That depends completely on who you are buying from & can range from not safe at all, to safer than handing your CC to a waiter.

WW_Watcher

>> I know you will

It's not safe at all - if you happen to have a bullseye on your back. I'd estimate a minimum of 50% of the online stores on the planet could be hacked in under an hour. The only reason they haven't been is because they don't have the traffic/sales to warrant a hacker/theif's attention. I submit that as your sales increase so does the bullseye on your back.

I submit that as your sales increase so does the bullseye on your back.

I would have to differ, no matter how large you are(just as a merchant), if you follow the rules using SSl and do not store any credit card information on your site(part of the rules), and allow the CC Processor to do all this for you(their job anyway), there is nothing to hack, nothing to steal, names and addresses, hardly worth the effort.

If you hand your CC Over to anyone who can scan/imprint your card, IMHO, you are at much greater risk than buying product off my website. If you call someone, trying to feel safer than just buying off a website and give them verbally, ALL of your information, name, card info, billing address, you are at the most risk of all.

As a consumer, it is difficult to tell which websites are safe & which are not, but if done properly, web purchases are safer than most human to human exchanges.

WW_Watcher

[edited by: WW_Watcher at 2:06 pm (utc) on Nov. 17, 2007]

It's always done through a third party provider I assume?

As a developer who has seen many "back end methods," the scary truth is no, it is not always so.

Recently I viewed source on a page. It looked to be well done, no corners cut in design and navigation, but when I got to the secure checkout page, the form POSTED to a NON-SECURE, shared version of a mailto.pl mailer!

Other systems I've seen in place store credit card info directly on the server, in plain text, on a shared server. Or email the info to the company. Bad. Very bad.

You can usually tell these by looking at the overall site: if it looks like the site owner went low-budget, or did it on their own, you can just about bet your data will be insecure. Most of the time this is because the merchant refuses to pay for a second account when they have an in-store terminal.

How safe is it really and how does the process work?

Larger established sites, or sites that have done the work to secure the data will be pretty obvious. They will have documentation on their site defining what is done to protect your data and it will be verifiable. They will have *their own* SSL cert, not one shared on a shared hosting server. We should not eliminate payPal-connected sites from this; if they are accepting payments via payPal, this is at least one of the *right* ways to accept payments securely for companies who would rather just get the CC info and process it manually.

The way is works is the payment processor is PCI compliant. (Google this.) Their networks and methods of storing/processing credit card information have been audited and have the highest possible degree of security.

A website connects to this processor via SSL. SSL is a method of encrypting the information transmitted to and from a server using 128 bit or 256 bit encryption. The web site will not store this information, it only sends it to the credit card processor and asks for a response. Based on the response, it will process or reject the order.

Larger companies **may** store credit card info, but then the responsibility becomes theirs to be PCI compliant.

Even the highest degree of security is not perfect. Anything can be hacked, but the likelihood is very slim if done correctly. For the most part, it can be a safe process.

Overall, buying online can be extremely safe. But it can also be extremely hazardous on poorly implemented web sites. So when buying from a site, if you're concerned, look around. See how they are doing things. When you get to checkout, don't be afraid to view source and look at the <form action=""> line. If you get a funny feeling, go with your instincts.

rocknbil
Excellent detailed post, spot on!

The Internet has a HUGE problem with the misconception that purchasing stuff online is not safe, compounded by people in a perceived position of authority, who say things like

It's not safe at all

Many websites are just about as safe as it gets using credit cards & statements like that do nothing but scare off possible customers & hurt the whole industry.

WW_Watcher

>> if you follow the rules

That's the issue. Many smaller shops don't follow the rules for one reason or another which leaves them open to exploitation.

But from a hacker's point of view, why bother with an ecommerce site in the first place? While I maintain that many of them are easy targets, why bother trying to get access to money in transit? It's better to hit the final destination - the banks.

Within the past 5 years:

Credit card database hacked - BBC 2003 [news.bbc.co.uk]
45 Million Credit Cards Hit By Hackers - CBS News 2007 [cbsnews.com]
40 Million Credit Card Numbers Hacked - Washington Post 2005 [washingtonpost.com]
Hackers steal credit card details from Roses Only database - ABC News (Australia) 2007 [abc.net.au]
How Credit-Card Numbers Are Stolen on the Web - Fox News 2006 [foxnews.com]

Great, I am impressed(not), I had no idea that there is a hacker who does not believe in e-commerce as a mod, in an e-commerce forum, why are you here?

The subject was about "How safe is e-commerce really", you are giving examples of what information was stolen from banks, all credit card users, not from websites, but ALL, even places that have no websites. Not even on topic.

