Online Ordering Tips – Considerations for Providing Sensitive Information over the Internet

Online Ordering Tips – Considerations for Providing Sensitive Information over the Internet

Online vs. In Person

The risk of credit theft is viable no matter how you purchase, be it online or in person. However, in my experience as a retailer for 5 years and a consumer for 20+ years, and as it seems now, it is more likely that your credit card information will be found in the wrong hands from an in-person purchase than from an online purchase. Consider that when using a credit card in person, such as when you are at a restaurant and your credit card disappears to a back room somewhere. Is someone writing down your number, expiration date, and CCV somewhere? Who would know? I have heard of one account where that happened, and I have heard of another where a copy of the card was made. Then there was another incident at a well-known department store where copies of carbons were pocketed and used for employee-to-employee purchases. Another consideration for in-person credit card use is that signatures are rarely verified, and even when they are, they are typically not scrutinized adequately. The same goes for photo identification. Moreover, as just mentioned, these incidents are not limited to hole-in-the-wall diners and shops either. Employees of well-known dining and shopping establishments are committing this type of theft.

Now suppose you do not give your card to a stranger for processing in some back room where you cannot see, but instead you swipe your card through a machine (otherwise known as a terminal). Guess what? You just made an online purchase. All of your credit card information just went through an electronic processing gateway, which is the same thing that happens when your credit card is processed over the Net. As you can see, Internet processing is nearly the same as in-person processing in that sometimes your card information goes directly into an electronic gateway, and sometimes it resides with an employee who then processes the information (for online purchases, the information is temporarily stored on a secure server until an employee processes the information).

You can now see that there are two ways for processing credit cards: online and in person. The first way (automatic processing) is identical for both online and in-person transactions in that no employee ever sees your information. The second way (manual processing) requires an employee or storeowner (or sole proprietor) to process your transaction manually.

Why is online more secure than in person? There are at least a couple of reasons. If the process goes directly through a processing gateway (automatic processing), then there is very little if no difference between online and in-person transactions. If the process is done through an employee (manual processing), then typically the online store only has one person or small department who is allowed access (or exposure) to your information, whereas when you are processing a card at a restaurant, almost any employee is allowed and able to handle your credit information. Also, consider that unless you are dealing with a well-known, nationwide store, most online stores are fairly small and owned by sole proprietors or an LLC. These owners put a lot of time, energy, and cost into establishing their store. To become the subject matter of credit theft would undermine these efforts. In-person stores, on the other hand, hire employees who have little, if any, stock in the success of the company.

Uninvited Thieves

Online purchases typically avoid most, and sometimes all, of the potential threats from so-called ”trusted” employees. However, online purchases do offer a potential danger zone of their own: hackers. Credit card numbers and other vital information are almost certainly stored in a database somewhere. If that database is compromised, so is the credit card information it contains. Although, from what I have read and heard over the last 5-7 years, this happens far, far less than in-person theft. A lost or stolen purse or wallet is much more likely to result in attempted credit card fraud. Even if a hacker were to break into one of these databases, not only would the investigation be taken to a very high level of investigation (as opposed to a stolen purse or wallet or even identity theft), but there would also be hundreds to millions of others in line with you.

CISP: VISA (et al) is On Your Side

We have learned that automatic transaction processing is just as secure whether it is done online or in person. And based on the points made, manual transaction processing is typically more secure when done online than in person (again, at least at this point in time). There is one consideration, however, that can lower the defenses of a manual transaction done online. Typically, your credit card information is stored on a secure database, and an employee must transfer that information to the secure gateway. However, if the store saves any of your credit information on their local computer, then that leaves your information open to hackers on that computer. Unfortunately, short of asking, or unless it is mentioned in the store’s FAQ, there is no way of knowing whether they do this. Although it is unnecessary for a storeowner to store this information, and it is technically against VISA regulations, it can certainly happen. If you do feel or find that your credit information is being stored by a store owner, be it in person or online, feel free to visit the VISA Cardholder Information Security Program (CISP) page located at http://usa.visa.com/merchants/risk_management/cisp_overview.html

Catching a Card

If a credit card thief tries using a stolen credit card at a store (online or in person) that uses manual processing, there are signs that can flag such an illegal transaction, which humans can catch. In person, there are photo and signature IDs that, when used, can flag the purchase. Online, an incorrect billing address, phone number, or even a returned e-mail can flag the process. With automatic transactions, the card is likely to be accepted without question, even if there are one or two small flags. In such cases, if your credit card or credit information is stolen, you can only hope that the thief will use a store that processes transactions manually.

