B2B Security
How to Practice Safe B2B
In summer 2000, Visa unveiled its "Digital Dozen," a list of security requirements calling for firewalls, encryption, testing and access policies that its service providers and merchants must have as a condition of doing business with Visa. That's right--if a bank or merchant can't play by these rules, they don't play with Visa.
Visa's merchants and service providers must annually demonstrate compliance, through an online self-assessment for Mom-and-Pop shops and extensive third-party audits for merchants or service providers handling large volumes of cardholder information. And if a merchant refuses to comply, Visa can fine the bank that processes that store's transactions. Then it's up to the bank to punish the merchants. "Eventually, if we don't have proof from an independent third party that you qualify with our requirements, we really don't want you to take the card," says John Shaughnessy, Visa USA's senior vice president of risk management in Tampa, Fla.
Not everybody is as deadly serious about B2B e-commerce partner security as is Visa. In the stampede to e-commerce, most companies have disregarded the security of their partners and their role in exerting pressure to make sure they're safe. "My sense is that B2B security is not a consideration for many organizations," says James Wade, chief security officer for the Federal Reserve System and president of Framingham, Mass.-based ISC2, a training and professional certification organization for IT security professionals. Many B2B relationships spawn from manufacturing, marketing or some other group within an organization without involving IT security.
That may or may not be the case in your company, but regardless, it's your responsibility to see to the security credentials of your B2B partners. "The security of your B2B partner is as important as their creditworthiness," says Paul Gaffney, CIO of Staples, the office-products retailer based in Framingham, Mass.
Indeed, the risks of working with a nonsecure partner are frightening. A partner that fails to secure its own systems could become a launch pad for attacks into your system. Someone could tamper with data in a supplier's system, such as switching a digit in a product SKU number. Or a virus could disable your partner's systems. Either way, your just-in-time supply chain operations will grind to a halt. Worst of all, you might incur legal liability if your partner exposes your customers' data. "Your customer will ask, 'Why didn't you investigate this partner?' That customer can sue you," says Dorsey Morrow, general counsel for ISC2.