A Delicate Balance: Privacy, Security, And Convenience

Tempted by free shipping and a $20 coupon, Laura Ward, age 24, bought a sweater coat from Jcrew.com this fall. No big deal-she's bought over the Internet before. She'd probably do it more frequently, but the very same precautions designed to make her feel safe during the checkout process only magnify her fears about credit-card theft.

"It was such a pain," she says. "It was just page after page of confirmation and security." As a trusted brand, J. Crew Group Inc. has an advantage over its smaller competitors when it comes to shoppers like Ward: "Most sites have a lot of steps at checkout. They give you warnings--'This is secure, this is our guarantee.' But if it's a site I didn't know very well, I wouldn't necessarily give them my credit card."

In the end, the system worked: Ward made a purchase, her credit card was protected, and she'll return to the site to buy again. Probably not without another coupon or free shipping promotion, but that's another story. Such is life for online retailers.

Besides the specials to attract finicky shoppers, E-retailers have to assuage consumer fears that buying from them with a credit card is tantamount to handing it over to a cybercrook. Half of the people who go online to browse, but not buy, say they don't proceed to checkout because of concerns about credit-card security, the No. 1 reason, according to a Jupiter Media Metrix survey of 671 people. Experience does little to erase those doubts. For shoppers who have been buying online for a year or less, the figure remains nearly unchanged; one-third of those who have shopped online for five years cite security concerns as inhibiting them from buying more.

Not that credit-card companies aren't trying. They have their own interests in mind. Online fraud is 30 times higher than in stores, where cards must be physically present to conduct a transaction. It's a logistical hurdle that no amount of passwords can solve. But that's the strategy pursued by Visa U.S.A., which in early December unveiled a new service that it says adds greater online security to credit- and debit-card payments.

With Verified by Visa, card-issuing banks can validate a cardholder's identity via a password during an online checkout. Consumers register with the bank that gave them the card or through Visa; no special software is required. Then they shop as they would normally. When they make a purchase, they enter their Visa password.

MasterCard International Inc. has a similar program, dubbed secure payment application. But consumers aren't using it yet. For now MasterCard is working with security software makers Arcot Systems, the Brodia Group, Orbiscom, Trintech, and others to incorporate the application.

MasterCard plans to first deploy the secure payment application through server-based E-wallets, which automatically fill out order forms of online merchants. The new feature will create a unique cardholder authentication value for each transaction that can be verified by the issuer during payment authorization. Merchants are responsible for collecting and passing along this cardholder authentication value, and including it with other payment information, when it's authorized.

To consumers, though, the added layers of protection only get confusing. "A secure Web site doesn't mean anything to me when I don't know how they secure it," says Katie Smetak, 23, who buys on the Web about three times a year. "I'd have to do more research to figure out how they do it before I'd do more shopping online. I always read to make sure it says it's a secure site and there's protection, I'm just unsure of people getting around that."

Uninformed consumers miss another important fact: Many of them aren't liable for fraudulent online purchases with their credit cards. The government sets consumer liability at $50; Visa cardholders pay nothing under a policy that went into effect in August 1997 for unauthorized card use either online or off.

And flashing the plastic online can occasionally have hidden benefits. When Heather Whitby, 28, got into a spat last March with Priceline.com Inc. over the charge for a Miami hotel room, she called her credit-card company, Chase Visa, to complain. "It was convenient because they advised me of what steps to take next," says Whitby, who called the Better Business Bureau in Connecticut, where Priceline is located, and the Federal Trade Commission. "Chase was willing to pursue it by sending a letter to Priceline saying I had contested the purchase." In the end, she got her money back.

More than 90% of online business-to-consumer transactions are conducted via credit and debit cards, with most of the rest controlled by online-payment service PayPal Inc. Its fraud rate for the nine months ended Sept. 30 was 0.42% of its total payment volume, better than the industry average and "a very manageable level," says CEO Peter Thiel. He says the company has struck the right balance between security, convenience, and privacy. In fact, he argues, the nature of his business-sending money directly between people-is going to have a higher fraud rate than other online transactions "Precisely what makes PayPal attractive to consumers also makes it attractive to some bad people," he says. "If you're someone who's trying to steal money online and you have someone's stolen credit card, would you go to a service where you can use a credit card and get cash out or would you go to where you could buy a good that you'd then presumably have to resell? That's the trade-off."