Good summary of some of the changes developing in the credit card industry.

Relevance to Bankwatch:
The message here is that there is no magic bullet, and despite the several initiative listed here, liability fraud is not eliminated, and liability remains with the card issuer in many situations.

SECPay – Online Credit Card Security and the PSP Sector

Note: About SECPay

SECPay is the UK’s largest independently owned processor of secure, real-time, online credit and debit card transactions. Specialising in the provision of payment services for merchants on the Internet, through Call Centres and for Mail Order Fulfilment Houses. SECPay handles the capture, authorisation and settlement of credit and debit card payments and all the associated electronic and physical security required.

Despite the early fears surrounding e-commerce transactions, using credit cards online has become safer due to the steps taken by key industry members. Chris Dipple, Technical Director at leading real-time payment service provider, SECPay, explores how online credit card security has improved and what still needs to be done to ensure all online credit card transactions are as secure as possible.According to the IMRG, Internet Shopping is expected to be worth around £17 billion in the UK this year, representing around 7% of all retail sales. The IMRG predicts that 400 million orders will be made by the UK’s 16 million internet shoppers. With this phenomenal level of financial transactions, online payment methods have evolved significantly over the last decade.

Market dynamics, namely business profitability soon separated e-commerce sites able to stay financially afloat from weaker market offerings. The shake-up in the sector made e-retailers heavily scrutinize their business models, resulting in key business functions, which were not driving revenue being outsourced. The dotcom survivors soon approached specialist Payment Service Providers (PSP’s) to handle their online credit card transactions, because it left them able to remain focused on their core business.

The selected PSP had to be responsible for providing the maximum level of security when conducting transactions on behalf of their merchants. The industry quickly dictated that all credit card data transmissions were ‘highly-encrypted’ to avoid any possible security breaches or hacking attempts. Although data transmission encryption has now become standard, other solutions have been introduced to further reduce the threat of online fraud.

Specific credit card verification systems that have been developed to reinforce the PSP’s security offering include the quickly adopted AVS and CVV2 authentication systems. This method cross–checks an individual’s address and last three digits on the back of their credit card, against the PSP’s secure database, which provides an effective barrier to large scale fraudulent transactions.

Another notable development for ring-fencing credit card security has been the steps recently introduced by the leading card issuers, MasterCard and Visa, who have delivered SecureCode and Verified by Visa. These systems have considerably benefited credit card security across the industry, although they have not eliminated the threat of online fraud entirely.

The MasterCard and Visa systems work by checking previously registered identification details to confirm a cardholder’s identity, be it via PIN or password. The systems help to ensure that the risk of fraud stays with the card issuer, rather than the merchant, and adds an extra level of security to all online transactions between merchants and their customers. SECPay currently offers this service as a free additional benefit to all its merchants and resellers.

However merchants need to be aware when relying on the schemes for credit card fraud protection that there may be circumstances where liability does not shift to the card issuer. There are moves in the market to make authorisation mandatory for high value transactions i.e. you cannot rely on the fact that just the merchant and not the card holder is registered with the scheme for the liability shift.

Although schemes like 3D Secure are a definite step in the right direction, the industry can’t afford to rely solely on these authentication systems to defeat fraudulent online credit card transactions. Currently we’re seeing fraud increase regardless of the systems being introduced by either PSP’s or the card issuers. At SECPay we constantly monitor all of our transactions coming through, which ultimately proves effective when run alongside the existing authentication systems.

In summary the industry has made giant leaps forward in combating fraud, however the industry can’t afford to become complacent about fraud, either online or offline. Fraudsters are always looking for their next con, the industry needs to not only keep pace but actively anticipate their next steps.