Proposed new solutions include a cardholder inserting their chip and PIN card into a hand-held card reader and entering their PIN, as they would do in a store. On confirming the PIN entered, the reader generates a unique, one-time only passcode which the cardholder provides, when prompted, for authentication with the cardholder’s bank. This solution, says APACS, will ensure that the person conducting business online or over the phone is the genuine customer and will make these types of transaction even safer.
Commenting, CEO of the 3rd Man, Paul Simms, says: “With the introduction of Chip and PIN in 2006, strides have been made with fraud prevention overall, particularly for retailers, but the problem must be put into perspective. Many retailers already comfortably manage the threat and do so with little or no impact on their genuine and honest customers. Why conjure up further techniques to alarm and confuse genuine consumers?”
Some of the latest solutions such as 3D-Secure, which requires a password to authorise transactions, or Token-Based Authentication, which challenges the cardholder to input another passcode generated by a hand-held gizmo, are being promoted heavily by APACS and the banking industry.
“This is not so much about preventing fraud as it is about shifting blame –and there have been precedents,” argues Simms. “Take Chip and PIN for example. On February 13th 2006, if a card was swiped in a store and a signature obtained at the time of authorisation, then the majority of the risk lay with the card issuer. After February 14th, with Chip and PIN now mandated, the real issue is that risk of fraud lies with either the retailer or the cardholder, not the bank.”
In e-commerce, a similar scenario is playing out with Verified by Visa and Mastercard Securecode. If a cardholder authenticates a transaction, then the blame is with the cardholder. If a transaction is not authenticated then the blame lies with the retailer, not the bank. “The key here,” explains Simms,” is that the cardholder who had virtually no liability with card not present fraud will now be at threat if password or authentication details are compromised – and that is exactly what the fraudsters will seek to do. Furthermore the key to preventing card not present fraud lies with the retailers who now will only care about receiving fully authenticated orders.”
The newer, dynamic passcode authentication is a much stronger solution as it is more difficult to compromise the authentication process. “The weakness, however, is that the solution relies on 100% adoption, and as long as there are banks who do not support it, or cardholders who don’t have one of the little gizmos, then retailers will still need to make judgement calls, just like they do today,” says Simms.
“So we are addressing a problem which many retailers cope with just fine at present, and we are using new technology that will impact the shopping experience of all our genuine customers but very few fraudsters.
“Bank led initiatives are all useful in preventing fraud. However the justification to implement must be made based on the discounted rates that the banks have agreed to give retailers as inducements. Negotiate a better fee on the basis of improved security. Retailers must remember that alone these measures will not solve card not present fraud.”
Kaynak : 