THE MAGAZINE FOR FINANCIAL DIRECTORS AND TREASURERS

CORPORATE FINANCE December/January 2001

SAFETY IN NUMBERS
E-tailing has had a slow start in Asia, mainly because of security concerns. That could be about to change.
By Enid Tsui

Mohamed Saleem is lucky to have a job. As manager of electronic resources planning for Mohamed Mustafa & Samsuddin (Mustafa), a US$150 million-a-year retail group based in Singapore, Saleem helped launch the group's e-tailing initiative in early 1999. Initially all went well. The orders poured in for its goods, which ranged from coffee makers to entertainment systems. Backed up by credit cards, the orders were filled at a sizzling speed.

Unfortunately, payments from the credit card companies were arriving at an agonizingly slow speed. Saleem quickly discovered that a frighteningly high number of customers were placing orders with stolen credit card numbers. Within months, the company found it had no choice but to bear the entire cost of fraudulent transactions, amounting to US$300,000, and shut down the site.

Saleem managed to pick up the pieces and hold on to his job. Today he manages the security of his relaunched site by manually checking each credit card number before a transaction is processed. This may seem like an extreme solution, but Mustafa's troubles are not unique. US-based Gartner Group reckons that on-line retail Internet fraud happens at 12 times the rate of off-line fraud. And according to another American technology research firm, Meridien Research, 8 percent of all on-line transactions conducted last year were fraudulent. Meridien predicts that number will grow to 14 percent by 2003.

But despite all this, e-tailing is slowly gaining strength in Asia. Security-conscious Asian customers, it appears, are willing to buy on-line. Most card-issuing banks in the region now guarantee full refund for Internet purchases that cardholders claim they have not made. The bad news for finance managers, however, is that the banks have simply shifted the burden of payment for fraudulent transactions back on to the e-tailers themselves.

Game, Set and Match

For the company with ambitions in on-line sales, then, today's challenge is finding a dependable way to prevent fraudulent transactions from happening in the first place. This is harder than it looks. Saleem, in fact, did not do a bad job setting up Mustafa's website. Its security system relied on the two dominant security protocols available - Secure Sockets Layer (SSL) and Secure Electronic Transaction (SET).

SSL has become a de facto standard for web-based transactions. It encrypts the data transmitted between the customer's browser and the merchant's server so that it is not readable by anyone tapping the connection. It's popular because a customer needs nothing more than a fairly recent version of a web browser, which can be set to enable SSL protection by default. But the drawback is obvious. Hackers claim they can decipher any encryption, and they are not bluffing. SSL suffers because its encryption scheme is somewhat similar to Enigma, the supposedly impenetrable encryption machine used by the Nazis in WWII. (British code-breakers cracked Enigma in 1940 and helped the Allies win the war.)

The SET protocol was developed more recently by Visa and MasterCard. To buy on-line using SET, customers have to apply for software known as a digital wallet from a card-issuing bank. With each transaction, a purchase order is sent to the merchant's server, together with a digital certificate issued by the digital wallet that verifies the customer's identity (that is, the order is made by the legitimate owner of the quoted credit card). The data is then sent directly to the merchant's acquiring bank, which authenticates the credit card and sends an all-clear message back to the merchant. The transaction can then proceed.

With SET, the cardholder pays up in the event of fraud. The banks are so convinced that SET is safe that they think that if the digital certificate is faked, it is probably because the cardholder has been careless with his digital wallet. The set-up cost of SET for merchants is US$20,000, plus an annual fee of US$1,200. It's free for customers, who also benefit from the fact that credit card numbers reach the acquiring bank without ever being passed to the merchant.

It sounds ideal. But there have been very few takers so far - mostly because SET authenticates the computer, not the person who sits in front of it. This means that a cardholder cannot make on-line SET orders from a computer that does not have his own digital wallet installed. Mohamed Saleem had allowed customers to opt for either SET or SSL on the old Mustafa website, but he claims that not one single buyer used SET. "SET would make it a lot safer for the merchant but we can't force it on our customers. That will drive away most of the trade. It's up to the banks to market it - and they haven't done a good job," he says.

Finger Pointing

Yong Chai Yim, head of risk management at the United Overseas Bank of Singapore's credit card center, was among the first in Singapore to help merchants set up SET transactions. He blames the poor response on a lack of support from Visa, MasterCard and other banks. "We were ready to go all out with SET but unfortunately very few merchants in the rest of the world support the protocol. So, very few cardholders out there think it worth their while to get a SET certificate," he says.

Finance managers also believe that banks need to work harder. Joseph Tsai, CFO of Alibaba.com, the Hong Kong-based B2B portal, has recently launched an on-line payment center for mainland China users. It's a groundbreaking setup catering to large-sum electronic transactions in China, and, like most B2B payment transactions, it does not involve credit cards. On the other hand, Alibaba.com has only minimal SSL protection for credit card payments of products it sells directly to consumers. For these transactions, Tsai uses HSBC's payment system. "We don't have SET protection for our B2C transactions. To be honest, our B2C business is only marginal so we can afford the risk. But what is frustrating is that HSBC is really a conservative bank and we need to ask for permission every time we sell a new product on our website. The bank is constantly worried that we can't deliver what we promise our customers," he says.

Saleem, for his part, now talks regularly with finance and government institutions in an effort to find a solution that works for everybody, but has yet to succeed. He relaunched the Mustafa on-line shop in the summer and now verges on the paranoid when it comes to security. For example, only local Singaporean credit card holders can buy from the website. Every buyer is contacted by email or by phone and asked to fax a copy of the credit card to Mustafa. Mustafa then phones up the issuing bank to authenticate each card before completing the transaction.

A laborious process, but Saleem insists it is the only way. Like Tsai, he despairs of the fact that he does not enjoy the same level of security as his customers or B2B merchants. Not surprisingly, he has decided not to expand the retailer's on-line service to other countries for now. To get around this problem, a B2B portal will link the shop in Singapore with its overseas resellers. "That should be absolutely safe because we will only deal with resellers with whom we have a long and trusting relationship," Saleem says. "It simply takes too much time and labor to check on overseas-issued credit cards."

Private Parts

Visa and MasterCard, meanwhile, are not sitting by idly. They are collaborating on the launch of a simplified version of SET called 3-Domain Secure, due in the first half of 2001. It is expected to be more user-friendly than the current version, though the two credit card companies still insist SET is underappreciated.

American Express disagrees. In September, it launched a free service, called Private Payments, for US card members and merchants. The cardholder visits the Amex website and applies for a separate one-off card number. The temporary number, rather than the real credit card number, is given to the merchant and the order is processed in the normal way. As soon as the transaction is completed the number expires, and the cardholder will need to apply for another one next time he buys on-line.

There are other ways merchants can shore up defenses. US-based companies such as Clear Commerce, CyberSource and HNC Software offer services that compare a shopper's email address with their Internet protocol address and shipping address. These screening systems work because they build up a database with transaction records from all on-line merchants worldwide who use the software.

Software companies use the records to track recurring patterns of fraudulent transactions. For instance, an order should be examined if the same card has been used in a rush of large-sum transactions. Typically, swindlers enter a free email address from a provider such as Yahoo! or Hotmail, which can be obtained anonymously. CyberSource, which is used by Amazon.com to scan orders, has developed a checklist of 150 telltale signs of illegal activity. But there's a limit to what such software can do. More than a thousand portals provide anonymous, free email accounts. CyberSource executives admit it is impossible to keep up.

Herman Cheng, regional solution integration director of Web Connect, an Internet consultancy, advises clients to adopt fraud detection software - but warns that it is only as good as merchants want it to be. "On-line merchants have to balance their risk threshold against the level of convenience they want to offer their customers," he says. "You can set your server to automatically reject any transaction that does not come with the credit card billing address, but you will drive away business whenever you ask customers to give extra information."
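The screening signals described above (card velocity, free-mail addresses, address mismatches) and Cheng's risk-versus-convenience trade-off can be sketched as a small rule engine. What follows is an added example, not code from CyberSource, Clear Commerce, HNC or Web Connect: the free-mail domain list, the one-hour window, the US$500 large-sum threshold and the three-order velocity count are assumptions, and the orders are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

FREE_MAIL_DOMAINS = {"yahoo.com", "hotmail.com"}  # assumed short list; vendors keep far longer ones
VELOCITY_WINDOW = timedelta(hours=1)  # "a rush of large-sum transactions": assumed window
LARGE_SUM = 500.0                     # assumed large-sum threshold
VELOCITY_COUNT = 3                    # assumed: third large order within the window trips the rule

@dataclass
class Order:
    order_id: str
    card_hash: str  # hash/token of the card number, so reuse is detectable without storing the PAN
    amount: float
    email: str
    billing_address: Optional[str]
    shipping_address: str
    placed_at: datetime

def score_orders(orders, require_billing=False):
    """Return {order_id: [reasons]} for orders that trip a rule. require_billing models
    the strict setting Cheng describes: a missing billing address is itself a reject."""
    history = defaultdict(list)  # card_hash -> timestamps of recent large orders
    flagged = {}
    for o in sorted(orders, key=lambda x: x.placed_at):
        reasons = []
        if o.email.rsplit("@", 1)[-1].lower() in FREE_MAIL_DOMAINS:
            reasons.append("free-mail address")
        if o.billing_address is None:
            if require_billing:
                reasons.append("no billing address")
        elif o.billing_address != o.shipping_address:
            reasons.append("billing/shipping mismatch")
        if o.amount >= LARGE_SUM:
            # keep only large orders on this card that fall inside the sliding window
            recent = [t for t in history[o.card_hash] if o.placed_at - t <= VELOCITY_WINDOW]
            recent.append(o.placed_at)
            history[o.card_hash] = recent
            if len(recent) >= VELOCITY_COUNT:
                reasons.append("card velocity")
        if reasons:
            flagged[o.order_id] = reasons
    return flagged

# Constructed sample orders: one ordinary buyer, one card used three times in 40 minutes.
T0 = datetime(2001, 1, 15, 10, 0)
SAMPLE = [
    Order("A1", "card-1", 120.0, "jane@example.com", "1 Orchard Rd", "1 Orchard Rd", T0),
    Order("B1", "card-2", 900.0, "xx@hotmail.com", None, "PO Box 7", T0 + timedelta(minutes=5)),
    Order("B2", "card-2", 750.0, "xx@hotmail.com", None, "PO Box 7", T0 + timedelta(minutes=20)),
    Order("B3", "card-2", 1200.0, "xx@hotmail.com", None, "PO Box 7", T0 + timedelta(minutes=40)),
]
```

Running `score_orders(SAMPLE)` flags only the card-2 orders, and the third of them trips the velocity rule; switching on `require_billing` shows how the stricter setting also catches the missing billing address at the cost of rejecting more orders.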

Despite the hassles, most retailers still believe it is important to maintain an on-line presence. As John Lauderdale, senior manager of global risk management solutions for PricewaterhouseCoopers in Hong Kong, reasons: "The only way to completely avoid on-line credit card fraud is not to set up an on-line shop at all. Brick and mortar shops face the same dilemma. It is not possible to prevent all shop-lifting, but few shop owners would close down their shops just because they lose 1 percent of their revenue to petty thieves."

Enid Tsui is a senior writer at CFO Asia

Hackers for Hire
ONCE A THIEF

A year ago a group of ex-hackers in Shanghai formed their own security consultancy, and the firm now has two branch offices, in Beijing and Guangzhou. This August, another Chinese company, the HiSense Group, encouraged hackers to attack the new firewall built by its software subsidiary. Suddenly, hackers appear to have real business value - or do they?

In theory, yes. After all, stolen credit card numbers are mostly hacked from the databases of on-line shops. But John Lauderdale, a senior risk manager at PricewaterhouseCoopers, Hong Kong, insists hackers don't know any more than a junior web consultant.

"I can hack into any website if I want to," he says. "It's not difficult. Companies are better off using a properly trained professional who knows the financial constraints that a company CFO faces." Hackers may know a lot about back doors, but Lauderdale says they generally know precious little about competitive advantage periods, ROI or e-commerce strategy.

A number of industry watchers have also started to question if hiring hackers to test network security is such a clever idea. Rewarding hackers and other digital pranksters with lucrative consulting contracts raises questions about responsible corporate citizenship. What's more, it's nearly impossible to ascertain the true intention of hackers-turned-advisors. Uncertainty about whether a leopard ever really changes its spots can leave a network wide open to theft, fraud, or worse, extortion. "It just doesn't make sense to hire an ex-hacker," says Dave Safford, manager of the Global Security Analysis Lab at IBM Research. "It's kind of like hiring a convicted arsonist to be a fire marshal." ET