Yesterday was April Fools' Day. I used to write spoof columns for the occasion, but 10 years ago I wrote one in Infoworld that took on a life of its own. I fictionalized that the National Security Agency had created a virus that was implanted in Iraq's air defense system and that that was the real reason we won the Gulf War. The column ended with a hearty "April Fools!"

Yet somehow, my joke got picked up by U.S. News & World Report in an article titled "The Secrets of the Gulf War" and was presented as real. Before it was published, I told the authors it was all a joke, but they published it anyway. My spoof became an incontrovertible fact. Somebody at the Pentagon confirmed the story.

I bring this up because in the on-the-Internet-nobody-knows-you're-a-dog era, we're going to need better tools to know when, and if, we're being spoofed in our online transactions.

Online merchants already know the price they pay for the lack of transactional security services. While credit card companies charge brick-and-mortars 1% to 3% of a transaction to handle credit authorization, verification and payment, they charge online merchants 3% to 6%. In the brick-and-mortar setting, where physical credit cards are usually present, merchants bear the costs of fraud 10% to 15% of the time. In the online world, where all transactions are "card not present," merchants have to pick up the tab about 25% of the time. This is because fraud rates are 10 times as much as when the physical cards aren't used in transactions.

In other words, security risks and attendant security costs are higher in the online world. On the other hand, moving a customer from, say, doing business via an 800 number to doing business online can cut a merchant's cost per transaction by a factor of 10 or 20.

These higher security risks and costs in the online world are driving a market for transaction security software and services. It will grow from $128 million in 1999 to more than $3 billion in 2005, according to my colleague Chris Christiansen, IDC's Internet security guru.

These services usually work by letting a merchant identify a potential customer, verify the identification through a third party and then download security "credentials" to use in the transaction. A new customer can be doing business in minutes. By creating what is, in essence, a virtual smart card, the merchant can actually process the transaction as if it were supported by a physical credit card.

Wrinkles on this include digital signatures, credit card encryption and discount payment services. The advantage over traditional IT security systems is support for one-time transactions.

IT departments will, of course, play a critical role in implementing such transactional security and working with the company's business partners. The nice thing is that for once you can point to a real return on investment for implementing a security solution: lower transaction fees and higher customer retention. You no longer have to sell protection but rather customer benefit. Security goes from risk avoidance to business enablement.

This is no April Fools' joke. I promise.

» posted by ITworld staff

Computerworld

• Email
• Print
• Share
  • Slashdot
  • Digg
  • Stumble
  • Reddit
  • Newsvine