Many people are still concerned about the security of their personal and credit card information on the Internet. The February, 1999 Small Business Computing magazine (citing a 1997 study conducted by Find/SVP, a New York based market research firm) said that

"the dirty little secret about Web commerce: 92 percent of all Internet transaction are actually processed manually - that is, off line. And most visitors to commercial sites do a lot more browsing than they do buying. Studies show that 91 percent of consumer are concerned about Internet security, and only 27 percent of regular Internet users have made online purchases in the last 12 months..."

These figures are now out of date, but they highlight the need to

1. Provide multiple means for our customers to buy our products or services, and
   
   
2. Reassure our customers of the security that now exists in purchasing online.

The publicity of a very few publicized incidents has caused online users to be far more concerned than is warranted, but perception is reality, so we need to deal with it. Actually, it is far easier for someone to steal your credit card information offline, by picking up your credit card receipt from the trash bin at the gas station, for example, as you casually through it away or digging through restaurant trash bins.

Secure forms via SSL are used to provide the security needed to reassure customers. They allow your customers privacy and piece-of-mind when completing a credit card transaction or transmitting personal information. They are a must for commerce enabled sites.

The industry standard method of secure forms is to have the communication encrypted by SSL (Secure Sockets Layer). SSL encodes or "encrypts" the information in the customer order form into an untranslatable code, which, if somehow intercepted by some third party while traveling between the customer's browser and the web site server, would not be readable. Sometimes you will hear of this technology as providing a "secure gateway".

Secure forms via SSL may be available through your web host. If not, you can obtain them from outside vendors. You simply link to the forms residing on a server completely separate from the one hosting your existing web site. When the visitor is in the secure area, they will know that because the little closed lock or key shows at the lower right of their browser window.

Some hosts offer three different types of SSL security - Virtual SSL, Verisign Authentic, and Thawte Authentic SSL.

With Virtual SSL, the secure part of your web site would actually use the web host's SSL certificate. Some web hosts charge extra for this service while some others do not.

First, it is important to understand that SSL is assigned to a single domain name. Using a virtual SSL, the web location would momentarily relocate from ibizcenter.com to the web host's domain for the secure portion of the transaction and then return to our site once the transaction was complete.

To make orders through your form secure, simply point to the order form through the web host's server. For example, if you have a form at http://www.ibizcenter.com/orders/orderform.htm, you would point to the form through the hosting company's server (in this example, innerhost.com), in a manner something like this: https://www.innerhost.com/ibizcenter/orders/orderform.htm.

Note the http changes to https for the secured server. You will need to ask your hosting company for the specific URL to use. Note that your customer may notice that he or she is no longer at your site, but at your host's site. If this happens only at your order form, this is probably not very important. However, if you wish to collect information at other points of your site, such as a registration form, when your relationship may not yet be cemented, you may not want your visitor wondering about what is happening.

The preferred alternative is to obtain an Authentic SSL - your own SSL certificate obtained from a certificate authority like VeriSign (http://www.verisign.com) or Thawte (http://www.thawte.com).

The certificate authority ("CA") will charge you for the certificate. In addition, your web site host may charge you to install the certificate, test and maintain it.

For example, comcity.com charges a $60 set up fee, but no monthly charge thereafter. Innerhost.com has no extra cost. Each host is different.

VeriSign is the more recognized version of SSL certification and they have the largest market share of certificates. The first year fee is about $329 and $229 each year thereafter for US merchants.

Thawte, on the other hand, offers a more economical certificate and is a very up and coming market share leader. Thawte charges $125 each year.

There appear to be some browser compatibility issues with Thawte, however, leading us to initially believe that Verisign was the better choice. Many other very large sites use Thawte. When I asked Thawte about this, their April 29, 1999 e-mail reply was:

"Thawte was not yet in business when Netscape Comm and IE were released so our root keys are not in those browsers and mail clients. However as more current versions are released there are fewer people using Nav and IE 1.0 and 2.0. We have also had a root roll over problem with Nav 3.0, however this has not proved to be too much of a problem with our customers. We have 37% of the worldwide market so we must have fairly extensive coverage. Another interesting point is that all the Verisign roots in all browsers up to Nav 4.3 will expire at the end of this year which means anyone using a Verisign certificate will get an expiry message when they try to use it on 1 Jan 2000. This means that Thawte will be THE most globally trusted CA worldwide. I hope this clears this issue up for you.

Regards
Vicki Smith, for Mark Shuttleworth, Thawte Certification"

You be the judge for your situation. I ultimately decided to go with Thawte. (Since I first wrote this, Verisign has acquired Thawte, thereby eliminating effective competition in the security certificate market.)

Secure Electronic Transaction protocol

Banks and card issuing authorities are investing heavily in a new encryption system known as SET. SET is the Secure Electronic Transaction protocol developed by Visa and MasterCard to enable secure credit card transactions on the Internet. SET uses digital certificates to validate the identities of all parties involved in a purchase and encrypts credit card information before sending it across the Internet. However it is likely to be several years (if ever) before the use of SET becomes widespread.

Webreference has an excerpt from "Building SET Applications For Secure Transactions", by Mark S. Merkow, James Breithaupt, and Ken Wheeler, Wiley Computer Publishing. http://www.webreference.com/ecommerce/mm/books/c2-0.html

The excerpt is the second chapter from the book about the (SET) Standard for payment card acceptance via the Internet. Among other things covered is running the payment process on-line with SET.

Encrypted E-mail

An alternative to either SSL or SET to be able to securely order online would be encrypted e-mail messages. Pretty Good Privacy (PGP) encryption is an emerging possibility, but is not currently convenient to use and able to be used with any e-mail program. Maybe it will become more widely accepted, but I doubt it, with credit card purchasing via secured forms becoming more widely accepted by the customers all the time.

Secure Online Electronic Credit Card Transaction - How To Provide It For Your Customers