For consumers and retailers alike, ensuring the security of online payments
is key to the future of online retailing.
To look at the e-spending numbers, one wouldn’t believe that some consumers
don’t shop online because they are afraid of their credit card numbers being
ripped off. E-retail sales were up 29% last year over the year before, reaching
$52 billion.
But, depending on whose numbers you’re reading, upwards of 40% of consumers
don’t shop online as much as they otherwise would because of the fear that their
credit card numbers will be compromised. The fear is so strong, in fact, that
Forrester Research Inc.’s online shopping survey reports that 41% of consumers
who are online but have not bought online believe their credit card numbers
could be stolen in transmission from their computer to the retail site. Even
30% of online buyers believe that. “Fraud and privacy concerns have dampened
e-commerce growth,” says Christopher M. Kelley, retail analyst with Forrester.
“There’s a real need to educate consumers about the myths and realities.”
Fraud on the Internet is undoubtedly higher than fraud in stores, although
reports of how high vary. From its own experience, Certegy Inc.’s Check Services
Group reports that consumer-not-present fraud occurs at 3 times the rate of
card-present fraud. First National Merchant Solutions, a division of First National
Bank of Omaha, says it’s 1.5 to 2 times higher, although it believes its experience
is below average due to the fraud-prevention checks it has built into its system.
Friendly fraud
The explanation for the higher rate online may be as simple as the fact that,
compared to offline purchases, a disproportionate share of online buying takes
place at computer and consumer electronic retail sites. “Fraudsters won’t purchase
products online that they can’t easily resell, which is why they target electronic
gadgets,” says Robert Renzulli, vice president of product development at Omaha-based
First National Merchant Solutions, a division of the 100-year-old First National
Bank of Omaha. About 30% of First National’s processing business is in the card-not-present
environment. Other products that pose a high risk of fraud include software
and digital content. “In the case of e-retailers, high risk is often associated
with the nature of the merchant’s product offering,” Renzulli says.
But another, possibly more important phenomenon is at work as well: so-called
friendly fraud is easier to commit online than in a store, and that may be tempting
otherwise honest people into trying their hands at larceny. “There’s a higher
fraud rate on Internet transactions not because criminals realize they can hack
into insecure e-commerce sites, but because consumers can buy merchandise on
the Internet with a credit card, keep it and then say to their card-issuing
banks that they want their money back,” says David Kerlin, president and CEO
of Portland, Ore.-based 9-year-old e-check processor AmeriNet Inc., which offers
the Debit-It e-check product to online retailers and call centers. “And because
the card hasn’t been swipe-read, they get their money back.”
But while fraud clearly exists, the widespread perception of Internet transactions
as being somehow less secure to the consumer than store-based transactions is
false, analysts say. “Fraud on the Internet is primarily an issue of perception,”
Kerlin says. “We as an industry have done a bad job of getting our story out
to the media, which have been focused on this whole issue of hackers creating
an identity theft problem on the Internet. The reality is the very opposite—an
Internet transaction is the most secure of payment transactions. You need to
be a very sophisticated hacker to drill into a secure site and download credit
card information. Any thief will tell you that there are 50 easier
ways to get card information in a brick-and-mortar environment than through
the web.”
Still, the perception exists among a significant minority of consumers that
the Internet represents a fraud and security risk. In Forrester’s survey, 32%
of online consumers who do not buy on the Internet fear that their card numbers
could be stolen from a retailer’s database. Among web buyers, that figure falls
only slightly, to 28%. Similarly, 34% of non-buyers fear that their identities
could be stolen over the Internet, with that proportion slipping only to 27%
among buyers. Conversely, a mere 16% of buyers believe that using a credit card
over the Internet is safer than using it in a store and only 4% of non-buyers
believe that.
An educational issue
An informal poll by Tony Abruzzio, executive vice president and general manager
of GO Software Inc., which targets small to mid-sized merchants with a payments
processing program that runs on PCs, confirms that grabbing card numbers from
the Internet is difficult. “Recently, I spoke to an audience of about 100 people
who were attending a fraud prevention symposium in Miami,” Abruzzio recounts.
“I asked them to raise their hand if they have ever had a credit card fraud
perpetrated against them or any of their family or any of their friends. No
one raised their hand. Sure, credit card fraud on the Internet is a problem,
but it has been overstated. It is not a huge and growing issue.”
Part of the answer to consumers’ fears about the integrity of their card numbers
is overcoming consumers’ ignorance about how web-based payment transactions
work. “It’s a big educational issue,” says John Shirey, corporate manager of
product development for Dallas-based Paymentech L.P., a payments processor whose
customers include such well-known online retailers as Amazon.com, Art.com, PCConnection
and PCWarehouse. “Everyone talks of the Internet as a public network so people
think it’s not secure. The average online shopper doesn’t understand SSL and
HTTPS. They are mysteries to many consumers.”
