It's easy to see why online merchants feel they are waging a lonely, uphill battle against card fraud. They've grown accustomed to law-enforcement agencies that turn a deaf ear to their pleas for help unless fraud losses number in the six figures. And they've struggled to curb fraud in card systems that seem to protect every party but e-merchants.
But that may be changing. Frustrated online retailers are coming together to develop fraud-prevention measures of their own. And the bank card associations and American Express Co. are taking notice.
In mid March, a group of online merchants and related companies met in Las Vegas, Nev., to launch an organization to help e-merchants in their war against card fraud. The new Merchant Risk Council is a merger of two earlier groups, the Merchant Fraud Squad, founded by American Express Co., and the Internet Fraud Round Table, a group of 65 large e-merchants.
It's understandable why Web merchants are looking for relief. A 2002 Gartner Inc. survey found that fraudulent transactions comprise 1% of total online transactions, 15 times higher than fraud in the physical world. Online retail sales increased 27% to $45.6 billion last year, according to the U.S. Census Bureau.
And an e-merchant's losses can extend beyond the actual cost of the product or service charged to a fraudulent card. Because they operate in a card-not-present environment, e-merchants also are subject to the card associations' highest interchange rates, the portion of each transaction paid by acquirers to issuers in return for guaranteed payment. Visa's interchange rate for e-commerce is 1.80% of the sale plus 10 cents. That compares with Visa's card-present retail rate of 1.39% plus 10 cents. Under MasterCard's interchange rates, Internet merchants pay 1.90% plus 10 cents, compared with 1.40% plus 10 cents for card-present retail transactions.
Increases in interchange typically are passed along to merchants.
"It's like they get them coming and going," says Jeff Foster, vice president of Providence, R.I.-based risk-assessment software vendor Retail Decisions.
What's more, online merchants face stiff fines and could lose their right to accept cards if their fraud and chargeback rates rise above a certain level. That could be devastating.
To be sure, there are a wide variety of fraud-protection tools that have proved effective in the physical world. But the most common ones, including the associations' address verification service, are of limited value to the Web merchant.
"Tools like AVS were not really designed for Internet transactions," says Steve Klebe, vice president for strategic alliances for Mountain View, Calif.-based risk-management and payment technology developer CyberSource Corp.
Even the new cardholder authentication products designed to cut online fraud-including Verified by Visa and MasterCard's SecureCode-have flaws. Authentication technologies that use pop-up windows for passwords can be blocked if cardholders have installed software to disable pop-ups, Klebe says.
But Bruce Rutherford, MasterCard vice president of e-business and emerging technologies disagrees. "There are ways of working the implementation to minimize the impact of such software," he says.
Further, Web merchants don't like to adopt technologies that make it cumbersome for cardholders to make purchases. "Probably the biggest problem ... is that now the associations are putting in this additional step in the checkout process," Foster says.
For that reason, many online merchants are turning to a low-tech antifraud measure-manual review of transactions. Manual review was the second most popular method for managing online fraud after the use of the address verification service during the authorization period, CyberSource found. On average, merchants manually reviewed 20% of online orders last year. As a result, most e-merchants incurred extra staff costs, including hiring and overtime, CyberSource says.
E-merchants' distrust of the card industry runs deep, and leaves many unconvinced that any fraud-prevention measures offered by the card companies will provide relief, says Avivah Litan, vice president and research director at Gartner Inc., a Stamford, Conn.-based market-research firm. She notes that merchants' doubts are fueled in part because some issuers refuse to help Web retailers verify a cardholder's name on suspect transactions.
Many e-merchants feel that issuers' alleged lack of cooperation will extend to MasterCard's and Visa's new cardholder-authentication schemes, Litan says. Under both programs, liability for online fraud shifts to the issuers for all authenticated transactions. Without authentication, e-merchants are liable for fraud losses.
"There is considerable skepticism among merchants that the liability will be shifted even if they implement the programs," says Litan. "They just think the card issuers will re-classify the chargebacks to codes that then make the merchant responsible."
Many online merchants also complain that when hackers steal credit card numbers and other confidential data out of a database, the card associations and issuers generally don't pass that information on to e-tailers.
"Merchants are upset that cards aren't cut off in a timely manner when they're at risk financially," says Dan Clements, chief executive of CardComs.com, a company that sells data on compromised cards.
And even sophisticated anti-fraud technologies don't guarantee fraud will be detected in such a situation. "A freshly hacked database of cards will slide under the radar of most of these programs until the cards are cut off," Clements says.
Likely contributing to e-merchants' dim view of the card associations is the fact that Visa and MasterCard are not experienced in working directly with merchants, some observers say. The two associations pass on changes in rules and regulations to their member merchant acquirers, but "sometimes the message gets through (to e-merchants) and sometimes it doesn't," says Julie Fergerson, vice president of ClearCommerce Corp., an Austin, Texas, provider of processing and risk-management software. ClearCommerce was a member of the Merchant Fraud Squad and is participating in the Merchant Risk Council.
What many online merchants want is to work closely with Visa, MasterCard, AmEx, Discover and JCB, says Rene Pelegero, formerly director of global payments for Amazon.com and head of Retail Payments Global Consulting. "The biggest (complaint) is that the card associations and the card companies put out new tools or new features without consulting the merchants."
But the card associations and card companies say they want the same thing that e-merchants want-to improve the security of e-commerce. "The underlying common agenda across all parties is to try to grow e-commerce profitably," MasterCard's Rutherford says. "That benefits the merchants and the acquirers as well as the card issuers."
That's not to say that e-merchants only have gripes against the card associations. Many e-merchants' also believe they get short shrift from law enforcement. That's because agencies like the cybercrime unit of the Federal Bureau of Investigation are "much more worried about terrorism than nefarious activities on the Web," Litan says.
For many e-merchants, finding solutions to fraud can't come too soon. But the fact that AmEx, MasterCard and Visa sponsored the risk council's initial meeting shows that the card industry is taking e-merchants' plights seriously, Fergerson says. "They recognize they need to help merchants," she says. "That was a great first step."
Authoritative analysis and perspective for every segment of the payments industry
Authoritative analysis and perspective for every segment of the industry
Have an account? Sign In