Naked Security

Retailers push back against plans to boost security of online shopping

EU banking organisation suggests requiring a passcode for purchases over €10, but retailers and payments providers warn of potential hit to sales

The European Union is set to insist on better security for online purchases, but a number of retailers are digging their heels in.

The idea, which comes from the London-based European Banking Authority, consists of urging extra security for purchases over €10, such as a user-selected passcode number. Computer Business Review is among the publications suggesting that retailers believe any extra steps in a purchase process would reduce the number of sales actually made.

Visa Europe, for example, conducted a survey that suggested €11.2bn a year in online sales, some 2% of the whole market, would be put at risk. It also found that 61% of customers would abandon a purchase if there were an extra step involved.

One of our retail contacts, Cath D’Arcy, proprietor of online jeweller Corazon Latino, queried whether a user-generated passcode would be effective. She told us:

They are suggesting a personal ‘Pin number’ be input. However, [the] Verified by Visa/MasterCard SecureCode [schemes] already request a personal password, so if there is already a piece of data required that is only in the head of the legal card owner, why would a second make a difference?

She welcomed the idea of additional security, however, as long as it would work sensibly. She pointed out that when a fraudulent transaction happens it’s the trader who ultimately pays for the refund rather than the banks, and smaller companies in particular will suffer. Lost sales are a non-issue if you add manpower, she says:

There will be some lost sales as we saw when we implemented the Verified by Visa/MasterCard SecureCard [scheme]. Not because people are put off, but because people forget their password and simply can’t complete the purchase.

In our case we followed up all failures, as they show in our system as orders with pending payments if they get that far, with a call and were able to verify the person and take a card payment over the phone. Big companies would probably lose these sales as they would not invest the manpower in the follow-up.

The European Banking Authority has been gathering feedback and has said it will put solid proposals forward by the end of the month.


2 Comments

Verified by Visa/MasterCard SecureCode [schemes] already request a personal password…why would a second make a difference?

Security and convenience have a nearly constant inverse relationship, so I generally don’t mind making extra effort when it accompanies better security. However, VbV and MCSC are (at best) exemplary implementations of what Bruce Schneier would call security theater. Brian Krebs’s article is enough for me, and I’ve seen far more than that to dissuade my use of VbV. If a merchant doesn’t allow me to bypass it, they lose the sale.

I wish I knew what the answer is, but I know this isn’t it.


Just returned from a cruise on which I had WiFi but no cellular. I couldn’t complete an Amazon transaction while aboard. Now I’ve forgotten what I was going to order.

