Professional Documents
Culture Documents
Epayments: Is The Credit Card System Failing Ecommerce? Is A Solution in Sight?
Epayments: Is The Credit Card System Failing Ecommerce? Is A Solution in Sight?
Credit cards account for the vast majority of payments to Internet merchants. A recent Gartner
report 1 states that, while in the offline world, credit cards account for only 19% of payments,
lagging behind cash at 53% and checks at 22%, in the online world credit cards are used for 93%
of all transactions. That statistic should not surprise anyone, as to date cash and check payments
have not been available on the Internet at all, except in a few instances. At least for checks that
may change soon.
CommerceNet 10050 N. Wolfe Road, Suite SW2-255 Cupertino, CA 95014 Ph one: 408-446-1260 FAX: 408-446-1268 Internet: www.commerce.net
2001 Kaye Caldwell, licensed to CommerceNet All rights reserved. No part of this publication may be reproduced, stored in a retrieval system,
or transmitted in any form by any means, electronic mechanical, photocopying, recording or otherwise, without the prior permission of the author.
visibly inspect the card, or the signature, or any other identifying information imprinted on the
card itself.
Address Verification System
The Address Verification System (AVS) verifies the cardholders billing address. While using
the AVS system can weed out some fraud it is not useful against fraudsters that have the
cardholders address, for international orders, or in situations where the purchase is mailed to a
different address, such as a gift, or for purchases that are not mailed at all but delivered online.
Moreover, a positive AVS match and credit card system authentication code do not relieve the
online merchant of chargeback liability, even when the merchandise is shipped to the address
verified 13 .
Third-Party Fraud Detection Services
Lacking any reliable credit card system mechanism for detecting fraud, merchants are turning to
third party fraud detection services. For a fee the service provides a fraud score which enables
the merchant to make a decision about whether to accept the order, whether to do additional
investigation, or whether to reject it. Providers of such services include CyberSource,
ClearCommerce, Digital Courier, Mindwave Software, CrediView and others.
CommerceNet 10050 N. Wolfe Road, Suite SW2-255 Cupertino, CA 95014 Phone: 408-446-1260 FAX: 408-446-1268 Internet: www.commerce.net
2001 Kaye Caldwell, licensed to CommerceNet All rights reserved. No part of this publication may be reproduced, stored in a retrieval system,
or transmitted in any form by any means, electronic mechanical, photocopying, recording or otherwise, without the prior permission of the author.
CommerceNet 10050 N. Wolfe Road, Suite SW2-255 Cupertino, CA 95014 Ph one: 408-446-1260 FAX: 408-446-1268 Internet: www.commerce.net
2001 Kaye Caldwell, licensed to CommerceNet All rights reserved. No part of this publication may be reproduced, stored in a retrieval system,
or transmitted in any form by any means, electronic mechanical, photocopying, recording or otherwise, without the prior permission of the author.
The advantage to merchants is that they will be able to make better- informed decisions by taking
into consideration the authentication response for the additional code. However, the new systems
do NOT apparently result in the online merchant enjoying a level of protection equivalent to the
over-the-counter merchantin other words the CVV2 or CVC2 transaction is still not equivalent
to the card-present transaction.
The real question here is whether merchants will see the new verification codes and the benefits
they offer as significant enough to compensate for the burdens of revising their Web sites and
also for inserting an additional step in the ordering process. Shopping cart abandonment is
already a problemrequiring consumers to provide an additional number may add to the rate of
legitimate order abandonment. Its interesting to note that few (if any) Web sites seem to be
asking for the new codes. Unless the credit card rules are changed to actually offer merchants
better protection against chargebacks when the CVV2 or CVC2 codes are used, its hard to see
what the merchant incentive would be to use them.
Long term, the question is whether this new verification system will become just as
compromised as credit card numbers and expiration dates are today. With cardholders handing
out the new verification codes to every merchant they use, how secure will these codes be over
time?
CommerceNet 10050 N. Wolfe Road, Suite SW2-255 Cupertino, CA 95014 Phone: 408-446-1260 FAX: 408-446-1268 Internet: www.commerce.net
2001 Kaye Caldwell, licensed to CommerceNet All rights reserved. No part of this publication may be reproduced, stored in a retrieval system,
or transmitted in any form by any means, electronic mechanical, photocopying, recording or otherwise, without the prior permission of the author.
doesnt offer either a cost or liability advantage to merchants, why would merchants adopt it?
Perhaps this analysis is too cynical,but time will tell.
The ACH System and ACH Based Internet Payments
The Automated Clearing House (ACH) works as follows: A company sends instructions to its
bank to pay all of its suppliers at various banks. These instructions are typically transmitted
electronically, although they used to be done via magnetic tapes. The bank forwards those
instructions to an ACH, which separates them according to which bank they are going to,
combines all the instructions from various payors with others to the same bank, and sends the
electronic packages of instructions to the payees banks. The Federal Reserve Bank and other
associations of banks operate the ACHs. Efforts are underway in several different projects to
create Internet payment systems that leverage the ACH system in various ways.
