Fear Of Fraud

Stacey Pinkerd wants to clarify a few things about Internet credit-card fraud. First, it's rare that thieves snatch credit-card numbers during online transactions. Chances are, the numbers came from paper, thanks to a dishonest waitress or a receipt fished out of a garbage can, or perhaps they were randomly generated by a cybercrook's software program. And yes, fraud is far more likely to occur online than in a store, but it's still rare-1.14% of all transactions, according to IT advisory firm Gartner.

"I don't think consumers understand exactly how fraud is happening or the infrequency of fraud. Most consumers haven't been exposed to this," says Pinkerd, senior VP of E-commerce products at Visa U.S.A., which says that only 0.25% of all its online transactions are fraudulent. To top it off, customers are rarely stuck with the bill.

Despite all that, fear of cyberthieves remains the biggest drag on the growth of E-commerce. The major credit-card companies and banks, along with a few dozen E-retailers, are trying to address that by developing password-based systems to reduce fraud and quell consumers' fears. Yet the credit-card companies haven't come together to agree on a standard approach to security, and that could mean slower adoption of anti-fraud tools. And the card companies and banks that issue credit cards aren't offering the kind of direct financial incentives that could prompt merchants to adopt the programs more quickly.

The timing is critical. Until it's considered secure, E-retailing has no hope of moving from its current status as a nifty but niche sales channel, garnering about 1% of retail sales, into a genuine mass-market shopping avenue.

Pinkerd is evangelizing about the security of online shopping because he's heading Visa's latest anti-fraud initiative, called Verified by Visa, which the credit-card company is rolling out in a big-budget ad campaign with about two dozen E-retailers after two years in development. MasterCard International Inc. and Discover Financial Services Inc. also are deploying improved security programs for their cardholders and online retailers. Pinkerd estimates that as many as 60 million people in the United States have Web access but go online only for E-mail or research. Survey after survey points out that fear of having a credit-card number stolen is the No. 1 reason for online-shopping jitters.

Online merchants have an obvious stake in improving confidence in E-commerce: more sales, plus the chance to gather personal data directly from customers, making it easier to track who's buying what. The data helps merchants with everything from marketing to supply-chain management. The credit-card companies have a stake as well, because E-commerce helps them reach a valuable market. "The people online tend to be higher income and lower credit risk," says Jupiter Media Metrix analyst James Van Dyke.

However, credit-card companies and retailers face a problem-getting consumers excited about these new anti-fraud initiatives. Discover, MasterCard, and Visa already exempt customers from paying online fraud charges, going beyond the government-mandated $50 consumer-liability limit for fraudulent purchases. Yet for the new safeguards to succeed, consumers must sign up-which they have little incentive to do. If cardholders pay nothing for bogus charges, why should they care about fraud-prevention programs? So far, the credit-card companies haven't offered any new ideas to entice them.

Credit-card companies also need more retailers and banks to get on board. The programs' advocates face a chicken-and-egg problem: Online merchants won't bother until there's sufficient consumer interest; the banks that issue the cards will wait until merchants and customers sign up; and consumers won't see the benefit until their favorite sites comply. "That's why adoption is so tricky. You've got all these camps that have to try it," Van Dyke says.

Ashford.com, which in November became one of the first merchants to unveil Verified by Visa, moved quickly because its expensive merchandise-mostly diamonds, jewelry, and watches-makes it a likely target for fraud. "If thieves can talk us out of a $10,000 Omega watch, it's a big deal," deputy CIO Darrell Starnes says. During the past holiday season, when the Houston company did half its annual business, the average order was $500. Few of those orders were covered by Verified, because customers are slow to take up new features. Other fraud-protection procedures in place on the site-such as asking for billing and shipping addresses listed as approved addresses by the cardholder-caught about a dozen attempted thefts in a two-month period. But the site will continue to use Verified because it helps the customers who use it feel more comfortable shopping online, Starnes says. "This is another tool in our arsenal to reduce fraud."

Because all credit-card companies face the problem of fraud, it might seem logical for them to team up on a program to make life easier for the whole industry. "The card brands need to jointly design, launch, and promote these fraud-reducing technologies together," Jupiter's Van Dyke says. "Unless they do that, the worst case is the new technologies will never be adopted, and the best case is they'll be adopted slowly."

The problem is, the card companies already tried that, and it didn't work. In February 1996, MasterCard and Visa teamed to create a technical standard to safeguard E-commerce. The standard, based on encryption technology developed by RSA Security Inc. and known as Secure Electronic Transaction, used digital certificates to authenticate cardholders and merchants. The fatal flaw was that it required consumers to download a 4-Mbyte software file onto their PCs. Shoppers balked at the hassle, and the standard died. Visa has eliminated the need for consumer downloads in this generation of its software. Discover and MasterCard still require software downloads, though MasterCard says its program is now smaller and easier for consumers and merchants to use. "There's a balance between the underlying technology and the consumer experience, and the consumer experience has to be paramount," Pinkerd says. "Trying to explain digital certificates to a consumer is a hopeless cause."

When a Verified by Visa shopper clicks the "buy" button at a participating retailer's site, a software module on the site confirms the number is from a Visa card and sends a message to Visa's directory server to see whether the issuing bank participates in the program. If it does, the merchant then redirects the cardholder's browser to the issuing bank, which opens a window on the screen. It looks like a receipt, listing the merchant's name and order amount, and asks the shopper for a password, which the bank then validates.

