MANY OF MY FRIENDS and acquaintances are still reluctant to use their credit-card numbers on the Internet, even to buy from well-known merchants over secure connections, and even when their credit-card issuers offer full protection against fraudulent charges. This side of the Internet fraud problem has received much more attention than the other side: that Internet merchants have no really effective way to protect themselves against credit-card fraud.
Standard credit-card processing software will give the merchant an approval if the card account is valid and has enough open credit to cover the sale. For cards issued by U.S. banks, there is an additional security feature called the Address Verification System, or AVS. This compares the billing address associated with the card with the one entered by the merchant. The system works fairly well for goods shipped to billing addresses in the U.S.
But there are two major gaps in protection. First, and most seriously, there is no AVS for cards issued by foreign banks. In other words, there is no way for a merchant to use the standard credit-card processing system to guarantee that a foreign credit-card transaction is valid. This forces merchants to use heuristic, and sometimes arbitrary, measures for fraud screening. My company, for example, won’t fulfill orders from Romania, having been burned a few times too many. Customers with Hotmail or other free, Web-based e-mail accounts have a point or two against them. Express shipping, ordering many items, and ordering the latest games (instead of reference or educational software) all reduce the likelihood that we’ll accept the order. The case is similar for U.S. cards when the goods are shipped to an address other than the card’s billing address.
If we guess wrong and ship an order that turns out to be fraudulent – we usually find out months later – we get a “chargeback,” meaning that the amount we received for the order is taken back from us. If we guess wrong the other way, refusing to ship a legitimate order, we risk alienating potential customers. My company manages to keep its chargebacks very low, but it’s frustrating to be in this situation where there is no way to avoid doing the wrong thing from time to time. There are commercial fraud-screening services that filter credit-card transactions automatically, applying these and other checks, but they are not perfect. We have had limited success referring fraudulent transactions to collection agencies.
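The point-based screening described above, and the two ways it can guess wrong, can be sketched as a small rule table with a review band between accepting and declining. This is an added example, not the author's or any screening service's code; every weight, threshold, list and field name in it is an assumption made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# All weights, thresholds and lists below are constructed for illustration.
FREE_MAIL_DOMAINS = {"hotmail.com"}
REFUSED_COUNTRIES = {"RO"}          # orders refused outright
REVIEW_AT, DECLINE_AT = 3, 5        # score bands: accept < 3 <= review < 5 <= decline
MANY_ITEMS = 4

@dataclass
class Order:
    email: str
    order_country: str              # ISO 3166 alpha-2 code the order comes from
    avs_match: Optional[bool]       # None: the issuing bank offers no AVS
    ships_to_billing: bool
    express: bool
    items: list                     # one category per item, e.g. "game", "reference"

def screen(order):
    """Return (decision, score, reasons) for one order."""
    if order.order_country in REFUSED_COUNTRIES:
        return "decline", None, ["country refused outright"]
    domain = order.email.rsplit("@", 1)[-1].lower()
    rules = [  # (condition, points against the order, reason)
        (order.avs_match is None, 2, "no AVS available for this issuer"),
        (order.avs_match is False, 3, "AVS billing address mismatch"),
        (not order.ships_to_billing, 2, "ships to a non-billing address"),
        (domain in FREE_MAIL_DOMAINS, 1, "free web-based e-mail"),
        (order.express, 1, "express shipping"),
        (len(order.items) >= MANY_ITEMS, 1, "many items"),
        ("game" in order.items, 1, "latest games in the order"),
    ]
    hits = [(pts, why) for cond, pts, why in rules if cond]
    score = sum(pts for pts, _ in hits)
    if score >= DECLINE_AT:
        decision = "decline"
    elif score >= REVIEW_AT:
        decision = "review"         # a person decides instead of guessing either way
    else:
        decision = "accept"
    return decision, score, [why for _, why in hits]

if __name__ == "__main__":
    # Constructed sample orders.
    for o in (Order("a@isp.example", "US", True, True, False, ["reference"]),
              Order("c@hotmail.com", "US", True, False, False, ["educational"]),
              Order("b@hotmail.com", "FR", None, True, True, ["game"] * 5)):
        print(screen(o))
```

Lowering `DECLINE_AT` trades chargebacks for refused legitimate customers, and raising it does the reverse; the review band only moves the borderline cases to a human.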
How can Internet credit-card thieves work with such impunity? After all, they must give their addresses in order to receive their ill-gotten goods. Part of the answer is that most of the crimes are difficult enough to prove and small enough in magnitude that they’re never reported to the police. Even if they were, the police wouldn’t bother with them. I’d like to propose the establishment of an international online clearing-house for information about these crimes, funded in part by Mastercard, Visa and American Express. It would allow defrauded merchants to submit fraud reports electronically, making the reports easily accessible to law-enforcement officials in all jurisdictions. I’d also like to see more funds budgeted for catching and prosecuting Internet criminals.
Also to blame is the anything-goes, wild-west culture of the Internet. For some, credit-card thievery is a game like hacking into computers, totally disconnected from real life. I hope that, as more generations grow up with the Internet, young people can be taught that the Internet is part of the fabric of life, and that actions taken via computer are just as real, and have just as real consequences as actions taken in person.
Why can’t we have AVS that works for overseas cards? I can understand why it might be hard for Romanian banks to implement, but why not in France and Finland?
Some form of strong authentication of the purchaser would also help with the problem. The Secure Electronic Transaction (SET) protocol, which would have provided this, seems to be dead now. I applaud American Express for issuing its cool new Blue smart-card credit card which, when used with a smart-card reader, can definitively authenticate the purchaser to a merchant who is properly set up. Another possibility would be to redesign the Internet to strongly authenticate all users. I’ll discuss this in another column.