Shopping online is safer today than ever before, even though crooks continue to try to find ways to hack into systems, intercept your transactions or emails, and use “phishing” techniques to gather private information from you.
If you do shop online or over the phone, there are some things that you can do, and things to look at carefully, to make it far safer.
Start with Your Computer Habits
Yup. The weakest link could be your own computer and security habits (or lack thereof).
All of the things discussed below aren’t much use if you don’t have good firewall and security software on your own computer.
Some of the most common brands are Norton™ by Symantec™ and McAfee™. Symantec, along with proprietary software, is used by many banks, financial institutions and payment processors including the largest banks in the United States.
The most comprehensive Norton™ product for home users (Norton 360™) starts at about $130 for a two-year subscription. This includes a firewall, scanning services, software that alerts you if your computer is about to enter an “unsafe zone,” and tools to prevent viruses or malware from being downloaded to your computer and to block attempts by unauthorized parties to gain access to your computer.
McAfee, versions of which often come free with a lot of Internet Service Providers (ISPs), is also commonly used.
Important Note: If you have both Norton and McAfee on your computer, there’s a chance that they could cancel out some of each other’s features. You really should pick one security system and stay with that.
Wireless connections are great, but they may require stricter security to protect you while surfing, particularly for online banking or purchases. Don’t necessarily take the advice from the computer store salesperson: contact your ISP about what security will best protect you given what you use your computer for.
Then, make sure you keep your subscription current and regularly check that the most recent protection updates are downloaded (or have your computer set up to receive them automatically). Regular security scans are also a good idea.
Use Discretion, and a Bit of Suspicion
By now, most people are aware of the scams from self-proclaimed “royals” from Africa or Europe who just need a little bit of your cash to get a huge fortune that was wrongly taken from them, a big windfall that they will share with you if you give them money to retrieve it.
An entire article could be devoted to the “Do’s” and “Don’ts” of providing information over the Internet or by telephone. Bottom line: Never, and that is N-E-V-E-R, give out any information unless you know exactly to whom you are giving it and for what purpose. When in doubt, ask for a number and then call your bank or credit card company.
No bank or credit card company will ever email you or call you for this information: they already have this information and don’t need to ask you for it. And never provide banking account numbers, bank routing numbers, or credit card numbers using email to anyone.
No matter how secure your computer is, the nature of email means that it just isn’t prudent.
Another thing to be careful of: Having your browser or a website remember your user name and password is convenient if you’re online for a short time, but overall not a really safe practice.
You should also change your email passwords on a regular basis and keep them in a safe place. (A safe place is not another email account.)
What to Look for When Shopping Online
You want to see more than pretty pictures and catchy phrases when you make your purchase decisions. Odds are you’ve seen a logo on the website that says “VeriSign™,” “Trustwave™,” or another certificate stating they provide online security during your transaction.
What’s the difference between different brands? Well, most use pretty much the same types of security protocols and most processors are mighty careful. If something goes wrong, the liability and losses (financial and reputational) can be tremendous.
Many times merchants get these icons/logos strictly for marketing purposes. This is not merely the opinion of this author; the following is a quote from VeriSign’s website:
“People make decisions fast when they browse the Web and your link has to stand out to earn a click. VeriSign Seal-in-Search technology puts the VeriSign Trust Seal next to your link in search results on enabled browsers and partnering Web sites. Seal-in-Search shows that your site has been verified by VeriSign and passed a Web site malware scan. Your link is safe to follow.”
And so, many merchants buy certificates in part as a marketing tool.
What you do want to look for is the icon of the payment processor that the merchant uses and whether or not they are PCI DSS compliant (see below). Payment processors are required by the Payment Card Industry and insurance companies to have extremely strict security standards.
Commonly used processors include, but are by no means limited to, “Chargeback Guardian,” “Authorize.Net,” “PsiGate,” and “LinkPoint.” Often, payment processors cover merchants with their own security seal after ensuring that the shopping cart used is secure.
Don’t Just “Look” at Security Icons
When most valid icons for security certificates or payment processor validations are clicked on, a pop-up window opens to validate that the merchant is authorized to do business with them. Sometimes you’ll see the name of the website; sometimes you’ll see the name of the corporation that runs the website. (Keep in mind most e-stores are incorporated under a name other than the website name, as many merchants run more than one website or multiple e-stores.)
