How SecureBuy® Defends You Against Fraud
By: James Packer Esq.
In October 2000, Congress passed the federal Electronic Signatures in Global and National Commerce Act (“ESIGN”), making electronic signatures legally equivalent to written signatures.
The ESIGN Act includes provisions to:
- Protect the consumer with appropriate notifications and disclosures
- Ensure technological neutrality and universal access
- Ensure authentication and privacy
- Create legal certainty and protection to prevent fraud
- Allow easy document access and record retention
As per the law – “a signature, contract, or other record relating to such transaction may not be denied legal effect, validity, or enforceability solely because it is in electronic form.” Senator Spencer Abraham, R-Mich., a key backer of the bill stated, “This legislation will eliminate the single most significant vulnerability of electronic commerce, which is the fear that everything it revolves around could be rendered invalid solely by virtue of there being an electronic form.”
Prior to the ESIGN Act, in July 1999, the National Conference of Commissioners on Uniform State Laws approved and recommended for enactment in all the states the Uniform Electronic Transactions Act (UETA). The UETA was developed by the National Conference of Commissioners on Uniform State Laws to provide a legal framework for the use of electronic signatures and records in government or business transactions. UETA makes electronic records and signatures as legal as paper and manually signed signatures. Since its enactment, forty-seven states, the District of Columbia, Puerto Rico, and the Virgin Islands have adopted the UETA.
The Definition of an “Electronic Signature”
ESIGN and UETA define an “electronic signature” in substantially the same manner, and require three specific elements for a valid signature:
- an electronic sound, symbol or process,
- attached to or logically associated with a contract or other record, and
- executed or adopted by a person with the intent to sign the record.
In addition, the Visa International Operating Regulations state that a merchant using an electronic signature capture device must:
- Only store and reproduce a signature on a Transaction-specific basis in relation to the Transaction for which the signature was obtained
- Only reproduce a signature upon specific written request from the Acquirer or in response to a Retrieval Request
- Have proper controls in place to ensure the security of the stored signatures and other Cardholder data in accordance with the Payment Card Industry Data Security Standard (PCI DSS)
Based on the statutory elements, SecureBuy electronic signature technology constitutes an “electronic sound, symbol or process” under ESIGN and/or UETA. Furthermore, the SecureBuy process of electronically associating the signature with the record would comply with the second element of an electronic signature under ESIGN and UETA. As to the final element, the act of replicating one’s own signature using a mouse, finger or stylus on the SecureBuy Signature Pad would sufficiently meet the requirement to manifest one’s intent to sign the contract or record.
There is no requirement under the electronic signature laws that a signature must resemble or match a person’s manual signature or that the form of the signature using an electronic means must be similarly repeated in order to be valid. The importance of a valid electronic signature is the manifestation of one’s assent to a contract, not the form or appearance of such signature, as it would be in connection with a traditional, manual signing of documents.
Courts have enforced paper contracts in which a party has signed his or her full name, partial name, printed name, initials, “X”, or with a thumb print. In the area of online contracts, courts have consistently upheld “checkbox” contracts as meeting the signature requirements. See, e.g., Mortg. Plus, Inc. v. DocMagic, Inc., 2004 WL 2331918 (D. Kan. 2004); Hugger-Mugger L.L.C. v. Netsuite, Inc., 2005 WL 2206128 (D. Utah 2005), as well as use of an “S-signature”. In addition, credit card terminals used in retail stores to capture a signature are very similar to the SecureBuy Signature Pad. However, those signature images are often of low quality and do not always mirror a person’s manual signature, yet they are widely accepted as a valid signature.
The use of an E-signature satisfies the requirement of “genuineness” of the signatory’s intent to bind him or herself to the contract between the parties. Traditionally, eCommerce merchants have used and relied on a “check box” to verify and signify the consumer’s understanding and willingness to enter into a valid contractual agreement; however, a “check box” does nothing more than demonstrate the fact that a box was checked. As a result, a consumer may argue that he or she did not intend to check the box (“it was an accident”), whereas the deliberate act of signing one’s name cannot be reasonably challenged. This provides a necessary degree of security and assurance that the “signer” will be legally bound to the terms of the agreement or contract.
