Some hidden risks of Internet commerce
The Internet has grown more than tenfold since then as measured by most traffic metrics, so what about online credit card transactions? Forrester Research (Cambridge, Mass.) estimates that they reached as high as $2.4 billion in 1997. International Data Corp. (Framingham, Mass.), another research company, first estimated $50 billion for all e-commerce for 1997, but later corrected that to $10.2 billion. Such a 500 percent correction may be indicative of some unfulfilled expectations; and even if we believe the $10.2 billion it's still just a third of what Kmart alone did in 1997.
Nonetheless, $10.2 billion is a lot of money and behind it is a terrific growth rate over the last few months. But consider also that companies did $80 billion worth of online sales orders and purchase orders in 1997 across virtual private networks using Electronic Data Interchange (EDI). The founder and head cheerleader of the Internet, the federal government, is requiring that all business with the government soon be done electronically-but on Facnet, a virtual private network, and not on the Internet .
Scott Hebner of IBM, one of the foremost companies promoting e-commerce, admitted that of the companies with significant Web sites, "only 5 percent are selling anything over the Net."
What is wrong with this picture?
The encryption formulas are now about as secure as they will get, which is quite secure, but there is more to stopping credit card fraud than encryption, not least of which is the people side of the equation. To bring this down to earth, ask yourself, "What makes me feel less secure, the possibility that someone may crack 64-bit encryption or the half dozen gas station attendants who took my credit card number this month?"
Consider the bank's view of credit card fraud, first as it applies to the card holder and then as it applies to the small merchant.
As a credit card holder, you are bound by the contract you signed with your credit card company (usually a bank) to safeguard your credit card number. If you are surprised to learn of a few thousand dollars charged to your account by someone else, the bank will not just write it off. First they will call you and ask you some questions. If you allowed your sister to go shopping with your card but didn't realize how much she would spend, the bank will tell you that is between you and your sister: you still owe the bank. If you tell the bank you wrote your credit card number on an online form and pressed the "Submit" button, will the bank conclude that you properly safeguarded your credit card number? Probably, but this will be decided by a person, not by policy. Bank policy toward the Internet is still in formation.
To the cybernauts who say there's nothing to worry about, ask them to place a quick call to their bank and get a guarantee that the bank will consider them off the hook in the event of such Internet fraud. They will hear, "We're looking into that" or, "We'd have to check into that on a case-by-case basis" or an honest, "We don't know." But they are unlikely to get as straight an answer as if they were talking about gas station attendants.
If you ask Visa International, you will hear that they have been working on developing a Secure Transaction Protocol (SET) since 1995. Stephen Herz, Visa's vice president of electronic commerce, said he hopes to have something by late 1999, though many analysts are not that optimistic.
Bankers are risk-averse people and the Internet is too new to assess the risks or to have much legal precedent. Credit card holders like us are even now setting those legal precedents and few are enjoying it.
Switching to the perspective of the small merchant that accepts credit cards, let's say the bank calls you to say that one of its credit cards has just been hit with $20,000 in fraudulent charges and you were one of the last merchants to accept a charge from the legitimate card holder. The bank learns you took the card number over the Internet . Will you or your high-priced lawyer have to explain Internet security to a poker-faced bank officer or to a judge in his 70s who never did figure out how to program his VCR? If you can't count on getting off with a summary judgment in your favor, what good is 64-bit encryption? Remember the reason for the bank's original call to you: it would like to find a home for the $20,000 loss and wants to know if you're a viable defendant. This will be decided less on its Internet merits than on the people side of your banking relationships.
If you become a viable defendant, can you rope in the secure server vendor you used for online credit card sales to help share the load? Not likely. If you check the four-point type on your software license, you will find various hold-harmless clauses.
Now we move on to Internet commerce problems beyond credit card fraud, problems you are not as likely to hear about from the Internet trade journals that tend to look for technical solutions to technical problems. In this case, the problem is entirely contractual, specifically the contract from your merchant bank allowing you to take credit cards.
That contract spells out the transaction steps you must follow-or the bank may rule against you automatically in a merchant dispute. For example, if you don't obtain an authorization code for purchases over $50, the bank can and often will refuse the draft, regardless of how you can prove the validity of the transaction. Your contract always has a clause near the end stating that the bank covers only credit card transactions explicitly described in your contract and that the rest are not covered. This is to discourage creative merchants from coming up with clever but risky or illegal new transactions. This means the bank doesn't have to understand what you're talking about, only that it does not concern one of the transactions that it does understand. Unfortunately, the Internet is too new to be explicitly covered in most standard contracts, thus allowing your merchant bank a way to leave you holding the bag.
This does not mean your bank will automatically reverse an Internet transaction. If the credit card holder pays, the bank is not looking for trouble. But let's say the bank receives a merchant dispute letter from a credit card customer and the bank learns the transaction took place over the Internet. The bank doesn't want to be a defendant in small claims court and your contract gives it a way out. In this case, you may not even get to explain 64-bit encryption, but you may be on your own to collect from the guy in Hong Kong who took delivery of your stuff.
Banks are working feverishly to come up with a way to explicitly allow Internet transactions in their standard merchant contracts. After all, they would like the credit card fees. Their problem, however, is intrinsic to the core design of the Internet, the design that makes the Internet as useful and popular as it has become. Bankers need transactions that are reliably traceable, meaning that they have independent proof that the sales order was sent and received, what the EDI folks call nonrepudiation.
At its core, however, the Internet is what is called stateless. This means that there is no centralized computer that records transactions as with America Online, CompuServe or the virtual private networks used for EDI. An Internet transaction or message is sent out with a destination address, goes down unpredictable wires via routers and switches, reaches its destination and an acknowledgment is sent back to the sender. If that acknowledgment is not received within 120 seconds, browsers will time-out with a nonspecific error message that can't guess well at why there was no acknowledgment. This lack of centralized Internet transaction control was the core survivability principal when the feds originally designed the Internet. Such a stateless system has no one component that can fail and disable the entire system.
However, the result for us is that a successfully concluded credit card transaction would leave no trace on the Internet, only on the hard drives of the parties involved. This is hardly compelling evidence when most high school kids could produce an official-looking e-mail message from you ordering 10,000 widgets. When banks overcome this problem, they will be happy to update their standard credit card contracts for small merchants-as they did after they came up with policies and procedures for phoned-in mail order transactions.
Why do we hear so little about this? Because big companies setting up big Web sites are more newsworthy. When the Gap or Barnes & Noble roll out online shopping centers, they do not sign standard credit card contracts with their merchant banks. They are larger than many banks and negotiate policies about Internet security and merchant disputes before they sign, and with the volume of bank fees they can provide they sign what they want. Remember the Golden Rule: "The one with the gold makes the rules."
This doesn't mean small merchants have to accept the hidden risks of online commerce, or that they have to sit on their hands a few more years until banks update standard contracts. There are a mixture of sensible solutions available and we'll review some of those in the next column, but they won't be a headlong charge into the hype that is heavy on technology but light on business sense.