Internet shopping: is it time to cart away all the stupid security hurdles?

I feel I may soon know how the guy felt when he suggested the world wasn’t flat. I’m nowhere near as visionary – but I may get vilified all the same…
When technology doesn't mirror life - why Internet security is wrong.
Imagine this scene… You walk into a retailer – any retailer – with a stolen wallet. You pick a range of expensive goods. As long as you have the PIN or the cash, you can take away whatever you want, unchallenged.

No checks, no ID, no second glance. Now, let’s go online…

Wow – what’s with all the hurdles?

Let’s take a look at the inconsistencies in how we deal with retail fraud in the UK. It falls into two categories: Cardholder Present (CP) and Cardholder Not Present (CNP). First, CP fraud: the conventional, in-store kind.

CP In-store fraud

When an in-store fraud is detected, it usually leads to an arrest and conviction. The trail will often lead back to others involved and goods will be recovered. Further frauds are therefore prevented and others identified and dealt with.

While the payback for CP fraud detection is high, controls preventing it are few. Online, CNP fraud is quite different…

CNP Internet fraud

Internet buying is like commerce from a different planet. Provision of a shopping cart website requires PCI compliance and bank approval.

Online stores have encrypted payment portals and pay hefty on-line fees to the payments companies. A monthly fee is charged for the service and a percentage of each transaction goes straight to the issuing bank.

But there’s more. Retailers must join the MasterCard or Visa security scheme – even though research shows this is ineffective, presenting far more of an obstacle to a legitimate cardholder than a thief!

A refusal to participate means shouldering responsibility for any losses – potentially, a crippling penalty for an on-line retailer.

Buying online is a financial odyssey: name, address, email, the card’s CSC, CVD or CVV code, and then the MasterCard or Visa check to complete.

You would think that with all these checks in place, criminals would be deterred. Not at all.

Because if the fraud is successful, you win the goods. If not, no one will track you. You’re free to improve your attack profile and try again. And again. And again.

So why the differences?

Despite the apparent disparity between methods, one common thread does exist: poor security within the banks.

Retailers have always been charged a premium for use of PDQ (card terminal) hardware, software and other incidentals, while online retailers carry crippling transaction charges and fees.

The banks simply offset the cost for any card losses they suffer, so ultimately, guess what – the customer pays in higher card fees and interest rates.

It’ll come as no surprise that the banks play a big part in collecting card revenue, but a small role in detecting fraud in the first place.

In-store detection is instigated by the retailer, never by the bank or card issuer – and that’s why clear-up rates are higher.

Another example of the banks giving us a bad deal. So what am I suggesting?

My world is round moment

I feel it’s the responsibility of the banks alone to manage all forms of card security. I believe there should be parity between in-store and online card transactions – you’d just enter your PIN online.

Chip and PIN is only checking the PIN against the cardholder anyway!

Abuse of either CP or CNP card processing could carry a higher bank charge – but not unless repeated losses have occurred.

Why shift responsibility to the banks?

Because the banks own every transaction, end to end. They know spending profiles, cardholder details and authenticity. They are advised about card losses. Why not make them use that information properly?

We don’t carry our cash round in an armoured car, or have a bank vault at home. Should we jump through card security hoops just because banks are lazy?

Why should we, once again, carry the burden of protecting the banks?