The Myth of the Level Playing Field in E-Commerce

Written by Evan Schuman
November 6th, 2005

The argument that e-commerce allows price and product quality to trump large marketing budgets has been crushed by, well, large marketing budgets.

One of the core beliefs among e-commerce cognoscenti is that the Web serves as the great equalizer, allowing 20-employee retailers to effectively compete with Fortune 100 giants with $100 million ad budgets.

Of course, those Fortune 100 ad budgets certainly help consumers think about clicking over to the big Web sites; so the Web’s populist response is to rely on price-comparison sites that?in theory?put all vendors on an equal footing so that price is the only differentiator.

If that were true, the smaller retailers would have a fair fight. Much lower overhead sometimes allows them to charge less than the big boys could, though much weaker volume discounts might force them to charge more. All in all, it often washes out.

Recently, though, identity theft and related security concerns have entered the equation, returning the odds to strongly favor the major players.

What do security and identify thieves have to do with wooing more consumers while charging 15 percent more for the identical product? Paradoxically enough, the answer is “trust.”

Rightly or wrongly, consumers tend to trust larger sites more for three reasons.

First, they want to trust them more, in the way that a 4-year-old wants to believe his/her parents know best and that blind obedience is in their best interest.

Secondly, they emotionally believe that a larger outfit is more professionally run and would have the resources to take proper security safeguards. (The fact that most large IT departments never bother to install the most crucial OS patches is something they either don’t know or choose to conveniently forget.)

The third reason is more logical, as it is steeped in cynical theories that retailers will do things only that are in their self-interest. That reason is that if customers of a large site get bloodied by thieves, it’s quite likely that bad publicity would result and the retailer would get beaten up.

In a strange twist, the Web has succeeded in giving all companies equal access to consumers, but security fears make them long for the comfort of a major established player.

Could it be that consumers don’t truly want to be able to shop for the best price, regardless of source?

“Consumers, they don’t know anything about PCI compliance, but they are afraid of identity theft so the larger sites give them a feeling of security,” said Asa Holmstrom, president of security firm Columbitech.

Most consumers, Holmstrom said, will use Google and other search engines for looking for products and will strongly examine price, but when they choose the site that they’re going to give their credit number to, “they are probably going to pick a big one.”

The CEO of one of those price-comparison sites freely volunteers the view that consumers don’t want to make purchase decisions based solely?or even mostly?on price. “Trust is the single most important factor,” said CEO Michael Yang.

The man who arguably has the most to lose from aggressive price-comparison sites?Amazon CEO Jeff Bezos?said he has little to fear.

Bezos doubts that price comparison sites will hurt his company much, but he’s trying to fight back with lower prices and better delivery options anyway. (Duration: 42 seconds)

Bezos, who was talking with me on an entirely different subject Friday afternoon, said his site is well-positioned to shine brighter than small sites in those comparisons.

“We have been working on lowering prices, increasing selection, having great availability. The Internet?whether it’s price-comparison shopping sites or anything else?is this fantastic world where consumers have terrific information,” Bezos said. “What we seek to do is to provide the best all-end value for customers so that customers choose us.”

Amazon has argued that their free shipping and related services provide an edge that other sites can’t match. And, yes, the relative stability and large size of Amazon?and the strength of its brand?certainly doesn’t hurt.

In a sense, the major vendors have been passively taking advantage of the computer industry standby of FUD (Fear, Uncertainty and Doubt) to tweak the e-commerce equalizing factor to once again favor the largest vendors. Be suspicious of a large vendor touting their security features too much.

That said, there certainly is a legitimate reason for a consumer to be hesitant to give out their credit card number plus their card verification number to anybody who can put up a nice-looking online storefront.

I still remember an attractive looking e-commerce site a few years ago that sold some out-of-print books I was interested in. Their credit card system was very effective. It was so effective that it continued to function even after the company shut down and the owners went their different ways.

No one had bothered to shut down the site, so it kept taking credit card data, charging those cards and dispatching orders to a no-longer existing product distribution team.

The mess was ultimately cleaned up by the credit card companies, but it’s a frightening lesson about buying from an unknown Web site.

Personally, I like to come up with a reason to call a little-known vendor’s customer service people, just to make sure there’s somebody still there.

On that point, why do so many e-commerce vendors feel the need to staff a customer service department and then hide the contact information?

Here’s a challenge for you: Go to and see how long it will take you to find the phone number for customer service. You can cheat, of course, and just search for 1-800-201-7575, but try finding that number on that site if you don’t already know it.

Getting back to e-commerce security, it’s amusing to watch today’s activity around the card verification number, which is the small series of digits that are not imprinted on the card. Almost all E-Commerce sites now require the number, which means that it no longer has any solid value as an authentication tool. In other words, if a bogus transaction is charged to a card and the cardholder denies the charge, the authentication number is intended to be proof that the cardholder was involved. But with that number now being given out to every online merchant the cardholder has ever used, that seems to be ludicrously diluted.

At every stage of the roughly 11-year-old history of e-commerce, the major vendors have had the advantage. When the Web was super young, consumers only knew of the major players. Today, consumers are more knowledgeable and confident of search engines and price comparison sites, but security threats make them too nervous to veer too far from the major players.

The problem is that small sites can’t fight back even if they choose to invest heavily in security. Let’s say a small site puts in place state-of-the-art security at every level. The best they can do is tout that fact to site visitors. Why would a security-concerned consumer believe them?

If the e-commerce population truly wants a level-playing field, an organization of well-known vendors would put together a security standards group that would issue the equivalent of a Good Housekeeping Seal of Approval for security procedures. Yes, security certificates aren’t what they used to be, but at least it would be a start, especially if it involved frequent re-certification requirements. (“This site certified secure by the Really Big Name Security Council as of Jan. 15, 2006 through April 15, 2006.”)

The vendors would pay for their site to be secured. But those vendors need not worry about the cost because it simply will never happen. The security fear is a potent weapon that defends the large e-commerce players, so don’t look for that particular playing field to be leveled any time soon.


Comments are closed.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.