Fear can be a powerful motivator. It can make people keep the closet light on at night. It can keep people from flying in airplanes. And it can keep people from shopping online.
In spite of the great gains that online shopping has made in the past couple years—e-retailing volume in 2001 was 20% greater than in 2000 and double 1999’s volume—there is still a vast body of consumers who are afraid to shop online. In fact, the Washington D.C.-based National Consumers League reports that 43% of adults say their biggest worry about online shopping is that their credit card numbers will be stolen. Furthermore, 59% believe it is safer to pay with a check or money order online than with a credit card.
Few know that most credit card issuers offer zero liability for fraud charged to consumers’ cards online. “The perceived fear is real and it’s enough to keep the e-commerce market down,” says Susan Grant, vice president for public policy at the National Consumers League and director of the Internet Fraud Watch program, where consumers can report online fraud and get information. “It needs to be addressed.”
Three major card issuers, a credit card processor and a technology vendor believe they have devised a way to address those concerns: throw-away credit card numbers. Card issuers American Express Co., Discover Card Services and MBNA, transaction processor First Data Corp. and New York-based security vendor Orbiscom Inc. are promoting the use of unique, substitute card numbers to consumers.
So far, usage has been limited and some critics argue that the rise of such programs as Verified by Visa and MasterCard’s Secure Payment Application could make disposable card numbers obsolete before they even get widespread distribution. But proponents note that single-use card numbers are easier to implement than MasterCard and Visa identification verification programs and that consumers already have accepted them.
More Spending
Merchants and transaction processors don’t have to do anything different to accept one-use card numbers. As far as the merchant is concerned, the consumer is using a credit card number like any other. The merchant passes the transaction to its processor the same way it does every other credit card transaction. “The retailer makes no investment and there is no re-wiring of internal infrastructure,” says Orbiscom Executive Vice President Tom Seltzer.
MasterCard, however, believes that its soon-to-be-mandated security products will require minimal system upgrades and can be used in conjunction with single-use card numbers. Furthermore, the association says its payment authentication system can expand merchants’ global reach as well as give them guaranteed payments.
As for consumers, proponents point out that disposable account numbers have made users so comfortable that shoppers who use them spend more online than shoppers who don’t. “Consumers are spending more with disposable card numbers—the average ticket size is going up in excess of 23% and they transact 1.3 to 1.6 times more frequently per month because they have confidence in the security,” Seltzer says. “The ROI from more transactions and higher card balances is the real opportunity for merchants and card issuers.”
Furthermore, the National Consumers League survey revealed 81% of consumers would use the single-use cards. “We even heard from consumers who already shopped online but who liked the idea of single-use card numbers because they were still nervous about their card numbers online,” Grant says.
400 milliseconds
Here’s how disposable numbers work:
Consumers download a software program from their card issuers onto their PCs. When the consumer is ready to check out from a merchant’s site, the program automatically activates and asks for a password from the consumer. After the consumer enters the password, the program links to the card-issuing bank which generates a single-use number that it sends back to the consumer. The consumer enters that number instead of the real credit card number in the merchant’s payment information field.
The transaction then proceeds as a normal credit card transaction: The merchant sends it to its bank, which sends the transaction to the issuing bank for approval. The issuing bank recognizes the surrogate number and compares it against the actual account before sending back an OK. The card number remains active typically for less than 30 days, long enough to allow for returns.
The bottom line for security is that the real card number never goes online—only the passwords and disposable numbers pass through the Internet. The whole process adds only about 400 milliseconds to the online transactions, which is hardly noticeable—if at all—to the consumer, analysts say.
Exposure to 1,400 issuers
Orbiscom charges card issuers a licensing fee based on varying factors, including card volume, the number of card accounts and volume of transactions processed. While it won’t reveal how much issuers pay, Orbiscom says the system pays itself back in reduced fraud losses and increased spending, which generates higher interchange revenue for the issuer and possibly higher interest-generating balances. Interchange is a percentage of each transaction that a merchant’s bank pays the card-issuing bank for accepting the risk and floating the loan. While American Express and Discover don’t have interchange, because they are both the issuing bank and merchant bank on each transaction, the appeal to them with single-use cards is the potential for reduced fraud.
So far, the biggest issuers using Orbiscom’s technology are Discover and MBNA, which both use Orbiscom’s Controlled Payment Number technology. Orbiscom expects to announce this spring that another large U.S. credit card issuer will use the technology. American Express uses single-use card technology that it developed in-house.
Orbiscom also signed a partnership deal last August with First Data Resources, a major transaction processor, to market the service to First Data’s 1,400 card issuing clients, starting in the second quarter of this year. “Our partnership with Orbiscom makes it more economical for card issuers to have access to this technology because we are an integrated core authorization engine,” says Henry Tsuei, senior vice president of ventures and emerging technologies.
First Data is collaborating with Orbiscom on marketing materials and is inviting First Data’s card-issuing customers to forums where they can test the technology. Tsuei says the product is entering acceptance testing in the second quarter and should be available to clients by mid-year, when the company plans to step up advertising and additional sales and marketing efforts.
