The risk of credit card fraud and identity theft remains an important issue for many potential ecommerce consumers. Practical eCommerce asked John Munsell, founder and CEO of Bizzuka, a web design and development firm, for his views on the evolution of online fraud.
PeC: The risk of a stolen credit card number or stolen identity prevents many consumers from purchasing products online. Do you see this risk increasing or decreasing in coming years and why?
MUNSELL: Most people think that buying online is risky, but when you look at Internet fraud as a whole and take out spyware, viruses, phishing, etc., you’ll find that online transactions (ecommerce) only account for 0.3 percent of all identity thefts. Stated differently, you’re 99.7 percent more likely to have your identity stolen by some method other than buying from an online vendor.
With PCI [Payment Card Industry] compliance, vendors are required to harden their code and make access to personal information more secure. For instance, in order for our ecommerce engine to maintain its PCI certification, we are scanned by a third party every night, and then we are tested to ensure we’re not exposed. If we are, we’re notified and we have between 24 and 72 hours to seal the leak, so to speak. If we miss the deadline, we lose our certification until we’ve completely sealed off the vulnerability.
The bottom line is, PCI compliance makes online purchasing much more secure.
PeC: Speaking of PCI, there is much confusion concerning PCI compliance among merchants and consumers. What is PCI compliance? Are merchants responsible? Is it voluntary or mandatory for merchants to comply?
MUNSELL: PCI compliance is, in essence, a joint venture between American Express, MasterCard, Visa, Discover and JCB [a Japan-based credit card issuer] to protect cardholders from identity theft, with an emphasis on security breaches. It is a set of security standards set forth by these major credit card companies, and failure to comply can result in fines from the credit card companies ranging from $5,000 to $25,000 per month. In 2006, Visa alone levied almost $5 million in fines.
They’ve broken compliance for merchants down into four areas of risk: Level 1 merchants, Level 2 merchants, Level 3 merchants and Level 4 merchants. These levels are arranged by the transaction volume of the merchant, where Level 1 is a merchant handling over 6,000,000 transactions per year and Level 4 merchants handle fewer than 20,000 transactions per year. Compliance at all levels is mandatory, but reporting and scanning requirements differ depending upon transaction volume.
PeC: Five years from now, what types of fraud will merchants be dealing with, in your view? What are the new types of fraud prevention software and tools that you see in the future?
MUNSELL: That’s a crystal ball question if ever there was one! Secure ecommerce vendors and hackers have a relationship kind of like police radar gun manufacturers and the radar detector industry. As long as there is a lust for money, there will be people out there creating new ways to cheat people out of it. And, in the online world, as soon as someone creates software to deliver a secure transaction, someone will be out there trying to figure out how to defeat it.
PeC: Many states have enacted laws that make merchants liable for insecure websites. Is this a legal trend that will continue, in your view?
MUNSELL: Absolutely. But these laws won’t just stop at holding merchants accountable. I’m certain that acquirers (the banks that manage the account relationship with the merchant and clear the transaction) will also be brought into the legislation as part of their fiduciary responsibilities.
PeC: Other thoughts on online fraud?
MUNSELL: Sure. Shoppers should always check for PCI compliance before buying online. There are a number of companies out there that scan ecommerce sites to ensure PCI compliance. A list of approved vendors can be found here: Pcisecuritystandards.org.
Make sure that the vendor site displays one of these vendor symbols, and click on the symbol to verify that it is, in fact, authentic. Scan Alert (Hacker Safe logo), Control Scan, Cybertrust, and VeriSign are some of the more commonly known vendors out there.
Merchants evaluating website or ecommerce solution providers should make sure that their vendors provide PCI compliance before proceeding with that vendor. Merchants should also check to make sure that compliance by the vendor is ongoing, and not just during the delivery phase of the website. I’ve seen a lot of merchants buy a shopping cart that was PCI compliant at the time of delivery, but 48 hours later, the cart became non-compliant and the vendor either disappeared or asked for more money to retain compliance.