Credit Cards Online

24 June 1999
Electronic commerce or, as many call it, e-commerce, is here and growing rapidly. Buying goods and services over the Internet is something more people are doing for the first time every day. In most cases, the preferred method of payment is the credit card. The problem, which in some ways is more perceived than real, is credit card fraud.

Consumer’s Perspective

It seems that the average consumer is just beginning to get comfortable with the idea of transmitting their credit card number over the Net. At the dawn of the Internet age (three or four years ago for most people), the mantra was, “Never, never send anybody your credit card number over the Net. A hacker from hell might intercept it while it flew through cyberspace.”

Well, it turned out that while this risk made for good headlines, it was overblown. Even if it did happen, a Federal law limited a consumer’s risk to $50. Today, the Amazon.com’s and eBay.com’s of the world are getting people used to the idea of sending their credit card number over the Net.

My advice to people has been and remains that the Internet is safe enough for credit cards. If you want to buy something over the Net, then do it.

Now, you should bear in mind that I said the Net is “safe enough,” not perfectly safe, but no place is perfectly safe. When you give a waiter your credit card, that’s not perfectly safe either. He could copy your number and use it later to buy something.

I’ve never understood people’s paranoia about the Net when they’ll call 1-800-Send-Me-Junk and blithely read their number to a minimum wage order taker working for some company they don’t recognize located they don’t know where. Still, these are the risks we all take and the law limits our loss to $50 if somebody steals a card number.

Online Seller’s Perspective

The one who really gets hurt by fraudulent online commerce is the seller. Most credit card fraud revolves around a valid credit card that’s used by someone other than the owner of the card.

The big loser in this scenario is the seller. The goods or services are out the door and the money is uncollectable. Banks typically won’t pay a seller for a fraudulent online transaction even if the bank “approved” the sale.

Security Protocols

Two major security protocols can govern credit card transactions over the Net. They are Secure Sockets Layer (SSL) and Secure Electronic Transactions (SET) Standard. The bottom line today is that SET is safer, but SSL is easier to use, already in place and relatively safe in many ways.

SET’s beginning goes back to February, 1996, when MasterCard and Visa jointly announced SET and hailed it as the future technical standard for safeguarding credit card purchases made over the Internet. Still, SSL remains the standard for the Net. Some estimate that as many as 85% of all commercial websites use SSL.

SET has not caught on for a series of complex reasons. I think the starting point is that generally sellers, not banks, are the loser with online fraud. This means that banks have had little incentive to push SET.

Y2K has even had a part in this. Banks have had to make Y2K, not the implementation of a new electronic transaction protocol, the priority.

SET’s big selling point is that it’s a super strong security program. The reaction of many was that this meant that it was too complicated, excessive and expensive.

SSL is seen as less complicated and always had the advantage of being developed by Netscape, who, until recently, dominated the browser market. (Now, in terms of market share, Microsoft’s Internet Explorer is the king. As for me, I still prefer Netscape.)

SSL’s biggest weakness is that it doesn’t authenticate that the buyer is who the buyer purports to be. SET can do that electronically.

What SSL does do is encrypt the communication between the consumer and the seller. This means that even if the hacker from your nightmares intercepts your transmission over the Net, she can’t read it because encrypting it turns it into gibberish. Only the intended recipient can decrypt the transmission so that it’s readable.

SSL is clearly enough security if both sides of an online transaction know and trust each other. You can always confirm if your transaction is secured by SSL by checking for an unbroken key or closed lock symbol in the frame of your browser window.

SET makes Net transactions even safer than SSL because SET uses “digital certificates” that verify that both the buyer and the seller are authorized to use and accept the credit card. Without getting lost in the technology of “digital certificates,” suffice it to say that they’re state-of-the-art electronic identification certificates and they do what they purport to do rather well. (You can get paralyzed with technology if you insist on understanding how technology works before you’ll use it. I think that I can make this point by reminding you that everybody steps on the gas pedal, but very few people really understand how fuel injection works.) Understanding how a digital certificate works is complicated. Using it is easy (like stepping on that gas pedal) because the software you would use does the hard part in a way that’s invisible to you.

Shopping with SET

The first step in shopping with SET is having digital wallet software. If SET ever really catches on, this will undoubtedly be built into Netscape’s and Microsoft’s browsers, but today you have to download the software. The purpose of this software is to verify that your seller is who they purport to be and that they have a relationship with a trusted financial institution.

The second step is that the consumer gets a digital certificate (electronic identification card) from their financial institution.

At the time of payment, each side’s SET software verifies that the other side is legitimate before exchanging other information.

The third step is you shop. When you’re ready to finalize the purchase, the software sends your credit card information in an encrypted format that can only be deciphered by the seller’s financial institution.

The final step is authorization from the cardholder’s bank. At this point, it’s just like going into a retail store. In this scenario, the digital certificate stands in the place of a pen, paper and a John Hancock.
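For readers who do want a look under the hood, here is a small model of the steps above, added as an illustration and not taken from the SET specification or any vendor's software. It assumes a single certificate issuer and uses textbook RSA over small fixed primes; every name, key and the card number are constructed for the example.

```python
# Teaching model only: textbook RSA, no padding, tiny keys. Not real SET.
import hashlib

E = 65537  # public exponent shared by all toy keys

def make_key(p, q):
    """Return (public, private) toy RSA keys built from two primes."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def _to_sign(name, role, pub, n):
    body = f"{name}|{role}|{pub[0]}|{pub[1]}".encode()
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % n

def issue_cert(ca_priv, name, role, pub):
    """The issuer signs the holder's name, role and public key."""
    n, d = ca_priv
    sig = pow(_to_sign(name, role, pub, n), d, n)
    return {"name": name, "role": role, "pub": pub, "sig": sig}

def cert_ok(ca_pub, cert, role):
    """What each side's software checks about the other side before paying."""
    n, e = ca_pub
    want = _to_sign(cert["name"], cert["role"], cert["pub"], n)
    return cert["role"] == role and pow(cert["sig"], e, n) == want

def seal(pub, number):    # encrypt the card number to a public key
    return pow(number, pub[1], pub[0])

def unseal(priv, blob):   # decrypt with a private key
    return pow(blob, priv[1], priv[0])

# Constructed keys (Mersenne primes) and a constructed test card number.
CA_PUB, CA_PRIV = make_key(2**107 - 1, 2**127 - 1)     # certificate issuer
BANK_PUB, BANK_PRIV = make_key(2**61 - 1, 2**89 - 1)   # seller's bank
SHOP_PUB, SHOP_PRIV = make_key(2**19 - 1, 2**31 - 1)   # seller
BUYER_PUB, _ = make_key(2**13 - 1, 2**17 - 1)          # buyer's wallet
CARD = 4111111111111111

def checkout():
    shop = issue_cert(CA_PRIV, "Example Shop", "merchant", SHOP_PUB)
    buyer = issue_cert(CA_PRIV, "A. Buyer", "cardholder", BUYER_PUB)
    forged = dict(shop, name="Other Shop")   # altered after it was signed
    blob = seal(BANK_PUB, CARD)              # all the seller ever relays
    both = cert_ok(CA_PUB, shop, "merchant") and cert_ok(CA_PUB, buyer, "cardholder")
    return {"both_verified": both,
            "forged_rejected": not cert_ok(CA_PUB, forged, "merchant"),
            "seller_reads_card": unseal(SHOP_PRIV, blob) == CARD,
            "bank_reads_card": unseal(BANK_PRIV, blob) == CARD}
```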

If this sounds complicated, that’s because it is. Still, if the software were built into the major browsers, SET would stand a chance. As it stands now, if I wanted to buy from a website that required SET, I’d find another website. I can’t find a compelling reason to be inconvenienced by setting this up on my computer. I’d rather find a website that uses SSL.




Mark Grossman's "TechLaw" column appears in numerous publications. Mark Grossman has extensive experience as a speaker as well. If you would like him to speak before your group or corporate meeting, please call (305) 443-8180 for information.

You can find a TechLaw archive at: www.DeWittGrossman.com.

If you have any comments, please send them to MGrossman@DeWittGrossman.com.

Disclaimer: The advice given in the TechLaw column should not be considered legal advice. This newsletter only provides general educational information. You must never rely upon the advice given here. Your individual situation may not fit the generalizations discussed. Only your attorney can evaluate your individual situation and give you advice.

Except as provided below, you may feel free to forward, distribute and copy the TechLaw column if you distribute and copy it without any changes and you include all headers and other identifying information. You may not copy it to a Web site.