Eftpos mulls two-factor security for online payments

Pilots card-not-present transactions.

Security remains the key hurdle to a plan by Eftpos to introduce ‘card-not-present’ solutions that will allow merchants to accept payments via the internet or phone.

Currently, only scheme credit, debit or charge card providers like Visa and MasterCard facilitate card-not-present (CNP) transactions, commonly used in online sales.

Figures released last week by the Australian Payments Clearing Association (APCA) indicated that CNP was the most common method used in fraudulent transactions in 2010 (pdf).

According to the APCA, there were 332,993 incidents of fraud perpetrated in Australia on locally issued cards last year, of which 57.4 percent involved CNP transactions.

CNP fraud had increased 38 percent over the year, contributing to an overall increase of 25.4 percent (67,411) of fraud incidents in Australia since 2009.

Eftpos managing director Bruce Mansfield said the figures highlighted a “worrying trend in CNP fraud for scheme credit and scheme debit cards”.

“The trends that we are seeing in terms of fraud highlight the need to address card-not-present security challenges,” he told iTnews.

“The Eftpos promise is for a safe, secure, fast and cheap payment solution. When we take Eftpos into the card-not-payment space, we need to do it in a safe and secure manner.”

Mansfield said Eftpos would consider two-factor authentication – typically requiring both passwords and physical tokens – in CNP trials that would commence by early 2012.

He declined to disclose details of the pilot and technology involved.

In a public statement this week, APCA chief executive Chris Hamilton urged both consumers and retailers to consider fraud prevention and detection tools for internet shopping.

Hamilton linked growing rates of CNP fraud to the growing popularity of online commerce.

He called for retailers to ensure compliance with PCI data security standards and to consider implementing 3D Secure, a dynamic authentication protocol.

3D Secure offerings include MasterCard SecureCode and Verified by Visa. These require customers to initially register with their bank, after which transactions are processed via the bank’s webpage.

Two-factor versus 3D Secure

Visa’s Australian country manager Vipin Kalra said merchants were concerned that two-factor authentication would slow down the purchasing process.

The credit card network is promoting a new version of Verified by Visa that allows transactions to be “risk-scored”, so that only high-risk transactions require dynamic authentication.

Under a seven-point plan introduced by Visa in 2009, all visa cards will be enrolled in Verified by Visa by next April.

“We are working with financial institutions to accelerate the implementation of Verified by Visa and to encourage both consumers and merchants to adopt the service,” Kalra told iTnews.

“The majority of banks are in the process of implementing or upgrading existing services with dynamic authentication.”

Visa also upgraded fraud detection mechanisms on its VisaNet processing platform in January, and planned to mandate the use of cardholders’ three-digit, CVV2 code by January 2012.

By blocking attempts to make multiple transactions in quick succession, and identifying fraud trends in real time, Visa expected the VisaNet upgrade to reduce fraud by US$1.5 billion ($1.43 billion) a year – a 29 percent improvement from 2009.

A MasterCard spokeswoman told iTnews that the credit card company would mandate the use of 3D Secure by April 2013 for transactions worth more than $200.

American Express claimed to experience "considerably lower" levels of fraud than other major Australian financial institutions.

It offered merchants the ability to request customers' billing details and four-digit "batch code", which functioned like Visa's CVV2.

An American Express spokeswoman said merchants could also request "additional data elements", but declined to provide further details for commercial reasons.

While Eftpos’ Mansfield noted that there were “lots” of technological security mechanisms available, he said the payments industry needed to “do a better job to make [payments] more secure”.

He held up Canada’s Interac Online as an example of a secure online payment service which, like 3D Secure, processed payments on a bank’s – rather than a retailer’s – website.

Mansfield said Eftpos would initially consider enabling CNP payments for bills rather than purchases, since the implied, existing relationship between biller and payer reduced the likelihood of fraud.

Mobile phones could also play a role in Eftpos’ two-factor CNP trial; Mansfield said that new smartphone capabilities would bring about the “re-emergence of the wallet”.

Eftpos was also monitoring the development of mobile phone near-field communications (NFC), with a view to consider offering contactless payments in future.