Securing Online Payments
by Richard Moulds - VP of Marketing, nCipher - Monday, 7 April 2003
From the early days of the Internet, credit and charge card companies recognised the enormous opportunities presented to them - but they also saw challenges ahead. Credit cards are easily the best way to pay for products and services online, and some 90% of all online transactions are made by credit or debit cards, compared to only 28% of purchases made in person. These figures are based on research by Datamonitor, who also forecast that the value of Internet transactions will reach $3.9 billion by 2005 in the US and Europe alone.

However, online shopping also has the highest levels of fraud, and proving that the cardholder actually conducted the authorised transaction over the Internet is expensive: resolving disputed charges cost Visa member banks $250m in 2000. The problem is that 'card not present' transactions only require the card number and expiry date, so there is no way to be sure that it is the actual cardholder providing the details.

It's not surprising then that the card companies have been focusing their minds on the problem of online fraud. The challenge for them is to reduce the cost of fraud while at the same time increasing consumer confidence and encouraging more of us to buy online - whether that is through the Internet or other emerging channels including mobile phones and interactive digital TV.

Where the buck stops...

From the moment we decide to make a purchase using a credit card, there is a complex sequence of processes and organisations that handle the transaction. But in short, the key players are the card associations, the card issuers, merchants and acquirers. The card associations, also known as 'the brands', are the likes of Visa, MasterCard and Discover. The issuers are the banks who provide us with our credit cards and the acquirers are the financial services companies that process transactions on behalf of the merchants. Some large merchants will do this for themselves but most outsource to an acquirer that may also provide merchant hosting facilities.

The question of which of these parties bears the cost of online fraud is a complex one. While in most cases the cardholder is liable for his or her cards being stolen and used, the actual cost to the cardholder is capped and prevented from exceeding a modest limit. The card issuer bears most of the costs associated with investigating the details of a disputed charge, which may be considerably higher if the dispute is not resolved quickly and which always has the potential to damage customer relationships. However, it is the merchant that is liable for the value of the items purchased if the cardholder disputes that the purchase ever happened or just refuses to pay the bill.

If it were possible for the cardholder to be authenticated before a purchase, to a reasonable level of certainty, it should be possible to reduce the likelihood of a stolen credit card number being used. Obviously the merchants and banks would benefit directly, but so would the cardholder. The process of proving identity provides a greater feeling of security and should encourage more cardholders to shop online.

The question of authentication

3D Secure is a payment authentication mechanism defined by Visa for use on all non-traditional networks such as the Internet, mobile and interactive TV. The system puts an extra step into the checkout process, asking the bank that issued the card to verify that the online user is the legitimate cardholder. Once this step is completed, the merchant can process the transaction as normal but is now guaranteed payment, even if the transaction is disputed. So in this case, liability shifts to the card issuer.

COPYRIGHT 1998-2014 BY HELP NET SECURITY.