Accepting credit cards over the Web can be a costly business

Dynamic Data Center and Virtualization Drives Operational Excellence at Emory Healthcare Windows Vista® Migration: What Really Happens? A Customer's Perspective Real-time collaboration and development with IBM Rational Team Concert streamlines any project Beyond consolidation: five reasons why you should start virtualizing The Total Economic Impact of the Altiris Total Management Suite Software Securing and Managing the Endpoints: The Case for Convergence SaaS Solutions for Remote Systems Management Compterworld Technology Briefing: Intelligent Users Use Business Intelligence Computerworld Report- Large Enterprises Pay More for IPAM Sign up to receive Default Resource Alerts

August 3, 2001 (Computerworld) --

	So how do these transactions hurt merchants? Here's the step-by-step math to show where the pain is: + $19.95 Purchase -19.95 Loss of purchase -19.95 consumer payback -25.00 charge back to credit card company = $69.40 Merchant loss* *does not include up to 7% “processing fee” for risky, card-not present environment.

Online merchants are red in the face about what they say is a credit card authorization system stacked against them and ripe for fraud.

The problem, say more than a dozen merchants, is that even when credit card companies preauthorize charges, the authorizations are too often reversed. Merchants pay a premium rate for this service: about 7% to collect credit over the Internet compared with 1% to 3% in the physical world. And then they pay $20 to $45 in chargeback fees when the card company's own preauthorization systems fail.

"It's quite frightening, actually," says Lisa Gerry Whittaker, who runs a Web hosting business in Oregon. "The banks authorize transactions, but they're not holding any of the responsibility. Last month, I caught over $3,000 in would-be fraudulent charges that were preapproved by the credit card companies. That's more than I earn in a month."

According to Meridien Research Inc. in Newton, Mass., Internet payment fraud worldwide will reach $15.5 billion in 2005 without widespread technological intervention. The problem especially impacts the small online merchants, who are now forming grass-roots groups like Merchant911.org to share information and learn technical procedures to reduce chargebacks.

"Charge-back fraud in particular has slowed the growth of e-commerce by keeping a lot of smaller merchants from putting their wares on the Web," says Theodore Iacobuzio, a senior analyst at TowerGroup in Needham, Mass. "Nothing's going to happen until credit card companies can positively authenticate every consumer buying from a Web site."

This lack of identification is exactly what card fraudsters count on. Criminals are flocking to take advantage of the Web the way they did when telephone and mail-order charges became prevalent in the 1980s, says John Shaughnessy, senior vice president of risk management at Foster City, Calif.-based Visa International Inc.

Both Visa and New York-based MasterCard International Inc. say they're working hard to lower chargebacks to Web retailers through new authorization programs they plan to roll out by the end of the year.

A payer authentication program called Verified by Visa is in pilot testing now. And MasterCard's Secure Payment Application (SPA) should be in pilot by the end of fall. Both products will be available to merchants directly from Visa and MasterCard and also marketed through third-party payment application and services providers, such as QSI Payments Inc. in Los Gatos, Calif., and Arcot Systems Inc. in Santa Clara, Calif., to card-issuing banks, which in turn offer them to affiliated merchants.

Verified by Visa is a fee-based program that, through a software agent installed on the merchant's Apache Web server, prompts the customer for a password when he clicks on the Buy button. The password is issued by and stored on servers at the cardholder's issuing bank, which verifies or denies the password and returns a denial or an authorization to the retailer.

MasterCard's SPA generates a unique, one-time token each time a cardholder makes a transaction. This is used to authenticate the account holder value and is verified by a personal identification number (PIN) or password that's also checked against the cardholder's issuing bank. If approved, the cardholder's value is populated into a hidden field on the online merchant's Web site. The MasterCard system lies on top of its current payment-authorization infrastructure and is set up to take any form of authentication, including smart cards.

Visa's program is already being talked about nervously about on carder (credit card trader) news groups like ccTrade, which was recently evicted from Yahoo Groups. And online merchants say they welcome the MasterCard and Visa programs if they really translate to more reliable preauthorizations.

But merchants don't like paying more for more accurate authorization services from their banks, something for which they say they already pay a premium. "Once again, the merchants would get it in the back," Whittaker adds.

MasterCard and Visa are vague on pricing. Visa's program would cost Web retailers $300 to thousands of dollars, depending on complexity of the application, according to a spokesperson. And MasterCard won't yet release its pricing.

But both authentication programs do come with the risk relief these online merchants have all asked for.

