Why we don't take your credit card number over the Internet, and why you shouldn't give it to anyone on the Internet.
Plus: Cybercash and a note for merchants
The Internet is not a secure network. Anyone could be listening to Internet traffic, and pulling off whatever information they want, whether it was addressed to them or not. This includes someone interested in using your credit card on a shopping spree.
A number of companies are working on secure commerce servers, i.e. web servers with some form of encryption to try to encode credit card numbers. In fact, this is one of the areas of the Internet undergoing almost daily development and the answers seem closer every day. Unfortunately, the answer is not yet in hand, and there would not be so much R&D in this area if it were. Soon, there will be a truly reliable credit card encryption system, and when that day arrives, we as merchants will use it. But until then, consider the position you and we are in. Recently, VISA entered into a joint venture to establish a secure transaction standard. If the answer were in hand, we would not be reading of the fast pace of developments in this area.
As a credit card holder, you are bound by the contract you signed with your credit card company (usually a bank) to safeguard your credit card number. If you are surprised to learn of a few thousand dollars charged to your account by a stranger, the bank will not just write it off. First they will call you and ask you some questions. If you allowed your sister to go shopping with your card but didn't realize how much she would spend, the bank will tell you that is between you and your sister. You still owe the bank. If you put your credit card number on an insecure network like the Internet, will the bank also tell you that you are responsible for the resulting charges? Maybe and maybe not - the question is too new to have an answer you can count on. Why find out when you can do so much secure business on the Internet without giving away your credit card?
If you feel there's nothing to worry about, we ask you to run two quick experiments. First, call your credit card company and ask if you would be responsible if a merchant's employee sees your credit card number on a sales slip and uses it without your knowledge. You'll get a simple and straight answer that you will not have to pay for such an employee's shopping spree. Second, ask that same person if you would also be "off the hook" in the event of Internet fraud. You will hear "we're looking into that" or "we'd have to look at that on a case-by-case basis" or an honest "we don't know", but you are unlikely to get a straight answer. Bankers are risk-averse people, and the Internet is too new for them to assess the risks or to have much legal precedent.
Finally, is it important to conclude your purchase on the Internet by sending your credit card number? Most of the utility of shopping on the Internet is looking over the merchandise. You can learn all the facts, compare vendors, see pictures of products, get presale questions answered via email, and perhaps type your order to make sure your name and address are spelled correctly. How important is it that you conclude the exercise by sending your credit card number as well? How much value do you compromise if the vendor calls you back on a secure voice line to take your credit card number shortly after you place your Internet order? Moreover, such a callback is the only sure way to confirm:
Several vendors are providing various forms of a debit card, the most popular Internet version being cybercash. These are great ideas on and off the Internet for small purchases.
Debit cards are becoming popular as prepaid phone cards because your risk is limited to the amount prepaid on the card. It's also great for the vendor because there are almost no merchant disputes as with credit cards. As long as someone, anyone, places the order using your debit card number and your password, the deal is the same as cash. You'll keep maybe $50 on a debit card the same way you'll keep $50 cash in your wallet, and this is also why you won't keep $5000 on a debit card any more than you'll keep $5000 in your wallet. You will, however, keep a $5000 credit limit on your credit card because you don't want that to disappear without recourse. This is why we don't use cybercash for products or services that can sell for over $100 - we don't see customers with that much cybercash now or in the future.
From the marketing perspective, the main disadvantage to cybercash and debit cards is that the web page can rarely consummate the sale unless the customer already comes equipped with one of the competing cybercash standards that we are prepared to accept. Otherwise, the web page marketing ends by asking the customer to go away, secure a cybercash account, and then come back to make the purchase. Until we see more customers showing up with cybercash, we'll let them fill in the order without the payment information, and then call them back for payment. This asks customers to do the least work for us when they place their order.
If you are a merchant, you need to consider the risk of credit card transactions from a different perspective. Although the concept of a secure credit card transaction is interesting to discuss, the final word is in your contract with your merchant bank. That contract spells out the transaction steps you must follow - or the bank may rule against you automatically in a merchant dispute. For example, if you don't obtain an authorization code for purchases over $50 or don't get a separate signature on a mail order, the bank can and often will refuse the draft. Your contract always has a clause to state that any credit card transaction not explicitly described in your contract is not covered. This is to discourage creative merchants from coming up with risky new transaction types. Unfortunately, the Internet is too new to be covered in most contracts, thus allowing your merchant bank a way to leave you holding the bag.
This does not mean your bank will never side with you on an Internet transaction, but put yourself in their shoes. Let's say the bank receives a merchant dispute letter from a credit card customer. The bank doesn't want to be a defendant in Small Claims Court, and technically your contract gives them a way out. Will your bank choose to be your friend?
Consider that a refused draft is not the worst that could happen. Certainly the customer in Kansas has your product and the bank has said you're on your own to collect. But let's say the bank calls you with a different problem. A credit card has just been hit with $10,000 in fraudulent charges, and you were one of the last merchants to accept a charge from the legitimate card holder. The bank learns you took the card number over the Internet, an insecure communication network. Will you or your high-priced lawyer have to explain the Internet to a poker-faced bank officer or to a judge, and why you were not at fault? Will they let you off because you had a great encryption scheme and a "secure" commerce server? Will they have a clue what those things are? To the vendors of such "secure" transaction systems, we suggest you pose the only question that matters, "Will you indemnify me against any suit that alleges your system compromised credit card security?" This is a fascinating but evolving area of law, but we don't want to help foot the bill for the learning curve.
Back to adding value for your customer: is it that much of an expense to call back your customer to confirm the order, obtain a credit card number, and have a human ask them if they're satisfied?