In an effort to make consumers more confident about online shopping by ensuring that financial transactions and personal data won't be intercepted by hackers, the National Computer Security Association and the Better Business Bureau are launching new watchdog services to keep an eye on electronic merchants and their services.
Under a program to be announced this week, the computer association will certify that a given Web site is secure by testing its servers on ten security criteria. Web sites that pass muster will be able to display a certified logo.
The association, with about 2,000 dues-paying members, is known mostly for its monitoring of computer viruses and the tools used to exterminate them. But the organization has begun moving into other aspects of computer security.
As reported last week by CNET, the Better Business Bureau today announced a parallel service designed to separate legitimate online businesses from scams by randomly monitoring participating Web sites--not for technological security per se, but for their response to customer complaints lodged with the bureau. Participating businesses will likewise display an encrypted BBBOnLine seal on their advertisements.
"No single vendor or product can address the global problem of security on the Internet," computer association President Peter Trippett said in a prepared statement. "But certification of Web sites will lead to both a significant reduction in risk, as well as an improved perception of security across the Net."
The organization's criteria, developed in conjunction with Georgia Tech, specify the use of association-certified firewalls or other security measures and use of encryption, such as SSL (Secure Sockets Layer) or SHTTP (Secure HyperText Transfer Protocol). The certification process also requires that sites avoid the use of "cookies" to record sensitive data and that they maintain log files and documentation of back-end transaction processes.
"It's going to give end users for the Web site more confidence that information they are submitting online is not going to be hacked into," said Sam Glesner, association consortia manager. He added that the group will also eventually offer to certify intranet servers.
The testing process will be based both on tests run remotely and on-site visits conducted by Ernst & Young. Glesner anticipates that the evaluations will take about four weeks.
The association expects Web hosting companies, catalogers, business-to-business marketers (manufacturers selling to distributors, for example), or any site that handles financial transactions to sign on for the program. The organization says several sites are being processed now under a beta program but wouldn't name any names.
The Better Business Bureau service won't launch until the first quarter of 1997 and its requirements will focus on customer service records, but the bureau's standards are rigorous in their own way. The criteria include:
--being in business at least six months
--providing the bureau with substantial information regarding company ownership and management and their prior business records
--answering all complaints sent to the bureau
--not having any repeated or continuing patterns of the same complaint
--agreeing to participate in the bureau's advertising self-regulation program and correcting or withdrawing advertising found by the bureau to be unsubstantiated
--handling complaints online if the complaints are transmitted electronically by the bureau
--agreeing to binding arbitration by the bureau if a dispute cannot be resolved using a company's existing customer satisfaction programs.
Consumers who click on advertisements that display the BBBOnLine seal will be linked to a report describing a company's management and time in business, relevant aspects of its services, complaints and examples of market behavior, and the bureau's conclusions regarding its marketplace record.
Start-up costs for the bureau's service are being met by a long list of prominent sponsors, all of whom have invested heavily in either using or promoting electronic commerce systems and would like to improve the consumer perception of their reliability. The list includes: Ameritech, AT&T, Eastman Kodak, GTE, Hewlett-Packard, Netscape Communications, Sony, US West, and Visa.