Have you seen FICO’s interactive map on card fraud in Europe yet? One of the most revealing findings from the research is that card-not-present (CNP) fraud has grown in severity over the last few years. The reason for this development is simple: widespread adoption of ‘Chip and PIN’ technology in Europe has made card-present fraud in shops a riskier business for criminals. As criminals naturally target the weakest link, they have migrated online in droves to find easier targets.
But wait a minute… Why isn’t Internet shopping inherently secure? After all, we now have plenty of measures to make online transactions safer, such as the static card verification code/value (the three-digit code printed on the reverse side of the card), the 3D Secure protocol (used in Verified by Visa and SecureCode by MasterCard) and tokens that add a second layer of authentication by asking you to produce a code received via something you have, like a card reader or smartphone.
The problem is that merchants are faced with a dilemma when it comes to online security and fraud. It’s very expensive for store owners to upgrade their systems to accommodate all the new security measures and types of authentication. Consumers also don’t like these measures as they impact convenience. Consequently, many merchants prefer to risk losses from CNP fraud rather than invest in improved security.
The last thing merchants want is for online consumers to abandon their shopping carts. In the case of 3D Secure, merchants are forced to redirect the customer to the card issuer for an extra authentication step before the purchase transaction can be completed. Consumers often abandon their purchases at this stage because they have forgotten their password, haven’t registered the card or simply find it too cumbersome. Even though merchants are not liable for fraud on online transactions if they implement 3D Secure, this is still not a big enough incentive for many to upgrade their systems.
Merchants have also resisted other authentication methods, such as those that use EMV payment cards with bank-issued card readers, where typically a one-time passcode is generated. This process conforms to the MasterCard CAP and Visa DPA standards (known generically as EMV authentication) and is available for use in online retail transactions. To date, few merchants have adopted this method, largely for the same reasons that 3D Secure has experienced limited adoption: the integration effort required by the merchant and the inconvenience for the consumer of having to carry around a dedicated reader. The market is likely to evolve toward a more convenient token based on a mobile phone, which will at least start addressing the customer inconvenience problem. We are likely to see a rise in smartphone soft token adoption amongst consumers in the near future as smartphones continue to penetrate the market and banks try to find more ways to leverage this ubiquitous token while still maintaining high levels of security.
Let’s face it, the average person these days doesn’t leave their house without their chosen mobile device, and therefore will always have a more convenient device readily available to provide authentication for both online transactions and online banking. This brings cost-saving advantages for the banks, the expectation of easier integration for merchants and improved ease of use for consumers. More progress in this area is expected in the near future, possibly in conjunction with the mobile wallets being developed by the card schemes and larger banks.
It’s clear that merchants, especially smaller ones, will need more compelling incentives to improve the measures they take to secure online payments without increasing the burden on customers. Could the payments industry even develop a standard way for merchants to deploy authentication online, such as through a centralised standards-based portal that offers simple integration with existing merchant systems? Whatever happens, until the merchant dilemma is resolved, CNP fraud will remain a major problem for the foreseeable future.