New Zealand: Technology Law Bulletin - Is it Safe to Enter your Credit Card Online?

Online transactions are booming in New Zealand. VISA recently reported earlier this year that New Zealanders spent NZ$56.51 million in ecommerce sales using Visa cards in March 2005, up from NZ$31.51 million in March 2004. Research also shows that there are more than 1.4 million New Zealanders registered to bank online (this represents 35% of New Zealand's total population). So, why do we have the confidence to send credit card and other personal information over an open network like the Internet? In short, online businesses implement and maintain practices, policies and procedures that aim to make online transactions as secure as technologically possible.

It is essential that an online business offers a secure interface to transfer its customer's credit card details and other personal information from the customer's browser to the online business' server. Secure Socket Layer ("SSL") is the industry standard in security technology for creating an encrypted link between the customer's browser and business' web server. This link seeks to ensure that all data in a customer's transaction is processed in real time, free from interception and tampering. In order to generate an SSL link, the business' web server needs to have a SSL certificate. Thawte, Verisign and Instant SSL all offer SSL certificates, which can cost a little as NZ$99 plus Goods and Services Tax for a single domain.

Technology savvy web users can easily tell the difference between a secure and an insecure site. A secure site, when configured correctly, will cause a locked padlock icon to appear on the web user's web browser. By contrast, an insecure site may trigger a warning, to be displayed when the web user attempts to submit his or her personal details, which will usually kill off any prospect that the transaction will be completed.

Compliance with legal requirements is also important. An online business needs to put in place and have privacy and security policy statements readily available on its website. Customers look to those policies as an indication that the online business has secure systems in place to help prevent authorised use of, or access to, the customer's information.

A specialist IT lawyer should review or prepare those policy statements. Online New Zealand businesses have particular obligations under the Privacy Act 1993 (NZ) to inform the customer:

1. what personally identifiable information is collected through the business' website and who is collecting the information;

2. how the customer's information is used;

3. with whom is the customer's information shared , such as direct marketing firms, partners and advertisers;

4. the security safeguards that are in place to protect against loss, access, use, modification, disclosure or other misuse of the customer's information; and

5. how the customer can correct and access the personal information collected.

Web technology is not bullet proof. Therefore, an online business' security policy should avoid claiming that online transactions on its website are "safe" or "secure". Instead, the security policy should use a statement like "We are committed to protecting the privacy and security of your personal information" and describe in detail the procedures undertaken by the online business to protect its customers' information.

The security policy should also explain some helpful tips for the customer's own web security. It's not well known, but a customer cannot guarantee that his or her online transaction is safe and secure unless he or she has a secure browser. A basic precaution is to avoid public computers, such as those in Internet cafés. NetSafe, New Zealand's Internet safety group, recommends that customers undertake the following safety steps:

1. enter a website by typing in the URL;

2. never follow a link from an email to a secure website;

3. change your password regularly;

4. don't use the same passwords on different sites;

5. don't share or write down your passwords or save them to your computer;

6. install a basic firewall and an anti-virus programme;

7. don’t leave your computer unattended when engaged in an online transaction;

8. always log out when ending a secure transaction; and

9. look for the padlock at the bottom of the screen, which denotes a secure, encrypted session.

You might ask yourself whether the cost of implementing these policies and procedures is worth it for a business. The answer is generally "yes". The ability to allow transactions online may offer many benefits that are not otherwise currently being realised by a business.

Increased customer satisfaction maximises sales. In particular, the technology for online transactions enables a business to accept the payment type that customers demand, and customers can sometimes make payments in the currency that the customer prefers and understands. Customers enjoy the convenience of conducting their personal transactions online. Transactions can be undertaken anytime and these days, with wireless technology, virtually anywhere as well.

Business efficiency is also improved. Once the payment system is up and running on the business's website, it is generally easy to operate and maintain and the overall effectiveness of the business' website is significantly increased.

If you thought that the only businesses that were permitting online transactions were goods vendors in the 'Amazon' mould, it's time to reshape that thinking. Today, customers conduct online banking, and can use their credit cards to pay online for airline tickets, their groceries and a range of other goods and services. Perhaps, in the near future, we might see lawyers accepting online credit card payment for their services and offering air points upon payment of their invoices too!

© Phillips Fox 2005. All rights reserved.