Feature

Retailers and card issuers step up fight against online fraud

After a slow start the online credit card verification scheme set up to save UK retailers millions of pounds a year lost to online fraud is finally beginning to grab their attention. Daniel Thomas investigates why retailers have been slow to take up the technology

When credit card giant Visa launched an online payment authentication service in April it appeared to be an ideal way for online retailers to protect themselves against card-not-present fraud, which cost UK retailers £95m last year.

"Sign up to the Verified by Visa service and you will no longer be liable for the majority of disputed online payments," e-retailers were told. The password-based service, Visa claimed, could save UK retailers up to £55m a year by reducing the number of e-commerce disputes by 80%.

Despite these promises progress has been slow. More than six months after the scheme's launch, only four UK-based online retailers - all owned by the same company - have signed up.

However, there may finally be some movement on the retailer front. In the week that HSBC became the third acquiring bank to sign up to Verified by Visa, the credit card company said a number of major UK retailers are due to join the programme in the next month.

"Our effort so far has been with the acquirers such as Barclaycard and Royal Bank of Scotland, which cover 80% of all Visa's e-commerce volume," said Sandra Alzetta, senior vice-president at Virtual Visa.

"Phase two is to target all the key retailers and payment processing companies such as WorldPay. There will be some significant retailer announcements in November."

Visa has been criticised by some industry figures for the slow progress of its initiative, but Alzetta insisted it is fully committed to the fight against online fraud. "Visa has been pioneering safe shopping online," she said. "We have changed all our business rules by moving the liability away from the retailer to the issuing bank."

Alzetta also moved to dispel fears that online retailers will have to adapt their systems to ensure consumers can use both Verified by Visa and Securecode, a similar service from rival credit card firm MasterCard.

"We have reached an agreement by which an acquiring bank which issues both cards can implement both systems," she said. "This means retailers will be able to use the same message format when authenticating users."

James Roper, chief executive of online trade body the Interactive Media in Retail Group (IMRG), who has been heavily critical of Visa and MasterCard, welcomed the news that retailers were beginning to sign up to the initiatives.

"It looks like MasterCard and Visa's programmes are finally becoming a reality," he said. "They will help to close off repudiation [where the consumer denies any knowledge of a fraudulent purchase]."

Preventing repudiation is one step but it is not enough in itself, Roper said. This is why the IMRG is this month launching an industry-wide anti-fraud database, which will allow participants to check customer orders against a list of known rogue consumers. "Repudiation has to be allied with a resource that deals with the names of those involved," Roper said.

So far, 10 IMRG members, including Argos, Blockbuster, Carphone Warehouse and Ocado, have given their backing to the "warm card" file service, which will be accessible via a secure Web browser.

"It is important that this is retailer-based because experience has shown us that banks will use any information against the merchants," Roper said. "It will give retailers more control over their data, which will put them in a stronger position when negotiating with banks and payment schemes."

The not-for-profit service, developed in conjunction with e-payments provider CyberSource, will allow online retailers to check, in real time, names, postcodes and first-line addresses of online shoppers suspected of fraud.

E-mail addresses, credit card numbers and IP addresses could be added in the future.

Retailers decided to take action themselves because the police, banks and payment schemes have ignored online fraud for too long, Roper said. It will have three main benefits, "It will act as a practical tool to fight against fraud; as a deterrent to fraudsters who currently see the Internet as a soft touch; and will hopefully result in more police action," Roper said.

"At the moment, police ignore individual cases of online fraud because they see it as too small, but if we can get together as an industry we can, hopefully, draw more attention to the matter."

Bill Briggs, chairman of the data and information group at industry body the British Retail Consortium, said sharing crime incident data is a must for both online and offline retailers. "Our own loss-prevention information can only take us so far," he said. "Selling for profit is a competitive issue but protecting our profit from crime should not be."

Sharing data can help retailers to identify particular trends and take counter measures, Briggs said. "For example, when mobile phone retailers began suffering a number of devastating burglary attacks in June last year they shared their incident information and, as a result, were able to justify substantial spending on countermeasures," he said. "Sharing information will give us the edge against the criminal community."

Sharing information across subsectors could prove to be vital, agreed Roper. Typically, fraudsters concentrate on stealing from a particular retail sector. A thief who has successfully acquired an airline ticket, for example, will invariably hit other airlines and try his luck on their Web sites, Roper said.

While Roper is confident that the warm card file service, together with Visa and MasterCard's initiatives, can help to cut levels of online fraud, he warned that there are a number of challenges ahead.

"The card schemes are desperate to see this [type of service] come into play to cut fraud but the challenge is convincing the banks to take on the liability," he said. "Also, convincing consumers to sign up will be difficult because there is no practical benefit. They are well protected as it is and will just see the transactions slowing down."

The online retailers are the ones who really need these services but cannot utilise them without the other parties, Roper said.

"Retailers will have to cajole consumers to sign up, probably with some sort of opt-in mechanism, which will be the future of e-commerce," he said. "The [Internet] network is the future and we want it to be safe - the only reason there is resistance is that people do not want to change the status quo."

"We are seeing progress," Roper added. "But it looks like they will move as slowly as they can."

Online fraud initiatives
Verified by Visa

According to Visa, 80% of all disputed transactions occur when the cardholder states that they did not participate in or authorise a transaction. Verified by Visa helps to reduce these numbers and eliminate the associated handling costs by introducing a password element, the company said.

The service allows cardholders to use personalised passwords to verify their identities when shopping online. The card-issuing bank authenticates the cardholder and notifies the retailer that the buyer is legitimate.

The service is based on technology called 3-D Secure, developed in conjunction with BT Ignite, which is designed to easily integrate with online retailers' existing payment systems.

IMRG's Warm Card File Service
The IMRG's warm card file service is centred around a database that is designed to allow retailers to safely share lists containing data about fraudsters, including their names, credit card numbers and address details.

The IMRG said the service can be offered either as part of a broader fraud screening service utilising other neutral checks and links to the Visa/MasterCard model or as a standalone service. All data will be stored in compliance with EU data protection laws, the trade body said.

Email Alerts

Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

This was first published in October 2002

 

COMMENTS powered by Disqus  //  Commenting policy