Credit Cards and the Internet
I am often asked about the risks involved in sending credit
card information over the Internet.
I recently completed a three-year consulting contract
with Visa International, so I've been "on the inside" of the
credit card industry and I'm pretty familiar with the
issues. In my opinion, the whole issue of credit card
security on the Internet has been grossly overblown by the media.
To a large extent, I think it's a red herring. I am
comfortable with sending my own credit card numbers via Web
forms and Internet mail, and I do so regularly.
I'm not saying this because I believe the Internet can't
be readily penetrated. Obviously, it can. Rather, I say it
because conventional (non-Internet) credit card
transactions are so grossly unprotected that I don't
feel that using credit cards over the Internet exposes one
to any additional risk, and it's probably safer than many
(perhaps most) conventional methods of credit card usage.
The fastest-growing segment of credit card transactions
today is so-called "card-not-present" transactions where
the customer is not physically present at the merchant's
location and simply gives a credit card number over the
telephone. Card-not-present transactions are almost
totally unprotected...the merchant has no idea whether
or not you're actually the legitimate cardholder, and you
have no idea whether the minimum-wage telephone clerk on the
other end of the line is keeping private copies of card
numbers.
The other class of transactions where you actually
present your card to the merchant is a bit better
protected, but when the merchant swipes your card through
his Verifone terminal and gets an electronic authorization,
the entire contents of the mag stripe (card number,
expiration date, and DES-encrypted checksum) are sent
over the phone at 1200 baud in clear ASCII. So anybody
with a $15 Radio Shack tape recorder and a set of clip leads
can easily capture every card swiped at a shop or restaurant
and then walk home with them on a tape cassette.
In view of this, I feel that sending credit cards over
the Internet represents no meaningful incremental increase
in exposure, because we're tremendously exposed anyway.
That's why I have no hesitation myself in making credit card
purchases via the Web.
The technology to make card-not-present transactions
secure is readily available, and it's called the "smart
card". However, there are so many hundreds of millions of
cards in the U.S. that the cost for Visa or MasterCard to
deploy smart cards is staggering, and they have no plans to
do so in any big way. The only country where smart cards
have been deployed on a widespread basis is France. I'm not
holding my breath for this to happen in this country anytime
soon. And so the credit card infrastructure in the U.S.
remains leaky as a sieve. Fraud is significant, and the
industry simply lives with it as a cost of doing business.
On-line fraud is an infinitesimally tiny part of the overall
picture.
I honestly believe that you can make credit card
purchases on our Web site now without incurring any greater
risk than in your other non-Internet mail and phone
purchases. I do it myself without any qualms. And if
you've read this and are still losing sleep over credit card
security, may I suggest that the only really safe option is
to cut up your credit cards altogether, because the entire
credit card infrastructure is fundamentally insecure.
For those who are still not convinced but would
like to order products and services from CPA, you may print
a hardcopy of the applicable order form, fill it out, and
FAX it to us at 1-805-934-0547.
You may also mail the form to CPA at:
Cessna Pilots Association
3940 Mitchell Rd
Santa Maria, CA 93455
or
P.O. Box 5817
Santa Maria, CA 93456
-- Mike Busch (mike.busch@cessna.org)
Here are some recent items from other sources that
may be of interest.
The September 4th issue of Business Week (p96)
reports that online fraud is insignificant compared to
ordinary check fraud. The American Bankers Association
estimates that check fraud costs banks $10 billion a year,
while online fraud is running only about 0.05% of that ($5
million a year).
The September 4th issue of Information Week (p20)
says that only 40% of banks use any sort of data encryption
in their networks, while virtually no encryption is used in
the authorization of credit cards.
In the August 28th issue of Computerworld (p59),
senior editor Gary Anthes interviewed Tony Rutkowski, the
executive director of The Internet Society, and asked him
about the risks of credit card transactions over the
Internet. Rutkowski's reply was that net experts view the
risk of sending a credit card number unencrypted over the
Internet as no greater than giving it over the telephone.
The November 30th issue of Investor's Business Daily
(pg A8) reported that Internet security risks for consumers
have been grossly overblown. "By and large, consumers have
very little risk using and doing business on the Internet,"
says the chairman of Open Market Inc. While it is
theoretically possible to intercept Internet packets and
discover an individual's credit card number, it's much
easier to copy them off of discarded carbons. "If someone
wanted to steal a credit card number, all they would have to
do is go to any gas station and look on the ground around
the pumps," says the CTO at Internet security firm Terisa
Systems.
But perhaps New York Times journalist Peter H.
Lewis put it best:
"Sending a credit card number to an electronic merchant
over the Internet is probably the safest way to make
such a transaction. In the last week, for example, I
handed my credit card to a waiter who disappeared with
it for five minutes. I faxed my credit card information
to a business in New Jersey, and the fax probably lay
exposed to everyone in that office for hours and perhaps
to the cleaning crew that night. I called a hotel and
gave my card data to a reservation clerk and continued
my recklessness by ordering some merchandise from a
clothing catalogue, again by reading my credit card
information to some unseen operator. ... Compared with
the risk of handing my credit card to a stranger, which
I do nearly every day, sending it over the Internet is
pretty secure." (The New York Times, Nov. 13, C3)