Measures to Take for That Ounce of Loss Prevention
By Brandes Elitch
For the last two years I have attended the National Retail Federation's
Loss Prevention Conference, most recently in June in Vancouver, British
Columbia. For those of you unfamiliar with the NRF, it is the world's
largest retail trade association, representing retailers in 50 countries
and more than a hundred state, national and international trade
organizations.
You might be surprised to learn that loss management is a very important
job in every large retailer, and one component of this is the payment
piece. What follows is designed to be an overview for those of you that
call on large retailers and want to know who some of the players are in
this business.
Like any business, first you need to know the buzzwords of the industry.
For large retailers, those would be data extraction and analysis, fraud
detection, network security assessment, e-commerce security and continuous
monitoring.
There is one main vendor in the data extraction and fraud detection
business: ACL Services (www.acl.com) seems to be the leader; after that the
most common solutions are spreadsheet and database software. You also may
want to consider Triversity (www.triversity.com) for these applications.
For network security, the most common solutions are Kane Security Analyst,
Internet Scanner, Blindview, Cybercop Scanner and NetRecon.
In the area of e-commerce control, the dominant player other than the ISP
seems to be Verisign. Security breaches in this area have, up to now,
primarily been hacker attacks, denial-of-service attacks and virus infiltrations. Of
course, security also has been breached by employees and in-house
contractors.
It is probably true to say that most auditors are at the very beginning
stages of addressing e-commerce risk. I particularly like a quote from last
year's survey of 2,700 members of the Institute of Internal Auditors, as
published in "Internal Auditor" magazine in August 2000: "We are just
entering the e-commerce environment, and we haven't established controls or
performed an audit in this area yet. We hope it doesn't become too
overwhelming before we're ready."
Have I got news for him: According to the Computer Security Institute and
the FBI, 85 percent of 538 organizations surveyed said their networks were
breached last year. The 186 respondents who quantified their damage put
their losses at $378 million. But, as someone pointed out, as networks and
computers grow increasingly important, the stakes are higher than ever.
In the payments area, there are many risks to large retailers. Of course,
the dominant one is check fraud. The Tower Group, a research firm,
estimates that U.S. merchants lost $13 billion in bad checks in 1998. I
don't have more recent numbers, but it is safe to say that it is a larger
number.
To give you a perspective, the September 2000 issue of Bank Technology News
reported on a study done on checks accepted by New Jersey merchants. In the
test, 2 percent of the checks bounced, 1 percent were drawn on closed
accounts, and 1 percent were drawn on accounts that never existed! And to
think - you were wondering if your merchants needed a check guarantee
service!
It should also be mentioned that notwithstanding all of the many various
initiatives in the payment system, checks still will be the dominant method
of non-cash payment for the next few years. Credit card losses at point of
sale are quoted as $1.9 billion worldwide in 1999, although about $553
million was in Europe, where fraud accounted for 7 basis points of each
transaction (not surprising when you realize that they do not have an
online authorization system as we do in the U.S.).
It is harder to quantify losses in the non-POS environment because
merchants are afraid to report them for fear of being put on the dreaded
Terminated Merchant File. However, it is probably not too far off to
estimate that in certain high-risk industries, which tend to be the
majority of transactions on the Web, chargebacks might approach 1
percent.
We are hearing about various initiatives from the card associations that
are intended to drive chargebacks to a number closer to what they are at
the point of sale, which has been variously reported over the last few
years to be somewhere around 10 to 15 basis points. That brings up the
question: Just how are they going to do that?
There are a few players who have converged on this space. First of all, in
February, Visa announced its Cardholder Information Security Program, a
12-step guide (another 12-step program?) for merchants. The program
consists of very obvious steps (have a firewall, encrypt data, use
anti-virus software, restrict access, assign a unique ID, etc.), but the most
interesting thing about it is that Visa is implying that if merchants do
not comply with these steps, it somehow will limit their chargeback rights.
