I had to chuckle recently. A potential Plus Edition subscriber sent me an e-mail message asking if he could call me on the telephone to give me his credit card information for a subscription to the Plus Edition newsletter. I replied "Certainly" and I sent along my phone numbers. However, I also asked "Why won't you use the online signup form?" He replied, "I don't want to enter my credit card information on the web. I am afraid it will get stolen."
Maybe it is time to give an introductory course in credit card safety.
I think I am qualified as I spent three years managing the customer service department of a company whose sole offering was providing credit card services to online merchants. I spent hours every day helping our customers install credit card processing software on their web servers and also educating the same merchants on the details of online credit card processing.
Apparently my recent e-mail correspondent did not understand or perhaps didn't even know about SSL encryption, which is required for use on online credit card transactions. He apparently did not know that his credit card information would be encrypted on his computer before being sent across the Internet. He would be using the same security technology that banks, stock brokerages, the Federal Reserve System, and others use to move billions of dollars every day. Use of SSL technology and credit cards is even safer than using cash or written checks. In short, there is nothing safer.
Next, did my would-be subscriber guess what happened when he called me and gave me the credit card numbers? He probably didn't realize that I would open a web browser and make an encrypted connection to the newsletter's web site and enter the information online for him. (Gasp!) Yes, his credit card information would move across the Internet, using the same security technology that he already had on his own computer.
Next, I suspect he doesn't understand what happened last week when he used his credit card at a gas station or at a restaurant, a convenience store, the barbershop, or the florist. Each of those companies gathered his personal information, including his credit card number. Perhaps they swiped his credit card automatically using a small device attached the cash register. What happened next? You guessed it! The restaurant's or store's computer immediately sent the credit card information across the same Internet that you and I use. His credit card information was sent to a credit card clearinghouse, using the same security technology that we all have installed in our web browsers.
Large businesses, such as major department stores, usually have their own private networks that do not use the general-purpose Internet. Almost all smaller merchants, including restaurants, gas stations, convenience stores, barber shops, florists, muffler shops, dry cleaning services and others use the same Internet that you and I use every day. They use the same security technology that is in all web browsers to safely send credit card information across the Internet.
If you have already used your credit card several times in person at various restaurants, stores, gas stations, or other merchants, your credit card information has already traveled across the Internet multiple times, even if you do not own a computer! Such transactions are safe, secure, and are trusted by security experts everywhere.
The myth that "credit cards are not safe for use on the web" continues to linger, despite the education efforts of credit card companies everywhere. It's time to stamp out this fictitious "urban legend."
For more information, look at:
VISA's security statement at http://tinyurl.com/ygpocm. Here is an excerpt:
"Use your Visa card to shop online, in a store, or anywhere, and you're protected from unauthorized use of your card or account information. With Visa's Zero Liability policy*, your liability for unauthorized transactions is $0-you pay nothing."
MasterCard's security statement at http://www.mastercard.com/us/personal/en/securityandbasics/peaceofmind.html. Here is an excerpt:
"Your MasterCard® card is protected from fraud and unauthorized charges in ways that are not available with other forms of payment. As a MasterCard cardholder, you are not responsible for unauthorized purchases charged to your account. The MasterCard Zero Liability coverage extends to purchases made in a store, over the telephone, or on the Web.'
American Express' security statement at http://tinyurl.com/8m4o5. Here is an excerpt:
"Our Fraud Protection Guarantee means you won't be held responsible for any fraudulent charges when you use your American Express Card. No fine print, no deductible-just pure protection so you can shop with confidence anywhere online or off."
Discover Card's security statement at http://www.discovercard.com/discover/data/faq/online_security.shtml. Here is an excerpt:
"Our $0 Fraud Liability Guarantee ensures that you're never responsible for unauthorized usage of your Discover Card."
All the major credit card companies guarantee that you will never lose a penny in case of online or offline fraud or theft. That's right: they GUARANTEE your credit card safety. Next, your credit card information has already moved across the Internet multiple times, even if you do not own a computer.
Let's compare this to sending a check in the mail. Unlike credit cards, most checks are not protected from fraud or unauthorized use. If the check you send gets stolen in the mail and deposited into some crook's bank account, you lose the money! Next, ask anyone at the post office about stolen checks. The truth is that hundreds of checks get stolen from mailboxes every day.
If you are worried about the safety of paying bills, make sure that you always pay bills with a credit card or via a "pay your bills online" system, never with a paper check. Again, credit cards are protected from fraud and unauthorized use while paper checks usually are not. It makes no difference whether you use a credit card in person or online, the end result is the same: your credit card information will always be transferred online to the credit card companies in a safe and secure manner that is protected from thieves and rip-off artists. The credit card companies guarantee your transaction is safe from thieves and rip-off artists.
