Secure your customers' online payments

Reports of credit card details being stored on insecure servers, and then being obtained by hackers for use in fraudulent transactions, have alarmed many consumers. According to research firm Jupiter, almost 60 percent of consumers have not purchased goods from an online retailer due to security fears.

In September, the Association for Payment Clearing Services released figures detailing that while UK consumers made $5.75 billion in credit or debit card transactions in 2000, only $88.5 million -- or 1.5 percent -- of these transactions were done online.

However, it is the online retailers who suffer most when online fraud occurs because they, not the consumers, are liable for failed transactions. Additionally, if fraudulent transactions rise beyond an acceptable level, credit card companies have the right to stop the merchant from accepting their credit cards. Internet retailers are concerned about the risk of bad publicity and liabilities if credit card details are exposed or intercepted through their payment systems.

As a result, several methods are being developed to overcome the problems of posting credit card details online. These solutions range from digital signatures to safe shopping portals and pre-payment systems, but all have the same goal -­ to authenticate payments, to ensure that when an order is processed both the shopper and the merchant can trust that the details are secure and genuine. One way of tackling the problem is to use authenticated electronic signatures. Among organizations developing digital-signature systems are the UK and Irish postal services. The signatures are used alongside order details as a means of authenticating the customer, and are binding under European law.

Consignia, the UK postal service, will offer consumers in the UK digital signatures from early next year. ViaCode, Consignia's e-commerce arm, is responsible for developing the technology and processes to support the signatures.

Online retailers will need to install ViaCode software to make use of the system, and once this is in place, they will be able to access and read ViaCode's directory of signatures. ViaCode will charge a fee for the service.

The method for providing consumers with their digital signatures has not been finalized, according to ViaCode, but it is likely consumers will need to take their passport to a post office branch for visual identification, before receiving a disk or CD-ROM containing their unique identification code. The Irish post office is working on a similar system.

These schemes are designed to increase the confidence of businesses and customers in e-commerce. By using digital signatures, consumers are reassured that any sensitive information they send across the Web, such as postal addresses and credit card details, is protected from interception along the way. Meanwhile, online merchants can be more confident that the customer placing the purchasing order is indeed entitled to use the payment card in question.

Security experts believe that digital signatures will encourage more consumers to purchase goods online. Toby Ben, product manager at security company Access Research Technologies, says consumer confidence will be essential for the progress of e-commerce. "Digital signatures are going to become increasingly important in this arena as they can prove mathematically and legally the identity of a user," he adds.

The use of digital signatures still requires users to send personal details across the Web. Other companies are developing ways to enable online transactions, without the need for any personal details to pass across the Internet from the consumer to the merchant.

Securicor, for example, launched its SafeDoor safe shopping portal in March so users can shop online without sending personal details via the Web. Users register their personal and payment card details with SafeDoor once, either online or over the phone. They can then purchase goods from a range of retailers signed up to the service without having to send their details to each online retailer for every purchase. The system acts as a secure shield but does limit the consumer to dealing with the retailers participating in the scheme.

SafeDoor encrypts the user information and stores it offline. When an order is placed, the customer clicks on the

SafeDoor button on the retailer's site. The order details are transferred from the retailer to SafeDoor, allowing SafeDoor to match it against the consumer's account details, confirm the sale and bill the consumer's payment card.

For retailers wanting to use the scheme, integration is a simple, step-by-step process, which takes about a day using a Java object provided by SafeDoor, says Nigel Marson, SafeDoor's commercial director. There are no up-front fees for retailers ­ SafeDoor generates revenue by taking commission from any sales generated through the site. 'Retailers will also benefit from increased traffic to their sites, as new users follow links to other retail shops from within the SafeDoor portal,' Marson adds.

However, consumers and merchants want simplicity as well as security. The disadvantage of safe shopping portals is that consumers can only shop with retailers registered at the portals, and retailers have to find out who is offering portal services and register with them.Payment card company Visa International is working to improve existing payment methods to ensure they are more secure for online commerce.

Using its Visa Authenticated Payment (VAP) system, Internet retailers can check card details with the issuing bank in real time, reducing the risk of the merchant being liable for failed transactions.

