Few of the security features designed to prove a credit card's validity in the physical world work well online. One startup aims to change that.
Jumio Inc., which plans to launch its Netswipe product Tuesday, uses a computer's webcam to verify that a shopper is in possession of a legitimate payment card before allowing a transaction to occur. It examines the card's various traits in a video stream to avoid being tricked by a static image of a fake card. And the company plans to adapt its software to recognize government-issued documents, so banks could someday view a photo ID when opening an account online.
Today the most prominent security feature used with card payments online is the card verification value 2 or card validation code 2, a short string of digits typically printed on the back of the card. This code is meant to prove the user is in possession of the card, but the digits can be copied easily by keylogging software.
If fraudsters have infected a user's computer and can steal information as it is typed, then they have enough information to put bogus charges on the user's card. Jumio attempts to improve security by examining the other features that are built into the physical card.
"The idea is to turn the webcam into a credit card reader," says Daniel Mattes, Jumio's founder and chief executive. "We have technology in our image-analyzing servers where we can actually identify if this is a real card or if this is a fake, like a print[out] or something."
Mattes would not go into detail about which features the software examines, though he says that his system does not currently work with prepaid cards because they sometimes lack some of those features. "In the moment, we are focusing on credit cards, but at the very end you could probably identify practically everything."
After the Netswipe software scans the card's image, the user types in the card's CVV2 or CVC2 code with an on-screen keypad. The use of a graphic keypad, instead of the physical keyboard, improves security, Mattes says.
"We actually force the user to use the mouse because, as an additional layer of security, we are also analyzing the mouse movement," he says. A fraudster using software to move the mouse cursor would be caught, he says.
Jumio, founded in mid-2010, is based in Mountain View, Calif., with development offices in Linz, Austria. Its goal for Netswipe is to turn online transactions into card-present transactions.
"The biggest problem for the merchant online is there is a so-called liability shift … you, as a merchant, are responsible for all chargebacks," Mattes says. "We are actually turning online card-not-present transactions into card-present transactions."
The card networks don't yet agree, he says, so transactions handled through Jumio's technology are still card-not-present transactions. However, "with some merchant agreements we take over the liability," Mattes says. "It is possible to get a complete chargeback guarantee from us."
Merchants that use Netswipe can choose to pay 2.75% of the transaction cost to cover all payment costs. They could also choose to handle the payment processing separately and invoke Netswipe's system at a price of 15 cents for each use. In those arrangements, Jumio hosts its software.
Larger merchants that would prefer to host the software themselves would have a different pricing structure based on which features and services they use, Mattes says.
One merchant has tested Netswipe and five others have signed up to use it, Mattes says. (He would not name them.) The six-week test ended about a month ago. Mattes says that without Netswipe, 52% of the merchant's online shoppers typically abandoned their cart before paying. With Netswipe, that figure dropped to 21%. "He actually almost doubled his revenue" during the trial, Mattes says.
The typical merchant incorrectly declined 6% of valid cards. That figure dropped to 0.2% with Netswipe, Mattes says.
By August or September, Jumio plans to add a version for mobile phones that will allow shoppers to present their cards in front of a mobile phone's camera, he says.
Avivah Litan at Gartner Inc. says the true benefit of Jumio's system might not be one it is advertising. "If it's a brand-new system, then the fraudsters haven't heard of it yet," so any bank or merchant that adopts it will be ahead in the arms race, she says.
"The value sounds like a reduced rejection rate, but you can't really tell that from one pilot," Litan says. The reduced churn might be a result of the novelty of the system, and thus might not be sustainable over time, she says.
She questioned whether Netswipe could properly identify government documents, since those items have security features that a webcam can't see, such as ink meant to be visible only to infrared light.
Netswipe's biggest security feature may be unintended, Litan says. Jumio's system does not store a recording of the card of the cardholder, but fraudsters may assume the camera is looking at and recording their faces — and the implication of video surveillance may drive them to look for softer targets.
"Criminals tend to shy away from recordings, if they can," Litan says.