Online Credit and Debit Card Security Report
by Berislav Kucan - Thursday, 17 April 2003
The history of card scheme security initiatives has been a chequered one

A number of card scheme security initiatives have been launched over the last decade in order to tackle the problem of online card fraud. Secure Electronic Transaction (SET) was launched in 1996 following co-operation between Visa, MasterCard and American Express. SET built upon the security provided by Secure Sockets Layer (SSL) by not only encrypting information transferred between customer and merchant but also authenticating both parties using digital certificates issued by a trusted issuing authority. However, SET never really caught on, achieving only limited roll-out in Scandinavia and continental Europe and, critically, not in the US, so often the global leader in this field. It was ultimately too complicated and involved for cardholders and merchants, especially since it required both parties to download additional software.

SET evolved into 3D-SET. 3D-SET sought to improve on SET by being server rather than customer based. However, it too failed to garner the interest of consumers, merchants and card issuers.

Initiatives have now been launched by Visa, MasterCard and Maestro

The most recent card scheme security initiatives have been launched within the last few years. Visa's Verified by Visa is based on the 3D-Secure protocol and requires that cardholders enrol at their card issuer's website. Once enrolled, they are able to use the service to purchase goods and services from any participating online merchant. At the payment page they are requested to pass through an authentication procedure. Once their input is verified by the merchant and card issuer, the sale can be completed.

MasterCard's SecureCode functions in a similar way to Verified by Visa, although in this case it is based on the Secure Payment Application (SPA) protocol and the cardholder is required to download a digital wallet from their card issuer. Maestro's eCommerce program is based on the Online Debit Solution and functions by replacing the 19-digit debit card number with a 12-19 digit 'credit card like' Internet-only number. This pseudo card number (PCN) is entered in the same way as a credit card number and is stored by a wallet downloaded by the cardholder.

The liability shift will help ensure merchant acceptance of the card scheme security initiatives

In order to encourage merchant uptake of their security initiatives, the card schemes have removed from merchants the liability for 'chargebacks', i.e. cases where the consumer denies they made a card purchase for which they have been billed. Consequently, Visa announced that from April 2003 merchants will not have to meet the cost of chargebacks regardless of whether the card issuer is participating in Verified by Visa or whether the cardholder is enrolled. From November 2002 MasterCard announced that card issuers would no longer be able to pass the cost of a fraudulent transaction on to merchants, assuming the cardholder is enrolled in SecureCode and used the system to make the purchase in question. This year MasterCard will consider shifting the liability for all transactions away from merchants in cases where the cardholder is authenticated by the merchant.

The liability shift from merchants to card issuers should be regarded as a masterstroke by the card schemes. As merchants pass on liability to card issuers, there will be added incentive for card issuers not only to adopt the security initiatives but also to promote cardholder uptake. It is at the card issuer's website that consumers enrol for the initiatives, and hence it is card issuers who will be in the best position to promote adoption. Higher rates of cardholder adoption will encourage more merchants to adopt the technology and hence generate even more incentive for card issuers to promote further adoption. Thus, the card schemes have generated a self-perpetuating system of cardholder and merchant adoption and card issuer promotion.

The number of merchants, issuers and cardholders enrolled in Verified by Visa is increasing rapidly

Visa is so far winning the race to ensure maximum merchant and issuer acceptance and cardholder adoption. More than 100 merchants in the US and EU now accept payments made using Verified by Visa and more than 6,000 card issuers now offer Verified by Visa to their cardholders. The number of cardholders enrolled in Verified by Visa is now believed to be well in excess of 10 million. MasterCard and Maestro are some way behind Visa in terms of the number of merchants, issuers and cardholders enrolled. Both card schemes are, however, working on merchant and card issuer acceptance and are likely to launch major cardholder-focused marketing campaigns in the near future.