In February 2000, Discover Card Services became the first card issuer to employ disposable card technology. The company uses Orbiscom’s technology, which Discover calls the Single Use Card Number product, as part of its online DeskShop program. Discover recently implemented its third version of the product, which the company says cardholders are accepting in record numbers.
“Usage of Deskshop is up substantially since we introduced the new version,” says Colleen Zambole, vice president of e-commerce at Discover. The company reports that in the first three months of the 3.0 launch (November, December and January), transaction volume for the product increased 522% compared to version 2.0’s first three months a year ago. “The average ticket is higher so people feel secure enough to spend more. People don’t worry about security and then decide not to complete their online transaction,” she says. Discover and Orbiscom co-market the card using e-mail promotions and sweepstakes for consumers who download the software, says Zambole
Formidable competition
New York-based American Express Co. also offers single-use card technology with its proprietary Private Payments product, which it launched in fall 2000. One of the first card companies to develop a disposable card number security option, AmEx requires cardholders to go through its web site to access the Private Payments product before shopping online.
In spite of the backing of such important credit card organizations as American Express, Discover, MBNA and First Data, single-use card numbers face significant barriers to widespread market acceptance. For one thing, they seem to compete with MasterCard’s and Visa’s identification-verification systems in providing issuers and consumers with an online security method. The card associations have the added benefit of being able to mandate acceptance in the form of adjustments to fees and interchange revenue for members who use the verification services. “Programs from Visa and MasterCard are likely to supersede disposable card number options mainly because merchants and issuers will be forced to comply with the new security systems,” says Ken Kerr, a research analyst at The Gartner Group Inc., Stamford, Conn.
Programs like Verified by Visa and MasterCard’s Secure Payment Application are more complex systems aimed at authenticating the actual cardholder. They operate by asking for a registered password during a transaction. The card-issuing bank authorizes the password before approving the transaction. MasterCard and Visa claim that having the issuing banks take responsibility for the customer’s transaction mitigates the risk of chargebacks for merchants. On the other hand, single-use card numbers are aimed at encouraging security-conscious consumers to shop online by masking their card numbers online. While the goal of Visa and MasterCard is to spread liability among all the parties involved in online transactions, the goal of single use cards is to make consumers more comfortable with using cards online so they can get more online shoppers or get shoppers to buy online more frequently.
Different investments
Another big difference is the level of investment. The Visa and MasterCard programs will require everyone in the online transaction process to comply with a system upgrade to support the program. That means banks have to market it to consumers, consumers have to sign up, banks have to add information fields in their authorization connection, the processors have to send more information back and forth and the merchants must install software to accept such transactions.
MasterCard and Visa have traditionally considered it their jurisdiction to dictate how banks must upgrade systems to improve transaction security and both associations are setting deadlines for compliance within the next two years. But several banks and retailers already have voiced objections to adopting the card associations’ systems without proof that they will mitigate fraud, observers say.
With single-use card numbers, only the issuing bank and consumer have to do anything and in both cases, it’s the decision of each party whether to utilize it. Furthermore, it is not onerous to install for either party. Vendors say it takes only a few minutes to download the software necessary for banks to issue the numbers. And consumers, who already have shown that they want to use a security measure to shop online, must download a small applet onto their desktops.
MasterCard’s Secure Payment Application program, which will be mandated as part of routine system upgrades in April, should not be onerous to system users either, the association says. “Merchants simply need to implement hidden fields on the web site to collect authentication data from the issuer security solution, and once collected as part of the order submission process, the merchant passes this authentication data to their acquirer as part of the authorization request message,” says Bruce Rutherford, vice president of e-business and emerging technologies. MasterCard is also partnering with leading technology vendors and payment service providers to enable their infrastructures to simplify merchant implementations and enable their gateways to MasterCard acquirers.
On the issuing side, MasterCard is working with vendors to help bank members and merchants add the Secure Payment Application to their existing infrastructures. Pricing will vary depending on which vendor technology solution is selected and if the issuer has already deployed a client-based solution, in which case the Secure Payment Application would just need to be integrated. “SPA leverages existing issuer security programs, minimizing integration and deployment costs for merchants, acquirers and issuers,” says Rutherford.
MasterCard and Visa, though, need to back up their programs with incentives for merchants to implement them, says Avivah Litan, vice president and research director of Gartner Inc.`s GartnerG2 research group. Although the associations are planning reduced fees, she says merchants will continue to pay higher fees for Internet payments: 2.5% on average for the web vs. 1.5% in stores. " Consumers are interested in using these new security systems, which can significantly reduce online fraud," she says. "The credit card companies should back up their belief in these systems by lowering fees for all merchants who support them."
In spite of the early endorsement by such major card issuers as MBNA and Discover—and the undisclosed issuer that Orbiscom was preparing to announce this spring—the future of single-use card technology for online payment is far from certain. “The success of this kind of product,” says Michael Cottrell, senior vice president in the products group, alliance partners and strategy with Phoenix-based transaction processor Vital Processing Services, “has to do with marketing and the readiness and willingness of issuing banks to understand and endorse the program.” l
