Saturday, March 5, 2011

Online Shopping: Things You Can Do to Make Online Purchases Safer

Online Shopping: What You can do to be Safer

Shopping online is safer today than ever before, even though crooks continue to try to find ways to hack into systems, intercept your transactions or emails, and use "phishing" techniques to gather private information from you.

If you do shop online or over the phone, there are some things that you can look at carefully to make your purchase as safe as possible.

Start with Your Computer & Security Habits

Yes: the weakest link could be your own computer and security habits (or lack thereof).

All of the things discussed below aren't much use if you don't have good firewall and security software on your own computer. The security systems that come with your computer usually should be supplemented by other packages such as Norton™ by Symantec™ or McAfee™.

Whether or not you shop or do online banking, you really need a comprehensive security system that includes a firewall, scanning services, software that alerts you if your computer is entering an "unsafe zone," tools to prevent viruses or malware from being downloaded to your computer, and blocking features that stop unauthorized parties from gaining access to your computer.

Important Note: If you have more than one package of security software on your computer, there's a chance that they could cancel out some of each other's features. You really should pick one security system and stay with that.

Wireless connections are great, but they may require stricter security to protect you while surfing, particularly for online banking or purchases. Don't necessarily take the advice from the computer store salesperson: contact your ISP about what security will best protect you given what you use your computer for.

Then, make sure you keep your subscription current and regularly check that the most recent protection updates are downloaded (or have your computer set up to receive them automatically). Regular security scans are also a good idea.

Use Discretion, and a Bit of Suspicion

By now, most people are aware of the scams from self-proclaimed alleged "royals" from Africa or Europe who just need a little bit of your cash to get a big windfall, which they will share with you. An entire book could be devoted to the "Do's" and "Don'ts" of providing information over the Internet or by telephone.

The one thing you should always remember: Never, and that is N-E-V-E-R, give out any information unless you know exactly to whom you are giving it and for what purpose. No bank or credit card company will ever email you or call you for this information: they already have this information and don't need to ask you for it. And never provide banking account numbers, bank routing numbers, or credit card numbers to anyone by email.

No matter how secure your computer is, the nature of email means that it just isn't prudent.

And, while having your browser or a website remember your user name and password is convenient if you're online for a short time, it's not a safe practice to use all of the time. You should really clear your browser's cache and history each time you leave the Web, especially if you've been shopping or used online banking.

You should also change your email passwords on a regular basis and keep them in a safe place. And a safe place is not another email account.

What to Look for When Shopping Online

You want to see more than pretty pictures and catchy phrases when you make your purchase decisions. Odds are you've seen a logo on the website that says "VeriSign," "Trustwave," or another certificate stating they provide online security during your transaction.

What's the difference between different brands? Not much, except some brands have more "status" than others. In reality, most security systems use pretty much the same security protocols and most processors are mighty careful. If something goes wrong, the liability and losses (financial and reputational) can be tremendous.

Often, merchants get these icons/logos strictly for marketing purposes. This is not merely the opinion of this author; as VeriSign says on their website:

"People make decisions fast when they browse the Web and your link has to stand out to earn a click. VeriSign Seal-in-Search technology puts the VeriSign Trust Seal next to your link in search results on enabled browsers and partnering Web sites. Seal-in-Search shows that your site has been verified by VeriSign and passed a Web site malware scan. Your link is safe to follow."

And, so many merchants buy certificates, in part as a marketing tool. So, if you don't see a VeriSign, Trustwave or other certificate, don't worry all that much. Payment processors generally make sure that any shopping cart is secure before they will perform transactions from any merchant.

What you do want to look for is the icon of the payment processor that the merchant uses and whether or not they are PCI DSS compliant (see below). Payment processors are required by the Payments System Industry and insurance companies to have extremely strict security standards.

Commonly used processors include, but are by no means limited to "Chargeback Guardian," "Authorize.Net," "PsiGate," and "LinkPoint." Often, payment processors cover merchants with their own security seal after ensuring that the shopping cart used is secure.

Don't Just "Look" at Security, Payment Processors or PCI DSS Icons

When most valid icons for security certificates, payment processor validations, or PCI Audit are clicked on, a pop-up window opens to validate that the certificate is legitimate. If you click on an icon and nothing happens, it is either configured incorrectly or the merchant just copied the icon and placed it into their website.

The information available through these icons varies: sometimes you'll see the name of the corporation that runs the website, sometimes the website's URL is referenced. Keep in mind most e-stores are incorporated under a name other than the website name, as many merchants run more than one website or multiple e-stores.

