Credit Card Processing Blog

That is the conclusion of a study of 23 U.S. credit card issuers conducted by Javelin Strategy & Research, a consulting firm specializing in the financial services and payments industries. Criminals are getting better at stealing card account information, while banks and consumers are simply not doing enough to protect their data, the researchers tell us.

The result is that account fraud costs issuers about $37 billion annually, the report says.

New Card Account Fraud Costlier and More Difficult to Resolve

It turns out that, while existing credit card accounts generate a higher total of fraudulent transactions than new accounts – $17 billion vs. $6 billion last year, new account fraud is much costlier on a per-incident basis – $1,267 vs. $565, according to the study.

On top of that, new account fraud takes much longer to detect – 49 hours on average, compared to the 26 hours it takes to discover fraud on existing cards. “The difficulty in detection of this fraud type is a large contributor to the high costs,” the report concludes.

To make matters worse, in addition to the direct cost of dealing with fraud, banks suffer from a couple of fraud-related side effect. Some fraud victims quit online banking, which is costly for issuers, while 20 percent switch to a competitor, which is an even worse outcome from a bank’s perspective.

Bank of America Safest Issuer

Bank of America earned the highest score – 87 out of 100 points – for credit card safety among the 23 U.S. issuers evaluated in the Javelin study, the fifth consecutive year in which the Charlotte, NC-based bank led its peers.

Here is the top 7 list in the study:

• Bank of America – 87.
• Discover Financial Services – 74.
• U.S. Bank – 73.
• USAA – 71.
• Capital One – 68.
• JPMorgan Chase – 67.
• American Express – 66.

The average score for the 23 issuers was 59.

How to Protect Account Data

The researchers have some suggestions on what issuers should do to make it harder for hackers to steal account information. Here are some of them:

• Send SMS alerts to cardholders when large purchases are made or for card-not-present transactions (I am not so sure about that one).
• Stop asking for SSN, a prime target for fraudsters, for authentication purposes.
• Limiting online access for customers who have not updated their anti-virus software.

While issuers may or may not decide to adopt any of these measures, there are things consumers can do themselves to protect themselves, including:

• Keep your anti-virus software updated.
• Look for issuers who support tokenization, which is a technology that replaces the card account number with a random string of characters, which, if intercepted, is useless to the criminal.
• Look for issuers who will let you set transaction limits and ask you for validation when you exceed them.
• Get a chip-and-PIN card when they become available in the U.S. In these cards the account information is embedded in a chip and studies have proven them to be less vulnerable to fraud than traditional magnetic stripe cards.

The Takeaway

Challenging as it is, the situation is certain to become even trickier with the rapid evolution of the numerous nascent mobile payments technologies, which present a whole different set of problems and I am sure we will be hearing a lot about that in the coming months.

Technologies will evolve and change, but common sense will never go out of fashion. It is your best protection. Keep an eye out for anything that looks out of the ordinary. If you find it, stop what you are doing and contact your issuer.

The good thing about credit card fraud, from a cardholder’s stand point, is that ultimately the issuer is liable for fraudulent transaction amounts. Still, the investigative process can take a while and you will be wholly involved in it. Moreover, there are a number of things that can go wrong and your credit history may suffer as a result. So just because someone else is paying for it, does not mean that you will necessarily get off scot-free.

Get a personalized credit card rate for each of your transactions!

Get the lowest possible credit card processing rate for each individual transaction! Our interchange-plus pricing model gives you:

• Processing rates calculated separately for each transaction to ensure that not a single one of them is overcharged.
• No more mid-qualified and non-qualified fees.
• No fixed monthly fees.

It has been quite a while since we have written anything about the Address Verification Service (AVS) and I thought I should offer a refresher course. Also, there is some new information about the service that needs to be shared.

What Is AVS?

AVS is a risk management service provided by the card brands that allows merchants processing card-not-present transactions to verify the billing address provided by their customers by comparing it to the one on file with the card issuer.

At present, AVS is supported in only a few countries, including the U.S., Canada and the United Kingdom.

