When can you Trust an online transaction?

1 10 2011

by Fahad Alkhowaiter

Is your credit card information stored with other companies like Apple or Zipcar? Can you trust them with your information? A big, reputable company like Sony failed to protect its customers’ credit card information; what prevents other companies from failing in the same way? In fact, how should companies prove to their customers that they can be trusted to hold their information securely? How can those companies communicate this in a manner the average internet user can easily understand? Actually, do companies need to store credit card information at all? If they do, for how long can they legally keep it?

Nowadays, people simply enter their credit card information to get goods or services online. After that, they are unaware of what happens to it. Personally, I want to know if my information is protected, because whoever gets this information can steal my money easily. The solution is for all companies dealing with credit cards to adopt the PCI (Payment Card Industry) standard. Currently, PCI is used, but not in a mature way.

Before I explain how the PCI standard can be used for this purpose, I want to give a brief overview of PCI. There are several PCI compliance levels, depending on how credit cards are handled. For example, companies that process and store credit card information fall into a PCI level with many security requirements. On the other hand, companies that use the credit card only for a single purchase and do not store credit card information, or that use a third party (like PayPal) to process payments for them, have less strict requirements.

Whenever I shop for things on the internet, I rarely see “PCI Compliant” displayed by companies providing online payment services. The average user should know whether the company processing his/her critical information is PCI compliant, whether it is a big reputable company like Apple.com or a small unknown business like hotelseval.com. In the future, the average internet user should know what the PCI standard is.

Currently, the PCI body provides a list of companies that can “assess” whether you are PCI compliant. Press on this link to access those companies. We need a more formal way to “certify” rather than “assess”. That way, customers can be more assured and companies will be under more pressure to adopt security.

In addition, each company needs to display its PCI category to customers so they know what level of clearance that company has. So, if a certain company has PCI clearance to process payments through a third party, it should state that level of clearance. This should be displayed in very simple language understandable to the average internet user, so that consumers know what they are getting themselves into before providing their data.

I want to shed light on the retention period for credit card information. The retention period should be clearly stated when paying. Credit card information should be kept only when needed. No company should hold credit card information for more than a year except after prompting the user and requesting his/her permission. In this way, we guarantee that no company holds credit card information it doesn’t need. For example, this article clearly states that Sony lost credit card data dating from 2007! Why would Sony keep such information for this long? Sony should be sued for this.

In order to improve security for online shoppers, PCI needs a more formal footing: there should be a certification body that conducts periodic audits. In addition, PCI should provide a portal where the average user can look up the level of PCI clearance of any company he/she deals with. Finally, the PCI standard should force companies to explain their handling of credit card information in a brief, clear way during payment, not embedded in a long terms and conditions list. An example of such information is, “We will be storing your credit card information securely for 3 months to make sure we process your transaction properly. After that it will be deleted permanently”.
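The retention rule proposed above, turned into an added example (not part of the original post) that sweeps stored card records and decides whether each one is kept, purged, or needs the user's permission to be kept any longer; the record layout, the one-year cap, the 30-day prompt window and all sample records are assumptions made here:

```python
# Added example (not from the original post): a retention sweep enforcing the
# rules proposed above; record layout and sample data are constructed here.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

HARD_CAP_DAYS = 365     # the post's ceiling: at most a year without asking the user
PROMPT_LEAD_DAYS = 30   # ask for permission this many days before expiry

@dataclass
class StoredCard:
    customer_id: str
    captured_on: date
    disclosed_retention_days: int                   # e.g. "stored for 3 months" at checkout
    consent_extended_until: Optional[date] = None   # set only after the user agreed

def expiry_date(card: StoredCard) -> date:
    """Last day the data may be kept: the disclosed period, capped at one year,
    unless the customer explicitly agreed to a later date."""
    disclosed = min(card.disclosed_retention_days, HARD_CAP_DAYS)
    base = card.captured_on + timedelta(days=disclosed)
    if card.consent_extended_until and card.consent_extended_until > base:
        return card.consent_extended_until
    return base

def classify(card: StoredCard, today: date) -> str:
    """Return 'purge', 'prompt' or 'keep' for one stored record."""
    expires = expiry_date(card)
    if today > expires:
        return "purge"      # past its stated period: delete, never silently keep
    if (expires - today).days <= PROMPT_LEAD_DAYS:
        return "prompt"     # about to expire: ask the user, do not just extend
    return "keep"

def sweep(cards, today):
    """Group record ids by required action so the purge can be applied and logged."""
    actions = {"purge": [], "prompt": [], "keep": []}
    for card in cards:
        actions[classify(card, today)].append(card.customer_id)
    return actions

def sample_sweep():
    """Constructed records showing each outcome, as of 2011-10-01."""
    cards = [
        StoredCard("a", date(2011, 8, 15), 90),                       # 3-month promise, fresh
        StoredCard("b", date(2007, 3, 1), 90),                        # held since 2007: purge
        StoredCard("c", date(2010, 10, 15), 9999),                    # capped at a year, nearly due
        StoredCard("d", date(2010, 10, 15), 9999, date(2012, 1, 1)),  # user agreed to extend
    ]
    return sweep(cards, date(2011, 10, 1))
```

Run such a sweep on a schedule and log the purge and prompt lists, so the retention period promised at checkout is something the merchant can demonstrate rather than just state.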
