Collecting personally identifiable information such as SSN, DOB, address, etc. from your customers and prospects online has its own set of challenges and considerations. The last thing you as a new or used car dealer need is to have one of your customers fall victim to identity theft from filling out your credit app. Not only do you have a moral obligation to protect this information, in many cases you also have legal obligations you must consider.
First, I would like to say that I am not advocating the abolition of online credit applications; as a matter of fact, I feel taking credit apps online will make selling cars faster and easier. Many dealers have a secure credit app on their website, or at least that is what they were “sold” by their website solutions provider. In reality, many of these services provide you with nothing more than a shared credit application that is not located within your website. The reasons for this are many. First of all, it is more expensive to have your own SSL site certificate, and if you are unfamiliar with the process it can be a real pain in the butt to set up on your webserver.
For example, if your website is StevenSellsUsedCars.com, many providers go the ‘cheap way’ and provide access to their secure app, which may be something like https://www.ISellWebsites.com/creditapp.php?dealer=steven. While this is technically a ‘secure app’ from the front-end (we will cover the back-end later), the perception to the customers is that they have left *your* site and gone somewhere else. This leaves the customer wondering “Why am I not at StevenSellsUsedCars.com anymore? Who is this ISellWebsites.com guy? Can I trust them? Did this website get hijacked? Is my information safe?” In a time when ID theft is the hot topic on all the local evening news stations, people are scared about giving out their personally identifiable information to sources they do not trust. This little bit of doubt you have placed in this prospective customer’s mind may have cost you a sale, because he went back to Google and found your competitor’s website that had a more secure application.
Now that we have covered the front-end, let’s look at how the data is stored and retrieved in the back-end. You would not believe the number of dealerships I have been to and had the dealer show me his email inbox. They are filled with credit apps emailed to them in non-encrypted ‘plain text’, ready to be stolen by a hacker or even just a casual bystander. Think about it for a moment; it doesn’t take being a highly skilled uber-hacker to understand the implications. If you are going to encrypt the data from the user when he fills out the application, shouldn’t you keep it encrypted throughout the entire process? Who in their right mind would think it is logical to send this information in plain text in an email? Sadly, most website solution providers on the market today do exactly this.
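To find out whether your own inbox has this problem, you can audit saved messages for credit-app fields that are readable without decryption. The script below is an added example, not code from any website provider; the SSN/DOB formats, function names and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default

# Assumed formats for two of the fields the article names (SSN, DOB).
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\b(?:DOB|Date of Birth)\s*[:=]\s*\d{1,2}/\d{1,2}/\d{4}\b", re.I),
}

def is_encrypted(msg):
    """True for a PGP/MIME or S/MIME encrypted envelope."""
    ctype = msg.get_content_type()
    if ctype == "multipart/encrypted":
        return True
    return ctype == "application/pkcs7-mime" and msg.get_param("smime-type") == "enveloped-data"

def audit_message(raw):
    """Return the kinds of PII readable in one raw email, sorted."""
    msg = message_from_string(raw, policy=default)
    if is_encrypted(msg):
        return []
    found = set()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        text = part.get_content()
        if "-----BEGIN PGP MESSAGE-----" in text:
            continue  # inline PGP armor, body is ciphertext
        # Record only the kind of data, never the value, so the audit
        # report does not become one more plain-text copy of it.
        found.update(kind for kind, rx in PII_PATTERNS.items() if rx.search(text))
    return sorted(found)

def audit_inbox(messages):
    """Map message name -> PII kinds, for messages that expose any."""
    report = {name: audit_message(raw) for name, raw in messages.items()}
    return {name: kinds for name, kinds in report.items() if kinds}

# Constructed sample messages (addresses and values are made up).
PLAIN_APP = ("From: leads@example.com\nTo: sales@example.com\n"
             "Subject: New credit application\nContent-Type: text/plain; charset=utf-8\n\n"
             "Name: Jane Sample\nSSN: 000-12-3456\nDOB: 01/02/1980\n")
PGP_APP = ("From: leads@example.com\nTo: sales@example.com\n"
           "Subject: New credit application\nContent-Type: text/plain; charset=utf-8\n\n"
           "-----BEGIN PGP MESSAGE-----\n\n(ciphertext placeholder)\n-----END PGP MESSAGE-----\n")

if __name__ == "__main__":
    print(audit_inbox({"plain.eml": PLAIN_APP, "pgp.eml": PGP_APP}))
```

Any message that shows up in the report is a credit app that crossed the mail system in readable form.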