AVS verifies only the numeric portion of the address. For example, if your address is 10 State Street, Boston MA 02109, AVS will check 10 and 02109. AVS may also check additional digits like an apartment number.

AVS Process

AVS verifications are typically processed together with the transaction authorization requests. The process goes through the following stages:

1. The customer provides her credit card account information at the check-out for payment.
2. The merchant includes the provided billing address into the authorization request, along with the other transaction information. Both requests are routed to the processing bank and from there, to the card brand (Visa, MasterCard, Discover or American Express).
3. The card brand then routes the request on to the card issuer. The issuer matches the received billing address to the one it has on file for its cardholder.
4. The issuer returns both the authorization and the AVS responses to the merchant through the same channel. The AVS response consists of a single-digit code.

The AVS process takes only a few seconds.

AVS Response Codes

AVS response codes differ from one card brand to another. To avoid confusion, some processors may change the originally received code to one that is applicable to all brands. Listed in the table below are the possible response codes you may receive.

Using AVS Response Codes

When deciding on how to proceed with the transaction, you need to take into account the AVS response code. The following general guidelines should apply:

• Exact match (e.g. X, Y, D, M, F). If there are no other causes for suspicion, you will want to proceed with the transaction.
• Partial match (e.g. A, Z, B, P, T, W). You may want to be a bit more careful when the address matches, but the ZIP code does not, or vice versa. It is not a good idea to outright decline such transactions, especially if there are no other causes for suspicion. Rather, look for typical signs of fraudulent transactions, such as larger-than-average orders, orders with overnight delivery; big-ticket items, etc. Try to verify the phone number and contact the cardholder to confirm the order.
• No match (N). If neither the address nor the ZIP code match, you have a strong indicator of fraud, although there is a possibility that the cardholder has moved recently and the issuer has not yet updated the billing information. Call your customer and verify the order. If you cannot reach your customer, do not proceed with the transaction.
• Unavailable or not supported (e.g. U, S, G, I, C). If that is the response you get, you will have to base your processing decision on other factors. Again, do a reverse search for the phone and address and call your customer to confirm the order.

Generally speaking, you would want to use AVS for all of your card-not-present transactions. It is a simple and inexpensive way to verify customer information and there is no reason not to use it that I can think of.

Learn how to lower your card acceptance cost

Learn how to accept credit and debit cards at the lowest processing costs. The Payment Card Acceptance kit contains a video and an e-book:

• Video – Card Acceptance Best Practices for Lowest Processing Costs (18 min).
• E-Book – Payment Card Acceptance Guide (19 pages).

That is what a great Consumer Reports article tells us. The issue lies with the magnetic stripe still present on all credit cards on our side of the Atlantic. The mag-stripe technology has been around since the 1970s and its age is showing in rising rates of card skimming and counterfeiting.

The Issue with Mag-Stripe Technology

Consumer Reports points to a recent ACI Worldwide study, according to which close to a third of Americans have reported credit card fraud in the past five years, and identifies the magnetic stripe as being the culprit. The mag-stripe, we are reminded, is uniquely vulnerable to “skimming,” which causes all the problems.

Card skimming is a well-known problem and we have written about it on several occasions previously. It is the copying of the account information that is encoded on the magnetic stripe of a payment card. The skimmed information is then re-encoded on a counterfeit card and used by criminals in fraudulent transactions.

Skimming is relatively easy to do. As Consumer Reports points out:

American credit- and debit-card data are usually stored unencrypted on a magnetic stripe on the back of each card, which thieves can easily and cheaply copy.

The Alternative: EMV Cards

Unsurprisingly, having identified the issue with the magnetic stripe long ago, most developed and many developing countries have adopted a safer technology, called EMV (which stands for Europay, MasterCard and VISA; I don’t know why). EMV cards feature a chip where encrypted account data are stored and a unique identifier. The majority of EMV terminals also require cardholders to confirm their identity by entering a PIN, instead of signing a sales receipt, which is the procedure with mag-stripe readers.

According to Consumer Reports:

China has announced that it will no longer produce or accept such cards after 2015; American travelers are already finding that their cards aren’t accepted at some gas stations, parking facilities, subways, and merchants in Europe. The European Central Bank has recommended that banks stop issuing magstripe cards after 2012.

