To combat digital crime and promote the Internet as a safe, secure virtual shopping mall, leading credit card brands have implemented a Visa technology called 3-D Secure to authenticate users. Is it safe to go shopping online? Actually, it couldn't be safer.

The Internet may not have turned out to be the planet-transforming tool trumpeted during the dot.com heyday, but it certainly has had a huge impact on the retail world. Merchants quickly realized that cyberspace represented a completely different way to reach potential customers—perhaps the first entirely new sales channel since the emergence of the mail-order catalog in the 19th century.

Not surprisingly, however, the advent of online shopping was accompanied by the emergence of online fraud. And today, some e-commerce players cite security and privacy issues as factors that continue to hinder growth in the channel. But help is on the way: In an effort to combat digital crime and promote the Internet as a thriving and secure virtual shopping mall, the leading credit card brands have implemented a technology co-developed by Visa for authenticating users. And in a major policy shift aimed at spurring adoption among merchants, the banks that issue the cards are beginning to accept liability for fraudulent transactions.

"Authentication is the key to the safe conduct of business on the Internet," says Jim McCarthy, senior vice president for product deployment at Visa USA. "Consumers are still very concerned about security. Authentication answers their concerns."

Early fears about e-commerce focused on malicious hackers stealing credit card numbers as they were sent across the global network between consumers and merchants. However, the development of strong encryption technology, especially the secure socket layer (SSL) format, has made it almost impossible for electronic con artists to download these valuable numbers during a transaction. The greater fear today is that criminals can obtain credit card numbers and other personal information on a merchant site and then use the data to order merchandise with an innocent—and unaware—consumer's account number.

The concerns are valid. Online shopping accounted for about six percent of Visa's total volume in 2002, and it's Visa's fastest-growing sales channel. Securing the e-commerce channel is important to its future growth. And according to MasterCard data, "I didn't do it" or "cardholder nonauthorization" disputes represent an increasingly large percentage of e-commerce charge-back expenses (more than 80 percent in recent years), posing a serious dilemma for merchants interested in tapping into Internet shopping.

MasterCard research also shows that 90 percent of people who don't buy online worry that their personal and financial information may fall into the hands of hackers and that 71 percent are worried about credit card fraud. This level of concern is a very real barrier to building business online.

According to McCarthy, the industry has been looking for a way to authenticate online transactions—to make sure the person ordering that high-definition TV set is really the person he claims to be and that he plans to pay for it. That's why Visa and MasterCard have implemented a security technology called 3-D Secure, which Visa created for the industry.

Eliminating Fraud

At its most basic level, 3-D Secure is simply an additional registration layer, allowing consumers to register their individual credit or debit cards with the banks that issued them. The program ensures that the person using a card online is the owner of the card and can eliminate the potential for fraudulent transactions, even if the account numbers have been compromised.

How does it work? Consumers making an online purchase will be redirected, through a window in their browser, from the merchant's Web site to the bank's. There they'll be asked to register their card number and create a personal password. Once they've completed the registration, they continue the transaction with the merchant.

During the checkout process, the Internet shopping site will again route customers, through another pop-up window, to the bank's servers, which will ask customers to authenticate themselves with their password. A criminal may have been able to dig up an account number and the corresponding billing address but not the password, which is stored only in the cardholder's memory. The result is a simple step that verifies the shopper as the person authorized to use a specific credit card.

Arcot Systems and Sun have partnered in providing the 3-D Secure technology and platform to financial institutions looking to build the volume and value of their online business.

"What we're talking about is security and reliability," says Pam Kline Smith, vice president of marketing at Arcot, the software company that helped Visa develop the security technology and pilot the authentication process.

Although adopting this technology will require the banks to install additional hardware and software to enroll users, store identity information, and verify transactions, the payoff should be more transactions and increased revenue. Sun Microsystems platforms are ideal for this imitative, offering the scalability to support both pilot programs and full deployment, which probably will eventually involve millions of users.

Visa went live with its technology in December 2001, using the product name Verified by Visa. The company has also offered 3-D Secure as an open format to the financial services industry, where it is starting to gain wide acceptance. MasterCard unveiled its own authentication service based on 3-D Secure, called MasterCard SecureCode, last September. The service complements MasterCard's proprietary security technologies, which use smart chips in the cards and software that links individual cards to specific computers.

"I think this is going to be a big year for all of us," says McCarthy. "Our common goal is for the entire card industry to be using the same authentication technology for all online transactions..."

The Idea's Simple; the Technology's Not

Although this idea may seem simple, the technology behind it is not. Arcot was contracted by Visa to develop software that would allow a seamless transition from a merchant's site to the bank's servers, creating a speedy link that would also be transparent. When customers enter their unique password, that connection is invisible to the online vendor, even though the window on a customer's desktop may be lying on top of the window for the merchant's page—it is impossible for anybody to eavesdrop while individuals verify their identity. Arcot is also working with MasterCard and Visa to deploy the software at issuing banks around the world.

"A lot of work went into making this secure," says Smith. "There's no point in having a real-time online authentication system if it's not secure."

Now that the system is in place, credit card companies are trying to promote widespread adoption, and they are offering a very big carrot. Until now, fraud liability for online transactions rested with merchants. If merchant shipped an expensive digital camera to Joe Smith in Chicago but the real Joe Smith lived in Miami and never ordered a digital camera, the merchant had to shoulder the blame—and the loss.

The result, according to Tom Maxwell, director of e-commerce and emerging technologies at MasterCard, is that many Internet outlets have been reluctant to offer their most expensive products online, and that has been holding down the growth of e-commerce.

But with 3-D Secure, the liability is beginning to shift. MasterCard-issuing banks in Europe have already started to take on liability, and Visa-issuing banks around the world have done so, starting in April. For Visa, some 50 significant Internet merchants in the U.S. currently use the service, and another 50 in the U.S. will be coming on shortly, according to McCarthy.

"In the real world, the merchant gets a signed receipt as evidence of a transaction, and with 3-D Secure, the merchants and the acquirers get some evidence of an online transaction," says Maxwell. And because the banks are now able to authenticate users, they're more willing to take on the risk of fraud.

When the merchants don't have to worry about liability, they'll be willing to push even more valuable products through the Internet. Couple that with increased consumer confidence from another layer of security, and we'll see a surge in e-commerce, both MasterCard and Visa executives predict.

Says McCarthy, "We are creating an environment in which people are no longer worried about shopping." 

» Get more information about Arcot Systems. » Give me more information on the Arcot/Sun solution. » Read more about the MasterCard/Arcot/Sun partnership. » Read about Sun's role in Visa's Direct Exchange project, which aims to provide a VisaNet platform for business expansion beyond card-based services. » Get an overview of financial industry trends and Sun's role in finding solutions to difficult problems ahead. » See why Sun holds the keys to e-solutions in capital markets, corporate banking, retail banking, and insurance.