
ePOS security certification for online merchants

Hkpos.com, developed by the Visualized and Interactive Education (VIEd) team of The University of Hong Kong, recently unveiled a programme that certifies the security of online merchants.


HONG KONG - Online shopping has still not grown as fast as Internet usage and e-commerce development in general.

"This is due to the fact that most people think twice before they type in their credit card numbers and other personal details," said Dr E. Herbert Li, associate professor of the Department of Electrical and Electronic Engineering, HKU and leader of VIEd team.

He further explained that shoppers have difficulty recognizing whether or not a merchant has installed security facilities. In addition, online SME merchants may not have enough technical guidance to provide a secure solution.

"Thus without knowing whether it is secure to shop from an online merchant, we would most likely give up shopping online altogether."

To address this problem, hkpos.com has recently launched its ePOS Q-Mark Programme, which certifies online merchants who meet a basic set of security standards, with the appropriate hardware, software and administrative controls, to prevent their customers' information from being disclosed or stolen.

The checkers include Computer Associates, i-cable Communications Limited, Jade Pacific Hong Kong Company Limited, Corpmart.com Limited, and Tech Source Limited.

Q-Mark ePOS requires a Point of Sale (POS) server that provides an interface between Cardholder software and Acquirer payment systems, using messages that adhere to the SET protocol.

The payment system runs POS software that handles transactions for one or more merchants. Each merchant maintains a smaller piece of software that interfaces with the server and forwards a transaction initiated by a cardholder to the server.

Physical requirements for non-SET online transactions should include:

  • a valid 128-bit SSL certificate for the secure communication channel, applied along the full transaction path, so that all communication between the cardholder and the e-commerce merchant, including cardholder identification, authentication, account and transaction information, is transferred under strong cryptography
  • the payment server must not be reachable directly from the Internet
  • an isolated LAN segment must be set up for the payment server, allowing access only from trusted IP addresses on defined ports within the LAN environment
  • an intrusion detection facility must be set up for security monitoring
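The two network requirements above (payment server not reachable from the Internet; an isolated segment that admits only trusted addresses on defined ports) can be checked mechanically against a firewall policy before a certification review. The following is an added example, not code from hkpos.com, the Q-Mark Programme or this article: it audits a simplified, constructed rule format (`action source destination dport`) against those two requirements. The payment server address, trusted web-tier subnet and listening port are all assumed values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed values: the address of the POS payment server on its isolated
# segment, the only internal subnet allowed to talk to it, and the only port
# the POS interface listens on. Real deployments would load these from the
# merchant's network documentation.
PAYMENT_SERVER = ipaddress.ip_address("10.20.0.10")
TRUSTED_SOURCES = [ipaddress.ip_network("10.10.0.0/24")]
ALLOWED_PORTS = {8443}

# RFC 1918 ranges; any source outside these is treated as "the Internet".
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]              # None means "any port"


def parse_rules(text: str) -> List[Rule]:
    """Parse the constructed policy format: one rule per line, '#' comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, src, dst, port = line.split()
        rules.append(Rule(
            action=action,
            src=ipaddress.ip_network(src),
            dst=ipaddress.ip_network(dst),
            dport=None if port == "any" else int(port),
        ))
    return rules


def audit(rules: List[Rule]) -> List[Tuple[int, str]]:
    """Return (rule_index, reason) for every allow rule that violates the
    isolation requirements for the payment server."""
    violations = []
    for idx, r in enumerate(rules):
        if r.action != "allow" or PAYMENT_SERVER not in r.dst:
            continue
        # Requirement: the payment server must not be reachable from the Internet.
        if not any(r.src.subnet_of(n) for n in INTERNAL_NETWORKS):
            violations.append((idx, "internet_source"))
            continue
        # Requirement: only trusted LAN addresses may reach the isolated segment.
        if not any(r.src.subnet_of(t) for t in TRUSTED_SOURCES):
            violations.append((idx, "untrusted_source"))
        # Requirement: access is limited to defined ports, never "any".
        if r.dport is None or r.dport not in ALLOWED_PORTS:
            violations.append((idx, "open_port"))
    return violations


# Constructed sample policies for a compliant and a non-compliant merchant.
COMPLIANT_POLICY = """
# action  source          destination     dport
allow     10.10.0.0/24    10.20.0.10/32   8443
deny      0.0.0.0/0       10.20.0.0/24    any
"""

WEAK_POLICY = """
allow     0.0.0.0/0       10.20.0.10/32   8443
allow     10.10.0.0/24    10.20.0.10/32   any
allow     192.168.5.0/24  10.20.0.10/32   8443
"""

if __name__ == "__main__":
    print("compliant:", audit(parse_rules(COMPLIANT_POLICY)))
    print("weak:", audit(parse_rules(WEAK_POLICY)))
```

The audit only inspects rules that allow traffic to the payment server; it treats any non-RFC 1918 source as the Internet, flags private sources that are not on the trusted list, and flags "any"-port rules even from trusted sources, since the requirement is for defined ports only. The SSL and intrusion-detection requirements are not covered by this check and still need their own review.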

Online merchants who meet this set of security regulations will be certified under the ePOS Q-Mark Programme, and an ePOS Q-Mark logo will be posted on their Web sites, indicating they have met the basic security requirements. Internet shoppers who see the ePOS Q-Mark logo should therefore be reassured.

With the launch of the Q-Mark Programme, hkpos.com hopes to minimise security concerns about personal online shopping and to boost the popularity of e-commerce by providing a more convenient and secure way of trading for both shoppers and online merchants.

William Tse is ZDNet Asia's correspondent in Hong Kong.