sid_vicious's Journal: Online Credit Card Fraud

Well, I guess it was bound to happen eventually. Today, I got the credit card bill for a Visa card that I barely ever use, and was surprised to find a charge for $59.95 with a transaction description of "REMARQ COMMUNITIES, INC. 4089383954 CA" (don't bother calling what appears to be a phone number in there - it's been disconnected.

Needless to say, I've never done any business with "Remarq Communities" (which appears to be a pay-based news (as in NNTP) service). I've called my credit card company to cancel the account, and contacted Remarq to see if they have any records of the transaction.

I've always considered myself a pretty savvy online shopper - I'm not exactly keying my credit card number into every pr0n site I run across - but I'll be thinking twice before doing any online shopping in the future. Anybody out there had a similar experience, and if so, how much luck did you have getting the charges wiped off?

Replying from the other side of the fence.

[Pinball Wizard]

As an operator of an ecommerce site(and one that doesn't have the benefit of being a $HUGE_MEGACORP), what would it take for me to gain your trust as a user? Do I brag about my security procedures, my OpenBSD firewall, the way I encrypt credit card numbers? Is the simple assurance that you won't be held liable for fraud enough?

I suspect people wary of fraud on the net won't buy online no matter what I do. So tell me, what can I do to make you trust me?

Re:Replying from the other side of the fence.

[sid_vicious]

..what would it take for me to gain your trust as a user? ?

You know, that's an excellent question. Assurances that you've got a good technical setup (firewall, encrypted credit card numbers, secure transactions) are absolutely a must. If I'm online (especially with a small vendor) and something about their technical setup sets off my bullshit meter ("we have both a hardware and a software firewall!"), I'm done with them.

On the other hand, even the most solid setup is only half the story. I want to be able to talk to a real human being if need be (phone number on front page), so I don't get the impression that this is a fly-by-night operation. 100% of convincing someone to buy from you online is convincing them that there's a real human being on the other end.

It's funny, companies make a big deal about how many bit-encryption their transactions and storage are, but all that makes no difference if they dump a ream of non-encrypted credit card numbers in the Dumpster out back. So, it'd be nice to see a brick-and-mortar security policy in addition to the electronic security policy (e.g., "receipts are kept in a cipher-locked room and cross-cut shredded at close of business the day of the transaction").

As silly as I *know* it is, a well-designed site is still part of the equation. If I'm plunking down my credit card number, I don't want the website to look like amateur hour. It's the same way I'm not handing my credit card to some guy selling VCRs out the back of his minivan.

And, though some people may, I've never put a lot of stock in that Verisign-type crap.