Protecting the Numbers
by Wayne Rash
Security Pipeline
June 27th 2005
E-commerce is buried beneath a blanket of fear. Online purchases, according to some observers, are down by nearly half; Internet banking by nearly a third.
Tales of lost credit information, worms in credit processing computers and missing tapes have made customers — and everyone else — nervous about revealing personal information over the Web. Although we know that recent privacy breaches have not been e-commerce related, that's small comfort when people are scared.
To keep e-commerce thriving, Internet transactions must be as safe as, or safer than, those that take place in brick-and-mortar establishments. Consumer confidence has to be restored.
As a customer, there are steps you can take to reduce or eliminate the chance that your credit card numbers or other personal information will be stolen. Even better, these steps don't cost anything and they aren't hard to do.
And as a merchant, you need to take steps to secure your customers' credit card numbers and other personal information, and let your customers know what you're doing, so they feel safe shopping with you.
Perhaps the buyer's best protection is simply not providing a real credit card number to anyone on the Internet. And, no, I don't mean you should give out bogus numbers or "borrow" one from your mother-in-law. But if you use credit cards issued by MBNA, CitiBank or Discover, you can use a method of buying in which a temporary number is created each time you want to purchase something.
In fact, the banks offering these substitute numbers also have an applet you can use with Internet Explorer that will automatically fill in your purchase information, including the substitute number. With this system even if someone does steal your credit card number, they won't be able to use it, because it won't be the real number. You can find these services on each credit card issuer's Web site. MBNA, for example, calls theirs "ShopSafe."
"It's safer than buying in person," said Diane Shaib, executive vice president at Orbiscom, Inc., the Dublin, Ireland, company that invented the means of creating substitute credit card numbers. Shaib noted that Orbiscom (www.orbiscom.com) provides the technology, but does not process the credit cards. "The data resides only at your bank," she said.
I tried out the MBNA version of Orbiscom's credit card number substitution software to buy a book from Amazon. I also downloaded the applet to automate the process. It worked exactly as advertised, although first I had to register with my credit card provider.
In fact, this process is so fast and easy it's hard to see why everyone doesn't use it. I'm sure it's a lot easier than it will be to get reimbursed for my Amazon.com purchase — after all, it was a necessary research expense.
Unfortunately, not every credit card issuer uses this technology. Instead, many companies simply promise that you won't lose any money if someone steals your card. Never mind the pain in the neck caused by having to change card numbers.
But if you don't want to change card issuers to protect your online purchases, there are a couple of things you can do. The first is to make sure you keep detailed records of every transaction, and check them against your statement every month. That way, if someone does get your number, you can respond quickly and notify the card company.
Know Who You're Buying From
The second step is to make sure that the people you buy from are protecting your information. Question any request beyond what's needed to complete the transaction.
Let's face it, they really don't need your social security number for most transactions, and you shouldn't give it to them. And of course, you should be careful about who gets your number. That waiter who takes your card to the back room is a much bigger threat of theft than nearly anything on the Internet.
If you're a merchant, either online or in a physical store, it's up to you to be the first line of defense in protecting customers. Fortunately Visa and MasterCard have issued a set of security standards called the Payment Card Industry Data Security Standard.
The standard requires compliance with what are in reality some basic security practices. Companies that don't meet these standards by July 1 risk losing their ability to accept MasterCard and Visa. This means that you'll have to take a few steps you probably are (or should be) taking already.
For example, if you're an online merchant, you must have a firewall between your computer and the outside world. You must encrypt all customer and credit card information using products such as SafeBoot from Control Break International (www.controlbreak.com) or even the more basic encryption offered within Windows. And you must take basic steps listed in the PCI standard, including such things as changing default passwords in firewalls, routers and computers. If you're a Visa or MasterCard merchant, your bank should have already given you a copy of these requirements.
But the standards are just a first step. You can also make your customers more willing to buy from you if you adopt business practices that protect their interests. If you're selling over the Internet, for example, you must use a secure Web site for credit card transactions. While there's no evidence that a credit card number has ever been stolen while being transmitted over the Internet, there's no point in taking a chance.
You must also avoid the temptation to hang on to credit card numbers and personal data unless you're prepared to go to the trouble and expense required to protect them as well as your customers' banks do. You're much better off if you simply purge all personal and credit card information as soon as you can. After all, nobody can steal what you don't have.
And if you ask for personal information, you must be prepared to explain why you want it, and then be willing to do without it if your customer doesn't want to tell you. Yes, it helps your marketing department to know everyone's ZIP code, but do you really want to lose a sale if it's not forthcoming?
You must also make sure that your handling of customer information is secure. That means you have to carefully restrict who has access, and you must monitor what they do with it. Remember, if your staff is keeping copies of credit card numbers, either by using a magnetic stripe reader (a device about the size of a Palm Pilot) or by keeping extra copies of receipts, it's your fault, and you'll suffer the liability impact. And of course, you need to get your card issuer to set up your receipt printer so that it doesn't print the whole credit card number on the receipt.
Right now, online customers are scared. They want to do business with shops in person or online, but they don't want their money or their identities stolen, and who can blame them? Merchants need to be able to show consumers, through use of secure processing systems, good management techniques and actions, that they can trust the store. But you also need to make it easy and convenient for customers to protect themselves, and that means not asking for information you don't need, or keeping information when you no longer need it.
Customers will eventually come to realize that it's not the Internet that they should worry about, but rather companies whose security practices are not up to snuff. You might not be able to do much about other companies, but at least you can work with your customers, and make it so your customers can work with you, to ensure your end of every transaction is as secure as it can be.
http://www.securitypipeline.com/showArticle.jhtml?articleID=164903077