Credit-Card Firms Bump Up Security

No one knows definitively what effect wavering e-confidence has on e-commerce.

No one knows definitively what effect wavering e-confidence has on e-commerce. But credit-card companies arent waiting for conclusive evidence to try to assuage consumer fears about online shopping.

U.S. online retail revenue is supposed to leap from $24 billion in 2000 to $118 billion in 2004, according to Jupiter Media Metrix. But the consensus of several recent reports on consumer feelings about online transactions indicates that faith in Internet security is still severely in doubt. In a telephone survey conducted by, 45 percent of respondents said online buying threatened their privacy.

Its enough to force credit-card companies — which provide the primary payment mechanisms on the Internet — to take more serious measures. MasterCard International this month announced the Secure Payment Application, a system designed to better authenticate Internet credit-card users. The SPA issues unique identifiers to cardholders for each online transaction through an e-wallet, which automatically fills out order forms on e-merchants Web sites.

That unique transaction identifier is authenticated by the credit-card issuer, thus removing the responsibility for such headaches as "charge-backs" — costs incurred when a purchaser disputes a charge — from the e-merchant, according to MasterCard.

"Were trying to lay the foundation for authentication, whereby a security schema thats deployed will be able to provide explicit evidence that a cardholder shopped online at a given merchant for a given transaction amount," says Bruce Rutherford, MasterCards vice president of global e-business.

MasterCard has also developed Site Date Protection, a consulting service for merchants and financial institutions that is designed to help reduce network vulnerabilities to hacker intrusion. MasterCard will offer the SDP service in the fourth quarter of 2001 in conjunction with three security consulting companies: Marsh, Predictive Systems and Ubizen.

Adopting MasterCards new security technology is in the best interests of e-merchants, says Theodore Iacobuzio, senior analyst at TowerGroup, a financial services research firm. For one thing, the credit-card hacking schemes "coming out of Russia and Eastern Europe right now are amazingly sophisticated," Iacobuzio says. "I dont think its terribly hard work to implement [SPA], and its something theyre going to have to do to stay in business anyway."

Visa U.S.A. has taken its online security procedures a step further: It has required merchants to implement them as part of its Cardholder Information Security Program (CISP), which outlines 12 measures that a merchant must take to continue offering Visa as a payment option for customers. Most of the requirements are basic, such as maintaining a firewall, encrypting stored data and regularly updating antivirus protection.

The deadline for complying with Visas CISP was May 1. Now, to make sure e-merchants are taking the program seriously, Visa has begun assessing its top 100 Internet customers — which account for 70 percent of Visas online business — as well as randomly testing smaller merchants.

"The biggest factor to make this successful is consumer confidence," says Jean Bruesewitz, senior vice president at Visas advanced risk solutions division. "Therefore, were making the consumers feel as safe in the e-commerce community as they do at [offline] points of sale."

Meanwhile, American Express approach to preventing fraudulent online purchases has been to let consumers choose their level of safety. American Express Blue cards contain a smart chip that works with either a smart-card reader that customers can acquire free from American Express, a Compaq Computer keyboard with a smart-card reader that sells for $59.99 to American Express customers or most standard smart-card readers.

American Express also has a Private Payments program, which allows consumers to enter a one-time number — not associated with their actual credit-card number — each time they make an online transaction.