E-commerce in France continues to grow, in step with, but still lagging behind, the English and German markets, which gives the French market the highest e-commerce growth rate in Europe. According to Fevad, sales growth in 2012 reached 19%, driven in particular by the explosion of m-commerce, which now represents 6% of total sales (2% in 2011). With a post-purchase satisfaction rate of 98%, e-commerce in France has now reached maturity and has definitely become part of French people's daily life.
This idyllic observation contrasts sharply with the negative evolution of the Internet fraud rate. According to the Payment Card Security Observatory, the rate has been rising steadily since 2007, reaching a record high of 0.34%, with no sign of a trend reversal.
Thus, total Internet payments represent only 8.4% of the value of national transactions, but already 61% of the amount of payment card fraud (253 million out of 413 million euros). This figure is all the more worrying since the French online payment market still has very strong growth potential. By way of comparison, the size of the UK market is double that of the French market.
It is as if a boulevard were opening up to fraudsters, all the more so as the French e-commerce ecosystem as a whole does not seem to have the will to narrow it.
How did we get to this point and what are the solutions?
Main cause of fraud: usurpation of card numbers
It's no secret that the main source of Internet fraud is the theft of credit card numbers.
According to the Card Security Observatory, this cause already accounted for nearly 63% of all fraud in 2010, far ahead of stolen or counterfeit cards. It is therefore obvious to everyone that these numbers are not sufficiently secure, and that it remains relatively simple to usurp them. The bank card was not originally designed to be used for remote purchases. This results in obvious security holes.
Apart from what is stored in the chip, all of the card's identifiers are in clear text, including the famous visual cryptogram, which is valid for two years. Are the various players in the e-commerce market aware of this reality? The answer is yes. In fact, a series of security solutions has been designed since the mid-2000s to address this issue, starting with e-Carte Bleue and 3D Secure. Designed by the major bank card operators and implemented in Europe as early as 2008, they aim to introduce a second phase of authentication through the generation of a single-use code. In addition, the PCI DSS security standard, which brings together a set of best practices, is now mandatory for all e-merchants. Other security technologies can also be implemented on merchant sites, such as the already widespread SSL certificates, CAPTCHA systems or certified emails.
The anti-fraud solutions implemented: a finding of failure
Has the implementation in France of these various anti-fraud security solutions been successful? The answer is clearly no.
The failure of 3D Secure in our country is obvious. Now in its second version, this security system, although effective, has never managed to establish itself. It is true that 40% of e-merchants use it today, but these represent only about 10% of card payments and only 15% of amounts.
All the banks have adopted it, albeit belatedly and in an uncoordinated way. Their implementation of the system proved to be too complex. In fact, the authentication process is not standardized, and consumers have to juggle several different systems from one bank to another, which does not encourage ease of use.
On the e-merchant side, the rejection is even clearer. Not all the major retailers, i.e. the twenty or so sites that carry out the vast majority of online transactions, have so far adopted the system, in particular because of its consequences on the order abandonment rate.
The PCI DSS standard has not had the desired result either. Firstly, because it is not infallible, as famous cases of massive data theft have shown. Secondly, because French legislation does not formally impose it. The result is an obvious vagueness in the interpretation of its list of good practices, particularly regarding the lifetime of stored bank card data. Some sites keep this data for several years beyond what payment strictly requires, or even never erase it, which increases the risk of identity theft.
Other security systems such as certified email, which is the absolute weapon against phishing, are hardly ever used.
Only one victim: the consumer
There are several reasons for this paradox, all of which converge on the basic principles of risk management.
Firstly, although the financial cost of Internet fraud is borne approximately equally by banks and merchants, and not by consumers, who are usually reimbursed, it is in fact the latter who pay for the damage. This is because banks are insured against the risk of non-payment, and pass on the cost of this insurance in the price of their services. In the same way, retailers pass on their financial losses in the prices of their products, as with the well-known "unknown shrinkage" in supermarkets. Banks and merchants are therefore not directly impacted by fraud, and simply manage the risk.
Secondly, merchants are primarily focused on growing their sales. They respond to the expectations of Internet users and simplify the purchasing process as much as possible in order to avoid shopping cart abandonment. As a result, identity checks are reduced to a minimum, and secure payment is sacrificed on the altar of ease of use. The most obvious example of this is the increasing use of "one-click payment" functions on e-commerce sites. These sites do everything to simplify the life of their customers, but most of them do not manage the impact that this has on security. The consistency of the customer accounts created, for example, is almost never checked.
Thirdly, the public authorities have never really been involved in solving the problem. In the case of 3D Secure, for example, the Banque de France, which is the guarantor of the security of means of payment, does not have the power to impose a precise rule on the group that manages Carte Bleue cards, having only observer status. Similarly, the administration has never communicated with the general public to encourage the adoption of the system, as has been the case in other countries, or for the SSL padlock.
Actors must assume their responsibilities
However, the inexorable rise in Internet fraud is not inevitable. The case of the British market is a shining example. In this country, the rate of fraud in e-commerce is close to that observed in 'traditional' points of sale. 96% of Internet transactions use 3D Secure, and the 3D Secure authentication failure rate does not exceed 3%, whereas it is 13% in France.
The reason for this success lies in the establishment of a virtuous circle combining the introduction of a single authentication procedure adopted by all banks and bank card operators, and mass adoption by merchants.
To reverse the trend in France, several common sense measures could be quickly implemented.
The first is better consumer awareness of the risks associated with paying on the Internet. This should come first of all from e-merchants, who need to better inform their customers about the risks they take when entering personal data on the Internet. Many banking sites regularly issue security alerts, for example, but no major e-commerce site does the same. It would be logical for Fevad to take charge of a real awareness campaign for the general public on this subject.
It should then come from the government. Genuine government communication on payment security should be developed, as is the case in many other countries. In France, it is mainly companies that are aware of security, not consumers.
In addition, banks should logically agree on a single authentication procedure that is simple to understand and implement and that can win the support of both consumers and merchants.
Finally, consumers also have their share of responsibility, and must be aware that they must comply with basic safety rules throughout their purchase on the Internet.
As the fraud rate cannot continue to grow indefinitely, this will eventually become self-evident. It would be in the best interests of consumers and the e-commerce industry alike.