Practical eCommerce

Interview: The Future Of Credit Card Fraud

Merchants and vendors will be held responsible

By: Practical eCommerce Staff
Comments: 4

The risks of credit card fraud and identity theft remain important issues for many potential ecommerce consumers. Practical eCommerce asked John Munsell, founder and CEO of Bizzuka, a web design and development firm, for his views on the evolution of online fraud.

PeC: The risk of a stolen credit card number or stolen identity prevents many consumers from purchasing products online. Do you see this risk increasing or decreasing in coming years and why?

MUNSELL: Most people think that buying online is risky, but when you look at Internet fraud as a whole and take out spyware, viruses, phishing, etc., you'll find that online transactions (ecommerce) only account for .3 percent of all identity thefts. Stated differently, you're 99.7 percent more likely to have your identity stolen from some method other than buying from an online vendor.

With PCI [Payment Card Industry] compliance, vendors are required to harden their code and make access to personal information more secure. For instance, in order for our ecommerce engine to maintain its PCI certification, we are scanned by a third party every night, and then we are tested to ensure we're not exposed. If we are, we're notified and we have between 24 and 72 hours to seal the leak, so to speak. If we miss the deadline, we lose our certification until we've completely sealed off the vulnerability.

The bottom line is, PCI compliance makes online purchasing much more secure.

PeC: Speaking of PCI, there is much confusion concerning PCI compliance among merchants and consumers. What is PCI compliance? Are merchants responsible? Is it voluntary or mandatory for merchants to comply?

MUNSELL: PCI compliance is, in essence, a joint venture between American Express, MasterCard, Visa, Discover and JCB [a Japan-based credit card issuer] to protect cardholders from identity theft with an emphasis on security breaches. It is a set of security standards set forth by these major credit card companies, and failure to comply can result in fines, from the credit card companies, ranging from $5,000 to $25,000 per month. In 2006, Visa alone levied almost $5 million in fines.

They've broken compliance for merchants down into four areas of risk: Level 1 merchants, Level 2 merchants, Level 3 merchants and Level 4 merchants. These levels are arranged by the transaction volume of the merchant, where Level 1 is a merchant handling over 6,000,000 transactions per year and Level 4 merchants handle fewer than 20,000 transactions per year. Compliance at all levels is mandatory, but reporting and scanning requirements differ depending upon transaction volume.

PeC: Five years from now, what types of fraud will merchants be dealing with, in your view? What are the new types of fraud prevention software and tools that you see in the future?

MUNSELL: That's a crystal ball question if ever there was one! Secure ecommerce vendors and hackers have a relationship kind of like police radar gun manufacturers and the radar detector industry. As long as there is a lust for money, there will be people out there creating new ways to cheat people out of it. And, in the online world, as soon as someone creates software to deliver a secure transaction, someone will be out there trying to figure out how to defeat it.

PeC: Many states have enacted laws that make merchants liable for insecure websites. Is this a legal trend that will continue, in your view?

MUNSELL: Absolutely. But these laws won't just stop at holding merchants accountable. I'm certain that acquirers (the banks that manage the account relationship with the merchant and clear the transaction) will also be brought into the legislation as part of their fiduciary responsibilities.

PeC: Other thoughts on online fraud?

MUNSELL: Sure. Shoppers should always check for PCI compliance before buying online. There are a number of companies out there that scan ecommerce sites to ensure PCI compliance. A list of approved vendors can be found here: Pcisecuritystandards.org/pdfs/asv_report.html.

Make sure that the vendor site displays one of these vendor symbols and click on the symbol to verify that it is, in fact, authentic. Scan Alert (Hacker Safe logo), Control Scan, Cybertrust, and VeriSign are some of the more commonly known vendors out there.

Merchants evaluating website or ecommerce solution providers should make sure that their vendors provide PCI compliance before proceeding with that vendor. Merchants should also check to make sure that compliance by the vendor is ongoing, and not just during the delivery phase of the website. I've seen a lot of merchants buy a shopping cart that was PCI compliant at the time of delivery, but 48 hours later, the cart became non-compliant and the vendor either disappeared or asked for more money to retain compliance.

Published on Monday, October 29, 2007

Comments:

Great interview. While it's less likely that a card number is stolen during an online transaction, and PCI compliance makes that even less likely, the online merchant is also at risk because a card number stolen elsewhere is often used online. The thief sees this as anonymous and relatively safe. Card company rules make the merchant liable for the full amount of the loss in such 'card not present' transactions. Online merchants might want to look into automated solutions to limit this exposure. A company called Accertify offers one such solution, and others can be found through search engine searches.

Posted by: Gary Doernhoefer
Tuesday, October 30, 2007

Hello,

I found this very interesting... I'm writing on protection against credit card fraud myself, feel free to visit me.

http://iamcreating.blogspot.com/

Posted by: Al
Tuesday, October 30, 2007

Here is a company to keep an eye on in this space:
www.fraudsciences.com

Posted by: Nissim
Tuesday, October 30, 2007

This article could clear up a lot of questions merchants currently have about PCI/CISP. It is an aspect of their business that they rarely factor into the costs of opening a business online. Opening an online store without going through the steps of being compliant is a risk no merchant should take. I have spoken to businesses that were compromised already, and going through the steps of opening a store again after being blackballed and fined by Visa isn't easy for anyone.

Regards,
Michelle Greer
http://www.volusion.com

Posted by: Michelle Greer
Tuesday, October 30, 2007

Copyright 2007 Confluence Distribution, Inc. and Practical eCommerce.
All Rights Reserved.
