Credit card payment through the internet is rising in popularity, and there is considerable choice of software for processing such payments. Yet New Zealand consumers still have some qualms about entrusting their credit card number to the internet, banks say. And merchants still worry there aren't enough ways to identify fraudulent use of cards and compensate customers and retailers for the money lost. The charge generally comes back to the merchant.
Rob Campbell, card services manager for ASB Bank, acknowledges that there are “still significant issues with card-not-present transactions”. The bank is working to extend authentication software, by including a PIN, for example, known only to the legitimate user, and requested for internet and Eftpos transactions.
But procedures must abide by international standards, he says, and the necessary features of a piece of payment software are primarily dictated by the card companies like Visa and Mastercard.
The credit card is, perhaps unfortunately, the only payment system “configured for use with the internet according to internationally agreed standards”, Campbell says.
Alternative schemes like electronic wallets are still restricted in their use and not available to overseas visitors.
ETSL (Electronic Transaction Systems), with four of the major banks, ASB, BNZ, Westpac and National, as shareholders, provides a system integrated into its Eftpos switch. This software is provided by Australian company QSI, which came out top two years ago in a competitive evaluation conducted by ETSL on behalf of its shareholder banks.
The essential software is the same, says ETSL spokesman Alan Martin, but each bank puts its own face on the common infrastructure, with some detail adjustments to the software and a different marketing strategy.
Given adherence to international principles, the software chosen is very bank-specific, says Errol Lizamore of the Bankers’ Association. Interoperability between banks is, however, seen as a priority and the association is currently playing a role along with the banks in working on standards in this area.
The software generating the “secure” page the internet customer sees after choosing the purchases and “going to the checkout” can be provided either by the merchant or the merchant’s bank. The customer enters his/her card details, which go to the retailer's bank via a secure internet connection. In the more advanced version of payment processing, known as the “three party model”, the retailer's bank then sends an authorisation request through the international credit card network to the authorisation system of the card-issuing bank. This system approves or declines the transaction after checking available funds, lists of stolen cards, and the validity of input information such as card number and expiry date.
The response reaches the retailer from the card issuer via the retailer's bank, typically in 10 to 30 seconds. The retailer's bank pays the retailer for the value of the goods, and sends a message through the credit card network requesting reimbursement by the card-issuing bank. The cardholder's bank posts the transaction against the customer's account and reports it on the next statement.
Such a scheme ought to mean that the merchant never sees the customer’s credit card number, and problems with poor control of the information at the merchant’s end, or simply an unscrupulous merchant, are bypassed.
This is the scheme used by ETSL’s QSI software, and available to banks that use that system. But most, says BNZ’s head of transactional payments, Russell Briant, use a “two-party” model, whereby the payment page is maintained by the merchant, who will therefore have the credit card number in its systems.
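The difference between the two-party and three-party models described above, as an added sketch that is not ETSL's, QSI's or any bank's software: it simulates one purchase under each model and reports what ends up in the merchant's records. All function names and the sample data are assumptions made for illustration, and the Luhn check-digit test stands in for the card-number validity check the article mentions.

```python
from datetime import date

# Constructed sample data: published test card numbers, not real accounts.
STOLEN_CARDS = {"4012888888881881"}
AVAILABLE_FUNDS = {"4111111111111111": 500.00, "4012888888881881": 900.00}

def luhn_ok(pan):
    """Check-digit test, assumed here as the card-number validity check."""
    if not pan.isdigit():
        return False
    digits = [int(c) for c in reversed(pan)]
    doubled = sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return (sum(digits[0::2]) + doubled) % 10 == 0

def issuer_authorise(pan, expiry, amount, today):
    """Card-issuing bank: input validity, stolen-card list, available funds."""
    if not luhn_ok(pan) or expiry < (today.year, today.month):
        return "DECLINED: invalid card details"
    if pan in STOLEN_CARDS:
        return "DECLINED: card reported stolen"
    if AVAILABLE_FUNDS.get(pan, 0.0) < amount:
        return "DECLINED: insufficient funds"
    return "APPROVED"

def checkout(model, order_id, pan, expiry, amount, today):
    """Run one purchase; return (result, everything the merchant's systems hold)."""
    merchant_records = {"order": order_id, "amount": amount}
    if model == "two-party":
        # Payment page is the merchant's: card details land in its systems
        # before being passed to the merchant's bank.
        merchant_records.update(pan=pan, expiry=expiry)
    elif model != "three-party":
        raise ValueError("unknown model: " + model)
    # In both models the retailer's bank relays the request to the issuer
    # and relays the answer back to the retailer.
    result = issuer_authorise(pan, expiry, amount, today)
    merchant_records["result"] = result
    return result, merchant_records

def merchant_holds_card_number(records, pan):
    """True if the card number appears anywhere in the merchant's records."""
    return pan in map(str, records.values())

if __name__ == "__main__":
    today, pan = date(2002, 7, 1), "4111111111111111"
    for model in ("two-party", "three-party"):
        result, records = checkout(model, "A1001", pan, (2003, 12), 120.0, today)
        print(model, result, "| merchant holds card number:",
              merchant_holds_card_number(records, pan))
```
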
BNZ offers merchants both its BuyLine system, developed by the bank itself in 1997, and the new BNZ Secure system using the ETSL three-party infrastructure.
It’s a bit too soon in the evolution of e-commerce to "overly commoditise" and have all banks providing the same system to merchants, Briant says.
BNZ does not dictate that its business customers selling over the internet use the client end of BuyLine or BNZSecure, he says. “We’re happy to connect in ways that make sense to our customers, where that is possible.”
There are different ways for merchants to integrate their processing with ETSL’s software, ASB’s Martin says, and the choice is up to the merchant. The fundamental choice is between putting software on their own computer system or using a hosting service such as that provided by Auckland’s Direct Payment Solutions.
The card companies are working on more secure authentication for their end of the payment process; they are, after all, primarily responsible for assuring themselves, the merchant and the bank that the person presenting the card is the legitimate cardholder.
Visa is introducing internationally the “Verified by Visa” scheme (see ANZ boosts Eftpos security). This provides a user-specified password to authenticate the user to the card company and bank, and a “personal assurance message” (PAM), again selected by the user and sent to the bank on registering. The PAM is sent back when a transaction is initiated, verifying for the customer that he/she is dealing with the bank and not some interloper.
ANZ led the way in adopting Verified by Visa, in tandem with its Zed chip-card. BNZ is “in the process of deploying it”, Briant says. “In six to eight weeks [from June 28] we will receive our final specification, and we should have the system running by late this year or early next. There is a mandate from Visa International that all [Visa-issuing] banks should have Verified by Visa running by April 1, 2003.”
Mastercard is also progressing with a similar facility called SPA (secure payment application).