Planning Your IT Requirements

Considerations to make when planning to sell over the Internet

The following specifications are only intended as general guidance. It is recommended that you seek assistance from experts in the field who can help you determine the IT requirements for your business.

ComputerDesktop PC or laptop? A desktop PC can be normally purchased at a cheaper price and is easier to upgrade.
However, a laptop offers more mobility and consumes less electricity.
Hardware• A fast processor (CPU);
• RAM memory should be at least 4GB;
• Hard disk should allow for a minimum of 500GB, depending on the amount of information you need to store;
• Removable media (required for backups);
• Monitor/screen (at least 17” screen).
Software• Off-the shelf or tailor-made to cater for your needs
• Operating system;
• Office automation applications;
• Support costs and license costs;
• Will it support your future business needs?
Internet connectionBroadband is the most adequate type of connection for conducting business via the Internet since:
• You’re always connected;
• You only pay a flat monthly fee;
• Permits large download limits;
• Provides high connection speeds.
It is recommended that you shop around the services being offered by the Internet Service Providers (ISPs) and compare the offers in terms of:
• Download & upload speeds
• Terms of service
• Contract conditions
• Cost
• Reliability
• Customer support.
Different types of Broadband Internet• ADSL
• Cable
• Wireless
• Fibre
Trading safely over the Internet

Cyber security is all about implementing the appropriate security measures with the aim of reducing the risks of cyber crime[1], computer viruses[2], online fraud and hacking[3]. Any business, big or small, can be the target of sophisticated and malicious online attacks which can shutdown the entire online store or website for several hours or even days. It is important that you understand the financial and reputational risks that may be associated with security or privacy breaches and take the necessary steps to mitigate the risk and potential loss.

You should:

  • take the time to ensure your online activity is secure, to guarantee the long-term security of your business;
  • employ basic online security precautions since these are extremely important for the survival of an online business;
  • implement a correctly configured firewall and an up-to-date anti-virus software to combat threats posed by hackers.

Most common threats

You need to be aware of a host of new cyber threats and how to mitigate the aftermath of such events.

Hackers can:

  • Carry out Denial-of-Service (DOS)[4] attacks that prevent authorised users of a website from accessing the site and therefore force the online trader to offer a reduced level of service, or in a worst case scenario, cease operation altogether;
  • Access and effect changes to, or intercept sensitive data;
  • Alter a trader’s website causing damage to his brand image or directing consumers to another site;
  • Obtain confidential information about a trader’s business or consumers with the intent of committing fraud;
  • Use viruses to corrupt a trader’s business data.

Cyber attacks affect the entire business. Therefore, it is crucial to integrate the managing of online risk within the company’s overall risk management plan.


Electronic security breaches and loss of data implications

Most traders store data on their computer systems and therefore it is important that you are aware of the consequences that loss of data could imply.

Some of the effects of a security breach and loss of data include:

  • Decline in productivity, business and in extreme cases even closure of the commercial entity;
  • Loss of reputation, especially when consumer sensitive data is stolen;
  • Loss of data to competitors;
  • Possible legal repercussions under the Data Protection Act;
  • Possible card scheme fines and reimbursement fees for traders that are not compliant with the Payment Card Industry Data Security Standards (PCI DSS)[5] at the time of the data breach.

Engendering consumers’ trust

Building trust in eCommerce is essential for any online trader. Statistical data confirms that one of the main barriers to the take up of eCommerce by consumers is the concern of unauthorised access to personal and, in particular, card details. The anonymity of card-not-present (CNP) transactions tends to increase the propensity for fraudulent activities, such as internet phishing[6] or identity theft[7]. This not only threatens consumers, but also the security and the reputation of traders. Security breaches undermine consumer trust in online transactions and can have far-reaching financial consequences for all parties involved.

Protecting consumers’ account information

A trader that captures and stores consumer personal details, especially if these relate to card payment information, is responsible for the safe keeping of this information. Therefore, if you are collecting such details from your customers, you need to adopt a number of security measures aimed at protecting cardholder databases, so as to prevent unauthorised disclosure of consumer information. Besides, you should immediately and appropriately dispose of any personal data after it is no longer required.

You can safeguard consumer details by:

  • Ensuring that all communication containing sensitive consumer data, such as card payment details or transaction information is conducted over a secured protocol in accordance with the Payment Card Industry Data Security Standard (PCI DSS)[8], a comprehensive standard intended to help organisations proactively protect consumer account data.
  • Encrypting sensitive data, controlling and auditing access;
  • Installing and maintaining a firewall[9] configuration to protect your internal networks;
  • Implementing router[10] security functions to safeguard the consumer from being re-directed to unauthorised websites, as in pharming[11];
  • Tracking and monitoring all access to network resources and cardholder data;
  • Developing and maintaining secure systems and applications;
  • Never storing the Card Security Code (CSC)[12];
  • Regularly updating anti-virus and anti-spyware software[13].

Fraud prevention

The best way to mitigate the threats and hazards present in an online environment is by developing risk management policies within the business. It is vital to clearly understand the risks posed by eCommerce systems and associated business processes and to be aware of the potential implications, should a security incident take place. Therefore, it is recommended to conduct a risk assessment and formulate an online security policy that details how the business intends to protect its IT assets, including its eCommerce systems, and how it will proceed in the case of an incident. For this to be effective, the policy needs to be continually revised to reflect changes in technology (Example: the introduction of new equipment, users and business systems) and in internal policies and procedures.

