Good Consumers Will Show Up for Good Security Measures

Data Insecurity
Part 3
For as long as we've had threats to transacting online, there's been a data-security industry poised with a vast array of solutions to protect us, anxiously awaiting evidence of a compelling business case to get things started. But for just as long, it's been axiomatic that consumers just don't show up when it comes to protecting themselves?they simply won't bear any cost or inconvenience in order to transact securely. No show, no dough. While that presumption might have been true in the past?largely for reasons of the payment industry's own doing?it's not true any longer. Events have transcended even the bank card's clumsy and sometimes self-defeating efforts to wire in point-of-sale-oriented signature-based cards for e-commerce. “Good” consumers just might show up after all. Go back to 1995, when buying on the Web really got under way, to see how logic got stood on its head. That's when the bank card associations worked closely with the key Internet infrastructure providers and an assortment of security firms to come up with a protocol that would provide substantive digital identification and verification of all parties to an online credit card transaction. The result was the much ballyhooed but quickly jettisoned Secure Electronic Transaction (SET) protocol. SET proved to be overkill?too slow and expensive for most consumers to use. So the first generation of e-commerce went on its merry way without it. The bank card associations didn't give up, however. Several years later, a stripped-down version of SET emerged, called 3-D Secure. 3-D means “three domains,” that is, the card- issuing bank, the acquiring processor, and the merchant all required extra digital security, but the consumer did not. All the consumer had to do was register the card and validate himself with an additional log-on each time it was used to make a purchase online. Most didn't bother. So the bank card industry decided to pre-register millions of their cards to nudge them along. When those consumers went online, they were forced to confirm the pre-registration process before they could use their cards. Not surprisingly, consumers abandoned those transactions in droves, and early-adopting e-commerce retailers quickly unhooked the troublesome 3-D Secure deployments. Meanwhile, bank card marketers touted “zero liability,” letting even the most negligent or irresponsible consumers off the hook for any fraud or mishaps, whether real or intended. As many bank card veterans will attest, the vast proportion of chargebacks and so-called friendly fraud is done by a relative handful of recidivists. A zero-liability policy lays out a welcome mat for them. And it teaches the vast body of responsible consumers not to care. High-tech solutions haven't worked either. Years ago, American Express Co. introduced the sleek, secure Blue Cards with computer chips on them, replete with free chip readers to plug in at home. Initial account signups numbered 5 million. Some 50,000 free readers were distributed. About 5,000 were installed. And only a handful ever did any chip-secured transactions. (Nonetheless, the Blue Card has been a huge marketing success, suggesting that smarter advertising and product positioning can motivate constructive consumer behavior.) Online merchants, who are responsible for fraud any way, figured out how to cope without viable bank card solutions. CyberSource Corp.'s annual fraud survey demonstrates that they have been increasingly successful at risk management, whittling down fraud rates over the past five years to a little more than 1% last year. Today's online merchants use a combination of old techniques (e.g., manual review of transactions, cardholder verification numbers, etc.) and new (e.g., IP address screening, geo-locator services, etc.) to pull this off. And guess what? Responsible consumers go along! Then came the FFIEC?an acronym that rolls off tongues in the data security industry these days as easily as, say, NBA, or MLB, or NFL. The Federal Financial Institution Examination Council, a collection of bank regulatory agencies, mandated that banks have a plan in place for a second authentication factor for online banking sessions by the end of 2006. While by some accounts as many as one-third of regulated banks did not quite meet this admittedly modest first step in online authentication, and those who did struggled a bit with somewhat clumsy deployments, it was a decidedly good start. Indications of consumer resistance were few and far between. Good, law-abiding consumers, it seems, will accept more security after all. Moreover, new research from Financial Insights and Javelin Strategy & Research shows that younger consumers are substantially more likely to be victims of ID theft and fraud than older ones; it's only logical to surmise that these are the very folks with the technology familiarity and receptivity to embrace convenient and effective solutions for enhancing security and privacy. Why not enable them to do so? In fact, Synergistics reports that three quarters of consumers are more concerned about ID theft and fraud than they were five years ago. Five out of six monitor their accounts more often, and they are much more likely to abandon both banks and merchants that don't protect them. Shouldn't all these good consumers have access to tools to protect themselves? Isn't it time for the bank card industry to finally rid itself of the one-size-fits-all mentality that ensures that merchants treat a new 16-digit BIN number and expiration date coming in from a Latvian IP address the same way they do credit card transactions from consumers who have done hundreds of transactions with them over the years? Isn't it time to quit holding the industry hostage to its relatively few bad actors?whether they be bad consumers or bad merchants? The evidence is steadily mounting that moving to a known-customer paradigm where good consumers and good merchants can identify (and protect) each other online (and via mobile devices) is the only way for e-commerce to go?even if it has to leave the bank card industry behind to get there. Thankfully, perhaps mercifully, the data-security industry is still there, just outside the door, knocking quietly to finally be let in. –Steve Mott