Yes we had said that some, and I repeat *some* websites were not handling CC transactions safely, you are of the opinion that no use of credit cards is safe.

Perhaps you should do some research on how the vast majority of identity theft is done and actually used for fraud, it is not from hackers stealing from banks or websites, it is done closeup & personal. The vast majority of hackers do it for a thrill & to be able to brag to their friends, and would have no idea on what to do with what they took. Typically very smart, but no common sense, that is why they do what they do.

Last post in this forum, I will not further waste my time, I do not hang out in hackers forums, I do not wish to become a target.

WW_Watcher

I'm very sorry you feel that way.

I did not mean to mislead you. Yes, some of the CC info was from non-online transactions. I still believe the examples are relevant.

I do believe in ecommerce but I don't believe that ecommerce is as safe as some seem to feel it is and I think it is important to point out that just because a eStore owner buys a cart and SSL cert doesn't mean their setup is secure. There are so many details to ensure an online shop is secure - and not all of them are in the hands of the store owner. I've seen shopping carts with unencrypted cc numbers. I've been told by clients they don't want to delete the CC numbers because they want to hold on to it for some reason (bookkeeping, possible future charges, ease of use, etc.) I've seen hosting companies that don't update their webserver's OS when security patchers are released. I've seen all manner of honest mistakes and plain disregard for security issues. While the total number of people I've dealt with is only a fraction of the all ecommerce I suspect they aren't the only ones to take risks or make mistakes. Does this mean that all ecommerce is at risk. No. But I think it's misleading to say it's safe and secure.

So what exactly is the worst case financial risk to the buyer?

$50 in the U.S. in theory.

Zero as a practical matter, plus maybe some time to get things straightened out with your CC company.

Unfortunately, there are people (myself included), who do not always check their credit card statements. Therefore a fraudulent purchase may be missed altogether.

I agree that many small shops are generally unsafe. Many will just keep credit details on their server.

You should always check your credit card statements.

I agree with jsinger -- perfectly safe, at least in the U.S., for the buyer. A major headache for all the people involved in securing such data, but for the buyer using a credit card? Not a problem. I buy from all kinds of online sources. I've only had to do a chargeback once, and my credit card issuer acted promptly and with no hassles.

However: Never, but never, use a debit card for online purchase. If that number is stolen, you're in bad shape. The money is taken from your account immediately, and you don't have the legal protections that you get with a credit card. You're not likely to get your money back, and even if you eventually do get it back, you've been without your own money for all that time, which is likely to drag on for months.

Unfortunately, there are people (myself included), who do not always check their credit card statements. Therefore a fraudulent purchase may be missed altogether

For about 45 years, U.S. law has limited CC losses to $50. And CC companies never go after that.

Here's something I didn't know.
From (US) Federal Trade Commission site:
"Also, if the loss involves your credit card number, but not the card itself, you have no liability for unauthorized use."

I have 4 members of my family using my main card so statements are huge. But I scan it every month for unauthorized sellers which are easy to spot. We have many transactions but we usually shop the same 30 or so places. A bogus 3+ figure payment would never be missed.

More U.S. info on CC, ATMs, and debit card safety:
[ftc.gov...]

Ive never had a problem with an ecommerce store, only trojans on my PC capturing my CC details.

So Id say, and been buying for 10 years on line, very safe.

Let’s put this in proper perspective. There is risk with everything. There is a risk that while crossing the street in front of my house that I might get hit by a car. But should that stop me? Lorax’s comments make it sound like you have a 70% of having your identity stolen if you purchase anything online. The fact is that vast majority of identity theft doesn’t occur online. Most identity theft comes from people you know, from people who break into mail boxes, people who dig through your trash, people who break into homes and businesses, and steal computers and filing cabinets. I worry more about handing my card to a minimum wage employee in a restaurant, than I do shopping online from reputable websites.

The points made about using ssl, encryption, not storing the information are all spot on. These points also have their counter parts in the brick and mortar world which no one gives a second thought about. How many stores or restaurants do you think have your credit card info laying around somewhere in their back office? Is it encrypted? (the answer is no) Do you think they store it in a safe of a filing cabinet? Sounds a lot more dangerous to me.

As for Lorax’s post about hackers breaking in banks you could be a victim of that even if you didn’t shop online.

I have been buying things online for about 10 years and have never had a problem. You are more likely to have your card details stolen in a restaurant or physical shop.

I really think it depends what the checkout procedure is, is the merchant using your CC directly or Paypal or others like it? What are the security procedures that used while paying? Does he have only one method of payment or a few? Does the site look established or new? All these can contribute to your gut feeling of how safe it is to buy online....

