Online Credit and Debit Card Security Report

Independent market analyst Datamonitor has released a new report on the state of online credit and debit card security. E-commerce payment volumes will continue to increase in coming years, and the analysts predict they will surpass 200 billion euros by 2007. With this rise, we will see a coincident rise in online card fraud. The report covers the past, present and future of the card scheme security initiatives. The following paragraphs explain the situation regarding card scheme security initiatives and card fraud.

Card scheme security initiatives explained
In recent years eCommerce consumer payment volumes have ballooned due to consumers’ appetite for purchasing a wide range of goods and services online. Datamonitor estimates that European consumer online spend, i.e. the value of goods and services purchased and paid for online using any payment mechanism, amounted to almost EUR40 billion in 2002. Yet, despite this impressive growth, there is some concern that rising online card fraud is deterring some consumers from transacting online or from doing so as frequently as they would like. The major card schemes such as Visa, MasterCard and Maestro have sought to address this problem by developing security initiatives that make it more difficult to use a credit or debit card fraudulently online. Most recently the card schemes have launched Verified by Visa, MasterCard SecureCode and Maestro’s eCommerce.

Card not present (CNP) fraud is on the increase
Although it is widely believed that credit cards remain a safe way to purchase goods and services online, it is also recognised that online card fraud is on the increase. For example, Visa USA has revealed that fraud related to eCommerce now accounts for 10 per cent of the fraud it records despite eCommerce accounting for only five per cent of sales volumes. Card not present (CNP) fraud, of which online fraud is a component, is also rapidly increasing in significance. According to Visa EU statistics, CNP fraud now accounts for 23 per cent of total card fraud up from eight per cent in 1997 and 20 per cent in 2000.

Authentication in the online environment is problematic
In an offline environment credit cards can be authenticated at the point of sale. The merchant verifies that the individual making the purchase is also the person to whom the card belongs by checking the signature the cardholder provides against that on the reverse of the card. If the signatures match, and the card is verified, the sale is agreed. In an online environment, and indeed via other channels such as mail order and over the telephone, authentication is more difficult. The merchant is unable to see the card or to verify a signature. This weakness gives rise to CNP fraud, since ultimately anybody can provide anybody else’s credit card details and, assuming the card has not been reported lost or stolen and the funds are available, the sale will be agreed.

The history of card scheme security initiatives has been a chequered one
A number of card scheme security initiatives have been launched over the last decade in order to tackle the problem of online card fraud. Secure Electronic Transaction (SET) was launched in 1996 following co-operation between Visa, MasterCard and American Express. SET built upon the security provided by Secure Sockets Layer (SSL) by not only encrypting information transferred between customer and merchant but also authenticating both parties using digital certificates issued by a trusted issuing authority. However, SET never really caught on, achieving only limited roll-out in Scandinavia and continental Europe and, critically, not in the US, so often the global leader in this field. It was ultimately too complicated and demanding for cardholders and merchants, especially since it required both parties to download additional software.

SET evolved into 3D-SET. 3D-SET sought to improve on SET by being server-based rather than customer-based. However, it too failed to garner the interest of consumers, merchants and card issuers.

Initiatives have now been launched by Visa, MasterCard and Maestro
The most recent card scheme security initiatives have been launched within the last few years. Visa’s Verified by Visa is based on the 3D-Secure protocol and requires that cardholders enrol at their card issuer’s website. Once enrolled, they are able to use the service to purchase goods and services from any participating online merchant. At the payment page they are requested to pass through an authentication procedure. Once their input is verified by the merchant and card issuer, the sale can be completed.

MasterCard’s SecureCode functions in a similar way to Verified by Visa, although in this case it is based on the Secure Payment Application (SPA) protocol and the cardholder is required to download a digital wallet from their card issuer. Maestro’s eCommerce program is based on the Online Debit Solution and functions by replacing the 19-digit debit card number with a 12-19 digit ‘credit card like’ Internet-only number. This pseudo card number (PCN) is entered in the same way as a credit card number and is stored by a wallet downloaded by the cardholder.

The liability shift will help ensure merchant acceptance of the card scheme security initiatives
In order to encourage merchant uptake of their security initiatives, the card schemes have removed from merchants the liability for ‘chargebacks’, i.e. where the consumer denies they made a card purchase for which they have been billed. Consequently, Visa announced that from April 2003 merchants will not have to meet the cost of chargebacks regardless of whether the card issuer is participating in Verified by Visa or whether the cardholder is enrolled. MasterCard announced that from November 2002 card issuers would no longer be able to pass the cost of a fraudulent transaction on to merchants, assuming the cardholder is enrolled in SecureCode and used the system to make the purchase in question. This year MasterCard will consider shifting the liability for all transactions away from merchants in cases where the cardholder is authenticated by the merchant.

The liability shift from merchants to card issuers should be regarded as a masterstroke by the card schemes. As merchants pass on liability to card issuers there will be added incentive for card issuers not only to adopt the security initiatives but also to promote cardholder uptake. It is at the card issuer’s website that consumers enroll for the initiatives and hence it is card issuers who will be in the best position to promote adoption. Higher rates of cardholder adoption will encourage more merchants to adopt the technology and hence generate even more incentive for card issuers to promote further adoption. Thus, the card schemes have generated a self-perpetuating system of cardholder and merchant adoption and card issuer promotion.

The number of merchants, issuers and cardholders enrolled in Verified by Visa is increasing rapidly
Visa is so far winning the race to ensure maximum merchant and issuer acceptance and cardholder adoption. More than 100 merchants in the US and EU now accept payments made using Verified by Visa and more than 6,000 card issuers now offer Verified by Visa to their cardholders. The number of cardholders enrolled in Verified by Visa is now believed to be well in advance of 10 million. MasterCard and Maestro are some way behind Visa in terms of the number of merchants, issuers and cardholders enrolled. Both card schemes are, however, working on merchant and card issuer acceptance and are likely to launch major cardholder-focused marketing campaigns in the near future.

Alex Boorman, Datamonitor financial services analyst and author of the report noted: “Our research predicts that consumer eCommerce payment volumes will continue to increase in coming years such that volumes could surpass EUR200 billion by 2007. However, the growth of eCommerce volumes will be followed by a coincident rise in online card fraud as measures to tackle offline fraud are successful, encouraging fraudsters to seek opportunities in the online space; and the card scheme security initiatives are not extensive enough to provide much of a deterrent. Given this situation the card schemes must work hard to boost acceptance and enrolment as quickly as possible. The card schemes are already doing this to a degree, although there is much more that they can do. That they do so is critical for only widespread acceptance and enrollment by all parties will guarantee the initiatives’ success.”