Under the UK Consumer Protection (Distance Selling) 2000 regulations, vendors are liable for online fraud if cardholders are not physically present when a card payment is made. When the card holder is present, the issuing bank is liable for failed transactions. however, to encourage take-up of its new system, Visa is offering cardholder-present status to transactions done under VAP.

Visa is offering the VAP service to issuing banks in Europe and the US. Merchants need to download a plug-in to link to the issuing banks' systems in order to validate online shoppers in real time.

Consumers still need to enter their credit card number online, but as soon as they click the purchase button, the card details are sent to a directory server, which alerts the issuing bank. A box appears on the consumer's browser, and they are asked to enter a PIN. Once the bank has checked this number, a message is sent to the merchant stating that the consumer's identity has been verified and the purchase can be completed.

This technology benefits merchants, consumers and banks issuing Visa cards. It offers consumers additional protection against illegal use of their cards, reduces the cost of fraud for merchants, and enables the banks to offer better protection to their customers.

MasterCard is currently preparing its rival Secure Payment Application service, which is due to launch next year. Visa performs authentication on the merchant's site ­ the MasterCard system will handle it on the customer's PC, using a previously downloaded applet.

However, the two card systems will not be compatible, raising the support costs for firms if they decide to use both.

Another approach to the problem is to use pre-payment systems. BTopenworld signed an agreement with payment technology provider iPin at the start of this year to offer BT users a pre-payment system called eWallet. Customers can add funds to their eWallets by visiting a participating store and paying cash to top up the wallet with the required amount. The customer can use their eWallet as a payment method for online transactions, without sending bank account or credit card details over the Internet.

However, there is a danger that the growing number of systems for online transactions will lead to confusion for consumers and an administrative headache for merchants. There is a strong case for a unified approach to these issues. SafeDoor's Marson says companies will have to work together. "Industry should line up behind one solution and with one voice assure consumers there is no need to worry any longer about the safety of credit card details online," he says.Concerns among Internet shoppers over credit card security and the possibility of fraud are undoubtedly hindering the growth of e-commerce.

Reports of credit card details being stored on insecure servers, and then being obtained by hackers for use in fraudulent transactions, have alarmed many consumers. According to research firm Jupiter, almost 60 percent of consumers have not purchased goods from an online retailer due to security fears.

In September, the Association for Payment Clearing Services released figures detailing that while UK consumers made $5.75 billion in credit or debit card transactions in 2000, only $88.5 million -- or 1.5 percent -- of these transactions were done online.

However, it is the online retailers who suffer most when online fraud occurs because they, not the consumers, are liable for failed transactions. Additionally, if fraudulent transactions rise beyond an acceptable level, credit card companies have the right to stop the merchant from accepting their credit cards. Internet retailers are concerned about the risk of bad publicity and liabilities if credit card details are exposed or intercepted through their payment systems.

As a result, several methods are being developed to overcome the problems of posting credit card details online. These solutions range from digital signatures to safe shopping portals and pre-payment systems, but all have the same goal -­ to authenticate payments, to ensure that when an order is processed both the shopper and the merchant can trust that the details are secure and genuine. One way of tackling the problem is to use authenticated electronic signatures. Among organizations developing digital-signature systems are the UK and Irish postal services. The signatures are used alongside order details as a means of authenticating the customer, and are binding under European law.

Consignia, the UK postal service, will offer consumers in the UK digital signatures from early next year. ViaCode, Consignia's e-commerce arm, is responsible for developing the technology and processes to support the signatures.

Online retailers will need to install ViaCode software to make use of the system, and once this is in place, they will be able to access and read ViaCode's directory of signatures. ViaCode will charge a fee for the service.

The method for providing consumers with their digital signatures has not been finalized, according to ViaCode, but it is likely consumers will need to take their passport to a post office branch for visual identification, before receiving a disk or CD-ROM containing their unique identification code. The Irish post office is working on a similar system.