One way to achieve that education is by constant forceful reminders. Forrester’s
research found that donations that many retailers accepted after Sept. 11, 2001,
went a long way toward recruiting new online shoppers and Kelley believes that
was due in part to the sites’ constantly reinforcing that the transaction was
safe. Forrester reports that 82% of consumers who had never bought online but
went online to make a donation became online buyers as a result of their experience.
“Those sites displayed links throughout that said things like ‘Why your payment
is secure,’” Kelley says. “It’s that sort of thing right in the purchase process
that people need. Unfortunately, those messages are missing from most sites.”
Such messages are the first step in an education process that many others
believe is crucial to the continued success of online retailing. “The real problem
with credit card fraud on the Internet is not from the losses resulting from
the fraud itself—it’s the potential sales that e-retailers lose because they’ve
allowed the perception to fester that consumers are risking fraud on the Internet,”
says AmeriNet’s Kerlin. “I don’t know of any effort to remind customers that
they don’t have any risk when they use their cards for payment on the Internet.”
Fewer eyes looking
The truth is that most Internet transactions are more secure than store transactions,
simply because fewer eyes see an online transaction than see a store transaction.
“If you give someone a check in the store, not only does the clerk see it but
the bookkeeper might see it, the processors at all the banks along the way will
see it, and it’s carrying all kinds of identity information like Social Security
number, driver’s license number, bank account number, bank number,” says Jerry
Mossbacher, senior vice president of TeleCheck, a division of First Data Corp.,
which sells e-check services. “A check transaction online is much safer and
more secure.”
Overcoming consumers’ misperceptions is difficult, though, partly because
the issue does not always yield to rational arguments. “There is an emotional
factor here,” Renzulli says. “Even though you know the card will be replaced
and you have no financial risk whatever if your card account is stolen, people
still feel violated. They feel something has been taken from them.”
The other side of the fraud question rests with retailers. While consumers
may be perceiving fraud as greater than it is, merchants are indeed experiencing
fraud—and paying for it. Whether outright fraud or friendly fraud, issuing banks
almost always charge a disputed credit card transaction back to the merchant,
who then must prove that the cardholder actually bought and received the merchandise.
For web-based transactions, that’s usually not an easy task. In store-based
retailing, the merchant can retrieve the receipt with the customer’s signature
and as long as the signature is valid, the customer is held responsible. But
no such record exists for online transactions, and so merchants and payments
processors have focused on catching fraud before it happens.
Those efforts at preventing fraud take a number of forms, both proprietary
to individual processors and common to the market, such as Verified by Visa
or MasterCard’s SecureCode. The proprietary solutions range from authorizing
transactions against massive databases of customer behavior and payment history
to scoring transactions by merchant, customer, time of day and other criteria
to systems that capture the card verification values on signature panels on
the backs of cards.
The proprietary solutions generally favor a passive approach to authorization—neither
merchant nor consumer need do anything out of the ordinary to effect payment.
“Merchants want to reduce friction as much as possible during checkout,” says
Mossbacher of TeleCheck. “Consumers prefer their online shopping experience
to mirror what they do face-to-face in a store.”
TeleCheck, which started life as a check authorization service for store retailers,
relies in part on its database of 547 million records to combat fraud. It has
built that database over 40 years from 306,000 subscriber locations. When a
customer checks out at a TeleCheck merchant site, TeleCheck grabs whatever consumer
data it can from the checkout process, such as customer name, address, ship-to
address, and uses that to create an authorization request. It runs the data
against such elements in its database as known fraudulent accounts, names of
banks that criminals use to set up bogus accounts, check-writing histories as
well as such less exotic data as name, address and account number. “We treat
it just as we would an authorization request from the point of sale,” Mossbacher
says.
TeleCheck also offers consumers an option to register with a password so that
when they shop at TeleCheck merchant sites again they will feel secure about
how their data is being used. But retailers’ focus on making their sites—especially
checkout—easy to use has doomed similar previous offerings, some of which asked
customers to answer certain questions in order for the processor to authorize
a transaction. Some consumers didn’t know the answers to questions that the
processor generated from its own database (what is the name of your mortgage
company? how much is your monthly payment? etc.). Others balked at having to
complete another step to checkout.
The consumer library
And merchants often didn’t like the process. “There’s been a movement away from that kind of security,”
says Jan Whitfield, vice president of consumer-not-present payment solutions
at Alpharetta, Ga.-based Certegy, which started as Telecredit Inc. in 1961,
was acquired by Equifax Inc. in 1990 and spun off from Equifax in July 2001.