And, there's a lot more involved in making sure you're dealing with an honest and legitimate business.

Payment System Industry (PCI) Data Security Standard

In the past year or so, all credit card processors and many merchants have been required to meet Payment System Industry (PCI) Data Security Standard. These standards were developed by the major credit card companies and incorporate a set of security requirements created by the Payment Card Industry.

The PCI DSS standards outline strict guidelines that specify actions merchants and payment processors must take to protect the privacy of customer information. This includes measures to protect any information provided over the internet, as well as physical measures taken to safeguard any data that is collected, such as invoices for tax records.

The PCI Council requires that Merchants meet this set of security requirements if their business accepts, transmits, or processes customer payment cards (such as credit cards or debit cards). It means that a merchant has undergone reviews to see that its secure checkout meets or exceeds industry standards for encryption so that you can buy with confidence, knowing your private information and payment information is secure. Merchants do not see your credit card number or your security code.

Some payment processors require that merchants undergo an audit; others allow the merchant to make the decision on their own. While the audits are a lot of work, they are beneficial to merchants to make sure they are doing everything possible to protect customer information, as well as the merchant's interests. Sometimes, insurance companies ask that merchants undergo the audit.

Making Payments over the Telephone

This is up to you and your comfort level with the merchant. While most small businesses will take credit or debit card information over the telephone, many responsible merchants will ask that you stay on the line while they enter the credit card number into the processing system. This way, they don't have to write down or record the credit card number in any shape or form. It protects the customer and protects the merchant.

Most merchants, by the way, never see your credit card number or the security code on the back. These are truncated by the payment processor, and this merchant, for one, likes it to be this way. In fact, once a credit card transaction is processed, payment processors will allow a merchant to refund the consumer any amount up to the amount paid by the consumer. But a merchant can never charge additional funds unless permission is granted by the consumer through a separate independent transaction.

Isn't PayPal™ More Secure?

PayPal is a legitimate choice for consumers who feel more comfortable going through a large well-known company, especially folks that do not have credit cards or who only have American Express, which many merchants, online and otherwise, do not accept.

For many, PayPal offers comfort and a sense of security. Since merchants like to keep customers happy, most let them decide how to pay. But is PayPal "more secure" than other payment processors? Well, most payment processors pretty much all use similar security protocols and that includes PayPal. And, PayPal has many employees that may have access to your information.

PayPal's website has a video that implies that merchants require a heck of a lot more than a credit card number, CVC code and expiration date (all of which protect the customer in case someone has obtained your credit card number): other information such as banking data, digits of bank accounts, passwords and things that simply are not required.

This is simply not true of legitimate merchants. If a merchant ever asks you for personal data such as how many kids you have, your annual household income, banking account information when you are paying by credit card, or anything else that makes you feel uncomfortable, go elsewhere. This information is completely unnecessary for an online transaction.

And, when you leave the site make sure you clear your browser's cache and make the purchase elsewhere. There are very few items available online through only one website.

(Note: PayPal does store two forms of payment for recurring payments such as subscriptions, usually credit card data, and your bank account number and your bank's routing number.)

Another video on PayPal's website states that PayPal "is more secure it prevents merchants from seeing your payment information." Well, as noted above, most merchants NEVER see this data.

So, What's Your Best Choice?

Whatever makes you, the consumer, feel most secure and comfortable.

Just be sure that you aren't lulled into a sense of security from certificates that may or may not mean much and that you understand your protection starts with your own computer maintenance practices. And, check your credit card statement carefully each month and question any transaction that you do not recognize or feel is inaccurate.

--

Note: This article is the opinion of the author. While the author has experience working in payments for the banking industry, and for Internet and network security companies, all statements are the opinions of the author alone and no other entity. The only exceptions are direct quotes taken from specific companies' websites which are referenced above.

Symantec, the Symantec Logo, Norton 360 and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. VeriSign, VeriSign Trust and other related marks are the trademarks or registered trademarks of VeriSign, Inc. or its affiliates or subsidiaries in the U.S. and other countries and licensed to Symantec Corporation. Other names may be trademarks of their respective owners. PayPal, McAfee and Trustwave are registered trademarks of the respective entities.

Copyright 2011, AM McElroy, SolarFlairLighting.com, and SolarLightingSmart.com

AM McElroy has over 20 years' experience in corporate communications and marketing/sales within the banking, civil/environmental engineering, high-tech and natural sciences (physics) arenas.