Subject: e-commerce security
Category: Computers > Security
Asked by: bouabidi-ga
List Price: $100.00
Posted: 02 Feb 2004 16:46 PST
Expires: 03 Mar 2004 16:46 PST
Question ID: 302957

How to implement security in an e-commerce application? Can e-commerce be 100% safe?
Subject: Re: e-commerce security
Answered By: easterangel-ga on 02 Feb 2004 19:10 PST
Rated:
Hi! Thanks for the question. I will try to answer your question in a point-by-point manner. I will also provide small snippets from the articles I will cite, but I highly recommend that you read them in their entirety to get a better grasp of the topic.

1. How to implement security in an e-commerce application?

Overview: The following articles provide discussions on how to implement security among e-commerce applications and environments. Our first link provides a general overview of the concepts inherent in e-commerce security.

"Public key infrastructure (PKI) technology uniquely fits the bill for business-to-business transactions, providing robust, bulletproof security perfectly suited for the environment of electronic business. In a virtual world where anybody can be anybody, PKI establishes the essential element of trust, the foundation for business, between buyers and sellers."

"Another critical issue in B2B security is preventing unauthorized parties from intercepting messages. There are several basic ways to minimize eavesdropping and they are often combined in order to reduce the risk of penetration. One basic step is to establish a secure communications channel by using one of several protocols that operate as a layer above the standard Internet TCP protocol. The most popular of these protocols, secure sockets layer (SSL), provides a range of security services for communications between a client and server."

"An alternate approach to ensuring the privacy of communications, which can be used in place of or in combination with a secure protocol, involves transmitting a message in a secure form so that it cannot be opened or read by another party. One of the most popular approaches is a message format called Secure/Multipurpose Internet Mail Extensions (S/MIME)..."

"Pretty Good Privacy (PGP) is an alternative to S/MIME. It's quite similar in concept to S/MIME but also accommodates digital signatures and encryption."

"The Basics of Business-to-Business E-Commerce Security"
http://www.ipnetsolutions.com/download/pdf/wp_security.pdf

-------------------------------------------

After learning the basics and general concepts of e-commerce security, we will dig much deeper into the requirements necessary for its implementation. One of the first requirements is adopting a security policy.

SECURITY POLICY:

"The primary goals in developing a security policy are to define organizational expectations for proper system use and define procedure to prevent, and respond to, security events. Similar to other organizational policies, the security policy must maintain and complement the organization's business objectives. The creation of a security policy for networked systems is inherently an ongoing and iterative process due to the dynamic nature of electronic commerce systems. When new technologies are adopted, an organization's security policy and privacy policy must be revisited and oftentimes revised to respond to the policy conflicts introduced by these new technologies."

Steps to creating a security policy:
- "identifying assets centered around software, hardware, people and documentation;"
- "evaluating and prioritizing those assets;"
- "identifying risks and vulnerabilities, including the probabilities of each;"
- "defining a policy of acceptable use based on work ethic and culture;"
- "identifying necessary safeguards, including physical security, audit/logging and incident response;"
- "creating the plan for a phased approach to introducing the policy; and communicating policy to users within the organization, as well as appropriate external individuals such as partners."

"STRATEGIES FOR DEVELOPING POLICIES AND REQUIREMENTS FOR SECURE ELECTRONIC COMMERCE SYSTEMS"
http://ecommerce.ncsu.edu/studio/anton+earp.pdf_2.pdf

--------------------------------

Our next concern will be the technologies involved in e-commerce security. We have already touched on them in our first resource, but this time we will go into them much deeper.

IDENTITY SECURITY:

a. SSL:
"In general, SSL uses public key cryptography as its method of communication. Each communicating host has a public key (available to anyone interested) and a private key (a non-shared key owned by the host). An SSL connection involves generating a secret key at connection time for each host and a public key exchange. By using the Diffie-Hellman or RSA key exchange algorithms (the two most common), the hosts will not see each other's secret keys. For that matter, no passwords are exchanged and no passwords ever traverse the network. Public key cryptography is effective because it is virtually impossible to determine someone's private key, even if you have the public key."

b. Real Time Credit Card Authorization:
"Authorizing your customer's credit card in real time allows you to verify that the credit card is legitimate and has not been reported lost or stolen. The authorization can be done with third party software such as ICVerify (http://www.icverify.com) or Mail Order Manager (http://dydacomp.com)."

c. Address Verification Systems:
"Address Verification Systems (AVS) provide an additional measure of security. An AVS will cross check the billing address (provided by the customer). Vendors may decide to decline a transaction based on a failed check."

d. Card Verification Codes:
"Card Verification Codes (CVV2 for Visa, CVVC for MasterCard, and CID for American Express) is a three or four digit number, independent of the sixteen digit credit card number."

e. Predictive Statistical Model:
"A Predictive Statistical Model queries a database (external to your site) against millions of online sales to come up with a score for a given transaction. This score quantifies the risk of the transaction."

f. Rule-Based Detection:
"Rule-Based Detection integrates all of the above into a set of if-then statements, specific to your organization. The rule set is meant to get better over time as you become more aware of where the red flags should be. For example, a business might choose to deny any order greater than $1000."

Sample Products:
FraudShield: www.clearcommerce.com
Equifax ElDverifier: www.equifaxsecure.com

g. SET:
"SET is significant because it allows for payment processing without the seller ever having to see the customer's credit card information. Without SET, a merchant must maintain a database of credit card numbers on site."

"Identity Theft and E-Commerce Web Security: A Primer for Small to Medium sized Businesses"
http://www.giac.org/practical/GSEC/Josh_Sorbel_GSEC.pdf

-------------------------------------

CONFIGURATION MANAGEMENT:

After the authentication techniques, our next concept for security will be configuration management.

"Configuration Management is the implementation of a database (Configuration Management Database - CMDB) that contains details of the organization's elements that are used in the provision and management of its IT services. Configuration management is responsible for the identification, recording, tracking, and reporting of key IT components or assets called configuration items (CIs)."

"Configurations are the actual arrangement and functionally-interlocking structures of multiple components of all hardware and software, regardless of size and location. Without the definition of all configuration items that are used to provide an organization's IT services, it can be very difficult to identify which items are used for which services. This could result in critical configuration items being stolen, moved or misplaced, affecting the availability of the services dependent upon them."

-------------------------

STAFF SECURITY TRAINING and MONITORING:

"Any time an IT candidate is about to be hired, most companies should do a background check. The price of such checks has dropped dramatically since the Internet made the practice easy, and a feeling of assurance about a new employee can be priceless."

"Although educating employees can result in a definite improvement in security, it certainly does not hurt to establish some barriers between workers and data."

"The solution, Duseja said, might lie in implementation of a layered security system that puts firewalls at different points and severely limits data access. Beyond the network level, firewalls can be erected at the application and desktop levels to give employees only the access they need."

"When Employees Are the Enemy - Security from the Inside"
http://www.ecommercetimes.com/perl/story/31238.html

---------------------

Our next 2 links provide some "good practices" advice on securing e-commerce applications and systems.

"'MAG 10' STEPS TO A SECURE NETWORK"
http://digitalenterprise.org/security/mag_10.html

"Security and Encryption"
http://digitalenterprise.org/security/security.html

------------------------------

2. Can e-commerce be 100% safe?

Just like any man-made technology or object, there is nothing 100% foolproof. Even homes or a powerful country can be victims of security breaches. The reasons for such assumptions are the following:

1.) "Both CERT and @stake recommend vulnerable companies encrypt network traffic, but even encrypting all network traffic isn't foolproof protection. While at-risk networks will greatly reduce this vulnerability's impact through encryption, they warn, sensitive information leaked from such sources as kernel memory can still be viewed by prying eyes."

"Security Firm @stake Says Your Network May Be Leaking Sensitive Data"
http://www.informationweek.com/story/IWK20030107S0003

2.) "New technologies can improve the quality of life, but they are not foolproof. The authors point out that computerised crime-prevention systems are only as reliable as the people who run them. 'Even the tightest security controls may be undermined through ... social engineering or human negligence,' they say."

"Bridging the real and the digital worlds"
http://www.cordis.lu/euroabstracts/en/december03/human01.htm

3.) "Security incidents were principally generated in the U.S. (81 percent), but the percentage of fraud attempts made from the U.S. was much lower (48 percent). One reason for the difference is the weak policing of the Internet outside the U.S., according to Verisign. 'International criminals can essentially commit fraud with impunity, given that jurisdiction issues make policing international fraud near impossible,' the report said."

"E-commerce Fraud, Security Attacks on the Rise"
http://www.bahamasb2b.com/news/wmview.php?ArtID=2577

4.) In terms of security flaws, tech enthusiasts wince at the seemingly simple rules companies fail to comply with properly.

"Top 10 eCommerce flaws"
http://www.nta-monitor.com/news/eflaws-detail.htm

Search terms used:
e-commerce ecommerce "e commerce" security implementation foolproof 100% basics "Configuration management" security training

I hope these links will help you in your research. Before rating this answer, please ask for a clarification if you have a question or if you would need further information.

Thanks for visiting us.

Regards,
Easterangel-ga
Google Answers Researcher
bouabidi-ga rated this answer:
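The rule-based detection the answer describes (AVS result, card verification code, an external predictive score and a per-merchant amount limit combined into if-then statements) as an added Python example; it is not code from the answer or from any of the products it names. The order fields, the 0-100 score scale and the 60/85 score cut-offs are assumptions; only the $1000 limit comes from the answer's own example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed order record: what a checkout would hand to the screening step
# after real-time authorization returned the AVS and card-verification results.
@dataclass
class Order:
    amount: float              # order total in dollars
    avs_result: str            # "match", "partial", "no_match" or "unavailable"
    cvv_match: Optional[bool]  # None when the processor returned no CVV2/CVC/CID result
    risk_score: int            # 0-100 from an external predictive model (assumed scale)
    ship_equals_bill: bool     # shipping address is the same as the billing address

@dataclass
class Decision:
    action: str                # "accept", "review" or "decline"
    reasons: List[str] = field(default_factory=list)

# Merchant-specific thresholds. The $1000 limit is the answer's own example;
# the score cut-offs are assumptions a merchant would tune from its own history.
MAX_AUTO_ACCEPT_AMOUNT = 1000.00
REVIEW_SCORE = 60
DECLINE_SCORE = 85

def screen_order(order: Order) -> Decision:
    """Run the if-then rule set; the strictest triggered outcome wins."""
    declines: List[str] = []
    reviews: List[str] = []
    # Hard declines: the card data the customer supplied failed verification.
    if order.cvv_match is False:
        declines.append("card verification code did not match")
    if order.avs_result == "no_match":
        declines.append("AVS billing address did not match")
    if order.risk_score >= DECLINE_SCORE:
        declines.append(f"risk score {order.risk_score} >= {DECLINE_SCORE}")
    # Manual review: suspicious, but not conclusive on its own.
    if order.amount > MAX_AUTO_ACCEPT_AMOUNT:
        reviews.append(f"amount {order.amount:.2f} exceeds {MAX_AUTO_ACCEPT_AMOUNT:.2f}")
    if order.avs_result in ("partial", "unavailable") or order.cvv_match is None:
        reviews.append("AVS or card verification result incomplete")
    if order.risk_score >= REVIEW_SCORE:
        reviews.append(f"risk score {order.risk_score} >= {REVIEW_SCORE}")
    if not order.ship_equals_bill and order.amount > MAX_AUTO_ACCEPT_AMOUNT / 2:
        reviews.append("ship-to differs from bill-to on a large order")
    if declines:
        return Decision("decline", declines)
    if reviews:
        return Decision("review", reviews)
    return Decision("accept")

if __name__ == "__main__":
    # Constructed sample order, not a real transaction: over the $1000 limit.
    print(screen_order(Order(1500.00, "match", True, 20, True)))
```

Each triggered rule is recorded as a reason, so a reviewer sees why an order was held rather than only that it was.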
Subject: Re: e-commerce security
From: wwg-ga on 20 Aug 2004 12:19 PDT
Ecommerce transactions occur over publicly accessible (ie, snoopable) channels and this must be addressed lest customer information (eg, account numbers, addresses, names, other private data, ...) become available to the malicious/mendacious. Assorted laws and regulations have been passed in various places to 'deal' with this problem. Of course, assorted laws and regulations have been passed to 'deal with' extortion and kidnapping, much more venerable forms of mendacity, as well. The malicious may not find such legal threat quite convincing.

In the case of the Internet, it is possible to so increase the level of difficulty required that the malicious will fail, in practice. This may be enough. At least in theory. Adequate crypto systems (high quality algorithms, properly implemented, embedded in crypto systems using high quality (perhaps even provably secure) cryptographic protocols, used properly by human users, ...) will work. Note that there are several contingencies in that sentence; it is in these details that the Devil lurks. There is much crypto snake oil on the market, and for most users it is impossible to distinguish between good cryptosystems and fraudulent cryptosystems. Even without deliberate fraud, an imperfect implementation of an otherwise acceptable algorithm or protocol is very likely to be insecure. But, these are merely engineering problems, if very difficult ones; and enough attention (ie, money and trained personnel) ought to deal with them. How one can know they've been dealt with is something else, of course.

More serious, because harder, are any number of management problems, most connected with the presence of humans somewhere in the loop. Even if you have the best possible cryptosystem, can you be sure that its operators have not gotten bored and are taking 'shortcuts', thus losing all security? Could some person have sufficient gambling debt to be willing to accept an offer from a representative of Thieves'RUs? And, is the computer system/network topology you're using sufficiently well configured that it is not possible for the malicious to acquire the information you've so carefully protected cryptographically, by simply copying it from one or more of those computers? With some operating systems, it is not possible for anyone to have any rational confidence in the security of their configuration as there have been for years high numbers of security defects / vulnerabilities discovered in the operating system, leaving everything on such systems (however otherwise protected in transit from customer to 'store') open.

In this context, Bruce Schneier tells the story of some California house burglars who managed to find a way past the very best (and very most $) security systems. You know, the kind with a phone connection to the central office, sensors everywhere, super locks with monster deadbolts, reinforced door frames, non-duplicatable keys, large monthly bills, .... In short, the sort of security system we would all rationally get if the money were available. They simply bypassed it all -- they used chain saws to go directly through the walls. Neither doors nor windows, however protected, were an issue.

We humans habitually imagine possible attacks and then try to prevent them. Or think we're doing something like that. Attacks can be made from the Internet, so we install a (wonderfully reassuring name!) firewall. Or viruses might appear on disks, in email, in programs, ... so we get anti virus software. Truth be told, most folks don't really understand what's going on in either case, but the marketing machine (and the commentators) yak on and on and on so it must be the thing to do... But if someone has decided to use the computer equivalent of a chainsaw, we're going to be toast.

I think the only answer, and this is not one likely to be welcomed by those thinking about ecommerce security, is to hire good system administrators, let them get the tools they think they need, and stay out of their way, letting them do their jobs. How to decide whether one has a good one, and whether or not this tool (thousand$?!) is needed, and whether this scheme will be worthwhile, are other things altogether. Such folks are not cheap, they want you to do inconvenient things (eg, shut down this access, don't do that on this machine, no remote access for that, ...) that may not be easy to understand (or for some of these folks) to explain, ...

But these kinds of problems are, in other guises, old hat. As a steel mill manager, are you likely to understand obscure but important metallurgical stuff? Are you likely to directly understand some arcane tax provision which your accountant tells you must be observed, however much a pain? And so on for legal issues, zoning stuff, and much else. The difference is expectation, I think. These computer systems are so spiffy, and the marketing folks promise so much, that it must be possible to do wonderful things, evading all those unfortunate limitations that we have come to expect in regard to taxes and legal advice and zoning hassles and ... Ecommerce security is no exception, I think. There are no magic answers, anywhere. Just as with accounting advice, or legal advice, one must do the best one can, knowing that it may not be enough. The difference is that, if things are so set up as to allow a mistake to affect 'everything' (a very common design approach in computing) the consequence of a mistake will be large, and will happen much more quickly, than with accounting or legal difficulties. Defensive management is needed, I think, not willing belief in the marketing claims or one's hidden hope that this computing thing (in this case ecommerce security) will fix all.

Not a very satisfying observation, but one that has the virtue of tracking reality rather better than do marketing claims about Wondoware, the solution to everyone's problems, and easier to use too!