Banks maintain they are doing their part to guard against fraudulent internet credit-card transactions rebounding on online retailers.
Woolworths e-commerce manager Richard Harrison last week suggested bank slowness could imperil the expansion of online retailing (see Woolworths warns banks over net fraud).
WestpacTrust Bank spokesman Peter Thornbury says there is a risk attached to transactions where the card is not physically sighted. “If the merchant wants to offer such transactions, it must take a measure of that risk.
“We encourage our users to read their card statement carefully, so any possibly fraudulent transactions will be identified as early as possible. But we can only act if a customer complains,” and verifying the complaint inevitably takes “some period of time”.
One solution suggested by Harrison, of requiring a PIN with every transaction, poses its own privacy and security problems, Thornbury says. The cardholder is not supposed to disclose the PIN to anybody, including a merchant.
“Merchants can do quality control on their customers,” he says, ensuring that they pay particular attention to transactions that look suspicious.
“If [Woolworths] had prompter notice of possible fraud, what would they do with that information?" Thornbury asks.
Says Harrison: “If we had the information within a few weeks, we could go to the premises where the goods were delivered, and there would be a good chance the person was still there. Months afterwards, they’d probably be gone.”
WestpacTrust, on discovering an instance of fraud, will blacklist the card number on online authorisation services, so a future transaction using it will be rejected by any merchant, says Thornbury.
The ANZ Bank also claims time lags in the investigation process. "Due to international regulations, timings for this [investigation] can be up to six months from the date of the transaction," says spokesman Peter Fisher. This time-lag cannot be reduced "at this stage", he says, though measures to shorten it are being explored.
As an earlier intervention measure, the ANZ is proposing use of tools from US-based HNC Software. Falcon Credit Card Fraud Detection has been approved for ANZ implementation, and a business case is being drawn up for Eagle Merchant Risk Management.
"Both systems analyse large samples of historical card data to produce highly predictive statistical models. For example, if a cardholder generally uses his card to buy petrol near his home in Auckland every Monday morning, a purchase on his card of stereo equipment in Queenstown at 10pm Saturday night will certainly attract Falcon's attention," says Fisher.
"Eagle performs in a similar way but its focus is on fraud activity targeted at specific merchants. By processing information from data feeds including transactions and authorisations, Eagle identifies fraudulent activity by unscrupulous employees and potentially compromised merchant facilities."
Fisher says ANZ and other banks are considering upgrade of software platforms and procedures to enable the merchant to request the CVC2 or CVV2 digits - three or four additional digits printed on the back of the card where it makes no impression on a receipt slip. A small number of US and European websites already request this. But, as Harrison points out, that number can be acquired by anyone who has examined the back of the card.
ASB Bank's card services general manager, James Mitchell, says any measures to shorten investigation time "have to be addressed at an industry level". Banks taking initiatives on their own may compromise the universal acceptability of cards on the same terms anywhere, he says.
"The best measure is prevention," he says, agreeing with WestpacTrust that distribution of the cardholder's PIN is undesirable. Some US websites require a buyer's zip code against which to check an address.
"Everyone [in the banking industry] is aware of the issues," he says. "but you can't wait until you've got all the solutions before you go out to try and get business."