This is all about keeping credit card information away from prying
eyes. This is no longer just a "nice to have" from the customer's point of
view; it is now required by VISA and other card providers. Encryption is the
process which provides this security by changing credit card information into
a meaningless jumble until it is converted back to usable information
once the data has been moved to a secure location. There are two techniques
currently in wide use to provide this security.
SSL
...requires an electronic certificate from a third party who can prove
to your customer that they are dealing with the firm they think they are. The
best-known provider of certificates is Verisign,
which purchased Thawte, a relative newcomer, in February 2000. Verisign
certificates start at $349. Thawte's
certificates start at $125 per year. There are significant differences
in service between the two.
These certificates provide proof of identity that cannot be forged,
assuring users that your site is protecting valuable data from prying
eyes. They also enable the encryption of all communication between
you and your customers using the Secure Sockets Layer (SSL) protocol,
which enables all major browsers to initiate a secure session with
your site.
The main drawback to this server-based method is that it is symmetric,
i.e. the means to decrypt is also present at the site, as all encrypted
data must be decrypted there before being sent on to the vendor. This means
that if the Web site is compromised, either externally or by ISP/Web
server staff, all credit cards will be freely available to the hacker.
This represents a fundamentally higher risk for the provider of the
e-commerce service than, say, Actinic Catalog, which uses end-to-end
asymmetric encryption, explained in the next paragraph.
128-bit Encryption key
...is more sophisticated and difficult to break than SSL. SSL
offers only a 40-bit key in non-US implementations (although 56-bit
key implementations are now becoming available). To put things in
context, each additional bit of key space takes twice as long to break,
so a 41-bit key is twice as strong as a 40-bit key. The 128-bit key
is 4,722,366,482,869,645,213,696 times as strong as the SSL 56-bit
key. Encryption occurs on the buyer's PC and decryption occurs only
on the vendor's PC. At no stage is the transaction decrypted while
it travels over the Internet, or while it is stored on a Web site.
This is the method that is built into our e-commerce solutions. Here,
access to the server gives the hacker no help in decrypting
credit card information.