In response, the credit card companies are offering authentication programs such as Verified by Visa (VBV) and MasterCard's Secure Payment Application (SPA). But these programs are targeted at allaying consumers' concerns that their credit card numbers might be hijacked during transmission over the Web. Merchants wanting to decrease their costs and exposure are on their own for the next 12 to 18 months, but they can put the time to good use.
In the short term, the banks are trying to boost online credit-card usage at the same time they're charging higher percentages for Internet transactions (2.6 percent vs. 1.5 percent for what's known as "card-present" transactions) as well as higher fees (30 cents per online transaction vs. 5 cents per offline transaction). They're trying to convince consumers that online transactions are safe when, in reality, they always have been. "The issuers get their cake and eat it too," says Litan.
Why do the merchants go along? "They see the upside of online retail," says Forrester Research analyst Christopher Kelley, referring to its ability to sell goods without the cost of a physical store. "They have a lot of gain financially." But the paradox remains: credit card companies are talking about security to the group that has the least to lose.
To be fair, credit card companies have tried to deploy security measures in the past. But consumers have rejected them as being too complicated, whether it was the public key infrastructure (PKI)-based Secure Electronic Transactions that Visa and MasterCard tried, or American Express' Private Payment system that generated "disposable," one-time-only authentication numbers; only 4 percent of Blue cardholders use that system, according to Litan.
Starting in April, in fact, when merchants support smart-card applications that use the Universal Cardholder Authentication Field (UCAF)--a standard piece within the SPA--chargeback liability will shift from the merchant to the issuing bank, according to MasterCard senior vice president Bruce Rutherford. Visa plans a similar shift of liability in 2003.
Unfortunately for U.S. merchants, smart card readers haven't been a booming success in the U.S. either. But the credit card companies argue that at least VBV and SPA provide an evolutionary step forward because the technology can be easily adapted to handle authentication via smart cards. Consequently, online merchants should start perfecting smart-card solutions, studying their ramifications in terms of security, authorization, customer acceptance, and links to CRM applications. If merchants deny 5 percent of their transactions, when only 2.5 percent are fraudulent, that means they're losing legitimate business. They need to figure out how to avoid that loss.
The effort won't be wasted, given that American Express, MasterCard, and Visa have already agreed on a smart card standard dubbed EMV (for Europay MasterCard Visa). They're also working together in the Liberty Alliance which, like Microsoft's Passport, will give consumers a single sign-on capability for transactions. If all the credit card companies are pushing consumers and merchants in the same eventual direction to increase security, the paradox of who's motivated to prevent online fraud will eventually be solved.