Emerging eCommerce Credit and Debit Card Protocols

Mark E. Peters
IBM Corporation
mepeters@us.ibm.com

Abstract

Internet sellers need guaranteed payments for goods and services. Buyers need protection from misuse of their financial accounts. Credit cards dominate the internet payment world, but merchant fraud is rampant and cardholders are scared. This paper explores emerging protocols and technologies that are being developed to eliminate card fraud and internet payment methods that will compete with credit cards.

Keywords: Credit Card, Debit Card, Fraud, Cardholder Authentication, MasterCard, VISA

1. Introduction

In the late nineties, dot coms were allowed by the stock markets to hemorrhage money without consequence. And hemorrhage they did, many losing millions per quarter to organized crime exploiting credit card fraud. With a sole focus on gaining market share and clicks, dot coms had no desire to push banks for fraud protection or to likewise pressure government for regulatory relief. Many sellers and several electronic cash companies have been severely crippled or failed due to excessive credit card chargebacks.

Internet sellers would be much more efficient if they were able to focus more on their core competencies such as marketing, advertising, customer relationships, store design, and fulfillment. Imagine the day when all internet payments are handled without human intervention, without chargebacks, and without having to protect credit card numbers. In the meantime, eCommerce site managers, designers, and operators need to know how to minimize their risk and prepare for emerging solutions.

1.1. Credit Card Industry

According to NUA ComputerScope, 90 percent of the $5 billion in 2001 internet transactions are credit card based [1]. Given this dominance in the online retail world, it is important to understand the players in the credit card business. Issuers have a contractual relationship with cardholders.
Acquirers have a contractual relationship with merchants. Credit card associations, such as MasterCard and VISA, make the rules that form the contractual relationships between Issuers, Acquirers, and the processing entities of the system.

1.2. Chargebacks and Fraud

Chargebacks occur when a cardholder disputes a transaction. Typical chargeback types include situations where the cardholder claims he or she did not participate in the transaction, did not receive the goods, or believed the goods were not as represented by the merchant.

Stolen card numbers result in the stereotypical type of fraud. Though consumers typically are not responsible for the actual chargeback amounts in these situations, they fear that it could lead to identity theft resulting in a lasting impact on their credit history. Victims of this type of fraud lose confidence in the credit card system when they notice fraudulent charges on their credit card or receive calls from their card issuer indicating that their account has exceeded the typical velocity of charges or that suspect authorizations have occurred. It is equally unnerving to many victims that they receive ongoing notices that the credit card was denied for an order the victim never placed. Even more disturbing are the cases where the cardholder is informed that goods he or she never ordered have arrived or have been shipped for authorizations which initially succeeded.

Another type of fraud, “friendly fraud”, occurs when a cardholder did make a transaction, but wants to deny that he made a potentially embarrassing type of adult purchase [2]. One cardholder successfully charged back $70,000 in internet gambling debt after claiming in court that the credit card companies should not have allowed the charges to succeed! [3]

Credit card transactions fall into two primary categories:
- Card Present
- Card Not Present, a.k.a. Mail Order/Telephone Order (MOTO)

Merchants are protected from certain chargeback reasons during card-present transactions.
Card-present transactions require evidence that the card was present during the transaction. In the U.S., this means that the complete magnetic data was present in a swipe terminal transaction or that the merchant can produce a physical imprint of the card along with a signature during chargeback proceedings. In France, the smart card signature must be produced. Skimming fraud occurs when the magnetic data is stolen and placed on a fake card. It is more difficult to alter the physical card than the magnetic stripe, so clerks are required to enter the last 4 digits printed on the card to reduce risk.

Chargebacks typically cost issuers and acquirers $25 to $75 to process. So while they may not have to bear the actual cost of the card-not-present charge, they must minimize disputes to remain profitable. U.S. MOTO merchants use address verification service (AVS) to verify the credit card billing address as a preliminary check. Some jewelry and electronics merchants will only ship to the card billing address to reduce risk. One cardholder had several shipments of jewelry and electronics show up on her credit card statement. The goods had been shipped to the billing address, but apparently the thief was watching the shipper’s tracking site and routinely picked up the goods before the client returned home from work [4].

Merchants with excessive numbers or percentages of chargebacks face steep fines, despite the fact that internet merchants have no means to authenticate a cardholder online. Only the financial institution that issued a particular credit card can vouch for the identity and authority of a user of a particular card. Until card-issuing institutions do their part to authenticate cardholders, internet merchants remain vulnerable to cardholder fraud and chargeback fines.

Merchant fraud occurs when merchants authorize and capture fraudulent charges against credit card numbers without cardholder authorization.
Consider the case where a person sets up a corporation, opens merchant accounts with several credit card brands, announces he has the latest gaming console before everyone else, collects a thousand credit card numbers, receives money from those cards into his checking account, withdraws the money, and flees the country before the cardholders dispute the transactions. There are checks in place to prevent such a runaway case, but this is an acquirer’s worst nightmare.

Factoring is the term often used in the credit card world to describe a scenario where a merchant account is shared between more than one merchant. Consider the previous fraud scenario, but where the fraudster conned a separate “merchant” into collecting funds for the fake purchases. After the fraudster collects the deposited funds from the merchant and flees the country, the merchant, not the acquirer, will be liable for the losses.

Merchants are often victims of blackmail when hackers steal credit card number databases. CD Universe was one of the first publicized cases of such attempted fraud. Customer relationships were severely damaged when CD Universe was forced to email thousands of customers to disclose the theft.

1.3. SSL Security

While SSL is used to protect numbers in transit, many merchants do very little to encrypt their data store. Even SSL private keys might be discovered based on an attack articulated by nCipher. In this attack, a CGI program running with the same user as the web server scans the web server memory or a system dump for the private key [5]. Aside from the nCipher attack, almost all SSL servers use software-based private keys stored on disk with a hardcoded key in a stash file to permit unattended server restart. Any hacker who manages to access these files can easily determine the key. This is particularly troubling given the high percentage of insider attacks claimed in numerous trade press articles.
A hacker in possession of the SSL private key who is also capable of eavesdropping on SSL sessions could decrypt credit card information. A hacker who is also capable of changing the DNS listing of the server could successfully impersonate the server to obtain credit card information. Holes in shopping cart software or improperly secured shopping cart software files provide additional means for hackers to obtain credit card numbers.

1.4. Merchant Fees

Merchants pay a one to five percent fee per credit card transaction. This fee covers transaction verification, cardholder billing, dispute processing, cardholder loyalty rewards, and fraud. Obviously, a competing payment system that could reduce overhead is poised to have some financial advantages over the status quo. If, for example, the Automated Clearinghouse (ACH) network could develop an online account-holder authentication system that was inexpensive to implement, resulted in no transaction disputes or failures, and incurred little more than the existing pennies-per-transaction checking account debit fee, then it would threaten the online credit card dominance.

However, there are many inhibitors to success, even for inexpensive payment options. The primary inhibitor is that merchants want to offer the payment options that consumers desire to use, and in many cases the consumers want to use an option that rewards them with loyalty premiums such as frequent flyer miles or rebates. Merchants are hesitant to directly pass the credit card fees onto the consumer because shoppers tend to choose merchants who do not surcharge. As long as the market will bear consumers’ choosing payment options that are more expensive to merchants, less expensive payment options will languish. Many government agencies offer to collect taxes, fines, and fees online via credit cards, but they typically surcharge the three percent merchant fee.
While some citizens may pay a dollar to quickly pay a parking ticket online, most are going to pay vehicle or real estate property taxes with a check to avoid enormous surcharges.

1.5. Debit Transactions

Credit card brands are also leveraging their way into debit transactions. Formerly, PIN-based ATM cards were the only cards linked to a checking account. VISA and MasterCard have produced signature-based debit cards that incur a much higher merchant fee because the risk model is equivalent to credit cards. Banks like these cards because they produce more revenue. In fact, some banks have started charging the consumer $1.50 for usage of a PIN-based ATM card at the point of sale to encourage signature-based debit. Because PIN-based transactions require two factors of authentication, they have a much lower fraud rate than signature transactions.

Wal-Mart started what has now become a class action lawsuit to recover the discrepancy in fees between these two types of debit. Merchants were forced to take signature debit transactions if they took MasterCard and VISA, which the merchants claim was monopolistic and unfair. The growth of signature-based debit at the expense of PIN-based debit results in higher merchant overhead and an increase in fraud, which increases the price of goods to consumers.

1.6. Cardholder Authentication

Issuers have no desire to pay for the infrastructure to authenticate internet cardholders or for any increased liability incurred if the authentication system is defeated. The reduction of chargeback costs is the only current incentive for issuer adoption of cardholder authentication. Until issuers have adequate motivation, many cardholder authentication schemes will fail to gain traction. The goal is to make all transactions “card present” by authenticating cardholders and having them validate the proposed purchase. The challenge is that the solution must offer the right benefit to the right parties with the right timing.

2. Attempted Solutions

To keep from repeating mistakes of the past, it is important to study why previously attempted solutions have failed.

2.1. SET Secure Electronic Transaction™

The first attempted solution for reducing internet credit card fraud was SET. While this was an elegant solution that met all of the stated requirements and was available from a large number of interoperable vendors, it proved to be too burdensome and did not have buy-in from the necessary parties.

Why SET Failed…

- Banks resisted liability. Card-issuing banks are quite happy with the status quo, since direct losses are borne by the merchant. SET has been successful in geographies where the government has threatened to reduce overall fraud through regulation to correct this imbalance of power.
- Lacked member support. VISA and MasterCard are associations of financial institutions who issue credit cards and acquire transactions from merchants. The associations had good intentions that fit their mission when they created SET, but they never truly had buy-in from their stakeholders for the final solution. Merchants didn’t care about losses at the time SET needed momentum. They were focused on market share.
- Merchants have no power. With only a handful of domestic credit card brands from which to choose in a given geography and cardholders who only hold one or two brands in their wallet, merchants must choose the dominant brands or lose sales.
- Banks and Brands gain revenue from chargeback penalties. Not only are direct losses borne by merchants, but many of the larger internet merchants pay penalties on the order of tens of thousands of dollars per month because they exceed certain chargeback limits imposed by the brands.
- Banks and Brands make money selling fraud services and data. In an odd twist of fate, the lack of security inherent in internet credit card transactions creates an opportunity to sell fraud analysis of cards and transactions.
- Insecure alternatives were not corrected.
SET would have looked very attractive if credit card brands had required appropriate security measures for non-SET transactions. For example, if merchants had been required to harden their storage of credit card numbers and provide the same level of protection for their SSL credentials as with their SET credentials, then SET would have appeared to be an incremental step.
- Scope of SET protocol was too large. The protocol met some strict requirements regarding the protection of credit card numbers. While meeting these requirements, there were some fairly burdensome messages and interactions between the merchant and acquiring institution. In hindsight, these would have been better left out of the scope by using other tactics such as surrogate card numbers.
- Certificate Management was burdensome. SET was one of the first mature adopters of public key infrastructure (PKI). In hindsight, SET may have been easier to deploy and manage if cardholder public keys were registered at the issuer rather than requiring cardholder certificates. Likewise, surrogate card numbers that would be useless without cardholder signatures would have obviated merchant and payment gateway certificates.

2.2. Surrogate Card Numbers

American Express failed to gain traction in its “Private Payments” initiative, which was a surrogate card number scheme. It also tried to use a server-based wallet in conjunction with its free card readers for the Amex Blue card, which it ceased operating in 2001 after the failure of Globeset (the technology provider of the wallet). Other card providers have also attempted surrogate card number schemes. These require software on the cardholder’s machine to substitute the temporary card number into merchant shopping forms along with software changes at the issuer. Ease-of-use problems, difficulty working with surrogate numbers during returns and repudiation, and the marginal cardholder authentication protection offered by these schemes give them only a very short-term benefit.
Often the benefit does not provide adequate return on investment.

3. Emerging Solutions

Due to SET’s failure to gain traction, VISA and MasterCard have each come up with their own schemes. At one time, there was a plan by both parties to allow either scheme to be chosen by participants to provide cardholder authentication. However, this agreement did not work out [6]. As a result, online merchants will be forced to support a cardholder authentication protocol for every brand.

Both schemes accomplish their primary goal of authenticating cardholders during approval of a transaction. Each approach has advantages and disadvantages. The schemes have been described in enough detail to understand in articles and on the brand web sites. However, the complete specifications have not been made public, which means that some of the more meaningful analysis of potential weaknesses and performance implications cannot be published at this time.

3.1. VISA Initiative

Verified By VISA™ works without the need for any program installed on the cardholder’s computer.
1. The cardholder enters the VISA card number and expiration, along with other information asked today.
2. The merchant queries to see if the cardholder participates.
3. If so, the user is presented with a web page from his or her card issuer asking for the password to approve the transaction.
4. A digitally signed message is sent to the merchant, which validates that the issuer approves and that the merchant is afforded some transaction protection.
5. The authorization and capture proceeds normally, though some additional information to track the transaction will be sent [7].

3.2. MasterCard Initiative

MasterCard Secure Payment Application (SPA) requires a small client piece of software to be installed on the merchant system.
1. The merchant form has particular field names.
2. The MasterCard client detects the field names and asks the user to log in to the server-based wallet, where he or she is prompted to approve the transaction based on the merchant and transaction information.
3. A token is generated by the server-based wallet and is entered by the client into the web form along with the real or surrogate card number.
4. The authorization includes the token. If the authorization succeeds, then the token is deemed good and the transaction is guaranteed [8].

3.3. Comparison

The MasterCard scheme is much easier to implement and deploy from a merchant and issuer point of view. It requires no certificates and no special documents or digital signatures. It does require cardholder software as well as changes to the traditional card authorization process. Both schemes permit smart cards or other authentication technology to be used by the issuer. Depending on how the VISA smart card support is implemented, VISA may also find itself requiring program installation on the client. As for mobile support, VISA has a private specification that purports to support mobile scenarios, though whether WIM or other authentication technologies are supported is unclear.

The VISA scheme could be implemented without transmitting any data in the traditional card authorization, but it requires many messages between VISA, the cardholder, and the merchant. In addition, the messages are in XML format and many are digitally signed, which might overwhelm some merchant servers. The MasterCard scheme boils down to the transmission of a token to the merchant. Thus, it is suitable for non-browser communications provided that the client application piece can be satisfied in non-browser environments. The VISA scheme is fairly tightly bound to browser redirection.

One potential weakness in the VISA scheme is the possibility of a “man-in-the-middle” attack.
If an attacker were able to modify the redirection given to the cardholder by the merchant, then the cardholder could be redirected through a site controlled by the attacker. The attacker could impersonate the issuer to the cardholder and impersonate the cardholder to the issuer. The cardholder would have to notice that the issuer site was not legitimate to detect this attack. If the attack is successful, then the transaction succeeds and the user would not detect that the attacker gleaned the account password. The attacker then uses the password to shop at other sites. The card issuer would bear liability in this scenario.

4. Payment Technologies To Watch

4.1. ACH

ACH is used for payroll deposits and many business-to-business and recurring consumer-to-business payments in the United States. There is effort underway to expand this outside the U.S. There are networks similar to ACH in many countries. ACH transactions are inexpensive and efficient. Firms such as BankServ currently offer ACH transactions that behave like credit card transactions. The consumer enters a checking account number during checkout and money is pulled from the consumer’s account via ACH. In this form, the chargeback risks mimic those of credit cards. The ACH network currently supports a consumer push model, but there is no pervasive solution that would redirect an account holder to his bank to initiate the push. As soon as ACH solves the problem of account-holder authentication or bank redirection and reduces transaction time to 24 hours, it will prove to be a formidable adversary to the credit card status quo. Some predict that ACH will surpass credit card usage online within 5 years.

4.2. Mobile Phones

There are many varieties of mobile devices capable of performing various flavors of payments. The penetration of mobile phones throughout various socioeconomic groups is staggering. Many phones are capable of wireless internet browsing and two-way text messaging. As soon as the Wireless Identity Module (WIM) permits users to digitally sign transactions with the likes of a smart card, users could leverage this representation of their identity to sign transactions. Users could enroll their WIM with a financial provider so that transactions signed by the WIM key authenticate the transaction. WIM could also be leveraged for Bluetooth-based vending machine or other low-value transactions when a cellular signal is not available.

There is much debate in the wireless and financial industries over who owns the WIM credential and whether the wireless provider can take a cut of transactions for financial use of the credential. There are also branding considerations. VISA, MasterCard, Citibank, and other financial institutions want users to see their logo on the piece of plastic used to perform the transaction. As a result, there is also debate over whether a second smart card slot should be provided in phones.

There are many standards organizations looking at how to leverage mobile phones in payment scenarios. They each have staked out various types of transactions or parts of the payment lifecycle, such as message format, digital signing, credential management, etc. Examples of such standards bodies include WAP Forum, DoCoMo, MeT, GMCIG, mSign, and Mobey.

Another trend by wireless providers is to permit a variety of mobile phone scenarios to result in charges that appear on the user’s phone bill. Non-phone charges will often appear on a separate bill due to customer sensitivity about phone service costs. The primary inhibitor is that the wireless carriers will have to develop and manage the merchant relationships. However, if WIM can be used to eliminate repudiation and if wireless providers can learn how to manage credit risk beyond basic liability for phone calls, then wireless providers have a credible opportunity for efficient low and medium value credit transactions. In addition, they have an opportunity to tap a community of unbanked individuals by leveraging prepay accounts to pay for goods and, quite possibly, to pay bills.

4.3. PayBox

One primitive way to perform payments with GSM phones is for a consumer to enroll his or her phone number and credit card number with a merchant, vending machine organization, or payment service provider such as Paybox. With a quick scan of a barcode at a vending machine or by entering the number by hand into a machine or web form, a payment server calls the phone and the user confirms with a touch-tone PIN. The call-establishment security built in to GSM makes this a fairly secure process as long as the phone number mapping and user authentication are correct. No account information is transmitted over the phone. Paybox claims to have over 2 percent of the German market. Paybox charges users $4.50 per year along with a 3 percent transaction fee charged to the merchant. Both the cardholder and merchant must be enrolled. Deutsche Bank owns half of Paybox, but is considering adding partners in other countries to facilitate payments in each country [9].

4.4. Qpass

Qpass seeks to minimize the investment by wireless carriers by providing technology to manage the financial transactions and merchant relationships. Consumers use their wireless device to access fee-based content and purchase goods. Qpass allows consumers to choose to pay for small dollar goods and content with their wireless account and high dollar goods with credit or debit cards.

4.5. PayPal

PayPal permits person-to-person payments. Each user registers an email address which is used by others to route payments. The email address and a logon password secure a user’s “account”.
An account can be funded by a credit card or by a bank account. This form of credit card funding is a type of factoring, but VISA and MasterCard have permitted it to continue (likely because PayPal does a decent job of authenticating cardholders). PayPal passed an important U.S. FDIC investigation to see if it broke federal banking laws since it holds member funds. It is still being investigated by states and by other countries. PayPal is primarily used in online auctions by individuals too small to hold a credit card merchant account. However, even larger merchants use it because PayPal charges much less for credit card transaction fees than is charged by Internet payment service providers.

4.6. Microsoft Passport

Microsoft is attempting to leverage its authentication technology for a variety of applications, including single-sign-on amongst unrelated companies. Microsoft appears to be targeting the authentication of online banking as well as credit cardholder authentication to leverage their operating system dominance as a means to take a share of transaction revenue. Microsoft offered $100 to anyone who would use the Passport Wallet to complete a purchase in December of 2001.

4.7. RFID Tags

There are a variety of radio frequency identification tags in use today. These tags use contactless technology to convey a user identity to the payment system. Eavesdropping is possible because this passive approach employs no active cryptography nor does it typically employ PINs or other secondary authentication factors. One early success story is the New York EZPass system that permits commuters to have road and bridge tolls deducted from their account. Recent successful adoptions are in the retail point of sale area, such as Mobil’s SpeedPass to pay at the pump and in the store. Speedpass claims to have over 5 million users. The tag fits on a user’s keychain, costs Mobil about $2 each, and is free to users. Customers can even purchase a tag built into a Timex watch. Each purchase results in a debit to a credit card or checking account. Implementers of these systems claim that the transaction time is greatly reduced and that customer loyalty has increased [10].

4.8. Fraud Screening Services

Until various cardholder authentication schemes reign, there will be a place for fraud screen services. These services analyze various streams of data to judge the likelihood that a given transaction will fail. Some services collect data from merchants, much like TeleCheck does for checking accounts. Others buy data from the card brands. Very few of the fraud screens operate on useful real-time data. Thus, the overall effectiveness is questionable if most issuers can freeze suspect accounts in the first 12 hours, which would cause authorizations to fail anyway. Much like the checking account screening services, credit card fraud services can also insure transactions. However, most merchants deem this too expensive for their operations.

Data collected for these services include billing and shipping address data, source IP address, types of goods, etc. Preliminary checks on whether the IP address is in the locale of the card’s billing address, how easily the goods can be fenced, and whether the goods are being shipped to a bad neighborhood provide the most value for these fraud score algorithms. Many retailers have in-house fraud detection departments that analyze these types of statistics.

4.9. Authentication via Credit Check

Equifax started a rather novel service for cardholder authentication when purchasing high dollar goods, which BankServ and others now support. At checkout, the cardholder is asked some information that the fraudster is unlikely to know, such as the monthly mortgage payment, or last month’s credit card bill, etc. The consumer’s answers and the current credit card number being used are compared to data in the credit report. Mismatches result in a denied transaction.
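The fraud-screening signals described above (ship-to versus AVS billing address, source IP locale, how easily the goods can be fenced, flagged destinations) and the mismatch-denies rule of the credit-check service, combined into one merchant-side screening routine. This is an added example, not code from the paper or from any service it names; all weights, thresholds, lookup tables, sample orders and the credit-report record are constructed for illustration.

```python
"""Merchant-side pre-authorization screening for card-not-present orders.

Models two checks from the paper: rule-based fraud scoring over the order data
and, for high-dollar orders, a credit-report question check in which any
mismatch denies the transaction. All weights, thresholds and lookup tables are
constructed for illustration; none come from the paper or a real service.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Order:
    pan_last4: str        # last four digits of the card number entered at checkout
    billing_zip: str      # billing ZIP as verified by AVS
    shipping_zip: str
    billing_country: str
    ip_country: str       # country the shopper's source IP geolocates to
    goods: str            # category of goods ordered
    amount: float         # order total in USD


# Constructed: how attractive a category is to resell (0 = hard to fence).
FENCEABILITY = {"electronics": 30, "jewelry": 30, "gift_card": 40, "books": 0, "groceries": 0}
# Constructed placeholder: destinations the merchant flagged after prior chargebacks.
FLAGGED_SHIP_ZIPS = {"99999"}
# Constructed: orders at or above this total require the credit-report questions.
HIGH_DOLLAR = 1000.0


def fraud_score(order: Order) -> tuple:
    """Return (score, reasons); higher means riskier. Weights are constructed."""
    score, reasons = 0, []
    if order.shipping_zip != order.billing_zip:
        score += 25
        reasons.append("ship-to differs from AVS billing address")
    if order.ip_country != order.billing_country:
        score += 25
        reasons.append("source IP not in billing locale")
    fence = FENCEABILITY.get(order.goods, 10)  # unknown categories get a middling weight
    if fence:
        score += fence
        reasons.append(f"goods easily fenced ({order.goods})")
    if order.shipping_zip in FLAGGED_SHIP_ZIPS:
        score += 30
        reasons.append("ship-to ZIP flagged from prior chargebacks")
    return score, reasons


def credit_report_check(record: dict, answers: dict, pan_last4: str) -> bool:
    """Compare the shopper's answers and card number with the credit-report record.

    Any mismatch denies, as the paper describes. Numeric answers tolerate 1%
    rounding; that tolerance is an assumption, not something the paper states.
    """
    if record["pan_last4"] != pan_last4:
        return False
    for question, expected in record["answers"].items():
        given = answers.get(question)
        if given is None:
            return False
        if isinstance(expected, (int, float)):
            try:
                if abs(float(given) - expected) > 0.01 * abs(expected):
                    return False
            except ValueError:
                return False
        elif str(given).strip().lower() != str(expected).strip().lower():
            return False
    return True


def screen(order: Order, record: Optional[dict] = None, answers: Optional[dict] = None,
           review_at: int = 40, decline_at: int = 70) -> dict:
    """Decide accept / review / decline before the authorization is sent."""
    score, reasons = fraud_score(order)
    if order.amount >= HIGH_DOLLAR:
        if record is None or answers is None:
            return {"decision": "review", "score": score,
                    "reasons": reasons + ["high-dollar order without completed credit-report check"]}
        if not credit_report_check(record, answers, order.pan_last4):
            return {"decision": "decline", "score": score,
                    "reasons": reasons + ["credit-report answers or card number mismatch"]}
    decision = "decline" if score >= decline_at else "review" if score >= review_at else "accept"
    return {"decision": decision, "score": score, "reasons": reasons}


# Constructed sample orders and a constructed credit-report record.
CLEAN = Order("1234", "10001", "10001", "US", "US", "books", 35.0)
RESHIP = Order("1234", "10001", "99999", "US", "FR", "electronics", 899.0)
BIG_TV = Order("1234", "10001", "10001", "US", "US", "electronics", 2400.0)
RECORD = {"pan_last4": "1234", "answers": {"monthly_mortgage": 1850, "last_card_bill": 412.37}}

if __name__ == "__main__":
    print(screen(CLEAN))   # accept, score 0
    print(screen(RESHIP))  # decline, score 110
    print(screen(BIG_TV, RECORD, {"monthly_mortgage": "1850", "last_card_bill": "412.40"}))  # accept
    print(screen(BIG_TV, RECORD, {"monthly_mortgage": "1200", "last_card_bill": "412.37"}))  # decline
```

The 12-hour freeze window noted above is why the score is applied before the authorization is sent: by the time an issuer declines, the merchant may already have shipped.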
The cost and inconvenience of this service makes it unlikely that it will be used for most typical transactions, but it is an interesting way for a credit-reporting agency to increase revenue while insuring credit card transactions.

5. Conclusion

Credit cards are the payment method to beat in today’s internet commerce environment. More efficient payment systems pose a long-term threat, but there are no clear leaders given political power and customer loyalty considerations. The world needs one cardholder authentication technology, not one per brand or one per country.

Merchants bear the direct losses of most internet card fraud. Since issuers are currently responsible only for losses due to cardholder nonpayment, they are unwilling to assume liability for authenticated payments and are unwilling to pay for the infrastructure required to perform cardholder authentication. Mobile technologies lend some promise for cardholder authentication and for very pervasive payment solutions.

There is no free ride. Consumers and stockholders, not sellers or banks, ultimately pay for credit card fraud through increased cost of merchandise, credit card fees, and devaluation of stock. It is in everyone’s best interest to understand and eliminate payment system fraud.

6. Reference Material

[1] “Visa to evaporate merchant liability”, Cards International, March 22, 2002, p. 8, Lafferty Publications Ltd.
[2] Bennett, Robert A., “I didn't do it”, USBanker, 12 Dec 2001, pp. 48-52.
[3] Ullman, Ellen, “Denied”, Ziff Davis Smart Business, May 1, 2002.
[4] Conversation between Mark Peters and a friend who is a local banker, 2001.
[5] “Protecting Commercial Secure Web Servers From Key-Finding Threats”, nCipher Inc., November 1999, http://www.ncipher.com/products/rscs/downloads/whitepapers/pcsws.pdf
[6] Bennett, pp. 48-52.
[7] “Visa to evaporate merchant liability”, Cards International, March 22, 2002, p. 8, Lafferty Publications Ltd.
[8] “VISA 3D Secure vs. MasterCard SPA”, http://www.gpayments.com/pdfs/GPayments_3D_vs_SPA_Whitepaper.pdf
[9] Bright, Julian, “Paying By Numbers”, Communications International, Nov. 2001, p. 66, EMAP Media Ltd.
[10] “Credit, Debit or Speedpass?”, Card Technology, v2, n9, September 2001, p. 18, Thomson Financial Inc.