Safe online shopping? How to recognize a trustworthy vendor

You’ve finally found it — the one gizmo or gadget that will complete you. And lucky you, you’ve found the best possible price online! But are you really sure you want to hit “confirm” on that order page?

Online shopping has become as natural as breathing for some people, and it’s easy to see why. The convenience of staying at home while you shop, and having the ability to instantly cross-reference price points can’t be overstated.

But an increase in popularity doesn’t erase the large number of risks that exist out on the Internet. The reality is that even shopping in brick-and-mortar stores carries a risk: huge retailers like Target and Home Depot have suffered notorious data breaches in recent years that exposed tens of millions of payment cards. The difference is that you have the option to pay cash when you leave your home to go shopping, the age-old form of payment that keeps your spending habits anonymous. You usually don’t have that option when shopping online, so everything you do leaves a trace.

But how did this happen to me?

Identity theft is a huge problem on the internet. You may have already experienced having to get a new credit or debit card. It’s a major headache to find out that someone has been running up your limit in a city 300 miles away. But did you ever stop to think how internet thieves got a hold of your information to begin with?


Stolen credit cards are sold on the black market — don’t let this be yours!

As you can see here, people are selling credit cards on the black market. While we won’t sink so low as to buy the card to confirm if it’s legitimate or not, you can see that there is a market for your stolen credit card information. This may have been how your credit card information was compromised!

All it takes is an insecure payment page or a data breach of a vendor that is holding onto your payment information. There’s no room to be even the slightest bit careless in this crazy world.

Online vendors don’t always have your best interest in mind

Hundreds of millions of people use online banking in China alone, and the number of online payment transactions worldwide keeps growing rapidly every year.

Whether through ignorance or negligence, some online vendors don’t have the right practices in place to protect your financial and personal information. They know that people will spend money on their products anyway, so why bother? Our CEO, Christian Mairoll, told us a horror story about vendors asking for credit card information through unencrypted emails!

There are a number of other things that novice vendors might do that compromise your payment information. But more often than not, it’s what they don’t do that can really put you in a bind. Study the information below and you’ll have a much better sense of what standards you should have for any vendor you do business with, as well as what payment options are optimal for privacy.

How secure is your online payment method?

Different payment options are more or less popular in different parts of the world, and often what our friends, co-workers, and families are using influences our own decisions. Not only that, but limits on what forms of payment vendors will accept also set the boundaries for these choices. The following payment options are popularly used around the world for online shopping:


PayPal

PayPal is an international online payment service provided by a U.S.-based company. It’s one of the most popular payment options offered by online vendors after credit and debit cards.

Pros – PayPal isn’t new to the online shopping scene, and as a result it’s a trusted option for many consumers. It was one of the first services to use tokenization to keep your financial information private, even from vendors. Tokenization is the process of substituting sensitive data with a non-sensitive replacement, or “token”: the merchant receives a random stand-in value instead of your card number, so a breach at the merchant does not expose a card that could be charged elsewhere. PayPal also allows easy chargebacks in case of fraud, and its dispute process is relatively simple compared to other methods, which is why you should prefer PayPal over a credit card if a vendor offers both options.

Cons – Many vendors are unhappy with the fees that PayPal charges them, but the customer is not charged extra for using the service. PayPal may also be eclipsed by other forms of payment in the future, like Google Wallet, Apple Pay, and Skrill, which also use tokenization.
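To make the tokenization idea concrete, here is an added example (not PayPal’s code, nor anything from the original article) of a hypothetical token vault standing in for a payment processor. The merchant keeps only a random token and a masked display string; only the vault can turn the token back into a card number. The last function shows why simply hashing the card number is not tokenization: it assumes the first eight and last four digits are known to the attacker, which is exactly what is printed on most receipts. The card number used is a constructed test value.

```python
import hashlib
import secrets


def mask_pan(pan: str) -> str:
    """Display form allowed by PCI DSS: at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_hash(pan: str) -> str:
    """SHA-256 of a PAN, the 'pseudonymisation' some merchants wrongly treat as a token."""
    return hashlib.sha256(pan.encode()).hexdigest()


class TokenVault:
    """Hypothetical tokenization service, standing in for what PayPal or a
    payment processor operates. It is the only system that ever holds PANs."""

    def __init__(self):
        # token -> PAN. In a real vault this is an encrypted, access-controlled,
        # audited store; a dict is enough to show the data flow.
        self._pans = {}

    def tokenize(self, pan: str) -> dict:
        digits = pan.replace(" ", "")
        if not (13 <= len(digits) <= 19 and digits.isdigit()):
            raise ValueError("a PAN is 13 to 19 digits")
        # The token is random, not derived from the PAN, so it reveals nothing
        # about the card and cannot be charged anywhere except through this vault.
        token = "tok_" + secrets.token_hex(16)
        self._pans[token] = digits
        return {"token": token, "display": mask_pan(digits)}

    def charge(self, token: str, amount_cents: int) -> str:
        """Only the vault resolves a token back to a card; the merchant never can."""
        pan = self._pans[token]  # KeyError for a token this vault never issued
        return f"charged {amount_cents} cents to card ending {pan[-4:]}"


def merchant_record(vault: TokenVault, pan: str) -> dict:
    """Everything the merchant keeps after checkout: token and display string, no PAN."""
    result = vault.tokenize(pan)
    return {"customer_token": result["token"], "card_display": result["display"]}


def recover_pan_from_hash(pan_hash_hex: str, known_prefix: str, known_last4: str) -> str:
    """Why a hash is not a token (assumption: an 8-digit issuer prefix and the
    last four digits are known, as on a receipt). Only the middle four digits
    of a 16-digit PAN are then secret, so SHA-256(PAN) falls in <= 10,000 guesses."""
    for middle in range(10_000):
        guess = f"{known_prefix}{middle:04d}{known_last4}"
        if hashlib.sha256(guess.encode()).hexdigest() == pan_hash_hex:
            return guess
    return ""


if __name__ == "__main__":
    vault = TokenVault()
    card = "4111 1111 1111 1111"  # constructed test card number
    record = merchant_record(vault, card)
    print(record)  # no PAN anywhere in what the merchant stores
    print(vault.charge(record["customer_token"], 1999))
    print(recover_pan_from_hash(pan_hash("4111111111111111"), "41111111", "1111"))
```

The point of the brute-force function is the design lesson: a token must be random or otherwise unlinkable to the card, because anything deterministic that an attacker can recompute offline gives the merchant no real protection against a breach.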

Credit Card

Credit cards have been around for decades and, depending on what part of the world you live in, are a very well-established form of payment. They are almost universally accepted by online merchants. If you have a card from a major issuer, it likely comes with fraud protection, which makes identity theft a lot easier to deal with.

Pros – Credit cards are accepted by the vast majority of vendors online. If you already own a credit card, then you don’t have to worry about creating a new account with a web-based form of payment (like PayPal). Additionally, if your information is stolen, you can work with your credit company to cancel and replace your card. Credit cards can also provide certain reward benefits that can cut your shopping costs (if you don’t accumulate debt, of course).

Cons – There is no tokenization when you type a credit card number directly into a vendor’s checkout page: the vendor receives your full card number and has to protect it. You are putting very sensitive information out there, so it’s best to limit this payment method to companies you really trust to be secure.

Debit Card

Debit cards look and act like credit cards, but are generally attached to a bank account and are not based on credit. They are simply a plastic substitute for cash, which is useful for the pragmatic and spending conscious shopper.

Pros – The process of tracking your payments and finances is much easier with a debit card. Additionally, if you use a prepaid debit card, the amount of damage that can be done is limited, since prepaid cards are not tied to a bank account but to a fixed amount of cash, like a gift card.

Cons – If your debit card is stolen, it’s much harder to get your money back if the thief goes on a reckless spending spree. While this is being remedied by some institutions, using a form of payment that is directly tied to your bank account is unwise unless you are using a very reputable merchant.

What a legitimate (and safe) vendor looks like

Don’t be fooled by a pretty website

Just because a vendor has a nice website, that doesn’t mean the vendor is keeping your financial information safe from digital thieves. In fact, they might even be fraudulent themselves!

It’s incredibly easy to set up a good website nowadays. Services like Strikingly, Squarespace, and even WordPress let you set up an attractive website in under an hour with no coding knowledge whatsoever. Additionally, the growth of freelancing sites means that anyone can easily hire someone to create an attractive-looking page for them, even if it doesn’t actually have any of the proper safety features to support shopping online.

Phishing sites are also a big issue. A crook copies the public HTML, images, and styling of a real shop (everything your browser downloads is visible to anyone) and uses it to build an identical-looking site on a domain they control. So double-check the URL before sharing your information, to make sure you’re dealing with the legitimate vendor and not a copycat.


Clicking “view page source” is all a scam artist needs to do to create a phishing site.
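Since the copycat site can look pixel-identical, the only reliable tell is the address bar. The following added example (written for this page, not code from the original article or from any vendor) shows the checks a careful shopper performs by eye, as a function: it rejects plain http, a user-name trick such as `paypal.com@evil.example`, raw IP addresses, punycode (`xn--`) look-alike domains, digit-for-letter swaps like `paypa1.com`, and brand names buried in a subdomain. The vendor allow list is constructed for the example, and the “last two labels” rule for the registrable domain is a deliberate simplification (a real implementation should use the Public Suffix List so that suffixes like `co.uk` are handled).

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allow list: the shops this shopper actually intends to use.
KNOWN_VENDORS = {"paypal.com", "amazon.com", "emsisoft.com"}

# Characters that are easy to mistake for letters in an address bar.
_CONFUSABLE_DIGITS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})


def fold_confusables(label: str) -> str:
    """Map common look-alike characters onto the letters they imitate."""
    return label.translate(_CONFUSABLE_DIGITS).replace("rn", "m").replace("vv", "w")


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification for this example: a real
    implementation must consult the Public Suffix List (e.g. for co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def check_url(url: str) -> tuple:
    """Return ("ok", registrable domain) or ("suspicious", reason)."""
    parts = urlsplit(url)
    host = parts.hostname  # already lower-cased, userinfo and port stripped
    if not host:
        return ("suspicious", "no hostname in URL")
    if parts.scheme != "https":
        return ("suspicious", "not https; card details would travel in clear text")
    if parts.username is not None:
        # https://paypal.com@evil.example/ - everything before '@' is ignored by the browser
        return ("suspicious", f"userinfo '{parts.username}' hides the real host {host}")
    if _is_ip_literal(host):
        return ("suspicious", f"raw IP address {host} instead of a vendor domain")
    if any(label.startswith("xn--") for label in host.split(".")):
        return ("suspicious", "internationalised (punycode) label; possible homoglyph of a known brand")
    domain = registrable_domain(host)
    if domain in KNOWN_VENDORS:
        return ("ok", domain)
    folded = fold_confusables(domain)
    if folded in KNOWN_VENDORS:
        return ("suspicious", f"{domain} imitates {folded}")
    for vendor in KNOWN_VENDORS:
        if vendor in host:  # brand name present, but only as a subdomain
            return ("suspicious", f"{vendor} appears inside {host}, but the site is really {domain}")
    return ("suspicious", f"{domain} is not a known vendor")


if __name__ == "__main__":
    # Constructed sample URLs: one genuine checkout and several copycat patterns.
    for u in [
        "https://www.paypal.com/checkout",
        "https://paypa1.com/login",
        "https://paypal.com@evil.example/login",
        "http://www.paypal.com/",
        "https://paypal.com.account-verify.example/",
        "https://xn--pypal-4ve.com/",
        "https://192.0.2.10/paypal/",
    ]:
        print(u, "->", check_url(u))
```

The same checks are what you should do by eye: read the part of the address directly before the first single slash, from right to left, and make sure the registered domain is the vendor’s, not merely something that contains the vendor’s name.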

The truth: Online vendors want to get your money, and many of them don’t care to do it the right way because they want easy money fast.

The 6 signs of a secure vendor

A safe vendor will communicate to its customers on its website or through customer support how they keep personal information safe from harm’s way. Although there is no way to keep private information perfectly safe online, there are a few standards that a good vendor will adhere to.

1. Has a secure website

Unfortunately there are a lot of fake vendors out there just waiting for you to visit their website so that they can infect your computer with malware or steal your personal information. Don’t use an etailer just because they have the lowest price! Find a good phishing filter for your browser of choice, and avoid shopping at any sites that trigger a warning. Then immediately run your Emsisoft scanner to detect any malware that could have made its way onto your system!

2. Utilizes Secure Sockets Layer technology (SSL)


Look for the lock symbol.

SSL (today superseded by its successor TLS, although the old name has stuck) is another baseline requirement for secure online shopping. This technology establishes an encrypted connection between a website and your browser, so your card number can’t be read or altered in transit, and any vendor that collects your credit card information must have a valid certificate for its domain. This is very standard for online vendors, and the browser shows it as a little lock icon before the site URL. Be clear about what the lock does and does not tell you: it means the connection to the domain shown in the address bar is encrypted, not that the company behind that domain is honest. A phishing site can obtain a certificate for its own look-alike domain and display the very same lock, so always check the domain name next to it.

SSL alone will not protect you from all threats; you can read about infamous SSL/TLS vulnerabilities on our blog.

3. Never asks for more information than necessary

It’s true that vendors have to ask for very personal information in order to process and ship your order, but there is a limit to what they should require you to disclose. Never trust a merchant that asks for an employee ID number, social security number, bank account number (this may be safe with Amazon or PayPal, but you should hesitate to give this number directly to a vendor), salary or tax information, or anything that may identify your family or friends.

4. Subscribes to safety certifications

If you want to be extra secure when it comes to shopping online, it may be worth investing a little time in researching the standards your merchant has in place to handle your private information. You may find that many vendors outsource this part of their business to specialized payment processors.

For example, here at Emsisoft we don’t process our customers’ payment information ourselves. Instead this is handled by Cleverbridge, which is certified under Safe Harbor, the U.S.-EU privacy framework developed by the U.S. Department of Commerce for transferring European customers’ personal data to the United States.

Additionally, most secure vendors comply with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a standard put forth by the Payment Card Industry Security Standards Council, which was formed in 2006 by American Express, MasterCard, Discover Financial Services, JCB and Visa International.

The PCI DSS has 12 requirements for compliance, which include regular testing of security systems and processes, encrypting cardholder data when it is transmitted over open networks, and maintaining a firewall configuration, among other things. If you are unsure how a vendor stores data and keeps customer information safe, it’s best to send an email and ask whether they are PCI DSS compliant, or whether card entry is handled entirely by a payment processor so that card numbers never touch the vendor’s own systems.

While a certification does not mean that the vendor is completely safe with your information, it does mean that there are some standards and protocols in place to prevent a data breach, as well as to minimize damage in the event of one. Consider reading the privacy policy of your merchant of choice to get a sense of the type of systems they have in place.

5. Has trusted site seals

There are a number of trust seals that give a good indication of a vendor’s trustworthiness. Which one to look for depends on your location.

For example, in Europe, Trusted Shops awards certified shops a European trustmark to allow customers to shop online with confidence. Every shop that gets this trustmark has been screened thoroughly on a number of criteria, including buyer protection.

The TRUSTe seal is another commonly used seal for online stores that focuses on privacy protection. TRUSTe assesses, monitors, and certifies websites, mobile apps, cloud services, and advertising channels to allow companies “to safely collect and use customer data to power their business”. Additional site seals are the Better Business Bureau (US) and the “Norton Secured” badge. Because a seal is just an image that any site can copy, click it: a genuine seal links to a verification page on the issuer’s own site that names the specific vendor.

6. Has happy customers

Certifications are not the only way to know whether a vendor is trustworthy or not. Checking a merchant’s reputation is very easy online, and it can make a huge difference in maintaining your privacy.

Go to your search engine of choice and type in <vendor> review, or <vendor> experience. Make sure to read reviews from about a dozen different sites if possible, because review sites can be fraudulent as well! Sometimes fake reviews and sites are created to support scam vendors, so be wary if all reviews are unrealistically perfect. 

Online shopping safety checklist

Knowing that vendors are responsible for your privacy may have you feeling powerless and overwhelmed. But if you follow the list of safety guidelines below, you’ll greatly reduce your chances of financial fraud:

  • Keep your social media profiles private if possible, or limit personal information if you choose to keep them public. Credit card thieves will use the information on these sites to fill in the blanks and run up your limits!
  • Install appropriate phishing filters and trustworthy anti-malware software.
  • According to the Wall Street Journal, small vendors are more likely to experience a data breach. Sometimes big retailers may not have the product you need, so it’s important to be extra vigilant with your research of smaller etailers.
  • Spend some time researching before you make a purchase with a new vendor. What is their reputation on review sites? What certifications do they have? What forms of payment do they take?
  • Also check a new vendor’s contact details. Make sure that they are consistent with the address the company is registered with.
  • Never trust a vendor that asks you for your payment information via email. This is not a secure method, even if the vendor has the best of intentions. Additionally, don’t send money upfront if there is any doubt that the vendor may not deliver.
  • Use a cancellation-enabled payment method like PayPal or credit cards. NEVER send cash or check (or wire money upfront)!
  • Read the vendor’s return, shipping, and privacy policy. Be aware of how they store data, and what guarantees they make about their products as well as your information.
  • Avoid using the phone to process your payments if you can. Your information can be stolen this way, and some vendors don’t realize that they need to secure these lines just as rigorously as their online payment forms.
  • If you haven’t already, learn what your credit card provider’s policy is on unauthorized charges. The card you use for online shopping should have limited to no liability if your information is stolen.
  • Record all the details of your transaction with screencaps, receipt or order confirmation number, and the date. Awareness of your online purchases is critical to recognizing theft when it happens.
  • Check credit card accounts online regularly for unauthorized charges, however small. The window for reporting suspicious activity varies by card provider and by country, so report anything you don’t recognize as soon as you see it.

You can never completely protect your information online unless you avoid the web entirely! This is obviously an extreme measure and we don’t recommend it. Instead, we recommend making informed choices about what payment options you use online, what information you choose to share, and which merchants you do business with.

The online shopping landscape will continue to change, and the specific requirements and standards for a safe vendor will as well. But something that won’t change is that there will always be someone trying to get a hold of your money. So be vigilant and stay educated, and you’ll remain ahead of the curve.

Have a great, theft-free day!

  • John D Lord

    I use PayPal and the vendors should be pleased with a fee if they are an honourable trader, and PayPal customers are assured that their transaction is secure. For the guaranteed security received, maybe the customer should share the cost of the fee with the vendor, 50/50.

    • Glenn McGrew II

      Customers pay 100% of the fees. It’s called “markup”, i.e.: the cost of that security is built into the prices.

      • John D Lord

        No, there is not a ‘markup’; some of us in business know what it is. Do a comparison with a cash transaction vs PayPal, or just ASK a trader what percentage he pays.
        My problems have been solved promptly with PayPal, every word of every transaction information is recorded.

        Look at the rates paid as a trader:—-

        • Glenn McGrew II

          You have misunderstood. A large number of businesses add the cost of the transaction fees to their prices, which is what I mean by markup. Fees, shipping, insurance and most other types of overhead are calculated to arrive at a retail price. How they calculate the overhead may vary, however.

          If you are not passing the cost of those fees on to your customers, that is your own choice.

  • Glenn McGrew II

    Sadly, I have had less than sterling experiences with PayPal and I would tend not to recommend them. This is not in regards to safety but to customer service and compliance.

    A couple years ago, a friend sent me some money and I had a really terrible time getting my bank account linked to my PayPal account. First, they said that I’d only be able to do it with a bank account at certain banks they accept. PayPal then blamed the bank for the problem, but then the bank confirmed that the info I had given PayPal was correct; despite that, PayPal continued to say it was the bank’s fault. PayPal refused to cooperate. After 3 months of going back and forth, PayPal then tried to wash their hands of the problem by claiming that my problem was beyond their “time limit”. I immediately reminded them that this was so because they refused to cooperate. They kept dragging their heels and, in the end, it was only by threatening to make it a public issue that I was able to connect my account.

    Strangely, this year I was told by PayPal Customer Service that a PayPal rule had been put in place to deal with situations like mine so that people would still be able to withdraw their money from PayPal …and it was dated from before the problem I had. Why didn’t they immediately apply this rule to me? Why didn’t they even mention it? Why did they try to wash their hands of my problem? Perhaps it’s because I reside in Indonesia (but I’m a foreigner).

    Earlier this year, I wanted to set up a fundraiser to raise funds for the book I’m writing “Education Can Save the World”. Prior to starting it, however, I was advised by Indiegogo that PayPal has specific rules about fundraisers online (commonly called crowdfunding), so I contacted PayPal’s customer service. They referred me to their Compliance team, so I wrote asking what I had to do to comply with PayPal rules because I’d already read the rules they had posted online and there wasn’t enough info.

    Instead of responding, Compliance locked my account although I had made it clear that I was inquiring for a FUTURE campaign. Their system said I had to submit certain documents – some of which were impossible because I’m a foreigner (such as proof of address in the form of a utility bill, where here the utility bills are in the name of the house owner/my wife) – in order to get my account unlocked and approved. No email response to my questions was made until after I wrote to Customer Service and complained. I was given vague answers to some of my questions and attempts to get clarification were ignored or waltzed around. After sending the documents that I could and informing them why I couldn’t send the other documents, they finally unlocked my account and claimed that they’d given me a special exception! This trouble happened despite the fact that I did NOT have a campaign running and was just asking about the rules! They said to go ahead and set up my campaign and they would review it for compliance with their rules.

    Note: During this struggle, PayPal suddenly modified its fundraising rules, yet Compliance made no effort to inform me.

    After reviewing more than 150 websites to find a crowdfunding site that I could use and met my needs, I set up a fundraiser on GoGetFunding (GGF), only to discover that (1) my PayPal account is unverified and I cannot use my bank account to get it verified; (2) I would need a credit card (which I don’t have and I am not allowed to work in Indonesia due to red tape) OR a debit card to do so; (3) but there is only one bank that they’ll accept a debit card from in Indonesia, and I’m not a customer of that bank. I switched to RocketHub which, unlike GGF, has terrible customer service, but which doesn’t require a verified PayPal account to start a campaign. After I created my campaign (“project”), being careful to comply with what little I knew about PayPal’s rules, I contacted Compliance and asked for their approval. I also contacted CauseVox, and they also require a verified account. I had severe problems with customer service quality on most of the other ~10 sites that are usable from Indonesia (Pozible, Kapipal, Indiegogo, etc.), so I was not able to use them.

    PayPal Compliance rejected my campaign. The reasons they gave did not make sense, and from one email to the next their reasons changed. They didn’t explain the reasons and eventually completely ignored me. Even when I asked for the issue to be escalated to a supervisor, they refused to cooperate. The reasons they gave included:
    (1) They claimed that my gifts (“perks”) were mostly donations. I repeatedly asked them to clarify what they meant but never got an answer.
    (2) The value of my gifts (which PayPal requires) is less than the donation amount that earns them. “… the value of these perks doesn’t match the donation
    amount. It is obviously lower than the market price of a normal business.”. This, of course, is how fundraising works. You give a gift of a much lower value in return for a specific amount of money. They claimed I was doing something wrong despite their rules requiring it.
    (3) They claimed that they couldn’t help process the donations for my campaign, but failed to clarify why.
    (4) They claimed I was not raising money for a product when my book is clearly a product.

    It was clear that the people I was dealing with were not native English speakers, and it is possible that this was part of the problem.

    The final message I received claimed I’d been given an “exceptional approval”, but not what that approval was for. Since it was in a paragraph about the previous lock on my account, it seemed to be in regards to unlocking my account.

    They also claimed I would be able to change my account to Premier or Business to receive donations, but hadn’t ever responded to my questions about that (and their online help didn’t provide enough info), nor did they clarify how that would allow an unverified account to be used when crowdfunding sites require a verified account.

    Finally, they advised me that I would be able to take my funds out of my account after the campaign finished, but that if I started a new campaign, they would need to approve it.

    I never heard from them again, despite writing.

  • Cat Tilley

    I’ve been using PayPal since 2009, and what a relief it is NOT to have to do hardly anything other than click the PayPal symbol at checkout. Makes the transaction about 3-5 minutes faster & 98+% more secure. The merchant gets paid, and all they get is the customer’s shipping & email address, and phone number. That’s all they need, and that’s still plenty enough to flood one’s email box full of garbage unless we click the unsubscribe link.

    The other thing about PayPal is they’ve saved my backside on several occasions; half the time I didn’t even need to return the junk that was sent to me. If it’s a counterfeit item, it’s illegal to mail it anyway (for the vendor or the consumer), as a couple of these were when I was a young eBayer & didn’t know that vendors actually did business like this out in the open. The items were XP Pro media & COA that were designed to be installed on a certain brand of computer one time; the other was an outright counterfeit. Windows OS media doesn’t have a sticker on it; everything’s baked in with watermarks that change color.

    More recently, I purchased a ‘genuine’ keyboard for a Toshiba A665 notebook, only to find out it didn’t even work, nor would the screw holes line up if it had. After uploading photos to PayPal with my claim at 1AM (my time), my account was credited that morning by 10AM. Was told to throw the item away.

    See, these vendors don’t get paid the instant the PayPal transaction is completed, unless it’s a site of excellent reputation. eBay vendors have to wait from 1 to 4 weeks for payment, depending on feedback & volume, and all it takes is a handful out of a thousand to be knocked down a tier & have to wait longer again until trust is regained, often 12 months later. Though PayPal is fair to them also; they spot patterns of customers who are never pleased & will ignore those reviews. Some folks can never be pleased; I’m one who’ll accept human error, yet there’s a huge difference between human error & an outright deceitful listing.

    And let us not forget, in the midst of this, the importance of having top notch security installed. For some users, Emsisoft Anti-Malware is all that’s needed, as long as the router’s firewall is properly configured. A hardware-based firewall (one’s router, usually, for consumers) offers much better protection than a software-based one can provide. The simple things: disable remote administration and UPnP unless needed, set a good WPA2-PSK password, rename your router to anything except the factory default & change those passwords (which defeats thieves looking for that enabled remote administration password that’s a Google search away for nearly all brands).

    For those who want more firewall & less do-it-yourself on the router (though the latter is still good to do; many will do it for you for $50 or less), Emsisoft Internet Security is the way to go. I have it on all of my Windows installs with an i5 or higher CPU and 8GB or more of RAM. It’s more heavy duty, but really doesn’t strain the system.

    With either choice, one gets a free 30 day trial to see which fits the need, so without providing any payment information whatsoever, it’s the full featured product and nothing’s watered down.

    Go ahead, give Emsisoft a chance, am glad that I did in 2011.

    Stay safe & subscribe to the Emsisoft Blog for news that we all need to know.


  • Gina Ashton

    Talking about getting a blank ATM card, seek no further but contact [email protected] for credibility in service. The card I got from this company came with a stock cash of $50,000 and I have not had cause to complain about their services for the past 3 months of usage. I personally recommend [email protected] for optimum


  • jacob chiron

    It is really nice to provide such information and Tips.