FSTCs eCheck Project
The Financial Services Technology Consortium (FSTC) eCheck project 24 has already been well
tested in a three-year pilot program involving the U.S. Treasury Department, U.S. Federal
Reserve, several banks, and suppliers to the Defense Department. Although eChecks were
originally designed to utilize the paper check clearing and settlement system, they can also be
used as digitally signed authorizations to conduct ACH debits and credits.
Companies such as Clareon25 and Xign 26 have developed commercial B2B payment services
based on the FSTC eCheck technology. Digitally signed payment authorizations (similar to
eChecks) are issued by payers and sent to the payees and the payment service provider over the
Internet. The payment service provider originates ACH debit and credit transactions to move the
payment amount from the payers bank account (debit) to the payees bank account (credit). By
using digital signatures, strong authorization to originate the ACH transactions is provided. It is
necessary for at least the payer to have digital signature capability, although both payer and
payee must be registered with the payment service provider. Since ACH transactions are
accepted by nearly all U.S. banks, this system allows any payer to pay any payee. Although these
services are initially targeted at businesses, there is no reason that similar services could not be
deployed to support consumers paying merchants, businesses, or even other individuals over the
Internet via email or interactive Web sessions.
NACHAs Internet-Initiated Consumer ACH Debits
NACHA has adopted a new rule enabling Internet-initiated ACH debits, 27 which became
effective in March 2001. Under the new rule merchants will obtain payment via a consumers
checking account by obtaining the account information and creating an ACH debit to the
consumers checking account. As you might imagine, the merchant will be held strictly liable for
the authenticity of the authorization to process the debit, and must meet other security standards.
The merchants bank will be held responsible for the merchant and will be held liable for their
merchants activities. This puts a heavy burden on the bank to vet their merchants and a heavy
burden on the merchants to vet the ir customers.
In order to relieve the authentication burden, merchants can use the services of companies such
as Achex, 28 which performs the consumer authentication. Like the Clareon and Xign payment
services, both payee (merchant) and payor (consumer) sign up with Achex. Achex obtains the
CommerceNet 10050 N. Wolfe Road, Suite SW2-255 Cupertino, CA 95014 Phone: 408-446-1260 FAX: 408-446-1268 Internet: www.commerce.net
2001 Kaye Caldwell, licensed to CommerceNet All rights reserved. No part of this publication may be reproduced, stored in a retrieval system,
or transmitted in any form by any means, electronic mechanical, photocopying, recording or otherwise, without the prior permission of the author.
CommerceNet 10050 N. Wolfe Road, Suite SW2-255 Cupertino, CA 95014 Ph one: 408-446-1260 FAX: 408-446-1268 Internet: www.commerce.net
2001 Kaye Caldwell, licensed to CommerceNet All rights reserved. No part of this publication may be reproduced, stored in a retrieval system,
or transmitted in any form by any means, electronic mechanical, photocopying, recording or otherwise, without the prior permission of the author.
10
A significant advantage to this model is that the merchant is NOT responsible for
authenticationthe customers own financial institution performs that function.
Expanded P2P Payment Systems
It is also possible that other merchant payment systems may expand out of the person-to-person
systems that have emerged to facilitate online auction sites. PayPal, for example, is expanding
into more traditional merchant environments. 30
Visas Payer Authentication33 (VPAS), announced in November of 2000 with the goal of use by
the top 100 online shopping sites by the end of 2001, seems to provide the needed online
authentication mechanism discussed above. However, the danger exists that the banks will not
deploy better online payment systems for fear of losing their lucrative credit card fees, or that
banks will not make investments in new credit card authentication technology, such as VPAS,
that would shift authentication risk away from the merchants to the banks themselves. Recent
reports 34 indicate that merchants such as Buy.com, Yahoo, and Tickets.com are implementing the
new system. It remains to be seen just how ubiquitous this new system becomes, and whether
merchants will be treated the same under it as local merchants are treated in card-present
transactions.
Conclusion
The credit card associations large market share, and federally imposed consumer protections,
may allow them to continue to provide an online payment mechanism that lays the entire
authentication risk on the merchant. If so, the best strategy for merchants may be that suggested
by payment systems and eCommerce law Professor Jane Winn 35 :
Unless the Federal Reserve Board changes its interpretation of Regulation Z regarding
the inability of card issuers and merchants to contest a cardholder's claim that a charge
is unauthorized in any transaction in which the card was not available for inspection by
the merchant, merchants will have no choice but to press for improved authentication
technology or revisions to Regulation Z. (Emphasis added.)
CommerceNet 10050 N. Wolfe Road, Suite SW2-255 Cupertino, CA 95014 Phone: 408-446-1260 FAX: 408-446-1268 Internet: www.commerce.net
2001 Kaye Caldwell, licensed to CommerceNet All rights reserved. No part of this publication may be reproduced, stored in a retrieval system,
or transmitted in any form by any means, electronic mechanical, photocopying, recording or otherwise, without the prior permission of the author.
