Security Key When Choosing Credit Cards for Online Shopping

‘Tis the season to read about e-tailers’ dreams of record-breaking profits during the holiday shopping frenzy.

Meanwhile, amid anxious promotions and analyst promises, there are plenty of credit card companies with their own holiday hopes. Remember, merchants pay tiny transaction fees that add up to big bucks for MasterCard, Visa and other credit card firms.

Much like consumers, then, merchants have the power to choose which credit cards they will favor — and which they won’t. In the days of abundant credit card fraud that is costing merchants millions of dollars, cautious e-tailers are looking for card issuers that offer the latest in security.

Indeed, where there are online opportunities, it seems there are online predators seeking to steal identities, cheat merchants, and otherwise profit from illegal scams in the midst of the hectic holiday season.

Fraudsters will steal more than US$2.8 billion from e-commerce in 2005, an 8 percent increase over the year before, according to CyberSource’s annual fraud survey.

International e-commerce continues to be a far greater risk, with order rejection and fraud rates about three times higher than the overall rate. And CyberSource figures chargeback rates may understate actual fraud rates by as much as 50 percent.

“Merchants used to be able to just throw people at this problem,” said Doug Schwegman, director of market and customer intelligence for CyberSource. “But there’s an inherent limitation to that solution. The bad guys have put the larger merchants in a challenging situation.”

Setting Security Standards

This challenging situation is leading merchants to choose card issuers that are employing the latest trends in ID security. The Payment Card Industry Data Security Standard, or PCI, is spurring many of the latest innovations. But it’s also putting the onus back on the merchant.

PCI — the unified security standard developed by major card associations — requires online merchants to implement appropriate safeguards and security procedures designed to protect the card issuer, the cardholder and the merchant alike. These include installing and maintaining a firewall configuration to protect data and not using vendor-supplied defaults for system passwords, for starters.

Merchants also must protect stored data, encrypt transmission of cardholder information across public networks, use and regularly update anti-virus software, restrict access to sensitive data on a need-to-know basis, and execute a myriad of other mandates.

David Grant, director of product marketing for Watchfire, an enterprise software and service provider focusing on online privacy, security and quality, told the E-Commerce Times the 12 PCI components are important to the success of what promises to be the busiest e-commerce season ever.

“Consumers are absolutely starting to be more cautious because of all the security breaches we’ve seen this year,” Grant said. “As retailers try to drive more customers to the online channel as the channel of preference, they need to concentrate on meeting these standards to reduce the security risks.”

Pushing Payer Authentication

According to CyberSource’s annual fraud survey, mid- to large-sized merchants employ twice as many tools as smaller firms, on average. Larger merchants are also twice as likely to install automated decisioning systems.

Merchants have adopted two basic tools: Address Verification Systems (used by 75 percent of merchants) and Card Verification Numbers (used by 66 percent of merchants).

The Address Verification System is a check built into the payment authorization request that compares the address on file with the card issuer to the billing address provided by the cardholder.

The Card Verification Number technique is a check of additional digits printed on the back of the card. Over half the merchants in CyberSource’s survey said they were currently using or intended to implement MasterCard’s SecureCode or Visa’s Verified by Visa payer authentication systems before year-end 2006.

Vic Dolcourt, senior product manager for risk products at CyberSource Corporation, told the E-Commerce Times that merchants initially feared such authentications would slow down the payment process and turn off customers.

“More and more merchants are using these authentications now,” Dolcourt said. “That’s because they see the value in asking the cardholder to do something to identify himself or herself better as fraud rates continue to increase.”

Indeed, after several years of flat or declining fraud loss rates, mid-to-large merchants reported a reversal of that trend in 2005.

For mid-sized merchants selling $5-$25 million online, average fraud losses increased from 1.5 percent of revenue in 2004 to 1.8 percent in 2005. Large online merchants selling over $25 million reported a slight increase from 1.1 percent to 1.2 percent of revenue, according to CyberSource.

Passing the Mark

Newer technologies from companies like Passmark Security offer two-factor, two-way authentication without requiring end-users to install new software. Web sites can deploy Passmark’s patent-pending online authentication system as part of a layered approach to security, say experts.

Matt Ornce, COO of EPX, a payment processing company that works with Visa, MasterCard, Discover and American Express, told the E-Commerce Times this two-factor authentication trend started in the United Kingdom and is beginning to make its way to the U.S.

“There is a move by banks to use a token device or some other piece of authentication to identify their consumers on the Web,” Ornce said. “It’s two-factor authentication that uses a picture that would be recognized by the person who set up the account. If you don’t see the picture, you know the site is not legitimate.”

CyberSource’s Dolcourt said these programs make online shoppers feel safer and protect merchants from fraudsters. But the bottom line is that they impact the bottom line. In other words, it is costing merchants to implement these technologies.

“About half the cost of fraud technologies is paid to manual reviewers to look at the transactions, but reviewers can get confused and may not be able to spot fraud. Or a good transaction might look like a bad transaction,” Dolcourt said. “What merchants need today is greater efficiency, greater intelligence, and technology breakthroughs.”