"In return for the placement of these hidden fields on the pay page, SPA will provide a guarantee to stand behind approvals when that field is populated with user value," says Steve Orfei, MasterCard's senior vice president of business development for global e-business. Visa also says it will stand behind any approved transactions that flow through its system.

But for these guarantees, all parties in the transaction -- the consumer, the online merchant and the issuing bank -- must participate, something that will likely take at least two years, says Mark Redding, vice president of technology development for online ticketing agent, Tickets.com in Costa Mesa, Calif. Tickets.com installed and successfully tested the Visa plug-in last month.

Until then, merchants must learn to better protect themselves the way Malibu, Calif.-based CardCops.com and Merchant911 members are doing. Start by following the security requirements outlined by the leading card associations. And subscribe to neural networks such as the Internet Fraud Screen co-developed by Visa and CyberSource Corp., an Internet retail services vendor in Mountain View, Calif.

But even these interim measures offer no guarantees. So electronic merchants are also learning to do a little detective work of their own.

Malibu, Calif.-based Phoenix Interactive, which runs Crew Net, a job-placement bulletin board for actors and crew in the motion picture industry, lowered its chargeback rates from 2.5% to less than 1% by developing its own history and demographics database to check against suspect applications.

Small online merchants are also sharing fraud and security tips and doing their own Internet investigations to see if purchasers are trying to hide their identities or locations.

When all else fails, Web retailers like Barry Laden, owner of Laden Online Ltd. in London, also use an older and slower technology -- telephone -- to call the issuing banks for additional verification before shipping a package.

Bruce A. Townsend, special agent in charge of financial crimes division at the U.S. Secret Service in Washington, lauds the growing savvy of electronic merchants. He also says the card companies participate more in investigations than ever before.

But from the Secret Service's perspective, credit card fraud is getting worse. In Secret Service cases alone, victim losses went from $230 million in 1999 to $300 million last year, even with fewer arrests.

Internet chargeback rates are about .25 to .28 cents per $100, compared with .7 to .8 cents per $100 for chargebacks across all merchandising media, such as brick-and-mortar shops, telephone, mail order and the Internet, according to Jean Bruesewitz, Visa's senior vice president for advanced risk solutions. And online merchants are pointing fingers at credit card associations. One merchant services vendor in June filed an e-mail complaint to the U.S. Department of Justice (DOJ) claiming the chargeback fee structure is illegal, which a DOJ spokesperson was unable to track down by deadline.

Townsend cautions that all parties -- the consumer, the merchant and the card companies -- need to work together to combat a technically advanced form of fraud that will be more difficult to stop. "The combined effects of the IT revolution and globalization have changed the whole landscape of fraud," he adds.

Chargeback fees go up considerably when e-merchants surpass chargeback rates of 1% of gross sales, which isn't hard to do, says Dan Clements, CEO of CardCops.com, a fraud investigative service for Web retailers. Among CardCops' 200 members, chargebacks average between 2% and 8% of gross sales, he says.

The two largest card associations, Visa, with over $1.6 trillion in products and a 56% share of the payments market last year, and MasterCard, which processed $857 billion last year, defend these chargeback fees. According to Visa, chargeback fees collected are shared between the card associations and the associate bank responsible for a card to cover the administrative costs to reverse charges and investigate disputes.

How cards go bad

• Skimmers: Criminal gangs use point-of-sale workers to swipe cards and PINs into palm-size card readers, mostly at restaurants, gas stations and, in some cases, automated teller machines, according to Bruce A. Townsend, special agent in charge of the financial crimes division at the U.S. Secret Service in Washington.



• Card generators: These are able bypass credit companies' address-verification systems, as long as the cards have the right ZIP codes.



• Web attacks: These include sniffers that catch card numbers in the clear; text-string attacks to confuse merchant order-form entry spaces, so servers spit up previous customer information; and brute-force attacks against poorly-protected electronic merchant servers where card information is stored.



• Filling out fraudulent applications: "Edie," a 64-year-old disabled retiree, started getting calls from creditors in June asking for $64,000 in back payments. "Not even one of these banks bothered to check my Social Security or phone numbers," she says.



• Trading: Groups like ccTrade, formerly at Yahoo Groups until Merchant911.org reported the group in June, made it easy to access and download attached files containing thousands of card numbers, including names, addresses, transactional records, phone numbers and even Social Security numbers, PINs and CVVs (card verification numbers on the back of the card in the signature boxes).

