News

Payment Pain

eStar chief technology officer Matt Neale asks why are the banks holding retailers hostage?

Unfortunately, fraud is part and parcel of retail trading online. But I have a question. Why are retailers still being forced to carry the risk of ‘card-not-present’ credit card transactions, which account for around 60% of online retail sales?

By contrast, in a ‘card-present transaction’ the issuing bank carries the liability for any fraud (or ‘chargebacks’) arising, all based on the premise that the merchant and the bank can validate the customer is the rightful user of the card.

But for online transactions, the merchant (apparently) can’t verify the customer, and simply because the card is not physically present the merchant carries the liability for any and all fraud.

Yet ‘card-not-present’ transactions have multiple layers of protection, must pass information securely, only go through organisations assessed for stringent levels of security, take appropriate steps to secure and protect the information on the card, and do this in such a way that they can be assessed to ensure the safety of it.

And all the while ‘card present’ transactions get away with much less. How many layers of security exist in 99% of taxis, restaurants, train stations, supermarkets and other places where you drag your card out? When was the last time anyone checked your signature?

Simply by taking your card out of your wallet these days, you’re at risk from any number of cameras capturing the front and back of your card with today’s amazingly photogenic detail. Yet the banks are saying card present is a secure, risk free transaction, when clearly it’s not. But when those compromised details are used online, it’s no longer their problem?

I call that nonsense – it’s entirely the banks’ problem – it’s their mechanism, it’s their card! It even says so, in legible print, that ‘your’ card remains the property of the bank. Surely then, they are responsible for keeping it safe?

We’ll accept they share a responsibility with the cardholder, but tell me when a merchant, taking all precautions when processing, is responsible for a fraud arising from circumstances completely out of their control?

It’s become apparent that banks are hiding behind their latest parapet – the CNP Fraud Mitigation Framework. There is nothing wrong with the goals of the framework itself, in fact as I’ve opined previously, it’s a sensible framework. But it’s not being used to help retailers, it’s being used as a weapon against them, if only to do nothing more about liability for card-not-present fraud.

Right about now, the banks will poke their heads up from behind their parapet and say, “but we have a way of validating customers (for online transactions), and we’ll accept the liability”. It’s called 3D-Secure.

3DS goes by the name of MasterCard SecureCode, Verified by Visa. Sounds like the perfect solution, right? Except, it’s not. It’s a scary and terrible process for consumers who just want to buy more frocks, it was never fit for retail purposes, and remains that way.

In Australia, merchants who’ve used 3DS have reported conversion (sales) losses consistently in excess of 12%, and so – unless your credit card fraud is at least 12% of your sales – why bother?

It’s simply cheaper for a retailer to accept the fraud, than prevent the fraud.

It’s unconscionable in this online age, that legitimate merchants carry all the risk, all the cost, and the threat of fines simply because of the abject failure of the banks and card brands to provide a truly secure and convenient payment technology.

I want to see change. I want to see the banks and cards take responsibility and keep up. In contrast, every single one of the new buy now, pay later providers accept this responsibility.

Retailers as a whole, need to take charge of this. You need to push back and challenge your banks to do better to prevent online fraud. Tell them they need to upgrade their payment mechanisms, and take the risk from those archaic and insecure numbers on those little plastic cards.

Payment Pain

0 Comments