Secure online transactions require stakeholders' cooperation

Payment service providers need to profile retailers to discern their risk levels, while merchants should pick the right provider according to their policies to better secure online transactions yet maintain user convenience.

Payment service providers need to strike a balance between security and convenience for their customers. To do so, operators should engage in merchant profiling to assess each organization's risks, while merchants should pick a service provider able to meet their specific needs, industry watchers advise.

An incident involving PayPal cast a spotlight on this issue at the start of August, when PreRace founder Jorge Espinoza related his frustrating experience with the payment service provider to the New York Times (NYT).

According to Espinoza, his Web site, which allows bicyclists and runners to sign up for races, took in more than US$1 million in three days. This spate of activity raised PayPal's suspicions, however, and the company froze PreRace's account, nearly putting it out of business.

"They created such a massive headache," Espinoza told NYT.

Commenting on this incident, Dickson Seow, director of corporate communications at PayPal Asia-Pacific, told ZDNet Asia its anti-fraud measures are based on "thousands of algorithms from the previous history of buyers' and sellers' behavior" and these were meant to create trust within the closed-loop ecosystem between the company, merchants, and sellers.

Another payment service provider, Visa, said it has a similar measure of holding on to money in "exceptional" cases until the acquiring bank and merchant both verify that the actual cardholder has indeed made the payment.

Ingo Noka, country risk management head of Visa Asia-Pacific, Europe, Middle East, and Africa, said this is to protect all parties in the payment process and prevent services being rendered or goods being shipped to criminals.

Marc Bown, SpiderLabs managing consultant at Trustwave Asia-Pacific, commiserated with the payment service providers, saying that handling financial transactions is a risky business. These providers and their customers stand to lose large sums of money quickly should security slacken, he said.

These anti-fraud rules thus help service providers to limit potential losses, Bown explained. The mechanisms are designed to protect not only the operator but the customers on both sides of the transaction, and there are a wide variety of techniques to employ to determine if a specific transaction or organization is risky, he added.

Conduct merchant profiling
That said, the consultant noted that many payment service providers do not profile their merchant customers. As a result, they cannot tell a normal transaction from an abnormal one and take erroneous actions, as PreRace and Jorge Espinoza experienced.

Payment service providers must realize that different transactions also carry different fraud profiles, and a normal transaction for one business might be considered anomalous for another, he added.

One example of a merchant profile: an online store that sells the same five items at roughly the same price and volume month after month. For this e-tailer, an unexpected spike in sales activity may then indicate its account has been compromised, Bown explained.

However, a merchant set up specifically to accept donations for a 24-hour telethon would have a very different profile. This account could have very low or non-existent transaction flow, then see a sudden flurry of activity during the 24-hour event. After the event, transaction volumes would drop to zero again, he stated.
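The two profiles Bown contrasts can be expressed as a per-merchant baseline rather than a one-size-fits-all rule. The following is an added example, not code from the article, PayPal, Visa or Trustwave; the merchant names, daily totals, dates, the z-score threshold and the "declared event window" mechanism are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from statistics import mean, pstdev


@dataclass
class MerchantProfile:
    """Per-merchant baseline: what 'normal' daily volume looks like for this business."""
    name: str
    daily_history: list[float]                     # past daily totals (constructed sample data)
    event_windows: list[tuple[date, date]] = field(default_factory=list)  # merchant-declared peaks
    z_threshold: float = 3.0                       # assumed review threshold, not a vendor value

    def in_declared_event(self, day: date) -> bool:
        return any(start <= day <= end for start, end in self.event_windows)

    def evaluate(self, day: date, total: float) -> dict:
        """Score one day's volume against this merchant's OWN history, not a global norm."""
        mu, sigma = mean(self.daily_history), pstdev(self.daily_history)
        sigma = max(sigma, 0.05 * mu, 1.0)         # floor: a flat history must not divide by zero
        z = (total - mu) / sigma
        if self.in_declared_event(day):            # the telethon case: a spike that was expected
            return {"merchant": self.name, "z": z, "action": "expected-peak"}
        action = "hold-for-review" if z > self.z_threshold else "normal"
        return {"merchant": self.name, "z": z, "action": action}


# Constructed merchants: a steady e-tailer and a telethon that normally takes nothing.
STEADY_STORE = MerchantProfile(
    "steady-etailer", [1900, 2100, 2000, 1950, 2050, 2000, 1980, 2020])
TELETHON = MerchantProfile(
    "24h-telethon", [0.0] * 30,
    event_windows=[(date(2011, 8, 20), date(2011, 8, 21))])  # hypothetical event dates


def demo() -> dict[str, str]:
    """Same 50,000 daily total, four different verdicts depending on whose profile it hits."""
    return {
        "store_usual": STEADY_STORE.evaluate(date(2011, 8, 10), 2100)["action"],
        "store_spike": STEADY_STORE.evaluate(date(2011, 8, 10), 50000)["action"],
        "telethon_event": TELETHON.evaluate(date(2011, 8, 20), 50000)["action"],
        "telethon_offevent": TELETHON.evaluate(date(2011, 8, 28), 50000)["action"],
    }


if __name__ == "__main__":
    for case, action in demo().items():
        print(f"{case:18s} -> {action}")
```

The point is that the flagged action is "hold for review", not an automatic freeze, and that the same volume is routine for one merchant and anomalous for another.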

Pick payment service provider to meet needs
On the other hand, merchants should also play a part in securing their transactions by picking a payment service provider that is able to meet their needs, the consultant advised.

"If a merchant has specific needs--for example, it cannot be in a situation where its funds are locked for a significant amount of time--it may need to discuss non-standard terms with its service providers," he said. This might require the retailer to provide some evidence to the payment service provider that its business processes would not pose any unacceptable risks, Bown added.

As such, retailers need to review the payment provider's policies carefully and, before signing up, agree to its terms knowing that these will not disrupt their businesses, he urged.