It is advisable to:

  • Never accept payment with expired cards;
  • Be wary of consumers that demand next-day delivery without showing regard for the extra costs involved;
  • Verify transactions prior to shipping a product or rendering a service;
  • Request the CSC;
  • Watch out for any warnings issued by the bank.


Additionally, when accepting CNP payments you should ensure that the following information is transmitted in a secure manner:

  • Card account number;
  • Cardholder’s name, as it appears on the card;
  • Card expiry date, as it appears on the card;
  • Cardholder’s billing address;
  • Cardholder’s address for delivery of goods;
  • Card issue number and start date (if available);
  • Contact phone number (preferably not a mobile number);
  • The name of the issuing bank, building society or other financial institution that issued the card.

 Attention! Traders are responsible for ensuring that the CNP transaction is not fraudulent. If it is, a trader could be liable for the loss incurred in the absence of appropriate security controls, such as 3-D Secure[14] which is used as an added layer of security for online credit and debit card transactions. It provides higher coverage against fraud losses since 3-D Secure traders will not be held liable for fraud-related charge backs.

Minimising risks

The following are some precautions that you can adopt to limit fraudulent activities aimed at your online business:

  • Always obtain further authorisation for repeat orders prior to processing and shipping;
  • Ensure compliance with information security and ethical use policies by employees and/or partners;
  • Be more vigilant when dealing with new or unknown customers; it is important to authenticate the details provided by a new customer;
  • Implement cardholder verification methods such as card security code validation and 3-D Secure;
  • Keep in mind that significant time may elapse before fraud is discovered;
  • Be wary of consumers who change the delivery address at short notice;
  • Maintain records of any fraudulent activity; this can be an effective way of identifying patterns and exposing areas of potential risk, such as:
    • orders made on different credit/debit cards but shipped to the same address;
    • multiple transactions on one credit/debit card over a short period of time;
    • multiple transactions on one credit/debit card but different shipping   addresses;
    • multiple credit/debit cards from a single IP address[15].
  • Avoid delivering goods to hotels or guest houses;
  • Always register/record goods sent by post or use a reputable courier;
  • Ensure that all transactions are properly recorded;
  • Carry out post transactional analysis – this can help detect potential fraudulent activity ( Example: an IP address shows inconsistent cardholder details);
  • Keep software up-to-date;
  • Retain a back-up of all business data and store in a safe place, ideally away from one’s own home or business premises for disaster recovery purposes;
  • Develop a contingency plan to ensure business continuity in the event of a disaster.

Warning signs that warrant in-depth checks

Be vigilant of the following warning signs:

  • Inconsistent cardholder information provided by consumer;
  • CSC/CVV/CVC does not match;
  • Returned back items due to recipient not known at property or building was empty;
  • Cardholder makes direct contact about a transaction s/he did not authorise;
  • Unusually large orders – stolen cards or account numbers have a limited time-span and thus fraudsters need to maximise the size of the purchase;
  • Different credit card and delivery addresses;
  • Orders requested to be shipped overnight or as soon as possible – fraudsters are not concerned with paying a higher price as long as they get the item/s fast.


Related links:
MCA Guides to Communication Service
How to choose an ISP for your small business
Stay Smart on Protecting Against Card Fraud!
PCI DSS Quick Reference Guide
Visa Merchant Best Practice Guide for Cardholder Not Present Transactions
ICC Cyber Security Guide for Business
Security Rules and Procedures
How Encryption Works
Information Systems Audit and Control Association (ISACA)

[1] Manipulating a computer network to carry out illegal activities, such as stealing intellectual property and data, fraudulent behaviour, hacking, violating privacy and virus attacks.
[2] Malicious computer programs that can reproduce themselves and infect a computer without the permission or knowledge of the owner. These can be transmitted as attachments in emails or by downloading infected software from other websites.
[3] Persons who attempt to gain unauthorised access to a computer system for fraudulent purposes.
[4] A type of attack on a network that is designed to flood the network with useless traffic –
[5] Payment Card Industry Data Security Standard is a set of comprehensive requirements for enhancing payment account data security –
[6] Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft.
[7] Identity theft is a term used to refer to fraud that involves someone pretending to be someone else in order to steal money or get other benefits.
[8]Payment Card Industry Data Security Standard is a set of comprehensive requirements for enhancing payment account data security, which was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. Inc. International, to help facilitate the broad adoption of consistent data security measures on a global basis. PCI DSS aims to ensure that valuable cardholder account data is stored, transmitted and processed securely. Traders that capture or store card payment information are responsible for the protection and storage of this data. Failure to do so can result in financial and reputational consequences.
[9] A system designed to prevent unauthorized access to or from a private network –
[10] A device that forwards data packets along networks. A router is connected to at least two networks and is located where two or more networks connect –
[11] Pharming is a hacker’s attack aiming to redirect users to a false website, even if they type the right Web address of their bank or other online service into their Web browser.
[12] The card security code is a unique three number printed on the back of the debit/credit card. The number is not embossed on the card so that it cannot be printed on receipts – making it difficult for anyone other than the genuine cardholder to know it –
[13] Spot & Stop Card-Not-Present Fraud –

[14] 3-D Secure stands for Three Domain Secure – the payment industry’s internet authentication standard which has been developed by the major card schemes. Visa has called their version of the scheme ‘Verified by Visa’ and MasterCard have called their equivalent initiative ‘MasterCard Secure Code’. These are both collectively referred to as 3D Secure. –
[15] This is a unique identifier made up of numbers that are used by the Internet for distinguishing between the different computers connected to it.