ensure that the processor respects the necessary rules and procedures. The controller and the processor must ensure that personal data are sufficiently protected against loss, damage, modification, disclosure, access by unauthorized persons, or illegal use of the data; and such precautions must be fit for the nature and importance of the data.

Ø The processor must immediately inform the controller about any breach or violation of the safety precautions (“data breach”). The controller must inform the relevant individual and the MOTC department if such a breach is likely to cause serious damages to the privacy of individuals. Where data protection is particularly at risk, the controller can be expected to audit the procedures of a processor.

Ø An administrator of a website focusing on children must post a notice on the website about the nature of the data related to children, the method of using the data and the policies of disclosure. Furthermore, children’s data can only be collected after explicit approval from their parent, via electronic communication or otherwise, and the processing must be stopped (and the data deleted) if the parent so requests. The participation of a child in any game, offer of prizes or any other activity should not depend on a requirement to submit personal data beyond the necessary limits of what is needed for this participation. Upon request of a parent, information must be given about the type of data that is processed and the purpose thereof, as well as a copy of the collected and stored data.

Ø Personal data can only be used for direct marketing through electronic communication if the individual gave prior consent for such use of his data. It would be good practice to present an empty checkbox next to any form for data collection, stating “I agree that my data can be used for direct marketing purposes through electronic means”. The individual who wants to express his consent to receive direct marketing communications can then tick the checkbox, and this consent should be stored as personal information related to him.

Ø Direct marketing communications must indicate the identity of the initiator of the marketing, and must include an address that can be easily accessed and through which the individual can send a request to stop further commercial communications, or can withdraw his previous consent thereto.

Please note that the Terms and Conditions guideline contains a model Privacy Policy that can be used to inform the visitors of the merchant’s website and his customers about the principles and warranties that the merchant will respect concerning the processing of personal data.

Ø Data Governance

• Organizations shall define a data protection and privacy governance framework;

• The management should assign a senior official whose responsibility is to oversee the management and control of data protection and privacy. The official should be appointed on the basis of professional qualities, relevant experience in and knowledge of data protection and privacy;

• The following should be the responsibilities of the official:

o Be involved in all issues relating to protection of personal data and privacy requirements;

o Ensure proper information lifecycle management processes and procedures are in place to create, store, manage and process data that is accurate, timely and complete;

o Inform and advise the controller and processor and the employees who perform processing activities;

o Monitor compliance with applicable regulation such as GDPR, OECD, etc.;

o Undertake training and awareness on processing operations, data protection and privacy; and

o Liaise and cooperate with the Qatar Government.

• All issues related to data management, protection, privacy and sharing shall be escalated to the Management. The Management shall oversee, ensure alignment and provide overall guidance and advice on data protection issues to facilitate data sharing across data controllers and processors within the current legislative framework.

Ø Data Controller and Processor

• A data controller may collect and process personal data when the individual (the data subject) gives his consent, unless the processing is deemed necessary for realizing a lawful purpose for the controller or for the third party to whom the personal data is transferred.

• Before processing any personal data, the data controller must inform the data subject about:

o The details of the data controller or the processor who acts for the data controller.

o The lawful purpose for which the data controller or a third party wants to process the personal data (e.g. customer management, marketing).

o A comprehensive and accurate description of the processing activities and the degrees of disclosure of personal data for the lawful purpose.

o Any other information necessary for the lawful processing.

• Data Controllers and processors shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. They shall ensure:


o Processing is performed in accordance with applicable regulations such as Data protection law- Law No. (13) of 2016 Qatar, EU General Data Protection Regulation (EU GDPR) etc.;

o These controls are reviewed and updated in case of any changes to processes or where necessary;

o Implementation of appropriate data protection policies;

o Compliance with the applicable policies for data protection;

o Adopt privacy by design principles;

o Adopt measures such as pseudonymisation, encryption, data protection principles, and data minimization techniques;

o Obtain consent from data subjects at the time of data collection; the consent shall be explicit and specific, and shall be maintained for the duration for which the processing is required;

o Access to personal data shall be limited to authorised personnel only;

o Only necessary personal data is processed, for a specific purpose only;

o Ensure Confidentiality, Integrity and Availability of personal data;

o Periodically test, assess and evaluate the effectiveness of technical and organizational measures;

o Ensure resilience of processing systems and services, and restore availability of and access to data in a timely manner in the event of an incident; and

o Prevent accidental or unlawful destruction, loss, alteration, disclosure of, and access to data.

• Processors acting on behalf of controllers should ensure sufficient technical and organizational measures are guaranteed for protection of personal data of data subject;

• Processor should not engage another processor without written authorization from controller;

• Any changes in data processors should be notified to the data controller;

• When a processor further sub-contracts to another processor, the same data protection obligations shall be applicable;

• A processor who has access to data must process data only on the instruction of the controller, unless required by Qatar law;

• Data Controllers and Processors shall publish a Privacy Statement on their website; and

• Data Controllers and Processors shall implement processes to dispose of or destroy Data securely when no longer needed, so as to prevent unauthorized parties from gaining access to these data.

• Data Collection:

o A Data Controller or Processor who is in possession of the data of a data subject should be able to demonstrate that Consent (for the collection, use or disclosure of Personal Data to a Third Party or another organization for the purpose of service transaction processing) has been obtained from the data subject;

o Data controllers and processors shall ensure that all information or records are stored physically or electronically in their systems, be classified and secured in line with the National Information Assurance Policy v2.0. Organizations shall also establish and maintain a register of such key data and information assets;

o Data controllers and processors shall ensure that data is collected by lawful and fair means, and is limited to that which is necessary to fulfil its statutory or business requirements; and


o Data Controllers shall conduct reviews to identify services where document submissions and form filling by data subjects and businesses can be eliminated or reduced to a minimum.

Ø Data Sharing

• Data Controllers shall obtain consent from data subjects in the hard-copy or online service application form, allowing re-use and sharing of personal data for the purpose of provision of services to them. Such consent may be in the form of a statement that by applying for the requested service, the applicant henceforth allows for sharing and re-use of his or her personal data between Organizations in the State of Qatar, solely for the purpose of provision of current and future requested services to them;

• For sensitive personal data, the Data Controllers shall work with the Data Processor to determine the minimum data necessary to meet the user requirements while ensuring adequate safeguards are in place to protect the data; for example, by determining if the objective can be achieved by anonymizing data; and

• Data to be shared should be limited to what may be necessary for the fulfilment of purposes of the service requested.

• Purpose of Data Sharing: Organizations shall share data with another organization only for the determined purpose of fulfilment of the service request; and where appropriate, data sharing agreements should be established to bind all parties involved in the sharing initiative. Such a data sharing agreement should include: purpose of data sharing, organizations involved, datasets/ items to be shared, rules for retention and deletion of shared data items, procedures for dealing with termination of data sharing agreement.

• Regarding the transfer of personal data to third persons, it must be noted that such transfer is considered data processing and thus the requirement of consent or the necessity to achieve a lawful purpose applies as well. The law does not state specific requirements for data transfer, within Qatar or abroad. However, it is stated that the controller may not take any decision or procedure that may block the flow of personal data cross borders, unless the processing of such data is an infringement of the provisions of the Privacy Law or may cause serious damages to the personal data or privacy of the individual.

Ø Rights of Data Subjects

• At the time of obtaining information, the controller should provide the data subject with the contact details of the controller and of the senior official for data protection, the purpose for collecting the data, the recipients of the data, and any transfer to a third country or international organization;

o For fair and transparent processing, the controller should additionally provide:
- Period for storage of data;
- Provision for rectification or erasure;
- Right to lodge a complaint with a competent authority; and
- Logic of automated profiling, its significance, and its impact on the data subject, if any;

o The data subject is entitled to obtain the following information from the controller when data is being processed:
- Copy of personal data;
- Reasonable fee, for repetitive requests by the data subject;
- Purpose of processing;
- Period for storage of the data and the criteria used to determine it;
- Recipients of the disclosed data;
- Provision for rectification or erasure;
- Right to lodge a complaint with a competent authority;
- Logic of automated profiling, its significance, and its impact on the data subject, if any;
- Transfer to a third country or international organization, and the applicable safeguards; and
- Source of the data, when not collected from the data subject.

• The data subject can request erasure of the personal data only if the data is no longer required for the purpose for which it was obtained by the data controller; and

• The controller shall communicate any rectification or erasure, without undue delay, to each recipient to whom the personal data has been disclosed, unless this involves disproportionate effort.

• A data subject may at any time:
o Withdraw his prior consent regarding the processing of his personal data;
o Object to the processing if it is unnecessary for the indicated purposes, or when it is discriminatory, harmful or in breach of the law;
o Request the deletion of his personal data pursuant to these conditions; and
o Submit a request to obtain access to his personal data, to be informed about the processing and the purposes thereof, and to obtain a copy thereof (possibly after paying reasonable charges), and submit a request for correcting the data, with supporting documents.

o The controller may refuse to comply with requests if he discloses the reasons thereof. However, if national security, the international State relations, the national economic or financial interests, or crime prevention are at stake, such reason must not be disclosed. Access to an individual’s data must not be granted if the commercial interests of another person may be prejudiced, or if this would lead to the disclosure of personal data of another person who did not consent to that, or if it may cause material or moral damages to such person.

o The data controller must set internal rules for receiving and studying complaints, data access requests, and requests for data correction or deletion, and make these rules available to individuals (e.g. in the Privacy Policy).

o The rules and procedures concerning the individual’s rights are to be determined under a resolution which is not yet enacted.

3.2 Customer Validation

While registering customers, organizations shall undertake the following, as applicable to their ecosystem:

• Conduct postal address verification, wherever feasible, and offer payment instrument options according to the result;

• Conduct verification through personal identifiers such as email address and mobile phone number. This can be done by sending a verification link by email, or a passcode that the user must provide to the Organization before the account is created;

• Opt for Address Verification Service (AVS): AVS is a service that allows merchants accepting non-face-to-face transactions to compare the billing address provided by a customer with the one on the card issuer's file prior to processing a transaction. A non-match is a strong fraud indicator. The check is performed as part of the merchant's authorization request for the card transaction; the processor returns a response code indicating the degree of address match, on the basis of which the transaction may be accepted or rejected. Note that AVS compares only the numeric portions of the address (street number and postal code), so a full match does not confirm the entire address;

• Use geolocation lookup: resolve the customer's IP address to an approximate location and compare it with the billing and shipping addresses; a large discrepancy is a fraud indicator;

• Validate the customer through the Card Verification Number (CVN/CVV). It helps authenticate a user / card by comparing the verification number printed on the signature strip on the back of the card with the value held by the cardholder's issuing bank. The CVV must only be used at authorization time and must never be stored afterwards;


• Use multi-factor authentication: Organizations shall apply multi-factor authentication and ensure that all financial transactions follow the same process;

• Authenticate payers: Implement 3D Secure (Verified by Visa and Mastercard SecureCode) to prevent fraudulent online transactions with credit and debit cards. It is a three-domain protocol: the acquirer domain (the merchant and the bank that processes its payments), the issuer domain (the cardholder's issuing bank) and the interoperability domain operated by the card scheme (e.g., Visa or Mastercard). Where available, prefer 3D Secure 2, which supports risk-based (frictionless) authentication and native mobile flows;

• Use telephone number verification / reverse lookup to detect invalid or mismatched numbers keyed in by the user;

• Implement multi-factor phone authentication for authenticating customers, using a one-time, dynamic passcode, typically of 4 to 6 digits. The code can be sent to the customer's mobile device by SMS or push notification, or generated offline by a one-time-passcode generator (app). SMS is the weakest of these channels (SIM-swap and interception attacks), so an authenticator app or push approval should be preferred where available, and every code must expire, be single-use and be rate-limited;

• Wherever feasible, authenticate users through biometric indicators. The most commonly used methods are fingerprint and voice recognition;

• Wherever feasible, Organizations should conduct a credit history check for high value transactions; and

• Enable an option for customers to log in through, or link, their social media accounts to the e-commerce account.
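The one-time passcode control above, with the properties a practitioner needs (expiry, single use, a failure threshold that locks the code, constant-time comparison) and the app-generated variant, written out as an added Python example. This is illustrative code, not from the guideline: the in-memory store, the SMS/push delivery (left to the caller) and the thresholds (5-minute validity, 5 attempts) are assumptions. The hotp/totp functions follow RFC 4226 / RFC 6238 with SHA-1, which is what common authenticator apps use, and reproduce the RFC 4226 test secret's first codes.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6          # assumed: 6-digit codes
OTP_TTL_SECONDS = 300   # assumed: code valid for 5 minutes
MAX_ATTEMPTS = 5        # assumed: failure threshold before the code is locked


@dataclass
class OtpRecord:
    code: str
    expires_at: float
    attempts: int = 0
    used: bool = False


class OtpService:
    """Server side of an SMS/push one-time passcode flow.

    Delivery is out of scope: issue() returns the code so the caller can hand it
    to the SMS/push channel. The store is an in-memory dict (assumption); a real
    deployment would keep the same fields in a database.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._store: dict[str, OtpRecord] = {}

    def issue(self, user_id: str) -> str:
        # secrets.randbelow is CSPRNG-backed; zero-pad so "000123" is a valid code
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._store[user_id] = OtpRecord(code, self._clock() + OTP_TTL_SECONDS)
        return code

    def verify(self, user_id: str, submitted: str) -> str:
        """Return "ok", "wrong", "expired", "locked", "already_used" or "no_code"."""
        rec = self._store.get(user_id)
        if rec is None:
            return "no_code"
        if rec.used:
            return "already_used"
        if self._clock() > rec.expires_at:
            del self._store[user_id]
            return "expired"
        if rec.attempts >= MAX_ATTEMPTS:
            return "locked"
        rec.attempts += 1
        # Constant-time comparison so timing does not leak how many digits matched
        if hmac.compare_digest(rec.code, submitted):
            rec.used = True
            return "ok"
        return "locked" if rec.attempts >= MAX_ATTEMPTS else "wrong"


# App-generated codes: HOTP (RFC 4226) and TOTP (RFC 6238) with SHA-1.
def hotp(secret: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret: bytes, at: float, step: int = 30, digits: int = OTP_DIGITS) -> str:
    return hotp(secret, int(at // step), digits)


def verify_totp(secret: bytes, submitted: str, at: float, window: int = 1) -> bool:
    """Accept the current 30-second step and +/- `window` steps to absorb clock drift."""
    step_now = int(at // 30)
    return any(
        hmac.compare_digest(hotp(secret, step_now + d), submitted)
        for d in range(-window, window + 1)
    )


if __name__ == "__main__":
    svc = OtpService()
    code = svc.issue("customer-42")
    print("sent code", code, "->", svc.verify("customer-42", code))   # ok
    print("replay ->", svc.verify("customer-42", code))                # already_used
    print("RFC 4226 vector:", hotp(b"12345678901234567890", 0))        # 755224
```

The verifier never reveals which digits were wrong and counts every attempt against the same code, so guessing a 6-digit code is bounded by MAX_ATTEMPTS rather than by the code's length; the TOTP window should be kept as small as clock drift allows, since each extra step roughly doubles the set of accepted codes.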

3.3 Customer History and Proprietary Data Analysis

Organizations shall use the following mechanisms to analyse customer history and data in order to detect fraudulent behaviour:

• Customer order history
o Customer order history shall be accessible only for analysis purposes and shall not be shared with anyone beyond internal usage;
o Customer order history shall be maintained on a secure database;
o Customer order data shall be encrypted;
o The data shall be accessible only to authorised personnel after appropriate approvals; and
o Password settings, server and firewall configuration shall be regularly reviewed.

• Negative Lists
o A process shall be defined to categorize a customer into a positive or negative list based on predefined attributes;
o Customers exceeding a defined "return order rate" should be categorized into the negative list;
o Customers shall not be able to place orders with an email address or phone number that has been blacklisted;
o After the authentication failure threshold is exceeded, the customer's ID shall be locked and shall require additional authentication before it is unlocked; and
o Customers shall be assessed on the basis of their device's IP address and should be blocked if it appears on a known spam or abuse IP list.

• Order Velocity Monitoring
o The company shall perform a periodic basic velocity check to detect fraudulent transactions. The intent of a velocity-of-use check is to look for suspicious behaviour based on the number of associated transactions a consumer is attempting; it works by counting the number of uses of a data element (such as a card number, email address, IP address or device) within a predetermined timeframe;

o Merchants should track how many transactions have originated from a single device in a particular day; and


o Merchants should conduct advanced velocity checks, such as how many accounts have been seen on a given IP address in the last 30 days.

• Fraud scoring model
o E-commerce merchants shall develop an internal transaction fraud-scoring procedure, system or framework. A well designed fraud scoring system assigns points to the elements of a transaction that indicate fraud and compares the total against thresholds for accepting, reviewing or rejecting the order. Such elements typically include: IP address, email address, time of day the order is placed, AVS result code, sales amount, type of merchandise, shipment method, and mismatched shipping and billing addresses or ZIP codes;

o Organizations shall clearly define responsibilities for fraud detection and suspect transaction review;

o Organizations shall track fraud control performance to understand the impact of fraud on the business; and

o Organizations shall record all key elements of fraudulent transactions, such as names, e-mail addresses, shipping addresses, customer identification numbers, telephone numbers and the card numbers used. Card numbers must be recorded only in truncated or tokenised form, as PCI DSS requires, and passwords must never be recorded in clear text; record only which credential was used.
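The velocity checks and the point-based fraud scoring model described above, together with the negative-list check from the "Negative Lists" bullets, as one added Python example. It is illustrative code, not a system from the guideline: the rule weights, the accept / review / reject thresholds, the negative-list entries and the order stream in run_demo() are all constructed for the demonstration and would be tuned against a merchant's own fraud history.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed negative-list entries (hypothetical values, not from the guideline)
NEGATIVE_EMAILS = {"mule@example.org"}
NEGATIVE_IPS = {"192.0.2.200"}


@dataclass(frozen=True)
class Order:
    order_id: str
    ts: datetime
    email: str
    ip: str
    device_id: str
    amount: float
    avs_code: str     # issuer AVS response: "Y" full match, "A"/"Z" partial, "N" no match
    ship_addr: str
    bill_addr: str
    shipping: str     # "standard" or "express"


class VelocityTracker:
    """Counts uses of a data element (email, IP, device) inside a sliding time window."""

    def __init__(self) -> None:
        self._seen: dict[tuple[str, str], list[datetime]] = defaultdict(list)

    def record(self, field: str, value: str, ts: datetime) -> None:
        self._seen[(field, value)].append(ts)

    def count(self, field: str, value: str, ts: datetime, window: timedelta) -> int:
        cutoff = ts - window
        return sum(1 for t in self._seen[(field, value)] if cutoff < t <= ts)


DAY, HOUR = timedelta(days=1), timedelta(hours=1)

# Scoring rules: (name, predicate(order, tracker), points). Weights are illustrative.
RULES = [
    ("negative_list", lambda o, v: o.email in NEGATIVE_EMAILS or o.ip in NEGATIVE_IPS, 100),
    ("avs_no_match", lambda o, v: o.avs_code == "N", 30),
    ("avs_partial", lambda o, v: o.avs_code in ("A", "Z"), 10),
    ("ship_bill_mismatch", lambda o, v: o.ship_addr != o.bill_addr, 15),
    ("night_order", lambda o, v: o.ts.hour < 6, 10),
    ("high_amount", lambda o, v: o.amount >= 1000, 20),
    ("express_shipping", lambda o, v: o.shipping == "express", 5),
    ("ip_velocity_24h", lambda o, v: v.count("ip", o.ip, o.ts, DAY) > 3, 25),
    ("device_velocity_24h", lambda o, v: v.count("device", o.device_id, o.ts, DAY) > 3, 25),
    ("email_velocity_1h", lambda o, v: v.count("email", o.email, o.ts, HOUR) > 2, 20),
]


def decide(score: int) -> str:
    # Thresholds are assumptions; tune them against the merchant's own fraud history
    if score >= 60:
        return "reject"
    if score >= 30:
        return "review"
    return "accept"


def score_order(order: Order, tracker: VelocityTracker):
    """Return (score, triggered rule names, decision) and update the velocity counters."""
    # Record before evaluating so the current order counts toward its own velocity
    tracker.record("ip", order.ip, order.ts)
    tracker.record("device", order.device_id, order.ts)
    tracker.record("email", order.email, order.ts)
    hits = [(name, pts) for name, pred, pts in RULES if pred(order, tracker)]
    total = sum(pts for _, pts in hits)
    return total, [name for name, _ in hits], decide(total)


def run_demo():
    """Score a constructed order stream: one clean order, a four-order burst from
    one device and IP using different emails, then an order from a listed email."""
    tracker = VelocityTracker()
    home = "12 Corniche St, Doha"
    orders = [Order("o1", datetime(2024, 3, 1, 14, 0), "alice@example.com", "203.0.113.10",
                    "dev-alice", 120.0, "Y", home, home, "standard")]
    t0 = datetime(2024, 3, 2, 10, 0)
    for i in range(1, 5):   # same IP and device, fresh email each time, two minutes apart
        orders.append(Order(f"b{i}", t0 + timedelta(minutes=2 * i), f"buyer{i}@example.org",
                            "198.51.100.7", "dev-9", 200.0, "A", "PO Box 77, Doha", home, "standard"))
    orders.append(Order("m1", datetime(2024, 3, 2, 12, 0), "mule@example.org", "203.0.113.55",
                        "dev-5", 50.0, "Y", home, home, "standard"))
    results = []
    for o in orders:
        total, hits, decision = score_order(o, tracker)
        results.append((o.order_id, total, decision))
    return results


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

The burst shows why velocity is scored separately from the static attributes: each order in it carries only a partial AVS match and a shipping / billing mismatch (25 points, below review), and it is the fourth order from the same device and IP inside a day that pushes the score to 75 and a reject. The email-velocity rule does not fire because the fraudster rotates addresses, which is exactly the case device and IP velocity exist to catch.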

• Customer website behavioural analysis
o Organizations shall continually monitor transactions and apply behavioural analytics to detect fraudulent transactions;
o Organizations shall monitor the regular order lifecycle to ensure seamless service to customers;
o Organizations shall analyse past customer orders to provide better products and services;
o Consent shall be obtained from the customer prior to analysing their data; and
o A privacy policy, clearly stating which customer data will be used for analysis, shall be published on the website.

3.4 Aggregated Transactions from Third Parties Analysis

Enabling access to data for all relevant participants of the market creates an opportunity to build a superior offering, as well as for consumers to make better choices of products.

• Multi-merchant purchase velocity:
o It is recommended that Organizations analyse their customers' transactions using shared APIs. Such APIs allow a current transaction to be monitored against activity seen at other merchants, a customer's future transactions to be forecast, and better products to be offered for their next transactions.

• Shared negative lists and shared hotlists:
o It is recommended that Organizations track fraudulent customers through shared APIs;
o It is recommended that e-commerce merchants and financial institutions use plugins that check the shared "blacklist" during every purchase transaction, and block any customer whose email address and/or IP address matches an entry in the negative list. An IP-only match should be treated as a risk signal rather than an automatic block, since shared and carrier-grade NAT addresses are used by many legitimate customers;
o E-commerce merchants and financial institutions shall maintain event logs that record purchase attempts made by customers on the negative list; and
o E-commerce merchants and financial institutions should blacklist customers exceeding a defined "return order rate".


3.5 Purchase Device Tracking

• It is recommended that the e-commerce merchant track the IP address and geolocation of the purchase device;

• It is recommended that e-commerce merchants track the customer on the basis of a combination of User ID and client ID. In Google Analytics terms, the User ID is the value the merchant's site sends to identify the customer as an authenticated user, while the client ID identifies the browser or device;

• It is recommended that session unification be turned on. Session unification is a User ID setting that enables hits collected before a User ID is assigned to be associated with that User ID;

• The organizations shall implement controls that identify when a customer / user has logged in from a new device, and the same shall be highlighted to the user immediately;

• The organizations shall provide the customer / user with an option to remember the devices that he frequently uses; and

• It is recommended that purchase devices be tracked on the basis of device fingerprints.
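The last three bullets (device fingerprint, new-device detection with an immediate notice to the user, and "remember this device") as an added Python example. This is illustrative code, not from the guideline: the attribute set that goes into the fingerprint, the IP-prefix-to-country table standing in for a real geolocation service, and the in-memory per-user registry are assumptions. The fingerprint deliberately excludes the IP address, so a device that moves between networks stays recognised and a country change is reported as a separate signal.

```python
import hashlib
import json
from collections import defaultdict
from dataclasses import dataclass

# Attributes hashed into the fingerprint (assumption): stable per device, not per network
FINGERPRINT_FIELDS = ("user_agent", "accept_language", "screen", "timezone", "platform")

# Constructed IP-prefix to country table standing in for a real geolocation lookup
GEO_BY_PREFIX = {"203.0.113.": "QA", "198.51.100.": "US"}


def device_fingerprint(attrs: dict) -> str:
    """SHA-256 over a canonical JSON encoding of a fixed attribute set.

    Missing fields are encoded as "" and unknown fields are ignored, so the same
    device yields the same value whichever extra headers the browser sends."""
    canonical = json.dumps({k: str(attrs.get(k, "")) for k in FINGERPRINT_FIELDS},
                           sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def country_of(ip: str) -> str:
    for prefix, country in GEO_BY_PREFIX.items():
        if ip.startswith(prefix):
            return country
    return "??"


@dataclass
class KnownDevice:
    fingerprint: str
    label: str
    remembered: bool   # user chose "remember this device"
    last_ip: str


class DeviceRegistry:
    """Per-user record of devices seen at login; flags new devices and location
    changes and decides whether step-up authentication is required."""

    def __init__(self) -> None:
        self._devices: dict[str, dict[str, KnownDevice]] = defaultdict(dict)

    def check_login(self, user_id: str, attrs: dict, ip: str, remember: bool = False) -> dict:
        fp = device_fingerprint(attrs)
        known = self._devices[user_id].get(fp)
        if known is None:
            self._devices[user_id][fp] = KnownDevice(fp, attrs.get("user_agent", "unknown"), remember, ip)
            # New device: notify the user immediately and require a second factor
            return {"fingerprint": fp, "new_device": True, "location_changed": False,
                    "notify_user": True, "step_up": True}
        location_changed = country_of(ip) != country_of(known.last_ip)
        known.last_ip = ip
        # Known device: a country change, or a device the user did not ask to remember, triggers step-up
        return {"fingerprint": fp, "new_device": False, "location_changed": location_changed,
                "notify_user": location_changed,
                "step_up": location_changed or not known.remembered}

    def remembered_devices(self, user_id: str) -> list[str]:
        return [d.label for d in self._devices[user_id].values() if d.remembered]


if __name__ == "__main__":
    reg = DeviceRegistry()
    laptop = {"user_agent": "Mozilla/5.0 (Windows NT 10.0)", "accept_language": "en-GB",
              "screen": "1920x1080", "timezone": "Asia/Qatar", "platform": "Win32"}
    print(reg.check_login("alice", laptop, "203.0.113.10", remember=True))   # new device
    print(reg.check_login("alice", laptop, "198.51.100.9"))                  # location changed
```

A fingerprint of this kind is a recognition aid, not an authenticator: browsers on identical corporate builds collide, and a user-agent update changes the value, so treat a "new device" result as a reason to step up authentication and notify the user rather than as proof of compromise.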

3.6 Others

Ø E-Wallet Usage

• Banks that have been permitted to provide Mobile Banking Transactions by the Regulator / Government shall be permitted to launch mobile based prepaid payment instruments (e-wallets);

• Banks shall issue an open pre-paid payment instrument (PPI) only after full Know Your Customer (KYC);

• For open system prepaid payment instruments issued by banks in Qatar, cash withdrawal at Point Of Sale shall be permitted up to a pre-defined limit per day;

• As a good practice, Non-Banking Financial Companies (NBFCs) should be permitted to issue only semi-closed system payment instruments, including mobile phone based pre-paid payment instruments;

• Banks, NBFCs and other non-banking entities that are permitted to issue semi-closed and closed pre-paid gift instruments shall be subject to the following conditions:

o The maximum validity of the pre-paid gift instruments shall be defined;
o The maximum value of each such payment instrument shall be defined;
o These instruments shall not be reloadable;
o Cash withdrawal shall not be permitted for such instruments;
o Full KYC documents of the purchasers of such instruments shall be maintained above a pre-defined limit;
o The issuer shall maintain the details of the persons to whom such instruments have been issued and make them available on demand. The issuer shall also ensure that full details of the ultimate beneficiary are obtained for furnishing to the Regulator or Government, as and when requested; and
o Entities may adopt a risk based approach, duly approved by their Top Management, in deciding the number of such instruments which can be issued to a customer, transaction limits, etc.

• Organizations that are issuing pre-paid payment instruments shall maintain a log of all the transactions undertaken using these instruments. This data should be available for scrutiny by the Qatar Central Bank or any other agency / agencies as may be advised by the Government / Regulator;

• The pre-paid payment instrument issuers shall put in place adequate information and data security infrastructure and systems for the prevention and detection of fraud. The issuer should maintain a centralized database / Management Information System (MIS) so that multiple purchases of payment instruments at different locations cannot be used to circumvent any limits prescribed for such payment instruments;

• All pre-paid payment instrument issuers shall disclose all important terms and conditions in clear and simple language (preferably in English and Arabic) comprehensible to consumers while issuing the instruments. These disclosures shall include:

o All charges and fees associated with the use of the instrument;
o The expiry period and the terms and conditions pertaining to expiration of the instrument; and
o The customer service telephone numbers and website URL.

• PPI issuers are also required to report frauds, if any, involving the PPIs issued by them on a quarterly basis (or earlier) to the Government / Regulator;

• To reduce losses associated with risk exposure, PPI issuers must implement internal fraud detection and prevention measures and controls applicable to their business environment;

• PPI issuers shall authenticate the user before any transaction is made through the e-wallet. This can be ensured by a security code, a strong password, a biometric, etc., and for higher-value transactions by a combination of these factors (multi-factor authentication, as required above);

• PPI issuers shall appoint a dedicated fraud control individual or group to provide the direction the organization needs to deter fraud; and

• The PPI issuers shall ensure that an annual security review of e-wallets is conducted covering, but not limited to, the following controls:

o IT General Controls (Change Management, User Access Management, Incident and Problem Management, Patch Management and Log Management);
o Business Process Controls (Organizational Policies and Procedures, etc.);
o Application (Web and Mobile) Security Assessment;
o Security Configuration Review;
o Infrastructure Security Review; and
o Compliance with an international standard such as the NIST Cybersecurity Framework or the TCG Framework.

• Best Practices for Consumers

o Enable Passwords On Devices: Strong passwords or passcodes should be enabled on the user's phones, tablets and other devices before e-wallets are used. Additional layers of security provided by these devices (e.g., biometric unlock, automatic screen lock) should be used;

o Use Secure Network Connections: It is important to connect only to trusted networks. Avoid the use of public Wi-Fi networks. Trusted Wi-Fi networks protected by WPA2 or WPA3 with strong passwords should be used; the original WPA is deprecated and should be avoided;

o Install Apps From Trusted Sources: Install the e-wallet app only from the official app store or the provider's own channel, and check that the e-wallet provider has a strong track record of securely, reliably and conveniently handling sensitive financial data and of providing customer support (in the event of card loss or account fraud);

o Keep Login Credentials Secure: Avoid writing down the information used to access the digital wallet in plain view or storing it in an unprotected file;

o Create a Unique Password for the e-wallet: Use a hard-to-guess password unique to the digital wallet to protect against the risk of unauthorized access;


o Stay vigilant and aware of the mobile phone's network connectivity status (an unexpected loss of service can be a sign of a SIM swap) and register for alerts through SMS and email;

o Identify Points of Contact in Case of Fraudulent Issues: For any fraudulent activity on the user's account, in scenarios such as when the mobile phone is lost or stolen, an individual card stored in the wallet is lost, or the account has been hacked, the user should know the appropriate points of contact for resolving the issue. The user must fully understand the e-wallet provider's contract terms and conditions.

Ø Network Security

• Network monitoring and controls
o The organization shall closely coordinate network management activities to optimize the services to the organization and to ensure that controls are consistently applied across the information processing infrastructure;

o Dedicated network connectivity between the organization's network and any external party should be implemented only after the risks arising from the connectivity have been appropriately addressed. These risks shall be identified by performing security scans on the organization's network regularly;

o The organization shall restrict the use of system utility software on live systems, such as software that facilitates remote access, manages event logging or manages group policies, to system administrators and computer support staff only. Master copies of such software are to be held securely;

o For systems running Simple Network Management Protocol (SNMP) agents, the organization shall ensure that SNMP read/write community strings are securely configured and that all default community strings are changed by the administrator. Community strings travel in clear text in SNMPv1 and SNMPv2c, so SNMPv3 with authentication and encryption should be preferred, and read/write access should be disabled where it is not needed;

o Appropriate security measures shall be in place to safeguard the confidentiality and integrity of data passing over public networks, LANs and wireless networks, and all the connected systems and applications. Use of insecure clear-text protocols such as FTP and Telnet should be strictly prohibited in favour of SFTP / SCP and SSH;

o All systems that must be accessible from the Internet, such as, but not limited to, email servers, web servers and proxy servers, shall be placed in the De-militarized Zone (DMZ);

o All internet facing systems/routers shall be audited on regular intervals as per benchmark security parameters to ensure proper network access control and safety of data transmitted through them;

o Technical parameters required for secured connection with the network services shall be established in accordance with the security and network connection rules;

o Technology such as authentication, encryption and network connection controls shall be applied for security of network services;

o Procedures governing the use of network services, restricting access to network services or applications, shall be established and documented where necessary;

o All unused or unwanted network services within the organization's network shall be removed or disabled;

o A documented list of services and ports required for business purpose shall be maintained and updated regularly;

o Insecure file transfer uploads and downloads to/ from the Internet shall not be allowed;

o Any new internet service shall be assessed to evaluate the risks associated to it and necessary approvals from authorized personnel within the organization shall be taken before adoption of any such service. All connections between organization’s network and Internet (Public Network) shall include an approved firewall and associated access control;


o To ensure that systems are installed and maintained in a manner that prevents unauthorized access, unauthorized use and disruptions, the following controls shall be implemented:
- All systems supporting business operations shall be hardened in accordance with industry best practice benchmarks before being connected to the organization's network, such as those published by the Center for Internet Security (CIS), the National Institute of Standards and Technology (NIST) and the SANS Institute.

o Network devices such as wireless access points, firewalls, routers, etc., with their latest updates applied, shall be configured in accordance with the necessary and applicable security configurations;

o The organization should consider implementation of an Intrusion Detection System / Intrusion Prevention System (IDS / IPS) once the base security system is in place. While evaluating and recommending an IDS / IPS, the following shall be considered:
- Detection of all kinds of security attacks on the system, including denial of service, masquerading, etc.;
- Detection of network intrusions;
- Monitoring of network traffic and defending against attacks by matching traffic against an updateable signature file;
- The system shall be able to generate different alerts such as: event log, email, fax, sound, pager, user defined, etc.;
- Passwords shall be changed on a regular basis;
- The latest IDS / IPS configuration shall be backed up regularly; and
- Copies of configuration files shall be restricted to authorized individuals.

o All important documents which describe relevant processes and procedures for managing network equipment such as routers, switches and firewalls shall be maintained and controlled properly. The organization shall clearly document the network architecture and update the documentation to reflect changes to it. Access to network architecture documentation shall be restricted to authorized personnel within the organization;

o Network configuration details must be maintained securely to ensure that they are available when required, such as in times of system failure. They must be protected, as they store critical information about the organization's network;

o The network configuration details must include:
- Wide Area Network (WAN) diagrams;
- Local Area Network (LAN) diagrams;
- Router and switch configurations;
- Firewall configuration;
- Device details;
- IP addressing used within the organization; and
- Configuration details for other important network devices.

• Authentication
o Appropriate equipment authentication mechanisms shall be applied for users and information systems connecting to the organization's network. All portable computers that connect to the organization's network must be registered on its domain;
o A warning banner should be displayed at login to any system within the organization network, stating that:
- The system is to be used only by authorized users;
- The user represents that he/she is an authorized user by continuing to use the system; and
- The use of this system constitutes consent to monitoring.


o The banner must not include any system or application identifiers, which could provide valuable information to a would-be intruder, for example: hardware and operating system on the host, information about the organization or other internal matters; and

o The warning banner shall be enabled for the network devices (routers, switches, etc.) and servers.

• Network Segregation
o The organization shall follow a risk based approach to undertake network segregation;
o The organization's network shall be divided into separate logical network domains, e.g. internal network domains, external network domains, etc. Each of these domains shall be protected by a defined security perimeter. A set of controls shall be applied in the different logical network domains to further segregate network security environments;

o Virtual Local Area Networks (VLANs) shall be designed to logically segregate networks. While designing VLANs, it shall be ensured that sensitive / critical information systems are isolated from other systems on a separate VLAN, depending on data segregation, confidentiality and other business requirements. Access to this VLAN shall be controlled and given only on a need-to-know basis; and

o Network zones shall be defined in order to classify and subdivide groups of users and services depending on considerations such as business criticality, IT health integrity, data / information classification, user trust levels, business agreements and security considerations. Network zoning limits the complexity of the available choices in granting access to network resources, while meeting the majority of security needs. The network shall be divided into the following zones:
- Public Zone - The Public Zone is entirely open and includes public networks such as the public Internet, the public switched telephone network, and other public carrier backbone networks and services. Restrictions and requirements are difficult or impossible to place or enforce on this zone because it is outside the control of the organization. Any systems delivered in, or interfacing with, the Public Zone shall be hardened against attack;

- Operations Zone - An Operations Zone shall be the standard environment for routine operations of organization. It is the environment in which most end-user systems and workgroup servers shall be installed. Even with appropriate security controls at the end-systems, this Zone shall be unsuitable for large repositories of sensitive data or critical applications without additional strong, trustworthy security controls;

- Restricted Zone - A Restricted Zone shall provide a controlled network environment generally suitable for business-critical IT services (i.e., those having medium reliability requirements, where compromise of the IT services would cause a business disruption) or large repositories of sensitive information (e.g., in a data center). All network-layer entities in restricted zone shall be authenticated, either explicitly through the implementation of a peer-entity authentication service or implicitly through a combination of physical security and configuration control. The restricted zone shall reduce the threats from system insiders by limiting access and through administrative monitoring;

- Special Access Zone - A Special Access zone shall be a tightly controlled network environment suitable for special processing needs. Requirements for special access zone shall be developed on a case-by-case basis to meet the special processing needs of the environment. For example, a team working on a confidential research project might require setting up a special access zone;

- Demilitarized Zone - The organization shall limit incoming access to data and systems from the Internet. This limit shall be implemented via a Demilitarized Zone (DMZ), which is part of the firewall architecture. In no case will the public be granted direct access to data on servers on the organization's trusted network, inside the firewall system. The trade-offs to consider when deciding on a DMZ are a slight decrease in performance against the reduced exposure of internal systems to an attacker.

• Network Security
o Logical access to the network shall be restricted to authorized users only, to ensure that only permitted users can access the network segments and services;
o Automatic equipment identification shall be considered as a means to authenticate connections from specific locations and equipment;
o Access to diagnostic ports within the organization shall be securely controlled;
o Access to local system control utilities (e.g. batch files, Unix scripts, etc.) shall be controlled and limited to authorized personnel only;
o If any service or port beyond the maintained standard list of services and ports needs to be enabled on a server for business reasons, it shall follow a change management process and shall be authorized, tested and implemented along with the necessary / compensating controls, if required;

o The details of this test and approval process shall be documented;
o As a best practice, a risk assessment should be done prior to allowing information flow between different business information systems or granting access to third parties;

o Appropriate logging and monitoring shall be applied to enable recording and detection of actions that may affect, or are relevant to, information security. All actions such as, but not limited to login/logout of administrative accounts, router interface or link up/down events, system start/shutdown events, audit trails, and attack attempts shall be logged properly; and

o The log files shall be secured from unauthorized access or modification. Regular review shall be conducted on the log files to identify any malicious or abnormal activity.

o The following security controls (such as technical controls and contracts / agreements) shall be implemented to exchange business information with stakeholders:
- Phone calls, voice mail, faxes, teleconferencing and any other voice systems used for confidential communication shall be provided by the organization for use in connection with the organization's business. Any other use, except for reasonable and occasional personal use, shall be prohibited; and
- All information transferred between the organization's network and its partners / third parties over the Internet shall be adequately protected with an approved encryption technique;

o The organization shall identify all its network components and maintain an inventory of them with details;

o The organization shall assess and implement the controls necessary to restrict use of network components; and

o Access to sensitive information processing functions shall be secured by limiting the terminals from which these functions can be executed and physically and/ or logically restricting these terminals.

• Network logging

o The organization shall maintain a record of all successful as well as unsuccessful login attempts, and the log of such attempts shall be reviewed by system administrators within the organization periodically;

o The organization shall limit the access to utilities that reconfigure logging mechanisms to authorized users only;


o The organization shall define and implement a process to periodically monitor the logs being collected;

o The log files shall be protected from being accessed, modified or deleted by unauthorized users either by encrypting the logs or by defining the access levels;

o File integrity monitoring and change-detection software shall be implemented on logs to ensure that existing log data cannot be changed without generating alerts; and

o Audit trails shall be backed up on a regular basis and shall be stored on a location which has limited access.
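The periodic review of successful and unsuccessful login attempts required above is a routine task that can be automated. The following is an added example, not part of the guideline and not MOTC tooling: it parses a few constructed OpenSSH-style authentication lines and reports what an administrator reviewing the login record would look for, namely failure counts per source address, sources that exceed a failure threshold, and any successful login that followed a burst of failures from the same source. The log format, the year assumed for syslog timestamps, the threshold and the time window are assumptions for the example.

```python
"""Periodic review of successful and unsuccessful login attempts.

Added example (not from the guideline): parses constructed OpenSSH-style
auth log lines and produces the findings a reviewer of the login record
wants: failures per source, sources over a failure threshold, and successes
that follow recent failures from the same source (a guessed password is the
usual explanation). Threshold, window and log format are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (syslog carries no year; one is assumed below).
SAMPLE_LOG = """\
Mar  3 09:14:02 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Mar  3 09:14:04 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51023 ssh2
Mar  3 09:14:06 web01 sshd[2102]: Failed password for root from 203.0.113.5 port 51024 ssh2
Mar  3 09:14:09 web01 sshd[2103]: Failed password for root from 203.0.113.5 port 51025 ssh2
Mar  3 09:14:11 web01 sshd[2104]: Failed password for deploy from 203.0.113.5 port 51026 ssh2
Mar  3 09:14:15 web01 sshd[2105]: Accepted password for deploy from 203.0.113.5 port 51027 ssh2
Mar  3 09:20:40 web01 sshd[2190]: Accepted publickey for alice from 192.0.2.20 port 40122 ssh2
Mar  3 09:31:02 web01 sshd[2250]: Failed password for bob from 192.0.2.31 port 40300 ssh2
Mar  3 09:31:20 web01 sshd[2251]: Accepted password for bob from 192.0.2.31 port 40301 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)
ASSUMED_YEAR = 2019  # assumption: syslog lines do not carry the year


def parse_auth_line(line):
    """Return a dict for an sshd Accepted/Failed line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "user": m["user"],
            "src": m["src"], "ok": m["outcome"] == "Accepted"}


def review_logins(log_text, fail_threshold=5, window=timedelta(minutes=10)):
    """Summarise the login record and flag the patterns worth a closer look.

    Returns a dict with:
      failures_by_src        unsuccessful attempts per source address
      successes_by_src       successful attempts per source address
      threshold_exceeded     sources with at least fail_threshold failures
      success_after_failures (src, user, failures_in_window) for every success
                             preceded by failures from the same source within
                             the window
    """
    events = [e for e in map(parse_auth_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    failures = defaultdict(int)
    successes = defaultdict(int)
    recent_failures = defaultdict(list)  # src -> timestamps of failures seen
    suspicious = []
    for e in events:
        if e["ok"]:
            successes[e["src"]] += 1
            prior = [t for t in recent_failures[e["src"]] if e["ts"] - t <= window]
            if prior:
                suspicious.append((e["src"], e["user"], len(prior)))
        else:
            failures[e["src"]] += 1
            recent_failures[e["src"]].append(e["ts"])
    flagged = sorted(s for s, n in failures.items() if n >= fail_threshold)
    return {
        "failures_by_src": dict(failures),
        "successes_by_src": dict(successes),
        "threshold_exceeded": flagged,
        "success_after_failures": suspicious,
    }


if __name__ == "__main__":
    for key, value in review_logins(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a real authentication log, the same function gives the reviewer a short list of sources and accounts to follow up instead of thousands of raw lines; the threshold and window should be set from the organization’s own baseline rather than the values assumed here.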

Ø Infrastructure Security

• Perimeter defence security

o The organization shall define its network architecture and ensure that it is adequately protected;

o It should implement intelligent logging at a level that is enough to trace back an attack;

o The organization shall set up a process to trace intrusions, if any, and analyse them in detail to take corrective measures to harden the security infrastructure;

o The organization shall maintain detailed documentation of the filter (router and proxy) configurations and follow change management for any changes to configurations;

o The organization shall install appropriate filters. Below are references for the organization:

- An access-list entry of the form “deny ICMP any any redirect” to disallow ICMP redirect packets; and

- Anti-spoofing filters to control access through the router, which would stop packets arriving from outside with internal IP addresses as their source address.

o The organization shall control and monitor filter configurations in terms of privileges and their use: who can modify, who modified, when was it modified, why was it modified etc.;

o Organizations shall conduct a risk assessment before deploying any device into a network. The identified risks shall be communicated to the top management;

o The organization should set up a mechanism to update filters whenever it is required to implement network changes, install new software releases and prevent future attacks that may exploit existing or newly discovered vulnerabilities;

o The organization shall configure Anti-virus software for real time scanning at the gateway;

o These filters should be tested periodically, including break testing, to ensure that the rules are still working; and

o Periodic network security assessments such as vulnerability assessments, penetration tests etc. shall be conducted.
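The two reference filters named in this section (denying ICMP redirects, and anti-spoofing of internal source addresses on the external interface) can be expressed as an ordered policy and exercised against sample traffic before they are committed to the router. The following is an added example, not the guideline’s configuration and not any vendor’s syntax: a small first-match filter evaluated over constructed packets. It goes slightly beyond the text by also rejecting source addresses that can never legitimately arrive from outside (loopback, unspecified, multicast, link-local). The internal prefixes, interface names and sample packets are assumptions.

```python
"""Reference ingress filter for a perimeter router's external interface.

Added example, not the guideline's own configuration: it models the two
filters the text lists (deny ICMP redirects; anti-spoofing, i.e. drop
inbound packets claiming an internal source address) as an ordered policy
evaluated over constructed packets, and additionally rejects sources that
can never legitimately arrive from outside. Internal prefixes, interface
names and the sample traffic are assumptions made for the example.
"""
import ipaddress
from dataclasses import dataclass

# Assumed internal address space of the organization (RFC 1918 ranges here).
INTERNAL_PREFIXES = [ipaddress.ip_network(p) for p in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Sources never valid on an external interface (beyond the guideline's text).
MARTIAN_PREFIXES = [ipaddress.ip_network(p) for p in
                    ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4")]
ICMP_REDIRECT = 5  # ICMP type 5 is Redirect


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str             # "icmp", "tcp" or "udp"
    icmp_type: int = -1    # only meaningful when proto == "icmp"
    ingress_if: str = "outside"


def _in_any(addr, prefixes):
    return any(addr in p for p in prefixes)


def evaluate_ingress(pkt):
    """Return (action, rule_name) for a packet arriving at the router.

    Rules are checked in order, as in an access list: the first match wins.
    Only the external interface is filtered; inside traffic is left alone.
    """
    if pkt.ingress_if != "outside":
        return ("permit", "inside-interface")
    src = ipaddress.ip_address(pkt.src)
    # 1. "deny icmp any any redirect": internal hosts must never learn routes
    #    from the outside, whatever the source address claims to be.
    if pkt.proto == "icmp" and pkt.icmp_type == ICMP_REDIRECT:
        return ("deny", "icmp-redirect")
    # 2. Anti-spoofing: nothing from outside can carry an internal source;
    #    such packets exist only to abuse address-based trust.
    if _in_any(src, INTERNAL_PREFIXES):
        return ("deny", "anti-spoofing-internal-source")
    # 3. Martian sources (loopback, unspecified, link-local, multicast).
    if _in_any(src, MARTIAN_PREFIXES):
        return ("deny", "martian-source")
    return ("permit", "default")


def filter_log(packets):
    """Apply the policy to a batch and return the log lines a reviewer sees."""
    lines = []
    for p in packets:
        action, rule = evaluate_ingress(p)
        lines.append(f"{action.upper():6} {rule:30} {p.proto} {p.src} -> {p.dst}")
    return lines


# Constructed traffic sample covering each rule.
SAMPLE_PACKETS = [
    Packet("203.0.113.9", "198.51.100.10", "tcp"),                # ordinary inbound
    Packet("203.0.113.9", "198.51.100.10", "icmp", icmp_type=8),  # echo request
    Packet("203.0.113.9", "198.51.100.10", "icmp", icmp_type=5),  # redirect
    Packet("10.1.2.3", "198.51.100.10", "tcp"),                   # spoofed internal source
    Packet("127.0.0.1", "198.51.100.10", "udp"),                  # martian source
    Packet("10.1.2.3", "10.1.9.9", "tcp", ingress_if="inside"),   # internal traffic
]

if __name__ == "__main__":
    print("\n".join(filter_log(SAMPLE_PACKETS)))
```

Keeping a table like SAMPLE_PACKETS under change management alongside the real filter configuration gives the periodic break test the section asks for a concrete, repeatable form: every rule has at least one packet that must be denied and one that must still pass.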

• OS and application server security

o Organizations shall periodically assess the OS and Database against IT General Controls and other system level controls;

o The logical access rights (read/write/modify) shall be strictly controlled and the access shall only be provisioned after appropriate approvals from information system owner or Top Management;

o The access rights shall be issued with “LEAST PRIVILEGES”;

o The organization shall ensure that its servers are physically secure. The physical access shall be restricted to authorized personnel only. Unauthorized users who require physical access to, or in the vicinity of, a network server must be escorted by authorized personnel;


o Organization shall implement and monitor audit trails to identify irregularities of physical access or unauthorized access at defined frequencies;

o All Servers (operating systems, the application servers, web servers and mail servers) in organization network must be located in a secure area that provides appropriate environmental controls, including air handling & conditioning, uninterruptible power protection (UPS) & conditioning, and fire suppression;

o The organization shall appropriately manage and monitor its server at defined frequencies;

o The organization shall take into consideration the following practices to secure its server hardware:

- Avoid using server consoles as much as possible;

- Match hardware compatibility while buying/installing the server; and

- Disable CD-ROM or floppy disk boot.

o Appropriate access control shall be configured and in place on all network devices with remote login capability; and

o Network devices shall be located, wherever possible, within a suitable network or telecommunication closet, or in a designated server room;

o Default user IDs shall be disabled;

o Use of default passwords shall be strictly controlled; and

o System account activities shall be monitored.

• Host security

o Risk Assessment: Organization shall conduct security risk assessment(s) in relation to all the elements of its infrastructure. The risk assessments will identify the appropriate security countermeasures necessary to protect against possible breaches in confidentiality, integrity and availability;

o Physical and environmental security: All equipment of the organization shall be housed in a controlled and secure environment.

- Critical or sensitive infrastructure equipment shall be housed in secure areas, protected by a secure perimeter, with appropriate security barriers and entry controls;

- Critical or sensitive infrastructure equipment will be housed in an environment that is monitored for temperature, humidity and power supply;

- The organization shall ensure that all visitors getting access to infrastructure areas must be logged in and out. The log will contain name, organisation, purpose of visit, date, and time in and out; and

- The organization shall ensure that all responsible staff are made aware of procedures for visitors and that visitors are monitored, when necessary.

o Access to network: Access to the infrastructure within the organization shall be provisioned via secure log-on procedures which are designed to minimise the opportunity for unauthorised access;

o Organization shall maintain a formal, documented user registration and de-registration procedure for access to the network;

o Data backup and Restoration: Organization shall ensure that appropriate configuration information is recorded to allow the restoration of core systems; and

o Some of the key characteristics related to workstation security are listed below:

- Formulate a user access policy and implement the same;

- Regularly update the patches/hotfixes for the workstation operating system and applications;


- Limit the network resources accessible from workstations. Assign only what is a “MUST REQUIRED”;

- Install anti-virus software and update it regularly on all the workstations; and

- Ensure workstation data is included in the backup policy and schedule of the organization.

• Disaster Recovery

To mitigate the impact of a local or total loss of network connectivity, and facilitate the quick recovery of network services in the event of a disaster, the organization requires the following of all computing facilities:

- Document plans, response and recovery procedures shall be developed and approved, detailing how the organization should manage a disruptive event and maintain its business continuity to a predetermined level, based on management-approved objectives;

- Organizations should identify business requirements for the availability of data;

- All data considered “critical” to the operation of the organization as a whole or to the services provided by a department shall be routinely backed up by the party responsible for that data, with archives being stored off-site at regular intervals; and

- Backed up data shall be tested periodically to ensure that the media and restoration procedures are in working order, and that the data is in fact retrievable.

• Cloud management

o Use of cloud services for work purposes must be formally authorized by the organization;

o A cloud vendor due diligence shall be conducted before finalising the service provider;

o Necessary approvals shall be taken from all personnel within the organization on security, privacy and all other IT management requirements which are to be adequately addressed by the cloud computing vendor;

o For any cloud services that require users to agree to terms of service, such agreements must be reviewed and approved by the organization’s management;

o The use of such services must comply with organization’s existing Acceptable Usage Policy/Computer Usage Policy/Internet Usage Policy/Bring Your Own Device(BYOD) Policy;

o The organization shall identify risks regarding the failure to comply with internal directives, Qatar e-commerce laws and regulations from QCERT, which could result in fines, impaired reputations or other losses;

o The organization shall identify risks regarding the change of the level of control in security governance;

o The organization shall identify risks regarding delivery of service and continuity as well as defensive controls such as malware protection, vulnerability management, denial of service, data protection due to failures, lack of processes, controls, methodology, etc.;

o Training and awareness programs focussed on management of cloud services and the risks associated with them shall be conducted for all cloud service administrators, users and responsible employees and contractors. Training and awareness shall include:

- Standards and procedures for the use of cloud services;

- Information security risks relating to cloud services and how those risks are managed;

- System and network environment risks with the use of cloud services; and

- Applicable legal and regulatory compliances.

o The organization’s inventory of assets shall account for information and associated assets stored in the cloud computing environment. The records of the inventory shall indicate the location where the assets are maintained, e.g. identification of the cloud service;

o The organization shall ensure that information and associated assets maintained in the cloud computing environment are labelled in accordance with the organization’s adopted procedures for labelling;

o The organization shall define its requirements for event logging and verify that the cloud service meets those requirements;

o If a privileged operation is delegated to organization, the operation and performance of those operations shall be logged. Organization shall determine whether logging capabilities provided by the cloud service provider are appropriate or whether it shall implement additional logging capabilities;

o Capacity management plan shall be created, implemented and maintained by organizations;

o Sufficient capacity shall be provided by cloud service providers to fulfil agreed capacity and performance requirements;

o Cloud data shall be identified for backup along with the frequency and retention period by the organizations;

o The organization shall implement cryptographic controls for the use of its cloud services if required after performing the risk assessment. The controls shall be of sufficient strength to mitigate the identified risks, whether those controls are applied by organization or by the cloud service provider;

o The organization shall identify the cryptographic keys for each cloud service, and implement procedures for key management; and

o The organization shall ensure that access to information in the cloud service is restricted in accordance with its access control policy. This includes restricting access to cloud services, cloud service functions, and organization data maintained in the service.

• Integration with merchants and banks

o It is recommended that the organizations should comply with PCI DSS requirements while integrating with merchants and banks;

o The organization should take into consideration the following points while integrating its platforms/systems with merchants and banks:

- The encryption technique used by payment gateways;

- Usage of dynamic IP addresses;

- Involvement of firewalls that are robust enough to be effective without causing undue inconvenience to cardholders or vendors; and

- Usage of digital signatures.

o The organization shall implement strong access control measures in integrated systems;

o The organization shall regularly monitor and test its networks; and

o The organization shall maintain a vulnerability management program and initiate periodic scans and implement remediation.

• Additional security measures for organizations

o Malicious Software: The organization shall ensure that sufficient technical measures are in place to minimise the risk of intrusion from malicious software. All users shall be trained and alerted to their responsibility not to take any actions which may result in malicious software entering the system;

o Data Loss: The organization shall ensure that sufficient technical measures are in place to minimise the risks of data loss. All users shall be trained and alerted to their responsibility with regard to data loss;


o Zero day vulnerabilities: The organization shall ensure that sufficient technical measures are in place to minimise the risks of zero day vulnerabilities;

o Unauthorised software: The organization shall ensure that sufficient technical measures are in place to minimise the risks of unauthorised software. All users shall be trained and alerted to their responsibility with regard to unauthorised software;

o System misconfiguration: The organization shall ensure that sufficient technical and operational measures are in place to minimise the risks due to misconfiguration of systems; and

o Any other identified risk: The organization shall ensure that, where warranted, technical measures shall be implemented to detect and protect its infrastructure systems as they are identified.

Ø Vulnerability Management

• Vulnerability Management

o The organizations shall define and implement a vulnerability management framework covering all internal and external systems;

o The organizations shall perform a vulnerability assessment cycle encompassing the following stages:

- Preparation phase: to identify and categorize its IT assets;

- Initial scan phase: to scan for all the vulnerabilities associated with its networks, network devices and systems;

- Remediation phase: to prioritize remediation effort based on risk;

- Implement closure action: to apply patches or install necessary upgrades to systems; and

- Re-scan phase: to re-scan and validate risk mitigation.

o Organizations can refer to guidelines from OWASP, NIST etc. for conducting such scans;

o The organizations shall maintain a complete and up-to-date asset inventory with specific information like details of software/hardware vendor, version numbers, current state of deployment (e.g. what software is installed on what systems or hardware is deployed) and the person(s) within the organization responsible for the software, for effective technical vulnerability management;

o The organizations shall take appropriate and timely action in response to the potential technical vulnerabilities identified within its systems and networks;

o The organization shall define and establish the roles and responsibilities associated with technical vulnerability management;

o The vulnerability management shall include vulnerability monitoring, vulnerability risk assessment, patching, asset tracking and any coordination responsibilities required;

o Necessary timelines shall be defined to react to notifications of potentially relevant technical vulnerabilities;

o The vulnerabilities shall be classified into severity levels as high, medium or low on the basis of factors such as scope of extent, impact on system, risks associated with vulnerabilities etc.;

o The organizations shall define and implement a process to ensure that vulnerabilities are identified during the lifecycle of software development and ensure that all major changes include a component of vulnerability management; and

o The organizations should define a procedure to address the situation where a vulnerability has been identified however there is no suitable countermeasure. In such cases, the organization shall evaluate risks relating to the known vulnerability and define appropriate detective and corrective actions.
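The assessment cycle, the severity classification and the reaction timelines described in this section fit together as one workflow, and it helps to see the whole cycle run once. The following is an added example, not the guideline’s own tooling: a small tracker that classifies constructed findings into the guideline’s high/medium/low levels from two of the factors it names (scope of extent and impact on the system), orders remediation by risk, and closes a finding only when the re-scan no longer detects it. The scoring table, the per-severity remediation timelines, the asset names and the sample findings are assumptions made for the example.

```python
"""Vulnerability assessment cycle modelled as a small tracker.

Added example, not the guideline's own tooling: it walks the stages the text
lists (scan, classify by severity, prioritize remediation, close, re-scan
and validate) over constructed findings. The high/medium/low levels are
derived from two of the factors the guideline names (scope of extent and
impact on the system); the scoring table, the remediation timelines per
severity, the asset names and the sample findings are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed remediation timelines, in days from detection, per severity level.
REMEDIATION_DAYS = {"high": 7, "medium": 30, "low": 90}
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def classify(scope, impact):
    """Map scope ('single', 'segment', 'enterprise') and impact ('low',
    'moderate', 'severe') onto the guideline's three severity levels."""
    total = ({"single": 1, "segment": 2, "enterprise": 3}[scope]
             + {"low": 1, "moderate": 2, "severe": 3}[impact])
    if total >= 5:
        return "high"
    if total >= 3:
        return "medium"
    return "low"


@dataclass
class Finding:
    asset: str
    title: str            # plain description from the scanner (constructed)
    scope: str
    impact: str
    detected: date
    severity: str = field(init=False)
    due: date = field(init=False)
    status: str = "open"  # open -> remediated -> closed (or back to open)

    def __post_init__(self):
        self.severity = classify(self.scope, self.impact)
        self.due = self.detected + timedelta(days=REMEDIATION_DAYS[self.severity])

    @property
    def key(self):
        return (self.asset, self.title)


def prioritize(findings):
    """Remediation phase: highest severity first, then the earliest due date."""
    return sorted((f for f in findings if f.status == "open"),
                  key=lambda f: (SEVERITY_RANK[f.severity], f.due))


def mark_remediated(findings, fixed_keys):
    """Closure action: the owning team reports a patch or upgrade applied."""
    for f in findings:
        if f.key in fixed_keys:
            f.status = "remediated"


def apply_rescan(findings, still_detected):
    """Re-scan phase: a remediated finding is closed only if the re-scan no
    longer detects it; one that is still present goes back to open."""
    for f in findings:
        if f.status == "remediated":
            f.status = "open" if f.key in still_detected else "closed"
    return findings


def overdue(findings, today):
    """Open findings past the timeline defined for their severity."""
    return [f for f in findings if f.status == "open" and today > f.due]


def run_cycle():
    """One full cycle over constructed findings; returns the resulting state."""
    findings = [
        Finding("web01", "outdated TLS configuration", "enterprise", "severe", date(2019, 3, 1)),
        Finding("db02", "default account enabled", "segment", "moderate", date(2019, 3, 1)),
        Finding("ws17", "missing screen lock", "single", "low", date(2019, 3, 1)),
    ]
    order = [f.asset for f in prioritize(findings)]
    mark_remediated(findings, {("web01", "outdated TLS configuration"),
                               ("db02", "default account enabled")})
    # Constructed re-scan result: the db02 finding is still present.
    apply_rescan(findings, still_detected={("db02", "default account enabled")})
    late = [f.asset for f in overdue(findings, date(2019, 4, 2))]
    return {"order": order,
            "status": {f.asset: f.status for f in findings},
            "overdue": late}


if __name__ == "__main__":
    print(run_cycle())
```

The point of the re-scan step is visible in the result: the team reported both web01 and db02 as fixed, but only web01 is closed, because the validating scan still sees the db02 finding, which therefore also shows up as overdue against its medium-severity timeline.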


• Audit Logging

o An audit log shall be maintained for all activities undertaken, and necessary records shall be maintained to ensure effectiveness and efficiency of the vulnerability management process.

• Patch management

o All organizations shall define a framework and document applicable policies;

o Implement a patch schedule which includes: advisory notifications and mitigation advice, schedule from original equipment manufacturer (OEM) release date, exceptions to be sought prior to patch implementations, and periodic reports on patch management within the organization;

o Organizations shall define criteria for assigning a severity rating to patches. This will help determine the urgency of addressing vulnerabilities and deploying related updates;

o Change Management process should be initiated before deploying patches on live systems. It should include impact analysis on downstream and upstream application/devices, roll back plan, backup plan, predefined implementation timeline, approved downtime and downtime notification plan etc.;

o Risks associated with installing the patch shall be assessed (the risks posed by the vulnerability should be compared with the risk of installing the patch); and

o Patches shall be tested and evaluated before they are installed to ensure they are effective and do not result in side effects that cannot be tolerated; if no patch is available, other controls should be considered, such as:

- Turning off services or capabilities related to the vulnerability;

- Adapting or adding access controls, e.g. firewalls, at network borders;

- Increased monitoring to detect actual attacks; and

- Raising awareness of the vulnerability.

• Other Security Assessment

o A penetration test, or pen-test, is an attempt to evaluate the security of an IT infrastructure by safely trying to exploit vulnerabilities. These vulnerabilities may exist in operating systems, services and application flaws, improper configurations or risky end-user behaviour;

o Penetration testing provides a snapshot of a system in a specific state at a specific time. The snapshot is limited to those portions of the system actually tested during the penetration attempt(s);

o Regularly scheduled penetration testing of networks, servers, and databases from outside the network should be carried out periodically by organizations to determine existing vulnerabilities;

o Organizations shall analyse all vulnerabilities and send them to technical domain experts within the organization for remediation recommendations and for determining false positives (justification needs to be provided for false positives);

o Once the fix has been deployed, technical domain experts within the organization shall submit a confirmation within the time frame assigned in remediation plans defined by organization;

o Organizations shall run a rescan to validate the remediation of vulnerabilities and share the rescanning results with technical domain owners and might also share it with the management in their units as appropriate;

o Organizations shall conduct a periodic configuration review and ensure that the system configurations are in line with leading security practices; and

o It is recommended that the organizations conduct periodic application security assessments for critical applications.


Ø Log Management

• Log Monitoring

o Event logs recording user activities, exceptions, faults and information security events shall be produced and stored securely;

o The organizations shall define and implement process and technical controls to safeguard the logging facilities, and log information should be protected against tampering and unauthorized access;

o Event logs should include, when applicable:

- user IDs;

- system activities;

- dates, times and details of key events, e.g. log-on and log-off;

- device identity or location if possible, and system identifier;

- records of successful and rejected system access attempts;

- records of successful and rejected data and other resource access attempts;

- changes to system configuration;

- use of privileges;

- use of system utilities and applications;

- files accessed and the kind of access;

- network addresses and protocols;

- alarms raised by the access control system;

- activation and de-activation of protection systems, such as anti-virus systems and intrusion detection systems; and

- records of transactions executed by users in applications.

The following set of technical capabilities should be considered to ensure log management for all such controls:

- Monitoring of files that require higher privileges;

- Capabilities for killing system processes;

- Installation of unauthorized or potentially damaging software (backdoors, Trojan horses, etc.);

- Modification or deletion of sensitive information; and

- Exploitation of a security vulnerability to gain higher or different privileges.

o All logs shall be categorized and reviewed. Following are some examples for reference:

- In case of Windows operating systems: system logs for errors and warnings for hardware failure, and security logs for success and failure attempts shall be reviewed;

- In case of non-Windows OS: administrator’s activity logs, authentication logs, error logs residing in the directory /var/log, system start and shutdown logs, audit logs etc. shall be reviewed;

- Network device logs: logs from firewalls and intrusion detection/prevention systems which capture the following details shall be reviewed periodically:

i. The inbound and outbound packets;

ii. Information about particular servers, e.g. web server;

iii. Audit logs, authorized and unauthorized login attempts;

iv. Administrator activity: privileged user logs for changes in the system, e.g. route add/delete and any other configuration changes;

v. Packets which have been dropped;

vi. Probing of systems; and

vii. Critical logs generated by devices (alerts on suspicious packets, determining probes, attack statistics).

- Application server logs: the following set of logs for various application servers shall be reviewed periodically:

i. Web server logs, e.g. error logs, access logs;

ii. Mail server logs, e.g. connection status, SMTP queues, protocol status (SMTP, POP3);

iii. FTP server logs, e.g. current logins, commands executed, files uploaded and downloaded; and

iv. Database server logs, e.g. user activity logs, audit logs of backend operations (table creation, deletion, modification, searches etc.), objects accessed.


o Event logs can contain sensitive data and personally identifiable information. Appropriate privacy protection measures should be taken.
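The privacy point above matters most for an e-commerce operator, whose application and payment logs can easily capture card numbers and e-mail addresses alongside the user IDs, timestamps and addresses that the event-log checklist requires. The following is an added example, not part of the guideline: a scrubber applied to log lines before they are stored or forwarded, which masks payment card numbers (digit runs of 13 to 19 that pass the Luhn check, keeping only the last four digits) and e-mail addresses while leaving the review fields intact. The sample lines, field names and masking rules are constructed assumptions; the Luhn check is what keeps order numbers and timestamps from being masked by mistake.

```python
"""Privacy protection for event logs that carry personal data.

Added example, not from the guideline: before log lines are stored or
forwarded, it masks payment card numbers (13-19 digit runs that pass the
Luhn check, leaving the last four digits) and e-mail addresses, while
keeping the fields a reviewer needs (timestamp, user id, source address,
outcome). Sample lines and masking rules are constructed assumptions.
"""
import re

# A digit run of 13-19 digits, optionally separated by single spaces or
# hyphens, not embedded in a longer run of digits.
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def luhn_ok(digits):
    """Luhn checksum: separates real card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask_card(match):
    raw = match.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_ok(digits):
        return raw  # order numbers, counters etc. are left untouched
    return "*" * (len(digits) - 4) + digits[-4:]


def _mask_email(match):
    local, _, domain = match.group(0).partition("@")
    return local[0] + "***@" + domain


def scrub(line):
    """Return the log line with card numbers and e-mail addresses masked."""
    line = CARD_RE.sub(_mask_card, line)
    return EMAIL_RE.sub(_mask_email, line)


def scrub_all(lines):
    return [scrub(line) for line in lines]


# Constructed sample lines from a checkout and a web front end. The card
# numbers are the well-known industry test numbers, not real cards.
SAMPLE_LINES = [
    '2019-03-03T10:02:11Z checkout01 payment user=u4821 src=198.51.100.23 pan=4111111111111111 outcome=approved',
    '2019-03-03T10:02:15Z checkout01 payment user=u4821 src=198.51.100.23 pan="4012 8888 8888 1881" outcome=declined',
    '2019-03-03T10:03:40Z web02 signup user=u9001 email=jane.doe@example.com src=203.0.113.77 outcome=ok',
    '2019-03-03T10:04:02Z web02 order user=u9001 order=2019030310040200 src=203.0.113.77 outcome=ok',
]

if __name__ == "__main__":
    print("\n".join(scrub_all(SAMPLE_LINES)))
```

The fourth sample line shows the edge case: a 16-digit order number is the same shape as a card number, but it fails the Luhn check and so survives unchanged, which keeps the order log usable for investigations.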

• Storage

o Logs are the primary record keepers of system and network activities. When security failures are experienced, logs are particularly helpful to determine event chronology. Hence, all logging facilities and log information should be protected against tampering and unauthorized access.

o Controls shall be in place to protect against unauthorized changes to log information and operational problems with the logging facility including:

- alterations to the message types that are recorded;

- log files being edited or deleted; and

- storage capacity of the log file media being exceeded, resulting in either the failure to record events or over-writing of past recorded events.

o The log retention period shall be defined for all infrastructure devices and applications, mail servers, financial data, and any specific applicable legal, regulatory and compliance requirements. The logs shall be archived as part of the record retention policy or in accordance with the requirements for collecting and retaining evidence;

o The following set of controls can be considered for securing log storage and protection:

- All log collection and consolidation efforts should be performed on an independent and dedicated server;

- Contents of log data should be properly encrypted for protection and digitally signed to ensure integrity;

- Log files shall be set to ‘append only’ to avoid deletions, purges, and overwrites;

- Regular backup of all log files should be conducted at periodic intervals, and an appropriate naming convention should be in place to capture information about date, time, type, and server;

- Log backup should be integrated with the overall corporate backup;

- Necessary tools should be in place to filter out key events from logs of all events. This will help to manage storage capacity costs and compliance issues which require an extensive audit trail; and

- Organizations should define secure disposal policies for wiping and shredding of log data and media.
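Two requirements in this document converge here: the Network logging section asks for file integrity monitoring so that existing log data cannot be changed without generating an alert, and the storage controls above ask for log contents that are digitally signed and append-only. The following is an added example, not the guideline’s own mechanism and not a product: a keyed hash chain in which every stored record carries an HMAC over the previous record’s tag and its own content, so that editing, deleting or reordering an earlier line invalidates every later tag, and a seal held by the collector detects removal of the tail. The key, the record layout and the sample events are assumptions; in a real deployment the key is held by the log collector, not by the host that produces the logs.

```python
"""Tamper-evident log storage with a keyed hash chain.

Added example, not the guideline's own mechanism: each stored record carries
an HMAC-SHA256 tag computed over the previous record's tag and the record's
own content, so modifying, deleting or reordering any retained line breaks
the chain from that point on. A seal (the last tag) kept by the collector
additionally detects truncation. Key, layout and sample events are assumed.
"""
import hashlib
import hmac

GENESIS = b"\x00" * 32  # tag assumed for "the record before the first one"


def chain_tag(key, prev_tag, message):
    """Tag for one record: HMAC(key, previous_tag || message)."""
    return hmac.new(key, prev_tag + message.encode("utf-8"), hashlib.sha256).digest()


class ChainedLog:
    """Append-only store of "tag_hex<TAB>message" lines."""

    def __init__(self, key):
        self.key = key
        self.records = []
        self.last_tag = GENESIS

    def append(self, message):
        self.last_tag = chain_tag(self.key, self.last_tag, message)
        self.records.append(f"{self.last_tag.hex()}\t{message}")
        return self.last_tag.hex()


def verify_chain(key, records, expected_last_tag=None):
    """Walk the stored lines; return (ok, index_of_first_bad_record).

    expected_last_tag is the seal the collector recorded out of band. Without
    it, only changes to retained lines are detected; removal of the newest
    lines would go unnoticed, which is the reason the seal exists.
    """
    prev = GENESIS
    for i, line in enumerate(records):
        tag_hex, _, message = line.partition("\t")
        expected = chain_tag(key, prev, message)
        if not hmac.compare_digest(tag_hex, expected.hex()):
            return (False, i)
        prev = expected
    if expected_last_tag is not None and not hmac.compare_digest(prev.hex(), expected_last_tag):
        return (False, len(records))  # tail removed (or seal out of date)
    return (True, -1)


KEY = b"example-log-signing-key"  # constructed; a real key comes from a KMS or HSM

# Constructed events of the kinds the guideline says should be reviewed.
SAMPLE_EVENTS = [
    "2019-03-03T08:00:01Z fw01 DROP src=203.0.113.40 dst=198.51.100.10 proto=tcp dport=23",
    "2019-03-03T08:00:05Z web01 sshd: Accepted publickey for alice from 192.0.2.20",
    "2019-03-03T08:01:10Z db02 audit: user=report_ro action=SELECT table=orders",
]


def demo():
    """Build a chain, then show how each kind of tampering is detected."""
    log = ChainedLog(KEY)
    for event in SAMPLE_EVENTS:
        log.append(event)
    seal = log.last_tag.hex()
    edited = list(log.records)
    edited[1] = edited[1].replace("alice", "bob")      # content changed in place
    deleted = log.records[:1] + log.records[2:]        # middle record removed
    truncated = log.records[:2]                        # newest record removed
    return {
        "intact": verify_chain(KEY, log.records, seal),
        "edited": verify_chain(KEY, edited, seal),
        "deleted": verify_chain(KEY, deleted, seal),
        "truncated": verify_chain(KEY, truncated, seal),
        "truncated_without_seal": verify_chain(KEY, truncated),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:24} ok={result[0]} first_bad_index={result[1]}")
```

The last case in demo() is the caveat worth remembering: a chain alone proves that retained lines are unaltered, but it cannot prove that nothing was cut from the end, so the collector must record the latest tag somewhere the log producer cannot reach.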

• Administrator and operator logs

o The activities of all system administrators and system operators shall be logged, and the logs shall be protected and regularly reviewed to maintain accountability of privileged users; and

o An intrusion detection system managed outside of the control of system and network administrators can be used to monitor system and network administration activities for compliance.

• System considerations

o In setting up logging mechanisms the following should be considered:

- Use a centralized syslog server;

- Alert mechanisms to alert administrators in case any malicious activity is detected in logs;

- Use the combined log format for storing the transfer log;

- Establish different log file names for different virtual web sites that may be implemented as part of a single physical web server;

- Ensure procedures are in place so that log files do not fill up hard drives; and

- Ensure log files are regularly archived, secured and analysed.


• Audit Policy and Log management

o Auditing is a formal examination and review of actions taken by system users. Event auditing allows the reliable, fine-grained, and configurable logging of a variety of security-relevant system events, including logins, configuration changes and file and network access.

o Audit policy detects and deters penetration of the organization’s computer systems and reveals the usage that identifies misuse. Audits may be conducted to:

- Ensure confidentiality, integrity and availability by reviewing and maintaining audit logs;

- Ensure access to audit logs is restricted and segregation of duties is maintained; and

- Investigate possible security incidents to reconstruct the sequence of events that preceded a problem and everything that occurred after it.

o The organizations shall identify all auditing requirements for Windows hosts, Linux hosts, web servers, database servers etc., whichever is applicable, and define audit policy for them;

o The organization shall conduct periodic assessment and correlation of logs from firewalls, IDS/IPS, application servers (web, mail, and database), systems etc. and draw conclusions about the type and time of an incident, the vulnerabilities exploited and its root cause. These logs should provide vital inputs for managing computer security incidents, both for incident prevention and incident response; and

o Regular management reports should be generated to properly track backup and disposal events and detect any anomalies that might arise in the systems.


Appendix 1: Terms and Definitions


S.No Term Definition1 Consent Consent of the data subject means any freely given, specific,

informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

2 Data Refers to all data and information (such as personal information, financial information of a data subject etc.) in electronic form that ecommerce merchants and financial institutions capture, retrieve, share or process for the provision of e-commerce services to public.

3 Data Controller Refers to an entity (natural or legal person, public authority, agency or any other body ) which (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed

4 Data Processor A data processor is an entity (natural or legal person, public authority, agency or any other body) which processes data on behalf of a data controller. A data controller decides the purpose and manner to be followed to process the data.

5 Data Subject Data subject means an individual who is the subject of personal data. In other words, the data subject is the individual whom particular personal data is about.

6 Data Processing Refers to carrying out of any operation or set of operations on data, including the collection, receipt, recording, organizing, storing, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, transmission, blocking, erasure, or destruction of such information.

7 Data Sharing Means the disclosure of data form one or more agency/entity to a third party Agency/entity or Agencies/entities, or the sharing of data between parts of an Agency/entity.

8 MoTC Refers to the Ministry of Transport and Communications- Qatar

9 Organization Refers to ecommerce merchants and financial institutions.

10 Personal Data Refers to:

• any information about an individual whose identity is apparent or can reasonably be ascertained either from that information or from a combination of that and other information; and/or

• any information, including location data, that can reasonably be linked to a specific individual irrespective of whether or not the identity of the individual is apparent from that information or from a combination of that and other information.

11 Third Party Refers to any person or entity, other than the Data Controller, which carries out data processing on behalf of a controller, and includes any other person or entity appointed by a Third Party for the said purpose.


12 Sensitive Personal Data Relates to information concerning a data subject’s racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health, sexual life, or details of criminal offences.

13 Address Verification Service (AVS) A service that verifies the personal address provided by a customer at the time of a credit card transaction.

14 Authentication Authentication is the process of recognizing a user’s identity. It is the mechanism of associating an incoming request with a set of identifying credentials.

15 Card Verification Number (CVV) The last three digits printed on the signature panel on the back of a credit/debit card. The CVV/CID is a security feature that allows the e-commerce merchant and the card-issuing bank to identify the cardholder and provides additional security against fraud.

16 Credit history A credit history is a record of a borrower’s responsible repayment of debts. A credit report is a record of the borrower’s credit history from a number of sources, including banks, credit card companies, collection agencies, and governments.

17 Validation Assessment of a user’s credentials to establish that they are correct and complete.

18 IP Geolocation The identification or estimation of the real-world geographic location of an object, such as a radar source, mobile phone or Internet-connected computer terminal. In its simplest form, geolocation involves the generation of a set of geographic coordinates and is closely related to the use of positioning systems, but its usefulness is enhanced by using these coordinates to determine a meaningful location, such as a street address.

19 Device Fingerprint A device fingerprint (also machine fingerprint or browser fingerprint) is information collected about a remote computing device for the purpose of identification. Fingerprints can be used to fully or partially identify individual users or devices even when cookies are turned off.

20 Consumers Individuals/organizations who acquire pre-paid payment instruments for the purchase of goods and services, including financial services.

21 Issuer Entity operating the payment systems issuing pre-paid payment instruments to individuals/ organizations. The money so collected is used by this entity to make payment to the merchants who are part of the acceptance arrangement directly, or through a settlement arrangement.

22 Pre-paid Payment Instruments Payment instruments that facilitate the purchase of goods and services, including funds transfer, against the value stored on such instruments. The value stored on such instruments represents the value paid for by the holders by cash, by debit to a bank account, or by credit card.

23 Open System Payment Instruments Payment instruments which can be used for the purchase of goods and services, including financial services like funds transfer, at any card-accepting merchant location (point-of-sale terminal), and which also permit cash withdrawal at ATMs.


24 Closed System Payment Instruments Payment instruments issued by an entity for facilitating the purchase of goods and services from that entity. These instruments do not permit cash withdrawal or redemption. As these instruments do not facilitate payments and settlement for third-party services, the issue and operation of such instruments are not classified as payment systems.

25 Semi-Closed System Payment Instruments Payment instruments which can be used for the purchase of goods and services, including financial services, at a group of clearly identified merchant locations/establishments which have a specific contract with the issuer to accept the payment instruments. These instruments do not permit cash withdrawal or redemption by the holder.

26 Limits All ‘limits’ in the value of instruments stated in the guidelines, indicate the maximum value of such instruments that can be issued to any holder.

27 Vulnerability A vulnerability is a flaw or weakness in a system’s design, implementation, operation or management that could be exploited to compromise the system’s security objectives.

28 Vulnerability Assessment A scan performed from the internal network that provides an overview of the vulnerabilities visible from the local network, taking into account the host-based security controls present on the target system. By performing an internal or external scan of each component in the architecture, the results can show how well each layer is secured (“defence in depth”).

29 Threat A threat is anything (a malicious external attacker, an internal user, a system instability, etc.) that may harm the assets owned by an application (resources of value, such as the data in a database or in the file system) by exploiting a vulnerability.

30 Test A test is an action to demonstrate that an application meets the security requirements of its stakeholders.

31 Patch A patch is a piece of software designed to fix problems with, or update, a computer program or its supporting data.

32 Security Patch It is a patch developed by Original Equipment Manufacturers (OEMs) to fix identified security vulnerabilities.

33 Security Advisory A notification released by OEMs about the identified security vulnerability which can be fixed by applying suggested security patches or making some configuration changes.

34 Software Release A notification released by OEMs about a major/minor software upgrade which delivers bug fixes and software enhancements.


Appendix 2: List of Sources
