Power Pay

As the 2006 holiday season looms, retailers consider bypassing credit cards in favor of more secure online payment options

Online purchasing showed double-digit growth last holiday season, for the third straight year. But one trend got lost in all the excitement: 30 percent of consumers actually decreased their online shopping, citing concerns about Internet security.

As they gear up for another big shopping season, retailers are searching for ways to get that 30 percent back. And one of their chief weapons will be online payment systems that don't require customers to type a credit card number into a retailer's online system.

"With the continued growth of identity theft, credit card fraud, and phishing scams, security on the Internet is more important than ever," says John Rogers, founder, chairman, and CEO of Pay By Touch, an online payment service. Working with UPEK, a vendor that makes a USB-capable fingerprint sensor, Pay By Touch earlier this week unveiled TrueMe, a biometric authentication service that lets users protect payments with a fingerprint.

Other experts agreed. "There is a strong perception out there that credit cards are not secure," says Marwan Forzley, president and CEO of MODAsolutions, which offers Secure-eBill, a service that helps consumers make retail purchases through their online banking systems.

Statistics support this conclusion. According to the Business Software Alliance, 38 percent of consumers who shopped online during the 2005 holiday season said they spent more than the year before -- but 30 percent said they spent less, citing concerns about credit card fraud, identity theft, and spyware. A June report by Javelin Strategy & Research says that 79 percent of consumers would buy more online if they had a more secure payment system. And Gartner and Jupiter Research estimate that there are still 80 million Internet users who don't buy anything online, many of them concerned about security issues.

"A substantial number of shoppers are still wary about e-commerce safety," says Diane Smiroldo, vice president of public affairs at BSA.

With so many potential sales at stake, it's not surprising that retailers -- and the technology vendors that supply them -- are experimenting with new, more secure methods of enabling consumers to pay online. One of the most novel approaches is TrueMe, a service that enables consumers and business users to verify their identities with a fingerprint before giving authorization for payment.

Using Pay By Touch's finger sensor -- which is already built into PCs such as Lenovo's -- or UPEK's finger sensor, which can be added via a simple USB connection, Pay By Touch is offering a service that lets retailers, banks, or businesses authenticate their regular users with a second, biometric factor. Information about the user is encrypted with the fingerprint, ensuring that only authorized users can initiate a payment, the companies say.

Retailers that are less cutting-edge are now accepting payments from a variety of other alternative payment systems. One of the best-known is PayPal, a service acquired by eBay last year. PayPal stores the user's bank account and credit card information in a single, secure account, then acts as a proxy for paying retailers or auction sellers online, without disclosing the user's account data to the recipient.

With Secure-eBill, MODA Solutions is doing PayPal one better, according to Forzley. Instead of paying online, the Secure-eBill service lets customers make a purchase and then get an online invoice, just as they would from their phone company or gas utility, he explains. Then the consumer can pay the bill using any online banking service, eliminating the need to put any account information out on the Web.

"For consumers, it's all about trust," Forzley says. "We think consumers trust their banks more than any retailer or online service."

Retailers that have tested Secure-eBill say it works. Big Al's Online, which sells supplies for aquatic hobbyists, has increased its customer base by 39 percent since adding Secure-eBill to its site, according to Dan Hamilton, director of e-commerce at the company. "Repeat order rates also have exceeded expectations."

Yet another company, Bill Me Later, essentially extends an automatic line of credit, enabling the consumer to make purchases online without giving out any credit card or bank account information. Bill Me Later uses online credit reports to authorize payments up to a certain level, basically giving the user a loan to make an online purchase. If the user fails to pay for the purchase on time, the service may be declined for subsequent purchases.

Use of alternative payment services is still nascent, as most purchases are still made through credit cards, experts say. Forzley says Secure-eBill only accounts for about 10 percent of the purchases made on its retailers' sites so far, but he expects that figure to increase.

None of these services is foolproof, however. PayPal already has seen a number of phishing scams, and others could be penetrated if an identity thief had the right information, critics say.

Still, the new systems may be more secure than asking users to input their credit card information. "Retailers want to increase their business online," Forzley says. "Alternative payment services are a proven way to do that."

— Tim Wilson, Site Editor, Dark Reading

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
