1. Technical Field
The present disclosure relates generally to data security for electronic commerce, and more particularly, to limiting data exposure in authenticated multi-system transactions.
2. Related Art
All manner of transactions are conducted with computers connected to high-speed data transfer networks such as the Internet. In the broadest sense, a transaction involves a requestor initiating a request with a provider, with that provider responding to the requestor. More particularly in the commercial context, also referred to as e-commerce, there may be a customer who requests to purchase an item sold by a merchant, i.e., the merchant delivers the requested item in exchange for payment by the customer therefor. Such online shopping services have proved to be popular and profitable sales outlets, due in part to their convenience, ready availability of information for purchase decision-making, lower prices, and greater variety in the selection of available products. Besides the conventional transactions involving the sale of goods, transactions involving services, such as registering for overnight accommodations and other travel services, or for events such as athletic competitions, conventions, and the like, are also routinely handled online.
Generally, customers visit the sellers' websites using a computer having a connection to the Internet as well as a web browser application. The e-commerce sites have visual representations of the products and/or services being sold, along with descriptions therefor. After selecting the desired items and storing them in a “shopping cart,” the customer exchanges payment information with the merchant website. Some information pertaining to the particular customer, including name, address, telephone number, and e-mail address, may be stored by the e-commerce site in individual accounts, which may be accessed following a login procedure. Various electronic payment modalities are known in the art, including credit cards, debit cards, gift cards, postal money orders, and personal checks, as well as those involving third party processors such as PayPal®. Upon successfully rendering payment to the seller with these modalities, the merchant ships the ordered product(s) or performs the requested service(s).
The particular implementations of e-commerce sites vary according to the needs and budgetary restrictions of the business. The largest sites typically handle all aspects of a transaction, from account setup, inventory and other tracking systems, to payment. In the event registration site example, a single e-commerce site may provide the registration functions and the payment functions. Integrating all such functions is typically warranted when transaction volumes are large enough to justify the significant expenses of purchasing and maintaining the necessary information technology (IT) infrastructure, including secured servers, server-side encryption technologies, connections to credit card processing networks, and the like. However, for smaller e-commerce sites, these additional costs associated with internal payment processing may be prohibitively expensive, especially when transaction volumes are much lower. To the extent that personal account number (PAN) data such as bank account numbers, credit card numbers, expiration dates, and security codes from customers are handled, there must be systems and procedures in place for compliance with the Payment Card Industry (PCI) standards. Non-compliance can subject the merchant to fines, legal action, and exclusion from credit card processing networks.
To avoid difficulties associated with infrastructure setup and continual PCI compliance, such smaller e-commerce sites typically outsource payment processing to third parties. Aside from payment functions, different e-commerce services may necessitate that certain functions be handled by other systems and entities independent thereof. The receipt and processing of sensitive information, such as the aforementioned PAN data, are the functions that are typically delegated. However, one of the challenges associated with such e-commerce site implementations is the preference for presenting a unified interface and user experience notwithstanding the employment of third party services. Accordingly, a primary service site, to which the user logs in or authenticates and on which the user accesses information and functions particular thereto (which may involve less-sensitive information), may also be required to request the sensitive PAN data from the user for passing to the third party service site. This unfortunately requires the primary service site to adopt the same security policies as the third party service site, leaving the primary service site in a position not much more advantageous than if it had itself implemented the functionality otherwise provided by the third party service site.
There is thus a need for improved methods and systems for e-commerce site implementations, particularly those that limit data exposure in authenticated multi-system transactions.