November 26, 2009 08:00 ET

Deloitte's Tips for Safe Holiday Online Shopping

TORONTO, ONTARIO--(Marketwire - Nov. 26, 2009) - As consumers and retailers look to a second holiday season amid a recession, online shopping continues to show signs of strength, and social media tools are increasingly being turned to for rapid sourcing of reviews, product availability and deals. According to a 2008 biennial Statistics Canada survey, close to $13 billion was spent online in 2007, an increase of 61% from 2005. This year, current public health risks may contribute to a stronger reliance on internet-based shopping, while convenience and access to online-only products continue to attract Canadians to the Internet this holiday shopping season. Staying one step ahead of fraudulent activity requires continued vigilance by consumers and retailers.

Deloitte's security, privacy and resiliency professionals offer tips for safe online shopping.

Consumers should:

1. Practice safe online shopping

  • Register your credit card for added protection from fraudulent purchases. Many major credit card companies now offer advanced purchase protection processes, such as MasterCard's SecureCode and Verified by Visa, for all online transactions made with their cards. This added layer of protection requires the cardholder to enter, at the time of purchase, a pre-registered personal identification number (PIN) that only the customer knows. This PIN should never be shared with anyone.

  • Avoid using public Internet cafes to conduct online transactions. Kiosk workstations may contain malicious code, such as keystroke loggers, to capture your username and password, and other sensitive personal information.

  • Use only wireless access points with strong security and built-in controls such as Wi-Fi Protected Access (WPA). These controls ensure that sensitive data, including passwords, is encrypted on the wireless network you are using.

  • Look for "seal of approval" icons, and read the company's privacy policy. Seals of approval provided by different authorities, such as Verisign(TM) and WebTrust(TM), serve to verify that the web site adheres to their stated privacy and/or security policies. If you have any questions or concerns about its validity, consider contacting the retailer directly by phone to clarify that the site is adequately protected.

  • If you suspect that your identity has been compromised, notify your financial institution and request that the credit bureau (Equifax/TransUnion) attach a fraud alert to your file. A fraud alert is a "red flag" on your credit report which will identify you as a potential fraud victim to credit grantors.

2. Practice good house-keeping

  • Install the latest operating system patches, keep your firewall, anti-virus and anti-spyware software up to date, and check that they are running. Set your computer to automatically scan for and detect any malicious programs (Trojan horses, spyware) planted by hackers wanting you to disclose sensitive information or to misdirect you to a fraudulent web site.

  • Verify that your browser has the latest security upgrades (also known as patches) and that it supports 128-bit encryption. This high encryption level helps to prevent sensitive data from being accessed by unauthorized people while transacting online. Consider upgrading the web browser to the latest version, as it provides a better security level and tools.

  • Avoid opting for the "remember password and username" option. Despite its convenience, your information will be stored for any and all future users to access. On a public computer, avoid this option altogether.

3. Don't fall prey to online fraud activities

  • Disregard emails requesting that you log in to a shopping/financial web site, in order to update account information. Never click on web site addresses sent via email. Unscrupulous individuals who attempt to steal your personal data often use this technique, known as "phishing", to lure customers to bogus, look-alike web sites designed specifically to collect as much of your personal information as possible.

  • Never send your financial information, including credit card, chequing account or social insurance numbers, via email. If you initiate a transaction and want to provide your financial information through an organization's web site, look for indicators that the site is secure, such as a lock icon on the browser's status bar or a URL for a web site that begins with "https:" (the "s" stands for secure). Fraud is ever-more sophisticated, so vigilance here is key.

Retailers should:

  • Participate in Verified by Visa and MasterCard's SecureCode. By making this service available to consumers, merchants can protect themselves against identity-related chargebacks.

  • Request the three-digit security code (on the back of the credit card) from consumers making online purchases and validate it as part of your authorization. For Visa it is called the Card Verification Value or CVV2 and for MasterCard it is called the Card Verification Code or CVC2. American Express refers to this process as CID.

  • Adhere to the Payment Card Industry Data Security Standard (PCI DSS) and other application security standards. Assess your payment systems regularly against the PCI DSS. Adherence on your part will protect both you and your customers from breaches and losses of confidential information.

  • Provide assurance around the privacy of customer information. Post your privacy policy on your web site and communicate to your internal workforce the importance of adhering to the privacy policy.

  • Ensure that all card information is transmitted using SSL (Secure Sockets Layer) with a high level of encryption (128-bit), which safeguards the confidentiality of sensitive data transmitted over the web.

  • Leverage and adhere to Internet Seals of Approval. Leveraging seals, such as Verisign(TM) and WebTrust(TM), can enhance consumers' confidence in your web site.

  • Do not use email as a basis for driving traffic to your web site. Use other means to attract traffic (such as search engine advertising or other forms of advertising/branding), as consumers may not discern between legitimate and phishing email until it's too late.

  • Never send 'unmasked' credit card information in email messages to your customers. Emails containing confidential information can be intercepted and exposed if left unmasked.

  • Encourage customers to check your web site for status updates. A good practice is to always drive customers back to your web site for status updates or confirmations. Do not send links to your web site by email – rather, advise customers to re-type your domain name directly into the address bar. This will ensure that they are visiting your legitimate web site.

  • Test the vulnerability and exposure of your web site. Regularly verify and quickly correct vulnerabilities as a service to yourself and your customers.

  • Practice due diligence with regard to payment card addresses. Validate cardholder information for all transactions (e.g., does the phone number's area code match the billing address?).

  • In the event of a breach or loss of customer data, be forthcoming and communicate quickly with your customers, banks and service providers.
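Two of the retailer tips above, validating the card security code and never emailing unmasked card numbers, are concrete enough to show in code. The following is an added example written for this page, not Deloitte's code or any payment processor's API; the brand-to-code-length table, the order record and the card numbers are constructed test values.

```python
"""
Added example (not from the Deloitte release): retailer-side checks on card
data before it is sent to a customer or written to a log.
  - cvv_format_valid: security code is all digits and the right length for the brand
    (CVV2/CVC2 are three digits; Amex CID is four)
  - mask_pan: keep only the last four digits of the primary account number (PAN)
  - contains_unmasked_pan: scan outgoing text for anything that looks like a full PAN
All card numbers here are constructed test patterns, not real accounts.
"""
import re

# Constructed sample order (assumed field names; 4111... is a standard test pattern).
SAMPLE_ORDER = {
    "order_id": "A-1001",
    "pan": "4111 1111 1111 1111",
    "brand": "visa",
    "cvv": "123",
}

# Expected security-code length per brand, as described in the tips above.
CVV_LENGTH = {"visa": 3, "mastercard": 3, "amex": 4}


def normalize_pan(pan: str) -> str:
    """Strip the spaces and dashes customers commonly type into card fields."""
    return re.sub(r"[ -]", "", pan)


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: a cheap sanity check that catches typos before authorization."""
    digits = normalize_pan(pan)
    if not digits.isdigit() or not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def cvv_format_valid(cvv: str, brand: str) -> bool:
    """Security code must be numeric and the correct length for the card brand."""
    expected = CVV_LENGTH.get(brand.lower())
    return expected is not None and cvv.isdigit() and len(cvv) == expected


def mask_pan(pan: str) -> str:
    """Replace every digit except the last four with '*' (a PCI DSS-style display mask)."""
    digits = normalize_pan(pan)
    if len(digits) <= 4:
        return "*" * len(digits)
    return "*" * (len(digits) - 4) + digits[-4:]


# 13-19 digits with optional single spaces/dashes between them.
_PAN_CANDIDATE = re.compile(r"(?:\d[ -]?){12,18}\d")


def contains_unmasked_pan(text: str) -> bool:
    """True if any digit run in the text has PAN length and passes the Luhn check."""
    return any(luhn_valid(m.group()) for m in _PAN_CANDIDATE.finditer(text))


def build_confirmation_email(order: dict) -> str:
    """Customer confirmation with a masked card number and no clickable link,
    refusing to build the message if a full PAN would slip through."""
    body = (
        f"Order {order['order_id']} received.\n"
        f"Card ending: {mask_pan(order['pan'])}\n"
        "To check your order status, type our domain name into your browser's address bar."
    )
    if contains_unmasked_pan(body):
        raise ValueError("refusing to send: message contains an unmasked card number")
    return body


if __name__ == "__main__":
    print(build_confirmation_email(SAMPLE_ORDER))
```

The outbound scan is a last line of defence, not a replacement for keeping the PAN out of the email template in the first place; a long numeric invoice number that happens to pass the Luhn check will trigger a false positive, which is the safer direction to fail.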

About Deloitte
Deloitte, one of Canada's leading professional services firms, provides audit, tax, consulting, and financial advisory services through more than 7,700 people in 57 offices. Deloitte operates in Quebec as Samson Belair/Deloitte & Touche s.e.n.c.r.l. Deloitte & Touche LLP, an Ontario Limited Liability Partnership, is the Canadian member firm of Deloitte Touche Tohmatsu. Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, and its network of member firms, each of which is a legally separate and independent entity. Please see for a detailed description of the legal structure of Deloitte Touche Tohmatsu and its member firms.