Online Skeptics Are Still Online

Considering the number of people who are skeptical of making purchases online, it would seem that these folks are either not aware of a law that took effect on October 28, 2004, or do not write personal checks. The Check 21 Act has nearly guaranteed that your personal checks will be scanned into an electronic format, stored, and even transferred as necessary just like credit card information. You can find additional information on the Check 21 Act at [http://www.ftc.gov/bcp/conline/pubs/credit/check21.htm]

Security = Encryption

One of the most common precautions for purchasing online is to ensure that the Web page you are providing the information to is secure (encrypted). Depending on the browser you are using, secure pages will typically have a lock somewhere in the status bar. In addition, the URL (Web page address) will begin with HTTPS:// (Notice the “S” after the HTTP. The “S” means that the page is secure.) On a secure page, the information being sent is encrypted, that is, the information is made into a puzzle that is extremely difficult for anyone except the receiving computer to solve. Also, remember that credit cards are only one type of information collected online. Always ensure that Web pages are secure before providing Social Security Numbers and other vital account information, such as bank account information.

Aging is a Good Thing

Consider the number of years a store has been open for business. Check for their Sales and Use or Tax Permit. Even online, they should display one because if they are transacting business over the Internet, then that is their “place of business”. Obviously, stores need to start out somewhere, but just take a little extra caution with stores that have been open for only a year or two. Consider calling them before ordering just to verify that there is someone on the other end.

Changing Names – Changing Favorites

When information is collected on every other Web site you visit, the sensitivity level of such information is diluted. Consider changing your favorite pet’s name once in awhile. And the “First street you lived on” does not have to be the first street you lived on. Nor does it have to be the last school you attended. These are simply reminders and are sometimes easier for a stranger (or even a family member) to guess at than your password. Consider not using the real answers to these. They can be used as backdoors into your account.

Use Another Credit Card

Most people nowadays have more than one credit card. Select a card that has the least amount of credit on it to ensure that if something were ever to go wrong, you have the least to lose. You should also consider only using a credit/debit card from your primary bank account for larger and less-often purchases. If this card is swiped and used, it could leave you short for any legitimate transactions that have yet to clear, like your online bills. You could also set up a bank account solely for online purchases. If you use your primary bank, you can transfer money as needed to cover charges before they are made: Or just keep a very small amount (like $100) in that account at all times.

Temporary Credit Cards

Speaking of using another credit card for online purchases, some financial institutions now offer temporary credit cards with a set limit, a set time frame, or both. Contact your financial institution for additional information on temporary credit cards.

Outside the Box (or in another box)
Another idea for making online payments is to always use the same credit card for online purchases and keep an eye on that account on a very regular basis. Also, consider minimizing its use. You can also consider using an online money transfer service such as PayPal or Google Checkout (although these limit your purchases to stores that also use these services).

Information Storage

When purchasing online, you will most likely be asked to come up with a password for an “account” with the online store. At some point, perhaps even today, you already have far too many passwords to remember. In contrast, if you use the same password for everything, and that password is found out, you have even more places where you are vulnerable to theft. As you probably already know, writing passwords down and putting them in your purse or wallet is extremely risky, and you NEVER want to store your PIN numbers in the same location as your ATM/debit cards (that’s like putting your password under your keyboard or a key under the mat). A safe-deposit box or fireproof house safe would be good but considerably less convenient. You might want to consider a password-storage application that can be found by visiting the Sponsored Links at http://www.google.com/search?q=password+storage. Using this method, you remember one password that will allow you access to all of your other passwords (so make it a long and complicated password). And if you store passwords in your cell phone, on a PIM, or on a laptop (although all are very dangerous), be sure to password protect those devices as well.