Print this Story

Send Us Feedback

E-mail this Story

Digg this Story

Slashdot this Story

Windows users indifferent to Microsoft patch alarm, says researcher Tech jobs down sharply but not out Apple yanks antivirus advice from its Web site More top stories...

Microsoft slates 8 bug updates for year's final Patch Tuesday De Beers tries to force spoof news Web site offline over fake ad Microsoft confirms Yahoo's Lu to run online services

Review: The new MacBook Air, now with extra SSD goodness Thin as ever, the latest Air offers up to twice the storage and snappy performance. Cool Stuff: Your 2008 Holiday Gift Guide We've got an array of economical, expensive, and just plain weird tech gifts for your friends and family. Massive botnet returns from the dead, starts spamming The spam-spewing 'Srizbi' botnet that was shut down two weeks ago has been resurrected and is again under criminal control, say security researchers. Elgan: Why you can't trust 'friends' on Facebook Facebook is popular and growing -- especially with criminals. Here's why they love it. Windows 7 Get the latest news, reviews and more about Microsoft's newest desktop operating system More Continuing Coverage Windows 7 Voting Technology Google's Chrome browser Economy in turmoil: Latest news and tips iPhone 3G Bill Gates moves on Windows Vista A to Z Mac A to Z 2008 Salary Survey Find wage data for 50 IT job titles. More Special Reports 2008 Premier 100 IT Leaders 2007 Premier 100 IT Leaders 2008 Best Places to Work in IT 2007 Best Places to Work in IT 2008 Salary Survey 2007 Salary Survey 2006 Salary Survey 2008 IT Forecast 2007 IT Forecast 40 Years of Computerworld Top 12 Green-IT Users The FAQs About Going Green IT Schools to Watch iPhone: One Year Later Global Mobile Your Next Data Center Management: Reinventing IT Stop Data Leaks Web 2.0 Security Surviving Disasters Managing Storage Virtualization The Lean Storage Machine Storage on Trial Can Web 2.0 Save BI? Bypass These BI Potholes All Zones Business Continuity Zone The File Data Management Zone Security Management Zone The SAS Zone Business Intelligence and Analytics Zone The Enterprise Search Zone Software as a Service Zone The Security Zone See your link here

Turning information into a Competitive Advantage Turning information into a Competitive Advantage View this webcast now! Go to the webcast  Solving Real World Storage Problems Download this whitepaper now. As your storage needs grow, the cost of managing it need not spiral out of control.Our vision - Universal Distributed Storage - is about: mainstreaming high endstorage functionality solutions built on industrystandard hardware a broad partner ecosystem Our next generation of Server and NAS products - Windows Server 2003 R2 and Windows Storage Server 2003 R2 - will help you further reduce your storage costs. Download this executive briefing  Six Key Issues - Strategies for Virtual Machines and the Data Center Download this white paper today! (Source: Juniper) Virtualization of servers is the strongest trend in today's data center. While virtualization can reduce costs in many ways, it has a variety of implications in disaster control, capacity planning, system management, and security. This white paper focuses on six key issues - and strategies for dealing with them - that will occur when application servers are combined into large virtual machine servers. Download this white paper  White Papers Read up on the latest ideas and technologies from companies that sell hardware, software and services. 8 Things You Need to Handle Today's Network Traffic Next-Gen Load Balancing: 3 Keys to Successful Delivery of Advanced Web Apps Building a Reliable and Dynamic Data Center with PAN Manager by Egenera View more whitepapers

• Windows users indifferent to Microsoft patch alarm, says researcher
• Microsoft slates 8 bug updates for year's final Patch Tuesday
• Tech jobs down sharply but not out
• More top stories 

Security Directions: Strategies and Tactics for Protecting Your Enterprise in 2009 Attend the Security Directions virtual event, with sessions available live on December 16, 2008 and available on-demand from December 17 though March 17, 2009. Some topics that will be covered include: Best Practices around Data Leak Prevention (DLP). What exactly is security due diligence and why does it matter? Cloud security and privacy. End-point security - rising gas prices have caused an increase in the number of remote workers, which leads to more security issues. Register now for this event that happens on December 16, 2008, but will also available on-demand from December 17 - March 17, 2009. Register Now!

Five Ways ERP Can Help You Implement Lean Getting in operational shape or becoming lean has been a primary goal of many companies over the last few years. Why is Lean so popular? Because it delivers what is truly needed in today's highly competitive world: shorter lead times, improved quality, reduced cost, increased profit, improved productivity, and enhanced customer service. Download this white paper now!