

Power Pay

As the 2006 holiday season looms, retailers consider bypassing credit cards in favor of more secure online payment options

Online purchasing showed double-digit growth last holiday season, for the third straight year. But one trend got lost in all the excitement: 30 percent of consumers actually decreased their online shopping, citing concerns about Internet security.

As they gear up for another big shopping season, retailers are searching for ways to get that 30 percent back. And one of their chief weapons will be online payment systems that don't require customers to type a credit card number into a retailer's online system.

"With the continued growth of identity theft, credit card fraud, and phishing scams, security on the Internet is more important than ever," says John Rogers, founder, chairman, and CEO of Pay By Touch, an online payment service. Working with UPEK, a vendor that makes a USB-capable fingerprint sensor, Pay By Touch earlier this week unveiled TrueMe, a biometric authentication service that lets users protect payments with a fingerprint.

Other experts agreed. "There is a strong perception out there that credit cards are not secure," says Marwan Forzley, president and CEO of MODAsolutions, which offers Secure-eBill, a service that helps consumers make retail purchases through their online banking systems.

Statistics support this conclusion. According to the Business Software Alliance, 38 percent of consumers who shopped online during the 2005 holiday season said they spent more than the year before -- but 30 percent said they spent less, citing concerns about credit card fraud, identity theft, and spyware. A June report by Javelin Strategy & Research says that 79 percent of consumers would buy more online if they had a more secure payment system. And Gartner and Jupiter Research estimate that there are still 80 million Internet users who don't buy anything online, many of them concerned about security issues.

"A substantial number of shoppers are still wary about e-commerce safety," says Diane Smiroldo, vice president of public affairs at BSA.

With so many potential sales at stake, it's not surprising that retailers -- and the technology vendors that supply them -- are experimenting with new, more secure methods of enabling consumers to pay online. One of the most novel approaches is TrueMe, a service that enables consumers and business users to verify their identities with a fingerprint before giving authorization for payment.

Using Pay By Touch's finger sensor -- which is already built into PCs such as Lenovo's -- or UPEK's finger sensor, which can be added via a simple USB connection, Pay By Touch is offering a service that lets retailers, banks, or businesses authenticate their regular users with a second, biometric factor. Information about the user is encrypted with the fingerprint, ensuring that only authorized users can initiate a payment, the companies say.

Retailers that are less cutting-edge are now accepting payments from a variety of other alternative payment systems. One of the best-known is PayPal, a service acquired by eBay last year. PayPal stores the user's bank account and credit card information in a single, secure account, then acts as a proxy for paying retailers or auction sellers online, without giving out the user's account data to the recipient.

With Secure-eBill, MODA Solutions is doing PayPal one better, according to Forzley. Instead of paying online, the Secure-eBill service lets customers make a purchase and then get an online invoice, just as they would from their phone company or gas utility, he explains. Then the consumer can pay the bill using any online banking service, eliminating the need to put any account information out on the Web.

"For consumers, it's all about trust," Forzley says. "We think consumers trust their banks more than any retailer or online service."

Retailers that have tested Secure-eBill say it works. Big Al's Online, which sells supplies for aquatic hobbyists, has increased its customer base by 39 percent since adding Secure-eBill to its site, according to Dan Hamilton, director of e-commerce at the company. "Repeat order rates also have exceeded expectations."

Yet another company, Bill Me Later, essentially extends an automatic line of credit, enabling the consumer to make purchases online without giving out any credit card or bank account information. Bill Me Later uses online credit reports to authorize payments up to a certain level, basically giving the user a loan to make an online purchase. If the user fails to pay for the purchase on time, the service may be declined for subsequent purchases.

Use of alternative payment services is still nascent, as most purchases are still made through credit cards, experts say. Forzley says Secure-eBill only accounts for about 10 percent of the purchases made on its retailers' sites so far, but he expects that figure to increase.

None of these services is foolproof, however. PayPal already has seen a number of phishing scams, and others could be penetrated if an identity thief had the right information, critics say.

Still, the new systems may be more secure than asking users to input their credit card information. "Retailers want to increase their business online," Forzley says. "Alternative payment services are a proven way to do that."

— Tim Wilson, Site Editor, Dark Reading

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories.
