By Alex Salkever
When American Express rolled out its so-called disposable credit-card program in September, 2000, online security buffs cheered. Its "Private Payments" system creates a different credit-card number each time a customer uses American Express to pay for a purchase online. Should a cyberthief try to use that number again, the transaction would be rejected. The idea was to assuage customers' fears about having their info stolen online -- long cited as the No. 1 barrier to consumers feeling truly comfortable making online purchases.
Well, the private-payments system is a nice option for paranoid consumers. But it turns out that for retailers, it's a pain in the neck. The problem: Merchants usually use credit-card numbers to track shipments through their databases and respond to customer inquires on order status. In American Express' disposable credit-card system, customers will have to go back to the American Express Web site to pull out the credit-card number attached to that transaction. Alternatively, customer-service folks can search for customers by name. But that's a cumbersome process that takes more time and costs more man-hours, says Julie Fergerson, a vice-president at online purchasing software provider ClearCommerce.
Indeed, as credit-card companies get more serious about Net security, they're discovering Murphy's Law all over again -- that if anything can go wrong, it will. "People don't like to be slowed down or encumbered by some protocol, even if you tell them, 'This will save your financial life.' They will say, 'What is going to be faster for me?'" explains Bob Aguirre, manager of the special investigations unit at merchant-transaction processor Cardservices International.
You can't blame the credit-card companies for trying new antifraud strategies. Although the exact figures for credit-card fraud online remain murky, the losses likely range into tens of millions of dollars each year and are rapidly heading skyward. "Internet fraud is constantly going up. With the credit card, that is a big problem," says Steven Schutze, the director of the American Bankers Assn.'s eStrategies unit.
But changing too much too fast may prove to be an even bigger problem. For merchants, new protocols can involve costly redesigns of software and payment-processing systems. On the customer side, these alterations could mean more cumbersome transactions and, therefore, more aborted sales.
That would be on top of sky-high aborted-transaction rates already present in e-commerce. More than half of all online shoppers have called it quits before finalizing their purchases, according to Zona Research. The cancellations mainly occur due to problems with browsers or because consumers become frustrated with the buying process and just give up. Adding an extra complication would seem to be unwise.
But that's just what Visa USA plans to do. The company is in the process of rolling out a program called Verified by Visa. The plan will allow issuing banks to request an additional personal-identification number (PIN) from a cardholder to complete a transaction, according to Tom Manessis, Visa USA vice-president for E-commerce authentication. That PIN will be requested via a secure pop-up browser window. The customer must register the PIN with the card-issuing bank.
Banks could alternatively design the system so that digital certificates are placed on the user's computer to verify identity. Or smart cards could be used. Or banks could ask for any combination of these authentication steps to validate a transaction.
Sounds like a wise move. But while well intentioned, the system could mean just one more thing for the customer to remember -- not a good scenario in a world already awash in barely remembered and often forgotten online passwords.
The credit-card companies say they're just trying to find out what works and what doesn't in the new frontier of e-commerce. And they have stepped in with some laudable initiatives. For example, many merchants now use as an additional verification a three- or four-digit number (often called the CVM code or, in the case of American Express, CID) found on most credit cards. The algorithm that generates these numbers hasn't yet been broken, unlike those used to generate the 16-digit sequences that serve as the primary credit-card number. And American Express blazed new ground last year with its Blue Card program. These smart cards contain encrypted authentication chips that can be swiped through a credit-card reader attached to a computer.
But the best way to achieve security online is to look to the offline world, where ATMs have enjoyed high rates of adoption and security. The combination of a magnetic card -- similar to a credit card -- and a PIN code already works quite well for ATMs, with a minimal amount of fraud. Rather than create a new PIN code system, credit-card companies and card-issuing banks should assign their customers the same PIN they use on their primary bank account. Easy to remember, that number could be used to verify online transactions.
At the same time, Visa, American Express, and MasterCard should offer to foot the cost of building smart-card readers into the majority of keyboards sold on PCs today. AmEx already gave away thousands of free card readers to hook up to PCs when it first launched the Blue Cards. Cardservices' Aguirre estimates the cost of such terminals would be between $4 and $12, a pittance for credit-card companies when compared to their average annual per-customer take. These smart-card chips are far harder to defeat than any type of software -- such as a digital certificate -- because they're very difficult to hack.
The two mechanisms together would be an unbeatable combination of solid security and relative ease of use. Sure, fraud would still happen. But this two-step process would go a long way toward making people about as safe on the Internet as they are standing at the ATM machine, at minimal cost to all parties involved.
Salkever covers computer security issues twice a month in his Security Net column, only on BW Online
Edited by Douglas Harbrecht