EMV adoption has reduced fraud substantially. Consumer Reports:

Total fraud losses dropped by 50 percent, and card counterfeiting fell by 78 percent in the first year after EMV smart cards were introduced in France in 1992. Other countries that have switched have also seen card fraud decline.

Why Is the U.S. Lagging Behind?

The U.S. has found itself alone among developed countries and in the company of “some nonindustrialized countries in Africa” in sticking to mag-stripe cards. Why haven’t we switched to EMV?

Well, it turns out that credit card companies are willing to tolerate mag-stripe related losses. In the words of John Buzzard, Client Relations Manager at FICO, a credit scoring company:

Losses are comfortably in the multimillion- dollar range each year but are incredibly hard to authenticate because of the discreet position that most financial institutions take when asked to assess a loss figure.

Switching to EMV would cost issuers about $3 billion, according to an estimate by the Mercator Advisory Group, and merchants would have to pay not much less to upgrade their point-of-sale (POS) equipment.

Still, many big retailers are pushing for EMV adoption, as they get to absorb much of the fraud losses, and some of them have already begun deploying more sophisticated POS terminals.

As I see it, it is now fairly obvious that EMV adoption in the U.S. is inevitable and the only question is how soon it will happen. Evidently the answer is that it will not be before the current status quo becomes unbearable to issuers. The problem is that the situation is quickly deteriorating, as the U.S. is becoming the easiest market to penetrate by fraudsters, and can get out of control in a fairly short order. I guess we’ll find out just how bad it can get.

Get a personalized credit card rate for each of your transactions!

Get the lowest possible credit card processing rate for each individual transaction! Our interchange-plus pricing model gives you:

• Processing rates calculated separately for each transaction to ensure that not a single one of them is overcharged.
• No more mid-qualified and non-qualified fees.
• No fixed monthly fees.

VeriFone, a big hardware provider for the payment card industry, has launched a head-on attack against Square, a start-up mobile payments company, over allegations that Square’s credit card readers are easily hacked, enabling criminals to steal account information stored in the card’s magnetic stripe.

The Allegation: Square “places consumers in dire risk”

In an open letter, posted on a specially set-up website, VeriFone’s CEO Douglas G. Bergeron alleges that there is a “serious security flaw” in Square’s credit card reader that compromises the security of cards swiped through it. In the words of Bergeron:

In less than an hour, any reasonably skilled programmer can write an application that will “skim” – or steal – a consumer’s financial and personal information right off the card utilizing an easily obtained Square card reader. How do we know? We did it. Tested on sample Square card readers with our own personal credit cards, we wrote an application in less than an hour that did exactly this.

To back their claim, VeriFone have created a video showing exactly how they believe Square’s reader can be used for skimming and will be sending their allegations to Visa, MasterCard, Discover, American Express, and JPMorgan Chase (Square’s processing bank).

What Is Skimming?

Skimming is the illegal copying of the account information stored in the magnetic stripe of a payment card. There are two different ways of doing it: swiping the card directly through a skimming device and placing a skimmer over the slot of an ATM machine. The copied information can then be used to create clones of the skimmed card.

Skimming is a problem. According to Bankrate.com, fraud losses from ATM skimming alone amount to close to $1 billion annually. The average yield from a skimming device placed at an ATM machine is $50,000, according to the American Bankers Association.

While not quite as scalable, the individual skimming of cards, the type Square is alleged to be vulnerable to, is equally damaging to cardholders. So, if real, VeriFone’s concern is legitimate and the vulnerability should be addressed. But the timing of these allegations is raising questions.

Why Is VeriFone Going After Square Now?

The battle for domination of the fledgling direct card acceptance sector of the mobile payments industry is heating up. Square has taken the early lead, with Intuit and VeriFone in hot pursuit.

Several weeks ago VeriFone introduced the PAYware Mobile card encryption sleeve for iPhone that enables users to accept cards. The company said that the information is encrypted right after the swipe making it difficult for criminals to skim it.