Check Box v. E-Signature
As compared to checkbox contracts and other electronic signature processes commonly encountered online today, the signature generated by SecureBuy Signature Pad provides greater evidence of a consumer’s intent to adopt a contract and is the closest process to a manual signature. Because a consumer must go through the process of actually signing his or her name in a manner similar to a manual signature, he or she will instinctively try to replicate his or her manual signature. In addition, because the consumer observes their signature being created in real-time on the screen and also has the option of clearing and re-signing if he or she does not like the signature initially produced, the consumer overtly validates the signature and the process invariably generates a unique voluntary signature, even though it may not be a carbon copy of his or her manual signature.
The SecureBuy technology complies with the federal Electronic Signatures in Global and National Commerce Act, codified at 15 USC 7001 et seq. (“ESIGN”) and the Uniform Electronic Transactions Act (“UETA”).
This provision is designed to protect the signer and conspicuously disclose information to the consumer so they can affirmatively consent to signing using an electronic signature – the notification must be disclosed so that it is timely, clear and conspicuous, and presented in a clear way that is easy to understand.
SecureBuy notifies the consumer that they will be required to sign using a real-time Internet cloud based signature pad that has been seamlessly integrated into the SSL secured shopping cart of the merchant.
The screenshots in Appendix A demonstrate the key notification points and real-time Internet cloud based signature pad that SecureBuy provides the consumer during the shopping cart check out process.
The ESIGN Act does not dictate the use of a particular technology for the transmission of electronic signatures; rather, the Act leaves those choices to the marketplace. However, this provision in the Act mandates that the consumer have access to a computer, to the Internet, and to the necessary software required to submit an E-signature.
Because SecureBuy uses a real-time Internet cloud-based Signature Pad that has been seamlessly integrated into the SSL-secured shopping cart of the merchant, consumers can sign using any Internet browser, or a mobile device via mouse, finger or stylus.
This ensures the consumer has multiple access points to sign, and can use the option with which they are most comfortable. This also ensures that the consumer is signing in a familiar and secure environment, and is not required to learn a new piece of software or hardware to submit an electronic signature. And because the consumer can observe the signature being created in real time on the screen, they have the option, after signing, of clearing and re-signing if they do not like the signature.
Authentication and Privacy
SecureBuy uses a real-time Internet cloud based Signature Pad that has been seamlessly integrated into the SSL secure shopping cart of the merchant as its method of obtaining the consumer’s E-signature. This ensures that the consumer has the highest level of security available when signing. In addition, after the consumer submits their signature, the signature is stored as a graphic image file and attached to a specific document file that acts as a “signed sales receipt” of the transaction. This electronic document is assigned its own unique transaction ID, which is embedded in the signature image in order to associate a specific electronic signature with a specific record or document. This record is then warehoused within the trusted PCI compliant SecureBuy network of secured servers in order to protect the identity of the consumer and to create a legal and clear chain of custody, which validates and authenticates the documentation for the merchant.
Legal Certainty and Fraud Protection
This provision is aimed at protecting both the merchant and the consumer. Merchants should be assured that they obtain consent in a manner sufficient to make the electronic signature transactions legally valid. Consumers should be protected from merchants changing the terms of the contract. Both parties have easy access to an electronic trail to confirm the transaction.
As stated above, and as a means to protect both the merchant and the consumer, SecureBuy provides ample notification to the consumer indicating that an electronic signature is required to complete the transaction and to enter into a legally binding sales contract. In addition, during the signature process, the Terms and Conditions can be reviewed by the consumer or signer, but cannot be altered, protecting both the consumer and the merchant from unauthorized changes (see Appendix B).
