Chairman Stearns, Ranking Minority
Member Towns, and Members of the Subcommittee, my name is Mark MacCarthy, and I
am Senior Vice President for Public Policy for Visa U.S.A. Inc. Thank you for
the invitation to participate in this hearing on Online Fraud.
The Visa Payment System is a
membership organization comprised of 21,000 financial institutions licensed to
use the Visa service marks. It is the
largest consumer payment system in the world.
Over 1 billion Visa-branded cards are accepted at over 20 million
locations worldwide. Consumers use
their Visa cards to buy over $1.8 trillion in goods and services
worldwide. Visa U.S.A., which is part
of the Visa Payment System, is comprised of 14,000 U.S. financial
institutions. U.S. customers carry
about 350 million Visa-branded cards and use them to buy over $800 billion
worth of goods and services annually.
Electronic commerce is vital to the
U.S. economy and to the prospects for our continued economic growth. The size of electronic commerce is difficult
to measure and there are gaps of tens of billions of dollars in estimates
between different consulting groups.
There is no doubt that electronic commerce is a large, growing and
permanent new channel for the sale of goods and services to consumers. The Department of Commerce estimates, for
example, that online retail sales grew from less than $5.2 billion in the
fourth quarter of 1999 to almost $8.7 billion in the same quarter one year
later. Sales projections for the
electronic commerce market range from $35 billion to $76 billion by the year
2002. By any measure, this counts as
explosive growth.
Visa
is the leading consumer electronic commerce payment system in the world. Payment cards now account for some 95
percent of online consumer transactions and Visa accounts for 53 percent of the
payment card portion. We expect 10
percent of Visa’s overall transaction volume to come from Internet purchases by
2003, up from 2 percent today.
There are some who suggest that online
commerce is lagging because people are afraid to shop online. But increasing numbers of people are
shopping online, and we expect that comfort levels will grow, as more people
become familiar with this new channel of commerce. This is certainly what happened with mail order and catalog and
telephone order transactions in the past.
In
our view, consumers should continue to feel comfortable using their Visa
payment cards to shop online.
Fraudulent use of Visa payment cards is at an all-time low. Fraud as a percentage of our total volume
has declined over time. In the late
1980s, fraud accounted for about 0.20 percent of total Visa card volume; in the
early 1990s, it was about 0.15 percent; today it's a mere 0.07 percent.
Visa
has taken steps to promote consumer confidence in this new channel of
commerce. These steps include:
· A zero liability policy for unauthorized use of our payment cards.
· Guidance for consumers shopping online.
· A range of programs designed to help Internet merchants reduce the risk of unauthorized card use.
· A tough new security program that went into effect on May 1, 2001 to protect cardholder data housed in web merchant databases.
· An effective system for resolving consumer disputes with online merchants through our chargeback procedures.
· Steps to insure online privacy protections for electronic shoppers.
ZERO LIABILITY
Under Federal regulations, credit card
issuers are required to limit liability for unauthorized use of credit cards to
$50. Visa has chosen to go beyond this
requirement to ensure that cardholders are fully protected against any monetary
losses due to fraudulent use of their payment cards.
In
April 2000, a new Visa operating regulation went into effect that eliminates
consumer liability in cases of unauthorized use of Visa payment cards. This zero liability policy covers the use of
all Visa consumer card products -- including debit and credit cards. As a result of this new policy, a consumer
will not be held liable for unauthorized use of any Visa consumer payment
card.
This zero liability policy applies to
online transactions as well as offline transactions. Customers are protected online in exactly the same way as when
they are using their cards at a store, ordering from a catalog by mail, or
placing an order over the phone. In
case of a problem, Visa provides 100 percent protection against unauthorized
card use, theft, or loss. If someone
steals a payment card number from one of our cardholders while the cardholder
is shopping, online or offline, our customers are fully protected -- they pay
nothing for the thief’s fraudulent activity.
We took this step in part to make
sure that our cardholders know that it is safe to shop online, despite all of
the recent attention to Internet security.
Although card fraud numbers are very small, Visa's zero liability policy
takes away the risk of unauthorized use that cardholders face when shopping online.
