The Green Sheet Online Edition

April 27, 2009  •  Issue 09:04:02

Complexities, solutions for prepaid fraud

In December 2008, prepaid card issuer and processor RBS WorldPay Inc. disclosed a security breach in its U.S., open-loop gift and payroll card system. The breach resulted in an ATM scam that netted fraudsters $9 million. While RBS said the damage was contained and the company had taken steps to strengthen the safeguards to its systems, the breach and its aftermath should serve as a wake-up call to the prepaid card industry.

In a report entitled Prepaid Fraud and Risk: Between Cash and a Hard Place, David Fish, Principal Analyst at Mercator Advisory Group, outlined steps the industry should take to secure systems and outthink the hackers.

Unique systems

According to Fish, the same basic principles that govern credit and debit card fraud management systems also apply to prepaid card systems. All systems have authorization and clearing functions. Card issuers and program managers set authorization policies. Processors that manage risk tolerances and authorization streams approve or decline transactions based on the policies already set up.

"But there are caveats that come with prepaid like load transactions that the systems need to be aware of and take into account," Fish said. "There is an additional section on the policy on loads. So that's how prepaid is unique in authorization."

Fish said that prepaid fraud systems need to check the "value and velocity" of transactions, both when value is subtracted from cards when they are used and when value is added to cards through loads and reloads.

"The transactional monitoring piece has to be modified to accommodate for the uniqueness of prepaid," he said. "It has load transactions. It has activation transactions. It's not just usage. So the parameters of an issuer's or program manager's fraud system or a processor's fraud system do need to be modified in such a way that that uniqueness is taken into account."
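The "value and velocity" check described above can be sketched as follows. This is an added example, not code from the article or the Mercator report; the policy limits, card ids and sample stream are constructed, and the point it shows is that loads and activations get their own rules next to usage.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed policy (assumed limits, amounts in cents). Loads and activations
# get their own rules instead of being ignored by a usage-only fraud system.
POLICY = {
    "activation": {"window": timedelta(hours=24), "max_count": 1, "max_value": 0},
    "load":       {"window": timedelta(hours=24), "max_count": 3, "max_value": 100_000},
    "usage":      {"window": timedelta(hours=1),  "max_count": 5, "max_value": 50_000},
}

def check_stream(transactions, policy=POLICY):
    """Flag transactions that exceed the count (velocity) or summed amount
    (value) allowed for their type on one card within the sliding window.
    Assumes the stream is ordered by timestamp."""
    history = defaultdict(deque)  # (card, type) -> deque of (timestamp, amount)
    alerts = []
    for index, (ts, card, kind, amount) in enumerate(transactions):
        rule = policy[kind]
        recent = history[(card, kind)]
        while recent and ts - recent[0][0] > rule["window"]:
            recent.popleft()  # drop events that fell out of the window
        recent.append((ts, amount))
        reasons = []
        if len(recent) > rule["max_count"]:
            reasons.append("velocity")
        if sum(a for _, a in recent) > rule["max_value"]:
            reasons.append("value")
        if reasons:
            alerts.append((index, card, kind, reasons))
    return alerts

T0 = datetime(2009, 4, 27, 9, 0)
def at(minutes):
    return T0 + timedelta(minutes=minutes)

# Constructed sample stream: (timestamp, card id, type, amount in cents).
SAMPLE = [
    (at(0),   "card-A", "activation", 0),
    (at(5),   "card-A", "load",       20_000),
    (at(60),  "card-A", "usage",      4_500),
    (at(120), "card-B", "activation", 0),
    (at(121), "card-B", "load",       50_000),
    (at(122), "card-B", "load",       50_000),
    (at(123), "card-B", "load",       50_000),  # third load pushes value over the limit
    (at(130), "card-B", "usage",      30_000),
    (at(131), "card-B", "usage",      30_000),  # usage value over the hourly limit
    (at(132), "card-B", "activation", 0),       # second activation in 24 hours
]

if __name__ == "__main__":
    for alert in check_stream(SAMPLE):
        print(alert)
```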

A holistic approach

Additionally, Fish believes the prepaid card industry must do a better job of communicating between companies and systems. "The degree of cross-industry coordination to combat fraud and money laundering needs to accelerate," he said. "While it's not a new idea in the slightest, the demand for collaborative, systemic fraud controls has really never been greater."

Fish noted that consortia and trade associations, such as the Network Branded Prepaid Card Association and the Center for Financial Services Innovation, have been active in fostering dialogue between prepaid constituencies.

"So it's not like there's a total lack of any sort of consortium on the prepaid side," he said. "What I'm saying is that the businesses themselves need to be linked in such a way that risk management can happen across the industry."

Not only should industry players adopt industrywide security standards, but the systems themselves "should also talk to each other in such a way that the entire payments ecosystem is made more secure," Fish said.

Fish gave the RBS breach as an example. "The crooks were able to hack into the platform and adjust the card parameters so that the mules could go to the ATMs and withdraw $9 million," he said. "That scam was made possible not only by the hackers' manipulation of RBS WorldPay, but there's nothing in the ATMs to say nope, that's not right and stop that transaction."

GPRs targeted

Mercator's fraud report goes into detail on fraud perpetrated using general purpose reloadable (GPR) cards. GPRs have greater fraud potential than closed-loop gift cards, for example, because they have "longer account lifecycles and increased volume and liquidity driven by reload schemes," according to the report.

The breach at RBS involved the theft of data from GPR cards. RBS said 1.5 million open-loop gift and payroll card numbers were compromised in the breach. Only 100 of the card numbers - all from payroll accounts - were allegedly used in the ATM scam.

"That level of sophistication and that type of attack is where the fraud community seems to be moving," Fish said.

The RBS breach and its aftermath - three law firms filed a class action lawsuit against RBS and the processor was stripped of its Payment Card Industry Data Security Standard compliance certification - represents "every payment company's worst nightmare," Fish added. "I think in order to rest a bit better at night, these players are going to need to cooperate."


For more stories from SellingPrepaid E-Magazine, as well as breaking news and forums devoted to the prepaid sphere, please visit SellingPrePaid.com.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
