Credit cards: Unsuitable for online payments

The credit card was originally designed for making cashless purchases at stationary retailers. The idea was that the cardholder would produce the signed card when paying. When he or she then signed the receipt, the two signatures would be compared, conclusively confirming the link between the cardholder and the card.

In some cases, picture ID was even asked for as irrefutable proof of the cardholder’s identity. The card’s second – and perhaps even more important – purpose was to provide the cardholder with credit, repayment of which was not due until the end of his or her billing cycle.

The credit card was a success, becoming the world’s most popular payment method after cash. As, in the 1990s, e-commerce became increasingly significant, it also became an approved method of payment for online purchases. As a result, however, fraud figures skyrocketed. “Card-not-present” transactions (in which the card is not physically provided) lack crucial control mechanisms like signature or photo comparisons, and chip-and-PIN processes cannot be implemented online.

The Challenge – Credit Card Security

Over the past 20 years, therefore, the credit card industry has made various attempts to stem the accelerating fraud.

With the introduction of the PCI-DSS standard, security guidelines were implemented to secure data that had been stored or collected. A 12-point list details the security requirements for retailers’ IT environments and those of Payment Service Providers. If companies cannot adhere to these requirements, they are not permitted to perform credit card transactions. This affects mostly small retailers, whose lack of PCI certification means that their credit card transactions are performed by PSPs with high security standards. Unfortunately, this has not prevented the details of millions of cards from being stolen over the past few years, particularly from major retailers.

Other approaches to online credit card use have involved providing the expiry date and cardholder's address. The latter can, however, be verified in very few countries – and then only incompletely. In 3-D Secure, the industry thought it had scored its greatest hit. During this payment process, cardholders were redirected to the banks which issued their credit cards and asked to enter a secret code in a popup window. This requirement, however, led to customers terminating orders during the final step, either because they had forgotten their code or because they hadn’t registered with 3-D Secure. Nowadays, most sites merely require their customers to enter the security code (CVC, or Card Validation Code) printed on the back of their card. As these codes may not be stored by the retailer or by any other partner involved in the transaction, this method provides a certain measure of security for the cardholder. It is, however, useless if the card is stolen or photocopied.

Security at the Expense of Convenience

The latest approach to securing online credit card transactions is known as “tokenisation”. In order to carry out this process, credit card companies store a numerical “token” for each credit card in a database. This token is then shared with the retailer during the online payment process, rather than sharing the credit card number itself. The payment is authorised by automatically comparing the token with the credit card company’s database. The original idea was to assign a new token for each transaction, but retailers offering the popular one-click payments need static tokens, which can be stored and re-used for each payment.

The bottom line is that numerous efforts to make the credit card a secure method for online payment have had no lasting effect. Instead, criminals have always found loopholes. After all, processes to increase online security are always implemented at the expense of convenience, and making things more complicated causes rises in cancelled orders. When it comes to card payments, there is, unfortunately, no solution to this dilemma. These payments must always be initiated by retailers, who require data to be transmitted or stored in some form. There is, therefore, always a back door open for data thieves.

Conclusion: “Pull” payments, those initiated by retailers, are less appropriate for online purchases, and on top of that retailers incur the additional risk of chargebacks. Originally designed to provide security for dissatisfied customers by enabling them to dispute charges and receive their money back, this concept has established itself as a playground for swindlers. In “friendly fraud”, customers simply maintain that they did not place a particular order, or that they never received their items. In such cases, retailers are almost always left holding the baby.

Credit cards are an integral part of online shopping, but a “healthy mix” is recommended. Online retailers should always offer push payment methods as well, including invoicing, prepayment and real-time bank transfer systems.

These include schemes like giropay in Germany, iDEAL in the Netherlands, and Przelewy24 in Poland, all of which prevent misuse of sensitive data by not collecting it in the first place.

Ralf Ohlhausen is the Payment Expert and Chief Strategy Officer for PPRO Group