The Green Sheet Online Edition
May 28, 2012 • Issue 12:05:02
Paving the way to fraud deterrence
How could anyone forget the multiple Sony Corp. breaches that occurred over a 30-day period in 2011? This year is also gaining its share of notoriety with the recent breach of Global Payments Inc., which reportedly enabled hackers to access 1.5 million card numbers.
While this may seem like an alarming number, it is only a fraction of the 1 billion cards used in North America, according to Forbes.com LLC. Credit card data is a hot commodity because it can be used to create counterfeit cards.
In April 2012, American Express Co. sent a letter to card members about the Global Payments breach but didn't mention the target, even though the news had already been made public. An excerpt from the letter read, "A company that provides payment processing services to numerous merchants in North America has informed us that there has been unauthorized access to a portion of its processing system.
"As a result, account information of some of our card members, including some of your account information, may have been improperly accessed. The processor, or other parties, including merchants where you have used your card, may also contact you about this incident."
Visa Inc. was the first company to remove Global Payments from its list of approved service providers. Global will be certified again, but it will pay Visa more to process transactions.
Breaches on the rise
First Data Corp., the largest payment processor in the United States, recently warned of emergent sophisticated trends in hacking. The company said it is seeing a substantial increase in the number of POS systems that are unprotected or only loosely protected as well.
Prominent sandwich shop franchisor Subway was recently breached, compromising data for more than 100,000 cardholders. According to the Bank Info Security website, the culprits planned the attack for more than a year before carrying it out. Attacks on payment systems are only going to increase over time.
The challenge for both ISOs and merchant level salespeople (MLSs) is educating smaller merchants on Payment Card Industry (PCI) Data Security Standard (DSS) compliance. Merchants need to understand that their systems and technology must comply with current practices to limit their vulnerability.
Neither Visa nor MasterCard Worldwide includes Level 4 merchants on its list of PCI DSS compliant merchants. This is because Level 4 merchants are not required to undergo compliance audits by qualified security assessors; the card brands assume these merchants conduct self-assessments, which apparently is not happening.
Merchants in need of education
What steps can merchants, ISOs and MLSs take to cut back on data breaches and fraud? This question was posed to Roy Derby, a veteran law enforcement official and current Director of Risk Management for America's Bankcard Alliance LLC.
"The credit card processing industry is based on risk, and it's our duty and obligation to mitigate the risk for our merchants," Derby said. "One of the most overlooked and basic ways to help your merchants is prevention through education."
Being proactive is essential to reducing one's risk. One way to achieve this is through training. Most merchant sales trainees receive entry-level instructions on how to use credit card processing equipment and the definition of fraud.
Providing ongoing training is key, along with establishing policies on the steps to take when the inevitable suspicious activity occurs. The small price of keeping staff updated on the latest scams and trends can positively impact profit margin and reflect a store's reputation for zero tolerance.
When Derby explains to merchants the importance of keeping staff informed, he draws from his prior experience as a detective assigned to paper crimes (forgeries, bad checks and unlawful use of credit cards). "I always knew where the most activity was going to occur simply due to certain stores' reputations on the street as being easy," he said. "Don't be that easy target. Be the one the criminal decides to skip and move onto the next store."
Fraud-fighting tips to share
ISOs can assist Level 4 merchants by:
- Evaluating the extent of their PCI DSS validation requirements
- Helping merchants obtain full PCI compliance, including the completion of self-assessment questionnaires
- Explaining how POS terminals and PIN pads can be breached and what to look for, such as sticker seals, keypad overlays, pin holes, and unauthorized people claiming they need access to devices to service or replace them
In addition, ISOs and MLSs can share fraud-fighting techniques and trends with merchants by giving them the following advice:
- Watch out for multiple orders with a different "bill to" and "ship to" address, and compare the Internet Protocol (IP) geolocation to billing address to help verify the validity of a charge.
- Keep a database of fraud attempts after discovering a fraudulent charge. Merchants should keep information, such as the customer name, shipping and billing addresses, phone number, IP address and e-mail address. The database should include a section for comments.
- Detect patterns. Multiple orders shipping to the same address but paid for with different credit cards should raise a flag. Fraudsters may have the credit card number but submit it multiple times with different expiration dates because that's what they are missing.
- Watch for free email accounts. Most fraudsters use free email services. Many businesses today refuse to accept orders from any free email accounts or any non-ISP email domains. Depending on the value of the purchase, merchants can call or request more information before allowing an order to be processed further.
- Use payer authentication programs. Programs such as Verified by Visa and MasterCard's SecureCode use personal passwords to confirm the identity of the card user. When merchants use these programs, card issuers may incur some of the losses for online fraud that would otherwise be the responsibility of the merchants.
- Perform a bank identification number check. Merchants can use the first six digits of the credit card to determine if the issuing bank and the credit card holder are in the same country. However, this method should be verified before canceling a transaction since some legitimate transactions occur with credit cards from other countries.
- Use the Address Verification System (AVS) service. AVS is only available in the United States and in four European countries. It checks whether a cardholder's address and ZIP code match the information at the issuing bank. This, too, should be checked; AVS can fail because of certain issues, such as an address change.
- Telephone customers. Even with today's time constraints, phoning customers to verify questionable orders will benefit merchants in many ways. Phone calls give merchants an opportunity to welcome customers and develop relationships that will foster future orders. If a customer claims to never have authorized a charge, a merchant can simply cancel the order and let the customer know to call his or her credit card company so a new card can be issued. This will further solidify the merchant's relationship with the customer and prevent additional fraudulent charges.
Nicholas Cucci is the Director of Marketing for Network Merchants Inc., a graduate of Benedictine University and a licensed Certified Fraud Examiner. Cucci is also a member of the Advisory Board and Anti-Fraud Technology Committee for the Association of Certified Fraud Examiners. NMI builds e-commerce payment gateways for companies that want to process transactions online in real time anywhere in the world. Contact him at email@example.com.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.