The Green Sheet, Inc

Fraud matters to ISOs and MLSs

By Peter Kulik

Card fraud is growing. Sources put 2005 losses from this offense at $2.8 billion, up from $2.6 billion in 2004 [1]. In 2005, one source tracked more than 80 data breaches, a number sure to grow in 2006 [2].

But outpacing this growth is the number of regulatory requirements concerning card fraud and identity theft (these terms are often used synonymously, even by industry insiders). The requirements come from such entities as government agencies, card Associations and insurers.

As quickly as the industry can react to prevent particular types of fraud, crooks find new approaches. Phony card readers and skimmers are old news. The latest crimes involve card verification value (CVV) "brute force" attacks, e-mail phishing, phone-based scams, data system hacking and more.

With technology and communication advances, these new threats do not require a local physical presence. Instead, thieves can be literally halfway around the world - and often are.

Not my problem?

But is card fraud an acquirer problem? As long as merchants or ATM owners follow "the rules" and, in the case of acquirers, pay the card Association interchange, they're not liable for losses from these crimes, right?

Wrong. The growth in card fraud puts consumer confidence in our payments system at risk. Fraudsters are payments industry parasites threatening the health of their host. Combating them necessitates that everyone in the value chain adapt and work together. And this has begun to affect the economics of the acquiring side of the payments system.

To date, the regulatory bodies have generally ignored the acquiring side. There is, however, a great deal of regulation for card issuers concerning customer identification, money laundering prevention, dual-factor authentication, neural network fraud detection systems and so on.

New "red flag" proposed regulations would establish a set of controls to prevent identity theft and more quickly detect the thefts that do occur. But these rules are largely focused on the transaction approval process rather than on preventing phony transactions from even being presented for approval.

That is, they focus on making sensitive card information harder to use, rather than harder to steal in the first place. This is where ISOs, merchant level salespeople (MLSs) and merchants come in.

And there is a precedent. In migrating to chip and PIN technology in Europe, the card Associations punitively assigned liability to merchants who did not update their POS equipment on schedule.

Proposed federal regulation on public disclosure of data breaches - information merchants and acquirers have been loath to disclose in the past - will impact the economics of fraud on the acquiring side.

[Chart: Security lifecycle]

Recognizing this gap, Visa U.S.A. and MasterCard Worldwide have documented practices for acquirers to follow. The ATM Industry Association has also been working to systematize "best practices" specifically for POS PIN security. ATMIA is working with the acquiring industry to develop the "POS security lifecycle" (see chart above).

What acquirers can do

What can you do as ISOs, MLSs and ATM owners to prevent fraud and maintain consumer confidence in the payments system? In a nutshell, do not be an "absentee acquirer." Follow the recommendations of Visa, MasterCard, ATMIA and other industry bodies, including these six fundamental practices:

  • Stay up to date with card Association recommendations and rules. If you are unfamiliar with them, your processor can help you learn.
  • Train employees how to verify customer identity at the time of sale. Signature checking is required. Asking for a second form of ID is becoming more common among merchants and accepted by consumers. A consumer's resistance to such a check is a red flag.
  • Enhance POS systems to include CVV, expiration-date checking, name-matching or last-four-digits verification. Implement new practices as they become available. These checks can be done as part of the transaction with little or no impact to transaction flow.
  • Use your processor's services for detecting suspect activity, or subscribe to or implement a separate system. Such systems are critical for early fraud detection and for reducing losses - and associated costs - for merchants, cardholders, financial institutions and card Associations.
  • Make sure all your reports mask sensitive cardholder information. The card Associations and other standards bodies require it.
  • Implement an encryption system for all information stored in your in-house systems. Simple disk encryption products are widely available, easy to use and inexpensive. If you must keep paper records that include card numbers, make sure these are as secure as if they were cash (because they do represent "cash" to a crook).

We must all be vigilant to combat fraud. Following these fundamental steps, complying with all regulations, and adapting current and future best practice recommendations of industry groups will help. Working together, we can maintain consumer confidence and our payment system's integrity.

1 Source: Celent Communications LLC
2 Source: Mercator Advisory Group

Peter Kulik manages electronic-fund-transfer products for Cincinnati-based Fifth Third Processing Solutions. E-mail him at peter.kulik@53.com or call him at 513-534-8685.

Article published in issue number 060901

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
© 2006, The Green Sheet, Inc.