Western Knight Center for Specialized Journalism

Security and Protection of Internet Payments

Payment security issues concern not only the cardholder who pays for goods in an online store, but also the online store itself, the acquirer, the issuer, and, finally, the payment systems, which invest huge amounts of money in protection against fraud. What actions are being taken to create secure payment systems on the Internet, and what technological means of protection are used? And why, despite supposedly strong protection, do fraud and theft on the Internet continue to flourish? If you want to protect your e-commerce transactions properly, consider consulting a PCI compliance company; it is the best way to find out how to become PCI compliant.

Online Commerce: How Does the Payment System Work?

Recall that participants in payment systems are divided into issuing banks, which issue cards to holders, and acquiring banks, which ensure that issued cards are accepted at points of sale of goods and services (in a particular case, the issuer and the acquirer can be one credit institution or bank). Following this division, the interaction model is built as follows: the cardholder makes a purchase in a store; the store transmits the information from the card's magnetic stripe, in the form of a request, to the acquiring bank serving this store; from there, the request passes through the services of the payment system itself to the issuing bank.

The issuing bank checks the received information about the card and the holder, as well as the status of the authorization limit, and, based on the results of the check, allows (or does not allow) the transaction. A positive response from the issuing bank to the authorization request is a kind of guarantee that the acquiring bank will receive the funds and transfer them to the store's account. According to the rules of international payment systems in traditional trade, responsibility for fraudulent card transactions is distributed in approximately equal proportions between the issuing bank and the acquiring bank; that is, in the event of fraud, one of these two banks returns the debited funds to the holder.

In online commerce, the responsibility for fraudulent transactions is unequivocally borne by the acquirer, who in turn transfers it to the store. As a result, the refund to the cardholder is paid at the expense of the online store through which the fraudulent transaction passed. It follows that the most unprotected link in the payment scheme on the Internet is the online point of sale, since, ultimately, it is at its expense that the cardholder is reimbursed for losses. A significant number of online stores that accept cards for payment operate according to the described scheme, which implies the presence of some security mechanisms that can resist fraud relatively successfully.

Protocols and Other Security Methods

The measures taken by e-commerce participants to ensure secure payments on the Internet have always been quite diverse. First of all, there is training cardholders in the minimum skills needed for their own security: using only familiar Internet resources, studying the procedure for delivering goods and providing services, and checking that an Internet merchant uses certified protocols that guarantee the security of transmitted information. In addition to such simple methods of protection against fraud as educating cardholders, technological means are, of course, also used.

The SSL (Secure Sockets Layer) protocol, widely used and practically obligatory in Internet commerce, allows all merchants to easily transfer a variety of information. If an attempt is made to intercept the data, it is protected by a cipher that cannot be broken in any reasonable period.

A competent cardholder who uses Internet resources that sell goods and services will be wary of an e-commerce site that lacks SSL. SSL uses public-key encryption technology and digital certificates to identify the server involved in a transaction and to protect information as it travels from one side to the other over the Internet. SSL transactions do not require client authentication. Numerous attempts by international payment systems to make e-commerce settlements as secure as possible led to the emergence of the 3-D Secure protocol, developed by the Visa International payment system. 3-D Secure is a cardholder authentication protocol for purchases on the Internet, designed to ensure the security of Internet payments: the cardholder's identity is verified online.

Funded by the John S. and James L. Knight Foundation