Friday, January 14, 2011

The dangers of online credit card processing.

Did you know that when you use your credit card in most stores, the seller (meaning the store) does NOT see your full credit card information? They usually see only the last four digits. Remember in the past when you handed your credit card to the checker and they would literally make a copy of your credit card information and store it? That was an enormous security risk. And we left that behind with the advent of customer access machines. It's not an accident that now you swipe your own credit card. It's not a way for the store to get you to work for them. No, it's all about credit card security. The important point to notice is that you hold the credit card all the time and the seller never sees the credit card information.

Well, we've taken an enormous step backwards in the area of online credit card processing. Imagine you are buying something online. Let's say you are signing up for a running event. The race organization usually defines the online registration system that you must use to sign up. The race organization is usually small and usually does not have much, or in some cases any, technical knowledge. You usually end up with whatever is sold to them or whatever everyone else is doing. This may or may not be the best choice for you in terms of your security.

Let's say a very small beginner website talks the race organization into using their site. Let's say that the very small website creates a merchant credit card account. This means that the small website can process the credit card information directly with a credit card processor. This is an alternative to payment processing options such as Google Checkout, PayPal, Amazon, etc. This is where the security problem begins. You are passing your complete NAME, CREDIT CARD NUMBER, and CVC CODE to this beginner website. The beginner site says that it is secure because it uses SSL. But SSL only protects the data in transit: it helps ensure that what the client browser sends can be seen only by the seller website server. It does not handle the case where the seller website server is compromised. Once the data arrives, all the information is in clear text and available on the seller website server. This is a problem because multiple people and programs have access to this information.

You may say this is terrible, but what is the solution? The solution is to use larger payment processors such as Google Checkout, PayPal, Amazon, etc. These larger payment processors give only a tracking code to the seller, and they process the credit card information securely. You should only buy from sites that give you the Google Checkout, PayPal, Amazon, etc. option. Otherwise, you are spreading your credit card information all over the web to many sellers. Not a good idea.

There will always be critics who say, "I don't want to give my credit card information to PayPal, Google, Amazon, etc." The irony is that the smaller websites actually use PayPal, etc. for their payment processing. So you give the credit card information to a small website with possibly questionable security, the small website gives it to PayPal, and then you purchase the item. It seems to be common sense that you should reduce the number of eyes and programs that can see your credit card information.