The answer to credit-card security?

Written by Randy Barrett, Contributor

The solution to credit-card fraud on the Web may be much simpler than you think; PIN looks set to prevent fraudulent transactions.

4 May 2000 - Credit-card fraud against electronic merchants is on the rise, but some say the solution to the problem is only four digits long: the length of a new personal identification number for e-commerce transactions.

Charge plate personal identification numbers (PINs) have been used for years, mostly as an extra security identifier that allows customers to withdraw money from bank automated teller machines with their credit cards. Some online merchants are now asking why the same technique can't be used to authenticate card purchases on the Net.

"The technology is already there to deal with PIN numbers," says Mike Lester, chief executive of Internet provider Galaxy Star Systems in Oklahoma. Lester is leading a one-man crusade to promote e-commerce PINs but says he hasn't received any meaningful response from Visa International or MasterCard International yet.

In theory, the idea makes sense: Supply credit-card holders with a special e-commerce PIN that must accompany all online transactions. Many merchants say it would radically cut down on the use of fraudulent or stolen cards.

Most important, an e-commerce PIN would cut the number of transactions later rejected by card owners who didn't authorize a purchase - so-called "charge-backs." Both Visa and MasterCard have cracked down on the number of allowable charge-backs. Now, many online retailers aren't allowed to generate charge-back rates of more than 1 percent of monthly transactions. Net businesses that fail to meet the new requirements face fines of up to $100,000 per month.

Visa publicly supports the idea of adopting a new "payer authentication" platform, but is leaning toward a more intricate public/private key scheme.

"We view payer authentication as one of the next key steps to driving mass adoption of electronic commerce, which will allow our member banks to fully participate in the business opportunity," a Visa spokesman says.

But some electronic merchants are dubious about credit-card issuer interest in the whole advanced authentication concept. "There is no way they will consider it," says Roger Baer, president at TransMark, a third-party card processor. "They don't want anything that will impede the use of their credit cards."

MasterCard officials could not be reached for comment.

While PINs may seem the perfect answer, experts say it's not an airtight solution. "It has been tried many times," says Steve Klebe, vice president of payment industry alliances at transaction security firm CyberSource. "It raises its head every two or three years and never gets any traction."

A primary stumbling block is that the PINs can be easily stolen on the Net. "You're actually creating more security risk," Klebe says.

Ken Musante, vice president and manager at Humboldt Bank in Eureka, Calif., says the infrastructure to handle a new PIN would take significant resources to set up. Humboldt is a leading "acquiring" bank and serves thousands of Net merchant accounts.

Klebe agrees: "If the issuing banks [Visa and MasterCard] want to get really aggressive and spend a couple of hundred million [dollars] promoting the concept, then power to them."

Another sort of solution is already in the works. Visa and MasterCard are adding three new digits to all credit cards, under a program called Card Verification Value 2. Musante says it "should have a dramatic impact" in reducing charge-backs, because credit-card numbers will become harder to fake.

Meanwhile, Lester is trying to grab consumer attention about the card fraud problem through unorthodox means. He plans to send out spam e-mail to millions of Netizens, advising them to start charging back items they've bought from large online companies like Amazon.com, so they will generate unacceptable charge-back percentages. While the legality of the proposed campaign is still in question, Lester is determined to get his message out.

"My position is that credit-card fraud is at an all-time high, but it's not the merchant's fault," Lester says.
