| Navigation bar disconnected -- please see text links at bottom of the page |I-Commerce



Net Prophet - by Dylan Tweney

July 20, 1998

Retail dilemma: balancing security, ease of ordering


Not many businesses brag about how often their customers ripped them off. But that's just how CyberSource accounts for its expertise in the realm of Internet-commerce.

After opening its online software store, Software.net (at http://www.software.net), CyberSource was deluged by orders placed with stolen or fake credit card numbers. In fact, at times the company was receiving more fraudulent orders than legitimate ones.

CyberSource quickly realized that it needed to fight back. The company developed automated systems to combat online retail fraud and was able to get the number of bogus orders down to about 1 percent of total orders.

CyberSource has been offering its fraud-combating expertise to other online retailers for more than a year now, and it's become a major player in the Internet-commerce service business. What it sells is an online payment-processing service -- with extra fraud screening that goes above and beyond basic credit card authentication. (See http://www.cybersource.com.)

CyberSource Vice President Steve Klebe explained the company's system to me over lunch recently. When a Web merchant using the CyberSource service receives an order, it's sent in encrypted form to CyberSource's servers, which run more than 150 fraud tests on the order. For example, the system checks to see if the customer's e-mail address matches the IP address; whether the mailing address and area codes match; and it also looks for obviously fake names, such as "John Qwerty."

Once the tests are done, the CyberSource server issues a recommendation to the merchant, who can choose whether to accept the order. If the merchant accepts the order, then CyberSource submits the payment through the usual credit card-processing channels.

In return for these services, CyberSource charges a one-time setup fee ranging from $800 to $5000, a monthly subscription fee of $95 to $300, and a per-transaction fee of 10 to 50 cents.

According to Klebe, the risk of fraud can never be reduced to zero -- at least not without encumbering I-commerce with a host of awkward, time-consuming, and annoying safeguards.

"If you try to eliminate risk, you eliminate commerce," Klebe told me.

Instead, companies need to balance an acceptable level of fraud risk against their need to offer customers an easy, comfortable buying experience.

"The only way Internet commerce is going to succeed," Klebe said, "is if it's going to be a very automated, seamless process."

Demand for CyberSource's service has been picking up recently due to the swelling of consumer commerce over the Internet. The truth is, although much of the concern about I-commerce security has centered on the risk to the consumer, merchants doing business online are at much greater risk than individual purchasers.

Stealing credit cards from encrypted Internet transactions is like panning for gold -- you might get a few valuable grains after days of hard work, but the amount of worthless sand you have to sift through means it's rarely worth the effort.

By contrast, hacking into credit card databases at the merchant's site is like mining gold from the mother lode. That's why merchants need to guard against intrusions, with firewalls and careful attention to site security.

They also need to ensure that the orders they're taking are legitimate ones. The volume of Internet commerce is still small relative to retail sales overall; this means that organized retail fraud on a large scale is quite unlikely in the near future. But even without organized crime, there's still enough small-scale fraud on the Internet that demands the attention of merchants. As their online businesses grow, the importance of guarding against fraud will only increase.

The catch? You've got to implement these security measures while making it as easy as possible for your customers to spend their money at your site. So how is your company striking the balance between security and ease of use? Write to me at dylan@infoworld.com.


Dylan Tweney has been covering the Internet since 1993. He edits InfoWorld's intranet and Internet-commerce product reviews.


Missed a column?
Don't worry -- just click here to catch up.


Please direct your comments to InfoWorld Electric.

Copyright © 1999 InfoWorld Media Group Inc.

IBM is the proud sponsor of the I-Commerce section on InfoWorld Electric.

| SiteMap | Search | PageOne | Reader/Ad Services |
| Enterprise Careers | Opinions | Test Center | Features |
| Forums | Interviews | InfoWorld Print | InfoQuote |