WATSON HALL
Watson Hall Ltd
London 020 7183 3710
Edinburgh 0131 510 2001
Financial services e-commerce case study
website and web application security
Developing a new web application provides an opportunity to implement
security best practice from the start. Management of the complete
configuration, deployment and operations should continually address
security issues to ensure a safe and risk-minimised project.
A financial organisation in the City of London was looking to develop a
small number of e-commerce applications for their customers. These
would reference their internal customer systems which were developed
by a development house with whom they had a good working relationship
over a number of years. However, the standards and regulations that had
to be met were different for the internal processing systems than for the
new web-enabled application.
The organisation is subject to regulation by the Financial Services
Authority (FSA) [1] and also wished to move towards implementing ISO/IEC
17799 [2], and was concerned about the best way to undertake development
and manage the process.
The new web e-commerce applications would include taking online
payments using debit and credit cards, and setting up and amending
paperless direct debit mandates. These processes were to be
implemented on the organisation’s own hosting facilities, but required
interaction with remote services for payment card authorisation.
The Payment Card Industry Data Security Standard (PCI DSS) [3], issued by
the PCI Security Standards Council [4], had to be considered thoroughly
to ensure compliance.
The organisation’s in-house information systems and communications staff
were managing the development and implementation, working with
colleagues in the marketing and customer service departments who had
worked jointly to define the new e