Ed Kountz of jupiter in his recent blog on Alternative online Payments offers an opinion that credit and debit cards where not designed for the Internet. It is interesting to reflect back in history and remember when it was not the magnetic strip that was important to the execution of the transaction but the numbers printed on the front of the card a merchant could simply would say into a phone or type onto their telephone keypad to get an authorization.
Move to the Internet and instead of asking the merchant to type in the account number and expiry date we ask the consumer to fill in an Internet form. How can one argue that ISO7810-3 cards where not built for the Internet.
Back in the day, circa 1993, when we began to think about how we would secure payments over the Internet and address words like dis-intermediation. It was clear that by any definition the ubiquitous credit card was already a vehicle for enabling eCommerce. All the internet did was to take mail order and catalogue business and give it the power to become a global operation; no longer limited by the cost of a telephone call or postage. Nowadays, of course, the internet has become such a vital part of our everyday lives, with people looking up things like “internet in my area” to make sure that they are getting the best deals possible so that they can be confident that their connection won’t let them down.
And, of course, Mr Kountz is correct, there is a real issue with security and the Internet. Yet the issue is no greater than what was faced when Card Not Present transactions started happening as telephone ordering became common place. Did the payment associations attempt to keep up? MAYBE!
First we saw the introduction of CVC2/CVV2 and address verification as tools to address the risks of someone who had captured the data on the face of the card from employing that card maliciously. Not a bad solution, if the merchant was willing to make the changes to their web sites and call center procedures.
Next came SET, now here was the perfect solution, yet at a cost that simply did not offer anyone a reason return on investment; even if Card Not Present Fraud was an issue. Since then the payment associations tried to develop a simpler yet equally secure solution called 3D-Secure, Verified by Visa or SecureCode. The idea is sound. The issue of adoption came down to the simple issue of figuring out how to get the consumer to go through the additional step of activating their 3D-Secure password and better yet remember it. Versus what became the reality, they simply said this is too difficult, I don’t need to buy that today, so they abandon the shopping cart. Merchants saw 3D-Secure as a way to lose potential business and at a rate alarmingly larger than the cost of fraudulent transactions.
So what is the answer? Create new means of payment that are designed for the specific trading environment (mobile, Internet, Mail Order, telephone Order, face to face …) or figure out how to get everyone to work together to come up with a workable solution that exploits the power of the Visa, Discover, MasterCard and American Express Brands.
In my opinion it is about communications and working together as a team. Not once has the merchant been asked to participate in developing more secure solutions to payments. They are simply told through compliance and rule changes this is what they shall do.
Maybe the new Visa and MasterCard will find that merchants are now shareholders and bringing them to the table is in the interest of everyone especially the consumer. Or is it time for a new payment Brand that is built to serve the merchant and operated by the Banks?