Just a couple of weeks later Square upped the ante, by dropping the per-transaction component of the fee it charges its users for each card transaction they accept. The start-up is now processing $1 million a day, according to a tweet posted by CEO Jack Dorsey and is currently signing up 100,000 new users per month.

And now, this allegation.

The Takeaway: Square’s Growth Unlikely to Suffer

It is unclear whether VeriFone’s revelations will have any effect on Square’s growth. After all, even if it is as real as advertised, the vulnerability will affect the cardholders, not Square’s users who will still be attracted by the start- up’s no-monthly-fee pricing. Moreover, cardholders are fully protected from fraudulent transactions, so they have nothing to lose.

The fraud-related liabilities are born by Square and JPMorgan Chase. The latter can terminate the start- up’s processing agreement, if it deems the associated risks too high. Yet, the more likely scenario is that Square will bolster the security of its service and keep on growing.

Learn how to lower your card acceptance cost

Learn how to accept credit and debit cards at the lowest processing costs. The Payment Card Acceptance kit contains a video and an e-book:

• Video – Card Acceptance Best Practices for Lowest Processing Costs (18 min).
• E-Book – Payment Card Acceptance Guide (19 pages).

Credit and debit card fraud in the U.K. fell in 2010 for a second year in a row to its lowest level in a decade, according to a new report released earlier this week by the U.K. Cards Association, a trade association for the cards industry.

U.K. Credit Card Fraud Down 17%

The losses from fraudulent credit and debit card transactions in 2010 totaled £365.4 million ($591.7 million), according to the report, down 17 percent from 2009 and 40 percent lower than the all-time high level recorded in 2008 – £610 million ($987.8 million).

The gains were not evenly spread, with some transaction types faring better than others:

• Online banking fraud losses decreased by 22 percent on a year-over-year basis to £46.7 million ($75.6 million), despite a 21 percent increase in phishing attacks for the period.
• Phone banking fraud losses rose by 5 percent in 2010, reaching £12.7 million ($20.6 million). These losses are mostly due to customers disclosing their account information to fraudsters pretending to be calling from their bank.
• Retail face-to-face fraud losses dropped by 6 percent to £67.4 million in 2010 ($109.1).
• Cash machine fraud losses fell by 9 percent to £33.2 million ($53.8 million) for the year.
• Check fraud losses fell by 3 percent to £28.9 million ($46.8 million) during 2010.

Lower Fraud Level Due to Higher Fraud Awareness

The U.K. Cards Association’s report credits the fall in fraud levels to the higher awareness among retailers and consumers on how to prevent fraud. The following factors were the biggest contributors to the downward fraud trend:

• Better protection from retailers of their chip and PIN credit card equipment. In Europe chip and PIN credit cards are much more prevalent that the type used in the U.S., which require a signature to complete a transaction.
• Increased consumer participation in Verified by Visa and MasterCard SecureCode. These authentication services managed by the two credit card associations verify the identity of the customer through a password created by the cardholder when she signed up for the service.
• Improved sharing of fraud data.
• Increased use of fraud detection services by banks and businesses.

Consumers are also contributing to the drop in card fraud and Paul Barnard, Head of the Dedicated Cheque and Plastic Crime Unit, encourages them to do more:

“By taking simple steps, such as: shielding our PIN with our free hand whenever we enter it, particularly at cash machines; being wary of unsolicited emails or calls; and making sure that our computers have regularly updated anti-virus software in place, we can make life harder for the criminals.”

The Takeaway: Technology Helps

The report clearly shows that the increased use of fraud prevention tools has led to a substantial drop in the overall fraud rate. The only two areas that did register a higher fraud rate – phone banking and mail non-receipt – were the ones least reliant on technology, where criminals could either trick their victims into divulging their account information or simply steal it from their mail boxes. Whatever the cause, however, consumers are fully protected against fraud and the losses are borne by the card issuers.

Learn how to lower your card acceptance cost

Learn how to accept credit and debit cards at the lowest processing costs. The Payment Card Acceptance kit contains a video and an e-book:

• Video – Card Acceptance Best Practices for Lowest Processing Costs (18 min).
• E-Book – Payment Card Acceptance Guide (19 pages).