FRAUD CONTROL PROGRAMS
One type of fraud occurs when someone uses a cardholder’s
account number to engage in an unauthorized transaction online. For example, a person may steal a consumer’s
credit card number and use it to order merchandise online. The theft might occur in a variety of
ways -- for example, by breaking into a
merchant’s database that contains consumer account numbers, or by intercepting
a consumer’s credit card billing statement sent to the consumer’s home.
It is important to keep in mind that account information
can be stolen offline, and then used to engage in an unauthorized transaction
online. The fact that unauthorized transactions
take place on the Internet does not mean that the Internet itself is a risky
place for consumers to shop. If the
thief has obtained a card account number, but does not actually have the card,
it is only natural for him to use this account information in a channel of
commerce, such as the Internet or mail order and telephone order, in which the
card does not have to be present in order for the transaction to take
place. For this reason, mail order and
telephone order and Internet transactions show a higher incidence of
unauthorized use. The fraud rate for
all Visa transactions is about 0.07 percent.
For card-not-present transactions it is 0.15 percent. This, of course, does not mean that it is
more risky for consumers to use these channels of commerce. It simply means that those who gain
unauthorized access to card information are more likely to try to use that
information to engage in fraud in a card-not-present environment.
It is in the interests of Visa,
consumers, merchants, and Visa’s members to prevent fraud. Fraud prevention protects merchants from
absorbing the costs of fraud and protects consumers from the higher prices that
they would have to pay in order to cover fraud losses. Fraud prevention further protects consumers
from the trouble of having to exercise their rights in connection with
unauthorized transactions. For these
and other reasons, preventing fraud involving Visa credit and debit cards is a
top priority for Visa and its members.
Fraud prevention also is essential to protecting the integrity of the
Visa brand and maintaining the confidence of consumers and merchants that use
the Visa system. Through significant
investments in technology, cooperative efforts between Visa, its members, and
law enforcement agencies, and a wide variety of educational initiatives, the
incidence of Visa-system fraud in recent years is at an all-time low, even as
the volume of Visa card transactions has grown dramatically.
Visa and its member financial
institutions have developed a varied arsenal of fraud control programs that
help merchants reduce the incidence of unauthorized use of Visa payment
cards. These programs are especially
important in addressing fraud in a card-not-present environment like the
Internet. These include the Address
Verification Service, Cardholder Risk Identification Service, an Exception
File, Card Verification Value, and a new pilot program for Payer
Authentication.
· The Address Verification Service is a fraud prevention system that allows merchants to verify automatically that a shipping address provided by a cardholder at the time of purchase matches the cardholder’s billing address and other information.  This service helps merchants minimize the risk that they will accept fraudulent orders from persons using stolen cardholder information.
· Visa’s Cardholder Risk Identification Service (“CRIS”) is a transaction scoring and reporting service that employs advanced neural network technologies to develop artificial intelligence risk-scoring models that help identify fraudulent transaction patterns.  Issuers can use CRIS as a stand-alone fraud detection system or together with their own internal fraud detection methods.
· Visa’s Exception File is a worldwide database of account numbers of lost/stolen cards or other cards that issuers have designated for confiscation, referral to issuers, or other special handling.  All transactions routed to Visa’s processing system have their account numbers checked against the Exception File.
· The Card Verification Value (CVV) is not printed on the card itself, but can be found on the card’s signature strip on the back of the card.  These codes help merchants confirm that cardholders are in possession of the actual card.  Online merchants and other merchants in situations where the card is not present at the merchant’s premises during the transaction can verify that their customers have the actual card in their possession by requesting the customer to provide the CVV from the signature strip.
· Visa’s Payer Authentication service is currently a pilot program.  This service will enable issuers to confirm a cardholder’s identity to the merchant during the virtual (on-line) checkout process.  This process will be accomplished using a password that the cardholder registers with his or her issuer.  The process will help reduce fraud by enabling merchants to confirm the cardholder’s identity at the time of purchase.
GUIDANCE FOR CONSUMERS SHOPPING ONLINE
Visa
provides consumers with information on how to protect their cardholder
information online. Visa’s website, for
example, provides an Internet Shopping Guide for consumers, with suggestions
for how consumers can shop safely on the Internet. Some of these suggestions are:
· Shop with merchants you know and trust and visit Better Business Bureau Online if you have questions about a particular merchant.