For protection, passwords remain separate from the merchant's system. The way Visa designed the authorization is more complicated than a typical credit-card authorization. Orders are held in limbo for several seconds while consumers interact with their issuing banks. This worries an industry that already struggles with shoppers bailing out during the buying process-what retailers call abandoned shopping carts. "The No. 1 rule in online retail is when the user is in the shopping cart and getting ready to check out, you don't send them someplace else," Ashford's Starnes says. But he says the five to 10 seconds Verified adds to the checkout process isn't significant.

Under Verified by Visa, card-issuing banks must install their own authentication systems to register new Verified passwords for Visa cardholders. Or they can link Verified registration to their existing bank-authentication systems for online banking so members can use the same passwords. Most of the banks involved are working with third-party processors such as Arcot Systems, ClearCommerce, and CyberSource to build systems to support Verified by Visa.

Discover's Deskshop program, launched in November 2000 and now in its third version, never lets a card number travel over the Internet. Instead, it generates a number that will work for purchases at a single online retailer. The advantage is that merchants don't have to do anything to adopt the system, and because Discover issues its own cards, it avoids headaches with banks. Deskshop requires consumers to download a 460-Kbyte file. The system relies on a "wallet" on the consumer's PC that fills in online checkout forms and links to Discover's database of account information for authentication. The number is generated by software from Orbiscom Inc. Discover Financial Services is the fourth-largest credit-card issuer in the country, with 50 million cardholders.

MasterCard requires consumers to download a 100-Kbyte applet onto their PCs. Issuing banks can use MasterCard's secure-payment application or another technology, such as a chip or smart token, to fill in a hidden field in a merchant's checkout form. The applet opens a window with the issuer and asks for a user name and password. If the issuer's server validates these, it generates a 32-character account-holder authentication number and transmits it to the applet, which fills in the hidden field. That authentication number incorporates elements specific to the transaction and binds the account holder to a transaction with a particular merchant for a given sale amount. The rest of the transaction proceeds as usual, with merchant and customer passing along the authentication number.

Retailers and banks are taking a cautious approach to the programs, and cost is a big reason. "There don't seem to be large budgets to implement these standards. They're all taking a pilot-based approach," says George Burne, chief technology officer at software vendor Trintech Group plc, which will help an undisclosed European bank install MasterCard's system in the next couple of months. To get Verified by Visa up and running using outside consultants, merchants will spend $10,000 to $20,000 and take three weeks, plus any software-license fees a vendor would charge, Burne estimates. The cost for banks depends on the number of cardholders it has, but he estimates it would be $100,000 to $200,000 plus annual maintenance fees.

For retailers, the payback may be worth the cost. Credit-card issuers hit retailers with chargebacks of $10 to $25 for each fraudulent purchase, on top of the cost of eating the transaction itself. By verifying card numbers before purchases, retailers could reduce those charges significantly. Visa and MasterCard are associations, owned by banks that issue credit cards. A bank can spend as much as $50 in labor and administrative costs fielding one consumer's complaints and investigating a disputed charge, Visa's Pinkerd says, not including the potential loss in consumer online confidence.

Yet the credit-card companies have been slow to offer direct incentives to get merchants involved. In the thin-margin world of retail, saving money on each transaction could give a nice lift to the bottom line. If Visa told retailers it would cut processing fees to around 1.3%, merchants would jump, predicts Avivah Litan, VP and research director at Gartner. "If Visa had more confidence its system would be adopted and used, it should be able to lower its fees accordingly. It's obviously not confident yet," Litan says. Pinkerd counters that Visa's goal is to eliminate costs associated with fraud-for both the retailer and Visa.

Still, the odds are slim that merchant fees will fall anytime soon. "Credit-card companies are huge, amorphous groups, and getting them to lower fees for merchants is like getting the Titanic out of the path of a humongous iceberg," Litan says. "They'll be slow to make any significant changes." In fact, as early as next year, companies that process credit-card transactions could raise their rates for retailers selling goods more likely to be stolen for resale, or for those that do a poor job of preventing fraud and have a high chargeback rate, says Jeff King, director of risk-product management at security vendor CyberSource.

MasterCard, which has 256.2 million cards in the United States, this spring will try a different financial incentive for merchants to sign on to its program. Next month, MasterCard will debut its Secure Payment Application, the company's latest and most secure system. By November, merchants worldwide that support the system will no longer be liable for fraud, regardless of the issuer and cardholder. "There's a need to accelerate the liability shift to accelerate adoption of secure payments," says Bruce Rutherford, MasterCard's VP of E-business and emerging technologies. "We're anticipating significant demand from merchants without substantial payment infrastructure changes."

Visa could speed adoption simply by requiring issuing banks and retailers to join the program, but it has no plans to do so yet. "Our goal would be that this becomes the standard way cardholders shop online," Pinkerd says. By next month, enough of Visa's largest issuing banks will have registered for Verified by Visa to make more than half of its 340 million U.S. cards eligible for this service.

What concerns Trintech's Burne is Verified's potency, or lack of it. Protecting consumer passwords from merchants is a good idea, but it doesn't change the fact that shoppers still type in their credit-card numbers on a merchant's site. "When the merchant has the card number, the opportunity for fraud exists," he says. Once Visa scrapped the Secure Electronic Transaction effort with MasterCard and began work on new software that emphasized consumer friendliness, it lost some teeth to prevent fraud. "If you have no security at one end and SET at the other, Verified is closer to no security at all than something like SET," Burne says. "It's much, much weaker technically."

It becomes a balancing act. Retailers and credit-card companies need something tough enough to stop crooks, yet simple enough that online customers will use it. "We don't want to mess with the customer experience," Pinkerd says. "We didn't want to sacrifice convenience because of security." The problem is, unless consumers are confident that their transactions are safe, there won't be enough E-shoppers to make it an issue.

Illustration by Allen Crawford