The silence of the order posts

Posted by Nick Vincent
Posted: 16/3/2012

I don't think anyone would argue against the need for standards regarding payment methods, and the PCI Data Security Standards (DSS) introduced over the last few years are well intentioned. In essence they say that in order to handle sensitive customer data a strict set of security criteria must be met. The introduction of these standards has taken that sensitive information out of the hands of some parties who may not have taken keeping it a secret as seriously as you do, and this is a good thing.

Many merchants have, quite understandably, chosen to steer clear of some of the quite onerous requirements that the standards dictate in order to allow handling of payment credentials. As such, many retailers now choose to submit payment details directly to a PCI compliant payment provider instead of handling and storing them. This means that they no longer need to comply with PCI standards, because they no longer handle any payment card information for even a fleeting moment. This also means that payment information is handled by a specialist payment provider who should know exactly how to keep it secure. Sounds great, doesn't it? Customer details are safer and the bank sees less fraud, but does this really mean that payment details are safe from fraudsters?

There are three main ways that a retailer can use an external payment processor to handle card details for them:

1: Go here, then come back

This is where the customer leaves the seller's website and enters their payment details on a completely different website belonging to the payment provider. It's an unnerving solution for customers, and hence only really provides a reassuring experience when the payment provider is very well known. It's a poor user experience, but the customer knows exactly where they are, what is happening and who is handling their data.

2: I loaded a web page in my web page

Another solution is to use an "iframe". This is where a page from an external payment site is loaded inside an area on the merchant site. This normally means that you get a badly designed, usability nightmare of a web form provided by a payment provider slapped right in the middle of the merchant's checkout process. A hosted payment page may look something like this:

This is not a great solution for a number of reasons, and is generally being usurped by...

3: Silent order post

This is the option that provides the most coherent payment experience for the customer. Payment details are only handled by the payment provider, the customer never has to know that they left the merchant website, and the merchant keeps control of the aesthetics. So why might this not be the best solution? The clue is in the description, "the customer never has to know that they left the merchant website". Can you think of the last time you saw a message like this when you were shopping online?

Well, you didn't ever see that message because no major browser available today will warn you of this. As a customer what really happened just now?

What you thought happened was this:

  • You were shown the payment page
  • You checked that your connection was secure, and viewed the site's certificate to make sure you were dealing with the right company*
  • You entered your payment details
  • Your payment details were submitted over a secure connection to the company whose credentials you just checked

\* I know you didn't, but you should have done.

What actually happened was:

  • You were shown the payment page
  • You checked your connection was secure, and viewed the site's certificate to make sure you were dealing with the right company*
  • You entered your payment details
  • Your payment details were submitted to an unknown third party. They have a secure connection, so there was no browser error, but as a customer you have no idea where your information went, and you have had no chance to discover who they are or examine their security credentials.
  • You were returned to the original site none the wiser

Scary stuff eh? Normally that mysterious third party is going to be a trustworthy payment provider, but the customer didn't know that before they submitted their details, and had no opportunity to check. If someone unscrupulous (for instance Richard Pryor's character Gus Gorman from Superman III) were to have gained access to the servers running the website then he could have sent the payment details to his own site.

With access to a merchant's servers, which is hopefully the hard part, all Gus has to do is change one URL in a plain text file and install any valid SSL certificate (which he can buy for less than £10) on his own server to avoid the customer seeing a browser alert. If the fake payment site also responds in the same way as the real payment provider then the customer might even receive their order. In the worst case scenario the customer only finds this out when their details are used fraudulently, and the merchant doesn't discover this until they reconcile their payments and find they have not taken any money.
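One way a merchant could watch for the single changed URL described above, as an added example that is not part of the original post: a check that parses the served checkout page and reports any card form whose target is not the contracted payment provider. The host names and card field names are placeholders, and the sample page is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumptions (placeholders): the contracted provider host and the card field names.
ALLOWED_PAYMENT_HOSTS = {"secure.payments.example"}
CARD_FIELDS = {"card_number", "card_cvn", "card_expiry"}

# Constructed sample: a checkout page whose card form target has been changed.
SAMPLE_PAGE = """
<form action="/search"><input name="q"></form>
<form method="post" action="https://pay.other-host.example/pay">
  <input name="card_number"><input name="card_cvn"><input name="card_expiry">
</form>
"""

class FormCollector(HTMLParser):
    """Records each form's action and the names of the inputs inside it."""
    def __init__(self):
        super().__init__()
        self.forms = []    # [action, set of input names] per form
        self._open = None  # form currently being parsed

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._open = [attrs.get("action") or "", set()]
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            self._open[1].add((attrs.get("name") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def audit_payment_forms(page_url, html, allowed=ALLOWED_PAYMENT_HOSTS):
    """Return (target_url, reason) for each card form posting somewhere unexpected."""
    collector = FormCollector()
    collector.feed(html)
    findings = []
    for action, fields in collector.forms:
        if not fields & CARD_FIELDS:
            continue  # not a card form, e.g. site search
        target = urljoin(page_url, action)  # relative or empty action resolves to the merchant
        parts = urlsplit(target)
        if parts.scheme != "https":
            findings.append((target, "card form is not submitted over HTTPS"))
        elif (parts.hostname or "").lower() not in allowed:
            findings.append((target, "card form posts to a host that is not on the allowlist"))
    return findings
```

Run from a host outside the web servers against the page as customers receive it, this gives the merchant the record of where card details are being sent that the silent order post otherwise lacks.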

So how is the customer benefiting from PCI DSS? The good news is that overall fraud levels are decreasing, and it is now much less likely that your payment details could be stolen from a merchant due to a security lapse months after you have used them to make a purchase. However, the current "best practice" PCI DSS compliant payment implementation method means that instead of sending payment details to the merchant the customer ends up sending them to an unknown third party, who is hopefully a reputable payment service provider. The customer won't know where they are submitting their details and, moreover, neither they nor the merchant have any record of where the details were actually sent.

In the UK the customer is afforded protection from online fraud by the Consumer Credit Act and Distance Selling Regulations, and similar legislation exists in other countries. Recovering from an identity theft can be a lot of hassle for the customer; however, it is the merchants and card issuers that end up shouldering the burden, and ultimately this cost is passed on to customers through increased prices and credit card charges.

So how can the situation be fixed, maintaining customer experience and reducing the risk of fraud? That's a question that I will try to answer in a future article.