Then, recently, Mastercard told some of its largest acquirers at a
conference at their headquarters in Purchase, N.Y., that they were going to
monitor chargebacks and that merchants at an elevated level (which was
reported to me to be above the traditional 10 to 15 basis points at POS)
would be subject to losing their merchant account. This is strong medicine
indeed for MOTO merchants, but I must say that acquirers in the high-risk
acquiring business (including me) have been predicting this for years.
How then are these merchants going to comply and deal with a problem that
was reported in the June 2001 issue of Stores magazine to be 3 percent of
total sales?
The article mentions companies that will sell their software to merchants,
such as HNC (San Diego), MIVA (San Diego), RocketBridge (Chicago),
CyberSource (Palo Alto), iShopSecure (Davie, FL), US Search (Los Angeles),
and Shift4 (Las Vegas). Typically, these work by asking the consumer a
series of questions as he is completing an online sales transaction. It
asks consumers questions based on information in their wallets, such as the
printed numbers on the back of their cards (this is an advantage versus
having personal information stored on the servers of the merchants or
processors).
The article mentions software by HNC and says, "About 60 to 70 questions
are asked of the shopper during the online sales transaction before a score
is attained." Now let me ask you, if you were online (or on the telephone)
and the usual friendly and well-trained telemarketing rep asked you 60
questions before it could be determined that you could actually buy the
product that you want without going to the store, exactly how many
questions would it take before you logged off or rang off? Personally, I am
guessing it would take about five, in my case.
This is the same reason why other previous well-funded solutions such as
digital certificates or digital signatures haven't caught on yet; they don't
pass the "Mom" test. That is to say, you cannot explain easily to your
65-year-old mother how they work and why she should use them.
I have looked at many of these programs, and I have found three that I
would recommend to the ISO community:
One is a company called Internet Clearing House (www.ichonline.com). Its
president, Paul Fichtman (888-391-1145), is a true industry leader. His
solution is simple: The consumer enters their name, address, and telephone
number, and ICH can verify that the consumer is who they say they are and
even verify the age (within 30 days of birthdate), and can do this in high
volume (50 transactions per second) and at (relatively) low cost.
This is a seamless process for the consumer (indeed, the consumer would not
even realize that this is going on in the background), and because it
verifies the true address of the consumer, it is also useful for merchants
who need to have this information, such as gaming.
The second is another company whose officials I met at the NRF show: Image
Data (Nashua, NH). The president is Larry Gilbert
(Lgilbert@ImageDataLLC.com).
This solution is a POS one. It addresses the fact that, according to a
national credit bureau, identity-fraud inquiries increased from 35,235 in
1992 to 522,922 in 1997. MasterCard found that ID fraud-related losses were
about 96 percent of a member bank's overall fraud losses.
Here, a single device is installed at the POS, combining a high-speed image
scanner and a digital display. A customer enrolls by presenting a valid,
state-authorized photo ID to the retailer for scanning. The digital photo
is encrypted and sent to Image Data, where the information is securely
stored and where the company maps the account number and other data to the
digital photo. Each retailer has its own PIN for gaining system access and
completing the transaction.
The photo is retrieved and sent to the retailer, who compares it to the
individual at the counter. The logic of the system is contained in this
quote from their founder: "It creates a very significant deterrent. A
criminal doesn't want to walk up, read this disclosure notice and then
enroll in the system, which is exactly what we're trying to do." I am
currently looking at this application as an enhancement to our check
guarantee workflow.
The third new entrant is a San Francisco-area company called Veristar
(www.veristarcorp.com). This has been characterized as the first truly new
payment system since the credit card. Basically, the consumer registers at
a merchant with a fingerprint. The merchant needs a $100 interface to the
credit card terminal to read the biometric input. The consumer enters their
payment information (check, credit, or debit card), and the next time they
come in the store they put the finger on the reader and choose the desired
payment alternative.
Veristar does the payment authorization and settlement on the back end. It
is truly a simple and elegant payment structure that would work
particularly well for the fast-food industry, and, of course, it will need
ISOs to sell it! This company is well funded and is looking for processors
to integrate it into their product line. Contact me if you would like more
information.
These are some of the current products and services in the world of fraud
prevention as it relates to the payment industry. I am always interested in
learning about new developments, and if you would like to get my input,
please share your ideas with me.