It serves 329,000 retail customers and provides e-check services to such major
online and direct-to-consumer retailers as Sears Parts Direct, Gateway Inc.
and Dell Computer Corp. Certegy previously offered a service called PayNet that
required consumers to register, then authorized transactions by asking them
a series of qualifying questions. “Merchants weren’t sure how customers would
react to the questioning,” Whitfield says. “Certain merchants have always been
reluctant to ask for sensitive information.”
Certegy now authorizes transactions against what it calls a Consumer Library,
a series of databases that contain such information as personal identifiers,
shopping patterns, drivers licenses and account information associated with
particular names and other information. Certegy runs transactions against the
various databases depending on merchants’ needs. The merchant weighs the benefits
of each level of more detail against the cost of obtaining the higher authorization
and the merchant’s own risk of fraud.
Certegy’s database consists of 200 million consumer records, including information
about individuals’ check-writing histories. “We provide a high level of security
without going to the extreme of collecting something like a Social Security
number,” Whitfield says.
While processors like TeleCheck and Certegy offer proprietary authorization
solutions, others offer them on an outsourced basis, usually as part of a package.
Paymentech, for instance, introduced its En Garde suite of products in the middle
of last year. It offers address verification, authorization through iShopSecure
Inc. and Experian, capture of card verification values, fraud scoring through
a partnership with Fair, Isaac & Co. Inc., and others. “It’s an easier deployment
for the merchant to come through us than to go to fraud services companies directly,”
Shirey says. “We can handle all the activities related to a transaction and
return one simplified response.”
Artificial intelligence
Similarly, AmeriNet uses outside databases, including Certegy’s. And GO Software,
which has marketed to stores since 1991 and e-retailers since 2000, prefers
to leave the security functions to others. “We’ve taken the position that rules-based
verification is so customized to the merchant that it does not belong in the
payments processing piece of the transaction,” says GO Software’s Abruzzio,
who notes that GO was an early adopter of card verification values in its payments
processing software. “There are a lot of third-party vendors who have that capability
and the very big e-retailers have developed their own in-house rules-based systems.
Our core competency is payments. Rules-based verification is an auxiliary function
of the payments process that other people in the market can do very well.”
In addition to authorizing against databases, some processors have sought
to apply intelligence to their authorization decisions. For instance, First
National has purchased pre-authorization rules-based security technology from
Clear Commerce Corp. and brought the product in house as part of the PayFuse
product. Called Fraud Shield, this layer of security allows merchants to customize
rules-based transaction screening to fit each one’s type of business, financial
requirements and credit policies. It was fully implemented last May, and 420
merchants have converted to it, including 90% of new merchant business First
National has signed in the last year. First National is working on converting
the balance of existing merchants.
“Bringing the rules-based technology in house allowed us to gain full control
of the transaction,” Renzulli says. “It allows us to know where the transaction
stands at any point, and it gives us full reporting of what happened to the
transaction from the point of entry to depositing of funds in the bank. Having
this in-house capability is a major point of distinction between us and our
competitors. And the big difference is that we can offer our merchants a more
tailored security solution, rather than having to offer a one-size-fits-all
service.” First National is also implementing a fraud analyzer, also developed by Clear
Commerce, that employs neural network technology that scores a transaction for
risk based on a computer analysis of more than 20 million chargeback transactions
in the cardholder-not-present environment.
Notwithstanding merchants’ reluctance to place another step in customers’
checkout paths or the availability of sophisticated, passive authorization systems,
MasterCard and Visa are promoting verification processes by which customers
identify themselves with a password at checkout. The bank card associations’
pitch to merchants is that they will relieve merchants of all liability for
fraudulent transactions that are completed by customers using MasterCard SecureCode
and Verified by Visa systems, as these programs are known.
A defining moment
The systems work like this: Visa and MasterCard issuing banks that sign up
to participate in Verified by Visa and MasterCard SecureCode allow their cardholders
to choose passwords to use at checkout. Meanwhile, merchant banks sign up merchants
to install code to prompt cardholders to input their passwords. On transactions
where a customer enters the password and the bank approves the transaction,
the merchant incurs no fraud liability.
The program is new enough that merchants aren’t reporting a lot of use or
the effect usage has had on their fraud liability. Opinion is mixed as to whether
merchants and consumers will go for the program. On the one hand, some merchants
and merchant transaction acquirers are attracted to the protection provision.
On the other hand, merchants fear that adding a step to checkout will hinder
sales.
Shirey of Paymentech characterizes as “a defining moment in payment history”
a rule change by Visa coming in April. Under that new rule, a merchant will
incur no liability if he attempts to obtain authorization on a Verified by Visa
transaction but is unable to do so due to the issuing bank’s failure to respond
due to technical reasons, such as a system or network being down. For Visa to
require the issuer to take the liability is a radical change in how the bank
card associations have done business. “That’s a huge shift,” Shirey says. At
the same time, though, he notes, it may not be enough to entice merchants to
embrace Verified by Visa. “In our discussions with merchants, adding another
step is a very real issue,” he says. “They don’t want anyone interfering with
the shopping experience.” As a result, he adds: “Merchants to date have not
knocked on our doors in droves over this.”
