There is nervousness in the on-line trading world that the growing threat of fraud could put a stranglehold on the expansion of e-commerce. While there has been a successful battle against fraud using stolen credit cards, on-line retailers continue to feel vulnerable. Contrary to public perception, when internet fraud occurs it has long been the retailer rather than the card issuer that faces the financial hit.
Over the last five years fraud due to lost or stolen cards has decreased. In contrast, losses from fraudulent possession of card details – commonly known as card-not-present or 'CNP' transactions – jumped by 15 per cent to £110.1 million in 2002 and losses from identity theft rose by 41 per cent to £20.6 million. In all, internet fraud leapt by 86 per cent to £28 million.
The Federation of Small Businesses wrote to E-Commerce Minister Stephen Timms with its concerns. Although certain proprietary systems have been launched which throw the responsibility for fraudulent transactions back to the card issuing bank, the FSB is unconvinced.
Typically, retailers do not just lose the price of the dispatched goods – they also have to pay an administrative charge to the bank. One FSB member who has stopped trading on-line is David Barrett, director of Cybercomp, a computer parts retailer based in Cambridge. He closed his web site after being hit by £2,500 in chargeback costs. He thought he was protected after signing up to card payment processor WorldPay and getting authorisation for transactions from NatWest. "Authorisation means nothing," he said. "I thought if anything went wrong the bank would bear the brunt." He was wrong.
Credit cards were introduced into the UK by Barclays in 1966, followed by debit cards around 1987, and today more than 147 million UK issued plastic cards are in circulation.
However, the story of where liability for card fraud falls begins with the humble cheque.
History of liability
The effect of the Bills of Exchange Act – which dates back to 1882 – is that if a bank debits a customer's account with a cheque which has a forged signature, the bank must re-credit the account. As the burden of proof as to the signature's veracity lies with the bank, in most circumstances the customer is protected from fraudulent use of his cheques. Provided that a merchant takes reasonable care in the payment process, such as checking the signature against the guarantee card and confirming the purchase is within the card's limit, the issuing bank bears the risk of fraud.
The legislation and codes applicable to plastic cards issued in the UK have developed in a similar way, prescribing the allocation of risk for fraud between a card holder and the issuing bank, but otherwise allowing the banking industry to determine the rules as to who bears the cost of card fraud.
A card holder's liability for fraudulent use of his credit card under the Consumer Credit Act 1974 has always been modest and was extinguished for most on-line transactions by the Distance Selling Regulations 2000. Further card holder protection is also offered by the current Banking Code, which expressly states that a card holder will have no liability where details of his credit or debit card are used without his permission in CNP transactions.
The onus of proving whether a card transaction has been authorised by the card holder is also borne by the issuing bank. In essence, if the issuing bank cannot demonstrate that the card holder authorised the transaction, a bank has no authority to debit the purchase from the customer's account and will bear the risk of fraud – unless it can transfer that risk elsewhere. Currently, the fall guy is the merchant.
When a customer pays by card, the merchant sends transaction details to the merchant acquirer (the bank or building society processing transactions for the merchant) who credits the merchant's account with the transaction value, less a fee, then passes the details to the card issuer. The card issuer reimburses the merchant acquirer, and bills the customer if payment is by credit card, or debits the customer's account if by debit card.
Each card scheme provider sets a series of business rules and the basic decision on reclaiming the value of a transaction and imposing a processing penalty on a merchant – the dreaded chargeback – lies with the card issuer.
The risks of CNP fraud on-line are high. An on-line trader does not have any means to confirm if the purchaser physically holds the card as most CNP transactions are based on information shown on the card's face – information available to anyone who has sight of it. Banks are unwilling to underwrite these risks and push liability to the merchant.
This represents a significant problem for e-commerce. According to Visa, 80 per cent of chargebacks are due to card holders stating they did not authorise the transaction and e-commerce sales are 15–20 times more likely to be disputed and charged back than those conducted face-to-face.
To defeat the chargeback, an on-line merchant will be required to supply a copy of the customer's signature or proof of delivery to the customer by the notified date and to the issuing bank's satisfaction. If the merchant fails to do this, the issuing bank will impose a chargeback – the penalty portion of which can be as much as £20 per transaction.
On-line merchants should also not be misled by the purpose of 'authorisations' given by issuing banks in the course of a transaction – these only indicate that a card number is a valid combination of digits and that the account is in funds at the time of the transaction. They do not mean the issuing bank will underwrite payment. Adding to the misery, card scheme rules usually provide for transactions to be disputed up to 18 months from the transaction date, so on-line merchants may receive requests for documents relating to sales that have long been booked in their accounts.
There is potential good news on the horizon. In the US, legislation sets out the situations when a card holder can dispute a transaction, and significantly restricts the period when disputes can be raised. Commenting on this progress, the European Commission has identified an "urgent" need for a system that establishes the right and basic conditions for refunds for disputed card transactions. Whilst not recommending that liability fall in any particular direction, the Commission noted that it would expect the "active participation" of the payments industry.
Chip and PIN cards are heralded by the banking industry as the principal way that card fraud will be reduced in the next 10 years. However, Chip and PIN cards are designed to be inserted into terminals, which may limit their use by online purchasers, and the FSB fears that the safety introduced by Chip and PIN offline will encourage fraudsters to ply their trade on-line.
Of more immediate interest are new card schemes from Visa and MasterCard which are based on shared secrets (i.e. passwords or PINs agreed with the issuing bank) and specifically designed for internet use. Both are similar. With 'Verified by Visa', the important hook for online merchants is that, in most cases, payments are guaranteed for CNP transactions, so liability for transactions which are repudiated by the card holder is shifted to the card issuer. Best of all, the liability shifts just by the merchant joining the scheme – so it does not matter that currently only a tiny proportion of consumers globally have compatible credit cards. MasterCard's 'SecureCode' has still to go live in the UK but it will operate in a similar way.
Visa admits that it is currently targeting only the household names on-line to sign up – and some have been attracted by its incentive of shifted liability. One of the first was Dabs.com, the UK's largest on-line retailer of IT and electronics products. According to the company, prior to implementing 'Verified by Visa' this year, fraud cost Dabs.com approximately £30,000 to £50,000 every month. It still incurs chargebacks, but costs are down to £15,000 to £20,000.
However, the Visa and MasterCard systems are not necessarily the panacea for credit card fraud. Apart from only applying to cases where the card holder denies authorising the transaction, the merchants must also implement the systems.
For SMEs, there are vendors offering off-the-shelf solutions and some payment processors that have implemented one or both schemes; for larger companies, integration may be more complex if they have a proprietary payment system in place. For some, the schemes are simply too clunky. Amazon.com's director of corporate development has commented: "From our standpoint, the amount of friction that Verified by Visa introduces for the customers outweighs the benefit from reducing fraud. It would turn one-click ordering into four-point, three-click ordering." And the FSB is suspicious about the costs.
The FSB says neither Visa nor MasterCard have been transparent in their pricing. "We know of no small business in the UK using the schemes," added the FSB's Parliamentary Officer, David Bishop. "They've only got a few thousand members throughout all of Europe – which is a drop in the ocean."
On the upside, some small businesses might be using the schemes without knowing it. WorldPay was among the first card processors to get on board. Owned by The Royal Bank of Scotland Group, WorldPay has over 20,000 businesses using its on-line payment services, mostly in Britain. It is gradually rolling out the authentication solutions to existing clients' sites and it expects to have most up to speed by Christmas. It is also including the services as standard for all new customers using its off-the-shelf payment processing packages – with no added fees.
When this was put to David Bishop, he gave a cautious welcome. "If it really is the case that these systems will transfer liability and do not involve further or higher charges, then that's a massive step in the right direction," he said. "But until we see whether that is the case, and until we see if these schemes take off or fall, we'll reserve judgement."
Admittedly, plastic cards were never designed for use over the internet. But currently Visa, MasterCard and Switch handle over 90% of online payments in this country and for the foreseeable future their grip on the market looks secure. The new authentication schemes sound attractive in principle, albeit that they don't deal with all types of card fraud, MasterCard's scheme is not yet operational with UK merchants, and Switch has no equivalent. So, as the FSB notes, we do need to wait and see.
Until a workable alternative to today's system reaches critical mass, on-line merchants will need to rely on their own internal checks to minimise the impact of chargebacks – or develop some very deep pockets.
How to protect against fraud
- Make sure basic web site security is in place – e.g. all card holder data must be encrypted before transmission, and reject orders placed by other means, such as e-mails containing credit card details.
- To reduce "honest" customer mistakes turning into disputed transactions, ensure full details of goods and services are clearly set out on the web site.
- Ensure your payment system uses an Address Verification Service, e.g. to check the house number and postcode of the card holder's statement address with the issuing bank.
- Request the Card Security Code from the customer (the last three italicised digits on the signature strip on the back of the card) and check this with the issuing bank.
- Cross check card numbers against the Industry Hot Card file.
- Introduce automated pattern cross-checks into the payment process – Is the same postal address being used with a variety of card numbers and names? Is the same card being used for multiple purchases? For unusually large or suspect purchases, consider reverting to offline verification.
- Consider refusing orders with delivery addresses in high risk countries, such as Nigeria or Romania.
- Consider signing up to Verified by Visa and MasterCard's SecureCode or choosing a payment processor like WorldPay that has already signed up.
- If you are using a payment processor which has not signed up to or rolled out the schemes to you, check what other card holder verification checks they carry out.
- Remember, you can only minimise rather than eliminate the risk of chargebacks for card fraud.
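The automated pattern cross-checks in the list above can be sketched as follows. This is an added example, not code from the article or from any payment processor: the `Order` fields, the thresholds and the 24-hour window are assumptions, and the sample orders are constructed.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Order = namedtuple("Order", "id time card_token house_no postcode amount")
# Assumed thresholds, not taken from the article; tune them on your own order history.
MAX_CARDS_PER_ADDRESS = 2
MAX_ORDERS_PER_CARD = 3
LARGE_ORDER_GBP = 500.00
WINDOW = timedelta(hours=24)

def address_key(order):
    """House number + postcode, normalised so ' 12'/'cb12ab' matches '12'/'CB1 2AB'."""
    return (order.house_no.strip().lower(), order.postcode.replace(" ", "").upper())

def review_orders(orders):
    """Return {order_id: [reasons]} for orders to hold for offline verification."""
    cards_at_address = defaultdict(list)  # address -> [(time, card_token)]
    uses_of_card = defaultdict(list)      # card_token -> [time]
    held = {}
    for o in sorted(orders, key=lambda o: o.time):
        cutoff, reasons = o.time - WINDOW, []
        # Same delivery address used with a variety of cards inside the window.
        seen = [(t, c) for t, c in cards_at_address[address_key(o)] if t >= cutoff]
        seen.append((o.time, o.card_token))
        cards_at_address[address_key(o)] = seen
        distinct = len({c for _, c in seen})
        if distinct > MAX_CARDS_PER_ADDRESS:
            reasons.append(f"{distinct} cards at one address")
        # Same card used for multiple purchases inside the window.
        uses = [t for t in uses_of_card[o.card_token] if t >= cutoff] + [o.time]
        uses_of_card[o.card_token] = uses
        if len(uses) > MAX_ORDERS_PER_CARD:
            reasons.append(f"{len(uses)} orders on one card")
        if o.amount >= LARGE_ORDER_GBP:
            reasons.append("unusually large order")
        if reasons:
            held[o.id] = reasons
    return held

# Constructed sample orders; card_token stands in for a tokenised card number.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE = [
    Order("A1", T0, "tok_a", "12", "CB1 2AB", 40.0),
    Order("A2", T0 + timedelta(hours=1), "tok_b", "12", "cb12ab", 55.0),
    Order("A3", T0 + timedelta(hours=2), "tok_c", " 12", "CB1 2AB", 60.0),
    Order("B1", T0, "tok_d", "7", "M1 1AA", 900.0),
    Order("A4", T0 + timedelta(hours=30), "tok_a", "12", "CB1 2AB", 40.0),
]

if __name__ == "__main__": print(review_orders(SAMPLE))
```

Order A4 reuses the same address 30 hours later and is not held, because earlier activity has aged out of the window; a longer window catches slower patterns at the cost of more manual reviews.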