Visa and MasterCard have separately drafted new plans to wage war against online credit-card fraud, a costly burden for merchants who get fooled into accepting fake card numbers over the Web.

Visa this week trumpeted a list of security "best practices" for e-merchants that accept Visa cards, requiring them to use encryption and firewalls to protect card data.

In a different approach, MasterCard next year plans to require that credit-card purchases on the Net include a special three-digit cardholder identification number that is printed on the back of the card.

This change, expected to go into effect next April, will require alterations to card-processing software and networks, MasterCard says.

"We're being more vigilant in monitoring those [Internet] transactions," says Vinnie DeLuca, MasterCard's vice president of fraud control.

"Effective 1 April, 2001, MasterCard will require the three-digit code called the Card Validation Code No. 2."

Internet merchants must then be prepared to request that three-digit code, which identifies the cardholder and is not part of the regular credit-card number. The number is printed on the plastic card, but today it is neither printed on credit-card receipts nor processed through MasterCard's network.

Visa also has a three-digit code on the back of its cards called the "Card Verification Value," according to John Shaunessy, Visa's senior vice president of risk management. A merchant can request that code when the cardholder is not present to help validate the transaction. Currently, Visa won't mandate its use on the Internet. "We leave that up to the merchant," Shaunessy says.

Instead, Visa has formulated a 12-point list of security practices it wants online merchants, ISPs and third-party service providers processing credit cards to follow.

These practices, aimed at preventing break-ins to steal card numbers from servers, include encrypting card data and using firewalls and antivirus software.

The new rules about data security are expected to take effect by the end of the year.

"It's premature to suggest penalties for noncompliance, but we are developing the capacity to monitor the security of merchants," Shaunessy warns, declining to reveal how Visa will do this monitoring. Merchants might even face loss of their Visa merchant card accounts if they fail to follow the new rules.

However, industry analysts and e-merchants claim the credit-card companies have yet to come to grips with the full scope of the problem.

Internet-based card fraud is "at least 10 times the rate for the physical world," claims Avivah Litner, an analyst at Gartner Group in Stamford, Conn.

A Gartner survey of 100 Web retailers found Internet credit-card fraud to be much more common than offline fraud, making it the "No. 1 problem" in e-commerce, according to Litner.

Online travel service Expedia, which accepts credit cards for airline tickets and hotel reservations, recently acknowledged that it had been victimised by gang-related card fraud to the tune of £2.7 million.