By Andy Pedersen

Tony Gorjan hasn't survived 20 years in computer retail by shying away from customers. It's a volume business-his success depends on making sales, and lots of them. Every sale that he misses is a loss for his small Montreal company, Central Direct. And with every one that slips by, he loses ground to his competitors.

Yet every month, Gorjan finds himself forced to turn customers away-sometimes as many as 15 or 20 of them-because they have come to him through his Web site. If Gorjan has learned one thing in the five years since he put that site up, it's that when you're selling on the Internet, your customers can be just as dangerous as your competitors.

"The fraud attempts are always there," he says. "When it comes to the Internet, we've had to take a very cautious approach. There are an awful lot of orders that we just don't ship."

No protection

It's the dirty little secret of e-commerce: online vendors have almost no protection from credit card fraud. And since credit card numbers have proven themselves the Net's only viable currency, the opportunities for fraud are legion.

"We're trying to get out in front of this issue before it becomes too much to handle," says Michael Eubanks, vice-president of information technology and e-commerce at the National Retail Council. "The problem isn't that big right now because we're not at mass transactions on the Net yet, but it is growing."

How much credit card fraud is growing-and how much it's costing e-commerce vendors-is difficult to gauge because so few companies are willing to talk about it openly.

Expedia.com, Microsoft Corp.'s travel site, did admit last year that an organized crime ring had successfully purchased nearly U.S. $6 million in airline tickets and hotel reservations using stolen credit card numbers. Also last year, a Russian living in Reno, Nev., was charged with using 63 different credit card numbers to defraud Amazon.com of more than U.S. $70,000 worth of goods.

Other companies-smaller, or privately held ones-are less forthcoming. For one thing, they're worried that any talk about fraud and crime on the Internet will simply scare off honest customers. They're also afraid that speaking up will simply draw the attention of the fraudsters themselves.

"We have a pretty extensive credit-card fraud team that checks orders as they come in, but these are details that we keep pretty close to our chest," says a Radio Shack spokesman. "We don't want all the fraudsters out there reading about our fraud-prevention techniques. They're smart enough already."

An issue of liability

The trouble is, thieves don't actually have to be very smart to commit credit card fraud on the Net. E-commerce, which is supposed to be fast moving and hassle free, doesn't leave the online retailer much time to verify every credit card number. A customer punches in a credit card number and expects the order to be shipped the next day. If the order is not above the board, the online retailer is on the hook for it.

The issue is a matter of liability. A bricks-and-mortar merchant has no liability for credit card fraud. If he sells something-a computer, say-to somebody who's using a stolen credit card, he has nothing to worry about. So long as he saw the card, swiped it or dialed in its number and expiry date, and has a signature from the customer, he will receive his money from the credit card company. A month later, when the legitimate owner of that card gets her bill and complains to the card company that she didn't buy that computer, it's the card issuer that will absorb the loss.

On the Internet, the liability is reversed. Although credit card companies will process transactions in which the vendor hasn't actually seen the card, they won't accept any liability if there's a problem. And people like Gorjan, who accept credit card purchases both online and off, are left wondering about the difference.

"It's definitely a double standard," he says. "We've had cases where people have used stolen cards in our bricks-and-mortar [store], and Visa or Mastercard stand behind any thefts that occur there. In other words, the merchant is not made to suffer."

But on the Internet-where, according to a study last year by Meridien research, 10 per cent of all orders are fraudulent (compared to just one per cent in the real world)-the merchant is made to suffer plenty. Credit card companies say they simply aren't willing to expose themselves to the risks of what they call "cardless" transactions. Online merchants, for their part, say the credit card companies haven't done much to reduce those risks.

Charge back

Darrin Etcovitch-also in Montreal-tries to be as discriminating as Gorjan with his orders. A club DJ by night, Etcovitch supplements his income by selling specialized music recorders-called MiniDisc recorders-through his MiniDisc-Canada Web site. Etcovitch scrutinizes every order he receives. Is it from a customer he knows? Is it from a country that he's shipped to before? Does the shipping address match the address registered to the credit card's holder? Like Gorjan, he refuses to fill orders-even lucrative ones (especially lucrative ones)-if they're the slightest bit suspicious.

But Etcovitch recently learned that even the most rigorous standards can't provide complete protection. He received a relatively small order last fall for a $200 device that lets users plug their MiniDisc recorder into their computer. The bank authorized the credit card number-which means that the card and the expiry date matched, that the card hadn't been reported stolen, and that its limit hadn't been breached.

But the bank's authorization is no guarantee, and since the order had come all the way from Malaysia, Etcovitch decided to do a little checking
himself. He got in touch with the Australian bank that had issued the card number. To his relief, the name and the address given to him matched the name and address that the bank had on file-usually solid assurance that an order is legitimate. He shipped the device.

Two months later, the credit card company came back to him. The cardholder claimed he'd neither ordered nor received anything from Etcovitch. It didn't matter that Etcovitch had proof that he'd shipped the device to Malaysia, and that somebody in Malaysia had signed for it upon delivery. All that mattered was that Etcovitch, like all other e-tailers, had to accept liability for lost and fraudulent orders. The credit card company invoked its rights and hit Etcovitch with two of the most dreaded words in e-commerce: charge back. They charged back the $200 credited to him when the sale went through, and Etcovitch was left without both his product and his money.

It wasn't a big loss; it certainly won't sink Etcovitch. But it was just one of the thousands of small cuts that threatens to bleed e-commerce dry. "I get bitter when I talk about it," he says. "The banks and the credit card companies, they could be doing a lot more to protect us. They say they're working on a new system, but nothing ever comes."

Looking ahead

Fortunately, the card companies actually are working on a new system. They've known for years that they have to change the way they deal with e-commerce before it can truly take off. They even know how they have to change. But Susan MacKeown, the head of Visa's Internet operations in Canada, says that until now, the card companies have been caught in a kind of feedback loop.

"Four years ago, we knew what all the issues were, but at the time the transaction volume was so low that it didn't justify the investment [to address those issues]," she says. "But sales numbers are going up, and the card associations are starting to treat this as a very serious problem."

To solve that problem, the card associations have developed a protocol in which every credit card is assigned a password. Once you've punched in your credit card number on a Web site, you'll automatically be sent to the Web site of the bank that issued the card. There you will be asked to type in your password. The transaction can only continue if you provide the correct password; otherwise, it will be cancelled.

"When we get to that level of identification-where we can truly authenticate a cardholder-we can consider that a fully authenticated transaction, and we can look at whether the rules should change," says MacKeown. In other words, they can look at taking the liability back from e-commerce merchants, and treating them like real-world merchants.

But as seemingly simple as the new protocol is, its use is still far from widespread. It will be put through pilot tests in Canada this summer to iron out the inevitable software problems. Then the software will have to be distributed and installed on all e-commerce sites. And then cardholders will have to be given passwords. "The earliest we'll be able to roll it out is next year," MacKeown says.

When it is rolled out, watch for e-commerce numbers to spike as merchants like Gorjan start pouring more and more effort into their online divisions. "I would be willing to commit a lot more to the development of our site at that stage of the game, to garner more business," he says. But until then, he'll treat it as little more than a novelty. "Now, it's much safer selling through conventional methods to my regular, in-town customers."