And, there’s a lot more involved in making sure you’re dealing with an honest and legitimate business.
Payment Card Industry (PCI) Data Security Standard
In the past year or so, all credit card processors and many merchants have been required to meet the Payment Card Industry (PCI) Data Security Standard. These standards were developed by the major credit card companies and incorporate a set of security requirements created by the Payment Card Industry.
The PCI DSS standards outline strict guidelines that specify what Merchants and payment processors must do to protect the privacy of customer information. This includes measures to protect any information provided over the Internet, as well as physical measures taken to safeguard any data that is collected, such as invoices for tax records.
The PCI Council requires that Merchants meet this set of security requirements if their business accepts, transmits, or processes customer payment cards (such as credit cards or debit cards). It means that a merchant has undergone reviews to see that its secure checkout meets or exceeds industry standards for encryption so that you can buy with confidence, knowing your private information and payment information is secure. Merchants do not see your credit card number or your security code.
Some payment processors require that merchants undergo an audit; others allow the merchant to make the decision on their own. While the audits are a lot of work, they are beneficial to merchants to make sure they are doing everything possible to protect customer information, as well as the merchant’s interests. Sometimes, insurance companies ask that merchants undergo the audit.
Making Payments over the Telephone
This is up to you and your comfort level with the merchant. While most small businesses will take credit or debit card information over the telephone, many responsible merchants will ask that you stay on the line while they enter the credit card number into the processing system. This way, they don’t have to write down or record the credit card number in any shape or form. It protects the customer and protects the merchant.
Most merchants, by the way, never see your credit card number or the security code on the back. These are truncated by the payment processor, and this merchant, for one, likes it to be this way.
This is another reason why many merchants do not accept telephone checks, which are ACH payments made over the telephone when you provide your bank’s routing number and your account number.
In fact, once a credit card transaction is processed, payment processors will allow a merchant to refund the consumer any amount up to the amount paid by the consumer. But, a merchant can never charge additional funds unless permission is granted by the consumer through a separate independent transaction.
Isn’t PayPal™ More Secure?
PayPal is a legitimate choice for consumers who feel more comfortable going through a large well-known company, especially folks who do not have credit cards or only have American Express, which many merchants, online and otherwise, do not accept.
And it offers comfort and a sense of security to many people. Since merchants like to keep customers happy, most let them decide how to pay. But is PayPal really “more secure” than other payment processors? Not really, as most payment processors pretty much all use similar security protocols.
PayPal’s website does have a video that implies that merchants require a heck of a lot more than a credit card number, CVC code and expiration date (which protects both consumers and merchants in the event a credit card number is stolen), and that merchants ask for banking data, digits of bank accounts, passwords and other things that simply are not required.
This is not true of legitimate merchants. If a merchant ever asks you for personal data such as how many children you have, your annual household income, banking account information when you are paying by credit card, or anything else that makes you feel uncomfortable, go elsewhere.
This information is completely unnecessary for an online transaction. If you come across a screen that asks you for such information, leave the site, clear your browser’s cache and make the purchase elsewhere. There are very few items available online through only one website.
PayPal does store two forms of payment for recurring payments such as subscriptions: usually credit card data, and your bank account number and your bank’s routing number.
Another video says that PayPal is more secure because it prevents merchants from seeing your payment information. As noted above, most merchants NEVER see this data.
So, What’s Your Best Choice?
Whatever makes you, the consumer, feel most secure and comfortable.
Just be sure that you aren’t lulled into a sense of security from certificates that may or may not mean much and that you understand your protection starts with your own computer maintenance practices. And, check your credit card statement carefully each month and question any transaction that you do not recognize or feel is inaccurate.
Note: This article is the opinion of the author. While the author has experience working in payments for the banking industry, and for Internet and network security companies, all statements are the opinions of the author alone and no other entity. The only exceptions are direct quotes taken from specific companies’ websites which are referenced above.
Symantec, the Symantec Logo, Norton 360™ and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. VeriSign™, VeriSign Trust™ and other related marks are the trademarks or registered trademarks of VeriSign, Inc. or its affiliates or subsidiaries in the U.S. and other countries and licensed to Symantec Corporation. Other names may be trademarks of their respective owners. PayPal™, McAfee™ are registered trademarks of the respective entities. Trustwave™ is a registered trademark.