Chip and PIN: Caveat vendor
'Cardholder not present' liability
Comment I have recently been working on a study into electronic payments. I have also looked at the internal systems of one of the card issuers, and have been looking at the experiences of a start-up business. My conclusion is that whilst ecommerce is a win-win situation for the big banks and card issuers, it is a case of pity the poor trader!
A very good friend has just started a company that trades in stationery over the internet and he wants to be very competitive on price as well as service. Knowing that I have had an interest in electronic payments, he asked me to look at an issue he had identified. It appears that to trade over the internet he has to pay someone about 1.5 per cent of each transaction for the privilege. I was able to confirm that from my study this percentage appeared to be about the norm, and that I did not see much of a difference until trading levels increased significantly. We then got onto a subject very dear to my heart; what did he get for the 1.5 per cent? I said that as far as I could see, with the exception of maybe Datacash if you work in the online betting sector, and one or two other similar niches, you just got the basic service. This confirmed his fears. He had just been told that for "cardholder not present" transactions he would have to carry the risk of fraud. In addition, the big issuers - the big banks - do not even offer insurance for the traders to cover themselves.
This brought us back to another of my old time favourite subjects; what about Chip and PIN? It appears that if the cardholder is not present, the available checks are limited to asking for the card number, the expiry date, and the three digit security code on the back of the card (to ensure that the buyer does not just hold an image of the face of the card). So it is no wonder that the big explosion in crime at present is to intercept cards in the post! That ensures you have all the data you need, to buy what you want.
Luckily for my friend, the world of stationery is about large numbers of low value items like several thousand 12 inch rulers! But what would happen if you sell high value items like hi-fi or furniture, because surely that is what the dotcom revolution was supposed to do - replace bricks and mortar with clicks? But why cannot online systems ask for the pin number to be confirmed? I really do not understand what the point is of only protecting one aspect of electronic payments, when the big growth is in the "cardholder not present" field.
Returning to my friend's online stationery business; whilst I flippantly stated that it is a world about 12-inch rulers and erasers, they actually have a catalogue of over 17,000 items. I started to look at the large amounts of stationery I now use in my home office and to support the machine my daughters use for school, and how many trips to large stationery stores I could save by going online. Think about the paper you buy; A4 white for reports, various sizes of photo paper for your digital images, and heavier duty stuff for cards, the ink cartridges, the memory cards for your digital cameras, and you soon see this is a good couple of hundred pounds a year per electronic household. This is big business and it must be growing, even if this is supposed to be a paperless age. If the risk of trading online is being carried by the trader, that must mean that in the end they are passing it onto us, the consumer.
So once more I am left bemused by our financial services industry, which is apparently in solid good health but seems to take a very short-term view of each and every aspect of the cash cow that is its lifeblood. As I said in a previous article when I wrote about Chip and PIN, it seems to be a half-hearted approach to something which could add so much. By the way, I still see that most garages are not using Chip and PIN - even when they have the machines they still ask you to sign the confirmation! I would very much like to know what the industry intends to do to secure all electronic payments. At the end of the day it is not the big banks that pay, it is the small start-ups and ultimately the consumers, and we deserve to be treated better when the answer would appear to be there just waiting to be used. Lets see Chip and PIN implemented properly with no-one being able to override the system, and lets see the industry strive to stay ahead of the fraudster and protect us the consumers from the cost of that fraud.
Sponsored: Network DDoS protection