Web Security, Privacy and Commerce, 2nd Edition
25.3 How to Evaluate a Credit Card Payment System
There are many credit card systems being developed for web commerce; any list here would surely be out of date before this book appears in bookstores. Instead, we have listed some questions to ask yourself and your vendors when trying to evaluate any payment system:
- If the system stores credit card numbers on the consumer's computer, are they stored encrypted? They should be. Otherwise, a person who has access to the consumer's computer will have access to personal, valuable, and easily abused information.
- If the system uses credit card numbers, are they stored on the server? They should not be stored unless recurring charges are expected. If the numbers are stored, they should be stored encrypted. Otherwise, anyone who has access to the server will be able to steal hundreds or thousands of credit card numbers at a time.
- Are stored credit card numbers purged from the system after the transaction is completed? If a transaction is not recurring, they should be. Otherwise, a customer could be double-billed either accidentally or intentionally by a rogue employee.
- Does the system test the check digit of the supplied credit card number when the numbers are entered? It should, as it is easier to correct data-entry errors when they are made (and, presumably, while the customer's card is still out), than later, when the charges are submitted.
- Can the system do preauthorizations in real time? This is a feature that depends on your situation. If you are selling a physical good or delivering information over the Internet, you may wish to have instantaneous authorizations. But if you are running a subscription-based web site, you may be able to accept a delay of minutes or even hours between making an authorization request and receiving a result. Some banks may charge a premium for real-time authorizations.
- How does the system handle credits? From time to time, you will need to issue credits onto consumer credit cards. How easy is it to initiate a credit? Does the system place any limits on the amount of money that can be credited to a consumer? Does the system require that there be a matching charge for every credit? Is a special password required for a credit? Are there any notifications or reports that are created after a credit is issued? Issuing credits to a friend's credit card is the easiest way for an employee to steal money from a business.
- How does the system handle charge-backs? If you are in business for any period of time, some of your customers will reverse charges. Does the charge-back automatically get entered into the customer's account, or must it be handled manually?
- What is really anonymous? What is private? Algorithms that are mathematically anonymous in theory can be embedded in larger systems that reveal the user's identity. Alternatively, identity can be revealed through other techniques, such as correlation of multiple log files.
The answers to these questions don't depend solely on the underlying technology: they depend on the particular implementation used by the merchant, and quite possibly also on the way that implementation is used.
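The check-digit question above refers to the Luhn algorithm used by payment card numbers. The following is an added example, not code from the book, showing the test a merchant's entry form can run before a charge is ever submitted; the card numbers in it are constructed or widely published test values, not real accounts.

```python
import re

# Added example (not from the book): a Luhn check-digit test of the kind the
# question above asks for, run at data-entry time before any charge is made.
# The card numbers used below are constructed / widely published test values.


def normalize(card_number: str) -> str:
    """Remove the spaces and dashes customers type; reject anything else."""
    cleaned = re.sub(r"[ -]", "", card_number)
    if not cleaned.isdigit():
        raise ValueError("card number may contain only digits, spaces or dashes")
    return cleaned


def _luhn_sum(digits: str) -> int:
    """Luhn sum: starting from the rightmost digit (the check digit), double
    every second digit moving left, subtract 9 from any doubled value above 9,
    then add everything up."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total


def luhn_valid(card_number: str) -> bool:
    """True if the last digit is a correct Luhn check digit for the rest.

    This catches keying mistakes only; it does not show that the account
    exists or has funds, so it is a data-entry check, not an authorization.
    """
    digits = normalize(card_number)
    return len(digits) >= 2 and _luhn_sum(digits) % 10 == 0


def luhn_check_digit(payload: str) -> str:
    """Compute the digit that makes payload + digit Luhn-valid."""
    # Appending a placeholder 0 puts the payload digits in their final positions.
    return str((10 - _luhn_sum(normalize(payload) + "0") % 10) % 10)


if __name__ == "__main__":
    samples = [("valid test number", "4012 8888 8888 1881"),
               ("one digit mistyped", "4012 8888 8888 1882"),
               ("two digits swapped", "4021 8888 8888 1881")]
    for label, number in samples:
        print(f"{label:20s} {number} -> {luhn_valid(number)}")
```

The Luhn check catches every single-digit error and almost every adjacent transposition (the one it misses is swapping 09 and 90), which is exactly the class of mistake a customer makes while reading a card aloud or typing it.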