[February 21st, 2001]
The protracted demise of the Secure Electronic Transaction protocol
(otherwise known as SET) is now complete. Designed to bolster fraud
prevention on Internet credit card transactions, SET was beleaguered by
complexities that made full implementation untenable.
Still, with the laborious passing of SET, new and improved approaches to
securing online transactions are visible on the horizon. And many of these
security protocols will provide the degree of consumer authentication needed
to decrease problematic fraud and chargeback levels - very good news for
online merchants.
Good news indeed, principally because the current SSL (Secure Sockets Layer)
protocol was not designed to protect online business from fraudulent use of
stolen credit cards. SSL encrypts the card data in transit and authenticates
the merchant's server to the browser, but it says nothing about who is
sitting at the browser: consumer authentication on card-not-present
transactions is not part of the SSL protocol. Nor does SSL protect credit
card data once it has been decrypted on the merchant's server, where it is as
exposed as any other stored record. Short of deploying elaborate fraud
detection systems (which try to flag suspect ordering activity after the
fact), cardholder authentication remains a major e-commerce snag - at least
for the moment.
Designed to remedy exactly these problems, SET was developed in 1996. However,
the technical and bandwidth requirements of SET, as well as the mounting
complexities involved in full realization, created a situation in which
SET's disadvantages outweighed its potential benefits.
Currently, there are a number of secure transaction models competing to replace
SET, and each concentrates on more comprehensive protocols for
authenticating customers during card-not-present transactions. In all cases,
more data is required from the consumer than the current inadequate standard
of credit card number combined with expiration date, both of which are printed
on the card and stored by every merchant that has ever seen it. Most
importantly for online merchants, more and more liability for chargebacks
will fall on the consumer, which should radically decrease abuse of
'consumer-friendly' credit card policies.
First, there is the Payer Authorization model, in which the credit card
company issues a password or PIN to the cardholder to be used during
card-not-present transactions. During a sale, a pre-authorization step
requires the customer to enter the password along with the credit card
number. The card issuer checks the password and notifies the merchant of
the result: authenticated, or potential fraud. If the card issuer verifies
the password, the merchant transmits an authorization message and the
pre-authorization process is concluded successfully.
American Express' 'Private Payments' model for secure transactions operates
on the same principle as the Payer Authorization model - except for one key
difference: for each online transaction the consumer must go to the American
Express website to receive a 'disposable' transaction number to be used in
conjunction with the credit card number. The transaction number can only be
used once and is rendered inoperative after a transaction is made. To
receive the transaction number in the first place, the cardholder must
provide a user name and password at the Private Payments site.
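The two issuer-side checks described above (the password-based pre-authorization and the single-use transaction number) can be modelled in a few dozen lines. The following is an added illustration, not code from American Express, Visa or any issuer; the account layout, the 16-hex-digit disposable number format, the time-to-live on a disposable number and the card data are all constructed assumptions for the example.

```python
import hashlib
import hmac
import os
import secrets
import time


class Issuer:
    """Toy card issuer modelling both authentication schemes from the article.

    Constructed for illustration only; the data layout is an assumption,
    not any real issuer's implementation.
    """

    def __init__(self):
        # PAN -> {"exp": "MM/YY", "salt": bytes, "pw_hash": bytes}
        self._accounts = {}
        # disposable number -> {"pan": str, "used": bool, "expires": float}
        self._disposables = {}

    @staticmethod
    def _hash(password, salt):
        # Store only a salted, stretched hash so a breach of the issuer's
        # password table does not hand out the second factor directly.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, pan, exp, password):
        salt = os.urandom(16)
        self._accounts[pan] = {"exp": exp, "salt": salt,
                               "pw_hash": self._hash(password, salt)}

    def _password_ok(self, pan, password):
        acct = self._accounts.get(pan)
        if acct is None:
            return False
        return hmac.compare_digest(self._hash(password, acct["salt"]),
                                   acct["pw_hash"])

    # --- Model 1: Payer Authorization -------------------------------------
    def pre_authorize(self, pan, exp, password):
        """Merchant forwards PAN, expiry and cardholder password; the issuer
        answers with an authenticity verdict. PAN + expiry alone never pass."""
        acct = self._accounts.get(pan)
        if acct is None or acct["exp"] != exp:
            return "DECLINED"
        if not self._password_ok(pan, password):
            return "DECLINED"
        return "AUTHENTICATED"

    # --- Model 2: disposable transaction number (Private Payments style) ---
    def issue_disposable(self, pan, password, ttl_seconds=600):
        """Cardholder logs in at the issuer and receives a one-time number.
        Returns None if the login fails. The TTL is an assumed safety limit."""
        if not self._password_ok(pan, password):
            return None
        number = secrets.token_hex(8)  # assumed 16-hex-digit format
        self._disposables[number] = {"pan": pan, "used": False,
                                     "expires": time.time() + ttl_seconds}
        return number

    def redeem_disposable(self, number):
        """Merchant submits the disposable number. Unknown, expired or
        already-spent numbers are declined; a valid one is burned on use,
        so a number captured from a merchant's logs cannot be replayed."""
        rec = self._disposables.get(number)
        if rec is None or rec["used"] or time.time() > rec["expires"]:
            return "DECLINED"
        rec["used"] = True
        return "APPROVED"


def demo():
    """Run both flows against a constructed account and return the verdicts."""
    issuer = Issuer()
    issuer.enroll("4111111111111111", "12/03", "correct horse")  # constructed
    stolen_card_only = issuer.pre_authorize("4111111111111111", "12/03", "")
    genuine = issuer.pre_authorize("4111111111111111", "12/03", "correct horse")
    number = issuer.issue_disposable("4111111111111111", "correct horse")
    first_use = issuer.redeem_disposable(number)
    replay = issuer.redeem_disposable(number)
    return stolen_card_only, genuine, first_use, replay


if __name__ == "__main__":
    print(demo())
```

The point the two models share is visible in `demo()`: a card number and expiry harvested from a merchant's database yield `DECLINED`, and a disposable number lifted from a merchant's order log is `APPROVED` exactly once and `DECLINED` on replay.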
The last model, the Visa Smart Card program, basically strives to emulate
the card-present 'swipe' of a physical point-of-sale transaction combined
with PIN security. For these transactions, the card issuer must issue
'smart' credit cards carrying a microchip that can authenticate the
cardholder. Of course, the consumer will also need a card reader attached
to his or her PC into which to insert the card. Entering the PIN then
unlocks the credit card data held in the chip, so neither the card nor the
PIN is useful on its own.
Because each of these models requires a password or PIN that is never part
of the data a merchant stores, all provide relatively strong anti-fraud
protection in cases where credit card numbers are stolen or hacked en masse:
the number alone is no longer enough to complete a purchase. (A static
password typed into a merchant's order form can still be captured alongside
the card number, whereas a single-use transaction number is worthless once
spent.) As a result, these security developments should go a long way in
improving consumer confidence in the Internet as a viable, secure
environment for transacting business.
Of perhaps greater significance to online merchants, the authentication
protocols require more consumer data than current systems, and the capacity
to confirm cardholder identity is greatly enhanced. This means less fraud
exposure and one very significant ancillary benefit: more and more
chargeback liability will rest with the consumer - very good news for those
e-businesses suffering from damaging chargeback fees and exorbitant fraud
levels.