Accepting credit cards over the Web can be a costly business

1pixclear.gif
1pixclear.gif
1pixclear.gif
So how do these transactions hurt merchants?
Here's the step-by-step math to show where the pain is:


+ $19.95 Purchase
-19.95 Loss of purchase
-19.95 consumer payback
-25.00 charge back to credit card company
= $69.40 Merchant loss*


*does not include up to 7% “processing fee” for risky, card-not present environment.

Online merchants are red in the face about what they say is a credit card authorization system stacked against them and ripe for fraud.

The problem, say more than a dozen merchants, is that even when credit card companies preauthorize charges, the authorizations are too often reversed. Merchants pay a premium rate for this service: about 7% to collect credit over the Internet compared with 1% to 3% in the physical world. And then they pay $20 to $45 in chargeback fees when the card company's own preauthorization systems fail.

"It's quite frightening, actually," says Lisa Gerry Whittaker, who runs a Web hosting business in Oregon. "The banks authorize transactions, but they're not holding any of the responsibility. Last month, I caught over $3,000 in would-be fraudulent charges that were preapproved by the credit card companies. That's more than I earn in a month."

According to Meridien Research Inc. in Newton, Mass., Internet payment fraud worldwide will reach $15.5 billion in 2005 without widespread technological intervention. The problem especially impacts the small online merchants, who are now forming grass-roots groups like Merchant911.org to share information and learn technical procedures to reduce chargebacks.

"Charge-back fraud in particular has slowed the growth of e-commerce by keeping a lot of smaller merchants from putting their wares on the Web," says Theodore Iacobuzio, a senior analyst at TowerGroup in Needham, Mass. "Nothing's going to happen until credit card companies can positively authenticate every consumer buying from a Web site."

This lack of identification is exactly what card fraudsters count on. Criminals are flocking to take advantage of the Web the way they did when telephone and mail-order charges became prevalent in the 1980s, says John Shaughnessy, senior vice president of risk management at Foster City, Calif.-based Visa International Inc.

Both Visa and New York-based MasterCard International Inc. say they're working hard to lower chargebacks to Web retailers through new authorization programs they plan to roll out by the end of the year.

A payer authentication program called Verified by Visa is in pilot testing now. And MasterCard's Secure Payment Application (SPA) should be in pilot by the end of fall. Both products will be available to merchants directly from Visa and MasterCard and also marketed through third-party payment application and services providers, such as QSI Payments Inc. in Los Gatos, Calif., and Arcot Systems Inc. in Santa Clara, Calif., to card-issuing banks, which in turn offer them to affiliated merchants.

Verified by Visa is a fee-based program that, through a software agent installed on the merchant's Apache Web server, prompts the customer for a password when he clicks on the Buy button. The password is issued by and stored on servers at the cardholder's issuing bank, which verifies or denies the password and returns a denial or an authorization to the retailer.

MasterCard's SPA generates a unique, one-time token each time a cardholder makes a transaction. This is used to authenticate the account holder value and is verified by a personal identification number (PIN) or password that's also checked against the cardholder's issuing bank. If approved, the cardholder's value is populated into a hidden field on the online merchant's Web site. The MasterCard system lies on top of its current payment-authorization infrastructure and is set up to take any form of authentication, including smart cards.

Visa's program is already being talked about nervously about on carder (credit card trader) news groups like ccTrade, which was recently evicted from Yahoo Groups. And online merchants say they welcome the MasterCard and Visa programs if they really translate to more reliable preauthorizations.

But merchants don't like paying more for more accurate authorization services from their banks, something for which they say they already pay a premium. "Once again, the merchants would get it in the back," Whittaker adds.

MasterCard and Visa are vague on pricing. Visa's program would cost Web retailers $300 to thousands of dollars, depending on complexity of the application, according to a spokesperson. And MasterCard won't yet release its pricing.

But both authentication programs do come with the risk relief these online merchants have all asked for.

"In return for the placement of these hidden fields on the pay page, SPA will provide a guarantee to stand behind approvals when that field is populated with user value," says Steve Orfei, MasterCard's senior vice president of business development for global e-business. Visa also says it will stand behind any approved transactions that flow through its system.