These schemes are designed to increase the confidence of businesses and customers in e-commerce. By using digital signatures, consumers are reassured that any sensitive information they send across the Web, such as postal addresses and credit card details, is protected from interception along the way. Meanwhile, online merchants can be more confident that the customer placing the purchasing order is indeed entitled to use the payment card in question.

Security experts believe that digital signatures will encourage more consumers to purchase goods online. Toby Ben, product manager at security company Access Research Technologies, says consumer confidence will be essential for the progress of e-commerce. "Digital signatures are going to become increasingly important in this arena as they can prove mathematically and legally the identity of a user," he adds.

The use of digital signatures still requires users to send personal details across the Web. Other companies are developing ways to enable online transactions, without the need for any personal details to pass across the Internet from the consumer to the merchant.

Securicor, for example, launched its SafeDoor safe shopping portal in March so users can shop online without sending personal details via the Web. Users register their personal and payment card details with SafeDoor once, either online or over the phone. They can then purchase goods from a range of retailers signed up to the service without having to send their details to each online retailer for every purchase. The system acts as a secure shield but does limit the consumer to dealing with the retailers participating in the scheme.

SafeDoor encrypts the user information and stores it offline. When an order is placed, the customer clicks on the SafeDoor button on the retailer's site. The order details are transferred from the retailer to SafeDoor, allowing SafeDoor to match it against the consumer's account details, confirm the sale and bill the consumer's payment card.

For retailers wanting to use the scheme, integration is a simple, step-by-step process, which takes about a day using a Java object provided by SafeDoor, says Nigel Marson, SafeDoor's commercial director. There are no up-front fees for retailers ­ SafeDoor generates revenue by taking commission from any sales generated through the site. 'Retailers will also benefit from increased traffic to their sites, as new users follow links to other retail shops from within the SafeDoor portal,' Marson adds.

However, consumers and merchants want simplicity as well as security. The disadvantage of safe shopping portals is that consumers can only shop with retailers registered at the portals, and retailers have to find out who is offering portal services and register with them.Payment card company Visa International is working to improve existing payment methods to ensure they are more secure for online commerce.

Using its Visa Authenticated Payment (VAP) system, Internet retailers can check card details with the issuing bank in real time, reducing the risk of the merchant being liable for failed transactions.

Under the UK Consumer Protection (Distance Selling) 2000 regulations, vendors are liable for online fraud if cardholders are not physically present when a card payment is made. When the card holder is present, the issuing bank is liable for failed transactions. however, to encourage take-up of its new system, Visa is offering cardholder-present status to transactions done under VAP.

Visa is offering the VAP service to issuing banks in Europe and the US. Merchants need to download a plug-in to link to the issuing banks' systems in order to validate online shoppers in real time.

Consumers still need to enter their credit card number online, but as soon as they click the purchase button, the card details are sent to a directory server, which alerts the issuing bank. A box appears on the consumer's browser, and they are asked to enter a PIN. Once the bank has checked this number, a message is sent to the merchant stating that the consumer's identity has been verified and the purchase can be completed.

This technology benefits merchants, consumers and banks issuing Visa cards. It offers consumers additional protection against illegal use of their cards, reduces the cost of fraud for merchants, and enables the banks to offer better protection to their customers.

MasterCard is currently preparing its rival Secure Payment Application service, which is due to launch next year. Visa performs authentication on the merchant's site ­ the MasterCard system will handle it on the customer's PC, using a previously downloaded applet.

However, the two card systems will not be compatible, raising the support costs for firms if they decide to use both.

Another approach to the problem is to use pre-payment systems. BTopenworld signed an agreement with payment technology provider iPin at the start of this year to offer BT users a pre-payment system called eWallet. Customers can add funds to their eWallets by visiting a participating store and paying cash to top up the wallet with the required amount. The customer can use their eWallet as a payment method for online transactions, without sending bank account or credit card details over the Internet.

However, there is a danger that the growing number of systems for online transactions will lead to confusion for consumers and an administrative headache for merchants. There is a strong case for a unified approach to these issues. SafeDoor's Marson says companies will have to work together. "Industry should line up behind one solution and with one voice assure consumers there is no need to worry any longer about the safety of credit card details online," he says.