Have you ever been searching for a specific product online (like that hot pair of shoes in your quickly-sold-out size), only to finally find the item on a website that looks a little cheesy? I know that when I land on a site that looks kind of homemade I hesitate to whip out the credit card. It’s hard to tell just by looks whether it’s safe to buy. But just because a site has a slick web 2.0 design doesn’t mean that it is any more secure than the cluttered one with the neon typeface on a dark background that makes you see spots when you look away.
We turned to David Mead, a Product Development Engineer at EMBARQ Business Security Solutions for some background on how shopping cart security works, plus steps for business owners to make sure that their carts are secure and their customers are confident buying from them. He also gave us some tips for when we are on the buying end of the cart.
First of all, how do shopping carts work?
An online store involves several pieces that need to work together.
First, there is the web host, or server space where the website and files are stored and made accessible.
Second is the shopping cart functionality. In a simple sense, the shopping cart component is what allows the user to search and purchase selections and stores them in a ‘cart’ or ‘bucket’ until the user is ready to check out. Typically, the shopping cart functionality also includes the mechanisms for the user to check out, get a total, figure shipping and put in their personal information.
The secure piece typically comes during checkout with an SSL, or Secure Sockets Layer, certificate. This is what makes “http” into “https.” The SSL provides for secure communication and transmission of the customer’s personal information (including credit card data) back to the server or payment processing gateway.
Third is the credit card gateway. Once the personal information is entered and submitted, additional things need to be secured. Most shopping carts do not have a credit card gateway built in, which is the thing that actually validates and charges the credit card. The gateway is kind of the equivalent of the payment system in a physical store after you swipe your card. Some online stores will actually store your cc information in a back-end database, and some smaller merchants will even then access that info, including credit card info, and type it into their physical credit card machine.
From the point where the personal information is entered, to wherever it is transferred, to however it is stored — it all needs to be secured. An SSL will typically take care of most of that (assuming the merchant is using a reputable credit card processor, which they probably are).
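For a merchant who wants to check the point above, that card data must be protected from where it is entered to wherever it is sent, here is an added example that is not part of the interview or of any cart product. It reads a checkout page's HTML offline and flags card forms that submit over plain http, or that sit on an http page even though they submit to https. The function names, field-name hints and sample page are assumptions made for this sketch.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Field-name fragments that suggest payment data (an assumption for this sketch).
CARD_HINTS = ("card", "ccnum", "cvv", "cvc")

# Constructed sample: an http:// page whose card form posts to a relative URL.
SAMPLE_URL = "http://shop.example/checkout"
SAMPLE_HTML = ('<form action="/pay" method="post">'
               '<input name="card_number"><input name="cvv"></form>')

class CheckoutFormAudit(HTMLParser):
    """Collect each <form> with its resolved submit URL and card-like fields."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page's own URL.
            target = urljoin(self.page_url, a.get("action") or "")
            self._current = {"target": target, "card_fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select") and self._current is not None:
            name = (a.get("name") or a.get("id") or "").lower()
            if any(hint in name for hint in CARD_HINTS):
                self._current["card_fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit_checkout(page_url, html):
    """Return (finding, url) pairs for forms that collect card data."""
    parser = CheckoutFormAudit(page_url)
    parser.feed(html)
    page_secure = urlparse(page_url).scheme == "https"
    findings = []
    for form in parser.forms:
        if not form["card_fields"]:
            continue  # e.g. a search box: no card data, nothing to flag
        if urlparse(form["target"]).scheme != "https":
            findings.append(("insecure-submit", form["target"]))
        elif not page_secure:
            # An http page can be altered in transit before the form is sent.
            findings.append(("insecure-page", page_url))
    return findings
```

An empty result means every card form on the page is both served and submitted over https; it says nothing about how the data is stored afterwards.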
What’s the best way to make sure your cart is secure?
Use secure shopping cart software
Sometimes shopping cart software has the security built in, and sometimes it doesn’t. The majority of big hosters like GoDaddy are offering ecommerce or shopping cart functionality that is pretty secure. They tend to offer shopping cart products, and a business can buy all of the secured pieces they need right there.
Bypass the need for SSL
In other cases, there are some great API schemas available that a merchant can use to go direct to a payment processor like PayPal or Google, and actually bypass the need altogether to maintain any secured layers. Basically the shopping cart transmits the order information to the gateway like PayPal and that is where the personal info is entered. So, it then becomes PayPal’s responsibility to maintain the security.
Inform your customers
I think the important thing is that businesses need to be aware of the dangers and possible points for exploitations. They need to be able to explain to their customers that their website is secure. In addition to maintaining their site security, they also ought to have a clear and visible security policy that a potential customer can read to get the peace of mind they may need before making a purchase. If a customer has any sense that a site may not be secure, they may quickly leave the site.
As a consumer, how can I tell if a cart is secure when I go to check out? Are there telltale signs that a site is or isn’t secure?
First is the “https” in the address bar. Note that this is not only for shopping, but really for any web experience where you want a secure session. So, online banking or bill paying, or even web mail, would also have these in place.
Below is a screenshot from Google/Gmail. Also note in the bottom right-hand corner, there is a little yellow padlock. This means the site is secure. When I hovered my mouse over the padlock, the little dialog box popped up that tells me this is SSL Secured at 128-bit. If that padlock were not in place, this would not be secure and especially if I was shopping, I would not want to proceed.
Laura Leites, Assistant Editor, Smallbiztechnology.com