In recent years eCommerce consumer sales have ballooned. Due to a growing appetite for purchasing a wide range of goods and services online, European consumers spent almost E40 billion over the Internet in 2002.

Yet, despite this impressive growth, there is some concern that rising online card fraud is deterring some consumers from transacting payments online or from doing so as frequently as they would like. The major card schemes such as Visa, MasterCard and Maestro have sought to address this problem by developing security initiatives that make it more difficult to use a credit or debit card fraudulently online. Most recently the card schemes have launched Verified by Visa, MasterCard SecureCode and Maestro's eCommerce.

CNP fraud on the increase

Although it is widely believed that credit cards remain a safe way to purchase goods and services online, it is also recognized that online card fraud is on the increase. For example, Visa USA has revealed that fraud related to eCommerce now accounts for 10% of the fraud it records despite eCommerce accounting for only 5% of sales volumes.

Card not present (CNP) fraud, of which online fraud is a component, is also rapidly increasing in significance. According to Visa EU statistics, CNP fraud now accounts for 23% of total card fraud up from 20% in 2000 and 8% in 1997.

Authentication in the online environment problematic

In an offline environment credit cards can be authenticated at the point of sale. The merchant verifies that the individual making the purchase is also the person to whom the card belongs by checking the signature the cardholder provides with that on the reverse of the card. If the signatures match, and the card is verified, the sale is agreed.

In an online environment, and indeed via other channels such as mail order and over the telephone, authentication is more difficult. The merchant is unable to see the card or to verify a signature. This weakness gives rise to CNP fraud since ultimately anybody can provide anybody else's credit card details and, assuming the card has not been reported lost or stolen and the funds are available, the sale will be agreed.

Card scheme security initiatives have checkered history

A number of card scheme security initiatives have been launched over the last decade in order to tackle the problem of online card fraud. Secure Electronic Transaction (SET) was launched in 1996 following co-operation between Visa, MasterCard and American Express. SET built upon the security provided by Secure Sockets layer (SSL) by not only encrypting information transferred between customer and merchant but also by authenticating both parties using digital certificates issued by a trusted issuing authority.

However, SET never really caught on, achieving only limited rollout in Scandinavia and continental Europe. Critically, it failed to become established in the US, which is so often the global leader in this field. It was ultimately too complicated and engaging for cardholders and merchants especially since it required both parties to download additional software.

SET evolved into 3D-SET. 3D-SET sought to improve on SET by being server rather than customer based. However, it too failed to garner the interest of consumers, merchants and card issuers.

Visa, MasterCard and Maestro have all launched initiatives

Several new card scheme security initiatives have been launched within the last few years. Visa's Verified by Visa is based on the 3D-Secure protocol and requires that cardholders enroll at their card issuer's website. Once enrolled they are able use the service to purchase goods and services from any participating online merchant. At the payment page they are requested to pass through an authentication procedure. Once the merchant and card issuer have verified the input the sale can be completed.

MasterCard's Securecode functions in a similar way to Verified by Visa, although in this case it is based on the Secure Payment Application (SPA) protocol and the cardholder is required to download a digital wallet from their card issuer. Maestro's eCommerce program is based on the Online Debit Solution and functions by replacing the 19-digit debit card number with a 12-19 digit 'credit-card-like' Internet-only number. This pseudo card number is entered in the same way as a credit card number and is stored by a wallet downloaded by the cardholder.

Liability shift will help ensure merchant acceptance

To encourage merchant uptake of their security initiatives the card schemes have removed the liability for 'chargebacks' (where the consumer denies they made a card purchase for which they have been billed) from merchants. Consequently, Visa announced that from April 2003 merchants will not have to meet the cost of chargebacks regardless of whether the card issuer is participating in Verified by Visa or whether the cardholder is enrolled.

From November 2002 MasterCard announced that card issuers would no longer be able to pass the cost of a fraudulent transaction on to merchants, assuming the cardholder is enrolled in SecureCode and used the system to make the purchase in question. This year MasterCard will consider shifting the liability for all transactions away from merchants in cases where the cardholder is authenticated by the merchant.

The liability shift from merchants to card issuers should be regarded as a masterstroke by the card schemes. As merchants pass on liability to card issuers there will be added incentive for card issuers not only to adopt the security initiatives but also to promote cardholder uptake. It is at the card issuer's website that consumers enrol for the initiatives and hence it is card issuers who will be in the best position to promote adoption.

Higher rates of cardholder adoption will encourage more merchants to adopt the technology and hence generate even more incentive for card issuers to promote further adoption. Thus, the card schemes have generated a self-perpetuating system of cardholder and merchant adoption and card issuer promotion.

Verified by Visa is growing rapidly

Visa is so far winning the race to ensure maximum merchant and issuer acceptance and cardholder adoption. More than 100 merchants in the US and EU now accept payments made using Verified by Visa and more than 6,000 card issuers now offer Verified by Visa to their cardholders.

The number of cardholders enrolled in Verified by Visa is now believed to be well in advance of 10 million. MasterCard and Maestro are some way behind Visa in terms of the number of merchants, issuers and cardholders enrolled. Both card schemes are, however, working on merchant and card issuer acceptance and are likely to launch major cardholder focused marketing campaigns in the near future.

An increasing need for card scheme security initiatives

Research predicts that consumer eCommerce payment volumes will continue to increase in coming years such that volumes could surpass E200 billion by 2007. However, the growth of eCommerce volumes will be followed by a coincident rise in online card fraud as measures to tackle offline fraud make headway. Success in preventing offline fraud will encourage fraudsters to seek opportunities in the online space; and the card scheme security initiatives are not extensive enough to provide much of a deterrent.

Given this situation, the card schemes must work hard to boost acceptance and enrollment as quickly as possible. The card schemes are already doing this to a degree, although there is much more that they can do. Additional action is critical, as only widespread acceptance and enrollment by all parties will guarantee the initiatives' success.