Securing internet payments

Tuesday, 15 March 2011 00:02

By Viraj Mudalige

Over the past few decades internet commerce, or e-commerce, has recorded significant growth as a convenient way of buying and selling goods and services over the internet.

Innovations in Information Communications Technology (ICT) and the advancement of the internet have changed business models and competitive landscapes of many industries across the globe.


Interestingly, the popularity of e-commerce is not restricted to the developed world. Statistics reveal sustained growth of e-commerce in emerging economies as well; for example, China recorded US$ 36.6 billion in internet commerce transactions in 2009.

Consumers engaged in e-commerce use their credit cards to pay e-commerce merchants for goods and services. These payments are known in the industry as ‘Card Not Present (CNP)’ transactions. Unfortunately, CNP transactions have inherent security vulnerabilities due to the remote nature of online transactions.

The main threat lies in verifying the identity of the consumer as the legitimate and authorised cardholder. In Card Present transactions, the consumer must produce a physical credit card to the retailer for payment. The merchant has the opportunity to inspect the physical card for security features, and the consumer must either provide a signature on the sales draft or enter a PIN for identity verification.

However, in the case of CNP transactions, there is no mechanism to verify cardholder identity as the consumer is only required to input credit card details to make a payment.

The exponential growth in the e-commerce industry makes it mandatory to address the threats and vulnerabilities. At present 70 per cent of all fraudulent credit card transactions originate from CNP transactions, incurring substantial costs to the industry and threatening public confidence in using credit cards for online transactions.

This article focuses on how consumers and merchants can harness the opportunities offered by the e-commerce industry and how the local banks and financial institutions should facilitate secure internet commerce transactions to ensure profitability and growth of the industry.

Opportunities for e-commerce in Sri Lanka

Having ended 30 years of conflict, Sri Lanka is undoubtedly on a fast development trajectory with a booming economy. In this era where globalisation has become a central topic, e-commerce plays a vital role as markets and economies are getting more and more integrated. Therefore, Sri Lanka must exploit the vast potential of e-commerce to realise its economic growth.

Local entrepreneurs and merchants have the opportunity to attract new buyers and expand their reach across geographical boundaries via the internet. Similarly, overseas consumers have the opportunity to purchase locally produced goods and services from local merchants.

The tourism industry shows enormous potential for growth and the key stakeholders are keen on expanding facilities and enhancing quality standards to ensure sustainability in terms of profits and growth.

This is an industry which can harness the benefits of the internet and e-commerce to reach out to the world and attract more and more tourists. Foreigners from different parts of the globe can make travel arrangements and reserve hotels and facilities, with online credit card payments making this convenient for everybody.

As the country is expecting a two-fold growth in per capita income over the next couple of years, local consumers too would benefit from e-commerce, where they can look for the best sources of supply over the internet and make online payments to conclude transactions conveniently.

Connecting local exporters to global markets

In order to support the nation’s export-oriented growth, small-time manufacturers and exporters are also invited and encouraged to join the mainstream. A solid technological infrastructure is a prerequisite for the newcomers to become attractive exporters.

Local business entities must be provided with compatible technology platforms to engage in cross-border transactions, where payment over the internet is the preferred means for the majority. Otherwise local exporters will look less attractive to overseas purchasers, who may choose alternatives with superior technological infrastructure.

Readers who examine the country’s business models would endorse the importance of facilitating this segment of exporters in diverse industry sectors, where one-to-one sales have more potential for a country like ours, as mass supplies are dominated by China and India, making competition an uphill battle for others.

Challenges facing local payment card industry

With the existing payment gateway infrastructure, local financial institutions and banks lack the capability to prevent unauthorised transactions and associated frauds. They lack the fraud prevention mechanisms necessary to filter transactions and stop suspicious ones.

Furthermore, most of the internet payment gateways deployed at local banks cannot facilitate payer authentication, which verifies the consumer as the legitimate cardholder prior to processing transactions for authorisation. Timely action is required to correct this situation as e-commerce is expanding faster than conventional transactions. Increasing vulnerabilities further justify urgent corrective measures.

Protecting the global image of our country

Declining the credit card of a foreigner, issued in his or her own country, when he or she attempts to make a payment to a Sri Lankan entity via a local acquirer obviously raises many issues, in addition to the inconvenience caused to the cardholder. It also affects the image of our country as we may lose potential visitors and income.

Any foreigner who is now in Sri Lanka, including the players and the fans of the ongoing ICC Cricket World Cup 2011, would endorse the difficulties they have experienced when attempting to make an e-commerce payment, as local acquirer gateways do not comply with international standards, resulting in the immediate decline of transactions by the card issuer, despite the availability of credit and the social standing of the cardholder. Imagine where we stand when a foreigner staying in Colombo, wanting to reserve a hotel in Kandy or Hambantota via the internet, fails to do so due to the incompatibility of our payment infrastructure with global standards!

Unnecessary burden on law enforcement agencies

Non-compliance with best practices and global standards also results in an increasing number of crimes and frauds being reported. Not being proactive naturally forces law enforcement agencies to be reactive in a digitally connected world where more and more people are engaged in cross-border travel and business.

Sri Lanka cannot be isolated from the flat world. On the other hand, we must not allow the country to be cited forever as a hub for cybercrimes in international watch lists. The amount of resources to be deployed by State agencies in carrying out post event investigations is substantial. Moreover, it disturbs the core services to be provided by such authorities.

The Army Commander recently stated that the country should be ready to combat the next war, citing increasing cyber crimes globally. For those who have to be proactive, it is high time to act.

Steps taken by payment industry

The global payment card industry has jointly developed 3D Secure to facilitate payer authentication for e-commerce transactions. 3D Secure provides an additional layer of security for both cardholders and merchants by adding an authentication step to the transaction lifecycle.

Before requesting transaction authorisation, the acquiring bank, through the card association, contacts the card-issuing bank and asks it to carry out cardholder authentication. At this point the card-issuing bank verifies the identity of the cardholder and forwards its response to the acquirer.

The acquirer can then proceed with transaction authorisation, passing an Electronic Commerce Indicator (ECI) value in the request message to indicate that the cardholder was successfully authenticated. On receiving the request, the card issuer can verify payer authentication via the ECI value and authorise the transaction.
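The two steps described above, modelled as an added example (it is not from the article or from any card scheme's specification). The ECI codes follow Visa's convention; the key, the HMAC stand-in for the issuer's authentication cryptogram, the function names and the decline policy are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Visa-style ECI codes (Mastercard uses 02/01/00 for the same meanings).
ECI_AUTHENTICATED = "05"  # issuer authenticated the cardholder
ECI_ATTEMPTED = "06"      # authentication attempted, issuer or card not enrolled
ECI_NONE = "07"           # no payer authentication performed

ISSUER_KEY = b"constructed-demo-key"  # assumption: secret held only by the issuer
TEST_PAN = "4111111111111111"         # constructed test card number

@dataclass
class AuthRequest:
    pan: str
    amount_cents: int
    eci: str
    auth_value: str = ""  # hypothetical stand-in for the issuer's cryptogram

def _auth_value(pan: str, amount_cents: int) -> str:
    # Binds the proof to this card and amount so it cannot be reused elsewhere.
    msg = f"{pan}|{amount_cents}".encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()

def issuer_authenticate(pan: str, amount_cents: int, cardholder_verified: bool):
    """Step 1: the issuer verifies the cardholder and answers the acquirer."""
    if cardholder_verified:
        return ECI_AUTHENTICATED, _auth_value(pan, amount_cents)
    return None, ""  # authentication failed: the acquirer must not proceed

def issuer_authorise(req: AuthRequest) -> str:
    """Step 2: the issuer checks the ECI, and its own proof, before authorising."""
    if req.eci == ECI_AUTHENTICATED:
        expected = _auth_value(req.pan, req.amount_cents)
        if hmac.compare_digest(expected, req.auth_value):
            return "APPROVE"
        return "DECLINE: ECI claims authentication but proof does not verify"
    if req.eci == ECI_ATTEMPTED:
        return "REVIEW: attempted only"  # assumed policy; issuers set their own
    return "DECLINE: no payer authentication"

if __name__ == "__main__":
    eci, proof = issuer_authenticate(TEST_PAN, 12500, cardholder_verified=True)
    print(issuer_authorise(AuthRequest(TEST_PAN, 12500, eci, proof)))
    # A gateway that cannot perform payer authentication can only send ECI 07.
    print(issuer_authorise(AuthRequest(TEST_PAN, 12500, ECI_NONE)))
```
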

Solutions available

Global payment card associations, as well as Western and European state authorities have made it mandatory to introduce 3D Secure enabled internet payment gateway infrastructure to accept credit card transactions.

Non-availability of such infrastructure adversely affects the local payment card industry as a whole. Firstly, from an acquirer’s perspective, not being able to facilitate payer authentication and provide an ECI value will result in transaction declines by overseas card issuers. That means local acquirers will be unable to take payments from overseas cardholders. Furthermore, any fraudster with stolen card details could initiate and successfully complete payment against an online purchase. From an issuer’s perspective, cardholders are vulnerable as any unauthorised party with their credit card details can initiate and successfully complete transactions. Furthermore, overseas merchants and acquirers may decline locally issued cards as they do not provide the 3D Secure payer authentication facility.

Sri Lanka has world-class local talent to successfully design, develop and implement 3D Secure enabled internet payment gateways at a fraction of the cost of a foreign solution. What we need is consensus and collective action by the key stakeholders other than the public.

(The writer is a Chartered Engineer whose name is synonymous with secure electronic payments, with his deep-rooted and iconic involvement since the inception of the industry in Sri Lanka. Having developed internationally acclaimed software solutions and several national-level ICT implementations, he has been a regular resource person in regional forums on secure electronic payments. He is a member of the Panel of Experts appointed by President Mahinda Rajapaksa on Electronic Payments Policy and Detection of Frauds.)