During the checkout process, to further protect the interests of both the consumer and the merchant, SecureBuy technology captures certain user identifying information (e.g., Internet address, timestamp of transaction, email address and unique transaction number) and actual client-side HTML (i.e., what the user actually had on their screen at the time of the signing, including the Terms and Conditions) which can be used to ascertain that a consumer did in fact sign and agree to the transaction. Once the consumer signs and submits the transaction for final processing, an electronic record, including the signature, is saved as a PDF file within the trusted PCI compliant SecureBuy network of secured servers in order to protect the identity of the consumer and to create a legal and clear chain of custody, which validates and authenticates the documentation for the merchant and consumer.
In addition, SecureBuy also provides a secure audit trail, tracking every step in the signature transaction such as the date and time when the signature was sent, the date and time when the secure PDF document was created, an exact copy of the Terms and Conditions that were offered and viewed at the time of the transaction, the date and time when the Terms and Conditions were last updated, the Device ID of the hardware used by the consumer during the transaction, the IP address of the consumer, the consumer’s City, the consumer’s Country, the consumer’s State, and the Latitude and Longitude of the consumer at the time of the transaction. This audit trail (see Appendix C) can be downloaded by the consumer at the completion of the transaction or, in the alternative, sent to the consumer after the transaction as a PDF file via email, ensuring that the consumer has a detailed history of the transaction.
This provision ensures that both the merchant and the consumer have easy access to the transactional record, which includes the E-signature.
After the transaction is complete, SecureBuy allows the consumer to download or receive via email a copy of the signed sales receipt from the transaction as a PDF attachment, see Appendix D. In addition, a copy of the transaction or signed sales receipt is stored within the trusted PCI compliant SecureBuy network of secured servers. Merchants can easily access the documentation after providing a login and password via the Account Login section of the SecureBuy corporate website.
American Law Reports ALR Federal 2d: Construction and Application of Electronic Signature in Global and National Commerce Act (E-Sign Act), 15 U.S.C.A. §§ 7001 to 7006;
Visa International Operating Regulations (April 10, 2011), at 455;
Mortg. Plus, Inc. v. DocMagic, Inc., 2004 WL 2331918 (D. Kan. 2004);
Hugger-Mugger L.L.C. v. Netsuite, Inc., 2005 WL 2206128 (D. Utah 2005);
James J. White and Robert S. Summers: Electronic Records and Signatures in Commerce (1 WS-UCC App. B) 2006 WL 4720300;
American Jurisprudence, Second Edition, Jack K. Levin, J.D.: Computers and the Internet;
Baylor Law Review, Fall 2001: E-Commerce and E-Law; Is Everything E-Okay? Analysis of the Electronic Signatures in Global and National Commerce Act;
Business Lawyer, November 2000: Electronic Records and Signatures under the Federal E-Sign Legislation and the UETA. 56 Buslaw 293;
New York University Law Review, May, 2002: Standard-Form Contracting in the Electronic Age. 77 New York University L. Rev. 429;
Notre Dame Law Review, June 2001: The E-Sign Act of 2000: The Triumph of Function over Form in American Contract Law. 76 Notre Dame L. Rev. 1183;
Amelia H. Boss. "The Uniform Electronic Transactions Act in a Global Environment" Idaho Law Review 37.2 (2001): 275-352;
United States Code Annotated, Section 7001, et seq. (October 1, 2000); and
House Conference Report No. 106-661, June 8, 2000: Electronic Signatures in Global and National Commerce Act (106th Congress).
 After accepting the signature, the electronic signature is stored as a graphic image file and attached to the specific document file. The electronic document is assigned its own unique transaction ID, which is embedded in the signature image in order to associate a specific electronic signature with a specific record or document. The SecureBuy technology captures certain user identifying information (e.g., Internet address, timestamp of transaction, email address and unique transaction number) and actual client-side HTML (i.e., what the consumer actually had on their screen at the time of signing) which can be used to ascertain that a consumer did in fact sign a document in question. Once a consumer signs an electronic record, the document, including the signature, is saved as a PDF file.