Shopping Over The Internet Not So UnSETtling After All

Six and a half million U.S. households made their first purchase on the Internet last year, according to Forrester Research. I was one of them.

It was a desperation move. I'd put off my holiday shopping so long that I had to either get into the car and fight 5,000 people for the mall's 4,000 parking spaces or point my browser at Amazon.com and (shudder) send my credit card number over the Internet.

I ignored the nagging feeling that I was just asking for trouble by transmitting private information over the public network before Visa and MasterCard had widely implemented their Secure Electronic Transaction (SET) protocol. I searched for a few book titles, put several into my shopping basket, typed in my credit card number and hoped for the best. Two days later, the UPS truck rumbled up our lane with my books inside. That was good.

In fact, online shopping was so easy, I decided to chance it again and again. And it just got easier and easier. With my account information on file, I didn't have to do much more for new orders than pick out the books and choose how fast I wanted to receive them.

In the end, there really was no need for me or those other 6.5 million first-time online shoppers to worry. When I got my credit card statement, the only charges on it were those I had made.

I shouldn't have been surprised. There are technical, legal, business and practical reasons why shopping over the Internet is safe now, without waiting for SET.

Technically, the Secure Sockets Layer protocol, which was created by Netscape and also implemented by Microsoft, addresses all the necessary security issues. SSL authenticates the server so customers know they are dealing with the intended Web commerce site. It encrypts sensitive information before sending it across the wire, and it provides a way to verify that the transmission has not been altered en route. Optionally, it can even authenticate the client to the server, a feature more important for business-to-business commerce than for retailer-to-customer transactions.

SET provides the same assurances as SSL, but because it is a protocol designed especially for payment processing, SET adds an acquirer to process the transaction for the card issuer through a payment gateway. It also adds the derailing requirement for customers to acquire a digital certificate before they can engage in electronic commerce.

In other words, SET adds expense and complexity to a process that already does the job reasonably well.

Legally, online shopping with a credit card is safe because fraud on the Internet is protected in the same way as any other credit card fraud. The Fair Credit Billing Act limits the credit card holder's liability to $50 for fraudulent charges.

As a smart business practice, many online sites--among them Amazon.com and Dell Computer--guarantee to cover the $50 for customers should their credit card number be compromised during a purchase made on that vendor's site. Dell claims that it has never needed to make good on that guarantee, despite sales of more than $10 million per day on its Web site. Granted, some portion of Dell's sales are completed using "paperless purchase orders" in which a customer company establishes a line of credit with Dell and charges its Internet purchases against that P.O.

Practically, there are a lot easier ways to steal credit card numbers than cracking codes on the Internet. Being a waiter, for instance, comes to mind.

What's more, although holes in SSL have been discovered, and RSA Data Security this week is reporting a vulnerability in public-key encryption used by both SSL and SET, I doubt the usual credit card thieves have the technical savvy to exploit those holes. Nor does there appear to be interest from the usual Internet crackers to steal credit card information. They seem to be content simply with disabling sites.

All these considerations do not mean that Internet commerce is risk-free, however. It's a calculated risk, similar to those we take when we drive a car or when we're on a plane.

What's obvious is that electronic sales are safe enough, and with consumer confidence in place, sales on the Internet are taking off.

Compaq, for one, is cashing in on that wave with its announced purchase last week of online retailer shopping.com, which it will combine with its AltaVista search engine to create a one-stop search-and-shop site.