Internet shopping safer than many other online activities

Online security is the biggest reason UK consumers do not shop online, according to a survey by the Office of Fair Trading.

A poll of over 2,000 respondents revealed that 23% of UK consumers do not shop online because of security concerns.

Even the 46% who said they do shop online named security and privacy as their top concerns.

Although concern about security among online shoppers has dropped 10% since 2006, 68% said it was still a concern and 28% said they were worried about privacy.

Yet concerns about security around online shopping are misplaced, says Ken Munro, director of the penetration testing division at NCC Group.

"Internet users are far more likely to have personal information stolen using social networking and other sites than having their credit card details compromised through shopping online," he says.

Malware threat

A slew of reports by security suppliers on trends in cybercrime show that the most popular way for criminals to target personal information is to infiltrate malware onto legitimate websites.

According to Munro, shopping is now one of the safest activities online because retailers are obliged to comply with the Payment Card Industry Data Security Standard (PCI DSS).

The PCI DSS is an industry-defined set of rules that regulate cardholder data handling and transaction processing. Compliance with PCI DSS has made online shopping more robust and secure than ever before, says Munro.

In January, a US online payments organisation revealed that a data breach had exposed millions of credit card holders to fraud, despite PCI DSS compliance.

But Munro says incidents like that at Heartland Payment Systems are very rare and it is thanks to PCI DSS that the organisation was forced to report the breach.

The lessons learned about the need for end-to-end encryption are likely to be incorporated into the PCI DSS.

"In the past, such breaches would have gone unreported even though they were happening all the time," says Munro.

Take PCI DSS compliance seriously

Simon Black, managing director of payments processing service provider SagePay, says that while PCI DSS is central to minimising risk, adoption is still far from universal.

Many online retailers, particularly smaller ones, still do not adhere to the highest levels of PCI DSS compliance, he says.

PCI DSS is continually being improved to respond to changing security threats, says Black, but online retailers risk falling behind, particularly as their business grows.

For this reason, he says some larger organisations such as National Express are outsourcing online payment processing.

"Online retailers need to take PCI DSS compliance more seriously as few could afford the damaging consequences of data breaches," says Black.

Banking institutions also have an important role in ensuring greater PCI DSS compliance, he says, by continually asking retailers to prove they are up to date.

Online shoppers should look for retailers that subscribe to passcode security schemes such as Mastercard SecureCode and Verified by Visa, which provide additional assurance, says Black.
