
From the CommerceNet Newsletter, The Public Policy Report, Vol. 3, No.5 May 2001.

ePayments: Is the Credit Card System Failing eCommerce? Is a Solution in Sight?
By Kaye Caldwell, CommerceNet's Public Policy Director (KCaldwell@Commerce.Net)

Credit cards account for the vast majority of payments to Internet merchants. A recent Gartner
report 1 states that, while in the offline world, credit cards account for only 19% of payments,
lagging behind cash at 53% and checks at 22%, in the online world credit cards are used for 93%
of all transactions. That statistic should not surprise anyone, as to date cash and check payments
have not been available on the Internet at all, except in a few instances. At least for checks, that
may change soon.

Credit Card Fraud on the Internet


Internet credit card fraud has become a major problem for merchants. Data gathered in the
second quarter of 2000 2 indicates that fraud makes up 1.1 percent of all Internet transactions, a
rate 12 times that of offline commerce. That 1.1 percent is 43 percent of all online chargebacks.
A report 3 by Celent Communications Inc. of Cambridge, MA indicates that online fraud for Visa
transactions was 3% during the fourth quarter of 2000. Other sources have cited fraud and/or
chargeback rates ranging from 6 to 20 times that of offline commerce. 4
Much attention has been paid to consumer fears about online credit card fraud. To combat
consumer concerns, credit card associations have guaranteed cardholders that they can shop
online with zero risk. 5 Unfortunately, that guarantee simply means that the merchant is the one
who takes all the risk. Yes, that's right, the card associations make the guarantee, but the
merchant pays for it.

The Source of Merchant Liability


The source of this clever little arrangement is Regulation Z, promulgated by the Federal Reserve
Board. Under Reg Z, the card issuing bank is responsible for providing with the card some
mechanism for the merchant accepting the card to identify the card-holder. That's why cards
have a space for the signature on the back. Photographs or fingerprints are also acceptable
means of identification, as is 6 "electronic or mechanical confirmation." But that same regulation
also provides 7 that "the cardholder may not be held liable . . . when the card itself (or some other
sufficient means of identification of the cardholder) is not presented. Since the issuer has not
provided a means to identify the user under these circumstances, the issuer has not fulfilled one
of the conditions for imposing liability. For example, when merchandise is ordered by telephone
by a person without authority to do so, using only a credit card account number (which may be
widely available), no liability may be imposed on the cardholder." Thus the regulation prevents
the card-issuing bank from holding the cardholder liable for card-not-present use of the card.
Does that then make the card-issuing bank responsible for the amount charged? Well, no. The
bankcard associations, which consist primarily of card issuing banks, have rules that any card
issuing bank or bank accepting card charges from merchants must abide by, and hold their
customers to. Those chargeback rules vary by card association, according to a September 2000
Wall Street Journal article, 8 which reports that:
- MasterCard will charge back disputed transactions to merchants who haven't obtained a
  signature and a card imprint.
- American Express requires the merchant, in order to avoid a chargeback, to prove it
  shipped to the card holder's billing address and obtained a signature proving the goods
  were delivered.
- Visa International decides on a case-by-case basis but concedes it's hard for merchants to
  prove their case without a signature and that a signed, imprinted sales draft is good
  evidence the charge was legitimate.
These rules are all part of the service agreement that a merchant must agree to in order to obtain
a credit card merchant account. It's ironic to note that merchants are charged higher fees for
card-not-present transactions, even though it is the merchant that not only is financially
responsible for the charged back amount, but also pays chargeback fees to reimburse the banks
for their processing costs.
When the only card-not-present use of a credit card was for mail order or telephone order
(MOTO in direct marketing parlance), this arrangement probably made sense. But today
eCommerce is being hindered by those legacy rules. The big difference between MOTO and
eCommerce is that in an eCommerce transaction the Internet is present - a ubiquitous
communications infrastructure through which it would be quite possible to provide the "electronic
confirmation" mentioned in the official comments to Regulation Z. The question is, what
incentive do the issuing banks have to provide such confirmation when they have currently
offloaded all liability onto the merchants - and charged them more on top of it?

CommerceNet 10050 N. Wolfe Road, Suite SW2-255 Cupertino, CA 95014 Phone: 408-446-1260 FAX: 408-446-1268 Internet: www.commerce.net
© 2001 Kaye Caldwell, licensed to CommerceNet. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system,
or transmitted in any form by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of the author.

Merchant Fraud Costs


Merchants already pay a higher standard rate for card-not-present transactions, reported to be
approximately twice as high as the card-present rates charged for over-the-counter (card-present)
transactions. The purported justification for this is the higher risk of fraud associated with
card-not-present transactions. However, a CNET March 2000 news report 9 states, "The financial
institution that issues a credit card assumes liability in about 75 percent of all fraudulent
transactions, according to John Shaughnessy, senior vice president for risk management at Visa.
But in card-not-present transactions - when transactions happen by mail, telephone or Internet
and no signatures are obtained - merchants assume liability for roughly 90 percent of fraudulent
transactions."
In addition to the costs of merchandise shipped to a fraudulent purchaser, the merchant is also at
risk of being charged higher transaction fees by its bank if the bank decides that the number of
chargebacks is too high. Chargeback fees are also imposed at a rate of $15-$50 per charged-back
transaction. To add insult to injury, on March 1, 2000 MasterCard implemented new
eCommerce rules 10 threatening to fine merchants that have chargeback rates above 1% of
transactions or 2.5% of total dollar volume for more than two consecutive months. Keeping in
mind that the Gartner survey cited above reports an average fraud rate of 1.1%, and the Celent
report cites a 3% fraud rate, setting a penalty threshold that is below industry standard can only
be characterized as outrageous when the card association does not require its card issuing bank
members to provide any kind of electronic means for the online merchant to authenticate the
cardholder.
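
A merchant-side check against the thresholds quoted above, added here as an illustration and not part of the original report: it tracks monthly chargeback rates by count and by dollar volume and flags the month in which fine exposure would begin. The monthly figures are constructed (three of the months use the 1.1% rate cited earlier), and reading "more than two consecutive months" as "the third month in a row" is an assumption.

```python
from dataclasses import dataclass
from fractions import Fraction

# Thresholds as stated in the article for MasterCard's March 1, 2000 rules.
COUNT_LIMIT = Fraction(1, 100)     # chargebacks above 1% of transactions
VOLUME_LIMIT = Fraction(25, 1000)  # or above 2.5% of total dollar volume
# Assumption: "more than two consecutive months" means the third month in a
# row over a limit is the first one that exposes the merchant to a fine.
MONTHS_TOLERATED = 2


@dataclass(frozen=True)
class MonthlyTotals:
    month: str
    transactions: int       # settled card transactions
    sales_cents: int        # settled dollar volume, in cents
    chargebacks: int        # chargebacks received
    chargeback_cents: int   # dollar volume charged back, in cents


def breaches(m: MonthlyTotals) -> list[str]:
    """Return which limits the month exceeds ('count', 'volume'), if any."""
    hit = []
    # Exact rational arithmetic: a month sitting exactly on 1% is not "above".
    if m.transactions and Fraction(m.chargebacks, m.transactions) > COUNT_LIMIT:
        hit.append("count")
    if m.sales_cents and Fraction(m.chargeback_cents, m.sales_cents) > VOLUME_LIMIT:
        hit.append("volume")
    return hit


def review(history: list[MonthlyTotals]) -> list[tuple[str, int, str]]:
    """Walk the months in order; return (month, streak, status) for each."""
    report, streak = [], 0
    for m in history:
        streak = streak + 1 if breaches(m) else 0
        if streak == 0:
            status = "ok"
        elif streak < MONTHS_TOLERATED:
            status = "over"
        elif streak == MONTHS_TOLERATED:
            status = "last-warning"   # one more month over means exposure
        else:
            status = "fine-exposure"
        report.append((m.month, streak, status))
    return report


# Constructed sample: 10,000 orders a month, $500,000 in sales.
SAMPLE = [
    MonthlyTotals("2000-03", 10_000, 50_000_000, 100, 500_000),    # exactly 1%
    MonthlyTotals("2000-04", 10_000, 50_000_000, 110, 550_000),    # 1.1% by count
    MonthlyTotals("2000-05", 10_000, 50_000_000, 110, 550_000),
    MonthlyTotals("2000-06", 10_000, 50_000_000, 110, 550_000),
    MonthlyTotals("2000-07", 10_000, 50_000_000, 60, 1_500_000),   # 3% by volume
    MonthlyTotals("2000-08", 10_000, 50_000_000, 80, 400_000),     # back under
]

if __name__ == "__main__":
    for month, streak, status in review(SAMPLE):
        print(f"{month}  streak={streak}  {status}")
```

A merchant running at the 1.1% rate reaches exposure in its third month, and a month with few but large chargebacks keeps the streak alive through the dollar-volume limit alone.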
To summarize, fraud costs to online merchants include:
- higher standard transaction fees than offline merchants
- costs of lost merchandise
- even higher transaction fees due to fraud rates
- chargeback fees
- fines imposed by credit card associations
Of course, in the end it's the consumer who pays for the fraud costs in higher prices for goods
and services.

Online Merchant Attempts to Deal with Fraud


Merchants have available to them two bank/credit card association supported verification
mechanisms. However, while their use can eliminate some problems, they are not nearly robust
enough to rely on, nor do they protect the online merchant from chargebacks.
Credit Card Authorization
According to Card Payment Systems, 11 credit card authorization provided by the issuing bank
approves the credit card transaction. A credit card authorization number is issued and payment of
goods/services is guaranteed as long as:
- A valid card has been used by the authorized cardholder;
- The cardholder has signed the credit card sales draft; and
- The credit card transaction is not disputed by the cardholder.
Of course in the online world, the second condition is not met, nor perhaps is the first since it is
the card number that is used, not the card itself. Furthermore, while it would seem odd that the
validity of the card is still in question when the issuing bank has authorized the transaction, that
is indeed the case. Online credit card verification only checks for reported stolen or overlimit
cards. 12 The authorization does NOT check for invalid use of card numbers. That is why card
number generating software is a problem. And of course in the online world the merchant cannot
visibly inspect the card, or the signature, or any other identifying information imprinted on the
card itself.
Address Verification System
The Address Verification System (AVS) verifies the cardholder's billing address. While using
the AVS system can weed out some fraud, it is not useful against fraudsters that have the
cardholder's address, for international orders, or in situations where the purchase is mailed to a
different address, such as a gift, or for purchases that are not mailed at all but delivered online.
Moreover, a positive AVS match and credit card system authentication code do not relieve the
online merchant of chargeback liability, even when the merchandise is shipped to the address
verified. 13
Third-Party Fraud Detection Services
Lacking any reliable credit card system mechanism for detecting fraud, merchants are turning to
third party fraud detection services. For a fee the service provides a fraud score which enables
the merchant to make a decision about whether to accept the order, whether to do additional
investigation, or whether to reject it. Providers of such services include CyberSource,
ClearCommerce, Digital Courier, Mindwave Software, CrediView and others.

Are Third Party Services a Good Answer?


At this point in time, third party services may be the only answer to transaction fraud detection.
However, they have their drawbacks and we can't of course compare them to issuing-bank
authentication services because there aren't any in widespread use.
Some serious issues are raised, however, by the methods that merchants are forced to use in
order to protect themselves from fraud in the absence of reliable online card authentication. For
example, many merchants avoid accepting orders from customers with free email accounts, a
policy that, although necessary, essentially constitutes online redlining. International orders are
also frequently declined since the AVS system is not available due to foreign privacy laws.
Many fraud detection services operate by collecting information from all of their customers, thus
creating customer profiles against which transactions can be checked to determine whether the
current transaction fits the typical pattern. While merchants should not be taken to task for using
such services to detect fraud in the absence of better alternatives, the lack of visibility and
accountability of these services to the consumers that are the subject of their data collection and
analysis does raise concerns. Consumers that are perfectly comfortable with their credit card
issuers monitoring their purchase behavior to detect unusual patterns may be very uncomfortable
with third parties with whom they have no financial relationship doing the same monitoring.
Furthermore, consumers are usually completely unaware that these behind-the-scenes fraud
databases exist, leaving them completely unable to deal with errors in the database that may
cause their transaction to be declined.

Credit Card Association Responses to Fraud Concerns


Egghead Software's recent experience illustrates that attention must be paid to both types of
major online fraud concerns - transaction fraud and credit card database security. In October of
2000 CNN reported, 14 in an article about online merchants' preparation for holiday credit card
fraud, that "Egghead.com is confident in its internally developed, everyday fraud-detection
measures and is not adding anything else for the holidays." The article quoted Egghead's senior
vice president of finance as saying, "Every transaction goes through the mechanism and looks at
[it] as if the consumer has done a fraudulent transaction before, determines whether the credit
card is fraudulent, and looks at other factors." Only two months later Egghead.com made
headlines 15 when they reported that the company's servers had been hacked and customers'
credit-card numbers potentially stolen. While they announced 20 days later that customer data
had not been compromised, at the time they took steps to protect customers by contacting credit
card companies of 3.7 million cardholders. Reissuing those credit cards costs banks millions. 16
Additional incidents at Creditcards.com 17 and CD Universe, 18 where credit card numbers were
actually stolen, were also costly. And these are the cases of credit card database theft that have
been reported.
Obviously online merchants must be concerned about both transaction fraud, involving
fraudulent use of a credit card to purchase goods or services, and security fraud, involving the
compromise of the company's database of customer credit card information.
Visa's efforts, however, seem to be focused on merchant security practices instead of, or at least
ahead of, transaction fraud. Given the interrelationship between the two, that strategy may be
ill-advised. If credit card data were not all that was needed to perpetrate transaction fraud, database
compromise would not be as disastrous as it now is. It is, however, easier for the credit card
associations to place obligations on others to implement security standards than on themselves to
provide online authentication.
In November of 2000 19 Visa set security standards 20 for merchants, which they must live up to
by the May 2001 deadline or risk losing their ability to accept credit cards (add another merchant
fraud cost).

Transaction Oriented Anti-Fraud Technologies Are in the Works - But Will They Be Deployed? And Will They Protect Merchants?

Credit card associations are in the process of implementing new verification codes, which consist
of extra numbers printed, but not embossed on the card or readable in the magnetic stripe. Visa's
CVV2, 21 MasterCard's CVC2, and American Express's CID are all in the process of being
deployed.
Visa's CVV2 code must be printed on the back of all cards by January 1, 2001. Issuing banks
that do not support CVV2 authentication when it is present in the authentication request will be
limited in their chargeback rights.
All MasterCards were required to include their CVC2 codes back in 1997.

The advantage to merchants is that they will be able to make better-informed decisions by taking
into consideration the authentication response for the additional code. However, the new systems
do NOT apparently result in the online merchant enjoying a level of protection equivalent to the
over-the-counter merchant - in other words the CVV2 or CVC2 transaction is still not equivalent
to the card-present transaction.
The real question here is whether merchants will see the new verification codes and the benefits
they offer as significant enough to compensate for the burdens of revising their Web sites and
also for inserting an additional step in the ordering process. Shopping cart abandonment is
already a problem - requiring consumers to provide an additional number may add to the rate of
legitimate order abandonment. It's interesting to note that few (if any) Web sites seem to be
asking for the new codes. Unless the credit card rules are changed to actually offer merchants
better protection against chargebacks when the CVV2 or CVC2 codes are used, it's hard to see
what the merchant incentive would be to use them.
Long term, the question is whether this new verification system will become just as
compromised as credit card numbers and expiration dates are today. With cardholders handing
out the new verification codes to every merchant they use, how secure will these codes be over
time?

Online Authentication, a Better Solution?


Given the ease of distribution of data in the online world, and the security issues surrounding
online databases, the question naturally arises, isn't there another way?
The ATM System
Most, if not all, ATM cards are now issued as check cards, which have dual functions. They can
be used as online debit cards in conjunction with the use of the associated PIN, or can be used
essentially as a credit card, with a signature, except that the resulting transaction is deducted
from the cardholder's checking account rather than charged to a credit card account. The latter is
called an offline debit. The difference is that the online debit, or traditional ATM transaction,
involves authentication by way of the PIN in real-time. For the purpose of this discussion we
will focus on the online debit transaction.
The online debit system is run by the Electronic Funds Transfer (EFT) networks, which are
typically identified on the card itself and on ATM machines so that consumers can use cards
accepted by specific networks on the appropriate machines. Examples are the Star and Plus
systems. The key to online debit security is the PIN number, which cardholders are expected to
know, and the fact that the PIN is verified online during the transaction. Fraud losses for the
ATM systems are about one-tenth as much as for the credit card systems. Indeed, fraud
prevention efforts for ATM cards focus on keeping the PIN secret and preventing physical fraud,
such as breaking into machines or robbing ATM customers, as opposed to electronic fraud
accomplished by accessing the network electronically. Furthermore, ATM online debits cannot
currently be used for mail, phone, or Internet purchases because the current system requires PIN
numbers to be entered in conjunction with the swiping of a card into specialized terminals, which
communicate directly with the authorizing and transacting network and do not rely on merchant
transmission of the transaction. Thus the merchant and their bank never see the PIN number,
cannot record it, and need not worry about keeping PIN number databases secure.
Federal law 22 governs whether, and to what extent, the cardholder can be held liable for ATM
card losses. If the missing card is reported before any unauthorized use takes place, the card
issuer cannot hold the cardholder responsible. However, if any unauthorized use takes place
before the loss or theft of an ATM card is reported, the cardholder's liability depends on how quickly
the loss is reported. If it's reported within two days of discovery, the limit is $50; if not reported
within two days, the liability can be up to $500. The liability is unlimited if it's not reported
within 60 days of the mailing of the bank statement.
It's interesting to note the differences between the ATM and credit card systems. Federal law
protects the cardholder in both cases. Federal law however does NOT address the issue of
liability for other parties in the system. For the online debit (ATM) system, only the banks are
involved and an effective online real-time verification system has been put in place. For the
credit card system, where non-bank parties (i.e., the merchants) can be forced, through the
contracts they must sign, to accept the liability, the verification systems are unreliable and
insufficient.

New Online Payment Mechanisms


There are multiple funds transfer/payment mechanisms in the offline world - paper checks,
credit cards, ATMs, electronic funds transfers, ACH (Automated Clearing House, used for funds
transfers between accounts held at different banks) and others, which offer opportunities in the
online world. Several of them are the subject of pilot projects or other efforts to "Internetize"
them. We'll take a brief look at some of them to see how likely they are to offer alternatives to
merchants that are more reliable than credit cards.
NACHA-Internet Council's ISAP Pilot - the ATM Networks Internet Version
The NACHA Internet Council is undertaking a pilot 23 designed to allow consumers to use
Internet enabled ATM/debit cards to make Internet-initiated debit payments from their checking
accounts. Given the prevalence of cash and checks in the offline world, this concept would seem
to have promise. However, it is based on the use of bank-issued digital signatures and either
cards/card readers or software issued by banks. It also requires merchants to acquire technology
for accepting these payments from their own banks. While the consumer would be protected in
this system by the Electronic Funds Transfer Act and its implementing Regulation (Reg E),
chargeback rules would again be network-agreement based and may or may not be better for
merchants than the rules for the credit card systems.
There is a fundamental conflict at play here: why would banks pay to develop and implement a
system where they would have the chargeback liability? Some have pointed out that this is
exactly the reason for the failure of the credit card associations' first digital signature enabled
technology (SET) - bank unwillingness to pay for the deployment of new technology that
resulted in transferring liability from the merchants to the card issuing banks. Thus the
likelihood of the new ISAP network agreement imposing chargeback liability on the merchants
is high. The other conflict is costs - if the banks make less money from ISAP charges than they
do on credit cards, why would they deploy the technology? On the other hand, if the technology
doesn't offer either a cost or liability advantage to merchants, why would merchants adopt it?
Perhaps this analysis is too cynical, but time will tell.
The ACH System and ACH Based Internet Payments
The Automated Clearing House (ACH) works as follows: A company sends instructions to its
bank to pay all of its suppliers at various banks. These instructions are typically transmitted
electronically, although they used to be done via magnetic tapes. The bank forwards those
instructions to an ACH, which separates them according to which bank they are going to,
combines all the instructions from various payors with others to the same bank, and sends the
electronic packages of instructions to the payees' banks. The Federal Reserve Bank and other
associations of banks operate the ACHs. Efforts are underway in several different projects to
create Internet payment systems that leverage the ACH system in various ways.
FSTC's eCheck Project
The Financial Services Technology Consortium (FSTC) eCheck project 24 has already been well
tested in a three-year pilot program involving the U.S. Treasury Department, U.S. Federal
Reserve, several banks, and suppliers to the Defense Department. Although eChecks were
originally designed to utilize the paper check clearing and settlement system, they can also be
used as digitally signed authorizations to conduct ACH debits and credits.
Companies such as Clareon 25 and Xign 26 have developed commercial B2B payment services
based on the FSTC eCheck technology. Digitally signed payment authorizations (similar to
eChecks) are issued by payers and sent to the payees and the payment service provider over the
Internet. The payment service provider originates ACH debit and credit transactions to move the
payment amount from the payer's bank account (debit) to the payee's bank account (credit). By
using digital signatures, strong authorization to originate the ACH transactions is provided. It is
necessary for at least the payer to have digital signature capability, although both payer and
payee must be registered with the payment service provider. Since ACH transactions are
accepted by nearly all U.S. banks, this system allows any payer to pay any payee. Although these
services are initially targeted at businesses, there is no reason that similar services could not be
deployed to support consumers paying merchants, businesses, or even other individuals over the
Internet via email or interactive Web sessions.
NACHA's Internet-Initiated Consumer ACH Debits
NACHA has adopted a new rule enabling Internet-initiated ACH debits, 27 which became
effective in March 2001. Under the new rule merchants will obtain payment via a consumer's
checking account by obtaining the account information and creating an ACH debit to the
consumer's checking account. As you might imagine, the merchant will be held strictly liable for
the authenticity of the authorization to process the debit, and must meet other security standards.
The merchant's bank will be held responsible for the merchant and will be held liable for their
merchant's activities. This puts a heavy burden on the bank to vet their merchants and a heavy
burden on the merchants to vet their customers.
In order to relieve the authentication burden, merchants can use the services of companies such
as Achex, 28 which performs the consumer authentication. Like the Clareon and Xign payment
services, both payee (merchant) and payor (consumer) sign up with Achex. Achex obtains the
consumer's account information and authenticates the consumer by asking for information which
it then verifies with a credit agency. Once both merchant and consumer are registered by Achex,
which on the consumer side does not require any new hardware or software, consumers can pay
for goods and services purchased online using their checking account. (Of course, the merchant
Web site must be modified to handle the Achex payments.) The system offers benefits to both
parties. Merchants have the authentication obligation handled for them, and can optionally have
additional payment guarantees provided by Achex. For consumers, Achex offers a single point of
information disclosure. Instead of providing account information and authentication information
to each merchant, which many consumers are not comfortable doing, the information is provided
only to Achex. When the merchant site takes an Achex payment the consumer is linked to an
Achex site to log in and authorize the payment. Achex then creates the required ACH
transactions transferring the funds from the consumer account to the merchant account.
Consumers are protected by Regulation E under this system. (NACHA operating rules apply to
the network participants - the banks - and include provisions governing the banks' agreements
with their ACH-using customers.) The system offers significant privacy benefits to consumers
who need not provide financial information to every merchant they deal with. In fact, using
Achex provides much more privacy than using credit cards online or off, and more privacy than
using a check would when dealing with the same merchant in an over-the-counter transaction.
Since paying by check does not offer the extremely high level of consumer protection with
respect to the merchandise that paying by credit cards does, paying by Achex may not be
appropriate in all online situations. But in a large number of situations it will be, such as paying
well known merchants that the customer would feel comfortable paying by check over-the-counter,
paying local merchants such as grocery delivery services, paying utility bills, and in
situations where surcharges are imposed on credit card payments, such as payments to
government entities. Achex is already available at Bluelight, K-mart's online store. One other
feature should make Achex VERY attractive to merchants (and government entities): the
transaction cost is a very reasonable flat rate.
NACHA's Project ACTION (Formerly DirectPay)
Usable for business-to-business payments (B2B), spontaneous consumer Internet purchases
(C2B), and electronic bill presentment and payment (EBPP), NACHA's Project ACTION 29
initiative envisions a payment mechanism in which consumers link to their financial institutions
to authorize and send payments from their checking and/or savings accounts. ACTION does not
send consumer account number information to the merchant, therefore the consumer is likely to
feel sufficiently protected and favor this payment mechanism over others offering less data
protection. It can also utilize a transactional model similar to the Achex model, but where the
consumer's bank handles the payment origination.
Because the ACTION system would use a push model, in which consumers are authenticated
by their own financial institution and originate the transaction, it is felt that the risk of rescission
or return is reduced. In addition, if the ACH system is used, the 60-day right-of-return for ACH
debits would not apply since the transaction is an ACH credit, which is final at the time of
settlement (2 to 3 days after initiation). Thus the merchant could be comfortable shipping goods
in a timely manner.

A significant advantage to this model is that the merchant is NOT responsible for
authentication: the customer's own financial institution performs that function.
Expanded P2P Payment Systems
It is also possible that other merchant payment systems may expand out of the person-to-person
systems that have emerged to facilitate online auction sites. PayPal, for example, is expanding
into more traditional merchant environments. 30

Will Credit Card Associations Provide Better Authentication?


If any of these significant new payment mechanisms are widely deployed, credit card
associations may find it necessary, for competitive reasons, to better serve the needs of
merchants for a reliable credit card payment system. The Gartner Group reports 31 that new
initiatives are being pursued in this area 32 :
MasterCard has reported that a roll-out of 3D-SET in the United States is imminent. MasterCard
is said to be developing a gateway service on the acquiring side using 3D-SET and to be working
with U.S. merchants on possible implementation.
As for another interesting development, American Express launched its "Blue Card" in September
1999. The card, which uses a magnetic-stripe, smart-chip hybrid, is designed to evolve into a
multifunction smart card to make Internet purchases easier and more secure. Its significance as a
digital certification device has been, so far, underwhelming.
Visa is currently rolling out Visa Payer Authentication, or VPAS. They plan to shift the liability of
the fraudulent order from the merchant back to the issuer. Visa is currently rolling this out to a few
merchants in pilot. This method uses a combination of card registration and PIN number.

Visa's Payer Authentication 33 (VPAS), announced in November of 2000 with the goal of use by
the top 100 online shopping sites by the end of 2001, seems to provide the needed online
authentication mechanism discussed above. However, the danger exists that the banks will not
deploy better online payment systems for fear of losing their lucrative credit card fees, or that
banks will not make investments in new credit card authentication technology, such as VPAS,
that would shift authentication risk away from the merchants to the banks themselves. Recent
reports 34 indicate that merchants such as Buy.com, Yahoo, and Tickets.com are implementing the
new system. It remains to be seen just how ubiquitous this new system becomes, and whether
merchants will be treated the same under it as local merchants are treated in card-present
transactions.

Conclusion
The credit card associations' large market share, and federally imposed consumer protections,
may allow them to continue to provide an online payment mechanism that lays the entire
authentication risk on the merchant. If so, the best strategy for merchants may be that suggested
by payment systems and eCommerce law Professor Jane Winn 35 :
Unless the Federal Reserve Board changes its interpretation of Regulation Z regarding
the inability of card issuers and merchants to contest a cardholder's claim that a charge
is unauthorized in any transaction in which the card was not available for inspection by
the merchant, merchants will have no choice but to press for improved authentication
technology or revisions to Regulation Z. (Emphasis added.)

If improved authentication technology is not both developed and deployed, merchants' only hope
for a solution may be either a revision to Regulation Z or a similar legal compulsion for banks to
provide online authentication.
Such a revision would have to require issuing banks to provide an effective online authentication
mechanism, such as a secret PIN number or password verified online in real time that provides
authentication that the merchant can rely upon to prevent chargebacks based on denial of the
transaction. Is such a change reasonable? From the consumer point of view, requiring the card
issuing bank to authenticate the customer online reduces the need for merchants to maintain or
consult secret databases about customers. Furthermore, assuming that liability should be imposed
on the entity best able to reduce the risk, it makes sense to impose the authentication
responsibility on the party best able to perform authentication. Between the merchant and the
bank, it is the bank, which already is obligated to know its customers, that is in the best position
to control the authentication risk associated with online transactions.
We seem to be at a turning point: new authentication technology has been developed and is being
tested, but the question remains whether it will be widely adopted by the banks and whether the
contractual agreements merchants must sign to participate will give them adequate protections.
Or will we see another SET-like failure, where the technology was developed, the legal
agreements were modified, but the technology was never deployed, at least not in the U.S.?

End Notes
1 See Online Fraud Prevention White Paper for the E-Commerce Fraud Prevention Network, Gartner 3/14/2001, at: http://www.gartner.com/webletter/amex/index.html
2 See Online Fraud Prevention White Paper for the E-Commerce Fraud Prevention Network, Gartner 3/14/2001, at: http://www.gartner.com/webletter/amex/index.html
3 See: http://www.celent.com/PressReleases/20001218/OnlineFraud.htm
4 See Ronald J. Mann, A Payments Policy for the Information Age, 1999 at: http://papers.ssrn.com/paper.taf?abstract_id=214632, footnote 120.
5 See Visa guarantee at: http://www.visa.com/av/zero_liability/main.html, Mastercard guarantee at: http://www.mastercard.com/ourcards/zeroliability.html, and American Express guarantee at: http://www10.americanexpress.com/sif/cda/page/0,1641,5963,00.asp
6 See 12 C.F.R. pt. 226, supp. 1, cmt. 12(b)(2)(iii)-1 (official staff interpretations of Regulation Z).
7 See 12 C.F.R. pt. 226, supp. 1, cmt. 12(b)(2)(iii)-3 (official staff interpretations of Regulation Z).
8 http://www.info-sec.com/commerce/00/commerce_092000a_j.shtml
9 See: http://news.cnet.com/news/0-1007-200-1583717.html
10 See: http://www.newsfactor.com/perl/story/2638.html
11 See: http://www.aaaccess.com/credit_card_processing_101.html
12 See: http://www.sellitontheweb.com/ezine/howto004.shtml
13 It should be noted that if a package delivered to the cardholder's billing address is signed for, American Express may relieve the merchant of the chargeback liability. However, consumer shipments are not typically signed for.
14 http://www.cnn.com/2000/TECH/computing/10/10/fraud.prep.idg/
15 http://news.cnet.com/news/0-1007-201-4245328-0.html?tag=rltdnws
16 http://news.cnet.com/news/0-1007-201-4421335-0.html
17 http://news.cnet.com/news/0-1007-200-4115920.html
18 http://news.cnet.com/news/0-1007-200-1519088.html?tag=rltdnws
19 http://news.cnet.com/news/0-1007-200-3705714.html
20 http://www.visabrc.com/doc.phtml?2,64,932,932a_cisp.html
21 http://www.visabrc.com/doc.phtml?4,71,327,286_cvv2.html
22 The Electronic Funds Transfer Act
23 See Internet Secure ATM Payments (ISAP) Description at: http://internetcouncil.nacha.org/ATMpilotdescriptionFinal_Version-20010130.doc
24 See: http://echeck.commerce.net/overview/index.html For an excellent comparison of eCheck with other payment mechanisms, see: http://echeck.commerce.net/overview/comparison/index.html
25 http://www.clareon.com/
26 http://www.xign.com/
27 See: http://www.nacha.org/news/news/pressreleases/2001/PR031601/pr031601.htm
28 http://www.achex.com/
29 See: http://www.project-action.org/New_Concept_Paper_.pdf
30 See: https://secure.paypal.com/cgi-bin/webscr?cmd=_shop-ext and
31 See Online Fraud Prevention White Paper for the E-Commerce Fraud Prevention Network, Gartner 3/14/2001, at: http://www.gartner.com/webletter/amex/index.html, Section VII.
32 For information on 3D-SET, see: http://www.visa.com/pd/eu_shop/merchants/3d_set/main.html and: http://www.lafferty.com/btsecurity/archives/001122visasetpilot.shtml For information on Visa Payer Authentication, see: http://e-visa.com/headline19.html
33 For details from the technology supplier, Arcot, see: http://www.arcot.com/landing_transfort.html
34 See: http://www.epaynews.com/index.cgi?survey=&keywords=3DSecure&optional=&subject=&location=&ref=keyword&f=view&id=98819753121212015050&block=
35 See: http://www.smu.edu/~jwinn/clashoftitans.htm Section V(A).
