After a slow start the online credit card verification scheme set
up to save UK retailers millions of pounds a year lost to online
fraud is finally beginning to grab their attention. Daniel Thomas
investigates why retailers have been slow to take up the
technology
When credit card giant Visa launched an online payment
authentication service in April it appeared to be an ideal way for
online retailers to protect themselves against card-not-present
fraud, which cost UK retailers £95m last year.
"Sign up to the Verified by Visa service and you will no longer be
liable for the majority of disputed online payments," e-retailers
were told. The password-based service, Visa claimed, could save UK
retailers up to £55m a year by reducing the number of e-commerce
disputes by 80%.
Despite these promises progress has been slow. More than six months
after the scheme's launch, only four UK-based online retailers -
all owned by the same company - have signed up.
However, there may finally be some movement on the retailer front.
In the week that HSBC became the third acquiring bank to sign up to
Verified by Visa, the credit card company said a number of major UK
retailers are due to join the programme in the next month.
"Our effort so far has been with the acquirers such as Barclaycard
and Royal Bank of Scotland, which cover 80% of all Visa's
e-commerce volume," said Sandra Alzetta, senior vice-president at
Virtual Visa.
"Phase two is to target all the key retailers and payment
processing companies such as WorldPay. There will be some
significant retailer announcements in November."
Visa has been criticised by some industry figures for the slow
progress of its initiative, but Alzetta insisted it is fully
committed to the fight against online fraud. "Visa has been
pioneering safe shopping online," she said. "We have changed all
our business rules by moving the liability away from the retailer
to the issuing bank."
Alzetta also moved to dispel fears that online retailers will have
to adapt their systems to ensure consumers can use both Verified by
Visa and Securecode, a similar service from rival credit card firm
MasterCard.
"We have reached an agreement by which an acquiring bank which
issues both cards can implement both systems," she said. "This
means retailers will be able to use the same message format when
authenticating users."
James Roper, chief executive of online trade body the Interactive
Media in Retail Group (IMRG), who has been heavily critical of Visa
and MasterCard, welcomed the news that retailers were beginning to
sign up to the initiatives.
"It looks like MasterCard and Visa's programmes are finally
becoming a reality," he said. "They will help to close off
repudiation [where the consumer denies any knowledge of a
fraudulent purchase]."
Preventing repudiation is one step but it is not enough in itself,
Roper said. This is why the IMRG is this month launching an
industry-wide anti-fraud database, which will allow participants to
check customer orders against a list of known rogue consumers.
"Repudiation has to be allied with a resource that deals with the
names of those involved," Roper said.
So far, 10 IMRG members, including Argos, Blockbuster, Carphone
Warehouse and Ocado, have given their backing to the "warm card"
file service, which will be accessible via a secure Web
browser.
"It is important that this is retailer-based because experience has
shown us that banks will use any information against the
merchants," Roper said. "It will give retailers more control over
their data, which will put them in a stronger position when
negotiating with banks and payment schemes."
The not-for-profit service, developed in conjunction with
e-payments provider CyberSource, will allow online retailers to
check, in real time, names, postcodes and first-line addresses of
online shoppers suspected of fraud.
E-mail addresses, credit card numbers and IP addresses could be
added in the future.
Retailers decided to take action themselves because the police,
banks and payment schemes have ignored online fraud for too long,
Roper said. It will have three main benefits, "It will act as a
practical tool to fight against fraud; as a deterrent to fraudsters
who currently see the Internet as a soft touch; and will hopefully
result in more police action," Roper said.
"At the moment, police ignore individual cases of online fraud
because they see it as too small, but if we can get together as an
industry we can, hopefully, draw more attention to the
matter."
Bill Briggs, chairman of the data and information group at industry
body the British Retail Consortium, said sharing crime incident
data is a must for both online and offline retailers. "Our own
loss-prevention information can only take us so far," he said.
"Selling for profit is a competitive issue but protecting our
profit from crime should not be."
Sharing data can help retailers to identify particular trends and
take counter measures, Briggs said. "For example, when mobile phone
retailers began suffering a number of devastating burglary attacks
in June last year they shared their incident information and, as a
result, were able to justify substantial spending on
countermeasures," he said. "Sharing information will give us the
edge against the criminal community."
Sharing information across subsectors could prove to be vital,
agreed Roper. Typically, fraudsters concentrate on stealing from a
particular retail sector. A thief who has successfully acquired an
airline ticket, for example, will invariably hit other airlines and
try his luck on their Web sites, Roper said.
While Roper is confident that the warm card file service, together
with Visa and MasterCard's initiatives, can help to cut levels of
online fraud, he warned that there are a number of challenges
ahead.
"The card schemes are desperate to see this [type of service] come
into play to cut fraud but the challenge is convincing the banks to
take on the liability," he said. "Also, convincing consumers to
sign up will be difficult because there is no practical benefit.
They are well protected as it is and will just see the transactions
slowing down."
The online retailers are the ones who really need these services
but cannot utilise them without the other parties, Roper
said.
"Retailers will have to cajole consumers to sign up, probably with
some sort of opt-in mechanism, which will be the future of
e-commerce," he said. "The [Internet] network is the future and we
want it to be safe - the only reason there is resistance is that
people do not want to change the status quo."
"We are seeing progress," Roper added. "But it looks like they will
move as slowly as they can."
Online fraud initiatives
Verified by Visa
According to Visa, 80% of all disputed transactions occur when the
cardholder states that they did not participate in or authorise a
transaction. Verified by Visa helps to reduce these numbers and
eliminate the associated handling costs by introducing a password
element, the company said.
The service allows cardholders to use personalised passwords to
verify their identities when shopping online. The card-issuing bank
authenticates the cardholder and notifies the retailer that the
buyer is legitimate.
The service is based on technology called 3-D Secure, developed in
conjunction with BT Ignite, which is designed to easily integrate
with online retailers' existing payment systems.
IMRG's Warm Card File Service
The IMRG's warm card file
service is centred around a database that is designed to allow
retailers to safely share lists containing data about fraudsters,
including their names, credit card numbers and address
details.
The IMRG said the service can be offered either as part of a
broader fraud screening service utilising other neutral checks and
links to the Visa/MasterCard model or as a standalone service. All
data will be stored in compliance with EU data protection laws, the
trade body said.