Digital Credit Card & Identity Theft
Just 10 years ago it was impossible to convince anybody to supply their credit card details to any online merchant. Fear of credit card details being stolen, thousands of dollars being withdrawn with no recourse against the thief and general irrational paranoia held e-commerce back for a long time. Today, the situation has made a complete 180-degree turn and it’s common to see credit card details and sensitive personal information passed around via email and other insecure means.
The good – true e-Commerce Security
When you supply your credit card or personal details to a website over a secure connection (e.g. directly to a merchant during payment or via a payment gateway such as Paypal), the chance of your credit card details being stolen is virtually zero. Even if your entire transaction content is captured by a bad guy somewhere in the middle between you and the destination, there is nothing that can be done with this information. The standard for encrypted connections used for this purpose, commonly called SSL (Secure Sockets Layer), uses encryption of a very high grade. Secure websites have an address that begins with an https:// prefix in your web browser.
It will take a supercomputer and specialised facilities to brute force the common kind of encryption used to protect credit card details. The cost in supercomputing power of breaking the code to obtain your credit card details would not quite be covered by the money available on your credit card limit. Since your typical credit card thief will not have access to this kind of technology, it is a moot point. And if somebody is in fact using a supercomputer to decrypt your communications, you have much bigger problems coming than credit card theft.
There is a whole science on the subject called cryptography. This is a very advanced field that has been in development for a long time and is well matured.
The bad - Storage
The problems with credit card details and personal data being stolen usually arise from their insecure storage after collection. Once the merchant receives the details, they will most likely be stored in a database for future utilisation (unless they are used and immediately discarded – a good practice). This database would need to be encrypted using some sort of technology to be secure. There should always be an assumption that the database could be stolen at any time if a hacker or a disgruntled employee were to gain access to the server or PC where the details are stored.
It is never a good practice to store raw customer credit card details in a spreadsheet on your computer. It is probably safer to store credit card details in print in this case – at least physical access would be required to commit credit card theft. Small business owners often do not take enough precaution when it comes to IT security and it takes theft and disgruntled customers to force change.
The good – Paypal
The point above highlights why a gateway service like Paypal is almost always safer to use on a website than it is to supply credit card details directly to the merchant. Paypal handles credit card details without passing them on to the merchant, hence avoiding the situation mentioned above. The merchant only receives the final payment.
A large corporation specialising in collection and processing of credit card details is likely to have already developed better and more secure facilities than a standalone web developer is capable of. For this reason, I always recommend Paypal as a collection facility for my web development clients.
The Bad - Credit Card details by Emails
It is now commonplace to send credit card details directly by email. This is a very dangerous practice – especially if you use a standalone mail application (non web-based). Consider this – your details are saved in your Sent folder, sent insecurely over the Web, stored on a mail server and stored somewhere on the recipient's computer (or email account). If any of these facilities are compromised, your details will be stolen.
Sending credit card details in the form of images (such as scanned forms) is also insecure. A more appropriate way to send forms with credit cards filled out would be using a fax. Faxed documents are unlikely to be compromised and are not stored in a digital format in most cases (if a traditional fax machine is at the destination number).
It’s a bit odd that the same people who would have been afraid to use a properly secure e-commerce website in the past are sending their credit card details by email today!
My Own Story
I have completed all kinds of purchases online for a long time and have experienced credit card theft just once. When my credit card statement contained a debit from a casino in Europe, I knew something was afoot. I traced the theft to a US-based website that I used to make some purchases – that was actually quite a large and reputable business. My only theory is that they did not securely store details after collection.
If your business needs a website with secure credit card transaction facilities, please do not hesitate to get in touch with us.
by Daniel Moisyeyev