Christmas is almost here again. Black Friday and Cyber Monday are still fresh in our memory, with shoppers hunting bargains in stores and online. However you shop, a lot of personal information (credit card details, delivery addresses, etc.) has to change hands. Of course, companies have an obligation to protect their customers’ data, and there are technological safeguards in place to ensure that nothing can go wrong.
The average American will spend $752 during Christmas 2016 according to Statista, almost $100 less than last year. With that in mind, here’s a quick look at two of the most common ways retailers work to protect customers from financial mishaps.
One of the lesser-known schemes, the Payment Card Industry Data Security Standard (PCI DSS), is an initiative that aims to protect customers using Visa, American Express, and several other cards by encouraging retailers to follow a series of security guidelines. The three most important PCI DSS requirements revolve around firewalls, data encryption, and anti-virus software.
PCI DSS isn’t really something that customers will come across directly – it’s more of a behind-the-scenes thing – but it manifests in improved security for the transmission and storage of consumers’ data. Certification is mandatory for retail companies that handle sensitive information but the size of their commitment depends on how many transactions they handle per year.
For example, a firm that sees more than 6 million sales or payments a year is considered a level one business as far as compliance is concerned, which is the highest grade. This kind of company must be audited by a qualified official once a year. At the other end of the scale, level four, are businesses that handle fewer than 20,000 transactions per annum. In this case, completing a self-assessment questionnaire may be enough to comply with PCI DSS.
However, there are elements common to all businesses. All grades must run website vulnerability scans regularly to close security holes that could allow SQL injection or similar attacks to take place.
Put simply, to check whether a site is secured with Secure Sockets Layer (SSL) or Transport Layer Security (TLS), look for the padlock icon next to the web address on websites like Amazon and PayPal when providing your payment information or login details. TLS is simply the more recent of the two technologies. The “https” prefix before the website address is also a good indicator of SSL or TLS, as opposed to unsecured http.
It’s perhaps easiest to imagine SSL and TLS as creating a secure “room” where stores and customers can share information online without the risk of hackers and other criminals eavesdropping.
While some sites (like Facebook) use SSL throughout their website, others don’t. Many popular websites, for example, only use the technology on pages that request sensitive information, such as credit card details. That’s fair enough; there are both pros and cons to sitewide SSL. However, in March of this year, Google found that 79 of the 100 biggest websites in the world don’t use https as the default option, including Apple. The same report apparently upset somebody at Microsoft, one of the companies on Google’s original list, as the company now uses TLS 2.1 on every page.
As a final point, technology exists as a failsafe, but that doesn’t mean consumers have no role to play in protecting their own information. Consumers need to be aware of how secure the sites they are browsing are, and should not give personal information – including passwords – to insecure sites. Unfortunately, a lot of evidence points to customers as a weak link in the chain as far as identity theft and other fraud is concerned, especially when shopping on the internet.