Re: Secure order forms
From Jim on 30 November '98
I seem to be spamming my own board, sorry, but I'll shut up just as soon
as I've made this final comment...

Most people, when they ask me about security of order forms, aren't
really sure why they're worried, they just have a general "uneasiness"
purely because of all the hype surrounding this topic.

Let me give you a couple of reasons why you might be worried:

a) You want to assure the people who visit your site that if they
purchase something, their card will be "secure".

OK, let me ask you, personally, if you've ever purchased anything
online with your card?

If you have, then you must either have been satisfied at the level
of security, or you just didn't care. Either way, you agreed to the
transaction. Sale made. End of discussion. This is what happens in
99% of cases.

If you haven't purchased anything online, there are two possible
reasons why you haven't: either you don't "trust" the Net because
you don't understand it fully, in which case you're not going to
use an online form no matter how much technical security is promised
by the webmaster (you'll probably order by fax instead), or you have
a deep understanding which makes you distrust SSL security. I happen
to be in this category, and let me tell you that given a choice between
two order forms, one with SSL and one without, I'll go for the one with
because it's better than nothing.

On a side note, I also know that placing an order online is just as
safe, if not safer than other methods, regardless of encryption.
This is because I know that without a "hard" card receipt (with a
physical signature) I can refuse to pay for any transaction that I
disagree with. I know this to my cost, being a merchant myself!

This all boils down to my original statement: browser security is the
only thing that matters to your customers, so as a webmaster, why are
you concerned about anything else?

b) As an online merchant, you want to take all technical precautions
to protect yourself against card fraud.

Protecting yourself against fraud has little, if anything, to do with
the way you collect the card details.

The rip-offs occur AFTER the card number has been given. Ideally,
you should process the card BEFORE you deliver the goods (even then,
the card could later be reported as stolen, or charged back by the
genuine cardholder because they simply don't like your product). I'm
drifting off-topic here though, what we're discussing is order form

At the end of the day, SSL security was invented in order to coax
people into making card transactions online, and it does this job
brilliantly. Don't try sniffing any deeper because you won't like
what you find.

See also Rant #2: