Safe Shopping
Do you love the convenience of online shopping but worry about who might be grabbing your credit card information? The truth is, using your credit card anywhere puts you at risk. Anyone who handles your credit information is a potential thief. But the Internet somehow instills greater fear. As we'll see, though, online credit card transactions are no riskier than their off-line counterparts, and could be a great deal safer.
The Secure Sockets Layer (SSL), the Web's de facto security protocol, encrypts data that will travel over the Internet. SSL uses public-key cryptography. Data is scrambled using a published code—the public key—which contains no information that would assist a hacker in unlocking the data. Decrypting the data requires a private key known to the recipient only. SSL comes in two versions—40-bit encryption and the much more powerful 128-bit encryption.
In Web-based credit card transactions, the merchant's Web server generates a public key for the purchase transactions and hands the key off to the purchaser's browser. The browser uses the key to encrypt the purchaser's information and sends the data to the payment gateway software, which is the first stage of the credit card authorization and approval system. The gateway decrypts the data and transmits it, using additional security protocols, over the credit card network. (See the sidebar "Where the Data Goes.") Payment-gateway software typically supports both versions of SSL.
Despite its strengths, SSL is better at authenticating the merchant than the cardholder, leaving the shopper's identity in question. For this reason, other security technologies are in development. Two major examples are the Secure Electronic Transfer protocol (SET) and the XML Key Management Specification (XKMS).
SET was developed by a consortium (www.setco.org) that includes Visa and MasterCard. SET works through a combination of public-key encryption, digital wallets, and digital certificates. To shop on a SET-enabled site, the purchaser must download one of several available digital-wallet software packages, enter the credit card data in the wallet configuration, and use this wallet instead of the raw data when selecting the payment type. Security is enhanced if the purchaser obtains a digital certificate from one of several certification agencies, such as VeriSign.
The entire transaction travels under the protection of public-key encryption, with the digital certificate verifying the cardholder's identity, the digital wallet hiding the credit card data, and the encryption rendering the transaction difficult to hack. The problem is, Web shoppers have thus far been reluctant to download and install digital wallets and to obtain digital signatures.
XKMS (www.w3.org/tr/xkms) was developed by Microsoft, VeriSign, and webMethods. XKMS uses digital signatures in conjunction with XML, public key infrastructure (PKI), and programs called trust utilities that perform the various PKI tasks. XKMS services can generate and register pairs of keys and then validate these keys throughout a transaction. In April of 2001, Evincible (www.evincible.com) became the first company to implement an XKMS service. Given the increasing success of XML on the Web, the use of XKMS will likely grow as well.
The Weakest Link
As important as these protocols are, theft of credit card data in transit is rare. The real problem is that credit card data often sits in a poorly secured database on a merchant server. The database gets cracked and the records are copied to the cracker's machine. But that data is just as likely to have come from telephone or brick-and-mortar sales as online. So the risk is not added by the online aspect of a transaction, but by ineffective security where the data is stored.
Consumer apprehension gets most of the publicity concerning credit card security, but the stakes for merchants are significantly higher. Laws in many places limit the liability of consumers in fraudulent transactions, but merchants can get nailed in a number of ways. When a transaction is reversed, the costs of the reversal fall to the merchant, including significant fees charged by financial institutions. For this reason, merchants may want to consider outsourcing all e-commerce activities, relying on a reputable service to provide the strongest possible security.
What to Do
You can help protect yourself against credit card data theft in several common-sense ways. First, don't store your credit card data on your hard drive; anyone breaking into your computer via your Internet connection will probably look for such information. Second, get into the habit of using a credit card that has a low dollar limit, which limits the potential damage. Third, buy from vendors with proven reliability and safety records. Check the seller's Web site for statements regarding security, and look for symbols or logos. If you see the VeriSign or SET logos, for example, you stand a good chance of a safe purchase experience. Finally, check your Web browser to determine that you are inside a secured site. Internet Explorer, Netscape, and Opera all display a security icon in the status bar. This symbol indicates the use of SSL technology.
If you're using IE, you may want to activate the browser setting Warn if changing between secure and not secure mode. Choose Tools | Internet Options | Advanced, and check the appropriate box under the Security heading.
The best way to avoid the theft of credit card data is not to give it out. Two systems already in place, Private Payments and PayPal, let you do this. Private Payments is an American Express service for its cardholders. When you buy from a site that accepts American Express, you request a transaction number from the Private Payments site (www.americanexpress.com/privatepayments). The service sends you the number under 128-bit SSL protection; you then enter it into your purchase form. The transaction number and your card number are associated only in American Express's databases; the vendor never sees your card information.
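The following sketch models the transaction-number idea described above. It is an added example, not American Express's implementation or code from the original article. The class and function names, the constructed card number, and the single-use and expiry rules are assumptions made for illustration.

```python
import secrets
import time

CARD = "370000000000002"  # constructed card number, not a real account


class IssuerVault:
    """Issuer-side store: the only place a transaction number maps to a card."""

    def __init__(self, ttl_seconds=900):  # expiry window is an assumption
        self._credit = {}   # card number -> remaining credit
        self._numbers = {}  # transaction number -> [card, expiry, used]
        self._ttl = ttl_seconds

    def add_card(self, card, credit):
        self._credit[card] = credit

    def issue_number(self, card, now=None):
        """Return a random 15-digit number unrelated to the card number."""
        if card not in self._credit:
            raise KeyError("unknown card")
        now = time.time() if now is None else now
        number = "".join(secrets.choice("0123456789") for _ in range(15))
        self._numbers[number] = [card, now + self._ttl, False]
        return number

    def authorize(self, number, amount, now=None):
        """Resolve the number to a card and approve it at most once."""
        now = time.time() if now is None else now
        entry = self._numbers.get(number)
        if entry is None:
            return "declined: unknown number"
        card, expires, used = entry
        if used:
            return "declined: already used"
        if now > expires:
            return "declined: expired"
        if self._credit[card] < amount:
            return "declined: over limit"
        entry[2] = True  # mark as spent so a copied number is worthless
        self._credit[card] -= amount
        return "approved"


def checkout(vault, merchant_db, card, amount, now=0):
    """Shopper requests a number; the merchant stores and submits only that."""
    number = vault.issue_number(card, now)
    merchant_db.append({"payment_number": number, "amount": amount})
    return vault.authorize(number, amount, now)
```

A copy of `merchant_db` contains only spent transaction numbers, so a breach of the merchant's records exposes nothing that can be charged again.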
PayPal (www.paypal.com) offers a similar service, and you can use a bank account tie-in instead of a credit card. Your data, stored in PayPal's databases, is never sent over the Net except when you set up your account via PayPal's secured servers. PayPal lets you send money to any e-mail address; your recipients set up PayPal accounts for themselves and the money is wired to their accounts. Merchants can accept PayPal transactions either as single-item purchases or through a multiple-item shopping cart. PayPal offers three account types: personal, premier, and business. Merchants must have premier or business accounts to accept credit and debit card payments. (Business accounts are simply premier accounts under a corporate name.) PayPal charges a fee for credit card transactions.
Obviously, a great number of data transfers occur in processing purchases over the Internet, and skilled hackers can tap these transfers. But follow some simple guidelines and your online transactions will be as safe as they are in the world of bricks and mortar.
Where the Data Goes
Clicking the Submit button to finalize a purchase launches a complex process. The data for your order must travel securely not only to the merchant's Web site, but to a series of financial institutions through a network that combines public and proprietary security standards.
The main institutions are the issuing bank, which supplied the credit card to the buyer, and the acquiring bank, through which the seller has a merchant account. The acquiring bank buys the sales transaction from the merchant (after credit approval), waits until the funds transfer is complete, then transfers the funds into the merchant's account.
The purchase data travels from your credit account to the merchant through the credit card interchange, a network built by Visa and MasterCard that routes transactions to the appropriate banks. The data enters through one of several processor systems. Companies providing processing services include First Data Merchant Services, NOVA Information Systems, Paymentech, Vital Processing Services, and Total Systems Services. Each acquiring bank has an arrangement with one of these services to get the data into the credit card interchange.
Processor services deal with only the very largest of corporations, not with individual merchants. As a result, most merchants submit their transaction data through a payment gateway intermediary such as InfoSpace's Authorize.NET system, CardService International's LinkPoint Gateway, and Verisign's Payflow. The payment gateway works with software on the merchant's Web server to transfer the transaction data into the processor's network. Payment gateway services often work with several different processor systems.