In terms of section 43(3) of the Electronic Communications and Transactions Act (ECT Act), a supplier that sells goods and/or services over the Internet must use, and the online purchaser (consumer) has a right to, a payment system that is sufficiently secure with reference to accepted technological standards at the time of the transaction and the type of transaction concerned.
The term 'payment system' is not defined in the ECT Act and it is the opinion of some that it refers to systems that effect not only online credit card payments, but also debit card payments, e-cash redemption and debit orders confirmed electronically. If the term were applied widely, it would also relate to the security of information provided by the consumer to effect the electronic payment, such as credit card numbers and expiry dates and the secure safekeeping of such information after the payment was effected.
The determination of sufficient security measures is a factual question that should be answered by examining the technological security standards used at the time of the transaction by the e-commerce payment industry. The type of transaction and the payment system employed may also play a role in determining whether the security of the payment system in question was sufficient.
It is suggested that the use of digital certificates, encrypted communication of payment information, access to transactional pages through usernames and passwords, time-out functions and secure storage of payment information will play crucial roles in answering whether or not the payment system was sufficiently secure. Obviously, new and future technologies that come to be industry standards for payment system security would change the elements of the investigation. Another fact that needs to be considered is whether or not the payment system reasonably employed the latest and updated versions of security software, eg, for encrypted communications or firewalls.
In order to give proper effect to section 43(5), it is suggested that the examination into sufficient payment system security should not only focus on the technologies employed at the time of payment but also investigate possible misuse, negligence or wilful actions by the supplier or those in its employment. A supplier may use the best and most updated versions of security technology, but if employees do not use it properly or use it negligently, such technology would be worthless.
When will the supplier be liable?
In terms of section 43(6), the supplier may be liable for any damage suffered by a consumer due to a failure by the supplier to comply with the prescribed security measures. This clause creates a civil claim by the consumer against the supplier. The consumer will have to prove:
i) that a security failure occurred during or after the payment process concerning the consumer's payment or payment information;
ii) that the security failure was due to a failure and/or refusal by the supplier to use and/or maintain sufficient payment security technology, or that the supplier or its employees acted negligently or wilfully with the consumer's payment and/or payment information; and
iii) that the consumer suffered damages (the ECT Act states 'any damage') because of the security failure.
Examples of security failures related to payment systems that may invite civil liability include:
* Payment into and from the wrong accounts;
* Payment that is more than the agreed amount;
* Subsequent unauthorised payments;
* Wilful or negligent disclosure and/or use of the consumer's payment information by the supplier or its agents and employees; and
* Unauthorised access to and use of the consumer's payment information by third parties, eg, hackers that steal and use credit card information from the supplier's network.
Third parties and suppliers
Although suppliers normally outsource payment system security to third parties, as was discussed in a previous edition of eSecure, section 43(6) clearly states that the supplier would be liable for the consumer's damages. The supplier will have to rely on its agreement with the third party security provider to recover damages paid to the consumer.
Section 43(1)(p) forces the supplier to disclose the website's security measures to a consumer. The supplier must disclose the procedures, technical and otherwise, that are in place to ensure the privacy and security of the payment mechanism (if any), the consumer's payment information and personal information. In this regard it should be noted that measures should also be employed to secure this information after it has been received and used by the supplier; if it is retained for later use, the database holding it should be protected from internal and external security breaches. The unauthorised use or disclosure of payment and personal information should at all costs be avoided.
When will an e-commerce website comply with the ECT Act?
It is suggested that an e-commerce website with a payment gateway will be regarded as safe and secure if it employs the following technologies:
i) digital certificate to authenticate the website (little padlock appears at the bottom of the browser when visiting the authenticated Web page);
ii) encryption technology that encrypts all communications between the consumer, the supplier and the banks in question (eg, secure sockets layer or SSL, indicated by https://);
iii) use of username and password to gain access to the transaction engine by the consumer;
iv) a time-out function that ends the session if the login or transaction pages are not used for a certain period; and
v) off-line or off-premises storage of payment and personal information, where possible.
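Two of the measures above, the time-out of an idle transaction session (item iv) and the protection of retained payment information (item v and section 43(1)(p) as discussed earlier), can be illustrated in code. The following Python example is added here and is not part of the article or of any supplier's system. It assumes a five-minute idle limit, a separate card vault that is the only place a full card number exists, and the widely published test card number 4111111111111111 as constructed input; all class and function names are the example's own.

```python
"""Added illustration: idle time-out for login/transaction sessions, and
tokenised storage so the supplier's order database never holds a full card
number. Names, the idle limit and the sample card number are assumptions."""
import secrets
import time
from dataclasses import dataclass, field

IDLE_LIMIT_SECONDS = 300  # assumed idle limit for a transaction session


@dataclass
class Session:
    user: str
    last_activity: float = field(default_factory=time.monotonic)


class SessionStore:
    """Sessions that expire when the consumer stops using the pages."""

    def __init__(self, idle_limit=IDLE_LIMIT_SECONDS, clock=time.monotonic):
        self._sessions = {}
        self._idle_limit = idle_limit
        self._clock = clock  # injectable so the time-out can be exercised offline

    def login(self, user):
        sid = secrets.token_urlsafe(32)  # unguessable session identifier
        self._sessions[sid] = Session(user, self._clock())
        return sid

    def touch(self, sid):
        """Return the user for a live session, or None if unknown or expired.
        An expired session is deleted so a later request cannot revive it."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self._clock()
        if now - session.last_activity > self._idle_limit:
            del self._sessions[sid]
            return None
        session.last_activity = now
        return session.user


def luhn_ok(pan):
    """Luhn check-digit validation; rejects non-digits and short inputs."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class CardVault:
    """The only component that holds full card numbers. Everything else
    works with a random token and a masked number (last four digits)."""

    def __init__(self):
        self._by_token = {}

    def tokenize(self, pan):
        if not luhn_ok(pan):
            raise ValueError("invalid card number")
        token = secrets.token_hex(16)  # random, carries no card information
        self._by_token[token] = pan
        masked = "*" * (len(pan) - 4) + pan[-4:]
        return token, masked

    def detokenize(self, token):
        """Only the vault can map a token back; call it at charge time only."""
        return self._by_token[token]


def record_order(vault, user, pan, amount):
    """Build the order record the supplier's database keeps: no full PAN."""
    token, masked = vault.tokenize(pan)
    return {"user": user, "amount": amount, "card_token": token, "card": masked}


if __name__ == "__main__":
    vault = CardVault()
    order = record_order(vault, "alice", "4111111111111111", 1999)
    print(order)  # full card number absent; only token and masked form stored
    print(vault.detokenize(order["card_token"]) == "4111111111111111")
```

The clock is passed in so that the expiry logic can be tested without waiting; in production the default monotonic clock is used. The order record is what a breach of the supplier's database would expose, and it carries only a random token and the last four digits.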