“During the first few years of the e-commerce boom, many merchants were willing just to get the sale at the expense of increased fraud,” says RenĂ© Pelegero, former director of global payments for Amazon.com turned consultant. “Over the last two or three years, the tide has begun to turn.”
Merchants fervently want not only to prevent fraud but also to transfer some of the liability onto the credit card associations and banks, as brick-and-mortar retailers have done. The credit card industry says it is addressing those concerns with programs like Verified by Visa and MasterCard’s SecureCode, but adoption by retailers has been slow. All the while, online credit card fraud continues its inexorable rise, with the CyberSource study pinning 2005 losses at $2.8 billion, 8 percent more than the year before.
If a cardholder reported that a charge was fraudulent, the bank issued what’s known as a “chargeback”—essentially, the bank took back the money and gave it to the cardholder. If the merchant then submitted the cardholder’s signature, the merchant didn’t have to pay the chargeback. If merchants didn’t follow the rules or racked up too many chargebacks, the card associations could ban them from accepting credit cards. They can’t get a regular signature, and they are leery of introducing anything into the checkout process that slows down the transaction. This means that merchants who do business online are being forced to invest in antifraud defenses—both technological and human—like they’ve never had to before.
The billing address is used for the address verification service (AVS), which allows a merchant to find out whether the billing address provided by the customer matches the one in the bank’s records. Although the method isn’t perfect, 75 percent of online retailers use it, making it the most widely used tool, according to the CyberSource study. For physical confirmation, retailers often ask for the card verification number (CVN, sometimes called CID or CVV).
Tracy Brown, cochairwoman of the Merchant Risk Council, a trade group founded to help retailers control fraud, says that CVN was an attempt to move online credit card transactions from single-factor to dual-factor authentication. CardCops’ Clements says that now when he sees thieves advertising stolen credit cards with “full information,” it means the information includes not only the cardholder name, billing address, credit card number and expiration date, but also the CVN.
As with most retailers that have sophisticated antifraud systems, the processes at ShopNBC are largely automated. Each order goes through a complicated, proprietary decision tree. At any point, the order can be released as good, pushed along for an additional check, or flagged as suspicious and sent to a team of 20 investigators. The way it works is through a software package called 3D Secure, which hooks into the merchant’s order processing and does the confirmation for both programs. Javery is a pretty good, if unofficial, spokesman for Visa. He says the implementation cost was low. “It took just one developer less than a couple weeks to get this up and running and tested and deployed,” he says, noting that the system paid for itself in “a short time frame” and did not increase the number of shoppers who abandoned their shopping carts.
The payoff—beyond lower fraud rates—is exactly what merchants have been clamoring for for years. According to Visa, retailers who sign up for Verified by Visa get a 5 percent to 10 percent reduction in the rate they pay to process all Visa transactions that involve a consumer credit card or debit card. What’s more, if the customer enters the Verified by Visa password, the liability for that transaction shifts to the bank that issued the card if it turns out to be fraudulent.
Right after the holidays, MasterCard announced similar incentives; merchants who support SecureCode will be eligible for rates that the company describes as “comparable to those for face-to-face transactions,” or up to 16 percent lower than previous rates.
Avivah Litan, vice president and research director at Gartner, has been watching the situation for years, and she is heartened by the card associations’ taking on more risk. “Before, it was every online retailer on their own when it came to online commerce fraud control, and they were all duplicating their efforts,” Litan says. “It was extremely decentralized and extremely inefficient.
But places like Citibank and Bank One have spent hundreds of millions of dollars protecting against fraud over the past years, and they’ve gotten really good at it. You’re just shifting the liability around, but if you can shift it to someone who can fight it effectively, we’re much better off.”
Still, that’s not happening on any great scale right now. Widespread adoption would have to start with the merchants. Banks are in no hurry to speed adoption, since it increases their liability. Consumers, who have zero-liability protection against credit card fraud, have little incentive to sign up for the program. Michael Yakel, a Visa vice president who runs the Verified by Visa program, tries to put a happy face on the numbers, noting that the program has seen a 150 percent increase from a year ago.
Ironically, the point at which enough retailers such as ShopNBC see the ROI of the program may be the point at which it stops having one. “The card associations have done a brilliant job convincing consumers that the cards are safe and that they have no liability,” Pelegero says. So until the merchants feel either more pain from fraud chargebacks—or more benefit from transferring liability—it seems inevitable that they’ll continue to pick away at the problem, trying to eliminate fraud where they can and write it off where they have to.
After all, there’s just one thing that’s worse for online retailers than arriving at that moment of truth, that moment after a customer loads up an online shopping cart, after he hands over a credit card number and shipping address, after he hits the “buy” button and the merchant has to decide whether or not to ship the order.
http://www.csoonline.com/read/020106/choke_point.html