Banks are rushing to address merchant concerns over credit card fraud online after the issue was raised by merchants in Computerworld last month.
First out of the traps is ASB Bank with its Access On Line (AOL) system which promises to enable the full online authorisation of credit cards rather than the limited version available at the moment.
"It will be a great help to merchants," says Ihug's electronic commerce manager Frances Wiese, who spoke out about the issue at a meeting of merchants and bankers in May.
Wiese is trialling the software and hopes to have a package ready to roll out to merchants within a couple of weeks.
The BNZ is pointing to its online transaction process - BuyLine - which requires a high level of authorisation for credit card transactions.
As reported in Computerworld May 24 most settlement systems are designed to afford cardholders the highest levels of security. Merchants are often unable to assess whether the credit card number being offered is real or fake.
Fraudsters may use an online number generator to create false credit card details or they can steal the number from an unsuspecting card holder. The current system doesn't check to see if the card number matches the name given for the transaction. "It only checks to see if the card number could exist," says Wiese.
A full authorisation check means the bank looks at the card number, card holder's name and credit limit. If the bank then authorises the transaction, and it is subsequently proven to be false, it is the bank which carries the cost, not the merchant.
"This isn't the complete answer to fraud," says Wiese, "but it is a step in the right direction." Now merchants need no longer be concerned about having done everything right and still been caught out, she says.
"There have been cases in the US of merchants having their servers stolen by people searching for credit card details," says ASB Bank's general manager for technology, Garry Fissenden, who is aware of the merchants' concerns. ASB Bank's AOL system has used a method of triangulation to combat this kind of exposure where the customer details are passed straight to the merchant's bank, which then either accepts or declines the transaction. The merchant never sees the customer details.
"This means merchants have no way of tracking fraud," says Wiese. "They carry the whole risk of the transaction."
BNZ product manager for electronic payments, Russell Briant, says full authorisation alone will not be enough to stamp out credit card fraud online.
"There are certain levels . PIN is one and signature is another. But neither adapt well to an online environment. Things like chips and digital certificates will fill that gap in due course, but you need the critical mass around the world first."
Wiese agrees that full credit card authorisation is only the beginning. "It doesn't solve the fraud - it only moves the risk from the merchant to the bank." But she hopes more merchants will feel secure enough to move online.