How to Safely Enter Your Credit Card Numbers Online

I had a telephone call today from a subscriber to my genealogy newsletter who wanted to renew a subscription. I asked him why he didn’t renew using the online form on the Web site. He replied that he didn’t trust entering his credit card number online. He preferred to give the number to me over the telephone.

This isn’t a new experience. I have had similar phone calls in the past and even an occasional letter or two from people who said they didn’t want to enter their credit card numbers online. I find that amusing. What does the person think I am going to do with the information? That’s right, I will open a web browser and enter the numbers into a web form and then send it (securely) online to the credit card service I use.

Sending credit card numbers online is safe, secure, and fully insured. It makes no difference if the caller is dealing with a small-time merchant, such as myself, or with a multi-billion dollar retailer such as Sears or J. C. Penney or with Wal-Mart. In all cases, the information is entered into a local computer, encrypted for security purposes, sent online to a credit card service, decrypted, and the funds are withdrawn from the credit card company’s account.

In all cases, security is essentially the same. Actually, the safest method is for the buyer to directly enter the credit card information into his own computer and then to send it (via encrypted SSL) to the merchant. By giving the numbers verbally to a third party, such as to me, the buyer is increasing the probability that a third party will keep the numbers and then use them for some illegal purpose.

I hope that I am trustworthy and I can assure my subscribers that I will not misuse their private information. However, what if you call a larger company and give the numbers to a clerk in a call center who is probably a short-term employee and is being paid a salary near the minimum wage? In most cases, the buyer doesn’t even obtain the name or employee number of the clerk. Can he or she be trusted? Stories I read in the papers indicate that many retail clerks, waiters, waitresses, and others are not to be trusted. They either use the numbers themselves or sell them to others.

Did the caller use a cordless phone? That greatly increases security problems! All sorts of $200 radio scanners in the neighborhood might be listening in. After all, cordless telephones are really just small radio transmitters and receivers. (Today’s more expensive cordless phones often use channel hopping, digital security, spread spectrum technology (SST), and the newer, higher frequencies, 900 MHz and 2.4 GHz, to improve security. However, cheaper and older cordless phones usually do not.)

Was the caller using a cell phone? Those certainly are not secure! Just ask German Chancellor Angela Merkel. She had her cell phone conversations monitored, transcribed, and distributed to a number of U.S. government officials by the NSA. The NSA also admits to regularly monitoring cell phones being used by terrorist suspects. If the NSA can do that, can others?

OK, just to be safe, the caller might be using an old-fashioned wired telephone. However, wired telephones are easily wiretapped. That can be done by someone at the telephone company’s central office or by any other person who surreptitiously attaches a small box onto the telephone wiring where it enters your house. Anyone can purchase wireless wiretapping devices from a number of online merchants.

In contrast, directly entering the credit card information into a secure web browser not only eliminates the possibly dishonest middle man and eliminates the possibility of wiretaps, but also encrypts the information before it is sent across the Internet. Encryption keeps the information safe from prying eyes.

When entering a credit card number or any other sensitive information, look at the address bar in your web browser to make sure it is connected to an address beginning with “https”. The letter “s” indicates that a secure SSL connection is being used. In other words, the connection is encrypted.

SSL (Secure Sockets Layer) is a standard security technology for establishing an encrypted link between a server and a client—typically a web server (website) and a browser; or a mail server and a mail client (e.g., Outlook).

SSL allows sensitive information such as credit card numbers, Social Security numbers, and login credentials to be transmitted securely. Normally, data sent between browsers and web servers is sent without SSL. That is, it is sent in plain text—leaving you vulnerable to eavesdropping. If an attacker is able to intercept all data being sent between a browser and a web server they can see and use that information. Use of SSL eliminates the problem.

More specifically, SSL is a security protocol. Protocols describe how algorithms should be used; in this case, the SSL protocol determines variables of the encryption for both the link and the data being transmitted.

When a large merchant, such as Wal-Mart, sends your credit card information to a credit card clearing house, the same or similar encryption techniques are being used. It makes no difference if a private individual uses a web browser or a major retailer uses credit card swipe machines to read the information, the results are the same: your sensitive information is encrypted before being sent across the Internet. Your credit card information is safe from prying eyes.

SSL is used daily by stores, banks, credit unions, stock brokerage firms, insurance companies and others to safely move billions of dollars online. If the security of SSL is good enough for them, it probably is also good enough for you and for me.

As if that were not enough, all the major credit card companies in North America, Australia, New Zealand, most of Western Europe, and many other countries also insure all transactions against fraud. Even if a thief does manage to somehow get his or her hands on your credit card numbers and makes purchases, the credit card company will refund the money to you, assuming you report the theft as soon as you become aware of it. You might suffer some inconvenience but you will never lose a dime.