End Notes
1
See Online Fraud Prevention White Paper for the E-Commerce Fraud Prevention Network , Gartner 3/14/2001, at:
http://www.gartner.com/webletter/amex/index.html
2
See Online Fraud Prevention White Paper for the E-Commerce Fraud Prevention Network , Gartner 3/14/2001, at:
http://www.gartner.com/webletter/amex/index.html
3
See: http://www.celent.com/PressReleases/20001218/OnlineFraud.htm
4
See Ronald J. Mann, A Payments Policy for the Information Age, 1999 at:
http://papers.ssrn.com/paper.taf?abstract_id=214632, footnote 120.
5
See Visa guarantee at: http://www.visa.com/av/zero_liability/main.html, Mastercard guarantee at:
http://www.mastercard.com/ourcards/zeroliability.html, and American Express guarantee at:
http://www10.americanexpress.com/sif/cda/page/0,1641,5963,00.asp
6
See 12 C.F.R. pt. 226, supp. 1, cmt. 12(b)(2)(iii)-1 (official staff interpretations of Regulation Z).
7
See 12 C.F.R. pt. 226, supp. 1, cmt. 12(b)(2)(iii)-3 (official staff interpretations of Regulation Z).
8
http://www.info-sec.com/commerce/00/commerce_092000a_j.shtml
9
See: http://news.cnet.com/news/0-1007-200-1583717.html
10
See: http://www.newsfactor.com/perl/story/2638.html
11
See: http://www.aaaccess.com/credit_card_processing_101.html
12
See: http://www.sellitontheweb.com/ezine/howto004.shtml
13
It should be noted that if a package delivered to the cardholders billing address is signed for, American Express
may relieve the merchant of the chargeback liability. However, consumer shipments are not typically signed for.
14
http://www.cnn.com/2000/TECH/computing/10/10/fraud.prep.idg/
15
http://news.cnet.com/news/0-1007-201-4245328-0.html?tag=rltdnws
16
http://news.cnet.com/news/0-1007-201-4421335-0.html
17
http://news.cnet.com/news/0-1007-200-4115920.html
18
http://news.cnet.com/news/0-1007-200-1519088.html?tag=rltdnws
19
http://news.cnet.com/news/0-1007-200-3705714.html
CommerceNet 10050 N. Wolfe Road, Suite SW2-255 Cupertino, CA 95014 Ph one: 408-446-1260 FAX: 408-446-1268 Internet: www.commerce.net
2001 Kaye Caldwell, licensed to CommerceNet All rights reserved. No part of this publication may be reproduced, stored in a retrieval system,
or transmitted in any form by any means, electronic mechanical, photocopying, recording or otherwise, without the prior permission of the author.
11
12
20
http://www.visabrc.com/doc.phtml?2,64,932,932a_cisp.html
http://www.visabrc.com/doc.phtml?4,71,327,286_cvv2.html
22
The Electronic Funds Transfer Act
23
See Internet Secure ATM Payments (ISAP) Description at: http://internetcouncil.nacha.org/ATMpilotdescriptionFinal_Version-20010130.doc
24
See: http://echeck.commerce.net/overview/index.html For an excellent comparison of eCheck with other payment
mechanisms, see: http://echeck.commerce.net/overview/comparison/index.html
25
http://www.clareon.com/
26
http://www.xign.com/
27
See: http://www.nacha.org/news/news/pressreleases/2001/PR031601/pr031601.htm
28
http://www.achex.com/
29
See: http://www.project-action.org/New_Concept_Paper_.pdf
30
See: https://secure.paypal.com/cgi-bin/webscr?cmd=_shop-ext and
31
See Online Fraud Prevention White Paper for the E-Commerce Fraud Prevention Network , Gartner 3/14/2001, at:
http://www.gartner.com/webletter/amex/index.html , Section VII.
32
For information on 3D-SET, see: http://www.visa.com/pd/eu_shop/merchants/3d_set/main.html and:
http://www.lafferty.com/btsecurity/archives/001122visasetpilot.shtml
For information on Visa Payer Authentication, see: http://e-visa.com/headline19.html
33
For details from the technology supplier, Arcot, see: http://www.arcot.com/landing_transfort.html
34
See: http://www.epaynews.com/index.cgi?survey=&keywords=3DSecure&optional=&subject=&location=&ref=keyword&f=view&id=98819753121212015050&block=
35
See: http://www.smu.edu/~jwinn/clashoftitans.htm Section V(A).
21
CommerceNet 10050 N. Wolfe Road, Suite SW2-255 Cupertino, CA 95014 Phone: 408-446-1260 FAX: 408-446-1268 Internet: www.commerce.net
2001 Kaye Caldwell, licensed to CommerceNet All rights reserved. No part of this publication may be reproduced, stored in a retrieval system,
or transmitted in any form by any means, electronic mechanical, photocopying, recording or otherwise, without the prior permission of the author.