Yahoo Stores features ‘automatic’ PCI compliance for secure payments, among other options.
The throw-away culture comes to card payments on the web. Single-use card numbers could be the answer to online fraud.
Fear can be a powerful motivator. It can make people keep the closet light on at night. It can keep people from flying in airplanes. And it can keep people from shopping online.
In spite of the great gains that online shopping has made in the past couple years-e-retailing volume in 2001 was 20% greater than in 2000 and double 1999’s volume-there is still a vast body of consumers who are afraid to shop online. In fact, the Washington D.C.-based National Consumers League reports that 43% of adults say their biggest worry about online shopping is that their credit card numbers will be stolen. Furthermore, 59% believe it is safer to pay with a check or money order online than with a credit card.
Few know that most credit card issuers offer zero liability for fraud charged to consumers’ cards online. “The perceived fear is real and it’s enough to keep the e-commerce market down,” says Susan Grant, vice president for public policy at the National Consumers League and director of the Internet Fraud Watch program, where consumers can report online fraud and get information. “It needs to be addressed.”
Three major card issuers, a credit card processor and a technology vendor believe they have devised a way to address those concerns: throw-away credit card numbers. Card issuers American Express Co., Discover Card Services and MBNA, transaction processor First Data Corp. and New York-based security vendor Orbiscom Inc. are promoting the use of unique, substitute card numbers to consumers.
So far, usage has been limited and some critics argue that the rise of such programs as Verified by Visa and MasterCard’s Secure Payment Application could make disposable card numbers obsolete before they even get widespread distribution. But proponents note that single-use card numbers are easier to implement than MasterCard and Visa identification verification programs and that consumers already have accepted them.
Merchants and transaction processors don’t have to do anything different to accept one-use card numbers. As far as the merchant is concerned, the consumer is using a credit card number like any other. The merchant passes the transaction to its processor the same way it does every other credit card transaction. “The retailer makes no investment and there is no re-wiring of internal infrastructure,” says Orbiscom Executive Vice President Tom Seltzer.
MasterCard, however, believes that its soon-to-be-mandated security products will require minimal system upgrades and can be used in conjunction with single-use card numbers. Furthermore, the association says its payment authentication system can expand merchants’ global reach as well as give them guaranteed payments.
As for consumers, proponents point out that disposable account numbers have made users so comfortable that shoppers who use them spend more online than shoppers who don’t. “Consumers are spending more with disposable card numbers-the average ticket size is going up in excess of 23% and they transact 1.3 to 1.6 times more frequently per month because they have confidence in the security,” Seltzer says. “The ROI from more transactions and higher card balances is the real opportunity for merchants and card issuers.”
Furthermore, the National Consumers League survey revealed 81% of consumers would use the single-use cards. “We even heard from consumers who already shopped online but who liked the idea of single-use card numbers because they were still nervous about their card numbers online,” Grant says.
Here’s how disposable numbers work:
Consumers download a software program from their card issuers onto their PCs. When the consumer is ready to check out from a merchant’s site, the program automatically activates and asks for a password from the consumer. After the consumer enters the password, the program links to the card-issuing bank which generates a single-use number that it sends back to the consumer. The consumer enters that number instead of the real credit card number in the merchant’s payment information field.
The transaction then proceeds as a normal credit card transaction: The merchant sends it to its bank, which sends the transaction to the issuing bank for approval. The issuing bank recognizes the surrogate number and compares it against the actual account before sending back an OK. The card number remains active typically for less than 30 days, long enough to allow for returns.
The bottom line for security is that the real card number never goes online-only the passwords and disposable numbers pass through the Internet. The whole process adds only about 400 milliseconds to the online transactions, which is hardly noticeable-if at all-to the consumer, analysts say.
Exposure to 1,400 issuers
Orbiscom charges card issuers a licensing fee based on varying factors, including card volume, the number of card accounts and volume of transactions processed. While it won’t reveal how much issuers pay, Orbiscom says the system pays itself back in reduced fraud losses and increased spending, which generates higher interchange revenue for the issuer and possibly higher interest-generating balances. Interchange is a percentage of each transaction that a merchant’s bank pays the card-issuing bank for accepting the risk and floating the loan. While American Express and Discover don’t have interchange, because they are both the issuing bank and merchant bank on each transaction, the appeal to them with single-use cards is the potential for reduced fraud.
So far, the biggest issuers using Orbiscom’s technology are Discover and MBNA, which both use Orbiscom’s Controlled Payment Number technology. Orbiscom expects to announce this spring that another large U.S. credit card issuer will use the technology. American Express uses single-use card technology that it developed in-house.
Orbiscom also signed a partnership deal last August with First Data Resources, a major transaction processor, to market the service to First Data’s 1,400 card issuing clients, starting in the second quarter of this year. “Our partnership with Orbiscom makes it more economical for card issuers to have access to this technology because we are an integrated core authorization engine,” says Henry Tsuei, senior vice president of ventures and emerging technologies.