VII.1. List of abbreviations
ACH Automatic clearing house
ATM Automated teller machine
AVS Address verification system
B2B Business-to-business e-commerce
B2C Business-to-consumer e-commerce
C2C Consumer-to-consumer e-commerce
CEO Chief executive officer
CIA Confidentiality, integrity, availability
COO Chief operation officer
CVN Card verification number
DBMS Database management system
DMZ Demilitarized zone
DOS Denial-of-service
DRC Democratic Republic of Congo
E-CASH Electronic cash
E-CHECK Electronic check
E-COMMERCE Electronic commerce
ICT Information and communication technologies
IDS Intrusion detection system
IEC International Electrotechnical Commission
IS Information systems
ISMS International security management system
ISO International standards organization
ISP Internet service provider
IT Information technology
LAN Local area network
M-payment Mobile payment
PDA Personal device assistant
PSP Processing service provider
VPN Virtual private network
Page | 58
VII.2. List of figures
Figure 1: Forms of e-commerce
Figure 2: E-commerce framework
Figure 3: Initial structure of IT capabilities
Figure 4: IT infrastructure components
Figure 5: Level of acceptable security for e-commerce
Figure 6: Layered security
Figure 7: DMZ deployment
Figure 8: Processing of card transaction
Figure 9: E-check processing using Authorize.net
VII.3. List of tables
Table 1: Qualitative vs quantitative research methodologies
Table 2: Types of central tendency measures
Table 3: Repartition of respondents per working experience
Table 4: Repartition of respondents per position
Table 5: E-payment methods reported
Table 6: List of issues faced by e-payment systems
Table 7: Confidentiality elements
Table 8: Score of integrity check of the firewall configuration
Table 9: Frequency table of integrity check of firewall configuration
Table 10: System integrity result
Table 11: Report of unauthorized attempts to sensitive data
Table 12: Additional physical access control score
Table 13: Frequency distribution of physical access control
Table 14: Availability capabilities
Table 15: Summary of the security capabilities
VII.4. Data Collection questionnaire
Brief Overview
The aim of this questionnaire is to assess the security of the e-payment systems in the Democratic Republic of Congo in accordance with the confidentiality, integrity and availability concepts of information system security. Because it is for an academic dissertation, only a sample of relevant questions has been selected for quantitative analysis purposes.
Select only one response unless otherwise stated.
A. Generality
Question 1
Are you interested in the result of this assessment?
1: No 2 : Not sure 3 : No opinion 4 : Not applicable 5 : Yes
Question 2: Personal information
Position in the company:
Sex :
Years of experience:
Company name:
Question 3
Are you familiar with electronic payment systems?
1 : No 2 : Not sure 3 : Not applicable 4 : Yes 5 : Most familiar
Question 4
Does your organization use or commercialize an e-payment system?
1 : No 2 : Not sure 3 : No opinion 4 : Not applicable 5 : Yes
Question 5 (select all that apply)
Which products are you offering to your clients?
1 : None 2 : Not sure 3 : Visa card 4 : Mastercard 5 : Electronic check
6 : Electronic cash 7 : Online banking (e-banking) 8 : Mobile payment (M-payment)
9 : Other (cite)
----------------------------------------------------------------------------------------------------------
Question 6
During the past twelve months, have you faced any issues related to the use of one of the e-products you are offering to your clients?
1 : No 2 : Not sure 3 : No opinion 4 : Not applicable 5 : Yes
Question 7 (select all that apply)
Please select which issues you have encountered
1 : Fraud 2 : Not sure 3 : Theft 4 : Service unavailability
5 : Disclosure of confidential information 6 : Misuse of information 7 : Falsification
8 : Other (cite)
------------------------------------------------------------------------------------------------------
Question 8
Does any written security policy exist related to electronic transactions?
1 : No 2 : Not sure 3 : No opinion 4 : Not applicable 5 : Yes
Question 9
Is the written security policy shared with your clients?
1 : No 2 : Not sure 3 : No opinion 4 : Not applicable 5 : Yes
B. Confidentiality
Question 10
Are all connections between the organization's networks and external third-party or public wide area IP networks made via a formally authorized firewall (or do they have equivalent approved controls over the data and protocols which are allowed through)?
1 : No 2 : Not sure 3 : No firewall used 4 : Not applicable 5 : No external connection 6 : Yes
Question 11
Does your main internet connection use a router?
1 : No 2 : Not sure 3 : Not applicable 4 : No internet connection 5 : Yes
Question 12
Is remote access to the management port of the router or firewall strictly restricted?
1: No 2 : Not sure 3 : No opinion 4 : Not applicable 5 : Yes
Question 13
How often is the router or firewall configuration checked for integrity?
1 : Never 2 : Not sure 3 : Monthly 4 : Weekly 5 : Not applicable 6 : Daily
Question 14
Are the firewalls configured to reject everything by default, accepting only those protocols that are explicitly required, and only for those IP addresses which specifically require them?
1 : No 2 : Not sure 3 : No opinion 4 : Not applicable 5 : Yes
Question 15
Is logical access to the firewalls (admin user logons, etc.) subject to tight restrictions and authentication, and is this regularly reviewed?
1 : No 2 : Not sure 3 : No opinion 4 : Partially 5 : Yes
Question 16
How is encryption being applied on your network infrastructure?
1 : No encryption 2 : Not sure 3 : LAN and PC resident program
4 : Hardware cryptographic device 5 : Hardware cryptographic device and software resident program