Part of the low demand is the result of little marketing thus far, some processors
say. While Visa has promoted Verified by Visa to top-tier retailers and has
undertaken a consumer ad campaign, the program has registered very little so
far, says Abruzzio of GO Software. “It hasn’t penetrated anything beyond the
top-tier e-merchants,” he says. “A lot of second- and third-tier merchants haven’t
even heard about it, and there has been no data to show its economic benefit.
It’s so new you haven’t seen much yet from Visa on how it’s working in the market.”
While credit card rules that favor consumers necessarily require more technology
to protect merchants against friendly fraud, processors of electronic checks
note that they offer a payment option that protects merchants and does not require
additional steps. “The e-check is less vulnerable to consumer fraud because
the consumer has to go down to his bank and sign an oath in front of a bank
officer that he did not perform the transaction,” Kerlin says. “Criminals do
not go down to banks, sign affidavits and take oaths.”
Checks as a preference
E-check guarantees are not automatic, however. Merchants can choose the level
of guarantee and authorization they want to pay for with checks. Each has a
different need and each must weigh the costs and benefits. “Every merchant has
a different need and level of capability,” says Shirey of Paymentech. “In a
high-value order with anything suspicious about it, the merchant will want full
authentication and i.d. verification,” he says. With Paymentech, merchants can
choose the service they want by transaction, setting certain parameters that
trigger a higher level of authorization.
While checks still constitute only a small minority of online transactions,
web merchants have been receptive to the notion of accepting checks, processors
say. “We point out to merchants that there is a large group of people who prefer
to pay by check and will continue to do so,” says Certegy’s Whitfield. In fact,
an estimated 37% of the adult population of the U.S. do not have credit cards
and online shoppers probably mirror that level, researchers say. Certegy also
encourages online merchants to look at the total cost of accepting credit cards,
including not only the discount fees, but also chargebacks and the internal
costs of reviewing chargeback data. “We tell them: ‘Understand what you’re paying
for credit card transactions and understand the people you are not reaching
if you’re not accepting checks,’” Whitfield says.
Whether processors are authorizing checks or credit cards, the goal is the
same: reducing online payment fraud to a level equal to offline. “That’s the
golden vision and definitely what we’re trying to do,” says Renzulli of First
National. “It’s going to mean a huge benefit for online merchants: more advertising
of the web, more upselling and a lot more web shopping.”
CCH places its bets on the future of online sales tax
As it evolves, online retailing is becoming more like real-world retailing.
Retailers are trying to make the shopping experience—from finding products,
to cross-selling to checking out—more like the store experience.
That is even likely to extend to one area where there has been huge disagreement
about whether the web should reflect store-based retailing—the collection of
sales tax.
Taxation has been a hot topic almost since the commercialization of the Internet.
One camp is adamantly opposed to any kind of taxation—even sales tax—because,
they contend, taxation will kill a still-developing technology. Another camp
is equally strong that Internet commerce should be taxed like other commerce,
especially, they argue, since the web is not just creating new transactions
but is diverting transactions from other channels.
CCH Inc., provider of tax information, is betting on the future of sales tax.
Last year, it acquired esalestax.com and is offering its automated tax calculation
product integrated into a retailer’s payment process. When a checkout transaction
occurs, the retailer’s server contacts the CCH server, which then calculates
the sales tax, based on ship-to address, and sends the amount back to the retailer.
Every time the customer updates the shopping cart, the retailer’s server contacts
the CCH server for an update. Round trip on a tax calculation takes about 0.6
seconds. All data is moved under SSL encryption. “We have very elaborate security,”
says Mike Blandino, CCH’s chief technology officer.
CCH’s acquisition is clearly a bet that sales tax will become part of doing
business on the Internet. To that end, it has submitted esalestax.com’s system
to the Streamlined Sales Tax Project as a solution to how to sort out the tax
demands of 7,500 jurisdictions. The Streamlined Sales Tax Project is a coalition
of 30 states and the District of Columbia that is working, as its name implies,
to simplify taxes for online sales. With CCH’s software available to instantly
calculate sales tax from all jurisdictions, CCH believes the role of the Streamlined
Sales Tax Project should be to simplify the definitions of products rather than
simplify the taxes. “What is really needed is universal product definitions,”
Blandino says. “We need universally accepted policies and practices.”
In addition to calculating the sales tax applicable on each transaction, CCH
also automatically records all sales tax collected for each jurisdiction, provides
the forms for filing and facilitates payment of tax through the ACH. It also
maintains all the detail data so retailers can drill into the data to understand
what they owe, why and to whom.