The heads of companies including Groupon South Africa, Takealot and uAfrica have formed an alliance expressing opposition to a new regulation which forces them and most other e-commerce players in South Africa to use the 3D Secure (verified by Visa and MasterCard SecureCode) fraud detection system.
The e-commerce players, which have come together under the banner of Opposition to Credit Card Fraud Alliance (OCFA), insists that 3D Secure could “inflict irrevocable harm to the local industry”.
The system, developed by Visa with the intention of improving the security of internet payments, has actually been around for a little while, but it’s only recently that South African banks have started insisting that online merchants who have accounts with them actually use it.
They reckon that implementing it will help reduce credit card fraud in the country, especially if everyone is required to use it. At face value it seems like they’re on to something too.
In most current implementations of 3D Secure, the bank prompts the buyer for a password that is known only to the bank and the buyer. Since the seller does not know this password and is not responsible for capturing it, it can be used by the issuing bank as evidence that the person buying goods, from an e-commerce site for instance is indeed their card holder.
But OCFA believes that enforcing the system could see some e-commerce merchants taking a serious dip in sales for a number of reasons, including the fact that 3D Secure doesn’t recognise some credit cards, and also doesn’t work well on mobile, a space where an increasing number of online purchases are taking place.
A massive sales drop
In fact, a number of the websites that Memeburn spoke to in researching the alliances claims reported revenue drop-offs of between 40% and 60% when they implemented the system. “It was just a pain from the start. At UbuntuDeal we had a 50% drop off when people got to the 3D Secure step,” Jess Green told us in reference to the group-buying site he founded which was bought by Bidorbuy in early 2011.
Moreover, the group claims that by enforcing the fraud detection system, the banks would effectively be giving an unfair advantage to international companies.
Jaco Roux, technical director at UAfrica (formerly Jump Shopping and home to the South African e-commerce awards), told us that he knew of very few international sites that require 3D secure and that “local merchants would be significantly disadvantaged” if the banks forced them to use the system.
The alliance points out that some e-commerce outfits would be able to set up bank accounts in countries with banks that don’t require their customers to use 3D Secure (hurting the local economy in the process).
It claims however that a large number of companies, especially startups and other small operators, would no longer be able to compete. "It’s obviously not ideal for something to have such a massive impact, especially on a business that’s just getting off the ground," Green told us.
"The e-commerce space in South Africa is still pretty young and you want it to grow but this isn’t helping."
The banks however insist that 3D Secure is the best solution for tackling online credit card fraud. According to Jacques Celliers, currently the chief executive of FNB Business Banking, making the system compulsory will "further enhance capabilities aimed at protecting cardholders’ data".
"Sufficient time" has passed for everyone to be ready, Celliers, who will take over from current FNB chief executive and avid tweeter Michael Jordaan at the end of 2013, insists that the country’s e-commerce merchants have had more than enough time get ready for the new system: "The solution has been enabled for a number of years now allowing sufficient time for all parties to have their operations aligned and for customers to have become familiar with, both the registration processes that each of their banks offer, as well as the actual online shopping verification processes."
But in a letter addressed to the Payments Association of South Africa (Pasa), which is responsible for managing the various payments systems used in the country OCFA, lists the fact that education around 3D Secure, particularly among the general public, "remains at a very low level" as a barrier to its implementation.
The alliance also doesn’t buy the idea that 3D Secure is the best solution for preventing online fraud. In fact, its members believe that the bigger e-commerce players have already shown that their best chance of success is in building their own products.
That’s something that Green definitely agrees with. "We could have done better without using 3D Secure. There are a number of red flags that the owner of an e-commerce site could easily pick up on their own when it comes to detecting fraud," he said.
OCFA says that its preferred solution would be for them to present their argument to the banks and convince them that rolling out 3D Secure, in its current form at least, isn’t a viable option.
That line is echoed by Groupon South Africa chief executive Daniel Guasco, who told us that his company has “robust internal fraud procedures that protect our customers”.
"With these in place," he said, "we feel we have the time to ensure any industry-wide change is made with best possible outcome for our users, partners and industry. While we agree with measures that further protect our customers these need to be implemented in a timely manner, after robust consultation ensuring user experience is in no way jeopardised and proven both locally and internationally."
"If the banks want to to have something extra, that’s fine but they should sit down with us and discuss what the best solution is," Green added.
That however doesn’t seem likely, especially if they engage with individual banks.
According to Celliers: "While we always listen to suggestions and try assist retailers as much as possible to deal with changes, FNB is unfortunately not in a position to go against industry mandated rules, and take matters that affect the security of card holder data very seriously."
It's also unlikely that the alliance’s suggestion that the banks treat the e-commerce merchants on a case by basis, only enforcing 3D Secure at companies with serious fraud problems, will go through either.
"It is important to note that all companies are vulnerable to fraudulent activities no matter how good their controls are,” Celliers told us.
"At FNB we will always work as hard as possible to ensure that none of our merchants or cardholders are left vulnerable because a part of the value chain is not yet aligned to industry best practice."
If these actions don’t succeed however, OCFA claims that it is willing to go to the competition commission. It would be able to do so, it says, because implementing 3D Secure means that people with Diners Club and American Express cards would, for instance not be verified, "defeating the purpose of implementing 3D secure".
It also notes that FNB’s own PayPal service does not make use of 3D Secure. If the system were implemented therefore, the banking giant could stand to gain a serious advantage in the online payments game.
But it would be down to the commission to declare whether or not that advantage was legitimate. It seems however that the alliance genuinely does not want to have to take matters that far and believes that "some relatively minor changes that can be made that would go a long way to preserving the local industry while still addressing the major issues around credit card fraud." – Memeburn