SAN MATEO (03/10/2000) - Fraud is one of the worst fears any businessperson faces, whether running an online shop or a brick-and-mortar enterprise. What if the customer is passing bad checks or bad credit cards?
Keeping an eye out for fraud comes with the territory, but what may come as a serious wake-up call to a number of aspiring e-commerce entrepreneurs is the level of personal risk involved when it comes to protecting against the age-old enemy.
Virtually every online transaction requires vendors to take it on faith that credit information is accurate. In retailing lingo, it's called a "card not present" transaction, which means there's no actual credit card being presented at the time of the sale, and online retailers have little choice but to accept this. Firewalls, VPNs, and other standard security devices designed to thwart hacks and intrusions may get all the headlines, but what good is a locked door if buyer authentication is compromised?
The price for negligent Internet-business fraud practices can do much more than create a small hole or two in a company's revenue stream: It could ultimately bring an online commerce operation to its knees.
"We had a period where we had more fraud than legitimate sales. We almost went out of business with the volume of fraud we were seeing," said Bill McKiernan, CEO and chairman of CyberSource Corp. "We learned the hard way the issues a lot of companies face when they move from simply using their Web site to disseminate information for customers to selling products and commerce over the Net. Secure transactions are a big part of that."
Not only is this a concern for business-to-consumer enterprises, it's also increasingly a concern for business-to-business commerce, where suppliers must make sure their business customer is on the up-and-up.
CyberSource began business life as a merchant that sold software via the Web.
However, in 1997, the company decided to outsource e-commerce risk management solutions to online companies, including fraud detection. It spun off its sales division into what has become Beyond.com.
McKiernan said CyberSource's Internet Fraud Screen (IFS) service, which analyzes 150 different characteristics of each transaction to identify levels of potential fraud, is beginning to move from the business-to-consumer marketplace into business-to-business areas.
Online vendors are aggressively jumping on board to shore up infrastructure risk management. That's because they absorb 100 percent liability for every online fraudulent transaction, whether they know it or not, said Joe Marino, an analyst at Current Analysis, in Sterling, Va.
"There's increasing awareness that you have to do more to manage your risk than [just doing] address verification," Marino said.
Much to their chagrin, Web vendors are discovering that the traditional credit card method of battling fraud, Address Verification Search, isn't sufficient for the massive playing field of cyberspace, Marino said.
Elevated fraud rates or elevated charge-back rates may force banks to charge e-merchants a higher expense fee for doing business with them.
When a merchant processes a credit card charge and the consumer questions that charge as possibly fraudulent, the merchant has to cover the cost. And the charge-back may in fact cost the merchant more than the cost of the goods sold under question due to bank penalties.
Merchants who sell digital goods that customers can download are particularly vulnerable, because there's no paper trail requiring the customer's signature to confirm the receipt of goods.
The fraud screening market is still new, and some small and midsize e-commerce merchants can't afford to buy complete protection. Eventually, competition among vendors to provide fraud screening, coupled with new technology, will cause fraud protection costs for merchants to drop, said David Schatsky, director of Commerce Infrastructure Strategies at Juniper Communications in New York.
Online merchants are already beginning to see the benefits of customizing their own set of fraud rules depending on their specific e-commerce needs through companies such as ClearCommerce, which offers the capability as part of its product suite.
A customer of ClearCommerce and user of eHNC's eFalcon, Dermot McCormack, CTO of Web gift certificate vendor Flooz.com in New York, said his company has depended on secure fraud protection from day one.
"Eventually, we may live in a world where smart-card readers and digital certificates do the protecting, but until then we have to use the mechanisms out there," said McCormack. "The consumers are not going to pay; you as a merchant will pay. So it's really up to you to do your own policing and cover your own bases."
Locating precisely where an online fraud transaction took place isn't easy. In many cases, that's because spoofing (the false use of someone else's credentials) is a common method of disguise.
CertifiedMail.com has developed a "round-trip" means of tracking and securely replying to transactions using an embedded SSL (Secure Sockets Layer) Web link built into the transaction by using XML.
"We synchronize with an atomic clock to the second, then we record the IP address of who sent it and who picked it up," said Bob Janacek, chief Internet strategist at CertifiedMail.com. "I can tell you exactly where it was opened and from what computer."
ValiCert grabbed a large share of the fraud protection market after it acquired Receipt.com last December. Sathvik Krishnamurthy, vice president of marketing and business development at ValiCert, said online vendors must use discretion when choosing one of a variety of fraud protection methods.
"If you're paying more for insurance than the thing you're insuring, then you have a problem," Krishnamurthy said. "I wouldn't just say that every business ought to be investing lots of time and energy on this. But all it takes is a single fraud case, and it can destroy a business."