E-commerce and your site’s payment security

Monday, January 19th, 2009

In a previous post I addressed the topic of online payments and how they’re processed. Today I’d like to address the security of your E-commerce site’s payment transactions in a bit more detail.

A surprising number of small businesses avoid E-commerce (which could prove very profitable for them) because they believe credit card information submitted via the Internet can be easily compromised. Nothing could be further from the truth. In fact, if your E-commerce is properly implemented by a skilled developer, your customers are safer using an online interface than they are handing their card over to the staff at their local coffee-stop.

Here’s a quick little tale of credit card woe. A few years back The Missus and I traveled to Guatemala City. Shortly after we returned from our trip, several charges dated after our departure appeared on my card statement. During the entire trip I had allowed my credit card out of my sight on only one occasion - when I paid the bill after we had dined at an American-based chain restaurant (a Chili’s in this case) near the hotel. Obviously, in the three minutes my card and I were separated somebody had made use of the local photocopier. Ugh.

It was easy enough to sort things out on my end - the re-entry stamp on my passport was handy proof that I wasn’t in Guatemala when the charges were made - but it’s an example of something that can happen to any card-holder any time they hand their card over to another person for payment.

The singular vulnerability in the payment process - another person - is eliminated entirely under the automated payment processing model used in secure E-commerce. Payment gateway services like Authorize.net directly capture your customers’ credit card information. This means that their payment information never resides on your web site at any time, which in turn means that an unauthorized administrative login or a data security breach of your site can never expose your customers to fraudulent charges on their accounts.

Of course, in order to take advantage of this extraordinary security, your site has to be designed to use secure automated payments. That sounds like a no-brainer, but over the years I’ve come across an unsettling number of small business web sites that have no secure features on them at all. They have no security certificate, so credit card information is transmitted unencrypted and ‘in the open’. They keep the credit card information in a database on their web server and use the information to run a manual charge to the account using their point-of-sale system.

Not surprisingly, these unsecured web stores seldom see much in the way of sales. Online shoppers are increasingly security-aware and few of them, if any, will type in their credit card information unless they see that little security ‘lock’ icon appear at the bottom of their browser window.

Maintaining credit card information of any kind on your store’s web server is a grave financial liability for your business. I understand that for many businesses and small web sites the extra expense of a gateway account (in addition to their point-of-sale account) can be a nuisance. But when you consider that a single compromised credit card number could cost your business thousands of dollars, $20 a month or so looks like very cheap insurance.
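The two models described above (card numbers kept on the store's own server versus a gateway that captures the card and hands the store only a transaction reference) side by side, as an added example that is not part of the original post. The gateway here is a mock, an assumption standing in for a hosted service; it is not Authorize.net's API. The `audit_store` function is the check a store owner can run against their own database or logs to confirm that no card numbers are actually being kept, and `checkout_url_ok` is the minimal test for the "no certificate" problem: the page the customer types a card into has to be served over TLS.

```python
import re
import sqlite3

# --- Detection helper: find card numbers (PANs) in data the store persisted ----
# 13..19 digits, optionally separated by spaces or hyphens, not part of a longer run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; every real card number passes it, which filters out
    order numbers and timestamps that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list[str]:
    """Return Luhn-valid card numbers found in free text (DB dumps, log lines)."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits

# --- Shared store database (constructed, in memory) ----------------------------
def make_store_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (order_id TEXT, amount_cents INTEGER, payment_ref TEXT)")
    return db

# --- Model 1 (what the post warns against): the store keeps the card number ----
def checkout_storing_card(db, order_id: str, amount_cents: int, card_number: str) -> None:
    """Insecure: the PAN is written to the store's own database so that a
    manual charge can be run later on a point-of-sale terminal."""
    db.execute("INSERT INTO orders VALUES (?, ?, ?)", (order_id, amount_cents, card_number))
    db.commit()

# --- Model 2: a hosted gateway captures the card; the store keeps a reference --
class MockGateway:
    """Stand-in for a payment gateway (assumption; not a real gateway API).
    Only the gateway ever sees the card number."""
    def __init__(self) -> None:
        self._n = 0

    def charge(self, card_number: str, amount_cents: int) -> str:
        if not luhn_ok(card_number):
            raise ValueError("declined")
        self._n += 1
        return f"txn-{self._n:06d}"   # opaque reference handed back to the store

def checkout_via_gateway(db, order_id: str, amount_cents: int, gateway_txn_id: str) -> None:
    """The store records the gateway's transaction id and nothing about the card."""
    db.execute("INSERT INTO orders VALUES (?, ?, ?)", (order_id, amount_cents, gateway_txn_id))
    db.commit()

# --- Defender's checks ---------------------------------------------------------
def audit_store(db) -> list[str]:
    """Scan every value the store persisted for card numbers; an empty list
    means a database breach cannot expose customers' cards."""
    rows = db.execute("SELECT order_id, amount_cents, payment_ref FROM orders").fetchall()
    return find_pans("\n".join(str(v) for row in rows for v in row))

def checkout_url_ok(url: str) -> bool:
    """The checkout page must be served over TLS, otherwise the card travels in the clear."""
    return url.lower().startswith("https://")

if __name__ == "__main__":
    CARD = "4111111111111111"   # constructed test number, Luhn-valid, not a real account

    bad = make_store_db()
    checkout_storing_card(bad, "A-1001", 4999, CARD)
    print("card numbers found in insecure store:", audit_store(bad))

    good = make_store_db()
    txn = MockGateway().charge(CARD, 4999)   # performed by the customer's browser, not the store
    checkout_via_gateway(good, "A-1002", 4999, txn)
    print("card numbers found in gateway-backed store:", audit_store(good))

    print("http checkout acceptable:", checkout_url_ok("http://shop.example/checkout"))
```

In the gateway model the only thing worth stealing from the store's database is a transaction id, which is useless without the gateway account credentials; the audit scan is the same check worth running periodically over web-server and application logs, since card numbers also leak through request logging.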