IT and security leaders spell out their security requirements for their online partners and explain how they make sure their partners comply.
Before swapping information with multiple e-commerce partners, it pays to protect yourself by pushing partners to adopt better security practices.
In the Northern summer of 2000, Visa unveiled its "Digital Dozen", a list of security requirements calling for firewalls, encryption, testing and access policies that its service providers and merchants must have as a condition of doing business with Visa. That's right - if a bank or merchant can't play by these rules, they don't play with Visa.
Visa's merchants and service providers must annually demonstrate compliance, through an online self-assessment for mum-and-dad shops and extensive third-party audits for merchants or service providers handling large volumes of cardholder information. And if a merchant refuses to comply, Visa can fine the bank that processes that store's transactions. Then it's up to the bank to punish the merchants. "Eventually, if we don't have proof from an independent third party that you qualify with our requirements, we really don't want you to take the card," says John Shaughnessy, Visa USA's senior vice president of risk management.
Not everybody is as deadly serious about B2B e-commerce partner security as is Visa. In the stampede to e-commerce, most companies have disregarded the security of their partners and their role in exerting pressure to make sure they're safe. "My sense is that B2B security is not a consideration for many organisations," says James Wade, chief security officer for the Federal Reserve System and president of ISC2, a training and professional certification organisation for IT security professionals. Many B2B relationships spawn from manufacturing, marketing or some other group within an organisation without involving IT security.
That may or may not be the case in your company, but regardless, it's your responsibility to see to the security credentials of your B2B partners. "The security of your B2B partner is as important as their creditworthiness," says Paul Gaffney, CIO of the office-products retailer Staples.
Indeed, the risks of working with a nonsecure partner are frightening. A partner that fails to secure its own systems could become a launch pad for attacks into your system. Someone could tamper with data in a supplier's system, such as switching a digit in a product SKU number. Or a virus could disable your partner's systems. Either way, your just-in-time supply chain operations will grind to a halt. Worst of all, you might incur legal liability if your partner exposes your customers' data. "Your customer will ask: Â'Why didn't you investigate this partner?' That customer can sue you," says Dorsey Morrow, general counsel for ISC2.
Of course, it's not just about the risks. Safe B2B e-commerce carries huge business benefits too. In fact, companies can market the security of their B2B programs to enhance customer confidence and thus attract additional partners. Safer B2B practices also protect against glitches and outages, preserving the critical just-in-time nature of e-commerce, which keeps the revenue flowing.
With so much to lose and to gain, every company should establish a set of security expectations for its B2B partners, drawing from the list that follows. In addition, take heed of the strategies to counter resistance and enforce compliance since you will be dealing with companies that aren't under your control.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.