The e-commerce market is expanding dramatically and is projected to exceed $8 trillion in 2020. As a result, the online payment processing market is growing at the same pace, simplifying B2C experiences with mobile payments – but also giving rise to fraudulent misuse of payment networks and to data theft.
In the e-market reality, a retailer faces a number of fraud tactics, each of which hurts his financial position once a customer reports fraudulent activity and requests a chargeback (the sum of reimbursement costs and recovery costs); it also undermines customers’ confidence in the merchant’s brand and jeopardizes his relations with clients. So much has been said about online transaction security, about hackers attacking the websites of the biggest corporations and stealing their data, and about the billions of dollars in losses caused by fraudsters online, that customers can feel insecure and be unwilling to share their payment data and personal information with a website.
That’s why trust seals are so important for website conversion: when a customer sees visual proof that the website complies with security requirements, he will be more ready to complete a purchase. According to a survey, 75.66% of respondents stated that trust logos affect their sense of trust in a website[i], and 60.96% admitted that at least once they did not complete a purchase because trust logos were missing.[ii] It is important for the customer to feel that he is paying safely when on a website – and it is equally important for the merchant to make the customer feel so and not to disappoint him in the end.

Types of Protection Methods

Taking into account the scale of e-commerce operations conducted every day all over the world, software development services companies devote a lot of attention to developing security methods aimed at providing safe online payment.

Encryption

The encryption method transforms plain-text information into a non-readable form called ciphertext. Decrypting the information and returning it to its original plain-text form requires the algorithm and the matching key. There are two principal approaches to encryption: symmetric-key and asymmetric-key encryption. In symmetric-key encryption, one key is used both to encrypt and to decrypt the information, so if the key is compromised, it can be used to decrypt all of the data it was used to secure. By contrast, asymmetric-key encryption uses two different keys for encrypting and decrypting the stored data. Another name for asymmetric-key encryption is public-key encryption: encryption (‘public’) keys can be freely distributed, whereas decryption (‘private’) keys must be kept secret because they are what decrypts the protected data. Cryptocurrency exchanges are based on the public-key principle. In this case, the public key (or an address derived from it) is the address to which cryptocurrency is transferred.
A private key, on the other hand, is used to sign and thereby authorize a transaction that transfers cryptocurrency stored in one account to someone else’s public key.

Payment tokenization

With this method, sensitive credit card information – the customer’s name, the 16-digit primary account number (PAN), the expiration date and the security code – is not stored in the merchant’s payment system but is ‘tokenized’, i.e. replaced with a randomly generated string of characters that can be linked back to the original data only by an authorized party. The original information therefore never enters the merchant’s system; only the generated tokens do. The tokens are transmitted to the payment processor, who is the only actor capable of de-tokenizing the received data and authorizing the payment.

Secure Electronic Transaction (SET) Protocol

The SET protocol was developed as a single standard for secure electronic payment transactions. It was meant to reinforce, and eliminate the drawbacks of, the widespread SSL protocol, which secures the communication channel between the merchant and the customer but does not provide the level of security needed nowadays. SET was developed in response to the demand for a stronger authentication procedure and a guarantee of the confidentiality of information. It was developed by Visa and MasterCard in close collaboration and was widely supported by top vendors such as IBM and Microsoft. A SET transaction involves three participants: the merchant, the customer and the bank. With SET, a user is given an electronic wallet holding a digital certificate with its own unique public key, and a transaction is conducted and verified using a combination of digital certificates and digital signatures among the three above-mentioned actors. After placing an order, the customer’s SET-enabled browser first confirms that the merchant’s certificate is valid.
The browser then sends the merchant a message containing the order information, encrypted with the merchant's public key; the payment information, encrypted with the bank's public key (so the merchant cannot read it); and information that ensures the payment can only be used with this particular order. After receiving the order message, the merchant sends it to the bank together with the bank's public key, the customer's payment information (which the merchant cannot decode) and the merchant's certificate. The bank verifies the merchant and the message and adds its digital signature as authorization. The payment process is complete – the merchant can start fulfilling the order.

The Payment Card Industry Data Security Standard (PCI DSS) and its framework

PCI DSS is a regulatory framework created and put in place to protect consumers and businesses. It provides a universal standard for how to handle, use and store credit card information. The standard was adopted in 2004 by the major credit card companies, namely Visa, MasterCard, Discover Financial Services, JCB International and American Express, in response to the growing amount of fraud in online shopping. The payment card industry (PCI) uses four merchant levels based on the number of annual transactions. Once assigned, the merchant level determines the amount of assessment and security validation required for the merchant to achieve PCI DSS compliance.
The verification process may seem overcomplicated, and achieving a compliance level is not easy. So is there any gain for a business in obtaining PCI DSS compliance?
PCI DSS provides a baseline of security requirements that helps businesses know what to do and where to start with their security program. Keeping customer data safe is important not only for the customer, whose data can be stolen. It is important for the reputation of your business, which displays its PCI DSS compliance on the website, thereby stating that your security level is high and has been validated by unbiased agents. It also matters for your financial situation: if a customer declares that his bank data has been stolen and used for a purchase on your website, you will be liable for a chargeback fee in addition to providing reimbursement to the customer. Moreover, such a data breach on your website may lead to lawsuits, as in the well-known case of Wyndham Hotels and Resorts, whose website was breached three times and which finally faced a lawsuit from the Federal Trade Agency for its lax data security.[iii]

Wrap Up

The boom in online financial transactions goes hand in hand with a corresponding boom in Internet fraud. All online businesses face this problem, because even after taking precautionary measures, you and your customers are still susceptible to attack and data breach. But the potential risk you face once your business enters the Internet doesn’t mean that you shouldn’t implement top-level security standards. You are responsible for how you handle customer data, and it is better for everyone if this responsibility is taken seriously. Being compliant with high-level security requirements will definitely do you good in the eyes of your customers – and for your own sake: even if a data breach happens, you will be considered a victim of the situation and not an irresponsible retailer, especially when this irresponsibility can cost too much.
February 2018