· Look for signs of security.  Symbols like an unbroken lock or key, a URL that begins https://, or the words Secure Sockets Layer (SSL) mean that no one but you and the merchant can view your payment information.
· Never send payment information via e-mail.  Information that travels over the Internet (like e-mail) is not fully protected from being read by outside parties.
· Shop with reputable merchant sites that use encryption technologies that will protect your private data from being read by others as you conduct an online transaction.  When you pay online, make sure that you are using a secure browser.
· Make a point of reading a merchant’s privacy policy to find out what type of information is captured and how it is used.
SECURITY REQUIREMENTS FOR CARDHOLDER DATA
Some consumers express
concern that the account information they provide to merchants during online
transactions might be subject to unauthorized access after the transaction is
complete. The account information might
be transmitted to web merchants in a secure fashion, but not maintained
securely in the web merchant’s database.
Reports of intrusion by hackers into web merchant databases have
increased this concern. It should be
noted, however, that the security of merchant databases of account numbers is
not related to whether a transaction is conducted over the Internet, rather it
is related to the accessibility of the database from the Internet.
To address this concern about
unauthorized access to merchant databases, Visa has developed new security
requirements for cardholder data. These
requirements apply to any entity holding card data -- including web merchants,
gateways and Internet service providers.
These requirements prescribe how these companies should store, encrypt
and grant access to cardholder data.
For example, they require Internet merchants to install firewalls, to
keep security systems up-to-date, to encrypt stored data, and to use anti-virus
software, among other things. These
requirements became effective May 1, 2001.
Visa offers assistance to Internet
merchants that accept Visa cards in meeting these requirements for safeguarding
their customers’ payment card data. We
provide merchants with training sessions, interactive reviews, compliance and
monitoring consultation and information on third-party firms specializing in
testing and compliance.
The new program requires the top 100
e-commerce merchants -- who account for 70 percent of Internet commerce in the
Visa system -- to have their online security procedures validated by an outside
accounting or Internet security firm.
Other online retailers will be subject to random security reviews by
Visa.
The twelve requirements of the new
security program are:
1. Install and maintain a working network firewall to protect data accessible via the Internet.
2. Keep security patches up-to-date.
3. Encrypt stored data.
4. Encrypt data sent across open networks.
5. Use and regularly update anti-virus software.
6. Restrict access to data by business “need-to-know.”
7. Assign a unique ID to each person with computer access to data.
8. Do not use vendor-supplied defaults for system passwords and other security parameters.
9. Track access to data by a unique ID.
10. Regularly test security systems and processes.
11. Maintain a policy that addresses information security for employees and contractors.
12. Restrict physical access to cardholder information.
DISPUTE RESOLUTION
Visa has an
effective way of resolving consumer disputes with online merchants through our
chargeback system. Chargebacks are
contractual ways of resolving transaction disputes involving payment cards
between the Visa banks that serve cardholders (the issuers) and the Visa banks
that serve merchants (the acquirers). A
chargeback is the return of a transaction from the issuer to the acquirer. Our chargeback system can resolve
transaction disputes, even if the merchant and the consumer are geographically
dispersed. As a result, Visa’s
chargeback process provides practical and effective consumer protections for
electronic commerce transactions.
Most chargebacks in the Visa system are for housekeeping
reasons. In a system that handles 25.5
billion transactions a year, mistakes are bound to occur. These can include double billing, no
billing, incorrectly entered amounts, failure to provide requested copies of
transactions, mismatches among accounts and so forth. These errors constitute the vast majority of
chargebacks.
In
addition to these housekeeping chargebacks, there are chargebacks involving
consumer complaints. The three most
common categories of Internet consumer complaints handled in our chargeback
system can be described by the phrases: “I didn’t do it,” “I didn’t get it” and
“I don’t want it.” Visa rules with
respect to these complaints are designed to protect cardholders. Cardholders do not have to pay if they did
not make the purchase, if they did not get what they ordered or if it was not
what they ordered.
