A customer inserts a security device (D) into the USB port of his computer (C). When a transaction request confirmation (1) is transmitted to a merchant server (M), the merchant server (M) instructs an account server (AS). The account server (AS) performs customer verification, and payment (either with a local account or remote financial institute server). The account server (AS) communicates directly (3, 5) with the customer computer (C) with an encryption mechanism utilising security data read from the security device (D) and a time stamp. A security key for the security device is updated after each transaction and an embedded hardware key is also used.