APACS moving (slowly) forward on card-not-present fraud

It's fascinating to read about APACS and its ambitious plans to introduce quite complex card security systems for online and telephone card transactions.

The ideas are quite valid, of course, but the problem is that - unlike the introduction of Chip & PIN in February of last year - there is no fixed date for a protection system becoming mandatory.

According to The 3rd Man, a fraud protection specialist, there is a danger that APACS could introduce an over-complicated system and even alienate genuine customers.

Paul Simms, The 3rd Man's CEO, said that, during 2006, tremendous strides have been made with fraud prevention overall, particularly for retailers, but the problem must be put into perspective.

"Many retailers are able to comfortably manage the threat and do so with little or no impact on their genuine and honest customers. Why conjure up further techniques to alarm and confuse genuine consumers?," he said.

According to Simms, the current crop of `solutions' are not really solutions, but are indicative of the card issuers shifting the blame for fraud.

"This is not so much about preventing fraud as it is about shifting blame - and there have been precedents," he explained.

"Take Chip and PIN for example. On February 13th 2006, if a card was swiped in a store and a signature obtained at the time of authorisation, then the majority of the risk lay with the card issuer. Since February 14th, 2006, with Chip and PIN now mandatory, the real issue is that the risk of fraud lies with either the retailer or the cardholder, not the bank," he said.

In e-commerce, Simms says that a similar scenario is playing out with Verified (Terrified? -Ed) by Visa and MasterCard Securecode.

If a cardholder authenticates a transaction, then he blame is with the cardholder. If a transaction is not authenticated then the blame lies with the retailer, not the bank.

"The key here," said Simms "is that the cardholder who had virtually no liability with card-not-present fraud will now be at threat if password or authentication details are compromised - and that is exactly what the fraudsters will seek to do."

"Furthermore the key to preventing card not present fraud lies with the retailers who now will only care about receiving fully authenticated orders," he added.

The newer, dynamic passcode authentication is a much stronger solution as it is more difficult to compromise the authentication process.

Simms notes that the weakness with the new and dynamic system of authentication proposed by APACS, however, is that the solution relies on 100 per cent adoption.

"And as long as there are banks who do not support it, or cardholders who don't have one of the little gizmos, then retailers will still need to makejudgement calls, just like they do today," he added...