The “I didn’t do it” dispute relates
to situations where the cardholder claims that the transaction was processed
without the cardholder’s permission.
This is the most common category of Internet disputes. It covers fraud, but it also covers
situations where the cardholder does not recognize the charge as it appears on
the monthly bill. Confusion often can
arise when the merchant uses a different billing name or address than the
expected trade name. About 50-60
percent of these disputes are resolved by giving the cardholder additional
information about the charge.
The
“I didn’t get it” category of consumer complaint covers untimely receipt or
non-receipt for goods. This dispute
involves situations where a cardholder claims that he or she did not receive
ordered merchandise at the agreed-upon location or by the agreed delivery date. An issuer can charge back a transaction on
the cardholder’s behalf if the cardholder sends a letter to the issuer
supporting his or her claim. Proof of shipment by the merchant is
irrelevant; the Visa member acquiring the transaction can only counter the
chargeback on the merchant’s behalf by providing proof of delivery, signed by
the cardholder or another authorized person.
The “I don’t want it” category of
Internet disputes includes “quality” disputes, such as when merchandise is
received broken, not as ordered (e.g.,
wrong color or size) or not as described.
It is the most difficult type of dispute to deal with because value
judgments are involved.
Only a tiny
percentage of all Visa transactions are charged back, about 0.07 percent or 7
for every 10,000 transactions.
Chargebacks for Internet transactions also are a small portion of all
Internet transactions. Even though
chargebacks are rare occurrences, they are more common for Internet
transactions than for other types of transactions. However, it is difficult for us to say how much more common. Merchants are supposed to report their
Internet transactions to the Visa system using an E-commerce code. Not every merchant that operates both in the
Internet and the ‘real’ world -- the so-called ‘bricks and clicks’ merchants --
reports and breaks down their sales by channel.
So the statistics available are not as comprehensive as we would
like. That being said, the Visa
chargeback rate for Internet transactions is estimated to be about 0.5
percent. Put another way, only about 50
out of every 10,000 electronic commerce transactions are charged back.
There are a number of reasons for this. The Internet is a new channel, much the way
mail order and telephone order transactions were new a decade ago. Not all merchants have developed the back
office and customer service facilities that consumers have come to expect, and
those consumers use the Visa chargeback system to help them resolve their
problems with merchants.
In addition, the Internet is a channel of
commerce, in which, like mail order and telephone order, the card is not
presented to the merchant when the transaction takes place. This naturally creates greater opportunity
for unauthorized use of card account information. In this regard it is useful to note that chargebacks for mail
order and telephone order transactions are 0.39 percent, or 39 per 10,000
transactions. The fact that there is
greater use of chargebacks for payment cards used on the Internet or through
mail order or telephone order does not mean that these channels of commerce are
inherently more risky for consumers.
Other factors contribute to the higher
chargeback rate for Internet transactions.
Cardholders are doing business with unfamiliar merchants, or with
individuals at auction sites. In some
cases, these merchants or individuals are unscrupulous. In other cases, cardholders deny valid
charges. In addition, digital goods
present some special difficulties. Some
digital good subscriptions require the use of a payment card account number for
access and this sometimes results in customer confusion on the nature of the
subscription terms and payments. Buying
and delivering digital goods like software and music can be difficult on the
Internet. For example, the Internet
connection may be lost during long downloads.
Or a cardholder might repeatedly hit the buy button on a site when the
link does not respond quickly.
The Visa chargeback system operates in
compliance with federal laws that provide a number of important consumer
protections. The Truth in Lending Act,
implemented through Regulation Z, gives cardholders various rights regarding
billing error resolutions. And it
allows the cardholder to assert claims and defenses against the card
issuer. The Electronic Funds Transfer
Act, implemented under Regulation E, applies to debit cards and also contains
error resolution procedures. These
legal protections apply to online transactions as well as to face-to-face
transactions.
These legal protections are just the start
of the consumer’s protection. There are
more protections that are provided voluntarily by competing payment
systems. And there can be even more
protections provided within systems, bank-by-bank, to meet the needs of
cardholders. The payment card business
is intensely competitive, with all competitors seeking to gain the business and
loyalty of cardholders. Banks are
extremely interested in having satisfied customers, as are merchants. Each will do what they can to continue
customer relationships. In fact, a
joint venture system, like Visa, enhances competition generally because it
provides for bank-to-bank competition as well as system competition.
