The e-commerce market is expanding dramatically and is projected to exceed $8 trillion in 2020. As a result, the online payment processing market is growing just as fast, simplifying B2C experiences with mobile payments, but also giving rise to fraudulent misuse of payment networks and data theft.
In the e-market reality, a retailer faces a number of fraud tactics, each of which hits his finances once a customer reports fraudulent activity and requests a chargeback (the sum of reimbursement costs and recovery costs); it also undermines customers’ confidence in the merchant’s brand and jeopardizes his relations with clients. So much has been said about online transaction security, about hackers attacking the websites of the biggest corporations and stealing their data, and about the billions of dollars lost to fraudsters online, that customers may feel insecure and be unwilling to share their payment data and personal information with a website.
That’s why trust seals are so important for website conversion: when a customer sees visual proof that the website complies with security requirements, he will be more willing to complete a purchase. According to a survey, 75.66% of respondents stated that trust logos affect their sense of trust in a website[i], and 60.96% admitted that at least once they did not complete a purchase because trust logos were missing.[ii]
It is important for the customer to feel that he is paying safely online when on a website, and it is equally important for the merchant to make the customer feel so and not to disappoint him in the end.
Types of Protection Methods
Given the scale of e-commerce operations carried out every day all over the world, software development services companies devote a lot of attention to developing security methods aimed at making online payments safe.
Encryption transforms plain-text information into a non-readable form called ciphertext. Decrypting the information and returning it to its original plain-text form requires the algorithm and the corresponding key.
There are two principal approaches to encryption: symmetric-key and asymmetric-key encryption. In symmetric-key encryption, one key is used both to encrypt and to decrypt the information, so if that key is compromised, it can be used to decrypt all of the data it was used to secure. Asymmetric-key encryption, by contrast, uses two different keys for encrypting and decrypting the stored data.
Another name for asymmetric-key encryption is public-key encryption: encryption (‘public’) keys can be freely distributed, whereas decryption (‘private’) keys must be kept secret, as they are what decrypts the protected data.
Cryptocurrency exchanges between parties are based on the public-key principle: the public key is the address to which cryptocurrency is transferred, while the private key is used to confirm, approve and perform the transaction that moves cryptocurrency stored on one account to someone else’s public key.
With tokenization, sensitive credit card information, which includes the customer’s name, the 16-digit primary account number (PAN), the expiration date and the security code, is not stored in the merchant’s payment system but gets ‘tokenized’, i.e. it is replaced with a randomly generated string of characters that can be linked back to the original data only by an authorized party. The original information therefore never enters the merchant’s system; only the generated tokens do. The tokens are transmitted to the payment processor, which is the only actor capable of de-tokenizing the received data and authorizing the payment.
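An added example of the tokenization flow just described (not code from the original article), with a hypothetical processor-side vault: the merchant’s order record holds only a random token and a masked PAN, and de-tokenization happens only inside the processor’s authorization call, which also checks that the request really came from the merchant and that the amount was not tampered with. The merchant key and card number are constructed sample values.

```python
import hashlib
import hmac
import secrets

def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test: rejects mistyped card numbers before tokenizing."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold >9
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def sign_request(key: bytes, token: str, amount_cents: int) -> bytes:
    """Merchant authenticates an authorization request with its processor key."""
    msg = f"{token}|{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

class ProcessorVault:  # hypothetical vault on the processor's side, never the merchant's
    def __init__(self, merchant_key: bytes) -> None:
        self._merchant_key = merchant_key
        self._token_to_card = {}  # token -> (PAN, expiry); the only copy of the PAN

    def tokenize(self, pan: str, expiry: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid PAN")
        # Random, unguessable token; only the last four digits survive for receipts.
        token = f"tok_{secrets.token_hex(12)}_{pan[-4:]}"
        self._token_to_card[token] = (pan, expiry)
        return token

    def authorize(self, token: str, amount_cents: int, mac: bytes) -> bool:
        """De-tokenize and authorize; the PAN never leaves this method."""
        expected = sign_request(self._merchant_key, token, amount_cents)
        if not hmac.compare_digest(mac, expected):
            return False  # request not from the merchant, or amount tampered with
        return self._token_to_card.get(token) is not None  # real processor: charge the PAN here

def merchant_checkout(vault, key, pan, expiry, amount_cents):
    """Merchant side: in production the card data goes from the customer's
    browser straight to the processor; the merchant stores only the token."""
    token = vault.tokenize(pan, expiry)
    order = {"token": token, "amount_cents": amount_cents,
             "masked_pan": "*" * (len(pan) - 4) + pan[-4:]}
    mac = sign_request(key, token, amount_cents)
    return order, vault.authorize(token, amount_cents, mac)
```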
Secure Electronic Transaction (SET) Protocol
The SET protocol was developed as a single standard for secure electronic payment transactions. It was meant to eliminate the drawbacks of the widespread SSL protocol, which provides a communication channel between the merchant and the customer but does not provide the level of security needed nowadays. SET was developed in response to the demand for a stronger authentication procedure and a guarantee of the confidentiality of information. It was developed jointly by Visa and MasterCard and is widely supported by top vendors such as IBM and Microsoft.
SET protocol usage involves three participants: the merchant, the customer and the bank, all using the protocol. With SET, a user is given an electronic wallet, known as a digital certificate, which holds a unique public key; a transaction is conducted and verified using a combination of digital certificates and digital signatures among the three actors. After placing an order, the customer’s SET-enabled browser first confirms that the merchant’s certificate is valid. The browser then sends the merchant a message containing the order information, encrypted with the merchant’s public key; the payment information, encrypted with the bank’s public key (so the merchant cannot read it); and information that ensures the payment can only be used with this particular order. After receiving the order message, the merchant forwards it to the bank together with the bank’s public key, the customer’s payment information (which the merchant cannot decode) and the merchant’s certificate. The bank verifies the merchant and the message and adds its digital signature as authorization. The payment process is then complete and the merchant can start filling the order.
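The information that ties the payment to this particular order is SET’s dual signature: the customer signs the hash of the two digests H(PI) and H(OI), so the merchant (who sees only the order plus the payment digest) and the bank (who sees only the payment plus the order digest) can each verify the link without seeing the other’s data. The following is an added example, not code from the SET specification or the original article; the RSA key uses small constructed primes so the block runs on the standard library alone, and the public-key envelope around PI is omitted.

```python
import hashlib

# Toy RSA key pair for the customer: small constructed primes (not secure),
# so the block runs with the standard library only. Real SET uses full-size keys.
P, Q = 104723, 104729
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def sign(digest: bytes) -> int:
    return pow(int.from_bytes(digest, "big") % N, D, N)

def verify(digest: bytes, sig: int) -> bool:
    return pow(sig, E, N) == int.from_bytes(digest, "big") % N

def customer_dual_sign(oi: bytes, pi: bytes):
    """Customer computes DS = Sign(H(H(PI) || H(OI))) and builds the two halves
    of the order message: the merchant gets OI plus the digest of PI, the bank
    gets PI plus the digest of OI. (Real SET also encrypts PI to the bank's
    public key; that envelope is omitted here.)"""
    pimd, oimd = h(pi), h(oi)
    ds = sign(h(pimd + oimd))
    return {"oi": oi, "pimd": pimd, "ds": ds}, {"pi": pi, "oimd": oimd, "ds": ds}

def merchant_verify(part: dict) -> bool:
    """Merchant: the order it reads is the one the customer signed, checked
    with the payment digest only; the card data never reaches the merchant."""
    return verify(h(part["pimd"] + h(part["oi"])), part["ds"])

def bank_verify(part: dict) -> bool:
    """Bank: the payment is bound to this order digest, so it cannot be
    reused for a different order; the bank never sees the order itself."""
    return verify(h(h(part["pi"]) + part["oimd"]), part["ds"])
```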
The Payment Card Industry Data Security Standard (PCI DSS) and its framework
PCI DSS is a regulatory framework created and put in place to protect consumers and businesses. It provides a universal standard for how credit card information is to be handled, used and stored. The standard was adopted in 2004 by the major credit card companies, namely Visa, MasterCard, Discover Financial Services, JCB International and American Express, in response to the growing number of frauds occurring during online shopping.
The payment card industry (PCI) uses four merchant levels based on the number of annual transactions. Once assigned, a merchant’s level determines the amount of assessment and security validation required for the merchant to achieve PCI DSS compliance.