MerchantSelect
 

Information Security

Have you ever wondered where your credit card information goes after you submit it to pay for an online purchase? Although you may think that the data goes directly to the merchant, as it passes over the Internet it actually travels through intermediary networks before it reaches its targeted location. As a result, the Internet is often referred to as an ‘open’ system.

Due to the open nature of the Internet there is increased security risk. For instance, when customers provide their credit card information over the Internet to purchase online, this data is at risk of being intercepted as it travels from the customer’s site to the merchant’s site. If the data is intercepted, the order can be stopped, the payment information can be altered, or someone other than the cardholder can use the credit card information.

Six main security elements are required in an E-commerce transaction. From a consumer’s perspective, they are as follows:

Non-repudiation: The consumer cannot deny having made an order.
Confidentiality: The consumer’s personal information is protected from unauthorized access as it travels through intermediary networks and computers.
Access Control: The consumer’s personal information can only be accessed by those who are supposed to have access.
Integrity: The consumer’s personal information is protected from unauthorized modifications.
Authentication: The identity of the consumer is verified.
Availability: The consumer is assured that the system and data are accessible when needed.

ENCRYPTION

To aid in the process of effectively protecting data as it is transmitted over the Internet, encryption techniques are available. Encryption is the transformation of data into an unreadable form that cannot be interpreted without the corresponding key. Two common encryption techniques are private (secret/symmetric) key and public (asymmetric) key cryptography.

Private Key Cryptography

In private key encryption, both the merchant and consumer share a private key that is used to encrypt and decrypt data. Private key systems are simpler and faster. The main drawback is the distribution and management of the keys. Imagine having thousands of customers who require their own key. You would need to devise a method that ensures each person receives a key and that the key is managed appropriately. Hence, private key systems are best for small networks where the parties know each other and can trust each other with the keys.

Public Key Cryptography

Public key encryption uses two keys - a public key that encrypts the message and a private key that decrypts the message. Both the consumer and merchant would have their own pair. The public key is stored in a key repository with a certification authority (trusted third party) and is publicly available, while the private key is retained by the user.

For instance, a customer uses his or her credit card to make an online purchase. The merchant’s public key is used to encrypt the customer’s credit card information. When the merchant receives the encrypted data it is decrypted with the merchant’s private key.
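The two approaches described above (the shared private key of the previous section and the merchant-public-key flow just described) side by side, as an added example that is not part of the original article. It uses Go because its standard library carries both AES and RSA with no extra dependencies; the card payload is a constructed sample built around a well-known test card number, not real customer data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed sample checkout payload. The card number is a well-known test
// value, not a real account.
const sampleCardData = "PAN=4111111111111111;EXP=12/29;AMOUNT=49.95"

// ---- Private (symmetric) key: merchant and customer share one secret ----

// newSharedKey makes a 256-bit AES key. Every customer would need their own
// copy delivered securely, which is the key-distribution problem the text describes.
func newSharedKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// sharedKeyEncrypt seals plaintext with AES-GCM and prepends the random nonce.
// GCM also authenticates the ciphertext, so a message altered in transit is
// rejected on decryption instead of yielding changed card data.
func sharedKeyEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// sharedKeyDecrypt reverses sharedKeyEncrypt; it fails on a wrong key or on a
// ciphertext modified after sealing.
func sharedKeyDecrypt(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// ---- Public (asymmetric) key: merchant publishes one key, keeps the other ----

// newMerchantKeyPair generates the merchant's RSA key pair. Only the public
// half is published (in a repository or certificate); the private half stays
// with the merchant.
func newMerchantKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// customerEncrypt runs on the customer's side: card data is encrypted with the
// merchant's public key (RSA-OAEP with SHA-256), so only the merchant can read it.
func customerEncrypt(merchantPub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, merchantPub, plaintext, nil)
}

// merchantDecrypt recovers the card data with the merchant's private key.
func merchantDecrypt(merchantPriv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, merchantPriv, ciphertext, nil)
}

func main() {
	merchant, err := newMerchantKeyPair()
	if err != nil {
		panic(err)
	}
	ct, _ := customerEncrypt(&merchant.PublicKey, []byte(sampleCardData))
	pt, _ := merchantDecrypt(merchant, ct)
	fmt.Println("merchant recovered:", string(pt))

	// A different merchant's private key cannot open it.
	other, _ := newMerchantKeyPair()
	_, err = merchantDecrypt(other, ct)
	fmt.Println("decrypt with wrong private key:", err)
}
```

Note the asymmetry: the customer needs nothing secret to use customerEncrypt, only the merchant's published key, whereas sharedKeyEncrypt requires the same secret to be present on both ends before the first message is sent.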

The main advantages of a public key system are that it supports digital certificates and digital signatures, and it provides all security elements required for an E-commerce transaction. The main disadvantages are that it uses more computer resources than private key cryptography, which means it is slower, and it is more costly to implement.

Public key cryptography provides the ability to use both digital certificates and digital signatures. A digital certificate can be attached to an e-mail or read within a computer application such as a browser, and is used to verify the identity of the certificate’s owner. It also provides proof of credibility, as it is obtained from a certification authority like Verisign. However, it is up to the consumer to understand the process used to authenticate the certificate owner. There are different certificate levels available, which means that some certificate owners may not be as trustworthy as others.

A digital signature aims to duplicate the process used for physical signatures by ensuring that a message arrives in its original form. It also validates the identity of the sender.
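A digital signature in working form, as an added example that is not from the original article: the customer signs an order with a private key and the merchant checks it with only the public key, which covers three of the six elements listed at the top (integrity, authentication and non-repudiation). The order string is a constructed sample; RSA-PSS over SHA-256 is the author's choice of scheme here, not something the article specifies.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Constructed sample order exactly as the customer submitted it.
const sampleOrder = "ORDER=1001;ITEM=SKU-42;QTY=1;AMOUNT=49.95"

// newCustomerKeyPair generates the customer's signing key pair. A digital
// certificate would bind the public half to the customer's identity.
func newCustomerKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// signOrder hashes the order with SHA-256 and signs the digest with the
// customer's private key (RSA-PSS). Only the private-key holder can produce it.
func signOrder(customerPriv *rsa.PrivateKey, order []byte) ([]byte, error) {
	digest := sha256.Sum256(order)
	return rsa.SignPSS(rand.Reader, customerPriv, crypto.SHA256, digest[:], nil)
}

// verifyOrder is the merchant's check and needs only the customer's public key.
// true means the order is byte-for-byte what was signed (integrity) and was
// signed by the holder of the matching private key (authentication), which is
// what lets the merchant hold the customer to the order (non-repudiation).
func verifyOrder(customerPub *rsa.PublicKey, order, signature []byte) bool {
	digest := sha256.Sum256(order)
	return rsa.VerifyPSS(customerPub, crypto.SHA256, digest[:], signature, nil) == nil
}

func main() {
	customer, err := newCustomerKeyPair()
	if err != nil {
		panic(err)
	}
	sig, _ := signOrder(customer, []byte(sampleOrder))
	fmt.Println("original verifies:", verifyOrder(&customer.PublicKey, []byte(sampleOrder), sig))

	// The amount is changed in transit: the signature no longer matches.
	tampered := []byte("ORDER=1001;ITEM=SKU-42;QTY=1;AMOUNT=4995")
	fmt.Println("tampered verifies:", verifyOrder(&customer.PublicKey, tampered, sig))

	// A signature made with a different key pair is rejected as well.
	someoneElse, _ := newCustomerKeyPair()
	otherSig, _ := signOrder(someoneElse, []byte(sampleOrder))
	fmt.Println("other key's signature verifies:", verifyOrder(&customer.PublicKey, []byte(sampleOrder), otherSig))
}
```

The signature protects the message as signed, not the channel, so it still holds after the order has been stored, forwarded or logged; that is what makes it usable as evidence later, whereas the connection-level protection of SSL ends when the session does.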

SECURE SOCKETS LAYER (SSL)

SSL is an example of an industry-wide encryption standard, used worldwide in E-commerce transactions to protect the online submission of sensitive customer information such as credit card details. SSL uses public key encryption, including digital certificates.

Today, all web browsers support SSL. It is essentially transparent to users, apart from an icon (a lock or key) at the bottom of the browser window that indicates when the connection is secured.
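What the browser's lock icon stands for, as an added example that is not from the original article: a complete TLS session (TLS is the successor to SSL and what Go's crypto/tls implements) between a merchant server and a customer client on the loopback interface. The merchant presents a certificate; the client sends the card data only if that certificate chains to an authority it trusts, which is the certificate-level trust decision the earlier section says rests with the consumer. The host name shop.example, the self-signed certificate and the card number are all constructed for the example; in production the certificate would come from a certification authority the browser already trusts.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"time"
)

// merchantHost is a hypothetical host name used both in the certificate and
// for the client's server-name check.
const merchantHost = "shop.example"

// newMerchantCert builds a self-signed certificate for the merchant. Whether
// the client trusts it is decided by the root pool the client is given.
func newMerchantCert(host string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// checkout runs one TLS session over the loopback interface. The server
// presents serverCert; the client accepts it only if it chains to one of the
// given roots. On success the card data is sent and the server's copy is
// returned; on a failed handshake nothing leaves the client.
func checkout(serverCert tls.Certificate, roots *x509.CertPool, cardData string) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{serverCert}})
	if err != nil {
		return "", err
	}
	defer ln.Close()

	received := make(chan string, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			received <- ""
			return
		}
		defer conn.Close()
		b, _ := io.ReadAll(conn) // the server-side handshake runs on the first read
		received <- string(b)
	}()

	client, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{ServerName: merchantHost, RootCAs: roots})
	if err != nil {
		return "", err // certificate rejected: handshake fails before any data is sent
	}
	_, err = io.WriteString(client, cardData)
	client.Close()
	if err != nil {
		return "", err
	}
	return <-received, nil
}

func main() {
	serverCert, leaf, err := newMerchantCert(merchantHost)
	if err != nil {
		panic(err)
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(leaf) // the customer's browser trusts the issuer of this certificate
	got, err := checkout(serverCert, trusted, "PAN=4111111111111111")
	fmt.Printf("trusted certificate: server received %q, err=%v\n", got, err)

	// An empty root pool stands for a browser that does not trust the issuer.
	_, err = checkout(serverCert, x509.NewCertPool(), "PAN=4111111111111111")
	fmt.Println("untrusted certificate:", err)
}
```

The important behaviour is in the second call: an untrusted certificate does not produce a weaker session, it produces no session, and the card data is never written to the wire. The browser's lock icon is the visible sign that the first path, not the second, was taken.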

SECURE ELECTRONIC TRANSACTIONS (SET)

Secure Electronic Transaction (SET) was launched in 1997 by MasterCard and Visa and, like SSL, involves the use of public key encryption.

The main difference between SET and SSL is that SET uses digital certificates for all involved parties, unlike SSL, which has only recently introduced this feature in its newer versions. As a result, SET provides better authentication. As well, SET has better overall security. Unfortunately, it does have its drawbacks, including complex implementation and higher costs than SSL.