Online Transactions: know What’s Happening To Your Data

Online purchasing transaction security is not absolute. There are not really “safe” and “unsafe” options anymore, meaning only alternatives remain that have varying degrees of security. However, understanding how your data is stored and used is an important first step.

WHAT ARE THE RISKS OF PURCHASING ONLINE?

The risks of conducting transactions online are real and require constant vigilance. Online transactions are open to “normal” procurement risks, but also have a unique set of other hazards. Beyond being exposed to such things as fake websites, inflated user reviews, or the possibility of never actually receiving what was bought, purchasers can be exposed to much more sinister dangers. Credit card fraud and identity theft are real possibilities. It is not all doom and gloom though. The key is understanding these risks and what is being done to protect you and your personal data.

WHAT INFORMATION CAN ONLINE RETAILERS STORE?

The storing of personal data is controlled more by the industry than by federal or provincial laws. The Payment Card Industry Data Security Standard (PCI DSS) was implemented by the major credit card companies as a means of ensuring compliance amongst the retailers, online or otherwise. Deviation from compliance is met with stiff fines. Per PCI DSS direction, brick and mortar stores are required to keep customer data only until they have been successfully authenticated. Online retailers face similar restrictions. However, when it comes to saving data for repeat transactions, customer data can be saved if it is properly encrypted and guarded. Due to the complex nature of storing and managing customer data in this manner, this function is often off-loaded to third-party providers.

The actual data that is stored by online retailers, per the PCI DSS, is the customer’s:

  • name
  • account details
  • credit card number (a.k.a. Primary Account Number or PAN)
  • the expiration date

Not to be stored are the customer’s:

  • PIN number
  • the security code (CVV).

Further, access to the stored data is to be restricted, and the full PAN must be concealed. Policies must also be in place to destroy the customer’s data once it is no longer required.

WHERE IS PERSONAL INFORMATION STORED?

To understand how your online personal data is stored, it is important to understand that there are two different areas in which your data is stored. First, many people store personal details within their internet browsers (Google Chrome, Firefox etc.). This allows for increased convenience – you don’t have to enter addresses, credit card numbers and other details each time you want to shop online.

Websites can store these details in the form of cookies, or as part of the autofill functionality. Cookies are stored on your computer and accessed by the website when you navigate there, and can store account numbers, even credit card numbers. Recently, browsers have significantly expanded their use of autofill functionality. A large amount of personal data is stored within the browser setting files, and can be accessed to speed up the process for people filling out online forms.

Secondly, retail partners themselves maintain personal data in the form of customer accounts, complete with address, credit card, buying patterns and many other sensitive details. We have all signed up for customer accounts to take advantage of promotions, newsletters, points, or just to speed the checkout process. Online transactions are usually brokered by a Payment Service Provider (PSP). These PSPs tokenize the consumer’s payment details and are usually certified by the relevant agencies. The certification details are often available on the seller’s website. Tokenization means that the data is encrypted as randomized characters and transmitted as such. Interception of this data is meaningless, as the credit card numbers, addresses and other details have been scrambled.

HOW DO YOU SECURE YOUR INFORMATION?

If we think about the two different places where customer data is stored, it makes sense that we will have two different approaches to securing our personal data.

First, make a habit of reviewing and deleting the cookies saved on your computer, especially if other people use your computer. To stop new cookies from being created with your data, simply use the “Guest” option on websites as much as possible. This is usually available on most websites and refers to the option of entering only the personal data needed to conduct the immediate transaction. Much less data is stored for future recovery, or misuse. If you choose to save some of your data, use the autofill functions. This not only speeds up data entry later, but also stores it more securely than with cookies.

Finally, in terms of data stored by online retailers, staying informed and proactive on what data you have out there is important. Take a minute to read the retailer’s security policy and understand their policies in terms of customer data retention, and if they use professional third-party partners to guard your data. Consider whether you really need to create an account with the retailer to speed future transactions. Maybe you will prefer to manage this data yourself.


Disclaimer: Avisar Chartered Professional Accountant’s blog deals with a number of complex issues in a concise manner; it is recommended that accounting, legal or other appropriate professional advice should be sought before acting upon any of the information contained therein.

Although every reasonable effort has been made to ensure the accuracy of the information contained in this post, no individual or organization involved in either the preparation or distribution of this post accepts any contractual, tortious, or any other form of liability for its contents or for any consequences arising from its use.