Credit Card Fraud Alert


I had a suspected credit card fraud attempt on my site this past week that has prompted this week's articles. A customer accidentally subscribed to the site twice. I sent an e-mail to her as soon as I noticed it, to verify in fact that it had been a mistake, prior to issuing a credit on her credit card. I received the following e-mail message back from an entirely different e-mail address:

"I am writing you because I have reason to believe this computer, has opened an account or false account under a factious name, if so I need you to send me all of the info. as to date and times my name is XXXXXX at ( I believe there is a problem and I intend to turn it over to the police for unlawful use of this computer, I am the owner and this is my account thank you"

I replied that I would not divulge my customer's credit card data without verification that it was in fact her. The customer verified that she had never heard of the person who had replied or did not know anyone with that e-mail address. It appears to me that somehow, someone had "sniffed" out the e-mail message and attempted to obtain the credit card information to attempt credit card fraud. No damage was done in this case, as the original transaction had occurred via encrypted transmissions, and I had not revealed any confidential data in the unprotected message.

Nonetheless, it is scary, And that is why I bring you a story today addressing credit card fraud - from the visitors' and the merchants' point of view. I hope it is useful to you.

How To Provide Secure Transactions For Your Online Customers
Many people are still concerned about the security of their personal and credit card information on the Internet. The Small Business Computing magazine (citing a study conducted by Find/SVP, a New York based market research firm) said that:

"the dirty little secret about Web commerce: 92 percent of all Internet transaction are actually processed manually - that is, off line. And most visitors to commercial sites do a lot more browsing than they do buying. Studies show that 91 percent of consumers are concerned about Internet security, and only 27 percent of regular Internet users have made online purchases in the last 12 months..."

These figures are now out of date, but they highlight the need to:

1. Provide multiple means for our customers to buy our products or services, and

2. Reassure our customers of the security that now exists in purchasing online.

The publicity of very few publicized incidents has caused online users to be far more concerned than is warranted, but perception is reality, so we need to deal with it. Actually, it is far easier for someone to steal your credit card information offline, by picking up your credit card receipt from the trash bin at the gas station, for example, as you casually through it away or digging through restaurant trash bins.

Secure forms via SSL are used to provide the security needed to reassure customers. They allow your customers privacy and piece-of-mind when completing a credit card transaction or transmitting personal information. They are a must for commerce enabled sites. The industry standard method of secure forms is to have the communication encrypted by SSL (Secure Sockets Layer). SSL encodes or "encrypts" the information in the customer order form into an untranslatable code, which, if somehow intercepted by some third party while traveling between the customer's browser and the web site server, would not be readable. Sometimes you will hear of this technology as providing a "secure gateway". Secure forms via SSL may be available through your web host. If not, you can obtain them from outside vendors. You simply link to the forms residing on a server completely separate from the one hosting your existing web site. When the visitor is in the secure area, they will know that because the little closed lock or key shows at the lower right of their browser window.

Some hosts offer three different types of SSL security - Virtual SSL, Verisign Authentic, and Thawte Authentic SSL. With Virtual SSL, the secure part of your web site would actually use the web host's SSL certificate. Some web hosts charge extra for this service while some others do not. First, it is important to understand that SSL is assigned to a single domain name. Using a virtual SSL, the web location would momentarily relocate to the web host's domain for the secure portion of the transaction and then return once the transaction was complete. To make orders through your form secure, simply point to the order form through the web host's server. You will need to ask your hosting company for the specific URL to use. Note that your customer may notice that he or she is no longer at your site, but at your host's site. If this happens only at your order form, this is probably not very important. However, if you wish to collect information at other points of your site, such as a registration form, when your relationship may not yet be cemented, you may not want your visitor wondering about what is happening. The certificate authority ("CA") will charge you for the certificate. In addition, your web site host may charge you to install the certificate, test and maintain it.

The preferred alternative is to obtain an Authentic SSL - your own SSL certificate obtained from a certificate authority. The certificate authority ("CA") will charge you for the certificate. In addition, your web site host may charge you to install the certificate, test and maintain it.

Secure Electronic Transaction protocol[/heading] Banks and card issuing authorities use an encryption system known as SET. SET is the Secure Electronic Transaction protocol developed by Visa and MasterCard to enable secure credit card transactions on the Internet. SET uses digital certificates to validate the identities of all parties involved in a purchase and encrypts credit card information before sending it across the Internet.

Encrypted E-mail
An alternative to either SSL or SET to be able to securely order online would be encrypted e-mail messages. Pretty Good Privacy (PGP) encryption is an emerging possibility, but is not convenient to use and able to be used with any e-mail program. Maybe it will become more widely accepted, but I doubt it, with credit card purchasing via secured forms becoming more widely accepted by the customers all the time.

In my next article I’ll show you 11 Ways to Protect Your Business From Online Credit Card Fraud…