Now, can we kill this myth about the online use of credit cards?
While SSL secures a transaction with encryption, it does nothing to secure the use of the information once it reaches its destination. Using a credit card on a web site you do not know or trust is much like using it in a restaurant you do not know or trust (an unscrupulous web site employee, just like an unscrupulous restaurant employee, could copy and use your information. All that said, I do use credit cards online, but only with reputable businesses. It's not that I worry about my financial liability (I'm not, as the card companies take the liability as mandated by law). It's just to reduce the risk of having to deal with the consequences of fraudulent use or identity theft (which, by the way, could also result from sending it to a web site whose computers are compromised with malware). And certainly you must be alert to phishing and other credit card scams. There are a million ways your credit card information could be stolen, but using a credit card in a secure SSL transaction with a reputable business is probably among the least of your worries.
Posted by: Infinite Ancestors | January 16, 2007 at 06:28 PM
Here are some protection tips from the FTC (along with the legal requirements, which most credit card companies take further):
http://www.ftc.gov/bcp/conline/pubs/credit/atmcard.htm
Be a little more careful with ATM / debit cards. There are exceptions that could be important (and you certainly don't want your PIN compromised)...
Visa:
"*Covers U.S. issued cards only. Visa’s Zero Liability Policy does not apply to commercial credit card, or ATM transactions, or PIN transactions not processed by Visa. Notify your financial institution immediately of any fraudulent use."
MasterCard:
"* Zero Liability does not apply to MasterCard-branded cards issued
to an entity other than a natural person or primarily for business, commercial, or agricultural purposes, except the following card programs for small businesses:
Debit MasterCard BusinessCard® Card
MasterCard BusinessCard® Card
MasterCard Executive BusinessCard® Card
MasterCard® Professional Card
MasterCard® Small Business Multi Card
outside of the U.S. region, or
if a PIN is used as the cardholder verification method for the unauthorized transaction(s)."
Posted by: Infinite Ancestors | January 16, 2007 at 06:43 PM
I had an online client who refused to purchase a book from amazon.com "I'm *not* going to open myself up to identity theft!" he said. Now I have an article to refer the next person to. Thanks.
Posted by: Jude | January 16, 2007 at 07:10 PM
There can be a problem if the company you're dealing with uses their own systems to take your credit card details - then passes them on to the credit card company for payment. In this case, there are no such guarantees that your details are being stored securely on the vendor's systems. However, if the vendor is a large company that you've heard of before, with a good reputation to uphold, you're probably safe since they should have the resources to ensure that the security of their systems is never compromised.
If you want to purchase something over the web from a smaller vendor, or from one that you've never heard of before, the best approach is to ensure that they use one of the specialist online credit-card payment sites such as WorldPay or PayPal to take your credit card details on their behalf.
The vendor's site should redirect you to the secure payment site - the vendor only gets confirmation from the payment site that the payment has been authorised - allowing the vendor to dispatch the goods ordered without dealing with any credit card details or money at all. The payment site will generally settle up with the vendor after a number of weeks.
As a customer, this approach also means that you have the security of a reputable third-party to contact if, in the unlikely event, you need to query a payment. They can refund you your money directly and even stop the vendor from taking further payments if they appear to be acting fraudulently.
Posted by: Past Homes Ltd | January 17, 2007 at 04:39 AM
One important note: it can be quite easy to steal credit card info from your PC BEFORE it gets to the internet. I agree with everything you've said, but with the caveat that the user also needs an up-to-date version of Norton, McAfee, or other virus scanning software. A Trojan can record keystrokes before any information is encrypted and sent on its way.
Posted by: David | January 17, 2007 at 07:54 AM
One time we heard our neighbor talking on their cordless phone thru our baby monitor. If you have a cordless phone, even if you are not using it, your conversation can be intercepted (yes some phones do encrypt the signal.) This is probably less secure than sending it over the internet.
Also, if you use the internet to send info, your wireless network should be secure. Of course if your wireless network is not secure, you might as well leave your doors wide open.
Posted by: Pete Fear | January 17, 2007 at 08:59 AM
Credit card numbers are much more likely to be stolen by somebody to whom you have handed your card (or to whom you have read the number over the telephone) than when used online. This being said, keep in mind all of the caveats about dealing with reputable merchants and keeping your own PC malware-free.
