|
|
 |
|
 |
|
WorldWideOCR Security Policy
|
 |
|
|
| view privacy policy | view terms | back |
WorldWideOCR's data
and system security
At WorldWideOCR, providing fast, reliable and secure transaction and
payment processing services is our number one priority. The protection and
privacy of data residing on our systems is of utmost importance in meeting
this commitment. To assist in understanding how WorldWideOCR safeguards its
systems and data, we have outlined our security practices in the sections
that follow. These security practices are based, in part, on the ANSI
Information Security for Financial Organizations Guidelines, X9/TG-5
(1992) and the ISO/TR 13569 Banking and Financial Services Information
Security Guidelines, Second Edition. Security practices are segmented into
three primary disciplines, each of which provides a critical component in
the overall security of WorldWideOCR networks, systems and services.
Systems security protects software and processing
applications by allowing access only to authenticated users. Network
security guards against unauthorized access to network components and
provides secure transmissions across the network. Physical security
restricts physical access to network and systems hardware, processing
applications and transaction data.
Browser and Communication Security
WorldWideOCR uses enterprise web server software that is among the very best
and most secure Internet software available. Using any browser or
communications technology with Secure Socket Layer (SSL) encryption, all
information (including credit card numbers, names, addresses and telephone
numbers) sent to the WorldWideOCR servers is encrypted so that private
information cannot be read by anyone except WorldWideOCR. The SSL protocol
ensures user confidentiality, provides client and server authentication
mechanisms and protects against the possibility of data being modified
in-transit by a third-party.
Member Authentication
All communication between the member and the WorldWideOCR servers is done via
secure connections using high grade SSL security. This security verifies
that if the transaction data is intercepted, it cannot be read by anyone
other than the member and WorldWideOCR. The identity of each member is
automatically authenticated so that unauthorized third-parties cannot
assume the member’s identity and process transactions. Each transaction
request is logged and the source of each transaction is verified before
the request is processed.
Encryption
WorldWideOCR utilizes industry standard encryption technologies to protect
data traveling across WorldWideOCR’s networks and stores all sensitive
transaction data in an encrypted format.
All service requests sent to WorldWideOCR systems must
use the Secure Socket Layer (SSL) encryption format. SSL is the
universally accepted protocol for authenticated and encrypted
communication between World Wide Web (WWW) client and servers, and for
back end server-to-server communications. Any buyer or seller using a web
browser that supports SSL encryption (Netscape V1.2 or later, Internet
Explorer v1.0 or later, or AOL v3.0 or later) can be assured that any
information sent to WorldWideOCR will remain securely encrypted and
confidential while in transit to WorldWideOCR.
All sensitive transaction data, such as credit card
numbers and bank account numbers, are securely encrypted on WorldWideOCR’s
systems using multiple stage, 128-bit private key encryption. Passwords
and access control data are encrypted using 128-bit private key
encryption. Any log files containing sensitive data and all data sent
between applications is encrypted using proprietary cryptography
techniques.
All of these encryption techniques, when used
together, assist in securing the confidential transaction information as
it travels through and resides on WorldWideOCR systems.
Firewalls and Access Control Lists (ACLs)
The secure firewall environment is provided by redundant Cisco 7200 series
routers and PIX firewalls located within the Digital Island data centers.
Additionally, the data centers maintain router based Access Control Lists
(ACLs) for all equipment. ACLs permit or deny the passage of data packets
through a router by examining the source Internet Protocol (IP) address,
the source transport layer port, the destination IP address and the
destination transport layer port. Transport layer ports identify services
on a system and are synonymous with well-known ports and sockets.
The ACLs also ensure that only WorldWideOCR members have
access to the WorldWideOCR services by blocking data packets sent from other
unknown sources. Member transactions must originate from a pre-specified,
authorized IP address in order to gain access to the system. This packet
level protection of services also protects WorldWideOCR systems from Denial
of Service (DoS) attacks and is the first line of defense against
unauthorized system users.
Digital Product Delivery Security
WorldWideOCR offers a service for real-time delivery of digital content once
a payment transaction has been approved for a member.
All members' works are transferred onto WorldWideOCR systems using a password
restricted Secure Hypertext Transfer Protocol (HTTPS) upload utility with
Secure Socket Layer (SSL) encryption. Members' archived SEAL™ Files reside on securely
protected systems without remote accessibility to Internet users with web
browsers or File Transfer Protocol (FTP) applications.
user access control
Members are only able to access the WorldWideOCR Members' system only
through a secure SSL browser connection. A secure digital certificate is in place to verify the identity of the
WorldWideOCR server.
Access by WorldWideOCR member support employees is
restricted to a “need to know” basis only. Administrative security
measures are used to control accessibility, monitor systems and detect
suspicious activities.
