How safe are your credit card details online?

Shopping online has a number of benefits and is becoming increasingly popular. However, surveys are finding that many people are scared about using their credit or debit card online.

When we investigate frauds, such as the Zavvi Direct scam we uncovered in June 2008, all the victims who contacted us were deeply concerned that their credit or debit card details had been compromised and would be used for other frauds, but this was not the case.

So we wanted to find out why, by taking a look at what happens to your card details when you shop online.

Gateway to the bank
It may surprise people to know that many genuine online retailers never see their customers’ card details. It depends on how they set up their online payment system once they have been authorised by an acquiring bank to take card payments.

This acquiring bank, sometimes called the merchant bank, is the organisation that carries out the checks on companies applying to take card payments.

There are currently nine in the UK, including Barclays Merchant Services and Lloyds TSB Cardnet. Once approved, the retailer then chooses a payment gateway; the merchant account is useless without one. Sometimes the acquiring bank will have its own payment gateway that the retailer will use, but they can choose their own.

Payment gateways, or portals as they are sometimes known, such as Secure Hosting and Protx (now called Sage Pay), connect the retailer’s website with the acquiring bank.

Many online shoppers will be familiar with those names and others such as Worldpay. Essentially these companies are the middlemen in the online payment process. It is at this point that online retailers differ in the way payments to them are processed.

The online store can choose to host a payment page on its own computers and transfer the card data to the payment gateway as many of the major retailers do. But this isn’t always the case.

Jonathan Rodger of Secure Hosting explained: “We handle the technical side of the payment process. Online retailers are allowed to store people’s card data except the CV2 number (the three-digit security code on the back of the card) but if they do there are a lot of obligations they have to meet.

“Any company processing, storing, or transmitting cardholder data should be PCI (Payment Card Industry) compliant ­ – this is a security standard run by the finance industry. They must have a secure server and it is their responsibility to ensure the card data is encrypted when they send it to us.

“However, a lot of retailers, particularly smaller ones, don’t want this responsibility and we can do this for them. When the customer goes to the online checkout to make a payment they are transferred to the secure servers of a payment gateway, such as Securehosting, where the retailer’s payment forms are hosted.

“Card details are then input here. People may not realise this as we can set up the payment page so that it looks just like part of the retailer’s website.”

You can look at the address bar once you are about to enter your card details and if this method is being used, you will see that you have been directed to a payment gateway’s site.