Posted by: acrawfordiii | January 17, 2007 at 10:49 AM
Your article is dripping with characteristic, mean-spirited and unkind condescension. Since when is it a crime to fail to understand the details of modern technology? Get off your high horse and put yourself in grandma's shoes - at least do her the favor of explaining how to tell when her web browser IS using a secure, encrypted connection.
Posted by: securitydept | January 17, 2007 at 10:59 AM
Didn't think you were condescending at all, Dick.
Good article. I use my credit (not debit) card for everything, for the reasons mentioned by you and the other posters, and also because if there is a dispute, the credit card company will support you. I am a big internet shopper and have never had a problem.
The only time I've ever had my credit card used fraudulently was in Madrid when I handed my card to a flower vendor and he went into the back room to process our order. He ran the card several times. The credit card company gave me a tip: Always watch the vendor run your card, particularly when traveling abroad.
Checks: My daughter had checks stolen and lost about $200 (a lot for a struggling college student) which her bank refused to reimburse her for.
Posted by: soccermom | January 17, 2007 at 12:04 PM
"dripping with characteristic, mean-spirited and unkind condescension"? I'm not sure how you got that out of it, but it is unlikely that there is anyone who has not been told by someone at some time that using a credit card online is safe.
Here you go: if there is a closed lock symbol in one of the browser window corners you have a secure connection. There will also often be a logo from Verisign or other SSL provider.
Funny how in your rant about grandma, you didn't say how to tell if your connection is secure either.
It should be pointed out that most phone calls, regardless of whether it is a cell phone, cordless phone, or otherwise, is transmitted. Even if your cordless phone encrypts the signal from the handset to the base, it will be transmitted later without encryption. The larger the city you live in, the more likely that even local calls are transmitted. Voice telephone is one of the least secure methods of doing anything; never give any personal information over the phone.
Posted by: Tim | January 17, 2007 at 04:09 PM
A few months ago, in a 'news-magazine' type show John Stassel (sp?) cited information about on-line sales and reported that the credit card companies reported on-line purchases as the market segment with the least fraud. I don't recall how many other segments were named but it was of interest to me because this is a point of difference between me and me ex-wife. We both work with computers. I pay everything on-line except church donations. She will use any means available to avoid an on-line debit/credit card transaction.
While it is theoretically possible to break any encryption if you have enough samples there is still a cost to doing it and the cost to break your average citizen's card number security is just not worth it.
Posted by: Lorin Lund | January 17, 2007 at 09:54 PM
To the person using the pseudonym of securitydept: I think you are being very hard on Mr. Eastman. I read the article twice, the second time after reading your comments. I do not find the article to be the least bit condescending.
I also object to your derogatory use of the word "grandma." I am a grandmother. I also was a software developer for over thirty years. I also shop online a lot and I investigated the security of online transactions long before this article was written. Everything that Mr. Eastman wrote agrees with what I have read elsewhere, including information found on the web sites of the credit card companies.
I'd suggest that everyone, grandmothers and all others alike, should be encouraged to read this article.
Posted by: jenniferw | January 17, 2007 at 10:06 PM
I just had my Mastercard cc number stolen and now have to be issued a new card. The only purchases I have made in the past two months were with Amazon and my automatic deduction from AOL. Hmmmmmm
In October my Visa card number was stolen by a low-paid hotel employee and $1100 of Tracphones were purchased with it. I had to get a new card for that one too. The thing that sucks about this is that you lose internet access to these accounts as soon as they close them. You have to call (and remember the old numbers) to get any reprints of statements.
Posted by: Marilyn | January 19, 2007 at 01:34 AM
That is very funny, I do the same thing to clients that don't 'trust' the online form. Open the same browser they would and enter the order.
I hear also that there are some options to purchase pre-paid credit cards to help alleviate fraud. It gives you a bit of control over how much is available to steal.
Posted by: Quote Catcher Credit Card Processing | August 07, 2008 at 02:54 PM
One option is very simple but not many people think of it: use PayPal. When you pay online with PayPal, you never enter a credit card number. Therefore, nobody can steal the number from that transaction.
Details are available at https://www.paypal.com/us/cgi-bin/webscr?cmd=xpt/cps/securitycenter/buy/Privacy-outside
I am always amazed that a lot of people do not like PayPal and yet it has excellent security, better than most credit cards.
- Dick Eastman
Posted by: Dick Eastman | August 07, 2008 at 05:03 PM
I have been using credit cards and a avid online shopper. In case of a wrong doing or fraud the credit card companies do help and they can be your best bet in case of someone wanting to steal your hard earned money.
Posted by: Web Designing Quotes | April 14, 2009 at 05:45 PM