Moshtix shores up online payment security
With most of its business conducted online, ticketing company Moshtix devotes a lot of attention to ensuring the security of payment transactions processed through its website .
Moshtix technology director, Bartek Marnane
(Credit: Moshtix)
In the euphoric moment of securing tickets to a coveted event, it's uncertain whether consumers think about online security when they surrender their credit card details.
The Australian Payment Clearing Association (APCA) recently released statistics showing that incidents of credit card fraud for non face-to-face payments increased in 2011, spurred by growth in online retail. APCA urged retailers to ramp up their online transaction security.
And Moshtix decided to do just that.
"We don't want people to feel doubt about our online services, because that's where the majority of our business comes from," Mostix technology director Bartek Marnane told ZDNet Australia.
The company began investigating 3D-secure last year, as a way to strengthen online transaction security for customers. Invented by Visa, 3D-secure is an XML-based protocol that adds a second layer of security for online credit card and debit card transactions. It has been adopted by other financial institutions and card issuers, including American Express and MasterCard.
For consumers, 3D-secure adds another step when they checkout through Moshtix online, often in the form of entering a one-time password (OTP), issued through SMS. This is only applicable for customers that have registered their credit cards with the Verify by Visa or MasterCard SecureCode programs.
"Being in online payment space, we are aware it's one of the trends Visa and MasterCard are pushing to," Marnane said. "So we proactively went through the process of implementing it."
3D-Secure is actually hosted by banks and are also the issuers of the SMS. What Moshtix had to do to implement the security measure was to ensure its IT system supported the interaction between its payment portal and the banks, which Marnane said took several weeks of development and testing.
"The way our ticketing system works is we have a payment gateway hosted by a third-party [the banks], which basically authorises or declines transactions," he said. "There was an additional step that needed to happen in there to support 3D-secure, for payments that require it."
The implementation required Moshtix to modify its payment processing system, so it could send out details of all transactions to the cardholder's bank. The bank would then decide whether the transaction required issuing an OTP.
"So, what basically changed, at a technical level, was the message we sent [through our system] to the banks has a few additional fields in there, and we have to support the response the banks send back," Marnane said.
Moshtix completed its development work in December 2011, and trialled it on ticket sales for several events at the start of 2012. There was an issue with the Moshtix system not interpreting the banks' responses correctly. Some customers were also confused by the new process, because another web browser window pops up, which prompted them to punch in an OTP, however, the majority were able to use it with ease. Therefore, the decision was made to roll it out site-wide in January.
3D-secure isn't a new technology; Marnane said that the company was waiting for adoption to ramp up, before implementing it.
"The technology has been around for some time, but when we spoke to a lot of consumers, very few people initially — when I looked at it personally — were familiar with it or had been enrolled in it," Marnane said. "It's something that will take some time to get widespread user adoption."
While he said Moshtix didn't have a huge problem with payment fraud and chargebacks, to begin with, the occurrence of these instances has fallen further since 3D-secure was put in place.
"One of the advantages of 3D-secure is that it does move the chargeback liability to the bank, instead of the merchant," Marnane said. "But, for us, it was really a case of: we're an online company, we take payments online and we want to make the process as secure and seamless for the consumer as possible."
Moshtix has an ongoing development roadmap for implementing new solutions to increase online security for its customers, though Marnane was unable to discuss the details.