A major storm looks set to rock the South African online scene as some of the country’s largest ecommerce players square up against its biggest banking powers over online fraud detection.
The heads of companies including Groupon South Africa, Takealot and uAfrica have formed an alliance expressing opposition to a new regulation which forces them and most other ecommerce players in South Africa to use the 3D Secure (Verified by Visa and MasterCard SecureCode) fraud detection system.
The ecommerce players, which have come together under the banner of Opposition to Credit Card Fraud Alliance (OCFA), insists that 3D Secure could “inflict irrevocable harm to the local industry”.
The system, developed by Visa with the intention of improving the security of internet payments, has actually been around for a little while, but it’s only recently that South African banks have started insisting that online merchants who have accounts with them actually use it. They reckon that implementing it will help reduce credit card fraud in the country, especially if everyone is required to use it.
At face value it seems like they’re on to something too. In most current implementations of 3D Secure, the bank prompts the buyer for a password that is known only to the bank and the buyer. Since the seller does not know this password and is not responsible for capturing it, it can be used by the issuing bank as evidence that the person buying goods, from an ecommerce site for instance is indeed their card holder.
But OCFA believes that enforcing the system could see some ecommerce merchants taking a serious dip in sales for a number of reasons, including the fact that 3D Secure doesn’t recognise some credit cards, and also doesn’t work well on mobile, a space where an increasing number of online purchases are taking place.
A massive sales drop
In fact, a number of the websites that Memeburn spoke to in researching the alliances claims reported revenue drop-offs of between 40 and 60 percent when they implemented the system.
“It was just a pain from the start. At UbuntuDeal we had a 50% drop off when people got to the 3D Secure step,” Jess Green told us in reference to the group-buying site he founded which was bought by Bidorbuy in early 2011.
Moreover, the group claims that by enforcing the fraud detection system, the banks would effectively be giving an unfair advantage to international companies. Jaco Roux, technical director at UAfrica (formerly Jump Shopping and home to the South African ecommerce awards), told us that he knew of very few international sites that require 3D secure and that “local merchants would be significantly disadvantaged” if the banks forced them to use the system.
The alliance points out that some ecommerce outfits would be able to set up bank accounts in countries with banks that don’t require their customers to use 3D Secure (hurting the local economy in the process). It claims however that a large number of companies, especially startups and other small operators, would no longer be able to compete.
“It’s obviously not ideal for something to have such a massive impact, especially on a business that’s just getting off the ground,” Green told us. “The ecommerce space in South Africa is still pretty young and you want it to grow but this isn’t helping”.
The banks however insist that 3D Secure is the best solution for tackling online credit card fraud. According to Jacques Celliers, currently the CEO of FNB Business Banking, making the system compulsory will “further enhance capabilities aimed at protecting cardholders’ data”.
‘Sufficient time’ has passed for everyone to be ready
Celliers, who will take over from current FNB CEO and avid tweeter Michael Jordaan at the end of 2013, insists that the country’s ecommerce merchants have had more than enough time get ready for the new system:
“The solution has been enabled for a number of years now allowing sufficient time for all parties to have their operations aligned and for customers to have become familiar with, both the registration processes that each of their banks offer, as well as the actual online shopping verification processes”.
But in a letter addressed to the Payments Association of South Africa (PASA), which is responsible for managing the various payments systems used in the country OCFA, lists the fact that education around 3D Secure, particularly among the general public, “remains at a very low level” as a barrier to its implementation.
The alliance also doesn’t buy the idea that 3D Secure is the best solution for preventing online fraud. In fact, its members believe that the bigger ecommerce players have already shown that their best chance of success is in building their own products.
That’s something that Green definitely agrees with. “We could have done better without using 3D Secure. There are a number of red flags that the owner of an ecommerce site could easily pick up on their own when it comes to detecting fraud,” he said.
OCFA says that its preferred solution would be for them to present their argument to the banks and convince them that rolling out 3D Secure, in its current form at least, isn’t a viable option.
That line is echoed by Groupon South Africa CEO Daniel Guasco, who told us that his company has “robust internal fraud procedures that protect our customers”.
“With these in place”, he said, “we feel we have the time to ensure any industry-wide change is made with best possible outcome for our users, partners and industry. While we agree with measures that further protect our customers these need to be implemented in a timely manner, after robust consultation ensuring user experience is in no way jeopardised and proven both locally and internationally”.
