Credit cards have been around in their current form since the middle of last century and including debit and prepaid cards, they remain one of the most widely used forms of electronic payment. With an ever-increasing number of services available online, ranging from shopping to paying bills, it’s therefore not surprising that credit cards continue to be a highly popular method of payment. Many sites only require a single click to complete a transaction – what could be easier?
There is a downside to credit cards, though: their popularity means they’re frequently targeted by fraudsters. The payment card industry now accepts fraud simply as a cost of doing business, and rather than aiming to eliminate criminal transactions completely, card schemes such as Visa and MasterCard focus on limiting the damage. The result is a number of safeguards designed to make sure that credit card use remains quick and easy, while minimizing the risks. With fraud losses on UK-issued cards alone totalling £249.9 million in the first half of 2015 , security clearly remains a pressing issue for the industry.
Security measures may be mandated by legislation or by the card schemes themselves. For example, the Payment Card Industry Data Security Standard (PCI DSS) requires merchants and service providers to secure payment card data which they have stored or collected in the course of a transaction. It also sets out detailed requirements for the IT environments of merchants and payment services providers and anyone who doesn’t meet these requirements isn’t permitted to perform credit card transactions. However, adherence to these standards has not prevented the continued theft of credit card details, often from major merchants.
While card-present transactions can be verified securely using the card’s chip, e-commerce transactions over the Internet often rely only on basic security measures involve verifying information such as the card expiry date, the billing address, or the security code printed on the back of the card. However, this data is not required to process a transaction in all cases and is also relatively easy for fraudsters to obtain, for example through data breaches or phishing. As a consequence, many card issuers implement pattern matching systems to try and block fraudulent transactions but will also often block legitimate transactions resulting in customer dissatisfaction.
In order to bring e-commerce transactions up to the same security level as Chip and PIN, the payment card industry introduced 3-D Secure: Customers using a card to pay over the Internet are redirected to their card issuer’s website, and then asked to enter a secret code in a pop-up window. Unfortunately, many customers then abandon the transaction, either because they’d forgotten their code, or because they had never registered with 3-D Secure in the first place. While this approach, which puts responsibility for security on the bank and the customer, may be relatively effective in terms of safeguarding card data, it continues to have a negative impact on merchant conversion rates.
Tokenisation is the latest measure being implemented to secure credit card details, whereby the merchant uses a temporary, surrogate card number instead of the real card number (PAN). This method is already being used for mobile payment (ApplePay), and is now being expanded to e-commerce payments performed through scheme operated wallets such as Visa Checkout and MasterCard’s MasterPass. Currently this strategy only works for one-time payments because a new token is required for each transaction, but both Visa and MasterCard are working to expand their tokenization services to allow “card on file” transactions including recurring billing as well as single-click shopping.
While new technologies such as tokenisation are very promising, their use is still not widespread, and merchants still struggle to balance higher sales and a good customer experience against the risk and cost of chargebacks and scheme penalties for allowing fraudulent transactions.
In the absence of a magic bullet, merchants and payment service providers are coming to realise that offering a range of non-card payment options with more advanced security features may be the best way of avoiding fraudulent transactions without reducing sales.