How do you know which websites to trust with your credit card information? My answer: almost none of them. That’s a strange thing to say when 99% of my purchases are done online, both at home and work. And yet, there are very few web services that you should trust with your info.
What most people have been taught is to look for the Padlock icon on your browser to tell whether a site is secured. I dispense that advice myself, but would you be shocked to hear that anybody can add that to their site for about $100 (or for free with a little coding)?
Let’s talk about what that Padlock really means.
It’s a “Site Security Seal” which simply means that the website is using public data encryption to help you upload your information securely. (*The process of this public encryption is something I love explaining, but we’ll get to that another day.*) This is a good thing — and by no means should you ever give your credit card info to a site that doesn’t have this seal — but it only protects the info for the quick passage from your computer to the website’s host.
Why does that matter? Because to get from your house to the webserver, every page request is relayed through dozens of ISPs. Any of these could potentially be storing your info if it’s unencrypted.
So if you’ve entered your info into a secure site, what’s the problem?
If you’ll allow me an analogy: Pretend you’ve got a burning secret that you want to tell your best friend and you’re paranoid about anyone else overhearing. You don’t trust cell phones, texting, anything like that, so you employ a spectacularly complicated method involving invisible ink, carrier pigeons, and a Flintstones decoder ring.
But you forgot … your friend is a blabbermouth.
And that’s the problem in a nutshell with websites. Internet standard is to enforce this Padlock security protocol when sending/receiving critical information, but there is absolutely nothing enforcing these businesses to keep your info secure after they’ve received it.
You’d be shocked at how many businesses keep their customers’ credit card info in places that can be accessed from the outside, just waiting to be burgled. It’s insane.
Me, I’ve always followed the Amazon model. They built their business on getting people to trust credit card transactions, and in the early days they went to great lengths to explain to people how their practices worked. The server that held the credit card info was far removed from the servers that gathered the info initially. They even claimed that this financial server had no internet access, though today you’d just bullet-proof the firewall that contained it.
Before I scare you away from ever shopping online again, I’ll tell you who you can and should trust. The big players who employ large networks security teams: eBay/Paypal, Amazon, your banking institution, major department stores. (Yes, Target got hacked last Christmas, proving that nobody is foolproof, but your odds are much better with major companies like this.) It’s when you start shopping small business that you need to be on guard.
There are dozens, maybe hundreds, of 3rd party credit card processors and most new sites today will use them; GoDaddy is a major pusher for this type of eCommerce solution. There’s nothing wrong with it. It allows small businesses to create websites without having to know anything about security. It gives you, the user, another level of security because the eCommerce processor holds all the credit card info so securely that the business itself cannot log in to see all of your card info. It works great.
So how will you know when your website is using one of these? Um … yeah, that’s the trouble. Most of the time, you won’t. Once in a while you’ll get a message about being redirected to the eCommerce site to complete your transaction, but the more fashionable method is to make it all look and feel like one seamless site. Furthermore, you as the end user will probably never know which eCommerce site they are using and you can’t be expected to stop and read reviews of them before you buy those designer sweat socks that are going, going, gone.
So my rule whenever I’m ordering from a business smaller than a national chain is simple: don’t give your info to them directly. Look for the sites that allow you to use PayPal – that’s the easiest way to make sure your info is secure because PayPal mandates that all the sites that use their services redirect to the PayPal website for transferring information.You’ll get the message that you’re going to PayPal and you can verify in your browser’s address bar that you are actually on the PayPal website before you enter any passwords. That’s one site that doesn’t mess around when it comes to security protocols.