Online Data Security for Ecommerce

I read a great article today written by Steve Mott of Better By Design that was published in Digital Transactions about online security for ecommerce merchants. It provides a nice historical overview of online security and outlines the debate that is currently going on between issuing banks, credit card processors, and merchants. It also provides some needed context to my previous post Verified by Visa is not working.

Go back to 1995, when buying on the Web really got under way, to see how logic got stood on its head. That's when the bank card associations worked closely with the key Internet infrastructure providers and an assortment of security firms to come up with a protocol that would provide substantive digital identification and verification of all parties to an online credit card transaction. The result was the much ballyhooed but quickly jettisoned Secure Electronic Transaction (SET) protocol. SET proved to be overkill: too slow and expensive for most consumers to use. So the first generation of e-commerce went on its merry way without it.

The bank card associations didn't give up, however. Several years later, a stripped-down version of SET emerged, called 3-D Secure. 3-D means "three domains," that is, the card-issuing bank, the acquiring processor, and the merchant all required extra digital security, but the consumer did not. All the consumer had to do was register the card and validate himself with an additional log-on each time it was used to make a purchase online.

Most didn't bother. So the bank card industry decided to pre-register millions of their cards to nudge them along. When those consumers went online, they were forced to confirm the pre-registration process before they could use their cards. Not surprisingly, consumers abandoned those transactions in droves, and early-adopting e-commerce retailers quickly unhooked the troublesome 3-D Secure deployments.

Meanwhile, bank card marketers touted "zero liability," letting even the most negligent or irresponsible consumers off the hook for any fraud or mishaps, whether real or intended. As many bank card veterans will attest, the vast proportion of chargebacks and so-called friendly fraud is done by a relative handful of recidivists. A zero-liability policy lays out a welcome mat for them. And it teaches the vast body of responsible consumers not to care.

Today's online merchants use a combination of old techniques (e.g., manual review of transactions, cardholder verification numbers, etc.) and new (e.g., IP address screening, geo-locator services, etc.) to pull this off. And guess what? Responsible consumers go along!

Then came the FFIEC, an acronym that rolls off tongues in the data security industry these days as easily as, say, NBA, or MLB, or NFL. The Federal Financial Institutions Examination Council, a collection of bank regulatory agencies, mandated that banks have a plan in place for a second authentication factor for online banking sessions by the end of 2006. While by some accounts as many as one-third of regulated banks did not quite meet this admittedly modest first step in online authentication, and those who did struggled a bit with somewhat clumsy deployments, it was a decidedly good start. Indications of consumer resistance were few and far between.

Good. Isn't it time for the bank card industry to finally rid itself of the one-size-fits-all mentality that ensures that merchants treat a new 16-digit BIN number and expiration date coming in from a Latvian IP address the same way they do credit card transactions from consumers who have done hundreds of transactions with them over the years? Isn't it time to quit holding the industry hostage to its relatively few bad actors, whether they be bad consumers or bad merchants?

The evidence is steadily mounting that moving to a known-customer paradigm where good consumers and good merchants can identify (and protect) each other online (and via mobile devices) is the only way for e-commerce to go, even if it has to leave the bank card industry behind to get there.
