However, online shopping also has the highest levels of fraud and proving that the cardholder actually conducted the authorised transaction over the Internet cost Visa member banks $250m to resolve disputed charges in 2000. The problem is that 'card not present' transactions only require the card number and expiry date, so there is no way to be sure that it is the actual cardholder providing the details.
It's not surprising then that the card companies have been focusing their minds on the problem of online fraud. The challenge for them is to reduce the cost of fraud while at the same time increasing consumer confidence and encouraging more of us to buy online - whether that is through the Internet or other emerging channels including mobile phones and interactive digital TV.
Where the buck stops...
From the moment we decide to make a purchase using a credit card, there is a complex sequence of processes and organisations that handle the transaction. But in short, the key players are the card associations, the card issuers, merchants and acquirers. The card associations, also known as 'the brands', are the likes of Visa, MasterCard and Discover. The issuers are the banks who provide us with our credit cards and the acquirers are the financial services companies that process transactions on behalf of the merchants. Some large merchants will do this for themselves but most outsource to an acquirer that may also provide merchant hosting facilities.
The question of which of these parties bears the cost of online fraud is a complex one. While in most cases the cardholder is liable for his or her cards being stolen and used, the actual cost to is capped and prevented from exceeding a modest limit. The card issuer bares most of the costs associated with investigating the details of a disputed charge, which may be considerably higher if the dispute is not resolved quickly and always has the potential to damage customer relationships. However, it is the merchant that is liable for the value of the items purchased if the cardholder disputes the purchase ever happened or just refuses to pay the bill.
If it were possible for the cardholder to be authenticated before a purchase, to a reasonable level of certainty, it should be possible to reduce the likelihood of a stolen credit card number being used. Obviously the merchants and banks would benefit directly, but so would the cardholder. The process of proving identity provides a greater feeling of security and should encourage more cardholders to shop online.
The question of authentication
3D Secure is a payment authentication mechanism defined by Visa for use on all non-traditional networks such as the Internet, mobile and Interactive TV. The system puts an extra step into the checkout process that requests that the bank that issued the card verifies the online user and the legitimate cardholder. Once completed, the merchant can process the transaction as normal but is now guaranteed payment, even if the transaction is disputed. So in this case, liability shifts to the card issuer.
Reading our newsletter every Monday will keep you up-to-date with security news.
Receive a daily digest of the latest security news.