Written by David Adams
Although online is now an important part of many retailers’ businesses, they face a dilemma: how do they manage the huge volumes of money spent in a payment channel which has an increased risk of fraud and security issues? David Adams reports.
There’s a nice YouTube clip of American comedian Louis CK on a chat show, pointing out the many ways in which technology has improved life since the days when, for example, if you tried to pay for something with a credit card the retailer “would have to call the President to see if you had any money.” We certainly have moved on since then. The sheer amount of money now changing hands via online payments is staggering. UK shoppers spent £58.8 billion online in 2010, up 18 per cent from 2009, according to the Capgemini IMRG Index.
Yet developing efficient and secure online payment systems has been a struggle. In part this is because online retail has become more attractive to fraudsters, as online sales increased and chip and PIN was introduced in stores. Many retailers have also found it hard to comply with the increasingly complex PCI (Payment Card Industry) data security standards for storing customer payment details, leading many to outsource this and other aspects of online payments to payment services providers (PSPs).
High Street retailer Cash Generator has worked with the PSP SecureTrading since 2009. Cash Generator is a franchise network, with about 20 corporate stores and 100 franchises. So a customer visiting the website might end up buying a TV from a franchise in Glasgow and a DVD player from a corporate store in Manchester. “The customer journey has to be seamless, but we need to receive the money for the DVD player while the TV money goes to Glasgow,” says Dan McGrath, financial controller at Cash Generator.
The SecureTrading solution manages this process. “It works fine,” says McGrath. “I don’t get any complaints from the franchisees about (the solution) - and they’re quick to complain!”
McGrath says the retailer was surprised at how quickly it was targeted by fraudsters when it started trading online. The threat is always there. According to figures from payments technology specialist CyberSource’s 2011 UK Online Fraud report, the proportion of fraudulent orders rose from 1.6 per cent of the total to 1.9 per cent between 2009 and 2010 (although the overall average percentage of annual online revenue lost to fraud fell from 1.8 per cent to 1.6).
Dr Akif Khan, director of products and services at CyberSource, notes that while almost eight out of ten (77 per cent) of the 200 merchants interviewed for the Online Fraud report anticipate an increase in online revenues this year, 59 per cent don’t expect an increase in their fraud management budget and 10 per cent expect it to shrink. “Within most fraud management processes there’s an element of manual review, but 75 per cent of those surveyed anticipated no change in staffing and 12 per cent expected a decrease in headcount,” he adds. “Merchants are going to have to do more with less.”
The answer, he believes, is automated screening to spot fraudulent transactions. These solutions can deliver high levels of accuracy at very high speeds. For example, Retail Decisions (ReD) can provide a decision inside 400 milliseconds.
3D Secure technologies like Verified by Visa or MasterCard’s SecureCode have also proved a useful tool for verifying card-not-present (CNP) transactions. They are not perfect - they have been targeted by sophisticated phishing attacks, suffer from the inherent weaknesses of a password-based system and can, in some circumstances, annoy customers to the point of abandoning a transaction.
Nevertheless, says Kevin Smith, senior vice-president for fraud management at Visa Europe: “(3D Secure) has had the greatest impact on improving the security of online payments. Fraud rates on Verified by Visa transactions are about three times lower than on other non-authenticated Visa e-commerce transactions.”
But Carl Clump, chief executive at ReD, is not a big fan.
“3D Secure is an intrusive way of providing security - you have another screen and you have another password to remember,” he says. “It’s an inconvenience for retailers and an even greater inconvenience for consumers.”
Yet, as he readily concedes, it is effective. Nor are the card schemes resting on their laurels. In December the first commercial launch of Visa’s CodeSure system was announced by Cornèr Bank in Switzerland. CodeSure cards incorporate a mini digital display and keypad, running on a built-in battery with a three-year lifespan. Cardholders enter their PIN to generate one-time secure codes to authorise a transaction. The cost of the cards will hold back adoption for a while, but perhaps not forever.
The other technology that has helped is device fingerprinting, which takes basic information from the computer placing an order to create a unique fingerprint for that device. In December fraud detection specialist 41st Parameter announced its patent for Time Differential Linking (TDL), an enhancement to its DeviceInsight fingerprinting tool. It helps avoid dependency upon software cookies, which can conflict with privacy regulations.
Strengthening of the PCI standards has also helped and has encouraged many retailers to outsource card details storage to PSPs, which may then send a token of no intrinsic value to a merchant during a transaction to confirm that details offered at payment match.
One retailer to make this move is luxury hotel guide and booking website Mr & Mrs Smith. It has grown over the past decade from a two-person operation in south London into a business with offices in Melbourne and New York and around 80 employees. It has used a solution provided by the PSP PayPoint.net (a subsidiary of PayPoint plc) since 2003.
“When you’re dealing with finance you want a safe pair of hands; you don’t want to take any risks, because if something goes wrong (customers won’t) blame PayPoint, they’re going to blame you,” says Tamara Heber-Percy, CTO at Mr & Mrs Smith. “So you need a solution that’s secure with no downtime and can handle volumes as you grow your business.”
Online payments can become even more challenging if a retailer uses the internet to sell to consumers in other countries. PSPs like ReD and Ogone take pride in their ability to process payments for retailers using payment methods popular in various countries across Europe and beyond.
The website Just Eat, which helps customers in 10 countries to find restaurants that make home deliveries in their local area, started working with Ogone in 2010 to process payments in Ireland, Spain and Belgium. “Ogone uses a lot of the payment methods we were looking for, like Laser Card in Ireland and Mr Cash in Belgium,” says Giorgio Ponticelli, group operations director at Just Eat. “They also provide a lot of the payment methods we have in our other countries. We’re looking to use (Ogone) more in future.”
It will also be interesting to see if a growth in the use of the various alternative online payment methods will take much market share from the major card schemes. In the UK credit and debit cards still account for 95 per cent of online transactions, but research from Ogone highlights more cosmopolitan payment habits elsewhere. In the Netherlands credit and debit cards account for just 14 per cent of online payments, with the iDeal system and bank transfers much more popular. In Germany direct debit pay buttons are used for 60 per cent of online payments.
Another developing story is the rising popularity in the use of mobile devices to shop online, whether using a browser or an app. WorldPay estimates that about five per cent of all e-commerce transactions entail use of a mobile device, says Gabriel Hopkins, the company’s head of e-commerce products - although this might just be for research.
“It’s just a new front end,” says Michael Norton, managing director at PayPoint.net. “There’s a lot of talk, but we think it’s going to be a number of years before much happens, simply because the infrastructure has been built around the card schemes.”
Paul Rodgers, chairman of the cards and payments community Vendorcom, disagrees. “Within five to ten years you will see the consumer having the payment terminal as a personal device,” he says. “So you might go onto a website and your payment token will be on your phone and that will interface, through encrypted Bluetooth or something like it, either with your PC or directly with an online merchant’s payments provider.”
Whatever the means, the ultimate aim must be speed and simplicity. “One click shopping is the aspiration,” says Julian Wallis, country manager, UK, at Ogone. “The simpler the process, the better the conversion rate.”
In the end the technology isn’t half as important as giving customers the service they want. If you can’t do that, particularly online, then they may not be your customers for much longer.