Choke Point: Preventing Credit Card Fraud

In the struggle to prevent fraudsters from turning stolen credit cards into cash online, retailers are the country's last, best defense


The ongoing challenge for retailers, whether they build or buy, is managing the tools. This means tweaking the rules. Continually. "That is an art," Brown says, "because if you set [the bar] too high you're reviewing too many orders and losing good customers and losing good money. If you set it too low, the fraudsters will figure out where your thresholds are set and try to attack you in a different way."

The Liability Game

CompUSA has plenty of antifraud protections churning along, both homegrown and purchased. These include AVS, order screening, and an internally developed order and ranking system. The company also uses IP geolocation, which is part of a contract with CyberSource. But the privately held big-box electronics retailer took the bait on new services being offered separately by Visa (about three years ago) and MasterCard (about one year ago) that aim to make e-commerce a less risky proposition for everyone.

The programs are known, individually, as Verified by Visa and MasterCard SecureCode. The idea is that a cardholder signs up for the card-protection service with her credit card company, picking an extra password to authenticate herself online. Then, whenever she completes a transaction with an online merchant that has also signed up for the service, a third-party authenticator asks for the password, ideally as a seamless part of the checkout process.

"If you don't know the password, you can't use the card," says Steve Javery, CompUSA's director of e-commerce, development and integration.

The way it works is through a software package called 3D Secure, which hooks into the merchant's order processing and does the confirmation for both programs. Javery is a pretty good, if unofficial, spokesman for Visa. He says the implementation cost was low. "It took just one developer less than a couple weeks to get this up and running and tested and deployed," he says, noting that the system paid for itself in "a short time frame" and did not increase the number of shoppers who abandoned their shopping carts.

The payoff, beyond lower fraud rates, is exactly what merchants have been clamoring for for years. According to Visa, retailers who sign up for Verified by Visa get a 5 percent to 10 percent reduction in the rate they pay to process all Visa transactions that involve a consumer credit card or debit card. (MasterCard declined requests for an interview.) What's more, if the customer enters the Verified by Visa password, the liability for that transaction shifts to the bank that issued the card if it turns out to be fraudulent.

Right after the holidays, MasterCard announced similar incentives; merchants who support SecureCode will be eligible for rates that the company describes as "comparable to those for face-to-face transactions," or up to 16 percent lower than previous rates.

Avivah Litan, vice president and research director at Gartner, has been watching the situation for years, and she is heartened by the card associations' taking on more risk. "Before, it was every online retailer on their own when it came to online commerce fraud control, and they were all duplicating their efforts," Litan says. "It was extremely decentralized and extremely inefficient. But places like Citibank and Bank One have spent hundreds of millions of dollars protecting against fraud over the past years, and they've gotten really good at it. You're just shifting the liability around, but if you can shift it to someone who can fight it effectively, we're much better off."

Still, that's not happening on any great scale right now. Why not?

Widespread adoption would have to start with the merchants. Banks are in no hurry to speed adoption, since it increases their liability. Consumers, who have zero-liability protection against credit card fraud, have little incentive to sign up for the program. But retailers, who do have incentive, just aren't signing up.

Michael Yakel, a Visa vice president who runs the Verified by Visa program, tries to put a happy face on the numbers, noting that the program has seen a 150 percent increase from a year ago. But only about 10 percent of e-commerce volume comes from merchants that support it, and a much smaller percentage of that volume is being authenticated with the program.

"I wish it were more," Yakel says, "but we're working on it."

Incentive Issues

When asked, merchants blame the slow speed of adoption on a somewhat rocky start. Primarily, there were concerns about how the technology worked. But now that some of those concerns have been addressed, merchants raise another. In transferring the liability for online transactions, they also must transfer control over part of the checkout process. Fearful of losing sales, they simply don't want to sign up until they know consumers are on board. At ShopNBC, Radtke says the ROI just isn't there yet because "we don't see enough customers using it."

Ironically, the point at which enough retailers such as ShopNBC see the ROI of the program may be the point at which it stops having one. The 10-foot-fence principle is certainly at work: There have been reports of fraudsters trying to register stolen credit cards, phish the extra passwords or steal them via Trojans illicitly installed on customers' computers.

The problem is that although Verified by Visa and MasterCard SecureCode are improvements, they are still single-factor authentication: information the customer types in that is matched against a database somewhere. And that information, Brown points out, has a shelf life. "By the time the industry totally adopted it, the phishing attacks would make it not effective anymore," she says glumly.

The underlying issue may be that to a surprising degree, people still feel safe making purchases online. Online shopping is a victim of its own success. "The card associations have done a brilliant job convincing consumers that the cards are safe and that they have no liability," Pelegero says. So until the merchants feel either more pain from fraud chargebacks, or more benefit from transferring liability, it seems inevitable that they'll continue to pick away at the problem, trying to eliminate fraud where they can and write it off where they have to.

After all, there's just one thing that's worse for online retailers than arriving at that moment of truth, that moment after a customer loads up an online shopping cart, after he hands over a credit card number and shipping address, after he hits the "buy" button and the merchant has to decide whether or not to ship the order.

It's not arriving at that moment at all.

Copyright © 2006 IDG Communications, Inc.