But for these guarantees, all parties in the transaction -- the consumer, the online merchant and the issuing bank -- must participate, something that will likely take at least two years, says Mark Redding, vice president of technology development for online ticketing agent, Tickets.com in Costa Mesa, Calif. Tickets.com installed and successfully tested the Visa plug-in last month.

Until then, merchants must learn to better protect themselves the way Malibu, Calif.-based CardCops.com and Merchant911 members are doing. Start by following the security requirements outlined by the leading card associations. And subscribe to neural networks such as the Internet Fraud Screen co-developed by Visa and CyberSource Corp., an Internet retail services vendor in Mountain View, Calif.

But even these interim measures offer no guarantees. So electronic merchants are also learning to do a little detective work of their own.

Malibu, Calif.-based Phoenix Interactive, which runs Crew Net, a job-placement bulletin board for actors and crew in the motion picture industry, lowered its chargeback rates from 2.5% to less than 1% by developing its own history and demographics database to check against suspect applications.

Small online merchants are also sharing fraud and security tips and doing their own Internet investigations to see if purchasers are trying to hide their identities or locations.

When all else fails, Web retailers like Barry Laden, owner of Laden Online Ltd. in London, also use an older and slower technology -- telephone -- to call the issuing banks for additional verification before shipping a package.

Bruce A. Townsend, special agent in charge of financial crimes division at the U.S. Secret Service in Washington, lauds the growing savvy of electronic merchants. He also says the card companies participate more in investigations than ever before.

But from the Secret Service's perspective, credit card fraud is getting worse. In Secret Service cases alone, victim losses went from $230 million in 1999 to $300 million last year, even with fewer arrests.

Internet chargeback rates are about .25 to .28 cents per $100, compared with .7 to .8 cents per $100 for chargebacks across all merchandising media, such as brick-and-mortar shops, telephone, mail order and the Internet, according to Jean Bruesewitz, Visa's senior vice president for advanced risk solutions. And online merchants are pointing fingers at credit card associations. One merchant services vendor in June filed an e-mail complaint to the U.S. Department of Justice (DOJ) claiming the chargeback fee structure is illegal, which a DOJ spokesperson was unable to track down by deadline.

Townsend cautions that all parties -- the consumer, the merchant and the card companies -- need to work together to combat a technically advanced form of fraud that will be more difficult to stop. "The combined effects of the IT revolution and globalization have changed the whole landscape of fraud," he adds.

Chargeback fees go up considerably when e-merchants surpass chargeback rates of 1% of gross sales, which isn't hard to do, says Dan Clements, CEO of CardCops.com, a fraud investigative service for Web retailers. Among CardCops' 200 members, chargebacks average between 2% and 8% of gross sales, he says.

The two largest card associations, Visa, with over $1.6 trillion in products and a 56% share of the payments market last year, and MasterCard, which processed $857 billion last year, defend these chargeback fees. According to Visa, chargeback fees collected are shared between the card associations and the associate bank responsible for a card to cover the administrative costs to reverse charges and investigate disputes.

How cards go bad

  • Skimmers: Criminal gangs use point-of-sale workers to swipe cards and PINs into palm-size card readers, mostly at restaurants, gas stations and, in some cases, automated teller machines, according to Bruce A. Townsend, special agent in charge of the financial crimes division at the U.S. Secret Service in Washington.


  • Card generators: These are able bypass credit companies' address-verification systems, as long as the cards have the right ZIP codes.


  • Web attacks: These include sniffers that catch card numbers in the clear; text-string attacks to confuse merchant order-form entry spaces, so servers spit up previous customer information; and brute-force attacks against poorly-protected electronic merchant servers where card information is stored.


  • Filling out fraudulent applications: "Edie," a 64-year-old disabled retiree, started getting calls from creditors in June asking for $64,000 in back payments. "Not even one of these banks bothered to check my Social Security or phone numbers," she says.


  • Trading: Groups like ccTrade, formerly at Yahoo Groups until Merchant911.org reported the group in June, made it easy to access and download attached files containing thousands of card numbers, including names, addresses, transactional records, phone numbers and even Social Security numbers, PINs and CVVs (card verification numbers on the back of the card in the signature boxes).
SPA_UCAF_chart.gif

Copyright © 2001 IDG Communications, Inc.

  
Shop Tech Products at Amazon