Using Credit Cards on the Internet - Is it secure?

So often, as an ISP we hear our customers say "I won't use my credit card on the Internet ... It's not safe". We'd like to set the record straight. We believe that the use of credit cards on the Internet is SAFER than processing transactions in-store, providing that you're careful about what you do. This is no different to any other aspect of life.


First, let's see just how vulnerable credit cards are to abuse EVEN IF YOU NEVER USE THEM!


Credit card numbers are generated using a known prefix of digits (for example, Visa card numbers commonly start 4546, Mastercard 5313, etc.). They conform to a known length, and the part of the number after the prefix consists of random digits, except the last digit. The value of the last digit is calculated mathematically using an algorithm called Luhn modulus 10. Armed with this information, a would-be fraudster can generate valid credit card numbers en masse. It's only a matter of time before they find one that has funds available. It could be yours - or mine. Clever fraudsters will also use sources of information like merchant card warning bulletins to determine more digits of card numbers currently in circulation.


With the prevalence of telephone, mail order and Internet transactions, it's not unusual for credit card merchants to supply goods and services without sighting your credit card, and therefore without being able to verify your signature. Such transactions are prone to fraud from generated card numbers. Certainly, there are mechanisms in place to protect consumers from such fraud, but if nothing else, being the victim is certainly inconvenient.


So you see, it's very easy for someone to randomly generate credit card numbers, and use them to generate fraudulent transactions against real credit card accounts. It's probably also pretty easy for such folks to get caught. After all, not all of the numbers that they generate will lead to real accounts. It's much easier to collect real credit card numbers.


In-store transactions are vulnerable to security breaches, perhaps more than any of us would care to know. We've probably all heard the stories of rogue employees who swiped cards through a magnetic stripe reader in their pocket. Merchants without an EFT terminal are even more prone to such "skimming". Those paper vouchers record your whole card number and its expiry date after all, and merchants are required to retain them for up to 12 months - with a copy of your signature. And after the 12 months is up? Those vouchers are generally just thrown in the bin. Do you see the problem here? These systems are vulnerable in many ways, and from many sources.


By comparison, online transactions are relatively safe. You should be careful though to consider the following safeguards:


First, always ensure that when you provide your credit card details, you're dealing with a "secure site". Such a site will cause most web browsers to display a small padlock icon in the status line at the bottom of their window. This indicates that data transferred between the web server and you is ENCRYPTED. You can click on the padlock icon to see details of the security being used. This encryption makes it very hard to intercept your card number during transmission. It's much easier to find credit card numbers "in-store", or after transactions are processed, in a database - see below.


Next, wherever possible, deal with companies who will process your transactions in "real-time". If the transaction is not approved while-you-wait, there's a chance that it's manually processed. That usually involves a human, and that usually means that you're as vulnerable as you are "in-store".


Finally, deal only with companies whom you know and trust, who you have been referred to, or who have a reputation as being reliable to deal with. Ultimately, if you're not sure who you're dealing with, make contact by email or phone first and look for any signs that might be warning bells.


At Virtual Access, our transaction processing is done using SSL encryption and realtime processing for your security. When you make a payment online, you enter your details using our secure (SSL) server - the information is encrypted by your computer before it is sent to us. Our server is able to decrypt the information because it has the key required to do this in its SSL certificate. The information is then re-encrypted using SSL and sent to our credit card processor, eMatters (www.ematters.com.au). eMatters then links directly to our bank via private communication links that operate to bank specifications. The bank sends back a code - indicating whether the transaction was approved - which is passed back to us, then on to you.


To further protect your security, eMatters does not store credit card numbers once the transaction is completed (which usually takes just a few seconds). Virtual Access stores only enough information to allow for bank reconciliation and query resolution. This means that we retain only a partial credit card number - the first and last 4 digits of the number, and the expiry date - after processing is completed. This is obviously insufficient detail to enable us to process further transactions. (Note: If you have asked us to process recurring transactions as they are required, then obviously the whole number and expiry date are stored.)
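
The Luhn modulus 10 check mentioned earlier and the partial-number retention described above, sketched as an added example (this is not Virtual Access's or eMatters' code). The function names, the 12 to 19 digit length range, the asterisk masking and the sample number (a widely published test value, not a real account) are assumptions.

```python
from dataclasses import dataclass


def luhn_valid(pan: str) -> bool:
    """Luhn modulus 10 check. It catches typing errors only; passing it
    says nothing about whether an account exists or has funds."""
    # Assumed length range of 12-19 digits; the page only says "a known length".
    if not (pan.isascii() and pan.isdigit() and 12 <= len(pan) <= 19):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:      # every second digit, counting from the right
            d *= 2
            if d > 9:       # same as adding the two digits of the product
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class StoredCard:
    masked_pan: str   # first 4 + last 4 digits only, as the page describes
    expiry: str


def record_for_storage(raw_pan: str, expiry: str) -> StoredCard:
    """Build the record kept after processing: a partial number and the
    expiry date, which is not enough to run another transaction."""
    pan = raw_pan.replace(" ", "").replace("-", "")
    if not luhn_valid(pan):
        raise ValueError("card number fails the Luhn check (likely a typo)")
    masked = pan[:4] + "*" * (len(pan) - 8) + pan[-4:]
    return StoredCard(masked_pan=masked, expiry=expiry)


if __name__ == "__main__":
    # Constructed sample input: a public test number, not a real card.
    print(record_for_storage("4111 1111 1111 1111", "12/30"))
```

Because the check digit is public arithmetic, the Luhn test is only an input-validation step; the real-time approval from the bank is what decides whether a transaction is genuine.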


We also log the Internet address details of each computer requesting transactions to be processed. This information can be traced if required at a later stage, and effectively discourages fraudulent activity.


What we do, and what has been described above, is technical. To the uninitiated it's daunting. Having been involved in the Internet business now for over 13 years, with much activity in that time centering around payment processing, banks, web sites and the like, we've got a fair handle on the technology though. We do all this so that you don't have to worry, and we're always on the lookout for ways to make systems even better. After all, improving the systems may mean peace of mind for you, but for us it also means reducing risks.


Of course, if you're still not convinced, you're welcome to call us and make a payment if you prefer. (It should be noted that if you do call us to make a payment, we end up processing the details in the same manner as described above - we no longer have the tools required to process credit card payments any other way.)