Visa program will target online fraud

Visa's "best-practices" guide, which will be released within the next several weeks, will be similar to those the credit card giant has created for catalog companies that accept credit cards by mail or telephone without signatures. But the newest guide will target e-commerce companies for the first time, with tips on how to minimize hacker attacks on databases and spot potentially fraudulent orders before products are shipped.

"Internet merchants haven't always come out of the old catalog business, and sometimes they have little experience in business," said Dave Richey, vice president for card operations at Visa. "They're often new and often focused on IPOs and other stuff. Communication between merchant and cardholder is key in avoiding misunderstandings."

For some e-tailers, Visa's security tips could be considered a case of "better late than never": Credit card fraud has marred several high-profile and relatively established online companies in recent months.

Expedia, Microsoft's online travel affiliate, announced earlier this month that it will record a fiscal third-quarter charge of $4 million to $6 million to cover the cost of fraudulent transactions on its Web site. The Bellevue, Wash.-based company said stolen credit cards were used to book travel reservations.

In January, nearly 350,000 credit card numbers were stolen from music site CD Universe and posted online. A hacker going by the name "Maxus" claimed to have the numbers and tried to extort $100,000 from the Web site.

The focus on credit card fraud coincides with intense scrutiny of e-commerce companies by Wall Street investors, many of whom worry that security breaches could dent revenue.

Unlike credit card transactions at brick-and-mortar companies, in which the bank that issued the card is usually liable for fraudulent transactions, online merchants are typically forced to cover the losses.

The financial institution that issues a credit card assumes liability in about 75 percent of all fraudulent transactions, according to John Shaughnessy, senior vice president for risk management at Visa. But in "card-not-present" transactions--when transactions happen by mail, telephone or Internet and no signatures are obtained--merchants assume liability for roughly 90 percent of fraudulent transactions.

Although it's impossible to quantify how much money online merchants have lost to fraudulent charges, experts say the total as a percent of revenue is anywhere from 1 percent to 30 percent, depending on the retailer and industry. In general, computer and electronics vendors are more at risk for fraud than vendors of less-expensive items, such as books, videos or CDs.

"Security is going to be the critical issue," said Ben Sim, an expert on e-commerce for New York-based C.E. Unterberg Towbin. "A lot of these merchants don't understand the implications of fraud, and they're using home-grown solutions that simply don't work. If you're getting someone from Romania ordering $50,000 of books, the fraudulent transaction's not going to happen. But thieves are getting much more sophisticated, and merchants' security systems aren't necessarily getting better."

According to an Unterberg Towbin study in 1998, more than 50 percent of disputed (or potentially fraudulent) charges at the Visa European division came from Internet transactions. However, Net transactions represented only 2 percent of the division's total transaction volume.

Although many e-commerce executives downplay fraud, their attorneys and accountants don't.

"Security breaches that result in access to confidential information could damage our reputation and expose us to a risk of loss or liability," music retailer CDNow stated in a 10K filed with the Securities and Exchange Commission in 1998. "We may be required to make significant expenditures and expend considerable personnel effort to protect against security breaches or remedy problems caused by these breaches. We cannot assure that our security measures will prevent such breaches."

Other companies are even more blunt:

"We cannot assure you that our security measures will prevent security breaches, and such breaches could expose us to operating losses, litigation and possible liability," read a 10Q filed by Egghead.com last November.

Amazon.com stated in a fall 1999 10Q filing: "Computer viruses, physical or electronic break-ins, and similar disruptions could cause system interruptions, delays and loss of critical data and could prevent us from providing services and accepting and fulfilling customer orders.

"Although we have developed systems and processes to mitigate fraudulent credit card transactions, failure to prevent such fraud may impact our financial results."

Tom Holland, director of fraud detection and prevention for Amazon, said such warnings are worst-case scenarios, not daily concerns.

"Amazon's fraud losses in comparison to sales revenues--it's minuscule," Holland said. "I can't tell you the dollar figure. It's large, but as a percentage of sales, it's insignificant."

Holland said the company is continually upgrading its security system and cooperating with law enforcement to tackle fraud. Amazon and the sheriff of Fairhope, Ala., just completed a case in which a ring of thieves were using card numbers secured from an online "hack shack" of credit card numbers to buy books.

"They'd go to a house for sale, rip down the for-sale sign, and have deliveries go there," Holland said. "They took us for $3,000, but we're getting it all back."

Although online credit card fraud can damage retailers, security experts say, Internet transactions are extremely safe for consumers.

Consumers whose cards are used fraudulently online rarely are responsible for the bills because they don't sign a receipt. In the physical world, consumers must pay up to $50 of fraudulent transactions if they fail to report a stolen card or carelessly distributed credit card information.

"The people who end up eating it are the merchants," said Paul Wasserman, chief executive of Internet shopping portal Ebates.com and a former high-tech crime prosecutor in Silicon Valley. "If you're a merchant exercising due diligence, you're supposed to be off the hook. But the reality is that most of the financial institutions don't let them off."

Many e-commerce executives complain of an adversarial relationship with issuing banks. Holland said that often, when Amazon calls banks to verify addresses, the company doesn't get help.

"They can be blas?," Holland said of the issuing banks. "The e-commerce companies don't get any respect. We're Rodney Dangerfield."