In Depth
Choke Point: Preventing Credit Card Fraud
In the struggle to prevent fraudsters from turning stolen credit cards into cash online, retailers are the country's last, best defense
By Sarah D. Scalet
February 01, 2006 — CSO —
After a customer loads up an online shopping cart, after he hands over a credit card number and a shipping address, after he hits the "buy" button—after all that, there is a moment of truth that has profound implications for the U.S. economy. That is the moment when the retailer decides whether or not to ship the order.
Just because the bank approves a credit card doesn't mean it's not stolen. Millions of compromised credit cards are in circulation, and many won't be replaced until they are known to have been misused. With law enforcement overwhelmed by the problem, e-commerce merchants—not the credit card associations, not the banks—are often the ones left holding the empty bag. Therefore, they must make a snap judgment about each order and suffer the consequences.
This is the choke point. Choose wrong, and the retailer loses either a legitimate sale or the merchandise and the transaction fee. "You stick your neck out every time you ship something out without [getting] an imprint and signature," says Joe Williams, CSO of the high-end retailer Sharper Image, which had $250 million of revenue in card-not-present transactions (comprising Internet, telephone and mail orders) in 2004.
Choose well, and the retailer has saved itself money and played a vital role in the fight against crime. Credit card fraud, as one vendor puts it, "is how criminals go to the bank." Says Ted Crooks, VP of global fraud solutions for Fair Isaac, a decision-management consultant and software vendor, "The most serious fraud is the place criminals surface in the legitimate economy. Fraud is the best"—meaning the least nefarious—"thing they do every day."
According to a survey by CyberSource, an antifraud service provider, companies lose about 1.6 percent of online revenue to fraud. To keep that number down, retailers are turning to an increasingly sophisticated and automated set of fraud-prevention controls. "During the first few years of the e-commerce boom, many merchants were willing just to get the sale at the expense of increased fraud," says René Pelegero, former director of global payments for Amazon.com turned consultant. "Over the last two or three years, the tide has begun to turn."
But there is another sea change that e-commerce merchants would like to happen, and that is in the risk-sharing system with credit card issuers. Merchants fervently want not only to prevent fraud but also to transfer some of the liability onto the credit card associations and banks, as brick-and-mortar retailers have done. The credit card industry says it is addressing those concerns with programs like Verified by Visa and MasterCard's SecureCode, but adoption by retailers has been slow. (The Payment Card Industry Data Security Standard, an issue that has received attention lately, is a different program intended to make merchants improve their security by using standardized background checks, data encryption and other methods.)



