THE CUTTING EDGE / PERSONAL TECHNOLOGY : Easing the E-Commerce Jitters : Retailing: Though banks say buying online is as safe as buying at the mall, many consumers don’t believe it. Merchants make education a priority.

TIMES STAFF WRITER

E-commerce is already a $24-billion-a-year consumer business in the United States. But imagine how much bigger it could be if two out of three consumers who browse shopping sites weren’t afraid to give out their credit card numbers online.

The irony is that buying books, clothes or airline tickets on the Web now is as safe as handing over a credit card number to a waiter or making a catalog purchase over the phone, according to major credit card companies and banks.

And now that electronic commerce is a significant economic force, the federal government, merchants and consumer groups are forming coalitions to collect data on online fraud and educate consumers about the real risks when they use their credit card online.

Internet merchants also hope that positive word of mouth from consumers such as Van Nuys resident Tary Alpizar, who regularly shops on the Internet, will encourage more of the 27 million online households to take the e-commerce plunge.

Alpizar, who spent about $300 for household items on one site, relies on the Internet to help her buy videos and airline tickets and order documents such as birth certificates. “I’ve never had a problem,” Alpizar said, “but I only use secure sites, and my computer tells me if I have approached an unsecure site.”

About 95% of consumer online purchases in the U.S. are made with credit cards, according to Jupiter Communications, a market research firm in New York. Security experts agree that this method adequately protects consumers because banks that issue credit cards are required to reimburse cardholders for fraudulent online charges over $50, as they do for conventional retail purchases.

“Many online merchants are covering that $50, so the consumer’s liability is essentially zero,” said Ken Cassar, a digital commerce analyst at Jupiter.

The world’s largest credit card network, Visa USA Inc., said the rate of online credit card fraud is similar to that associated with traditional credit card purchases. Last year, Visa had a fraud rate of 0.7%, amounting to about $427 million of Visa’s $610 billion in retail transactions in the U.S.

An examination shows why it’s difficult for a thief to steal a credit card number during an online transaction.

* Consumers should be sure they’re using a secure Web site before making a transaction. A site is secure when a graphic that looks like a key or padlock in the lower corner of the browser is in the closed position and the letters “https” appear in the Web site address, instead of “http.”

Most sites use the Secure Sockets Layer (SSL) protocol developed several years ago by Netscape Communications to protect credit card information. But Visa and MasterCard are offering merchants a competing approach, called Secure Electronic Transaction. SET, they say, is even more secure because it uses digital signatures that allow consumer and merchant to verify each other’s identity.

* After you type in your credit card number, your browser communicates with the merchant’s server computer to figure out what level of encryption they have in common. The encryption process scrambles a consumer’s credit card number before it’s sent to the merchant. There are several levels of encryption: With 56-bit encryption, there are billions of possible “keys” to unscramble the information, but only one works. With 128-bit encryption, the number of false keys is virtually infinite.

* When the consumer’s browser and the merchant’s server settle on an encryption level, the scrambled credit card number--and perhaps your name, address and phone number--are sent to the merchant’s server.

* After the credit card number is decrypted by the merchant’s server, the merchant passes it on to the credit card issuer for billing and payment.
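
As an illustration added here (it is not from the article or from any vendor it quotes), the sketch below is a simplified model of the step in which browser and server settle on a shared encryption level, and of what the key length means for someone trying every key. The browser and server suite lists, the `min_bits` server floor and the guessing rate are assumptions made for the example.

```python
# Added example (not from the article): choosing a shared encryption level.
# The suite lists are constructed samples; names follow SSL 3.0 conventions.
SECONDS_PER_YEAR = 365 * 24 * 3600

# (suite name, key bits), as a constructed late-1990s browser might offer them
EXPORT_BROWSER = [
    ("SSL_RSA_EXPORT_WITH_RC4_40_MD5", 40),
    ("SSL_RSA_WITH_DES_CBC_SHA", 56),
]
DOMESTIC_BROWSER = [
    ("SSL_RSA_WITH_RC4_128_MD5", 128),
    ("SSL_RSA_WITH_DES_CBC_SHA", 56),
    ("SSL_RSA_EXPORT_WITH_RC4_40_MD5", 40),
]
MERCHANT_SERVER = list(DOMESTIC_BROWSER)  # hypothetical merchant configuration


def negotiate(client_offer, server_supported, min_bits=0):
    """Return the strongest suite both sides support, or None when the
    handshake must fail (nothing in common, or all below the server floor)."""
    common = [s for s in client_offer
              if s in server_supported and s[1] >= min_bits]
    return max(common, key=lambda s: s[1]) if common else None


def keyspace(bits):
    """Number of possible keys for a key of the given length."""
    return 2 ** bits


def years_to_search(bits, keys_per_second):
    """Worst-case exhaustive key search time at an assumed guessing rate."""
    return keyspace(bits) / keys_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    rate = 1e9  # assumed attacker speed in keys per second, for illustration
    for label, offer in (("domestic", DOMESTIC_BROWSER), ("export", EXPORT_BROWSER)):
        for floor in (0, 128):
            suite = negotiate(offer, MERCHANT_SERVER, min_bits=floor)
            if suite is None:
                print(f"{label} browser, floor {floor}: handshake refused")
            else:
                print(f"{label} browser, floor {floor}: {suite[0]}, "
                      f"{years_to_search(suite[1], rate):.3g} years to search")
```

A merchant that sets the floor to 128 bits turns away the weaker browser instead of silently accepting a 56-bit session, which is the trade-off between reach and protection that the negotiation step hides from the shopper.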

There are two places where credit card information can be stolen during this transaction: as it’s traveling through the Internet as an encrypted file and when it’s stored on the merchant’s server.

Online experts say they have yet to hear of someone’s credit card number being stolen while it was encrypted.

Hackers can steal credit card information if it’s stored unencrypted on a merchant’s server. But most online fraud occurs when people make purchases with stolen or fraudulent credit card numbers--fraud that’s no different from the offline variety.

One method crooks use to steal a credit card number is to masquerade as a security officer for a Web site and send out a survey asking people to confirm personal information, said Tom Arnold, chief technical officer at CyberSource, a San Jose-based company that designs online payment systems.

Merchants who sell digital products online, such as software, tend to suffer from the highest fraud rates--from 10% to 20% of all purchases. Web sites that sell electronics and gift certificates have a fraud rate of about 1%; others that hawk toys and other low-priced items have fraud rates under 1%, said Allen Jost, vice president of Internet risk management for EHNC, which tracks fraudulent transactions for Web merchants.

Consumers can also be victimized when buying something from an individual in an online auction and paying by money order or check, said Susan Grant, director of the Internet Fraud Watch program at the National Consumers League.

Because data on online fraud are so sparse, several groups are collecting complaints from consumers to track trends. Last week, HNC Software, the parent of EHNC, announced the formation of the Internet Fraud Prevention Advisory Council. The council will use EHNC software to gather statistics about fraudulent credit card transactions online.

On Wednesday, six companies, including Microsoft Corp., Netscape parent America Online and IBM, joined forces to try to boost confidence in online purchasing. Online merchants are also developing alternate payment methods to ease concerns about fraud.

One option allows consumers to bill their online purchases to a monthly statement from their phone company or Internet service provider. An electronic check system, under development primarily for business-to-business transactions, isn’t expected to be available to consumers for several years, said Frank Jaffe of Bank of Boston.

Analysts say it will take a similar length of time before most consumers are comfortable with handing over their credit cards online.

“It’s like ATM machines,” said Barry Parr, director of consumer e-commerce at International Data Corp. “It took a few years for consumers to adopt them and feel comfortable with taking cash out of a machine as opposed to talking with a human being. But once they did, they couldn’t live without them.”

(BEGIN TEXT OF INFOBOX / INFOGRAPHIC)

Charge!

Shopping online with a credit card is no riskier than making a conventional credit card purchase. When a consumer decides to buy something online, a four-step process ensues:

Step 1. Consumers enter information on a secure retail Web site.

Step 2. After a credit card number is entered, the consumer’s browser communicates with the merchant’s server to figure out what level of encryption they have in common. Encryption is used to scramble a consumer’s credit card information before it’s sent to the merchant.

Step 3. The scrambled credit card number then is sent to the merchant’s server.

Step 4. The credit card number is unscrambled, and the merchant passes it on to the credit card issuer for billing and payment.

Source: Netscape Communications Corp.

Net Sales

Projections for consumer-only e-commerce sales in the U.S., in billions:

2003: $75 billion

Source: International Data Corp.