“If the banks want to to have something extra, that’s fine but they should sit down with us and discuss what the best solution is,” Green added.
That however doesn’t seem likely, especially if they engage with individual banks.
According to Celliers:
“While we always listen to suggestions and try assist retailers as much as possible to deal with changes, FNB is unfortunately not in a position to go against industry mandated rules, and take matters that affect the security of card holder data very seriously”.
It’s also unlikely that the alliance’s suggestion that the banks treat the ecommerce merchants on a case by basis, only enforcing 3D Secure at companies with serious fraud problems, will go through either.
“It is important to note that all companies are vulnerable to fraudulent activities no matter how good their controls are,” Celliers told us. “At FNB we will always work as hard as possible to ensure that none of our merchants or cardholders are left vulnerable because a part of the value chain is not yet aligned to industry best practice.”
If these actions don’t succeed however, OCFA claims that it is willing to go to the competition commission. It would be able to do so, it says, because implementing 3D Secure means that people with Diners Club and American Express cards would, for instance not be verified, “defeating the purpose of implementing 3D secure”. It also notes that FNB’s own PayPal service does not make use of 3D Secure. If the system were implemented therefore, the banking giant could stand to gain a serious advantage in the online payments game. But it would be down to the commission to declare whether or not that advantage was legitimate.
It seems however that the alliance genuinely does not want to have to take matters that far and believes that “some relatively minor changes that can be made that would go a long way to preserving the local industry while still addressing the major issues around credit card fraud”.
The letter, sent out today, follows below:
5th August 2013
OCFA (Opposition to Credit Card Fraud Alliance)
Payments Association of South Africa (PASA)
Re: Industry Opposition to Compulsory use of 3D Secure for all online credit card transactions
As stakeholders in the South African eCommerce industry, the Opposition to Credit Card Fraud Alliance (OCFA), has the best interests of the local industry at heart. This includes improving the perception of transacting online amongst consumers, the growth and development of the industry as well as the prevention of fraud.
As such we would like to express our serious concern over the proposed blanket requirement for all merchants using South African acquiring banks to have 3D Secure (Verified by Visa and MasterCard SecureCode) imposed upon their customers for every online credit card transaction.
While we support any measures aimed at reducing online fraud, this cannot be at the expense of inflicting irrevocable harm to the local industry, which we believe will be the case if 3D Secure is imposed across all transactions in its current form. The reasons for our concern include:
- There are still a large number of credit cards that technically cannot enroll for 3D Secure. As an example corporate cards do not have this requirement.
- Education by the general public of 3D Secure remains at a very low level.
- In general, the user experience when signing up and transacting through the web interfaces for 3D Secure is poor.
- 3D Secure is not able to differentiate between auth and settle. Online auction companies and group buying websites do not settle all payments as either the tipping point or the minimum bid is not achieved. In both cases these types of businesses would not be able to function should 3D Secure be mandated.
- Existing merchants that have turned on 3D Secure in a blanket fashion have experienced a significant drop off in the number of successful transactions.
- Not all card associations implement 3D Secure e.g. American Express and Diners Club transactions would not be verified.
- Many local merchants have invested heavily in their own in-house fraud detection systems, which are more efficient and effective than 3D Secure.
- eCommerce companies are seeing increased usage in mobile devices on which 3D Secure does not work seamlessly across mobile applications.
- If a blanket use of 3D Secure is enforced in its current form, it is likely to result in some of the larger local merchants moving their acquiring services to International banks that do not have this requirement thereby harming the local economy and industry overall.
- For those local merchants that do not move their business internationally, they will be prejudiced as International merchants will have an unfair advantage by not requiring their customers to make use of 3D Secure.
We welcome the opportunity to engage with the relevant industry bodies and banks to discuss this matter further. We believe there are some relatively minor changes that can be made that would go a long way to preserving the local industry while still addressing the major issues around credit card fraud.
Please direct all correspondence for the OCFA to email@example.com
Members of OCFA
CEOGroupon South Africa
Managing Director Yuppiechef.com
Country Manager South Africa Travelstart.co.za
Carey van Vlaanderen
CEO 4D Innovations Group (Pty) Ltd t/a ESET Southern Africa
Silicon Cape Siliconcape.com
Managing Director Associated Media Publishing
Managing Director Webtickets.co.za
Managing Director Citymob.co.za
Managing Director Methys Group
Managing Director Powertime.co.za
Managing Director Runwaysale.co.za
Founding Partner Silvertree Capital