Cybersecurity & I.P. protection
4.2.1 How can a company ensure security during international transactions?
Security is fundamental for any online activity, and e-commerce is a particular environment in which a huge amount of data is shared and stored. It is not only a matter of securing business data, but also of protecting sensitive customer data, enabling safe browsing and securing payments, to name just a few examples. When a business internationalises, further measures may be required, and these will also depend on the rules and conditions of the markets it targets.
For any business planning to start selling online, security measures are critical. Any information that goes online is exposed to cyberattack. A business can introduce new measures after a system has been attacked, but these only take effect from that moment onwards; data stored before the attack will already have been exposed. This is why security measures must be implemented from the start and backed by regular, precise controls, including regular updates of software and browsers, so that cyberattacks can be detected before they cause any harm.
Online security is most often associated with online payments, and rightly so. Here the encrypted (coded) transmission of data between consumer and seller, especially credit card details, is a prerequisite, together with the ability to confirm the identity of both seller and buyer. However, other measures must be in place before online payments are offered to customers. These start with securing the business’ own network(s): protecting the server against third-party attacks from outside (the Internet) and from inside (the LAN), and preventing unauthorised persons from accessing customer data without the customers’ consent. Other basic security measures include SSL certificates and security seals.
An SSL certificate links a domain name, server name or hostname with an organisational identity (i.e. company name) and its location. It is the first step in demonstrating that an e-commerce site is protected. Its purpose is to secure the connection between a web server and a browser, specifically for credit card transactions, data transfer, logins and social media browsing. An e-commerce site with an SSL certificate shows a padlock or green bar next to the HTTPS protocol in the address bar, where there used to be http (the ‘s’ in https stands for secure).
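The padlock only appears when the browser has verified that the certificate covers the site’s hostname and is within its validity period. The following example, added here and not part of the original guide, performs the same checks on a certificate in the dictionary format returned by Python’s ssl.SSLSocket.getpeercert(); the fetch_certificate helper connects to a live server with full chain and hostname verification, while SAMPLE_CERT, the hostnames shop.example / www.shop.example and the 30-day expiry warning are constructed for illustration.

```python
"""Check a server certificate the way a browser does before showing the padlock.

Added example (not from the original guide). The certificate dict below is
constructed in the shape returned by ssl.SSLSocket.getpeercert().
"""
import socket
import ssl
import time
from typing import Optional


def fetch_certificate(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with chain and hostname verification and return the leaf certificate.

    Raises ssl.SSLCertVerificationError when the chain or hostname is invalid.
    (Needs network access; not used by the offline checks below.)
    """
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Match one subjectAltName DNS entry, allowing a single leading wildcard label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        # A wildcard covers exactly one label: *.shop.example matches
        # www.shop.example but neither shop.example nor a.b.shop.example.
        suffix = pattern[1:]
        return hostname.endswith(suffix) and hostname.count(".") == pattern.count(".")
    return pattern == hostname


def check_certificate(cert: dict, hostname: str, now: Optional[float] = None,
                      warn_days: int = 30) -> list:
    """Return a list of findings; an empty list means the certificate looks fine."""
    now = time.time() if now is None else now
    findings = []

    # 1) Does the certificate actually name the site the customer typed in?
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(hostname_matches(name, hostname) for name in names):
        findings.append(f"hostname {hostname} not covered by subjectAltName {names}")

    # 2) Is it inside its validity window, and is renewal due soon?
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        findings.append("certificate not yet valid")
    elif now > not_after:
        findings.append("certificate expired")
    elif not_after - now < warn_days * 86400:
        findings.append(f"certificate expires in {int((not_after - now) // 86400)} days")
    return findings


# Constructed sample in getpeercert() format (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "shop.example"), ("DNS", "*.shop.example")),
}

if __name__ == "__main__":
    mid_2024 = ssl.cert_time_to_seconds("Jun  1 00:00:00 2024 GMT")
    print(check_certificate(SAMPLE_CERT, "www.shop.example", now=mid_2024))
    print(check_certificate(SAMPLE_CERT, "a.b.shop.example", now=mid_2024))
```

Running check_certificate on the certificate returned by fetch_certificate for the shop’s own hostname, on a schedule, catches the two failures customers notice first: a certificate that no longer matches the site name and one that has quietly expired.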
Security seals (also known as trust seals) document that an e-shop adheres to a privacy policy, when its last security scan (e.g. for malware or viruses) was conducted and whether the website is safe. There are two types of security seal: server verification and site verification. The first scans the hosting server in order to eliminate any potential danger. The second protects users against unwanted scripts being inserted into the pages they view (cross-site scripting) and against tampering with user data, which may void transactions or destroy data (SQL injection). An e-commerce site that has a trust seal displays a badge or a ‘secured’ / ‘verified’ message (e.g. Norton Secured) on its pages, and often in the address bar as well; its legitimacy can be checked by clicking the icon, which leads to a page confirming the authenticity of that seal. A further indication that the site is secured is the ‘protector’s’ name shown in green in the browser’s address bar.
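A site-verification scan looks for exactly the two weaknesses named above. The example below, added here and not taken from the original guide, shows each one in a small Python shop back end beside its fixed form: an order lookup that pastes the customer name into SQL versus one that binds it as a parameter, and a greeting that reflects the name into HTML verbatim versus one that escapes it on output. The in-memory SQLite table, the customer names and the probe inputs are constructed for illustration.

```python
"""SQL injection and cross-site scripting, each beside its hardened form.

Added example, not from the original guide. The database contents and the
inputs are constructed for illustration.
"""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a small in-memory orders table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, total REAL)")
    conn.executemany("INSERT INTO orders (customer, total) VALUES (?, ?)",
                     [("alice", 49.90), ("bob", 120.00)])
    conn.commit()
    return conn


# --- SQL injection ----------------------------------------------------------

def orders_for_vulnerable(conn: sqlite3.Connection, customer: str) -> list:
    # Vulnerable: user input becomes part of the statement text, so a name such
    # as  x' OR '1'='1  turns the WHERE clause into "always true" and returns
    # every customer's orders.
    sql = f"SELECT id, customer, total FROM orders WHERE customer = '{customer}'"
    return conn.execute(sql).fetchall()


def orders_for_hardened(conn: sqlite3.Connection, customer: str) -> list:
    # Hardened: a bound parameter is always treated as data, never as SQL,
    # whatever characters it contains.
    sql = "SELECT id, customer, total FROM orders WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


# --- Cross-site scripting ---------------------------------------------------

def greeting_vulnerable(name: str) -> str:
    # Vulnerable: the name is copied into the page unchanged, so markup in it
    # is rendered (and scripts in it run) in every visitor's browser.
    return f"<p>Welcome back, {name}!</p>"


def greeting_hardened(name: str) -> str:
    # Hardened: escape on output so <, >, &, and quotes display as text.
    return f"<p>Welcome back, {html.escape(name, quote=True)}!</p>"


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print(orders_for_vulnerable(db, probe))   # both customers' orders leak
    print(orders_for_hardened(db, probe))     # [] : no customer of that name
    print(greeting_vulnerable("<b>alice</b>"))
    print(greeting_hardened("<b>alice</b>"))
```

The same two rules generalise beyond this snippet: every value that reaches a database goes through a bound parameter, and every value that reaches a page is escaped for the context it lands in.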
Online payments are especially vulnerable to cyberattacks and fraud, and the problem will keep growing with the popularity of online and mobile shopping. Cybercriminals steal sensitive information, and card-not-present (CNP) transactions are a huge target for them. Consumers prefer using credit cards (or cards in general) for online transactions. The European Central Bank estimates that CNP transactions represent more than 60% of card fraud. Other common examples of online fraud in e-commerce include:
Merchant Identity Fraud: when a cybercriminal sets up a merchant account that is similar to that of a legitimate business, followed by making charges on stolen credit cards before the real cardholder realises what has happened.
Card Theft: when a fraudster obtains credit card information which can be used to make a purchase such as card number, expiration date, and CVV/CVC.
Customer Identity Theft: when a cybercriminal obtains key details of personally identifiable information that are then used to make a purchase.
Card Testing: when a fraudster uses stolen cards to make frequent low-value purchases.
Package Interception: when a fraudster uses a stolen card to buy physical items and then intercepts or reroutes the package during delivery.
Phishing: when a cybercriminal tries to acquire sensitive data, such as usernames, passwords or credit card details, by means of deceptive emails or websites.
False Demand for a Refund: when a cardholder files a chargeback instead of requesting a refund, i.e. a (fake) customer tries to get money back for a legitimate purchase.
Malicious redirect: when a cybercriminal redirects visitors to an infected site.
Pagejacking: when cybercriminals attack websites and redirect customers to untrusted pages.
Other cyberattacks that can be easier to detect and eliminate include the following:
Malvertising: when fake advertising campaigns (characterised by spelling mistakes, incorrect product, etc.) are spread, infecting webpages.
Suspicious pop-ups: when fake messages appear on screen and download malware to the computer once they are clicked.
Defacement: when a cybercriminal replaces a site’s content with their name, logo, and/or ideological imagery.
Additional measures that should be implemented to protect against the types of fraud mentioned above and to guarantee transaction security include PCI DSS (Payment Card Industry Data Security Standard) certification, a standard created to raise the level of security for card users and reduce credit card fraud; the Address Verification Service (AVS), which verifies whether a purchaser is the card’s owner by checking the card holder’s billing address; and the Card Verification Value (CVV), also known as the Card Security Code (CSC), which verifies that the purchaser has the card in their possession. The last two apply only to credit card transactions, and AVS is not available in all countries. 3D Secure is an additional security layer for online credit and debit card transactions that adds an authentication step for customers making online purchases.
Additionally, tracking IP addresses, card numbers and other elements that can be linked to transactions that appear fraudulent is an important security measure. E-businesses should also provide information about international currency exchange rates and present all information in the language of the target market. Depending on the country targeted, different security measures may be required, and whether a business decides to implement them will also affect its ability to reach a new market.
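The card-testing pattern from the fraud list (frequent low-value purchases on stolen cards) and the tracking of card numbers and IP addresses described above can be turned into a simple detection over the shop’s own transaction log. The example below is added here and is not part of the original guide: it reads a constructed log of timestamped attempts, masks each card number before it is stored anywhere (the first-six / last-four masking is an assumption made here, in the spirit of the PCI DSS requirement to keep full card numbers out of logs and screens), and then raises one alert for a card that is tried repeatedly at low value within a short window and another for an IP address that cycles through several different cards. The thresholds (10-minute window, amounts up to 5.00, three attempts, three cards) and all log lines are constructed for illustration.

```python
"""Flag card-testing bursts and multi-card IP addresses in a transaction log.

Added example, not from the original guide. Log lines, thresholds and the
masking rule are constructed/assumed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits; a full card number never reaches logs."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


# Constructed sample log: timestamp,ip,card number,amount,result.
# The card numbers are well-known test numbers, not real cards.
SAMPLE_LOG = """\
2024-03-01T10:00:05,203.0.113.7,4111111111111111,1.00,declined
2024-03-01T10:00:09,203.0.113.7,4111111111111111,1.00,declined
2024-03-01T10:00:14,203.0.113.7,4111111111111111,1.00,approved
2024-03-01T10:00:20,203.0.113.7,5555555555554444,0.99,declined
2024-03-01T10:00:27,203.0.113.7,5555555555554444,0.99,declined
2024-03-01T10:00:31,203.0.113.7,5105105105105100,1.00,declined
2024-03-01T10:00:40,203.0.113.7,5105105105105100,1.00,approved
2024-03-01T10:15:00,198.51.100.23,4012888888881881,89.50,approved
2024-03-01T11:30:00,198.51.100.23,4012888888881881,45.00,approved
"""


def parse_log(text: str) -> list:
    """Parse the log; card numbers are masked at parse time so nothing downstream sees them."""
    rows = []
    for line in text.strip().splitlines():
        ts, ip, pan, amount, result = line.split(",")
        rows.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                     "card": mask_pan(pan), "amount": float(amount), "result": result})
    return sorted(rows, key=lambda r: r["ts"])


def find_card_testing(rows: list, window: timedelta = timedelta(minutes=10),
                      low_value: float = 5.0, min_attempts: int = 3,
                      min_cards_per_ip: int = 3) -> list:
    """Return (alert_type, subject, count) tuples; rows must be sorted by time."""
    alerts = []

    # Rule 1: the same card tried repeatedly at low value inside one window.
    by_card = defaultdict(list)
    for r in rows:
        if r["amount"] <= low_value:
            by_card[r["card"]].append(r["ts"])
    for card, times in by_card.items():
        for i, start in enumerate(times):
            j = i
            while j < len(times) and times[j] - start <= window:
                j += 1
            if j - i >= min_attempts:
                alerts.append(("card_testing", card, j - i))
                break

    # Rule 2: one IP address cycling through several different cards.
    by_ip = defaultdict(list)
    for r in rows:
        by_ip[r["ip"]].append(r)
    for ip, items in by_ip.items():
        for i, start in enumerate(items):
            cards = {x["card"] for x in items[i:] if x["ts"] - start["ts"] <= window}
            if len(cards) >= min_cards_per_ip:
                alerts.append(("multi_card_ip", ip, len(cards)))
                break
    return alerts


if __name__ == "__main__":
    for alert in find_card_testing(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample log the two rules fire on the same source: the card ending 1111 is tried three times in under a minute, and 203.0.113.7 uses three different cards in the same window, while the ordinary customer at 198.51.100.23 triggers nothing. In production the alert subjects (masked card, IP address) are what gets added to the tracking lists mentioned above, and the thresholds are tuned against the shop’s normal order rate.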
Apart from the basic fraud protection solutions previously mentioned, there are also more advanced tools on the market, each providing a suite of fully integrated fraud prevention and detection checks before a transaction or verification request is processed. They should be chosen based on the type of e-commerce site, size of the business, number of customers and the potential to reach new markets.
4.2.2 I.P. Protection and GDPR
Intellectual property (IP) refers to creations of the mind of individuals and groups and is protected by law. It also denotes ownership of a particular product or service, which makes it an important component of e-commerce, where product / service descriptions, images, videos and other data are shared. Since trade over the Internet must be protected, technological security systems and IP law need to be addressed together, or else IP can be stolen. Examples of IP are patents, trademarks, copyrights and trade secrets. E-commerce and online businesses rely on product or patent licensing and on trademarks, and leaving these unprotected can harm the business. IP is therefore closely connected with sensitive data and security, and this relates to GDPR.
GDPR stands for General Data Protection Regulation. Under it, the collection of personal data is governed by the consumer’s consent: they must agree that their data is collected and stored, so data cannot be collected, stored or used without the customer’s permission. The General Data Protection Regulation (GDPR), of 14 April 2016, adopted on 25 May 2018, was designed to protect EU citizens. It introduces limits on both data collection and data use, defines data protection and data privacy, and restricts data use without alienating customers.
The protection of personal and sensitive data is obligatory, as is the distinction between them, since different levels of protection may be required. Personal data includes not only names, addresses or bank account details but also cookies and IP addresses, while biometric data is classified as sensitive data. An e-commerce site will come into contact with a huge amount of personal and sensitive data, so safety measures must be in place from the very moment a visitor arrives on the webpage (especially if the site uses cookies, has already collected data from the visitor, or the visitor signs up for an e-newsletter) and throughout their conversion into a customer (setting up an account, making a purchase, entering data). In any case, businesses are obliged to explain to customers why they are asking for their data and that they are responsible for protecting it. This information should also be available for customers to consult at any time (e.g. in the privacy policy or in another easy-to-find place on the website).
Digitalisation makes it easier to collect data, but since the introduction of GDPR the amount of data collected has dropped significantly, as customers are more careful about the information they share online. Businesses are also starting to understand that they do not need to collect so much data from customers, which in turn builds trust among customers who suspect businesses of taking advantage of their data without necessarily protecting it. In e-commerce, collecting and storing data is not necessary for the purpose of completing an order, but it can be vital for other activities, e.g. analysing consumers’ online behaviour or managing their subscription to an e-newsletter. In either case, the consumer must always confirm that they agree to the website / e-commerce provider collecting their data, as required under GDPR.
E-commerce security, consumers’ online activities and therefore the protection of their rights online are supported by the Digital Single Market Strategy of the EU (launched in May 2015). Its main proposals include payment services and a ban on geoblocking, among others. In terms of payment, the Payment Services Directive (Regulation (EU) 2015/2366) was set up to strengthen consumer rights, guarantee safe and faster payments, describe refund rights, give clear information on payment methods and promote mobile payments. As a response to geoblocking, Regulation 2018/302 of 28 February 2018, adopted on 3 December 2018, puts an end to geoblocking, facilitating e-commerce activities (selling and buying outside the country of residence) and increasing sales within the EU. Geoblocking imposed limitations not only on consumers and businesses, but also on economies. Moreover, in April 2018 consumers received additional protection through the proposals of a New Deal for Consumers, which obliges online marketplaces to inform consumers whether they are buying from a trader or an individual, whether a search result has been paid for by a trader and under what conditions, and allows consumers to cancel a digital service purchase contract within 14 days. It is expected that in January 2021 new VAT rules for online sales of goods and services will come into force, which will simplify VAT rules for the sale of goods online and also combat tax fraud. The EU regularly introduces new rules to protect online consumer rights and improve e-commerce performance. More information in this respect can be found on the European Commission’s Shaping Europe’s digital future policy pages (European Commission, 2020).