From The Analysts

  Internet Fra
Payment


ud And
 Security


by Paul Grill & Michael Lill

   In March 2000 the online travel agency, Expedia, announced that it would take a $4 - $6 million charge to cover the cost of fraudulent purchases made between late 1999 and early 2000. This incident highlighted the significant threat of online fraud and demonstrated that even sophisticated, major merchants are at risk. Despite the tremendous growth of e-commerce, incidents like these have made both consumers and merchants somewhat leery of doing business online. But is online commerce really as risky as we often hear in the press?
   While the threat of online fraud continues to receive attention from the press, its bark is likely worse than its bite. Early estimates for Internet chargeback rates were considerable�on the order of 15% to 30% of transactions. However, these estimates were most likely unique to certain Internet product categories, rather than applying to all Internet purchase volume (much of which takes place under the watchful eye of retailers with significant MO/TO experience.) In testimony to the Federal Trade Commission, Visa indicated that only 0.8% of Internet transactions are charged back. Although significant (perhaps 5 to 10 times the rate of physical world chargebacks), this rate is much lower than other frequently-quoted estimates like those above. Analysts may disagree over the precise magnitude of online fraud; nonetheless it does appear significant enough to warrant additional preventive tools or alternative, more secure payment options.
   Some vendors, like Orbiscom or Cyota, have developed disposable, one-time use credit card numbers. In September 2000 American Express introduced "Private Payments," their version of a one-time use card number. In October 2000 MBNA introduced their own version�"ShopSafe"�using Orbiscom's technology. The Discover product Deskshop also uses Orbiscom's technology to offer one-time use numbers. Although these products may address customers' security concerns, it is unclear how many consumers have been willing to adapt to the added inconvenience and whether this type of technology provides any benefits to merchants.
   Another way the industry is trying to address the problem of fraud is through smart cards. American Express was the first issuer to issue a chip card � "Blue" � in the U.S. After Blue's marketing success, several Visa issuers each introduced their own chip cards in 2000. Target recently announced that they would be the first U.S. retailer to offer smart cards. Other issuers will likely join this trend going forward. Despite the widespread attention these issuers have received, few users own chip card readers, and to date few online merchants have installed the necessary functionality to accept chip payments from those users who do have card readers.
   The latest online fraud reduction initiatives come from the card associations in the form of new POS authentication protocols. Visa's Verified by Visa and MasterCard's Secure Payment Application programs are designed to prompt consumers for a password at the online POS, thereby adding an additional layer of security. This type of technology could help reduce many types of Internet payment fraud, but it requires adoption by consumers, issuers, merchants, and others involved in the payments process. Visa has begun mass advertising of its program, and Bank One/First USA has signed on to offer the product to consumers. However, it is unclear whether the merchant community will be receptive to implementing this new technology. Clearly, credit cards have some drawbacks that make them less-than-perfect payment vehicles in the online world, particularly for merchants. Perhaps the new authentication systems supported by the associations will have more success and greater impact on the merchant community than previous products. However, it will likely still be several years until the risk of buying and selling goods online stabilizes at levels comparable to those of the physical world.