The only losses that my family has experienced were when my mother's cards were stolen from her bag.

Just think about sending a cheque in the post, all your bank details printed on it, a copy of your signature and a covering letter with your address. A huge slice of the population regard that as secure but think the web is unsafe.

It is just as safe to use your credit card on the internet as it is to use it at a brick-and-mortar location. Our site has been hacked before, but we didn't sustain any losses because the credit card information is not made available to us. It goes straight to our credit card processor and we only get to see the last four digits of the number.

Running a software site, we do experience an unfortunate volume of fraud orders. Since the government doesn't seem to be able to effectively combat credit card fraud online, credit card companies give the funds back to consumers and leave companies holding the bag. It is so important to have a dedicated staff member to focus on your security. There are lots of tools out there that will help to identify whether an order is fraudulent, but you'll still have to do the manual work to fight internet thieves yourself.

The fact hasn't changed that the bulk of credit card information is stolen offline. Many crimes are inside jobs, or hackers obtain access to credit card information by posing as IT within large companies, or even dumpster diving. It's really not difficult to get credit card information if you know where to look.

Just think about sending a cheque in the post, all your bank details printed on it, a copy of your signature and a covering letter with your address. A huge slice of the population regard that as secure but think the web is unsafe.

I never thought about that. Just about everyday we get a phone call from a customer saying they do not want to use a credit card on our website but prefer to mail a cheque. Not that you pointed this out, you are correct, it is likely an insecure way of paying.

e-commerce is generally very safe and you are well protected as a consumer. Very occasionally though customers get scammed, identities do get stolen and it can be a real battle to sort out, especially as now in the UK you cannot report it to the police anymore, only the bank can.

Also small merchants with insecure processes get targetted and used to test which stolen cards work, usually in the ewarly hours when the owners are asleep!

My advice is always use a credit, not a debit card, dont buy ouside of your own country and dont be complacent.

You know it really doesn't matter really. Why all you have to do is a charge back dispute the charge cancel the credit card and it is over.

I have informed many customers of ours to get away from using a debit card. To get a credit card with 300 line and use it for all online buying. This will keep it safe as with any company no matter how large or how small there are holes usually an employee is the hole.

What I don't do is submit personal information SS number date of birth place of birth mother's maden name all that can be used to steal your idenity, this is the dangerous part stealing a CC number is chicken feed and easy to defend.

lorax you didn't do or say anything wrong WW_Watcher is most likely an ecommerce guy in a tight way and real touchy about it right now. We ecommerce owners get that way when sales arn't going well....

It's not safe at all - if you happen to have a bullseye on your back. I'd estimate a minimum of 50% of the online stores on the planet could be hacked in under an hour. The only reason they haven't been is because they don't have the traffic/sales to warrant a hacker/theif's attention. I submit that as your sales increase so does the bullseye on your back.

I agree and disagree with this. I think it is safe overall. At least as safe as any brick and mortar store.

Can most sites be hacked? Yes... Can most physical buildings be broken into? Yes... In fact I would argue more people have the skills to put a brick through a window and take whatever they want then there are people who have the skills to break into a site's DB.

Really it comes down to what info are they keeping? What is available to be taken?

I don't keep anything as far as credit card numbers or anything. There is no reason to at all other then convenience of the vendor.

All you could get from my DB is some purchasing patterns and contact info. Nothing you can't get from a phone book though in most cases.

Shop with me... you are really safe.

Merchants, be very aware of SQL injection attacks, Google it to get the low down, but certificates are no protection as the hacker can get into your database, if you store numbers for processing, then they get them, hence the delete rules.

If you have a SQL database storing customer payment details, I suggest you contact your web designer and ask if the database is secured against an injection attack.

I agree, merchants should also prepare for the "Brick through the Window" attack. Google it. people break into your store by using a brick to break the window.

Sorry couldn’t resist.

nothing is impenetrable...wipe out card data on a regular basis..

Okay, so two of the last three posts alluded to stored credit card data.

If your system is PCI compliant, you won't be worried about SQL injection because the programming has been audited and deemed secure against SQL injection and other vulerabilities.

If your credit card storage is NOT PCI compliant, then your sites are some of the ones that are the problem sites discussed in this thread. I suggest you Google for PCI compliance and stop storing credit card info, immediately, and understand what position you place your customers and yourself in.

Setting customer security and "safety in shopping" aside, there are very stiff ramifications that include fines and payment of fees in arrears if you are storing credit card info without the knowledge of your merchant provider, or otherwise in violation of your merchant account agreement. Further food for thought.

Deemed secure means nothing...We all need to be more vigilant than pci...