Access Logs
The WorldWideOCR system automatically tracks and logs changes made by system
users through a uniquely assigned User ID and through the IP address of
the connection made by the member. The following system logging procedures
are employed by WorldWideOCR:
Every request to the WorldWideOCR system is logged
and in the event an error occurs, the entire request is securely
archived for operator review.
Every transaction sent to a third-party payment
processor is uniquely identified and logged.
Communication with the third-party payment
processor is logged by the payment application.
All transaction information is archived and can
only be retrieved by authorized WorldWideOCR personnel or by members
through a secure administration system that logs every action taken by
a system user.
The time, date, and IP address of every request is
archived along with the transaction information.
All access to transaction data is logged by user
ID, date, time, and the type of information viewed.
System generated errors are logged and reviewed by
WorldWideOCR personnel. Severe errors may trigger an alert to on-call
WorldWideOCR technicians and system operators.
WorldWideOCR system logs are stored on a secure
network inside the WorldWideOCR system.
Data Integrity
WorldWideOCR strives to protect data at every step in the transaction
process, ensuring that errors do not result in corrupted or lost data.
Database applications are mirrored and checked for accuracy and integrity
on a regular basis. Any database problems generate exceptions that are
monitored and checked by WorldWideOCR system operators.
WorldWideOCR networks and systems are designed
specifically to protect against unauthorized changes in configuration or
data. For all applications, revision control is used to ensure a change
history that can be logged and reviewed. All system development is
performed on off-site servers only, and is transferred to a production
environment only after passing quality assurance testing procedures.
All traffic passing through the WorldWideOCR systems is
logged and recorded in GMT time. Data center management applications have
the capability of seeing down to the network transaction level to review
the source/destination and IP/port pairs and report for non-repudiation
and possible intrusion. Non-repudiation protects against a person denying
later that a communication or transaction took place as recorded.
Network Security
The data centers network security systems ensure accurate and reliable
transactions by guarding against unauthorized access to networks and
network related components. Digital Island network engineers implement
only best practices approaches to network authentication, authorization,
administration and control.
Access control lists (ACLs) are used to permit or deny
the passage of data packets through the routers by examining the source
Internet Protocol (IP) address, the source transport layer port, the
destination IP address, the destination transport layer port, or any
combination of these items. Both routers and front-end servers are
configured to accept data packets using only the Hypertext Transport
Protocol with Secure Socket Layer (SSL) security (HTTPS). Any ACL
violations are logged to a centrally administered server and may trigger
an alert for operations personnel to investigate and resolve. The ACL
logging helps identify security issues and assists in the analysis of a
security event.
Additionally, WorldWideOCR controls administrative access
to systems and software for only authenticated users with proper
identification. Remote access authentication is accomplished through a
select group of trusted authentication applications, including Secure
Shell (SSH), pcAnywhere with RSA encryption, and Kerbertized telnet. SSH
authenticates users with public key authentication, pcAnywhere uses
symmetric key encryption, and Kerberos is a private key authentication
system. Programs using cleartext logging and passwords do not provide
strong authentication and are disabled on all systems as a standard
practice.
A variety of network features and watchdog programs
also protect the network and system servers against intrusive attacks and
denial of service (DoS) attacks. A DoS attack is an attempt by an outside
party connecting to a system in rapid succession with the intent of
exhausting system resources until it can no longer provide service.
WorldWideOCR strives to keep all systems up-to-date by
installing the latest security patches and updates. Anti-virus software is
used to scan applications on all production servers. Digital Island
routinely conducts a series of remote attacks and intrusive maneuvers
designed to evaluate the security of systems within the networking
environment. These attacks focus on improperly configured applications,
networks and operating system weaknesses.
Physical Security
Physical security refers to the control of physical access to facilities,
networks and systems and is an essential part of WorldWideOCR’s overall
security infrastructure. Security in place at AssureBuy’s leased data
center includes the monitoring of all physical access to the facility,
including the use of video surveillance, motion detectors, controlled
access via a card-key entry system and on-site security personnel present
24 hours a day, 7 days a week.
All visitors to the data center are required to
pre-register and must present appropriate credentials and a photo ID to
gain access into the facility. Once inside the facility, access to actual
systems is controlled by locked network cabinets and caged areas, locked
patch panels, restricted access with card-key entry, and secure console
port access.
Physical access records are kept to account for access
to all systems by both data center personnel and visitors. These records
can account for the movement of personnel during the event of a security
incident. Additionally, maintenance records are kept on all data center
systems, including power supplies, backup generators, cooling systems and
fire suppression systems. |
|
|
|
 |
|
 |
Back to top
|
|
