Practical Ecommerce

Interview: The Future Of Credit Card Fraud

The risk of credit card fraud and identity theft remain important issues for many potential ecommerce consumers. Practical eCommerce asked John Munsell, founder and CEO of Bizzuka, a web design and development firm, his views on the evolution of online fraud.

John Munsell

PeC: The risk of a stolen credit card number or stolen identity prevents many consumers from purchasing products online. Do you see this risk increasing or decreasing in coming years and why?

MUNSELL: Most people think that buying online is risky, but when you look at Internet fraud as a whole and take out spyware, viruses, phishing, etc., you’ll find that online transactions (ecommerce) only account for .3 percent of all identity thefts. Stated differently, you’re 99.7 percent more likely to have your identity stolen from some method other than buying from an online vendor.

With PCI [Payment Card Industry] compliance, vendors are required to harden their code and make access to personal information more secure. For instance, in order for our ecommerce engine to maintain its PCI certification, we are scanned by a third-party every night, and then we are tested to ensure we’re not exposed. If we are, we’re notified and we have between 24 and 72 hours to seal the leak, so-to-speak. If we miss the deadline, we lose our certification until we’ve completely sealed off the vulnerability.

The bottom line is, PCI compliance makes online purchasing much more secure.

PeC: Speaking of PCI, there is much confusion concerning PCI compliance among merchants and consumers. What is PCI compliance? Are merchants responsible? Is it voluntary or mandatory for merchants to comply?

MUNSELL: PCI compliance is, in essence, a joint venture between American Express, MasterCard, Visa, Discover and JCB [a Japan-based credit card issuer] to protect cardholders from identity theft with an emphasis on security breaches. It is a set of security standards set forth by these major credit card companies, and failure to comply can result in fines, from the credit card companies, ranging from $5,000 to $25,000 per month. In 2006, Visa alone levied almost $5 million in fines.

They’ve broken compliance for merchants down into four areas of risk: Level 1 merchants, Level 2 merchants, Level 3 merchants and Level 4 merchants. These levels are arranged by the transaction volume of the merchant, where Level 1 is a merchant handling over 6,000,000 transactions per year and Level 4 merchants handle fewer than 20,000 transactions per year. Compliance at all levels is mandatory, but reporting and scanning requirements differ depending upon transaction volume.

PeC: Five years from now, what types of fraud will merchants be dealing with, in your view? What are the new types of fraud prevention software and tools that you see in the future?

MUNSELL: That’s a crystal ball question if ever there was one! Secure ecommerce vendors and hackers have a relationship kind of like police radar gun manufacturers and the radar detector industry. As long as there is a lust for money, there will be people out there creating new ways to cheat people out of it. And, in the online world, as soon as someone creates software to deliver a secure transaction, someone will be out there trying to figure out how to defeat it.

PeC: Many states have enacted laws that make merchants liable for insecure websites. Is this a legal trend that will continue, in your view?

MUNSELL: Absolutely. But these laws won’t just stop at holding merchants accountable. I’m certain that acquirers (the banks that manage the account relationship with the merchant and clear the transaction) will also be brought into the legislation as part of their fiduciary responsibilities.

PeC: Other thoughts on online fraud?

MUNSELL: Sure. Shoppers should always check for PCI compliance before buying online. There are a number of companies out there that scan ecommerce sites to ensure PCI compliance. A list of approved vendors can be found here:

Make sure that the vendor site displays one of these vendor symbols and click on the symbol to verify that it is, in fact, authentic. Scan Alert (Hacker Safe logo), Control Scan, Cybertrust, and VeriSign are some of the more commonly-known vendors out there.

Merchants evaluating website or ecommerce solution providers should make sure that their vendors provide PCI compliance before proceeding with that vendor. Merchants should also check to make sure that compliance by the vendor is ongoing, and not just during the delivery phase of the website. I’ve seen a lot of merchants buy a shopping cart that was PCI compliant at the time of delivery, but 48 hours later, the cart became non-compliant and the vendor either disappeared or asked for more money to retain compliance.

Practical Ecommerce

Practical Ecommerce

Bio   •   RSS Feed


Sign up for our email newsletter

  1. Legacy User October 30, 2007 Reply

    Great interview. While it's less likely that a card number is stolen during an online transaction, and PCI compliance makes that even less likely, the online merchant is also at risk because a card number stolen elsewhere is often used online. The thief sees this as anonymous and relatively safe. Card company rules make the merchant liable for the full amount of the loss in such 'card not present' transactions. Online merchants might want to look into automated solutions to limit this exposure. A company called Accertify offers one such solution, and others can be found through search engine searches.

    — *Gary Doernhoefer*

  2. Legacy User October 30, 2007 Reply


    I found this very interesting… I'm writing on protection against credit card fraud myself, feel free to visit me.

    — *Al*

  3. Legacy User October 30, 2007 Reply

    Here is a company to keep an eye on in this space:

    — *Nissim*

  4. Legacy User October 30, 2007 Reply

    This article could clear up a lot of questions merchants currently have about PCI/CISP. It is an aspect of their business that they rarely factor into the costs of opening a business online. Opening an online store without going through the steps of being compliant is a risk no merchant should take. I have spoken to businesses that were compromised already, and going through the steps of opening a store again after being blackballed and fined by Visa isn't easy for anyone.

    Michelle Greer

    — *Michelle Greer*