|
There
was a time when nervous shoppers would not buy on
the internet for fear of having their card details
stolen and their accounts looted. Today, many shoppers
are becoming rather more confident: they recognise
those little symbols that suggest you are entering
a secure site and they understand those three little
numbers on the magstripe that confirm the card’s
authenticity.
But are these savvy shoppers the majority? Perhaps
not. What is certain is that while shoppers are aware
of the issues involved and increasingly confident
about shopping online or at a kiosk, many retailers
have failed to implement as many security measures
as they might and are likely to come seriously unstuck
over changes in card issuer’s rules over the
next 18 months.
“Retailers need to do more to reduce online
losses,” says Mark McMurtrie, marketing director,
The Logic Group. “We have been encouraging our
customers to adopt card security codes [CSC] and address
verification [AVS] for quite some time but I would
estimate that less than 30 per cent are actually doing
this.”
With online fraud almost doubling last year to £23.2million,
according to APACS, obviously more vigilance is needed.
Certainly anyone who buys online regularly will have
noticed very few security checks of the type that
Figleaves.com, for example, has recently added. Its
site now points out to shoppers that: “If the
cardholder’s address and delivery address are
not the same your transaction may not be authorised.”
As McMurtrie commented: “The very fact you noticed
it shows how rare it is.”
While CSC and AVS are simple and obvious measures
to implement, the take-up for such systems as Verified
by Visa and MasterCard SecureCode – which require
additional verification techniques but do remove the
risk of fraud losses from retailers – have been
just as patchy. Again one has to ask, how many regular
online shoppers have actually been offered this as
a payment option? Or, indeed, taken up the invitation?
The answer is probably very few – but as McMurtrie
points out: there are serious problems looming. “From
mid-2007 unless websites offer MasterCard SecureCode
they may not be able to accept MasterCard credit cards.
This deadline has been public knowledge for years
but awareness of it is minimal.”
Facing
the fear
As uptake of online shopping grows, yesterday’s
early adopters who were fairly blasé about
security (reckoning that the 21st century Internet
was rather more secure that the 1990s), are being
replaced by customers who, while happy to leave a
credit card building up the tab behind a bar, think
that keying in digits on a PC is high risk. Increasing
their awareness of techniques like CSC and AVS can
help, but new systems are also emerging which can
combat these fears.
Allpay.net, for example, has launched ‘go&pay’.
This is primarily targeted at the estimated six million
UK shoppers who do not have bank accounts or payment
cards but who would still like to shop online. The
system allows customers to buy online and then pay
by cash at any Post Office. Shoppers print out a barcoded
invoice when they have chosen their goods, take that
to the Post Office and, once paid for, the barcode
is scanned and authorisation for despatch sent to
the online retailer.
While the system was originally targeted at the unbanked
it is just as suitable for customers who are worried
about Internet security and prefer not to entrust
their payment card details to cyberspace. However,
as Visa and MasterCard have already discovered, the
greatest obstacle to take up will be retailers unwilling
to offer this payment option on their sites.
Equally
innovative is MoneyGuard – a system now being
marketed here by Spectrum Message Services. This allows
cardholders to use their mobile phones as security
checks. Users register their payment cards and then
set basic rules for alerts – such as any time
the card is used in CNP mode. When this happens the
cardholder receives a test message alerting them to
the fact. While it cannot prevent initial fraudulent
use, it does enable a rapid clamp down on potential
theft and also increases consumer confidence.
According to Owain Powell-Jones, director at Spectrum,
the OTP Bank in Hungary which adopted the technology
has reduced fraud problems – admittedly running
well ahead of EU averages – by ‘300-fold’
since implementing the technology. Only around 20
per cent of OTP customers have registered for the
scheme, but fraudsters now regard all OTP cards as
high risk and opt for easier targets. Powell-Jones
maintains that the system is equally applicable to
retail storecards and could be implemented cost-effectively
as an added value service.
Mobile telephones as security devices are also being
investigated by Glue4 Technologies – only this
time as device for generating one-time security codes.
Several banks, including Barclays, have already tested
simple authentication devices. These look rather like
a pocket calculator with a card slot. Users insert
the card tap in their PIN and the device then generates
a one-time secure number based on encryption models
using existing card data. This number is then entered
online instead of specific card details. The system
can decrypt the secure number and so authenticate
the card used in the transaction.
House
of cards
The problem, of course, is that most shoppers have
several cards and no-one wants to have a pile of calculator
like devices on their desks to be used for each one.
“The device has to be more palatable for consumers,”
says Neil Garner, managing director at Glue4. “The
banks are only interested in security but to be successful
consumers will only want one authentication device
and, ideally, have that authentication technology
incorporated into another gadget so that they don’t
have yet another piece of kit to find and use.”
Glue4 is looking at incorporating the technology into
mobile phones or developing a single multi-card device
that could be used for all cards – and maybe
double as a pocket calculator as well. “The
device could be desk-top mounted as most people will
use it when they buy online,” adds Garner, “or
there could be a mobile version for use in web kiosks.”
By 2007, he expects we may see consumer electronics
retailers offering an assortment of these authentication
devices – as well as some agreement between
banks for a standard system and thus the need for
only one gizmo.
top |
