PCI Guidelines for E Commerce websites

On Jan. 31, the Payment Card Industry Security Standards Council issued its PCI DSS E-commerce Guidelines Information Supplement, a set of guidelines for e-commerce security. The guidelines relate to online infrastructures and how merchants work with third-party providers.

The guidance offers a checklist of security recommendations and reminders, reviews how merchants can work with third parties to address the associated risks, and provides a checklist of easy-to-fix vulnerabilities.

It is observed that merchants may develop their own e-commerce payment software, use a third-party developed solution, or use a combination of both. Merchants may also use a variety of technologies to implement e-commerce functionality, including payment-processing applications, application-programming interfaces (APIs), inline frames (iFrames), or hosted payment pages. Merchants may also choose to maintain different levels of control and responsibility for managing the supporting information technology infrastructure, for example choosing to manage all networks and servers in house, outsourcing the management of all systems and infrastructure to hosting providers and/or e-commerce payment processors, or using a combination of the two.

The guidelines provide that

1. No option completely removes a merchant’s PCI DSS responsibilities. Regardless of the extent of outsourcing to third parties, the merchant retains responsibility for ensuring that payment card data is protected.

2. Connections and redirections between the merchant and the third party can be compromised, and the merchant should monitor its systems to ensure that no unexpected changes have occurred and that the integrity of the connection/redirection is maintained.

3. E-commerce payment applications such as shopping carts should be validated according to PA-DSS, and confirmed to be included on PCI SSC’s list of Validated Payment Applications. For in-house developed e-commerce applications, PA-DSS should be used as a best practice during development.

4. Third-party relationships and the PCI DSS responsibilities of the merchant and each third party should be clearly documented in a contract or service-level agreement to ensure that each party understands and implements the appropriate PCI DSS controls.
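The second point above (monitoring the integrity of connections and redirections to a third party) can be turned into a routine check on the merchant's own checkout page. The Python below is an added example and not code from the PCI SSC supplement; the hostnames, the sample checkout HTML, the allowlist and the baseline are all constructed.

```python
"""Check that a checkout page still hands card data to the expected hosts.

Added example: flags iframe/form/script targets outside the merchant's
allowlist and detects drift from a recorded baseline of those targets.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: the PSP and the merchant's own site.
EXPECTED_HOSTS = {"pay.example-psp.test", "shop.example-merchant.test"}

# Constructed checkout page: a PSP-hosted iframe plus a same-origin form.
BASELINE_HTML = """
<form id="checkout" action="https://shop.example-merchant.test/order" method="post">
  <iframe src="https://pay.example-psp.test/hosted-fields?merchant=123"></iframe>
  <script src="https://pay.example-psp.test/fields.js"></script>
</form>
"""

class PaymentTargets(HTMLParser):
    """Collect every outbound target a browser would follow from the page."""
    ATTRS = {"iframe": "src", "form": "action", "script": "src"}

    def __init__(self):
        super().__init__()
        self.targets = []  # (tag, url) pairs in document order

    def handle_starttag(self, tag, attrs):
        wanted = self.ATTRS.get(tag)
        if wanted:
            for name, value in attrs:
                if name == wanted and value:
                    self.targets.append((tag, value))

def extract_targets(html):
    parser = PaymentTargets()
    parser.feed(html)
    return parser.targets

def unexpected_hosts(html, allowed=EXPECTED_HOSTS):
    """Return (tag, url) pairs naming a host outside the allowlist; relative URLs are same-origin and pass."""
    flagged = []
    for tag, url in extract_targets(html):
        host = urlparse(url).hostname
        if host is not None and host not in allowed:
            flagged.append((tag, url))
    return flagged

def payment_fingerprint(html):
    """Hash only the redirection targets, so cosmetic page edits do not raise alarms."""
    canonical = "\n".join(f"{tag}:{url}" for tag, url in extract_targets(html))
    return hashlib.sha256(canonical.encode()).hexdigest()

def check_page(html, baseline_digest, allowed=EXPECTED_HOSTS):
    """Return a list of findings; an empty list means the redirections are intact."""
    findings = [f"unexpected {tag} target {url}" for tag, url in unexpected_hosts(html, allowed)]
    if payment_fingerprint(html) != baseline_digest:
        findings.append("payment targets differ from recorded baseline")
    return findings

if __name__ == "__main__":
    baseline = payment_fingerprint(BASELINE_HTML)
    print(check_page(BASELINE_HTML, baseline))  # []
    # Constructed tampering: the iframe now points at a host the merchant never contracted with.
    tampered = BASELINE_HTML.replace("https://pay.example-psp.test/hosted-fields",
                                     "https://cdn.unknown-host.test/hosted-fields")
    print(check_page(tampered, baseline))
```

Run it from a scheduled job against the live page and alert on any non-empty result; re-record the baseline only after a deliberate, documented change to the payment integration.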

A high-level checklist has also been provided to assist merchants with the compliance requirements.

A copy of the guidelines is available here.

Naavi

Posted in Information Assurance, Uncategorized

Vishwaroopam Episode and Free Speech Rights in India

During the last few days, discussions about the movie Vishwaroopam have occupied the Indian media and have opened up debates on Free Speech, on the responsibility of the Police and State Governments, and on the power of Muslim fringe groups to dictate political will.

To record the facts, a well known artist in India named Kamala Hasan produced a big budget movie called “Vishwaroopam” in Tamil, Telugu, Hindi and English languages. The subject of the story is “Terrorism” and appears to cover the Al-Qaeda type of terrorism. The film has already been released in Los Angeles and was set to be released in India in multiple centers when it hit a controversy over the contents being objectionable to the Muslim community. Presently it is running in some places but is yet to be released in Tamil Nadu, the home state of Mr Kamala Hasan.

The film was set to create history by being the first film to have a premiere release on DTH, as Mr Kamala Hasan had planned to release it through DTH channels a day before it was to hit the theaters. This was first objected to by the theater owners and hence did not materialize. In the meantime Mr Hasan invited a group of Muslim organization representatives and showed the film to them, which Mr Hasan now claims was with a desire to use their references for the promotion of the film. The move backfired, or appears to have backfired, as it developed into an action by the Tamil Nadu Government which blocked the release of the film all over the State. The matter went to the High Court and, after the Judge made a strange suggestion that Kamala Hasan should negotiate with the Government for a settlement, it was followed by the judgement ordering that the movie can be released as it had already been cleared by the statutory Censor Board. The Government immediately went on appeal and a full bench of the High Court stayed the judgement of the single judge and ensured that the movie is still in cold storage in Tamil Nadu.

Pained by the developments, Mr Kamala Hasan announced in a press conference that he was considering shifting out of Tamil Nadu which was not a “Secular State” and if he cannot find any other State in India where an artist could live peacefully, he would shift out of India. This statement branded Tamil Nadu as a State which was not secular and did not support artistic freedom.

Some also alleged that the stand of the Government was dictated by the refusal of Mr Kamal to provide rights of the film for a TV channel which is believed to be controlled by the Chief Minister.

Stung by the implications, the Chief Minister of Tamil Nadu, Ms J Jayalalitha, held her own press conference stating inter alia that Mr Kamal wanted to release the film in 500 theaters and that, according to the intelligence reports, there was a possibility of Muslim groups opposing the release; the State did not have enough police personnel to be deployed in all the locations to curb possible violence and hence they had taken a stand to stop the release. She also denied that there was any consideration, as alleged, about TV rights in the decision. She also passed wry remarks on Mr Kamala Hasan allegedly having spoken in support of a “Wasti-clad Prime Minister” (a reference implying his preference for Mr P. Chidambaram, who is a political rival of the Chief Minister, to be considered for the Prime Ministership). She also passed some uncharacteristic remarks that Mr Kamal was unwise in taking up a large budget film at the age of 60.

Mr Kamal, who initially contemplated going to the Supreme Court challenging the High Court decision, has now announced that he would wait and negotiate with the Muslim groups. He refrained from taking a stand against the Chief Minister and appeared to be diplomatically submissive. In between these controversies, pirated copies of the film appeared on the Internet and were quickly blocked.

The episode is a sad reflection of the state of Indian democracy and the status of “Freedom of Expression”. The fact is that our democracy is critically dependent on “Appeasement of the Minorities”, and even a person like Ms Jayalalitha, who was hitherto suspected to belong to the BJP camp and is strong in administration, has now shown that the policies of the Indian government authorities in both the State and the Center are guided only by electoral considerations. If they see a group that constitutes a potential vote bank, they will do whatever is necessary to attract them, whether it is unethical or illegal. The TN State Government expressing its inability to maintain law and order against a threat perception is also a development which raises the question of what the responsibility of a Government in administration is. In the current episode, after the initial single judge verdict there was no justification for the TN Government to go on appeal, abdicating its Governance responsibilities.

The TN Government has by its action given a new and undesirable guideline to other State Governments to take a similar stand in future. I would not be surprised if the Karnataka Government puts up the same argument, namely “We anticipate public unrest. We do not have adequate police machinery to handle the situation”, when TN raises the Cauvery issue in future.

The incident has also exposed the weak belly of the Indian political system, and if a strong leader like Jayalalitha can succumb to the temptation of Vote Bank politics, the possibility of other leaders standing up for principles is remote. There is also a possibility that Ms Jayalalitha sensed the opportunity to play politics, and first imagined and then ignited a religious opposition where there was none, to get political mileage. This sort of intelligent manipulation of an event for political advantage is the hallmark of current day politicians in India.

If a reputed person like Mr Kamal considers surrendering to the whims and fancies of fundamentalist Muslim elements and/or scheming politicians, then others stand no chance. By opting not to go to the Supreme Court, Mr Kamal has forgone the only opportunity that was there to salvage the reputation of the system by coming out in support of Free Speech. Free Speech in India is therefore dead and gone. If the matter had been referred to the Supreme Court and it had dismissed the opposition with a guideline on the State’s responsibilities in similar situations, we could have seen a positive outcome of an ugly incident. But this has not happened.

If this is the situation in the physical space in India, we can expect Cyber Space to be no better. Today it is about speech that hurts Muslim sentiments. Tomorrow it could be other reasons. Ultimately we can only speak in cyber space or physical space in “Diplomatic language” and nothing else.

If, therefore, Netizens need to survive in the Cyber Space of India with self respect, they need to organize themselves in Cyber Space without getting divided by language, caste and community, and form a cohesive group which represents a significant voting strength in any future elections. An opportunity to forge such an organization is being debated separately at www.aifon.org.in and I invite interested persons to participate in the discussion.

Naavi


Posted in Netizen's Forum, Uncategorized

Internet Censorship drives business out of India

The Twitter Transparency Report is reported to have indicated that during the last 6 months of 2012, Twitter received two requests from India, covering 16 accounts, demanding removal of content. One of the requests was from a Court and the other from the Government. Twitter also received 10 requests (from officials) for user information during the period. Twitter refused all of these requests since they were deficient in information.

According to the Twitter report, the website received 42 requests to remove content or accounts worldwide in the last two quarters, compared to just 6 in the first half of 2012. The number of requests seeking information about users was also up. In the last six months Twitter received 1009 such requests, compared to 849 in the first half of 2012. The number of copyright notices was, however, down from 3378 to 3268.

The website received the highest number of censor requests from France, which targeted 40 accounts. The United Kingdom was second, targeting 25 accounts, while Brazil, which targeted 22 accounts, was third. India was fourth. In terms of number of requests, Brazil topped the list with 16 requests.

It appears that the failure to get the content removed prompted the Indian Government to consider blocking the Twitter accounts through the ISPs. Obviously this report does not refer to the action taken by the Police in arresting Twitter users for objectionable content.

The report provides a clear indication that worldwide the Governments are moving towards Internet Censorship. It is for the Netizens to recognize the trend and organize themselves to meet this assault on their freedom.

Twitter’s refusal to provide information easily to the Government will be seen as a strength by Internet freedom lovers and is bound to enhance its popularity. While many entrepreneurs in India are trying to set up businesses competing with Twitter or Facebook, their success will depend on their attitude to “Privacy”.

In the absence of a “Privacy Act”, at present Indian entrepreneurs need to follow the prescriptions under ITA 2008. When a proper notice is received under ITA 2008, the website, which is considered an “Intermediary”, has to take action to either release the account holder’s information or remove the content. Otherwise they face the prospect of being held criminally liable.

We may also recall that in the recent Headlines Today interview, Mr Kapil Sibal made a mild threat that he may introduce a law to make user identity disclosure compulsory for Twitter-type accounts. Given the propensity of the Indian Police to misuse the law, users may therefore feel unsafe using Indian micro-blogging websites or Indian social networking websites. This attitude is likely to shift the social networking and micro-blogging website business out of India to countries where “Privacy Standards” are strong. This is an adverse impact of the current Government policy.

In this context the call for an All India Forum of Netizens (www.aifon.org.in) becomes even more relevant.

Naavi

Posted in Cyber Law, Netizen's Forum

HIPAA-HITECH Act Data Breach Audit

The Final Rule on HIPAA-HITECH Act released by HHS after a prolonged public discussion makes some changes in the way the Data Breach notification needs to be handled by Covered Entities and Business Associates.

The key points of the Final Rule are as follows:

1. Breach notification is not required under the final rule if a covered entity or business associate, as applicable, demonstrates through a risk assessment that there is a low probability that the protected health information has been compromised, rather than demonstrate that there is no significant harm to the individual as was provided under the interim final rule.

2. The onus of proving that an “Impermissible use or disclosure” of PHI is not a “breach” lies with the covered entity. In other words, all impermissible uses are “breaches” unless the entity “Demonstrates” that there is a low probability that the PHI has been compromised.

This essentially means that whenever an “Impermissible” use or disclosure is observed, the entity should initiate a “Data Breach Audit” process and document if the impermissible use is in fact a “Breach”. Such a “Data Breach Audit” will determine if there has been a breach and whether the probability of compromise is significant.

Naavi

Posted in HIPAA, Privacy

Kapil Sibal on Headlines Today with Rahul Kanwal

On the 26th and 27th of this month, Headlines Today broadcast an interesting discussion with Mr Kapil Sibal, the Minister of Communications and IT. The discussion put Mr Sibal on center stage, and direct questions were put to him by the recent victims of Section 66A arrests, including Mr Assem Trivedi (the cartoonist who published anti-corruption cartoons), the Palghar girl (who opposed the Mumbai Bandh on Bal Thakre’s death on Facebook) and Mr Ravi Srinivasan (who tweeted about Karti Chidambaram’s wealth). There were also a few eminent Cyber Law aware professionals in the audience along with the general public. Mr Rahul Kanwal moderated the show.

Mr Sibal, being an excellent orator and an experienced advocate himself, easily warded off the questions from the audience. He generally defended Section 66A, stating that it only provides for “Reasonable restrictions” to the “Freedom of Expression” guaranteed by Article 19(1)(a) of the Constitution, and that the stray cases being talked about are errors of judgement on the part of the Police. He also stated that since the matter of the constitutionality of Section 66A is with the Supreme Court now, the Government will wait for the views of the Supreme Court and take an appropriate decision.

Neither Mr Rahul Kanwal nor the audience was able to confront and effectively argue against Mr Sibal. The advocates present were too tight-lipped to be able to provide a credible counter argument. Mr Sibal was even able to bully the advocates regarding whether Section 66A provided for arrest without warrant.

While watching the program I was reminded of an NDTV Big Fight debate in the year 2000 when the same Mr Kapil Sibal criticized ITA 2000 as a “Draconian Law” because Section 80 of the Act allowed “Arrest without warrant”. At that time, Pramod Mahajan was the IT Minister and Mr Sibal was an advocate in the opposition Congress party, and he was reacting as a “Political Opponent” and not as a “Professional”.

Presently, in ITA 2008, the same Section 80 remains and provides powers of arrest without warrant. In ITA 2000, passed by the NDA, the powers were vested only with the DSPs. Now ITA 2008 vests the same powers with Inspectors. Nobody asked Mr Sibal whether this did not make the law more draconian than it was in 2000.

Secondly, I have maintained from the beginning that in all the recent cases of police excesses, it is not the law that is to blame but the Police misinterpreting the law. (Please see earlier article 1 and earlier article 2 in Naavi.org.)

I therefore expect that the Supreme Court is most likely to come to the conclusion that Section 66A is not against the Constitutional provision of “Freedom of Expression”. However, the wide misperception about the section and the inability of the media to project the correct information to the public have created a situation where any decision by the Supreme Court stating that “We do not think Section 66A should be scrapped or changed” would be seen as an endorsement of the actions taken by the Police in all the recent cases. This should be avoided at all costs. In case the Supreme Court clarifies its decision in detail, it will help marginally. But even that clarification will be lost in the din of the media misrepresentation.

The Headlines Today debate only extended this misperception and did not provide the proper clarification on the topic.

It was necessary for the debate to corner Mr Sibal on whether mandatory provisions can be added to ITA 2008 in the next amendment for the “Punishment of Police officers” found to misuse the law. The Police will continue to misuse the law with impunity since they act under instructions from the political leaders. It is not possible to invoke the Human Rights Commission every time. The vocal human rights activists only act when they have to support terrorists and criminals. When an ordinary citizen is wronged, no human rights activist dear to the media would come forth to defend them.

Mr Kapil Sibal is therefore responsible for ensuring that the law (ITA 2008) itself incorporates some safeguards against misuse. However, despite many suggestions in this regard from Naavi.org itself, Mr Sibal is guilty of inaction. Mr Sibal is also directly responsible for the closure of the Cyber Appellate Tribunal, which is the apex judicial body specially formed under ITA 2000/8 to redress the grievances of Cyber Crime victims.

Unfortunately, neither Mr Rahul Kanwal nor any of the advocates present in the debate, who are supposed to be informed about these aspects on which Mr Sibal has direct control, raised these issues with him.

In summary, we can say that the debate was good and useful, but it could have been more useful if it had been properly handled. I must however congratulate Mr Sibal for his ability to convert an adverse situation to his advantage, and for his comments that there are many criticisms of himself on the Internet, including comments such as “Kill Mr Sibal”, which he has chosen to ignore. This would certainly have evoked a lot of sympathy amongst the audience and projected a freedom-friendly attitude on the part of the Minister. The audience was hardly a match for the wit and intelligence of Mr Sibal, and he came out as the clear winner of the debate.

I take this opportunity to reiterate that Netizens in India are terrorised by the Section 66A arrests and, Mr Sibal’s assurances notwithstanding, the terror will only grow. The law will not come to our help since political masters and the Police control the law to their advantage. In between the discussions, Mr Sibal held out a mild threat that he is prepared to pass a law under which “posting of comments on the Internet in anonymous names will be made punishable”. Though this was stated only in the course of the debate, the possibility of it being made real is very high.

There is therefore an urgent need for the Netizens of India to organize themselves into a strong outfit and be prepared to come together to fight for the freedom of speech. Naavi is therefore suggesting that Netizens come together on the platform of the “All India Forum of Netizens” (www.aifon.org.in). This should not remain just a website but should develop in strength so that it acts as a pressure lobby representing the interests of Netizens. It should also grow into a platform where referendums can be held on various Netizens’ issues and, before 2014, should gain such strength as to influence the election results at least in some cities where the Netizen population is decisive.

Naavi

Posted in Cyber Crime, Cyber Law, Netizen's Forum, Privacy

Mobile Apps: Guidelines on Privacy

The California Department of Justice has released a set of guidelines for mobile app developers which act as “Privacy Practice Recommendations”. The practices recommended here are expected to help with compliance with the California Online Privacy Protection Act (COPPA). Being perhaps the first of such codes, this is a useful document to be adopted by all mobile app developers as well as other stakeholders such as app platform providers, mobile networks, etc.

These principles include making an app’s privacy policy available to consumers on the app platform, before they download the app. It is stated that major app platform providers such as Amazon, Apple, Google, HP, Microsoft, RIM, and Facebook have agreed to the principles.

Highlights of the recommendations are:

For App Developers

• Start with a data checklist to review the personally identifiable data your app could collect and use it to make decisions on your privacy practices.
• Avoid or limit collecting personally identifiable data not needed for your app’s basic functionality.
• Develop a privacy policy that is clear, accurate, and conspicuously accessible to users and potential users.
• Use enhanced measures (“special notices” or the combination of a short privacy statement and privacy controls) to draw users’ attention to data practices that may be unexpected and to enable them to make meaningful choices.

For App Platform Providers

• Make app privacy policies accessible from the app platform so that they may be reviewed before a user downloads an app.
• Use the platform to educate users on mobile privacy.

For Mobile Ad Networks

• Avoid using out-of-app ads that are delivered by modifying browser settings or placing icons on the mobile desktop.
• Have a privacy policy and provide it to the app developers who will enable the delivery of targeted ads through your network.
• Move away from the use of interchangeable device-specific identifiers and transition to app-specific or temporary device identifiers.

For Operating System Developers

• Develop global privacy settings that allow users to control the data and device features accessible to apps.

For Mobile Carriers

• Leverage your ongoing relationship with mobile customers to educate them on mobile privacy and particularly on children’s privacy.

This is a good starting point for a new regime of privacy protection on the mobile platform. Hopefully it will be adopted at the earliest by responsible app developers and distributors.

Naavi

Copy of Guidelines

Posted in Cyber Law, Privacy, TELCO