The Green Sheet Online Edition

June 27, 2011  •  Issue 11:06:02


Fraud, the conversation starter

By Nicholas Cucci

Living in this age of technology means personal financial information is increasingly vulnerable to fraudsters. According to a study by the Bureau of Justice Statistics, 23 percent of consumers subjected to identity theft lost money due to the fraud. The average out-of-pocket loss was $1,870, but half suffered losses of $200 or less.

The emotional impact of identity theft is often far more painful than the actual financial loss. Now, with instances of cyber fraud, it is becoming more important for merchants, banks and processors to be proactive about guarding card information and the personal details included with it.

The Sony breach

Despite card issuers' efforts to protect customer card information, we have still seen two large breaches in 2011, the ones at Sony Corp. and Michaels Stores Inc. In the Sony breach, over 100 million card numbers were exposed. Because of the breach, the Sony network went down for 23 days and was only recently restored. Sony expects to be fully back up by the end of June.

Sony's PlayStation Network breach is likely to cost the company well over $100 million. However, this breach could cost Sony even more, as the estimate does not include lawsuits filed against Sony by users of the hacked network.

Sony's servers were hacked between April 17 and 19, which impacted three networks: the PlayStation Network, Qriocity and Sony Online Entertainment services. Sony discovered the breach on April 19, but did not disclose any information publicly until April 26.

On May 28, Sony offered its PlayStation Network and Qriocity customers the services of Debix, an identity protection firm, with the first 12 months of protection free of charge. But is that enough to make consumers happy? Will this be the new aftermath trend for breaches? Only time may tell, but it's definitely a start in the right direction.

The Michaels breach

The Michaels breach was a little different. Ninety POS terminals were tampered with in Michaels stores in 20 states. Michaels used terminals and PIN pads that were Payment Application Data Security Standard certified. However, the attackers got around the security by swapping out the compliant PIN pads with compromised ones.

Due to the Michaels breach, the U.S. Secret Service is now investigating fraud incidents linked to POS device tampering. But the breach would have been relatively easy to avoid if store managers had been paying attention to what was happening in their stores.

How to avoid breaches

An axiom in the fraud prevention world is that fraudsters will always travel the path of least resistance. The more safeguards merchants have in place, the less likely it is fraudsters will spend the time required to gain access to their systems. Here are eight basic fraud prevention tips for ISOs and merchant level salespeople (MLSs) to pass on to merchants:

  1. Watch out for multiple orders with different "bill to" and "ship to" addresses. Check the IP geo-location, and compare it with the billing address to help verify the validity of the charge.

  2. Start keeping a database of prior fraud attempts once you have found a fraudulent charge. You will want to keep information such as the customer name, shipping/billing address, phone number, IP address and e-mail address. Make sure to designate a section in your database where you can input comments.

  3. Detect patterns. Multiple orders being shipped to the same address but using different credit card numbers should throw up a red flag. Also, when fraudsters try to use stolen credit card numbers on online checkouts, they often submit the same credit card number multiple times with different expiration dates because the expiration date is what they are missing.

  4. Suspect free e-mail accounts. A majority of fraud originates from free e-mail services. Many businesses today refuse to accept orders from free e-mail accounts or non-ISP e-mail domains. Depending on the value of the purchase, merchants can call or request more information before the order is further processed.

  5. Enroll in payer authentication programs. Programs such as Verified by Visa and MasterCard's SecureCode use personal passwords to confirm identities of card users. When merchants use these programs, card issuers may incur some of the losses for online fraud that would otherwise be the responsibility of merchants.

  6. Have BINs checked. You can use the first six digits of the credit card number, which contain the bank identification number (BIN), to determine if the issuing bank and the credit cardholder are in the same country. However, merchants need to keep in mind that some legitimate transactions occur even if cardholders and issuing banks are in different countries.

  7. Employ the AVS. The address verification system (AVS) is only available in the United States and in four European countries. It checks whether the cardholder's address and ZIP code match the information at the issuing bank. Merchants should be aware that the AVS can fail because of certain issues, such as cardholder address changes.

  8. Call customers. With the high volume of transactions today, it may not be the best way to spend your time, but an occasional phone call will benefit merchants in many ways. Phone calls give retailers an opportunity to welcome customers and develop relationships with them for future ordering.

    If a merchant calls a person who claims to have never authorized a certain charge, the merchant simply cancels the order and advises the person to call his or her credit card company to get a new card issued. Doing this will solidify your merchants' relationships with customers (and potential customers) and help prevent further fraudulent charges.
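The pattern checks in tips 1, 3, 4 and 6 can be run together over an order history; the following is an added example, not part of the original article. The field names, the opaque card tokens standing in for card numbers, the free e-mail domain list and the sample orders are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample orders. "card" is an opaque token standing in for the card
# number; "bin_country" is assumed to come from a lookup on the first six digits.
def order(oid, card, exp, email, bill, ship, bill_country, bin_country):
    return dict(id=oid, card=card, exp=exp, email=email, bill=bill, ship=ship,
                bill_country=bill_country, bin_country=bin_country)

ORDERS = [
    order(1, "tok_A", "08/12", "pat@isp.example", "12 Oak St", "12 Oak St", "US", "US"),
    order(2, "tok_B", "01/12", "x1@freemail.example", "5 Elm Rd", "77 Dock Ln", "US", "US"),
    order(3, "tok_B", "02/12", "x1@freemail.example", "5 Elm Rd", "77 Dock Ln", "US", "US"),
    order(4, "tok_C", "05/13", "lee@isp.example", "9 Pine Ave", "77 Dock Ln", "US", "CA"),
]
FREE_MAIL = {"freemail.example"}  # hypothetical list of free e-mail domains

def flag_orders(orders, free_mail=FREE_MAIL):
    """Return {order id: [reasons]}; reasons are prompts for manual review."""
    exps_by_card, cards_by_ship = defaultdict(set), defaultdict(set)
    for o in orders:  # first pass: build cross-order indexes
        exps_by_card[o["card"]].add(o["exp"])
        cards_by_ship[o["ship"]].add(o["card"])
    flags = {}
    for o in orders:  # second pass: evaluate each order against the indexes
        reasons = []
        if o["bill"] != o["ship"]:
            reasons.append("bill-to differs from ship-to")            # tip 1
        if len(exps_by_card[o["card"]]) > 1:
            reasons.append("same card, several expiration dates")     # tip 3
        if len(cards_by_ship[o["ship"]]) > 1:
            reasons.append("several cards, one shipping address")     # tip 3
        if o["email"].rsplit("@", 1)[-1].lower() in free_mail:
            reasons.append("free e-mail domain")                      # tip 4
        if o["bin_country"] != o["bill_country"]:
            reasons.append("issuer country differs from billing")     # tip 6
        flags[o["id"]] = reasons
    return flags

if __name__ == "__main__":
    for oid, reasons in flag_orders(ORDERS).items():
        print(oid, reasons or "no flags")
```

Each reason is a cue for the follow-up in tip 8 rather than an automatic decline, since a legitimate order can trip any single check.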

Get the conversation started

Merchants can also help themselves by staying alert and proactive when it comes to POS terminal security. Here are a few tips to follow to guard against POS attacks:

With the expansion of e-commerce, fraudsters are becoming increasingly sophisticated, and identity theft and credit card fraud are taking on new aspects every day. Therefore, it is more important than ever that ISOs and MLSs inform merchants on what steps to take to ensure they do not become the next breach victims.

Nicholas Cucci is the Director of Marketing for Network Merchants Inc., a graduate of Benedictine University and a licensed Certified Fraud Examiner. Cucci is also a member of the Advisory Board and Anti-Fraud Technology Committee for the Association of Certified Fraud Examiners. NMI builds e-commerce payment gateways for companies that want to process transactions online in real time anywhere in the world. Contact him at

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
