The online retailer
Online retailers face a delicate balance when designing their payment systems. The payment system must be secure to protect against fraudulent purchases. It must also be quick and easy to use to ensure the maximum number of sales.
Research shows that the lengthier the payment process is (measured in the number of security data fields to be filled in) the more likely a shopper is to drop out of the purchase. This is why sites such as Amazon and eBay have implemented 1-Click buy processes, the customer registers credit card details once and every purchase then requires only one click to pay.
The online retailer faces a choice: ask the shopper to fill in more security questions and risk losing the shopper or ask fewer security questions and risk fraudulent purchases. The retailer makes the decision based on a balance between the cost of losing customers who do not want to fill in extra fields against the cost of fraud.
What choices do online retailers make?
Newcastle University surveyed the top 400 online retailers to identify their payment security choices. We got 389 responses. Here they are presented as a pie chart:
You can see a larger version in this downloadable pdf.
We categorised the results as follows:
Lowest security settings
26/389 (7%) online retailers will accept a payment based on only the 16 digit card number and the expiry date of the card.
Recommended security settings
291/389 (75%) online retailers required the 16 digit card number, the expiry date and the security number (CVV) of the card. Including the CVV meets the minimum set of payment security fields recommended by Visa and MasterCard for online payment.
Enhanced security settings
25/389 (6%) online retailers additionally required the customer to enter their billing address, giving additional security over the minimum recommended.
47/389 (12%) online retailers implemented 3D secure (Verified by Visa / MasterCard Secure Code).
Are retailers like Amazon incurring high levels of fraud?
Let us look at how Amazon secures its transactions. We see that ease of payment is paramount for Amazon. It realises that many of its customers want convenience, and otherwise may be turned away from buying at Amazon. They therefore use the lowest security settings requiring their customers to enter only the 16 digit card number and the expiry date of the card. Amazon also implement 1-click buy remembering the customer card details once they have been entered.
When we suggested to Amazon that not asking for the CVV code may pose security risks to its customers, they confirmed that they have other security mechanisms in place to combat fraud.
So what kind of things may they have in place?
The modern way of detecting fraudulent payments is based on customer profiling algorithms. These are algorithms that analyse large amounts of data looking for patterns — if the data shows behaviour that deviates from the norm, this may suggest fraudulent behaviour. Many of us have experienced such triggers when using credit cards: the credit card company phones you up if their customer profiling algorithms spot suspicious transactions. Amazon, the big company it is, may be able to detect fraud in this manner, but smaller web retailers won’t, they have to rely on traditional fraud prevention methods.
© Newcastle University