Lack of timely bank protection for retailers against fraud on the internet could stymie the growth of internet shopping or force retailers to take the law into their own hands, says one large retailer.
If a buyer operates with a stolen physical credit card, the process of notification by the owner to the bank and on to retailers is fairly swift, says Woolworths e-commerce manager Richard Harrison, because the card's legitimate owner usually tells the bank quickly. But if the offender has simply noted down a credit card number without stealing the card, the process takes much longer.
With internet fraud the true owner of the number will only detect an unaccounted-for transaction on a monthly card statement. The bank has to then check that out. If the transaction proves fraudulent, the bank notifies the retailer involved and other merchants. The time between transaction and notification can be as long as two or three months, says Harrison – “by that time, the trail’s gone cold”, and the retailer cannot find the original buyer. This means the retailer has to bear the cost of the transaction.
Harrison says banks charge a higher fee for processing an electronic transaction than a manual one; they explain that as a measure of the increased risk inherent in electronic buying and selling compared to bricks-and-mortar trade. “But then if there’s a fraud, we end up paying the cost of it anyway, so we’re effectively being charged twice,” Harrison says.
Woolworths tries to minimise the risk by “profiling” the characteristics of people who have signed up to its electronic channel and put through fraudulent transactions. Any new subscriber with similar characteristics is checked out extra carefully. Harrison has described to Computerworld some of the characteristics Woolworths looks for, but does not want them published for obvious reasons.
He says, though, that the number of defaulters on direct debit arrangments currently exceeds those operating with credit cards.
He doubts whether the time lag in notification can be reduced, as it relies on the customer’s speed of response. He suggests rather that the banks put in more effort up front, perhaps by requiring a PIN to be attached to every credit card and required to process any transaction.
Card issuers have recently introduced a modicum of increased protection against misusers of credit card slips by including another three or four digits after the card number, printed on the back of the card, where it makes no impression on the slip. But if someone gets a chance to handle the physical card, they can note down that number, Harrison says. “What we need is a number that is known only to the legitimate cardholder.”
If the banks don’t tackle the problem, retailers may be forced to take unilateral action and begin swapping dubious credit card numbers among themselves without the banks’ aid, he says - adding that this would obviously raise serious privacy concerns.
But if something is not done, the proportion of merchants willing to accept online transactions may level off or even shrink, says Harrison.