Cyber Fraud Online: Credit card PINs will mean more online fraud
Retailers say they may have to wear an even greater share of the cost of online fraud when signatures are abolished from credit cards from August 1.
Australian Retailers Association chief executive Russell Zimmerman said he fully supports the move to remove signatures.
But he argues that by strengthening security for physical transactions, more fraud may shift online.
Merchants commonly cover the cost of "card-not-present" fraud – mainly committed online – via a "charge-back" from card companies and banks.
A charge-back occurs when the customers' bank tells the merchant's bank that the customer has disputed the transaction.
The merchant's bank pays back the amount from the merchant's account if it agrees the merchant is liable under the card company's rules. But the merchants loses the item if it has already been sent to the customer.
Banks are usually liable for fraudulent payments made in person.
"We are in 100 per cent agreeance with the move to PIN [only], but the thing we have to move very quickly towards is to remove fraud online," Mr Zimmerman said.
"Fraud in bricks and mortar [shops] will slow down considerably and probably dry up. So fraud will naturally move to online once you move to that system.
"If you order something online and then you dispute the transaction, once that transaction is disputed, the merchant has lost the goods but will also often have a charge-back against him."
Online fraud is by far the biggest source of payments fraud, accounting for 75.8 per cent of fraud on Australian issued cards in the 2013 financial year. Payments fraud accounts for just 0.02 per cent of transactions made via cards and 0.015 per cent of the value of transactions.
Security may become a 'patchwork quilt'
Lance Blockley, the managing director of payments specialist RFi Consulting, is co-ordinating the banks, card companies and merchants as they move to PIN only verification on card transactions called PINWise. He said originally the initiative did include an Australia-wide move to more secure methods for paying online, to be enacted after signatures were abolished at the point of sale.
This would have made it mandatory to use "two-factor authentication" so, for example, when someone paid for a purchase online, their bank would send them a one-time passcode via SMS to their mobile phone.
Banks already require this for some online transactions such as paying money to an external bank account. But he said some online retailers opposed this because it would discourage people from buying online, believing it leads to "shopping cart abandonment".
"Although the international card companies already offer their own forms of two-factor authentication to merchants and consumers, so far uptake rates have been low – suggesting that without some form of industry-wide effort, online security may remain a bit of a patchwork quilt," he said.
Australian Bankers Association CEO Steve Münchenberg said he can understand the logic of the ARA's view, but there are already "a whole range of ways that retailers can use to secure payments online".
These include Verified by Visa or MasterCard's SecureCode. But these require both the consumer and merchant choosing to register for these. Once they do, consumers shopping online are asked by their bank to use their online shopping PIN.
Senior officials in payments industry groups and payments regulators said mandating extra authentication for online purchases would be a costly move that could outweigh any savings from online fraud.
"I think there will continue to be a lot of effort to solve card-not-present fraud because the bulk of fraud is online," said Chris Hamilton, CEO of the industry body responsible for collecting and reporting card fraud, the Australian Payments Clearing Association.
"But any solution you land on is going to require every merchant do something on their website – so it is a sheer scale problem."
Online fraud is the biggest source of payments fraud, accounting for 75.8 per cent of fraud on Australian issued cards in the 2013 financial year.