They know where you're shopping Pt II

The debate is between the consumer's right to privacy and the online merchant's right to protect himself from fraud

At the core of the problem is a fundamental shift in responsibility for credit card fraud detection from banking institutions to merchants. In the "real world", as long as a merchant can produce a charge slip with a consumer signature, banks are responsible for fraud losses. That means it's financial institutions who perform risk analysis using transaction databases from companies like HNC Software.

But online, the fraud burden shifts from banks to merchants, so they must now get in the business of examining transaction databases. Jost admits many consumers might expect banks to have access to transaction data, but be surprised that online merchants and companies like Cybersource track the data.

"I do firmly believe [merchants] have a right to use that data to prevent fraud losses," Jost said. "But merchants should indicate they do that on their sites. There are many good merchants I know who do that."

But only some alert their users they might share private data with credit card verification companies in their privacy policies. A quick survey of privacy policies at the sites Hughes used shows varying degrees of disclosure.

Amazon's privacy policy does not include reference to the possibility that personal information may be shipped to third-party firms for credit checks. But Amazon spokesperson Bill Curry said despite Cybersource's consistent assertion that Amazon is a partner, the Web e-tailer only uses Cybersource's service for its auction marketplace -- Cybersource's fraud screen process is not used at Amazon's retail store.'s policy is explicit: "Billing information is used to correctly charge the right person for the books they've ordered and is provided to our third-party credit card processor CyberSource." suggests it might pass on personal information: "We may use third parties to help us fulfill orders, to help process payments... We give them access to the information needed to do their job. Sometimes that includes your personal information." doesn't indicate it may send your information to a third party. Its policy says: "During the registration process, we ask you to provide us with contact information, such as name, billing address, shipping address, email address, telephone number and a valid credit card number. We use this information to verify your account when you order."

Another Cybersource partner,, indicates on its Web site that "Mercata will disclose your personal information to our credit card validation and alternative payment method service providers to screen, validate and authorise your offer."

Despite the presence of such privacy policies, consumers may still be surprised by the extent of information that is stored by companies like Cybersource, the company admits.

"I can absolutely understand [the privacy concerns]," said Cybersource's Wilk. "If I was any consumer, I would say 'Gee, that worries me'... Unless I understood it was to help protect me."

Wilk and others in the industry say they need the extensive consumer data in order to effectively fight fraud. Suddenly erratic purchasing behaviour, for example, is among the best indicators of fraud after a credit card is stolen -- but there's no way to establish "normal" buying behavior without having access to historical buying patterns.

"There is something called 'The Public Good'," said Joe Barrett, co-founder of the Internet Fraud Prevention Advisory Council. "Our general belief is none of us would have this data if [detecting fraud] were an easy thing to do."

There is little question fraud is a big problem on the Net. According to a recent GartnerGroup study, frequently cited by credit card verification firms, chargeback rates are about 15 times higher on the Internet than they are in the real world. Chargebacks occur when end consumers don't pay off credit card companies, as is the case in fraudulent charges -- the card issuers then "chargeback" the merchants. And there's another important distinction online: there's no way to obtain a signature from the consumer. And without signatures to compare, a merchant's only option is data-driven risk analysis.

"In order to do good risk management, more data is better," said Barrett, also an executive at online e-commerce firm "In order to really do it well, you want all the data you can get."

Protecting online merchants from fraud is big business, and the use of extensive consumer databases recently became more prevalent. Last week, Cybercash unveiled a new service to compete with Cybersource's Internet Fraud Screen service, in a partnership with HNC Software. Cybercash's new Internet fraud database includes input from over 25,000 merchants. That includes 50 billion transactions, of which about 50 million come from Internet e-commerce sites.

"I know it is scary for consumers," said Craig Sablosky, director of marketing and communication for Cybercash. "But there are other scary things, like credit card number generators which are on the Net."

Still, the notion of a big consumer purchase database in the sky -- particularly one that would be a surprise to consumers -- bothers privacy advocates.

"You always worry when data is being passed around a lot," Smith said. "When you are in business at a Web site, you are going to be sharing data with service providers. In the privacy policy a lot of times they leave that fact out... That has to be disclosed more."

Go back to Pt I/ They know where you're shopping

Take me to the e-commerce special.

What do you think? Tell the Mailroom. And read what others have said.