Define Payments on Internet

Payments on Internet

Most of online purchases are paid for by a credit card. Merchants like credit card payments because an instant authorization guarantees that the card is valid (as opposed to a check which may bounce). Customers like paying by credit cards because they can easily cancel a transaction in case when they don’t receive products or services according to the agreement in the transaction.

While some of credit card payments for online services are performed by phone, most of such payments are made by filling in an online form.

Credit card information submitted by the customer is sent to the bank which has issued the credit card to verify.

If the transaction is approved, the merchant notifies the customer that the order has been placed. The actual transfer of money from the credit card bank to the merchant may happen in a few hours, or even in a few days.

Merchants who accept credit card payments pay fee (between 1 and 7 percent of the card charge) for each card charge. In addition, in some cases merchants pay authorization fee for each credit card authorization attempt, as well as other fees related to credit card processing.

In case when a customer is not satisfied with the product or a service, or for other reasons, merchants may issue a refund or a charge-back to the customer’s account.

Technical Issues

There are several technical issues involved in online credit card payments as described below

Quick Check for Typos

Since the merchant may be charged for each credit card authorization, it is convenient to check that the credit card number makes sense before sending it to the issuing bank to authorize.

There is an easy algorithm to verify a credit card number the last digit of the credit card number is computed from the other digits using a simple procedure. The details are given here.

The algorithm is public, and therefore can be used only to catch typos and disallow random data, but not to check the validity of a credit card number.

Authenticating the User — Protection from Customer Fraud

Since the card is not physically present during the transaction, it is practically impossible for a merchant to distinguish a legitimate credit card user from a thief. In online transactions the user is usually asked to provide additional information, such as their address and phone number, and the card’s billing address, if different from the customer’s address.

However, this information can be easily mistyped. While in a telephone transaction an operator can use their judgment to approve or reject a transaction based on how much of the information has matched and how confident the customer sounds, in an online transaction the level of “tolerance” of typos and mistakes must be set automatically.

Another way of verifying a card number is to ask the user to provide the additional digits on the card (the digits which do not appear on the magnetic strip or on a carbon paper when the print of the card is taken). However, online customers may be reluctant to provide this information because of fear of merchant’s fraud (see below) or of eavesdropping.

Protecting Card Numbers in Transmission

Since information transmitted in an online transaction is sufficient for approval of a credit card charge, it is essential that this information is protected from eavesdropping. The most common way of doing it is to encrypt data in transmission. This is done via SSL. However, many online businesses do not use SSL when transmitting credit card numbers and other customer information, or do not make SSL the default for such transmissions. While it is theoretically possible to obtain credit card information sent in plain text (in an e-mail message or via an online form), so far there hasn’t been a known case when a credit card number was stolen this way.

Protecting Card Numbers on the Merchant’s Site

In practice, the main vulnerability of dealing with credit card numbers is not the transmission, but the storage. Security experts agree that storing credit card numbers at the merchant’s site is a risky practice, and should be avoided. If credit card numbers need to be stored, they should be stored on a secure machine, and preferably in an encrypted form. They should not be stored in a database which is (at least partially) accessible to customers, nor should they be stored (in any form) on the web server.

It is the merchant’s responsibility to protect customer’s information from fraud. An e-commerce web site may suffer large losses, including those caused by the loss of customer’s trust; it fails to protect confidential customer information.

Protecting From Merchant Fraud

The other side of protecting a merchant from a customer’s fraud is protection of a customer against a merchant’s fraud. If the merchant knows enough of the customer’s credit card information to be able to authorize a transaction, then the merchant (including many of the merchant’s employees) know enough to be able to use the credit card themselves! In the majority of cases the highest priority of the merchant is to protect the reputation of the business and their own, and a fraud is not in the merchant’s interests. However, there may be exceptions, such as a desperate owner whose business is about to go broke a disgruntled employee, or an online scam which uses a fake online business as a cover up for collecting credit card information.

An online customer has to be careful not to be a victim of a merchant’s fraud. Using SSL to verify the site’s name is a way to avoid sites that pretend to be a part of a respected business, but in fact are not.

To verify that a business is legitimate, a customer may try calling the phone number or sending an e-mail. It is always important to check carefully the credit card statement and immediately investigate an unauthorized charge (and possibly cancel the credit card if theft is suspected).

If a merchant runs a new business which has not yet established customer’s trust, they might want to provide a way for the user submit their credit card number directly to a trusted agency which authorizes a transaction. This is done by redirecting the user to a web page of the agency for authorization.

An example of such product is VeriSign PayflowLink. The customer enters information on the agency’s page, and the agency sends the response back to the merchant with the authorization information. This way the merchant doesn’t know the customer’s credit card number.

However one has to check carefully the software that implements this feature, because poorly written code for redirection may expose the merchant’s ID or allow the customer to change the amount of the transaction in the request.