Security Issues

Security for Your Customers
Making your visitors feel comfortable enough at your site to give you their credit card number may take some work and planning on your part, but will be infinitely worth the effort. Not only will the appearance and professional design of your site have an impact, but also the security features you build into it. More web shoppers are wise to the ways of the Internet and know the things they should look for in a site before they enter their financial and personal information.

For instance, they know to look for the lock symbol at the bottom of the screen to signify that their information is being transmitted to a secure server. They also know that the more recognizable trusted names they see on your site, the better. Look at one of the larger well-known and trusted retailers such as L.L. Bean or Lands' End and see how their site security is put together and displayed. Let's look at some of the things you can do to create that trust in your site visitors.

Digital Security Certificates
Shoppers often look for a trusted third party (TTP) to approve your site and your methods. Companies like VeriSign can provide your site with a digital security certificate that attests that you are who you say you are. This helps visitors to your site have the confidence to become buyers and will often make a big difference in your perceived credibility. VeriSign also offers a program called WebTrust that was developed by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA). This program also provides you with a seal to display on your site if you meet the criteria, which include an evaluation of business, accounting, and transaction practices, as well as protection of consumer information. The VeriSign site states that, "more than 75% of online users have had a favorable impression of the WebTrust seal and that almost half of them report that seeing the seal would make them more likely to conduct an online transaction."

Another security watchdog organization is TRUSTe. TRUSTe sets policies for the use of personal information, as well as the protection of consumers. There are four TRUSTe seal programs:

  • Privacy Seal Program -- Companies that display the general TRUSTe logo have agreed to abide by special rules concerning the use of personal information.
  • TRUSTe's E-Health Seal Program -- If your site is health-related you should also investigate this program. It certifies that the site displaying the seal complies with specific principles concerning privacy, quality and best practices.
  • EU Safe Harbor Program -- This is a program designed for companies that do business in Europe and wish to comply with the Safe Harbor Privacy Framework put together by the U.S. Department of Commerce.
  • Children's Privacy Seal Program -- This program is compliant with the Children's Online Privacy Protection Act (COPPA) and has been approved by the FTC as an authorized COPPA safe harbor.

These TTPs control the use of their logos through the links embedded in them. For instance, the TRUSTe site has a notice for people who landed on the site as a result of clicking on the TRUSTe logo while on a shopping site. The notice says that anyone who arrived there that way may have come from a fraudulent site (the seal should link to a validation page, not to the TRUSTe home page) and gives them another link to report it.

Encryption and Secure Servers
Using SSL (Secure Sockets Layer), an encryption protocol, along with a digital certificate, provides protection for sensitive data during its transmission to your secure server. This encryption requires two keys. One is a public key, which your customer's browser uses to encrypt the data, and the other is a private key, which decrypts the data and is held only by you (or those you authorize). By using a digital certificate provider (like VeriSign), the holder of the decryption key is validated as the correct owner and can then use the data as they need. In this system, each player has access only to the information they need. The TTP (in this case, VeriSign) assures the shopper, through the digital certificate, that the web site is indeed who it says it is, and the shopper can buy with the knowledge and comfort that they aren't being scammed.
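The two-key scheme and the role of the TTP can be seen end to end in a few dozen lines. The following Go program is an added example written for this page; it is not code from the article or from VeriSign. It plays the TTP (a root certificate that signs a site certificate), the merchant (the private key), and the shopper's browser (which checks that the certificate chains to a trusted root and names the host that was typed in, then encrypts with the public key from the certificate). The host name "shop.example", the CA name and the sample plaintext are constructed. One simplification to keep the two-key idea visible: a real SSL/TLS session uses the public key only to protect a per-session key and then encrypts the order data with a fast symmetric cipher, whereas this example encrypts the data directly with RSA-OAEP.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Site is what the merchant holds: the certificate the TTP issued, the private
// key that never leaves the server, and the TTP's root (which browsers trust).
type Site struct {
	Cert *x509.Certificate
	Key  *rsa.PrivateKey
	CA   *x509.Certificate
}

// makeCert signs tmpl with issuerKey. When parent == tmpl the certificate is
// self-signed (our stand-in for the TTP's root); otherwise it is issued by parent.
func makeCert(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, issuerKey *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, issuerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Setup plays the TTP and the merchant: it creates a root CA and issues a
// certificate for host (constructed name, e.g. "shop.example").
func Setup(host string) (*Site, error) {
	now := time.Now()
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example TTP Root (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	ca, err := makeCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	siteKey, err := rsa.GenerateKey(rand.Reader, 2048) // the merchant's private key
	if err != nil {
		return nil, err
	}
	siteTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // the name the browser will compare against
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	cert, err := makeCert(siteTmpl, ca, &siteKey.PublicKey, caKey) // signed by the TTP
	if err != nil {
		return nil, err
	}
	return &Site{Cert: cert, Key: siteKey, CA: ca}, nil
}

// VerifySite is the browser's side: the presented certificate must chain to a
// trusted root and must name the host the shopper typed in. A nil root list
// models a browser that does not trust the issuer.
func VerifySite(cert *x509.Certificate, trustedRoots []*x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	for _, r := range trustedRoots {
		pool.AddCert(r)
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// EncryptForSite uses the public key carried in the certificate: anyone can
// encrypt, only the holder of the matching private key can read the result.
func EncryptForSite(cert *x509.Certificate, plaintext []byte) ([]byte, error) {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("certificate does not carry an RSA key")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

// Decrypt is the merchant's side, using the private key only the merchant holds.
func (s *Site) Decrypt(ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, s.Key, ciphertext, nil)
}

func main() {
	site, err := Setup("shop.example")
	if err != nil {
		panic(err)
	}
	roots := []*x509.Certificate{site.CA}
	fmt.Println("trusted root, right host:", VerifySite(site.Cert, roots, "shop.example"))
	fmt.Println("trusted root, wrong host:", VerifySite(site.Cert, roots, "other.example"))
	fmt.Println("issuer not trusted:      ", VerifySite(site.Cert, nil, "shop.example"))
	ct, _ := EncryptForSite(site.Cert, []byte("card-number-goes-here")) // constructed sample
	pt, _ := site.Decrypt(ct)
	fmt.Printf("decrypted by merchant: %q\n", pt)
}
```

The two failing checks are the ones that matter to the shopper: a certificate that is valid but issued for a different host, or one that no trusted TTP vouches for, is rejected before any data is encrypted. The lock symbol the article mentions is the browser reporting that both checks passed.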

BBB Online Seals
Once you have been in business for one year, you can apply for the Better Business Bureau Online's Reliability seal program. To get into the program and display the seal you must:

  • join your local BBB
  • agree to abide by their standards including those for truth in advertising
  • provide the BBB with information about your company
  • have a satisfactory complaint record with the BBB
  • respond promptly to all consumer complaints
  • agree to any consumer-requested dispute resolution.

Keep in mind that the BBB doesn't endorse companies, so don't add any text to your site saying you're BBB endorsed. They simply require that their participants have satisfactory complaint records.

Privacy policies and Personal Info Usage Policies
You must have a privacy policy and a usage policy for your site. These policies state how you intend to use the personal information from product orders and any other information you collect about your site visitors. This is a very important step to take and should not be taken lightly. When you write the policy, make sure you follow it to the letter. Not doing so may put you in violation of the FTC Act. You can read the transcripts of a public workshop put on by the FTC about the use of consumer data at the FTC web site. There is also a lot of other good information there. You might also visit some well-known commerce sites and see how they've done their privacy statements. If you get a seal from one of the TTP groups listed in the previous section, then you'll also have to follow their specifications.

Display the link to your Privacy Policy in a conspicuous spot on your home page and your ordering pages. Make the language easy to understand and clearly state how the information will be used. It is generally recommended to give the consumer the option of not sharing their personal information (assuming you're planning on sharing the data with others). If you are sharing the information, state with whom you will be sharing it.

Include a statement about how you use cookies. Many people are still not clear about how cookies work and are not comfortable with the idea. (You may also want to set up your system not to rely on cookies, since many people have them disabled in their browsers.)

Security for YOU
OK, so I've talked about how to make your customers feel more secure, but what about you? What about your liability? What about your losses!? Statistics from credit card companies say that 75 percent of online retailers are liable for the full amount of any credit card fraud they encounter, while 90 percent of consumers are reimbursed for fraud. When you don't have a face-to-face transaction where all three parties (the actual card being the third party) are present, then you have the potential for problems. And to make matters even worse, there are now software programs (illegal ones) that can generate an unlimited number of mathematically valid credit card numbers. But haven't mail order retailers been facing this problem all along? How do they protect themselves? There are some ways you can keep your credit card fraud to a minimum. Here are a few of the best ones:

  • Work under the assumption that you will at some point face credit card fraud -- that keeps your defenses up
  • Use Address Verification Service -- This at least works for products that must be shipped within the U.S. It provides no protection for downloadable products such as software or books. (Authorizer and NetVerify are examples.)
  • Consider not allowing different "ship to" addresses -- Thieves can always provide you with the correct billing address and then request a different shipping address. By not allowing a different shipping address you could cut back some of your fraudulent charges. Or, you can always perform additional checks on these addresses. (Make sure you get a phone number for the ship-to address.)
  • Get a faxed copy of the credit card and signature when in doubt.
  • Watch out for large orders of high priced items that are asked to be shipped quickly. If it doesn't match your typical order, call the customer and verify the order and payment information.
  • Don't process any order you can't verify by phone.
  • Watch out for customers who give you an e-mail address from a free e-mail service like Yahoo or Hotmail. Those are often used by thieves to help hide their identities, because any identification information can be submitted in order to get the e-mail address. Require a true ISP-based e-mail address.
  • If the customer is - or appears to be - a business, check the web address. (Often the last part of the e-mail address is the web address; just add a www. to check it out.) If the web site doesn't match up with the information you were given, then don't fill the order until you can verify further.
  • Code your form handler to collect the IP address of the computer sending the order. You can trace it back to the ISP and let them know about the fraudulent activity.
  • Watch out for orders that originate outside the country, or are to be shipped out of the country. There has been particular fraudulent activity in the Eastern European countries.
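The checks in this list, together with the "mathematically valid" card numbers mentioned above, are easy to turn into an order-screening step in the form handler. The Go program below is an added example for this page, not code from the article or from any of the services it names (Authorizer, NetVerify, AntiFraud). It implements the card-number checksum (the Luhn test, which is what makes a generated number "mathematically valid"), the ship-to/billing comparison, the free e-mail provider check, the out-of-country check, the large-rush-order check, and the IP capture for a later report to the ISP. The point weights, thresholds, the two-entry provider list (only the two providers the article names; the AntiFraud site has the full list), the home country and the sample order are all constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// HomeCountry is the merchant's own country (constructed: a U.S. shop).
const HomeCountry = "US"

// Score thresholds; the weights in ScreenOrder are constructed for this example.
const (
	HoldScore   = 25  // call the customer before shipping
	RejectScore = 100 // do not process
)

// freeMailDomains stands in for the AntiFraud list of free e-mail providers.
var freeMailDomains = map[string]bool{"yahoo.com": true, "hotmail.com": true}

// Order holds the fields the screening rules look at.
type Order struct {
	CardNumber     string
	Email          string
	BillingAddress string
	ShipToAddress  string
	ShipToPhone    string
	ShipToCountry  string
	OrderCountry   string  // where the order originated, if known (e.g. from the IP)
	Total          float64 // order value in the shop's currency
	RushShipping   bool
}

// LuhnValid reports whether a card number passes the Luhn checksum. Passing only
// means the digits are self-consistent: the generator programs the article mentions
// produce numbers that pass this test, so it catches typos, not thieves.
func LuhnValid(number string) bool {
	sum, digits, double := 0, 0, false
	for i := len(number) - 1; i >= 0; i-- {
		c := number[i]
		if c == ' ' || c == '-' {
			continue // allow the spacing customers type in
		}
		if c < '0' || c > '9' {
			return false
		}
		d := int(c - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
		digits++
	}
	return digits >= 12 && digits <= 19 && sum%10 == 0
}

// ScreenOrder applies the article's rules and returns a risk score with the reasons.
func ScreenOrder(o Order) (int, []string) {
	score, flags := 0, []string{}
	add := func(points int, reason string) { score += points; flags = append(flags, reason) }
	if !LuhnValid(o.CardNumber) {
		add(RejectScore, "card number fails checksum")
	}
	if o.ShipToAddress != o.BillingAddress {
		add(20, "ship-to address differs from billing address")
		if strings.TrimSpace(o.ShipToPhone) == "" {
			add(10, "no phone number for the ship-to address")
		}
	}
	if at := strings.LastIndex(o.Email, "@"); at >= 0 && freeMailDomains[strings.ToLower(o.Email[at+1:])] {
		add(15, "free e-mail provider")
	}
	if o.ShipToCountry != HomeCountry || (o.OrderCountry != "" && o.OrderCountry != HomeCountry) {
		add(20, "order originates or ships outside "+HomeCountry)
	}
	if o.Total >= 1000 && o.RushShipping {
		add(25, "large order with rush shipping")
	}
	return score, flags
}

// Decision turns the score into the action the article recommends.
func Decision(o Order) string {
	score, _ := ScreenOrder(o)
	switch {
	case score >= RejectScore:
		return "reject"
	case score >= HoldScore:
		return "hold: verify by phone"
	default:
		return "accept"
	}
}

// ClientIP records the address the order came from. RemoteAddr is the TCP peer
// the server actually spoke to; headers such as X-Forwarded-For are chosen by the
// client unless your own proxy overwrites them, so they are not used here.
func ClientIP(r *http.Request) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return r.RemoteAddr
	}
	return host
}

func main() {
	o := Order{CardNumber: "4111 1111 1111 1111", Email: "buyer@hotmail.com", // constructed sample
		BillingAddress: "1 Main St", ShipToAddress: "9 Other St", ShipToCountry: "US",
		Total: 2500, RushShipping: true}
	score, flags := ScreenOrder(o)
	fmt.Println(score, flags, Decision(o))
}
```

The screening never auto-approves on a passed checksum; the only outcome a Luhn pass produces is "no extra points". Every other rule adds to a score that, once it crosses the hold threshold, sends the order to the phone-verification step the list ends with.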

Visit the AntiFraud web site for more ways to protect yourself, as well as a list of free e-mail address providers. You should probably also set aside a sum of money for credit card fraud. Talk to your accountant about what a reasonable amount might be.