
i/s Back Issues


Volume 15

No. 1   September/October 1999

Considerations When Using Credit Cards for Web Purchases

Lorraine Rappaport

The Internet has emerged as an important force for commerce. The allure is obvious. Sellers no longer need bricks and mortar: they can set up Web storefronts relatively quickly. Customers are no longer limited by time zone or geographic location: they can buy via the Web virtually anytime and from any place. The Web has enabled Internet-connected merchants to compete on a more level playing field.

One drawback for e-commerce has been the perception by customers that their credit card information may be intercepted during transmission or stolen from a database. Reputable merchants address three basic areas of security:

1. Collecting customers' credit card information securely. Secure Sockets Layer (SSL) is the most common method of encrypting data on the Web. SSL is built into browsers and provides for encryption between Web servers and browsers. You can tell that a transaction is encrypted when the URL begins with https.

2. Protecting stored credit card information from theft. The best defense is to not store credit card numbers in any form--in a database, on paper, or in email. In instances where they are stored, merchants need to take extra precautions.

3. Passing credit card information to the merchant's bank securely. This is typically done via third-party products or services (such as Open Market's Transact or CyberCash) that provide secure ways of transmitting information to the bank and authorizing the buyer's credit card. The information is sent over the Internet or via a leased line or dedicated line. There is no recommended method for doing this yet, and transport options depend on the product or service. Service levels, options, and costs can vary widely.

Credit Cards and MITnet
IS and the Controller's Accounting Office (CAO) have launched a project to determine how best to provide MIT departments, labs, and centers with the ability to accept credit card payments via the Web. The team is exploring the business case, technical and financial feasibility, and options for providing a centralized service and standardized controls. In addition to addressing the security issues discussed above, the project team is evaluating transaction reporting capabilities and integration with SAP for recording receivables. More information about the project will be available later this fall.

Since MIT is a non-profit institution, specific guidelines govern commercial activities on MITnet. If you intend to sell goods or services on the MIT network, send email to the project team at <chargeit@mit.edu> to make sure you are in compliance.

Consumer Tips for Buying on the Web
Credit card fraud for Web orders is no worse than it is for any other credit card transaction. Most of the same security issues apply, whether you place an order via the Web, by phone, or in person. To reduce the risk of fraud, follow these tips when making credit card purchases via the Web:

1. Order from merchants you trust. Use the same common sense you would when dealing with new merchants in person or by phone.

2. Limit shopping to sites that use SSL to encrypt data. Look for a closed padlock in the bottom left-hand corner of your browser window and/or a URL that begins with https.

3. Find out if and how vendors store credit card information. If they don't state their policy on their site, ask.

4. Be aware of your credit card company's policies about fraudulent charges. Some credit card banks waive liability altogether.

Note: "Seal of approval" programs such as TRUSTe or Webtrust focus on issues of privacy, not the security of information sent to the vendor.

