How savvy are you about online security? Take the test & find out.

By deepsand ·
Before reading the findings of a study, conducted by the Univ. of Pennsylvania, based on this test, try it yourself.

Seventeen Facts American Shoppers Need to Know - But Don't

For the press release, see
For the full report, see


How Savvy Are You About Your Online Security?

U.S. residents are "dangerously ignorant" of the data that Web site owners collect on them, a study shows.

Juan Carlos Perez, IDG News Service
Wednesday, June 01, 2005

U.S. Internet users are dangerously ignorant about the types of data that Web site owners collect from them and how that data is used, a new study has found.

This lack of awareness makes U.S. Internet users vulnerable to online exploitation, such as personal information misuse, fraud, and overcharging, according to a study conducted by the University of Pennsylvania's Annenberg Public Policy Center.

For the study, titled "Open to Exploitation: American Shoppers Online and Offline" and released today, 1500 adult U.S. Internet users were asked true-or-false questions about topics such as Web site privacy policies and retailers' pricing schemes.

Failing Grades
Most respondents failed the test, correctly answering, on average, 6.7 of the 17 questions. The study's interviews, conducted between early February and mid-March 2005, yielded some findings the authors consider alarming, including:

75 percent of respondents wrongly believe that if a Web site has a privacy policy, it will not share their information with third parties.
Almost half of respondents (49 percent) can't identify "phishing" scam e-mail messages, which information thieves dress up to look as though they came from a legitimate company, such as a bank or store, to lure users into entering sensitive information. Requested information might include Social Security numbers, passwords, and bank account numbers.
62 percent of respondents don't know that an online store can simultaneously charge different prices for the same item based on information it has on different shoppers--a practice that can make users victims of what the study's authors call "price discrimination."
To address the problems identified in the study, the Annenberg Public Policy Center is proposing three measures:

The U.S. Federal Trade Commission should mandate that Web sites replace the term "Privacy Policy" with "Using Your Information" to combat users' misconception that those documents are Web sites' pledges not to share their information with third parties.
Consumer education and media literacy should be taught in elementary, middle, and high schools in the United States.
By government decree, online retailers should be required to disclose what data they have collected about customers, and when and how they will use that data.
If you'd like to take the test yourself, go here.



by jmgarvin In reply to It's a carry-over from th ...

When do we get to see this? I've gone to a number of stores and about 50% still print my full number. It happened in CA, NM, TX, and MO. I just can't wait for this stupid practice to STOP.

At one place I recently made a purchase and I scratched out the CC number. The clerk claimed that I couldn't do that and I would have to be re-rung! I told them where to shove it and explained how it was a major security violation and part of the identity theft problem!

Arg! I hate these little anachronisms....

2 answers.

by deepsand In reply to Finally!

1) Manual imprint slips will, of necessity, obviously continue to bear the entire account number. As such bears the signature of the card bearer, and such is a contractual agreement to pay, the account no. is required to identify the accountholder liable for such payment.

2) As regards POS receipts, signed by the card bearer, such is not under sole control of the merchant; see my above post on this aspect.

Deadlines vary by size of annual transaction volume

by deepsand In reply to Finally!

E-merchants Face Credit Security Deadline

By Brian Quinton

May 25, 2005 7:39 AM

The clock is ticking on an effort by the big credit card companies to get Web merchants to tighten up both their data handling policies and their network security.

Whether they know it or not--and according to observers, many don't--online merchants are facing a June 30 deadline to come into compliance with a unified set of broad data-protection policies adopted last December by Visa, MasterCard, American Express, Discover and their issuing banks. If they don't comply with these measures, they could face fines of up to $500,000 for each transaction or be permanently kicked out of the card acceptance program.

Despite the fact that these deadlines were announced last year, many of the web merchants covered have not yet put the systems in place to comply with the standards, known collectively as the Payment Card Industry (PCI) Data Security Standard, or have not gotten independent certification of their compliance, as most are required to do.

"We estimate that if an audit were done on PCI compliance today, the majority of U.S. merchants would be about 30% prepared," says David Glaser, director of professional services for CyberSource, a payment solutions provider.

The PCI data standard replaces similar individual standards promoted for years by the separate card companies, in an apparent effort to encourage a proactive response to the problem of online credit card fraud. (Diner's Club and JCB Cards are also participating in the effort.) They also interoperate, so that merchants who satisfy one card issuer that their systems are secure and compliant can assume that they are compliant for all the cards. Basically, the standards revolve around twelve specific measures in six areas of security:

* Build and maintain a secure network: Merchants must install and maintain a firewall configuration to protect data. They also may not use vendor-supplied passwords or other default security measures.

* Protect cardholder data: Merchants must protect stored data. They must encrypt transmission of that data and other sensitive information when sending it across public networks.

* Set up a program to manage security weaknesses: This will include using and regularly updating anti-virus software, and developing and maintaining secure systems and applications.

* Establish bullet-proof access control: Access to consumer data must be restricted to those who need to know for business reasons, and each person accessing computer systems must have and use a unique ID. Merchants must also restrict physical access to cardholder data.

* Test and monitor networks regularly: E-commerce sellers will have to track and monitor all access to cardholder data. They will also have to put their security systems and procedures to periodic testing.

* Finally, merchants will have to establish and comply with a set of policies to keep information secure.

All merchants processing their own card transactions will have to comply with these standards. But the card companies and financial institutions have set up a tiered system of requirements for validating that compliance, based on the volume of card transactions a merchant processes. This system makes certifying compliance more rigorous for the high-volume merchants, on the theory that they represent most of the fraudulent transactions. The compliance deadline has already passed for the top rank, clearing more than 6,000,000 transactions a year in any channel, online or off-, on a single card system--for example, Visa. Those merchants have been compelled to submit to an annual on-site security audit and a quarterly network scan, either by their own IT officers or a qualified third party assessor.

Level 2 and 3 are the merchants with the looming June 30, 2005, deadline. Level 2 merchants are those processing 150,000 to 600,000 transactions per year on one of the participating cards. Level 3 are those merchants clearing 20,000 to 150,000 sales on a single card system. Those two groups will need to go through a mandatory annual self-assessment of their compliance and a quarterly network scan, which they can either perform themselves or have done by a qualified independent assessor. The first validation must be done by the end of this coming June.

At the lowest tier, Level 4, are all other merchants processing credit card transactions, either physically or on the Web. These merchants must comply with the PCI standards just like their larger counterparts. But validating that compliance, with an annual self-assessment questionnaire and an annual network scan, is optional--although "strongly recommended" by the credit card companies. Since validation of compliance is voluntary at this level, these smallest merchants don't face a deadline.

The card issuers won't reveal how many Level 1 merchants have already met and certified the required security standards. But reports indicate compliance at the top has been high, partly due to the cooperation and persuasive powers of the banks that sponsor the merchants into the card networks.

At the lower levels, the security situation is more complex. "It's a mixed bag at the moment," Glaser says. "Most merchants have a concern for the cardholders' data, so they are making some effort to secure that. Most we see are encrypting that data. But they may not be encrypting it to the levels that are required by the standards. The problem for many may be in the level of compliance, not the process."

At the small-to-midsized end of the spectrum, the security status quo may be even spottier. "Some merchants have been focused on selling as much as they can, while others have been focused on building a secure environment," Glaser says. "Especially among smaller merchants, we see a tendency to focus on one thing to the exclusion of other elements." One particular problem for small merchants may be simply generating and documenting a security policy, and then training personnel to observe it.

Despite the deadlines, the compliance requirements and the stated penalties, it's still not likely that merchants who can't certify security will find themselves barred from processing card transactions or facing a whopping fine on July 1, 2005. The card companies have all indicated a willingness to work with the merchants and their sponsoring financial groups, provided they can show a good-faith effort to come into compliance with the PCI standards.

CyberSource and other payment advisors are now working with various merchant clients to bring their systems into line with the PCI. Glaser says one thing he sees is that merchants often don't know which level of compliance they will be held to. He recommends that merchants with questions about what standards they will need to meet get in touch either with the card issuer or their acquiring bank, whichever they are more accustomed to dealing with.

"If you're sure you're going to be compliant by June 30, then go ahead and file the paperwork," he says. "If you're not sure, the best thing is to show proactively that you have a plan in place for becoming compliant, with a timeline and deliverable dates. The most important thing to do is to start the work and to register with your banks that you are working on compliance. It may not get you off the hook for a fine or penalty if your system gets breached before you are compliant, but it should keep you from having a card company breathing down your neck until you comply."

Right on...

by jmgarvin In reply to Deadlines vary by size of ...

I'm bringing this article to all my local merchants and then I'm ratting them out when they don't comply by June 30...I'm tired of lazy merchants not protecting consumer information.

Fly in the ointment?

by deepsand In reply to Right on...

How would you determine their classification level?

It's almost assured that they're not going to hand you their merchant acct. stmts. for AmEx, Discover and VISA/MasterCard, 36 statements in all, for the previous year so that you can see their total no. of transactions for each of the three systems.

Not here

by Oz_Media In reply to Why do they still print c ...

I can't speak for the rest of Canada but any card I've used here has never had the FULL number printed on the receipt.

not here either

by john.a.wills In reply to Not here

I don't think I've seen the full number on a printed receipt for several years. Of course, the full number is still on embossed receipts, and I have had a few of those recently (taxi, electrician).

Bank account mailings, too

by JPLconsultant In reply to Why do they still print c ...

All banks will X-out most numbers of your bank account when using snail-mail to discuss the account. However, they don't always X-out the same numbers of the account for all snail-mail. Thus, your monthly statement may only show the last 4 digits, but the monthly advertisement to get you to sign up for another program tied to that account will show only the first 6 numbers. Thus, a person who steals your mail can still get your bank account #. I don't understand why they do that.
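
The inconsistent masking JPLconsultant describes, as an added example that is not part of the thread: a masking helper plus a check that measures how many digits of one account number several differently masked mailings reveal when read together. The account number and the two mailings are constructed for the example.

```python
def mask_account(number: str, reveal_first: int = 0, reveal_last: int = 4, fill: str = "X") -> str:
    """Mask an account or card number in place, keeping only the requested leading
    and trailing digits visible. Separators (spaces, dashes) are left untouched."""
    total = sum(c.isdigit() for c in number)
    out, seen = [], 0
    for c in number:
        if c.isdigit():
            visible = seen < reveal_first or seen >= total - reveal_last
            out.append(c if visible else fill)
            seen += 1
        else:
            out.append(c)
    return "".join(out)


def _digit_slots(masked: str, fill: str = "X") -> list:
    # Positions of the underlying number; fill characters stand in for hidden digits
    return [c for c in masked if c.isdigit() or c == fill]


def recoverable_digits(masked_copies: list, fill: str = "X") -> int:
    """Number of distinct digit positions of ONE account number that a reader holding
    all of `masked_copies` (statement, flyer, receipt, ...) can read off."""
    lengths = {len(_digit_slots(m, fill)) for m in masked_copies}
    if len(lengths) != 1:
        raise ValueError("masked copies do not describe a number of the same length")
    exposed = set()
    for m in masked_copies:
        for pos, c in enumerate(_digit_slots(m, fill)):
            if c != fill:
                exposed.add(pos)
    return len(exposed)


def masking_policy_ok(masked_copies: list, max_exposed: int = 4, fill: str = "X") -> bool:
    """Check every mailing against one rule: across all documents, only the last
    `max_exposed` digits may ever be visible, and always the same ones."""
    length = len(_digit_slots(masked_copies[0], fill))
    allowed = set(range(length - max_exposed, length))
    for m in masked_copies:
        for pos, c in enumerate(_digit_slots(m, fill)):
            if c != fill and pos not in allowed:
                return False
    return True


if __name__ == "__main__":
    acct = "1234567890"  # constructed sample account number
    statement = mask_account(acct)                              # XXXXXX7890
    flyer = mask_account(acct, reveal_first=6, reveal_last=0)   # 123456XXXX
    print(recoverable_digits([statement, flyer]))               # 10: whole number recoverable
    print(masking_policy_ok([statement, flyer]))                # False
    print(masking_policy_ok([statement, mask_account(acct)]))   # True
```

The same check applies to printed receipts: a merchant that truncates to the last four digits on every document never contributes a digit the bank statement does not already show.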


The situation that you describe is an unusual one.

by deepsand In reply to Bank account mailings, to ...

In fact, at my age of 59, I've seen countless financial statements of my own, those of family members, friends, clients, etc., spanning numerous financial institutions, and have never seen a printed statement, for any type account, by any bank, that did not display the entire account no.!


by Jellimonsta In reply to How savvy are you about o ...

I don't rent movies very often so I actually got number 11 wrong. Guess I am paranoid! :)
