Choke Point: Preventing Credit Card Fraud

In the struggle to prevent fraudsters from turning stolen credit cards into cash online, retailers are the country's last, best defense

By Sarah D. Scalet

Page 7

Still, that's not happening on any great scale right now. Why not?

Widespread adoption would have to start with the merchants. Banks are in no hurry to speed adoption, since it increases their liability. Consumers, who have zero-liability protection against credit card fraud, have little incentive to sign up for the program. But retailers, who do have incentive, just aren't signing up.

Michael Yakel, a Visa vice president who runs the Verified by Visa program, tries to put a happy face on the numbers, noting that the program has seen a 150 percent increase from a year ago. But only about 10 percent of e-commerce volume comes from merchants that support it, and a much smaller percentage of that volume is being authenticated with the program.

"I wish it were more," Yakel says, "but we're working on it."

Incentive Issues

When asked, merchants blame the slow speed of adoption on a somewhat rocky start. Primarily, there were concerns about how the technology worked. But now that some of those concerns have been addressed, merchants raise another. In transferring the liability for online transactions, they also must transfer control over part of the checkout process. Fearful of losing sales, they simply don't want to sign up until they know consumers are on board. At ShopNBC, Radtke says the ROI just isn't there yet because "we don't see enough customers using it."

Ironically, the point at which enough retailers such as ShopNBC see the ROI of the program may be the point at which it stops having one. The 10-foot-fence principle is certainly at work: There have been reports of fraudsters trying to register stolen credit cards, phish the extra passwords or steal them via Trojans illicitly installed on customers' computers.

The problem is that although Verified by Visa and MasterCard SecureCode are improvements, they are still single-factor authenticationâ¬information the customer types in that is matched against a database somewhere. And that information, Brown points out, has a shelf life. "By the time the industry totally adopted it, the phishing attacks would make it not effective anymore," she says glumly.

The underlying issue may be that to a surprising degree, people still feel safe making purchases online. Online shopping is a victim of its own success. "The card associations have done a brilliant job convincing consumers that the cards are safe and that they have no liability," Pelegero says. So until the merchants feel either more pain from fraud chargebacksâ¬or more benefit from transferring liabilityâ¬it seems inevitable that they'll continue to pick away at the problem, trying to eliminate fraud where they can and write it off where they have to.