For instance:

VISA credit cards and debit cards are fully insured against fraudulent purchases, both online and in person, with no deductible charge. Details are available at: http://usa.visa.com/personal/security/zero-liability.jsp

MasterCard (including both debit cards and credit cards) is fully insured against fraudulent purchases, both online and in person, with no deductible charge. Details are available at: http://www.mastercard.us/security.html

American Express: Use the American Express card online or off, and you won’t be held responsible for any fraudulent charges. Period. If someone uses your American Express card without your consent, you’ll never pay any part of the fraudulent charges. See http://www.americanexpress.com/us/content/fraud-protection-center.html?inav=footer_fraud_protection_center

Discover Card: You’re not responsible for any unauthorized charges on your account—online, offline, anytime, anywhere. See https://www.discover.com/credit-cards/member-benefits/security-center/protect-account/

In all cases, you are not liable for credit card fraud.

For example, a couple of years ago I received a notice from one of my credit card companies, Capital One 360, that states, “If fraud happens, you won’t pay for any charge on your Debit Card that you didn’t authorize. It’s that simple.” I will not use any credit card or debit card that does not have a similar policy. Luckily, all the major credit card companies do have similar policies.

Even better, PayPal provides DOUBLE insurance. PayPal insures all online transactions against fraud. In addition, if the PayPal transaction is funded by a credit card, that credit card company also provides similar insurance. You won’t get paid double the amount of your loss, but you are assured that the two companies will work together to make sure you always get 100% of your money back. Details may be found at: https://www.paypal.com/cgi-bin/webscr?cmd=xpt/general/SecurityFraud-outside.

I trust PayPal even more than the credit card companies because PayPal never tells the merchant your credit card number. With a normal credit card, your card number is usually sent to the merchant where a dishonest employee may be able to see it and to use that number fraudulently. In contrast, PayPal doesn’t send the credit card number to the merchant. Instead, PayPal simply gives the merchant the name and required identifying information of the buyer and then deposits the funds into the merchant’s bank account. The credit card information is never exposed to anyone outside of PayPal (and even then only to a very few bonded and insured employees of PayPal).

In my mind, PayPal is more secure than any of the major credit card companies.

Does this mean you can ignore security concerns when using credit cards? Of course not. Whether paying by credit card, cash, personal check, or any other means, you always have to be aware of security. When using a credit card online:

  • Shop only at sites you trust.
  • Make sure the credit card entry page is secure. On the page where you enter your credit card information, the URL in your browser’s address bar should begin with “https” and there should be a lock in the lower right corner.
  • Don’t make online credit card purchases from a public computer, such as at a library or an Internet cafe. Public computers and networks are less secure so there’s a greater chance that your credit card information can be stolen when you use it on a public computer.
  • Protect your computer from viruses and hackers.
  • Save your online credit card receipts. You can either save electronic copies or even print them on paper. Whatever method you use, make sure you do save them in case you ever need to contact the credit card company to question a charge.

In all cases, using a credit card online is safer than using it in person where a dishonest sales clerk can easily record your information and use the card later when you are not around to watch. Credit card companies all report that in-person theft of credit card numbers is much more common than online usage. Just ask Home Depot, Target, DSW, TJX Companies Inc. (owners of T.J. Maxx, Marshalls, HomeGoods and A.J. Wright) and other multi-billion dollar merchants about their losses due to credit card theft. In all cases, the credit cards were NOT used online. The cards were used in person in the stores and the information was then stored on internal, non-Web, servers where hackers obtained the numbers.

Based on that history, I always feel safe when using credit cards online but I rarely use a credit card in a store. When I do have to use a credit card in a store, I always save the receipt (in Evernote) and then trust the credit card company’s insurance to protect me against fraud.

3 thoughts on “How to Safely Enter Your Credit Card Numbers Online”

  1. If you want to be extra careful you can take some steps to overcome basic “key loggers” – malware on your computer that reads your card number as you enter it. Basic key loggers cannot detect mouse operations – they are “key” loggers not “mouse” loggers – although I am sure that they will become a serious threat shortly!

    So suppose your credit card number is 1234 5678 8765 4321,
    you enter 95678 43210 12349 87650
    then use the mouse and right click function to delete the irrelevant numbers (0 & 9 in the above) to get 5678 4321 1234 8765, then you use the mouse (and right click) to cut and paste the numbers into the right order to leave 1234 5678 8765 4321. Always use the mouse to select from the right click menu and not the cursor keys.

    Why doesn’t this blog use https by default?


    • —> Why doesn’t this blog use https by default?

      Because there is no sensitive information stored on this blog’s web site. I don’t want to know or to store any of your private information on a blog that describes how to keep your private information secret. Everything here is public.


      • Increasingly though, people are demanding that privacy should be the rule and not the exception. Most of us don’t think of our browsing or email as public but that is, in effect, what it is and always has been.

        Groups as diverse as Reset the Net and Google are now encouraging users and organisations to adopt encryption as a matter of course, while the Internet Engineering Task Force is putting encryption front and centre in the design of HTTP 2.0.
        Sophos: Naked Security Blog – Naked Security bids farewell to HTTP
