Payments on the Internet
Most online purchases are paid for with a credit card. Merchants like credit card payments because an instant authorization confirms that the card is valid and that the amount is available (as opposed to a check, which may bounce). Customers like paying by credit card because they can dispute a charge if they do not receive the products or services they agreed to buy.
While some credit card payments for online services are made by phone, most are made by filling in an online form.
The card information submitted by the customer is sent (through the merchant's payment processor) to the bank that issued the card, which verifies it and approves or declines the charge.
If the transaction is approved, the merchant notifies the customer that the order has been placed. The actual transfer of money from the issuing bank to the merchant's account (settlement) may take a few hours, or even a few days.
Merchants who accept credit card payments pay a fee (between 1 and 7 percent of the charge) for each card charge. In addition, some merchants pay an authorization fee for each authorization attempt, successful or not, as well as other fees related to card processing.
If a customer is not satisfied with the product or service, or for other reasons, the merchant may issue a refund to the customer's account. If the merchant does not, the customer can dispute the charge with the issuing bank, which may reverse it through a charge-back; a charge-back is initiated by the cardholder's bank, not by the merchant.
Technical Issues
There are several technical issues involved in online credit card payments; they are described below.
Quick Check for Typos
Since the merchant may be charged for each authorization attempt, it is worthwhile to check that the card number makes sense before sending it to the issuing bank for authorization.
There is an easy algorithm for this, the Luhn check: the last digit of the card number is a check digit computed from the other digits by a simple procedure. Starting from the rightmost digit, every second digit is doubled (and 9 is subtracted from any doubled value above 9); the number is well formed when the sum of all the resulting digits is divisible by 10.
The algorithm is public, so it can only catch typos and reject random garbage; it says nothing about whether the number has actually been issued or whether the account is in good standing. A random string of digits passes the check one time in ten.
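The check described above, as an added example (not code from the original page). It validates a number, computes the check digit for a payload, and counts how many arbitrary digit strings pass, which makes the "one in ten" limitation concrete. The sample numbers are constructed test values, not real cards.

```python
# Added example: the Luhn check digit used on payment card numbers.
# Illustrative code, not from the original page.

def luhn_sum(digits: str) -> int:
    """Luhn weighted sum over a string of digits, check digit included.

    Counting from the right (position 0), every digit at an odd position
    is doubled; a doubled value above 9 has 9 subtracted, which equals
    adding its two digits together.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_valid(number: str) -> bool:
    """True when the number (spaces and dashes ignored) passes the check."""
    digits = "".join(ch for ch in number if ch not in " -")
    if not digits.isdigit() or len(digits) < 2:
        return False
    return luhn_sum(digits) % 10 == 0


def luhn_check_digit(payload: str) -> str:
    """The digit that must be appended to payload so that the result passes."""
    # A placeholder 0 at the end gives the payload digits their final weights.
    return str((10 - luhn_sum(payload + "0") % 10) % 10)


def share_of_numbers_passing(width: int = 4) -> float:
    """Fraction of all width-digit strings that pass: exactly one in ten,
    because for every prefix exactly one check digit works."""
    total = 10 ** width
    passing = sum(1 for n in range(total) if luhn_valid(str(n).zfill(width)))
    return passing / total


if __name__ == "__main__":
    # Constructed test values (the second is a well-known textbook example).
    for candidate in ("4539 1488 0343 6467", "79927398713", "79927398714"):
        print(candidate, "passes" if luhn_valid(candidate) else "fails")
    print("check digit for 7992739871:", luhn_check_digit("7992739871"))
    print("share of random 4-digit strings passing:", share_of_numbers_passing(4))
```

The check catches every single-digit typo and every swap of two adjacent digits except 09 and 90, which is exactly the error class a merchant wants to filter out before paying for an authorization; it is not, and cannot be, evidence that the card exists.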
Authenticating the User — Protection from Customer Fraud
Since the card is not physically present during the transaction, it is practically impossible for a merchant to distinguish a legitimate cardholder from a thief. In online transactions the user is therefore asked to provide additional information, such as their address and phone number, and the card's billing address if it differs from the shipping address; the billing address can be compared with the one the issuing bank has on file (the card networks call this an Address Verification Service).
However, this information is easily mistyped. In a telephone transaction an operator can use judgment to approve or reject a transaction based on how much of the information matched and how confident the customer sounds; in an online transaction the level of tolerance for typos and partial matches must be set automatically, by rules in the merchant's software.
Another way of checking that the customer actually holds the card is to ask for the card security code: the extra digits printed on the card that appear neither on the magnetic stripe nor on a carbon imprint of the card. However, online customers may be reluctant to provide this information for fear of merchant fraud (see below) or of eavesdropping. A merchant who collects the code may use it for the authorization only; it must never be stored afterwards, in any form, which is one of the requirements of the card industry's PCI DSS rules.
Protecting Card Numbers in Transmission
Since the information transmitted in an online transaction is sufficient to get a charge approved, it is essential that it be protected from eavesdropping. The most common way to do this is to encrypt the data in transit, which is done with SSL (today its successor, TLS, which the user sees as an https:// address). However, many online businesses do not use SSL when transmitting card numbers and other customer information, or do not make it the default for such transmissions. Capturing card information sent in plain text (in an e-mail message or through an unencrypted form) is entirely possible, although at the time this was written no case of a card number stolen this way was known. That observation is dated: sending card data over an unencrypted connection is now prohibited for merchants by PCI DSS, and a form that accepts card numbers over plain HTTP should simply not exist.
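One way to make encryption the default rather than an option, as an added example (not code from the original page): a WSGI middleware that never serves or accepts the card-entry page over plain HTTP. The host name shop.example, the HSTS lifetime and the checkout page are assumptions for the example.

```python
# Added example: refuse to handle card-entry pages over plain HTTP.
# Illustrative code, not from the original page.
from urllib.parse import quote

CANONICAL_HOST = "shop.example"   # assumed merchant host; never echo the Host header
HSTS_VALUE = "max-age=31536000; includeSubDomains"


def require_https(app, trust_forwarded_proto=False):
    """Wrap a WSGI app so that it is only reachable over HTTPS.

    - GET/HEAD over HTTP is redirected to the same path on https://.
    - Any other method over HTTP is refused: the request body (possibly a
      card number) has already crossed the network in clear text, and a
      redirect would only invite the browser to send it again.
    - HTTPS responses carry Strict-Transport-Security so the browser will
      not try plain HTTP next time.
    trust_forwarded_proto must be True only behind a TLS-terminating proxy
    you control (assumption for this example), otherwise a client could
    claim "https" in the header and skip the check.
    """
    def wrapped(environ, start_response):
        scheme = environ.get("wsgi.url_scheme", "http")
        if trust_forwarded_proto and environ.get("HTTP_X_FORWARDED_PROTO"):
            scheme = environ["HTTP_X_FORWARDED_PROTO"]
        if scheme != "https":
            if environ.get("REQUEST_METHOD", "GET") not in ("GET", "HEAD"):
                start_response("403 Forbidden", [("Content-Type", "text/plain")])
                return [b"Card data is only accepted over HTTPS.\n"]
            location = "https://%s%s" % (CANONICAL_HOST, quote(environ.get("PATH_INFO", "/")))
            query = environ.get("QUERY_STRING", "")
            if query:
                location += "?" + query
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def start_response_with_hsts(status, headers, exc_info=None):
            headers = list(headers) + [("Strict-Transport-Security", HSTS_VALUE)]
            return start_response(status, headers, exc_info)

        return app(environ, start_response_with_hsts)
    return wrapped


def checkout_form(environ, start_response):
    """Stand-in for the merchant's card-entry page (constructed for the example)."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<form method=post action=/pay>... card fields ...</form>"]


def run(app, environ):
    """Call a WSGI app directly and return (status, headers, body) for inspection."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


secure_checkout = require_https(checkout_form)

if __name__ == "__main__":
    # Constructed requests: plain-HTTP GET, plain-HTTP POST of card data, HTTPS GET.
    for env in ({"wsgi.url_scheme": "http", "REQUEST_METHOD": "GET", "PATH_INFO": "/checkout"},
                {"wsgi.url_scheme": "http", "REQUEST_METHOD": "POST", "PATH_INFO": "/pay"},
                {"wsgi.url_scheme": "https", "REQUEST_METHOD": "GET", "PATH_INFO": "/checkout"}):
        status, headers, _ = run(secure_checkout, env)
        print(env["wsgi.url_scheme"], env["REQUEST_METHOD"], "->", status, headers)
```

The redirect does not protect data that was already sent; its job is to make sure the form the customer fills in was delivered over HTTPS in the first place, so that the browser submits it over HTTPS too.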
Protecting Card Numbers on the Merchant's Site
In practice, the main vulnerability in handling card numbers is not transmission but storage. Security experts agree that storing card numbers at the merchant's site is risky and should be avoided; when the card is charged only once, the number should be discarded as soon as the authorization is done. If card numbers must be stored (for recurring billing, say), they should be kept on a separate, hardened machine, encrypted, with the key held apart from the data. They should never be stored in a database that is even partially accessible to customers, nor (in any form) on the web server itself.
It is the merchant's responsibility to protect customers' information from fraud. An e-commerce web site that fails to protect confidential customer information may suffer large losses, including the loss of its customers' trust.
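The design the two preceding sections argue for, as an added example (not code from the original page): the web tier never keeps a card number, only an unguessable token and a masked form, and the security code is used for the authorization and then dropped. The CardVault class is an in-memory stand-in for the separate hardened machine (or a payment processor's tokenization service) and is an assumption of this example; so are the card number and the order used as input.

```python
# Added example: keep card numbers off the web tier.
# Illustrative design, not code from the original page.
import re
import secrets


def _strip(pan: str) -> str:
    return re.sub(r"[ -]", "", pan)


class CardVault:
    """Stand-in for the separate hardened host that alone holds card numbers.

    In production the numbers would be encrypted at rest with a key that never
    leaves this host (or the vault is the processor's tokenization service).
    The web tier can only ask for a token and ask for a charge by token.
    """

    def __init__(self):
        self._by_token = {}

    def tokenize(self, pan: str) -> str:
        pan = _strip(pan)
        if not (13 <= len(pan) <= 19 and pan.isdigit()):
            raise ValueError("not a card number")
        token = "tok_" + secrets.token_urlsafe(18)   # random; carries no card data
        self._by_token[token] = pan
        return token

    def charge(self, token: str, amount_cents: int, security_code: str) -> dict:
        """Use the stored number on the vault side only. The security code is
        passed through for the authorization and is not retained anywhere."""
        pan = self._by_token[token]                  # KeyError for an unknown token
        # A real vault would forward pan, security_code and amount to the processor here.
        return {"approved": True, "amount_cents": amount_cents, "last4": pan[-4:]}


def mask_pan(pan: str) -> str:
    """The most the web tier may keep or display: first six and last four digits."""
    pan = _strip(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def place_order(web_db: dict, vault: CardVault, order_id: str,
                pan: str, security_code: str, amount_cents: int) -> dict:
    """Web-tier order handling: authorize, then store only a token and a mask."""
    token = vault.tokenize(pan)
    result = vault.charge(token, amount_cents, security_code)
    record = {
        "order_id": order_id,
        "card_token": token,          # reference for refunds or re-billing
        "card_masked": mask_pan(pan), # for receipts and customer service
        "amount_cents": amount_cents,
        "approved": result["approved"],
    }
    web_db[order_id] = record
    return record


def web_db_contains(web_db: dict, secret: str) -> bool:
    """Audit helper: is the secret (a card number) stored verbatim anywhere?"""
    blob = repr(web_db)
    return secret in blob or _strip(secret) in blob


if __name__ == "__main__":
    vault, web_db = CardVault(), {}
    # Constructed input: a syntactically valid test number, not a real card.
    rec = place_order(web_db, vault, "o-1", "4539 1488 0343 6467", "123", 1999)
    print(rec)
    print("card number present in web database:", web_db_contains(web_db, "4539 1488 0343 6467"))
```

If the web server is compromised, the attacker gets tokens that are useless without the vault, and masked numbers that are not enough to authorize a charge; refunds and repeat billing still work through the token.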
Protecting From Merchant Fraud
The other side of protecting a merchant from customer fraud is protecting the customer from merchant fraud. If the merchant knows enough of the customer's card information to authorize a transaction, then the merchant (and many of the merchant's employees) know enough to use the card themselves. In most cases the merchant's highest priority is to protect the reputation of the business and their own, and fraud is not in the merchant's interest. However, there are exceptions: a desperate owner whose business is about to go broke, a disgruntled employee, or an online scam that uses a fake online business as a cover for collecting card numbers.
An online customer has to be careful not to become a victim of merchant fraud. Checking the site's SSL certificate (the name in the certificate must match the site's domain, and the browser must not warn about it) is one way to avoid sites that pretend to be part of a respected business but are not.
To verify that a business is legitimate, a customer may try calling its phone number or sending an e-mail. It is always important to check the card statement carefully and to investigate an unauthorized charge immediately (and possibly cancel the card if theft is suspected).
If a merchant runs a new business that has not yet earned customers' trust, they may want to let the customer submit the card number directly to a trusted agency (a payment processor) that authorizes the transaction. This is done by redirecting the user to a web page of the agency for payment.
An example of such a product is VeriSign PayflowLink. The customer enters the card information on the agency's page, and the agency sends the response back to the merchant with the authorization result. This way the merchant never sees the customer's card number.
However, one has to check carefully the software that implements this feature, because poorly written redirection code may expose the merchant's ID or allow the customer to change the transaction amount in the request. The merchant must never trust the amount, order number or status as they come back through the customer's browser: the parameters sent to the agency should be protected against tampering, and the result should be checked against the merchant's own record of the order before it is fulfilled.
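The two redirection styles side by side, as an added example (not code from the original page and not PayflowLink's actual interface): the vulnerable version passes the amount as a plain query parameter and believes whatever status the browser brings back; the hardened version signs the parameters with a secret shared with the agency, verifies the signed result, and compares the amount with the merchant's own order record. The secret, the agency URL, the merchant ID and the order are assumptions of the example.

```python
# Added example: tamper-resistant redirect to a hosted payment page.
# Illustrative scheme, not a real processor's protocol.
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

SHARED_SECRET = b"example-secret-provisioned-out-of-band"   # assumption
AGENCY_PAY_URL = "https://agency.example/pay"               # hypothetical hosted page
MERCHANT_ID = "shop123"                                     # assumption

# Constructed order store; the server-side record is the only source of truth.
ORDERS = {"A100": {"amount_cents": 4999, "currency": "USD", "fulfilled": False}}


def _query(url_or_qs: str) -> dict:
    qs = urlsplit(url_or_qs).query if "://" in url_or_qs else url_or_qs
    return {k: v[0] for k, v in parse_qs(qs).items()}


def sign(params: dict) -> str:
    """HMAC-SHA256 over the parameters in a canonical (sorted) order."""
    canonical = "&".join("%s=%s" % (k, params[k]) for k in sorted(params)).encode()
    return hmac.new(SHARED_SECRET, canonical, hashlib.sha256).hexdigest()


# --- vulnerable: amount travels unprotected, result is taken on faith -----

def vulnerable_redirect_url(order_id: str) -> str:
    o = ORDERS[order_id]
    return AGENCY_PAY_URL + "?" + urlencode(
        {"merchant": MERCHANT_ID, "order": order_id, "amount": o["amount_cents"]})


def vulnerable_handle_return(query_string: str) -> bool:
    q = _query(query_string)
    if q.get("status") == "approved":          # anyone can type this URL
        ORDERS[q["order"]]["fulfilled"] = True
        return True
    return False


# --- hardened: signed request, signed result, amount checked server-side ---

def signed_redirect_url(order_id: str) -> str:
    o = ORDERS[order_id]
    params = {"merchant": MERCHANT_ID, "order": order_id,
              "amount": str(o["amount_cents"]), "currency": o["currency"]}
    params["sig"] = sign(params)
    return AGENCY_PAY_URL + "?" + urlencode(params)


def agency_accepts(url: str) -> bool:
    """Agency side: reject a request whose parameters changed after signing."""
    q = _query(url)
    sig = q.pop("sig", "")
    return hmac.compare_digest(sig, sign(q))


def agency_result(order_id: str, amount_cents: int, status: str) -> dict:
    """Agency side: the result returned to the merchant, signed the same way."""
    r = {"order": order_id, "amount": str(amount_cents), "status": status}
    r["sig"] = sign(r)
    return r


def safe_handle_return(result: dict) -> bool:
    r = dict(result)
    sig = r.pop("sig", "")
    if not hmac.compare_digest(sig, sign(r)):
        return False
    order = ORDERS.get(r.get("order"))
    if order is None or r.get("status") != "approved":
        return False
    if r.get("amount") != str(order["amount_cents"]):   # our record, not the browser's
        return False
    order["fulfilled"] = True
    return True


def tamper_amount(url: str, new_amount_cents: int) -> str:
    """What a customer can do with a URL they were handed: edit the amount."""
    parts = urlsplit(url)
    q = _query(parts.query)
    q["amount"] = str(new_amount_cents)
    return parts._replace(query=urlencode(q)).geturl()


if __name__ == "__main__":
    print("forged return accepted by vulnerable code:",
          vulnerable_handle_return("order=A100&status=approved"))
    ORDERS["A100"]["fulfilled"] = False
    print("tampered signed request accepted by agency:",
          agency_accepts(tamper_amount(signed_redirect_url("A100"), 1)))
    print("genuine signed result accepted:",
          safe_handle_return(agency_result("A100", 4999, "approved")))
```

A signature alone does not stop a customer from replaying a genuine "approved" result for a second order of the same amount; in practice the order number is unique per order and already marked fulfilled, and the merchant can additionally confirm the payment with the agency directly rather than through the browser (not shown here).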