
E-commerce security

March 4, 2010

More and more, consumers are letting their mouse do the walking as they buy everything from books and plane tickets to computers and cars over the Internet. But how safe is their credit card information?

Where are your credit card numbers stored? Image: AP

E-commerce is here to stay. The question is: what happens to your information once the transaction is finished? Do e-commerce establishments delete your information? The answer is: not always, as shoppers who use Amazon know. For ease of shopping, Amazon asks customers if they want the company to retain their information so that their next transaction will be quicker. Many consumers give their consent and consider the process transparent.

But what about other websites? How secure should people feel? Hackers are continually devising new ways of getting access to consumers' credit card numbers via the Internet. One of the highest profile cases occurred in 2007, when unknown hackers got into the databases of off-price retailers TJ Maxx and Marshall's in the US and stole more than 45 million credit card numbers.

Thus, security is one of the big issues when it comes to online commerce and that was a major topic in the Banking and Finance hall at this year's CeBit trade show in Hannover.

Joachim Gebauer is a technical manager at VeriSign, a digital security company that provides security for web transactions of all kinds.

“If you offer e-commerce, you really should think: how can I bring in a layer of security and bring trust to my website?” said Gebauer.

Small and medium enterprise

Data security is vital to small and medium sized businesses on the Internet

One official from the Federal Office for Information Security (BSI), Germany's department of internet security, acknowledged that the government was actively promoting e-commerce, especially for small to medium-sized enterprises.

So are consumers safe here in Germany?

“In Germany there is a very strong data privacy law, and that comes from the European Union data privacy regulation, where they say every real person and the private information like your name, your address and telephone number has to be protected,” Gebauer said.

Germany's percentage of online shoppers compared to its Internet-connected population is the third highest in the world after South Korea and the United Kingdom.

A recent survey by Deutsche Bank found that while roughly 75 percent of global online payments are made via credit card, only 44 percent of German online shoppers use such a card. The rest of the population prefers offline transaction methods such as invoicing (30 percent) or direct bank account transfers (23 percent).

But the question still remains, should companies conducting e-commerce be forced to delete customers' credit card information after a specific time period? And interestingly enough, that is a question that is difficult to answer.

One official at the BSI booth at CeBit, speaking off the record, said he wasn't aware of a law requiring companies to delete credit card details after a set period of time.

Axel Diekmann, of Internet security company Kaspersky Labs, said that Germany's data protection act only came into force in August 2009. Companies now have to declare what they are doing with personal data and how long they store it, and give each person a clear answer to the question: what data about me do you store?

But when it came to the storage of credit card data specifically, Diekmann said he had never heard of any regulatory timeframes.

"As far as I'm aware - I may be mistaken - there is no clear rule for companies as to how long they are allowed or are forced to store specifically the data from credit cards," he said.

Shredding data not difficult

The secure destruction of data is vital to credit card fraud prevention. Image: Bilderbox

One thing that is certain is that the technology exists. There are software applications that can be put on e-commerce servers that will delete credit card numbers from a database.

“If you're handling credit card information we can run that program and it will shred or overwrite the information on that server,” said Sami Tuupanen, a technical specialist at Blancco, a Finnish data destruction company.

The technology is pretty simple. You install the software, tell it to go to a specific file and delete or shred every single credit card number that has been stored before a certain date.
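The date-based purge described above, shown as an added example that is not from the article and not Blancco's product. The `stored_cards` table, its columns and the card numbers are constructed for illustration, and SQLite stands in for whatever database a shop actually runs.

```python
import sqlite3


def make_demo_db():
    """Build an in-memory database with constructed test card numbers."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE stored_cards ("
        " customer_id INTEGER, card_number TEXT, stored_on TEXT)"  # ISO dates
    )
    conn.executemany(
        "INSERT INTO stored_cards VALUES (?, ?, ?)",
        [
            (1, "4111111111111111", "2008-11-02"),  # constructed sample rows
            (2, "5555555555554444", "2009-06-15"),
            (3, "4012888888881881", "2010-02-20"),
        ],
    )
    conn.commit()
    return conn


def purge_cards(conn, cutoff):
    """Delete every card stored before `cutoff` (YYYY-MM-DD); return rows removed."""
    # Ask SQLite to overwrite deleted content with zeros instead of only
    # marking the space as free for reuse.
    conn.execute("PRAGMA secure_delete = ON")
    with conn:  # commits on success, rolls back on error
        cur = conn.execute(
            "DELETE FROM stored_cards WHERE stored_on < ?", (cutoff,)
        )
    return cur.rowcount


def remaining(conn):
    """Customer ids that still have a card on file."""
    rows = conn.execute(
        "SELECT customer_id FROM stored_cards ORDER BY customer_id"
    )
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_demo_db()
    print(purge_cards(db, "2010-01-01"), "cards purged; left:", remaining(db))
```

Copies of the same numbers in backups, logs and replicas are outside what this statement touches and need their own retention handling.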

For now, it falls to the consumer to make sure that companies destroy their credit card information.

“What I would do as a consumer,” says Tuupanen, “I would be more active, before buying in certain locations. I would question that… are you doing enough on your data security? Are you getting rid of information which you no longer need? Or, how long are you storing information about me?”

Author: Andy Valvur
Editor: Sam Edmonds
