Building an Online Fortress

Saturday, September 01, 2001

By Linda Punch, Credit Card Management

The incidents are becoming increasingly commonplace. A hacker breaks into a processor’s database and steals 4.5 million credit card account numbers. Another fraudster downloads software from the World Wide Web that allows him to generate actual credit card account numbers that are used to buy products and services. An organized crime ring steals account numbers from a merchant’s Web site, threatening to post them on another site if the merchant doesn’t pay a $200,000 ransom. The litany of cyberfraud seems to go on and on.

It’s hard to say just how much money online merchants, acquirers, issuers, and consumers are losing to hacker attacks and other types of cyberfraud. That’s because victims often are too embarrassed to report the incident. In some cases, merchants may not even know they’ve been attacked. “There’s been a vast underreporting of events,” says Tracey Vispoli, cyber solutions manager in Warren, N.J.-based Chubb & Son’s department of financial institutions. Chubb offers insurance that protects financial institutions from Internet-related security breaches.

What is clear is that electronic commerce is big business—Forrester Research Inc. estimates consumers spent $3.2 billion online in June alone—and crooks want their piece of the action. In 2000, fraud losses for all Internet-initiated payments totaled about $1.6 billion, and are expected to reach about $9 billion this year, according to Meridien Research Inc. And that doesn’t take into account such intangibles as the loss of public confidence when a consumer reads of a hack attack against an online merchant and takes his business elsewhere.

“Merchants are exposed to fairly significant goodwill damage when a site is hacked and consumer information is put at risk,” says Brian Buckley, Visa International vice president of international risk management.

To be sure, online fraud is nothing new. One of the first widely publicized attacks came in 1995, when hackers breached Netscape Communications Corp.’s software for navigating and doing card transactions in cyberspace. That attack, followed in short order by several similar incidents, prompted Visa International and MasterCard International to develop encryption standards for sending account numbers and other confidential information over the Internet.

What is different about the more recent breaches is that cybercrooks are becoming increasingly sophisticated and more organized in their attacks. “In the old days, it used to be kids with credit card generators filling out forms with names like Monica Lewinsky, Mickey Mouse, or Bill Clinton, things like that,” says Jeff King, director of risk management at Mountain View, Calif.-based CyberSource Corp. Software for generating credit card account numbers and white papers on how to use those numbers to defraud online merchants are readily available on the Internet, he says. In such cases, typically only a small number of cards are involved.

But today’s crooks are stealing hundreds and thousands of credit card account numbers from Web sites or skimming them off the magnetic stripe of cards used to pay at restaurants and other merchants, usually in collusion with employees, King says. “There are gangs in New York, Los Angeles, Baltimore and parts of Texas that are operating and systematically stealing identities from restaurants and other online places and using these identities online.”

The new breed of fraudsters, typically members of an organized crime ring, then make hundreds of purchases, using a different account number each time. Often purchases are routed through Internet service providers overseas and shipped through warehouses or freight forwarders to locations outside the U.S. That makes it harder to detect fraud, King says.

Crooks also are using the theft of account numbers and other confidential data to extort money from merchants, processors, issuers, and others. Indeed, the Federal Bureau of Investigation in March warned merchants to beef up their security, citing the increase in fraudulent activity by organized hacker groups in Eastern Europe.

In one high-profile case, hackers attempted to extort money from financial-services company Bloomberg L.P. after breaking into its database. The hackers were later caught after Bloomberg worked with the FBI to track them down.

These increasingly complex schemes devised by fraudsters make it less likely that any single fraud-screening measure will be effective, King says. He notes, for example, that because crooks often steal information such as billing address and phone number in addition to the account number, address verification won’t work. “What we’ve found is that almost no one (fraud-screening) test is useful anymore,” he says.

As crooks become more devious, the card associations and risk-management vendors are developing tools for protecting cardholder account numbers and other confidential information online. They range from software that allows cardholders to lock and unlock their accounts to cardholder authentication.

One of the more recent weapons being deployed to protect merchants, issuers, acquirers, and others from Internet-related fraud losses is so-called cyber-risk insurance. Policies are being offered by a handful of insurers, including Chubb Group, Lloyds of London, the St. Paul Companies, and RC Knox & Co., an insurance subsidiary of Bridgeport, Conn.-based People’s Bank.

Cyber-insurance is designed to cover e-fraud losses that don’t fall under the traditional fidelity bond and computer-crime insurance. “Fidelity bonds were developed many years ago, way before this technology was even contemplated,” says Vispoli.

For example, computer-crime insurance covers only “old-fashioned” viruses introduced by someone entering a company’s premises, “sticking a diskette into a computer, and launching a virus attack within the internal system,” Vispoli says.

Nowadays, though, viruses can enter a computer system via an Internet service provider, she says. “They’re basically being transmitted from thousands and thousands of miles away.”

Chubb’s CyberSecurity product also provides coverage if a financial institution is found liable for theft of confidential customer information, suffers a direct loss resulting from accepting a consumer’s electronic signature on a secured loan agreement and the signature is later found to be fraudulent, or suffers a loss of income and incurs extra expense due to a hacker crashing its Web site by flooding it with e-mail.

CyberSecurity will even reimburse financial institutions for ransom paid to keep a fraudster from posting stolen account numbers on the Web, as well as other expenses associated with a ransom attempt, Vispoli says.

But not all insurance companies are targeting financial institutions. RC Knox in June launched the eTailer Fraud Solution Insurance Policy to protect e-merchants from catastrophic card fraud and chargebacks. RC Knox is offering the insurance in an alliance with Retail Decisions Inc., a card transactions-services business, and Risk Management Solutions, a specialist in credit card fraud insurance. Merchants signing up for the service must use Retail Decisions’ fraud protection and detection solutions.

ETailer covers not only the cost of the lost item shipped but also the profit related to that sale and the fees related to the chargeback, says Bruce Murray Jr., RC Knox vice president. The insurance policy is custom designed for each merchant, he says.

The policy will cover losses from lost or stolen credit cards, identity fraud, and counterfeit cards. Coverage begins when losses hit $100,000 for a small business, $10 million for a medium-sized business, and $250 million for a large business.

MasterCard also has partnered with Marsh, a unit of Marsh & McLennan Cos., and American International Group Inc. to offer cyber-risk insurance at preferred pricing. With MasterCard’s insurance, merchants “can be as elaborate as (they) like,” Orfei says. “You can take out a policy for $50,000 for a spin doctor to help you with managing your reputation...or it can be as elaborate as business loss, reputation damage, a number of other things,” he says. But cyber-risk insurance is the last resort for reducing card fraud losses tied to the Internet. Both MasterCard and Visa have come forward with multi-pronged technological solutions for preventing and detecting cyber-fraud, including cardholder-authentication services and database security.

MasterCard’s Secured Payment Application, launched earlier this year, uses as its base MasterCard’s Universal Cardholder Authentication Field infrastructure. UCAF is a 32-character hidden field that is embedded at the merchant’s Web site. It collects authentication data generated by issuers and cardholders, creates a unique cardholder authentication value for each transaction, and then forwards it to the issuer with the authorization request. Cardholders register for the service with their issuers. “It’s an issuer-centric solution,” says Stephen W. Orfei, MasterCard’s senior vice president of business development. “All of the intelligence will reside at the server.”

Both merchant and cardholder must register for SPA.

Under SPA, cardholders download digital-wallet software. MasterCard issuers also set up a SPA-enabled wallet server to authenticate cardholders’ identities using an issuer-defined authentication method, such as an ID or password.

When cardholders submit their order, the hidden form field automatically identifies the merchant as a SPA participant. The consumer’s wallet is then launched and asks the cardholder to identify himself using the issuer’s authentication system. Once the issuer authenticates the user, the wallet becomes linked simultaneously to the merchant and the issuer’s server wallet, and the account authentication value is generated as a substitute for the actual card number.

When the merchant’s acquiring bank submits the AAV and transaction information, the data are routed to the issuer’s server wallet, where the merchant’s name is matched with where the consumer’s wallet indicated the buyer was shopping. Once the match is completed, the issuer authorizes the transaction.
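An illustrative simulation of the SPA flow described above, added here and not MasterCard’s code: the AAV derivation (a keyed hash over account number, merchant name and a nonce, truncated to the 32-character UCAF size), the password check, and all names and values are constructed assumptions. It shows the point the article makes: the merchant and acquirer only ever handle the AAV, which is bound to one merchant and one transaction, so a copied AAV cannot be authorized elsewhere or a second time.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample data: issuer signing key and one registered cardholder.
ISSUER_KEY = b"constructed-demo-key"
CARDHOLDERS = {"5100000000000001": "correct-horse"}


@dataclass
class IssuerWalletServer:
    """Issuer-side SPA wallet server: authenticates the cardholder, mints an
    AAV bound to the merchant, and later matches it against the acquirer's
    authorization request."""
    key: bytes
    cardholders: dict
    pending: dict = field(default_factory=dict)  # AAV -> merchant it was minted for

    def authenticate(self, account: str, password: str) -> bool:
        # Issuer-defined method; a password, as in the article's example.
        return hmac.compare_digest(self.cardholders.get(account, ""), password)

    def issue_aav(self, account: str, merchant: str) -> str:
        # Assumed derivation: keyed hash over account, merchant and a nonce,
        # truncated to the 32-character hidden UCAF field.
        nonce = secrets.token_hex(8)
        msg = f"{account}|{merchant}|{nonce}".encode()
        aav = hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:32]
        self.pending[aav] = merchant
        return aav

    def authorize(self, aav: str, merchant: str) -> bool:
        # Single use: the AAV is consumed whether or not the merchant matches.
        return self.pending.pop(aav, None) == merchant


def consumer_wallet(issuer, account, password, ucaf_merchant):
    """Cardholder's wallet, launched when the hidden UCAF field marks the
    merchant as an SPA participant. Returns the AAV, or None if the issuer
    rejects the cardholder's credentials."""
    if not issuer.authenticate(account, password):
        return None
    return issuer.issue_aav(account, ucaf_merchant)


def acquirer_submit(issuer, aav, merchant):
    """Acquirer forwards the AAV plus merchant name to the issuer's wallet server."""
    return issuer.authorize(aav, merchant)


def checkout(issuer, account, password, merchant):
    """Whole flow; the merchant only ever sees the 32-character AAV."""
    aav = consumer_wallet(issuer, account, password, merchant)
    if aav is None:
        return "authentication failed"
    return "authorized" if acquirer_submit(issuer, aav, merchant) else "declined"
```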

Cardholder authentication “is essential if we’re going to realize the promise of the Internet,” Orfei adds, noting that 80% to 83% of chargebacks in the e-commerce channel can be attributed to ‘cardholder-not-authorized transactions.’ “We have to remove the opportunity to deceive.”

Under MasterCard rules, online merchants must accept chargebacks if they can’t validate transactions by showing a cardholder’s signature. “If (an online) merchant fulfills an order and the cardholder says they never authorized that transaction, very often the merchant ends up absorbing the cost,” Orfei says.

But SPA gives merchants the electronic equivalent of a cardholder signature. “Obviously, our intent here is to extend MasterCard’s guaranteed payment into cyberspace,” Orfei says.

Issuers also will save money under SPA, because fewer chargebacks mean lower costs, Orfei says. “Issuers have to manage the chargebacks, they have to manage the costs associated with that, they have to handle customer service, they have to manage that whole cardholder relationship,” he says.

Visa also has developed a cardholder-authentication model, with implementation under way in the U.S., and pilot programs in Canada, Europe, and the Asia-Pacific region. Visa in July announced that discount chain Target Corp. is one of the first e-merchants to adopt Visa Payer Authentication. U.S. cardholders will be able to enroll in the program through participating banks this fall.

Visa has been working for over a year with about 60 vendors, including Accenture, Cap Gemini Ernst & Young, IBM, Microsoft and Sun Microsystems, to develop the program.

Visa began developing its cardholder-authentication product two years ago after the Secure Electronic Transaction protocol—developed with MasterCard to protect account numbers and other confidential information online—failed to catch on with issuers and merchants, says Tom Manessis, Visa vice president of eCommerce authentication. “We really needed a simpler approach (than SET) that models more the physical world,” he says.

The goal was to develop a “pretty lightweight technology with some pretty basic requirements,” Manessis says. Visa wanted to be able to authenticate the consumer without having to provide specialized software or hardware to the consumer; it wanted a system it could integrate with merchant sites without affecting the merchants’ existing store-front checkout process; and it wanted to leverage its existing payment system, he says.

“The key element is that we didn’t want to impact our existing legacy system between issuing banks, acquiring banks, and Visa,” Manessis says.

The Verified by Visa authentication system is based on Visa’s 3-D Secure global interoperability standard. Under the system, cardholders will need to enroll in the program. When the cardholder makes a purchase, the bank identification number on their offline debit or credit card is routed to a Visa server, which routes the transaction information to the proper issuer for authentication and authorization.

The issuer’s server then opens up a box on the cardholder’s screen asking for a password, similar to a personal identification number prompt at the point of sale. The cardholder authenticates himself by entering the password. The issuing bank sends a message back to the merchant authorizing the transaction. The transaction is processed within 10 to 15 seconds, “very similar to what you encounter as you’re checking out at a Safeway grocery store,” Manessis says.

Once rolled out globally, Visa expects 3-D Secure to reduce Internet disputes by at least 50%, Manessis says. Currently, Visa’s dispute rate for Internet transactions is about five to eight times higher than the overall dispute rate of 0.1%, he says. Internet transactions represent 2% to 3% of Visa’s total transaction volume of $1.9 trillion.

But authenticating cardholders isn’t the sole focus of MasterCard and Visa. Both associations also are developing data-protection programs merchants can use to secure sensitive cardholder data on their Web sites.

“The biggest issue (in online fraud) is protecting data-base information,” says Jeanne Capachin, an analyst with Meridien. “Do we need to store credit card information on all these merchant databases?”

The MasterCard Site Data Protection Service offers a suite of products to help merchants keep their databases secure, including the Guide to MasterCard Rules and Best Practices for Web Merchants and Acquirers. The guide lists measures merchants can take while conducting business, and discusses the coding of e-commerce transactions, risk monitoring, cardholder disclosure, consumer privacy, and the protection of transaction data.

The SDP service also offers an online automated self-assessment survey designed to evaluate a merchant’s security measures and provide an electronic report that compares results to industry peers. In addition, merchants can use MasterCard’s security scan, which scans a Web site and determines its vulnerabilities. The scan is completed within an hour and a security report issued. “What is really slick about it is it not only shows...how one could attack your site and perpetrate a hack, but also tells you how to fix those vulnerabilities,” Orfei says.

MasterCard members and merchants enrolled in the program can receive additional security services, offered independently from MasterCard’s alliance partners, at a discounted rate. The services include ethical hacking, in which a team of experts attempt to attack a network to uncover potential weaknesses; intrusion detection, Web-site monitoring, and firewall monitoring. MasterCard’s preferred vendors are Predictive Systems Inc. and Ubizen.

Compliance

Like MasterCard, Visa’s Cardholder Information Security Program is built on compliance with a series of best practices and standards for e-commerce (“Visa Takes Aim at Database Thieves,” Card Watch, April). The guidelines include required activities such as updating security systems, encrypting stored data, and using anti-virus software. Visa merchants must comply with the standards by Nov. 1.

Visa is working with the largest merchant enterprises in each of its six regions to make sure “they’re aware of the standards and making efforts to adopt the standards,” Buckley says. He adds that the majority of the largest e-commerce merchants have extensive security programs under way already.

Merchants that fail to comply ultimately face fines, Buckley says. The initial fine for non-compliance is $50,000 and for a second incident is $100,000. Visa management will levy a “more significant fine” if there is a third incident of non-compliance within a rolling 12-month period, according to Visa.

But for now, Buckley says, the focus is on educating merchants and helping them to comply with the standards. “This is something merchants need to adopt in their own best interests, not simply because Visa says it’s a requirement,” he says.

Needless to say, the associations aren’t alone in the quest for online security. ClearCommerce offers FraudShield, a combination of rules-based and neural-network technology which allows merchants to set the criteria for screening out fraud based on their needs, says Julie Fergerson, chief technical officer. “What we’ve found is that a neural network is good for some kinds of fraud and rules-based is good for other kinds of fraud,” she says.

In addition, ClearCommerce offers integration with external security services, for example, address-verification services and the bankcard associations’ card-verification methods; automatic lock-outs which protect merchants from schemes that generate credit card numbers; negative and positive lists; and case-management tools. “We’ve been doing this for six years and seen a whole lot of fraud happen,” Fergerson says. “We’ve learned to recognize (fraud) patterns.”

Rules

CyberSource also uses a combination of neural-net and rules-based technology in its Internet Fraud Screen product, co-developed with Visa. CyberSource provides the information it has culled in its fraud-prevention efforts, for example, e-mail addresses or ISPs that have a high incidence of fraud, King says. Visa provides the payment information. “We had this wealth of data but what Visa has is the end results of every transaction—was it credited back, was it chargeback fraud, things like that,” King says.

Another company has come forward with a new variation on so-called one-use numbers. PrivaSys is offering a credit card that issues a new account number when the cardholder enters a password or code on a personal identification number pad on the card. The transaction is then routed to the issuing bank for authorization and settlement. The number is derived from an algorithm that combines the cardholder’s actual account number and other data, such as type of merchant, says David Patterson, PrivaSys executive vice president of business development.

Meanwhile, Transale U.S.A. Inc. has developed a program which allows cardholders to turn their cards on or off by sending an e-mail message to the card issuer. “For a security feature to be worthwhile...it has to be utilized by cardholders,” says Michael Mooney, chief executive officer. “By making (Transale) as simple and intuitive as we do, we think that’s the way it’s going to be successful.”

Just what technologies will succeed won’t be known for some time. While all the products will be effective against fraud, “the question is, what will consumers use, and what will merchants and issuers be willing to install,” says Jaime Punishill, senior analyst of emerging technologies at Forrester Research.

Consumers want the “best of both worlds” when shopping online, he says. “We want the ease of one-click shopping at Amazon.com with the utter security of having to sign 5 million documents and show 14 IDs,” he says. “Those are untenable desires.”

What’s more, people’s fears about the technology of online shopping won’t be allayed by more technology, he says. “The question is, how can you minimize the work and maximize the security simultaneously?”

That’s the question the card industry must answer if e-commerce is to grow.

Link to Article
http://web.archive.org/web/20020612093117/http://www.cardforum.com/html/ccmissue/sep01cov.htm