PayDeg
Page 3
 
Sharing Brings Variations
 
Linkedin Company ProfileFacebookTwitter
 
 

PayDeg

 

Small/Medium Sized Business and E-Commerce

We covered some e-commerce management points in previous issues (page 4 of the second issue of PayDeg Journal). Here we would like to mention some points about security while managing e-commerce.

E-commerce security has its own particular nuances and is one of the most visible security components, affecting end users through their daily payment interactions with businesses. The term “e-commerce” refers to online payment transactions between business and consumer (B2C) or between businesses (B2B).

Sales volume from virtual points of sale for 2012 was 30.6 billion Turkish Liras (17 billion US dollars) according to BKM, Bankalararası Kart Merkezi (The Interbank Card Center; BKM/istatistik). Since 2011 this number has grown by 35.3%.

Seeing those numbers, it is fair to say e-commerce is part of our lives. With the consortium between Google, Garanti Bank, Yurtiçi Kargo, Ideasoft and SadeceHosting, SMBs in Turkey can move their business to the internet. With the “Move your business to the internet” campaign this consortium helps SMBs increase their competitiveness. SMBs may apply at http://www.isinizinternette.com.tr/ .

Security

Our topic for this issue is security. In the previous issue we discussed the needs for building your own e-commerce system, but we did not discuss the security issues that should be considered while building an e-commerce site. Security issues for an e-commerce site may be solved internally or by third-party service providers.

According to the PCI Security Standards Council, these are the things we should do to take care of security for e-commerce:

  • Install and maintain a firewall configuration to protect cardholder data.
  • Do not use vendor-supplied defaults for system passwords and other security parameters.
  • Protect stored cardholder data.
  • Encrypt transmission of cardholder data across open, public networks.
  • Use and regularly update anti-virus software.
  • Develop and maintain secure systems and applications.
  • Restrict access to cardholder data by business need to know.
  • Assign a unique ID to each person with computer access.
  • Restrict physical access to cardholder data.
  • Track and monitor all access to network resources and cardholder data.
  • Regularly test security systems and processes.
  • Maintain a policy that addresses information security.

While managing an e-commerce site you have to take care of the security issues related to infrastructure, systems, network, storage, software and, of course, the consumer data.

 

Security scenarios

How secure is the Cloud?

Today all users, business or home, want to access their data from anywhere on any device. The variety of devices also makes security harder to achieve.

Security

To be effective, security must be integral to the way people think and work, not merely an afterthought or another item to be checked off a list.

From the Roll Out Cloud or Cloud Computing pages of previous issues you can get an idea of what cloud computing is. Here is the first issue's Roll Out Cloud and Cloud Computing page link; do not forget that every issue has those pages. PayDeg has a YouTube channel too, and you can view videos from the Roll Out Cloud playlist.

Now about security: as we said at the Academic IT conference in Antalya, the cloud is as secure as the place you are in now.

You need to make sure that you are as secure as you want to be. To do that, be aware of which scenario you are in, and understand the responsibilities and who has control over what in the cloud.

Before checking out the scenarios, what should we know?

To see who has control over what, please check our 3rd issue's Roll Out Cloud page.

I believe there is also a need to know about the roles in the Cloud.

Roles in Cloud Computing


A cloud user can be an organization, a human being or an IT system that consumes service instances delivered by a particular cloud service (i.e., requests, uses and manages them, e.g. changes quotas for users, changes the CPU capacity assigned to a VM, or increases the maximum number of seats for a web conferencing cloud service).

A cloud auditor independently evaluates the security and performance of cloud services (e.g. CSA, the Cloud Security Alliance).

A cloud carrier provides the connectivity between cloud services and cloud users.

A cloud service broker is responsible for aggregating cloud services, which can be run by different cloud service providers, and exposing them to cloud service consumers.

A cloud service provider has the responsibility of providing cloud services to cloud service consumers.

[Figures: three “Security Scenarios” pictures, referred to below as the first picture, the picture in the middle and the third picture]
 
Some security scenarios

We first need to know what the cloud structure is; there can be many different scenarios. PayDeg thought that considering cardholder data would be the most general case in terms of e-commerce, so let's take a look at the first picture to get an idea of a basic structure: the merchant may get some cloud services from a broker or directly from the provider. While considering the security of cardholder data it is important where the data resides and where it is processed.

Take a look at the picture in the middle: the merchant uses cloud provider(s) for testing, training, backup systems, data storage, etc. So cardholder data is transmitted through the cloud and stored in the cloud, but no payment data is processed in the cloud. This case may range from a simple cloud or hybrid backup to offsite storage of historical data.

This scenario gives different results depending on whether or not the provider has the encryption key.

Who controls the provider side is also important for figuring out responsibilities. If the merchant uses a SaaS service, let's say Salesforce, with cardholder information in customer records, then the merchant and the provider share responsibility for the cardholder information. If the data is not encrypted with a key that is hidden from the cloud provider, the cloud systems are in scope (down to the VM layer) and it is most likely that the cloud provider will be responsible for most of the controls (it must be a PCI compliant service provider).

But if the merchant uses the cloud service for other operations, not for cardholder data, then the cloud provider is not responsible for it; the merchant takes the responsibility.

Let's take a look at the third picture: the merchant uses a public IaaS cloud and processes cards, and possibly stores them as well, in the cloud. So cardholder data is stored, passed through and processed in the cloud at the provider. The cloud provider must be PCI compliant.
For this scenario:

  • Encryption - all on the merchant side
  • Password management - on both the merchant and the provider side
  • Incident response - truly shared
  • Physical security - all on the cloud provider side

There is a responsibility split in this scenario:

Merchant:

  • Application security
  • Updating OS - guest OS
  • Scoping
  • Monitoring
  • Log management - guest OS and applications

Provider:

  • Physical access control
  • Network
  • Encryption
  • Key management
  • System security
  • Parts of application security
  • Updating OS - host OS
  • Log management - host OS, management systems

Owning the infrastructure does not mean the owner has to manage it. The cloud IaaS service provider owns the firewall appliances, but the merchant, another cloud service provider or a 3rd party may manage the appliances.
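As an added example, which is not code from the PayDeg article or from any company it names: the middle scenario's outcome depends on whether the provider holds the encryption key, and in the third scenario encryption is entirely on the merchant side. The Go program below, using constructed sample data and hypothetical function names, seals a cardholder record with AES-256-GCM under a key that stays with the merchant before the object is handed to cloud storage. The provider receives only the ciphertext plus a masked PAN (first six and last four digits), and any attempt to open the object with a different key, or after the masked PAN has been altered, fails authentication.

```go
// Added example, not from the PayDeg article: merchant-side encryption of
// cardholder data before it goes to a cloud provider. The key never leaves
// the merchant, so the provider only holds ciphertext and a masked PAN.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// CardRecord is a constructed sample of what a merchant system holds.
type CardRecord struct {
	PAN    string `json:"pan"`
	Expiry string `json:"expiry"`
	Holder string `json:"holder"`
}

// CloudObject is what is actually uploaded: no plaintext PAN, only a mask
// for display plus the AES-GCM ciphertext with the nonce prepended.
type CloudObject struct {
	MaskedPAN  string `json:"masked_pan"`
	Ciphertext string `json:"ciphertext"` // base64(nonce || sealed record)
}

// MaskPAN keeps the first six and last four digits (the most PCI DSS allows
// to be displayed) and replaces the rest with asterisks.
func MaskPAN(pan string) string {
	d := strings.ReplaceAll(pan, " ", "")
	if len(d) < 13 {
		return strings.Repeat("*", len(d))
	}
	return d[:6] + strings.Repeat("*", len(d)-10) + d[len(d)-4:]
}

// NewMerchantKey generates the 256-bit key that stays on the merchant side.
func NewMerchantKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a record under the merchant key. The masked PAN is bound in
// as additional authenticated data, so it cannot be swapped on the object.
func Seal(key []byte, rec CardRecord) (CloudObject, error) {
	aead, err := newGCM(key)
	if err != nil {
		return CloudObject{}, err
	}
	plaintext, err := json.Marshal(rec)
	if err != nil {
		return CloudObject{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return CloudObject{}, err
	}
	masked := MaskPAN(rec.PAN)
	sealed := aead.Seal(nil, nonce, plaintext, []byte(masked))
	return CloudObject{MaskedPAN: masked,
		Ciphertext: base64.StdEncoding.EncodeToString(append(nonce, sealed...))}, nil
}

// Open is what the merchant runs after fetching the object back; with any
// other key (for example one the provider holds) authentication fails.
func Open(key []byte, obj CloudObject) (CardRecord, error) {
	aead, err := newGCM(key)
	if err != nil {
		return CardRecord{}, err
	}
	raw, err := base64.StdEncoding.DecodeString(obj.Ciphertext)
	if err != nil {
		return CardRecord{}, err
	}
	ns := aead.NonceSize()
	if len(raw) < ns {
		return CardRecord{}, errors.New("ciphertext too short")
	}
	plaintext, err := aead.Open(nil, raw[:ns], raw[ns:], []byte(obj.MaskedPAN))
	if err != nil {
		return CardRecord{}, err // wrong key or tampered object
	}
	var rec CardRecord
	err = json.Unmarshal(plaintext, &rec)
	return rec, err
}

func main() {
	merchantKey, _ := NewMerchantKey()
	providerKey, _ := NewMerchantKey() // stands in for any key the provider might hold
	// Constructed record; the PAN is a standard test number, not a real card.
	rec := CardRecord{PAN: "4111111111111111", Expiry: "12/27", Holder: "A. Tester"}
	obj, err := Seal(merchantKey, rec)
	if err != nil {
		panic(err)
	}
	fmt.Println("stored at provider:", obj.MaskedPAN, obj.Ciphertext[:16]+"...")
	if _, err := Open(providerKey, obj); err != nil {
		fmt.Println("provider cannot read it:", err)
	}
	back, _ := Open(merchantKey, obj)
	fmt.Println("merchant reads back:", back.PAN)
}
```

Note that this only moves the confidentiality of stored data to the merchant's key; the key management, guest OS and application security items in the merchant column above still have to be covered, and the provider remains responsible for the host and physical controls regardless of who holds the key.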

About our training for SMBs

PayDeg, with the Roll Out Cloud training program, is eager to give consultancy on where and when to use those free tools and training on how to use them.

We are aware of most of the needs since we ourselves are also an SMB. We know very well that an SMB worker must wear different hats at different times. We also know that time has much more value for SMBs, therefore we make the training plan together. PayDeg's first goal is to train SMBs to ease their work. We are also very well aware that no two SMBs administer the same way, therefore needs vary.

Please follow us at conferences too, in İstanbul and in Ankara. We will publish the conferences we are going to attend on our web page: Conferences

We have a YouTube video channel to support our training, which SMBs can freely follow: Video Training Channel

As an SMB, how can we make sure that we are secure?

The purpose of computer security is to protect an organization's valuable resources, such as information, hardware, and software. Through the selection and application of appropriate safeguards, security helps the organization's mission by protecting its physical and financial resources, reputation, legal position, employees, and other tangible and intangible assets.

What is different about the cloud? Your data can be anywhere on earth, especially if you are using public clouds like Google or Azure, and jurisdictional issues will definitely complicate your road. Specifically, think about locations where certain security safeguards are illegal due to privacy constraints. Laws may cause security breaches too.

For the cloud we can add some security principles:
  • Openness
  • Design for privacy
  • Policy-based access to services
  • Multi-tenancy

Keep in mind while planning security for your own infrastructure that there are five phases:

  • Initiation Phase - the need for a system is expressed and the purpose of the system is documented.
  • Development/Acquisition Phase - the system is designed, purchased, programmed, developed, or otherwise constructed. Activities include determining security requirements, incorporating security requirements into specifications, and obtaining the system.
  • Implementation Phase - the system is tested and installed or fielded. Activities include installing/turning on controls, security testing, certification, and accreditation.
  • Operation/Maintenance Phase - the system performs its work. Activities include security operations and administration, operational assurance, and audits and monitoring.
  • Disposal Phase - the end of the IT system life-cycle involves the disposition of information, hardware, and software. Activities include moving, archiving, discarding or destroying information and sanitizing the media.

And while buying a cloud service for your own company's purposes, make sure that your service provider follows those steps and security principles. If you are getting software services, make sure that the software is designed with security in mind.

To summarize:

As a result of a small survey made by PayDeg, people mostly think about guards in front of a bank when asked what first comes to mind about security (güvenlik). A Google search for “güvenlik” also returned security guard firms.

A Google search for “security” returned “security essentials” and the meaning of security on Wikipedia.

PayDeg believes that in Turkey the most valuable thing is still money, while for other countries it is information.

Especially if you are using the cloud for your company's e-commerce business, try to be on the safe side and consider the scenarios we mention above. There are more scenarios than we mentioned here; be sure you know about all of them.

If you are a cloud service provider, be aware of what your customers are doing and get proper auditing to be on the safe side. And don't forget that for some scenarios service providers are in scope and share responsibility with the merchant.

If you are a merchant, we assume that you know all about the scenarios and the configuration of the devices at the provider's side. Don't forget that you are always the first to be blamed. So be sure about your service provider's situation and build your e-commerce system accordingly.

Please don't forget that for e-commerce, good security on the buyer's system also benefits the seller: the buyer's system is less likely to be used for fraud, to be unavailable, or to otherwise negatively affect the seller. (The reverse is also true.)

Even if all are in the same business, let's say e-commerce, every company has a different security level. So at the beginning make sure to review and decide your own security level.

In conclusion, knowing about the security principles, roles, services and possible scenarios lets us choose the proper security options and functions in the Cloud.
