Visa to stop Australian online merchants from storing credit card numbers

Australian internet stores will be stripped of their ability to store consumer credit card numbers on in-house IT systems under a radical payments security overhaul launched by Visa this week that mandates the use of tokens for online transactions.

The move to roll-out tokenisation technology in Australia by the global payments giant comes amid unprecedented pressure from the Reserve Bank of Australia and other financial regulators for banks and payments schemes to clean-up ballooning levels of online card fraud.

Online payments fraud on all Australian cards hit a whopping $476 million for the 2017 calendar year, surging from $418.1 million in 2016 according to official statistics from industry body the Australian Payments Network released in August.

The release of the figures sent shock waves across both government and the financial services industry.

In proportional terms, online fraud on all cards now accounts for 85 percent of local card fraud volume, up from 78 percent in 2016 and a sharp climb from the previous five years that all sat below 80 percent.

The stubborn growth in online fraud has prompted high-level rethink of payments regulations, especially because banks for the most part pass through online fraud losses to increasingly angry merchants forced to pick up the tab.

Over the last decade, the growth in online that has resulted in most fraud liability being shifted from institutions to merchants, creating what many believe is a perverse incentive for card issuers and payments processors to pay just lip service terms of fixing the issue.

Visa is now betting its latest move will change all that.

Under the tokenisation standard - dubbed “credential-on-file” (COF) by Visa – payments gateways and facilitators that merchants use will take the lead in implementing the new system by connecting to the Visa Token Service.

The grand vision is that that the switch to tokens will largely be seamless for consumers after years of usability heartache related to clunky PCI-DSS upgrades that too often resulted in frustrated online shoppers dumping their carts at the checkout.

Gateways and facilitators in the frame for the tokenisation push in Australia include CyberSource, Adyen, Rambus, G+D Mobile Security, SecureCo, Ezidebit, eWAY and Bambora who will all plug into Visa Token Service to let merchants “tokenise stored details.”

“COF tokenisation replaces card details with unique digital identifiers (‘tokens’) that are used for payment without exposing a cardholder’s sensitive information,” Visa said in a statement.

“Each token is merchant-specific, so can only be used with the merchant where it is stored, removing any incentive for hackers to try to steal the account data.”

Industrial grade merchant data breaches aimed at stealing customer payment card and online identity credentials are widely regarded as a fundamental plank of the global cybercrime industry because of the ability to efficiently monetise stolen data.

Despite broad agreement that online credit card and payments fraud needs to be addressed, differences between banks, payment schemes, merchants and regulators have often frustrated progress because of the questionable efficacy and cost of security solutions, especially PCI-DSS.

A key issue for banks in recent years has been that the implementation cost of security innovations promoted by competing schemes has sometimes outweighed the cost of fraud – a scenario that translates to the cost of a solution being more than the problem.

Visa’s latest Australian move could change that.

A number of payments industry sources on Tuesday told iTnews they believed the move to tokenisation would make a material dent in online fraud.

Australian banks in particular have a vested interest in making the fraud trend go south to avert the very real prospect of regulatory intervention to make them pick up the tab for losses now borne by online businesses.

Visa’s Australian head of digital product and partnerships, Matt Wood, wasted no time in spruiking the upside of the tokenisation push.

“The collective commitment to drive tokenisation across the industry represents a win for Australian merchants, consumers, financial institutions and payments companies alike,” Wood said.

“This technology enhances the customer experience, enables greater conversion and loyalty for merchants, and protects against fraud.”

Visa also appears acutely aware of the need to sell the new solution as major boost for consumer usability as opposed to previous clunkers at the checkout.

“COF tokenisation enables merchants to have consumer payment details instantly updated when a card is lost, stolen or expires, meaning there is no need for the customer to log in and update their details, or the business to lose out on that payment cycle,” Visa’s statement said.

However merchants, especially smaller ones, still copped a slap courtesy of proprietary research from Visa that pegged consumers’ trust of how their card details were handled.

According to numbers cited by Visa just five percent of Australians trusted “trust individual merchants most” with their card details versus 35% for banks and 20% for payments providers.

“Yet if tokenisation is in place protecting their card details, 41% of Australians said they would be more likely to purchase from small retailers, 39% would be more trusting of online businesses and 40% said they would buy from retailers they hadn’t bought from in the past,” Visa said.