Visa also works with cardholders,
merchants, consumer groups and seal programs to avoid consumer disputes in the
first place. One important relationship
we have established is with the online subsidiary of the Better Business
Bureau, BBB Online. BBB Online has
developed a comprehensive Code of Online Business Practices and a first-rate
Reliability Trustmark Program. The code
outlines the responsibilities of online merchants in five key areas: truthful
and accurate communications, disclosure of policies, information practices and
security, customer satisfaction and protecting children. Their Reliability Trustmark Program is one
of the most significant trustmark programs on the web, providing more than
8,800 websites with a seal to signify to potential customers the merchant’s
commitment to good customer practices.
The seal provides consumers navigating the electronic marketplace with a
reassuring sign from a well-regarded and well-known organization, the Better
Business Bureau.
On November 14, 2000, Visa joined forces
with BBB and agreed to promote its Code of Online Business Practices and its
Reliability Trustmark Program. This
includes a consumer advertising and a consumer education campaign. Many websites that provide excellent
customer service and protections are not part of the BBB Online program. But online consumers can be confident that
online sites displaying the BBB Online reliability seal have the highest level
of consumer protection.
Visa also maintains a
chargeback-monitoring program. This
program monitors a merchant’s chargeback rate.
If this rate exceeds certain levels, Visa asks the merchant’s bank to
ensure that the merchant takes steps to correct the problem. Usually, the problem is technical and is
fixed immediately. In cases where the
chargeback rate does not decline, Visa has a process of assessing fines. A merchant that does not correct a
persistent chargeback problem can ultimately be denied the right to accept Visa
payment cards for goods and services.
PRIVACY PROTECTIONS
Visa has taken steps to ensure that
privacy notices are provided by merchants who accept Visa payment cards to
consumers who shop online. Violation of
consumer privacy expectations on the Internet is simply bad business, and
consumers are right to be upset about the unwanted dissemination of information
about their online activities. To
respond to privacy concerns, in October 2000, the Visa International Board
adopted new consumer protection policies that set global disclosure standards
for web merchants. The new policies
require web merchants that accept Visa cards to display prominently on their
websites the merchant’s privacy policy and online security capabilities. These requirements become effective on June
1, 2001.
Merchant
banks must update their merchant agreements to include these requirements no
later than January 1, 2002. Banks may
satisfy this requirement by mailing a disclosure addendum to each of their
electronic commerce merchants. Many
electronic commerce merchants already disclose this information. However, Visa and its member banks provide
guidance to electronic commerce merchants that need assistance in meeting the
privacy policy requirement. For
instance, we encourage merchants to use the Privacy Policy Statement Generator
developed by the Organization for Economic Co-operation and Development.
Visa
also has taken other steps to help consumers protect their privacy online. Our website contains an extensive consumer
guide to online privacy protection. In
addition, we participate in pro-privacy industry organizations such as the
Privacy Leadership Initiative, a group
of major corporations and associations, dedicated to promoting privacy on the
part of U.S. business and educating consumers about ways in which they can
protect their privacy.
Finally,
Visa has provided extensive legal and regulatory guidance to our member banks
to ensure that the mandated online and offline privacy protections of the
Financial Modernization Act of 1999 are fully implemented. Financial institutions must be in compliance
with the privacy provisions of this law by July 1, 2001. These rules generally require financial
institutions to disclose their privacy policies at least annually and to
provide their customers with the opportunity to opt-out of certain information
sharing practices with third parties.
These Federal privacy rules apply to information collected on websites
in connection with providing a financial product or service. Financial services websites now must comply
with notice and opt-out requirements.
Visa
appreciates the opportunity to appear before you today. We believe that our payment system
represents a reliable and secure means of conducting online transactions in
which the rights of consumers are well protected. Visa will continue to adapt to new technologies and
practices. Combating fraud and
maintaining information security are top priorities of Visa and its member
financial institutions.
I will be happy to answer any questions that you may have.