Inside the Black Hole

That is what a great Consumer Reports article tells us. The issue lies with the magnetic stripe still present on all credit cards on our side of the Atlantic. The mag-stripe technology has been around since the 1970s and its age is showing in rising rates of card skimming and counterfeiting.

The Issue with Mag-Stripe Technology

Consumer Reports points to a recent ACI Worldwide study, according to which close to a third of Americans have reported credit card fraud in the past five years, and identifies the magnetic stripe as being the culprit. The mag-stripe, we are reminded, is uniquely vulnerable to “skimming,” which causes all the problems.

Card skimming is a well-known problem and we have written about it on several occasions previously. It is the copying of the account information that is encoded on the magnetic stripe of a payment card. The skimmed information is then re-encoded on a counterfeit card and used by criminals in fraudulent transactions.

Skimming is relatively easy to do. As Consumer Reports points out:

American credit- and debit-card data are usually stored unencrypted on a magnetic stripe on the back of each card, which thieves can easily and cheaply copy.

The Alternative: EMV Cards

Unsurprisingly, having identified the issue with the magnetic stripe long ago, most developed and many developing countries have adopted a safer technology, called EMV (which stands for Europay, MasterCard and VISA; I don’t know why). EMV cards feature a chip where encrypted account data are stored and a unique identifier. The majority of EMV terminals also require cardholders to confirm their identity by entering a PIN, instead of signing a sales receipt, which is the procedure with mag-stripe readers.

According to Consumer Reports:

China has announced that it will no longer produce or accept such cards after 2015; American travelers are already finding that their cards aren’t accepted at some gas stations, parking facilities, subways, and merchants in Europe. The European Central Bank has recommended that banks stop issuing magstripe cards after 2012.

EMV adoption has reduced fraud substantially. Consumer Reports:

Total fraud losses dropped by 50 percent, and card counterfeiting fell by 78 percent in the first year after EMV smart cards were introduced in France in 1992. Other countries that have switched have also seen card fraud decline.

Why Is the U.S. Lagging Behind?

The U.S. has found itself alone among developed countries and in the company of “some nonindustrialized countries in Africa” in sticking to mag-stripe cards. Why haven’t we switched to EMV?

Well, it turns out that credit card companies are willing to tolerate mag-stripe related losses. In the words of John Buzzard, Client Relations Manager at FICO, a credit scoring company:

Losses are comfortably in the multimillion- dollar range each year but are incredibly hard to authenticate because of the discreet position that most financial institutions take when asked to assess a loss figure.

Switching to EMV would cost issuers about $3 billion, according to an estimate by the Mercator Advisory Group, and merchants would have to pay not much less to upgrade their point-of-sale (POS) equipment.

Still, many big retailers are pushing for EMV adoption, as they get to absorb much of the fraud losses, and some of them have already begun deploying more sophisticated POS terminals.

As I see it, it is now fairly obvious that EMV adoption in the U.S. is inevitable and the only question is how soon it will happen. Evidently the answer is that it will not be before the current status quo becomes unbearable to issuers. The problem is that the situation is quickly deteriorating, as the U.S. is becoming the easiest market to penetrate by fraudsters, and can get out of control in a fairly short order. I guess we’ll find out just how bad it can get.

Get a personalized credit card rate for each of your transactions!

Get the lowest possible credit card processing rate for each individual transaction! Our interchange-plus pricing model gives you:

• Processing rates calculated separately for each transaction to ensure that not a single one of them is overcharged.
• No more mid-qualified and non-qualified fees.
• No fixed monthly fees.

VeriFone, a big hardware provider for the payment card industry, has launched a head-on attack against Square, a start-up mobile payments company, over allegations that Square’s credit card readers are easily hacked, enabling criminals to steal account information stored in the card’s magnetic stripe.

The Allegation: Square “places consumers in dire risk”

In an open letter, posted on a specially set-up website, VeriFone’s CEO Douglas G. Bergeron alleges that there is a “serious security flaw” in Square’s credit card reader that compromises the security of cards swiped through it. In the words of Bergeron:

In less than an hour, any reasonably skilled programmer can write an application that will “skim” – or steal – a consumer’s financial and personal information right off the card utilizing an easily obtained Square card reader. How do we know? We did it. Tested on sample Square card readers with our own personal credit cards, we wrote an application in less than an hour that did exactly this.

To back their claim, VeriFone have created a video showing exactly how they believe Square’s reader can be used for skimming and will be sending their allegations to Visa, MasterCard, Discover, American Express, and JPMorgan Chase (Square’s processing bank).

What Is Skimming?

Skimming is the illegal copying of the account information stored in the magnetic stripe of a payment card. There are two different ways of doing it: swiping the card directly through a skimming device and placing a skimmer over the slot of an ATM machine. The copied information can then be used to create clones of the skimmed card.

Skimming is a problem. According to Bankrate.com, fraud losses from ATM skimming alone amount to close to $1 billion annually. The average yield from a skimming device placed at an ATM machine is $50,000, according to the American Bankers Association.

While not quite as scalable, the individual skimming of cards, the type Square is alleged to be vulnerable to, is equally damaging to cardholders. So, if real, VeriFone’s concern is legitimate and the vulnerability should be addressed. But the timing of these allegations is raising questions.

Why Is VeriFone Going After Square Now?

The battle for domination of the fledgling direct card acceptance sector of the mobile payments industry is heating up. Square has taken the early lead, with Intuit and VeriFone in hot pursuit.

Several weeks ago VeriFone introduced the PAYware Mobile card encryption sleeve for iPhone that enables users to accept cards. The company said that the information is encrypted right after the swipe making it difficult for criminals to skim it.

Just a couple of weeks later Square upped the ante, by dropping the per-transaction component of the fee it charges its users for each card transaction they accept. The start-up is now processing $1 million a day, according to a tweet posted by CEO Jack Dorsey and is currently signing up 100,000 new users per month.

And now, this allegation.

The Takeaway: Square’s Growth Unlikely to Suffer

It is unclear whether VeriFone’s revelations will have any effect on Square’s growth. After all, even if it is as real as advertised, the vulnerability will affect the cardholders, not Square’s users who will still be attracted by the start- up’s no-monthly-fee pricing. Moreover, cardholders are fully protected from fraudulent transactions, so they have nothing to lose.

The fraud-related liabilities are born by Square and JPMorgan Chase. The latter can terminate the start- up’s processing agreement, if it deems the associated risks too high. Yet, the more likely scenario is that Square will bolster the security of its service and keep on growing.

Learn how to lower your card acceptance cost

Learn how to accept credit and debit cards at the lowest processing costs. The Payment Card Acceptance kit contains a video and an e-book:

• Video – Card Acceptance Best Practices for Lowest Processing Costs (18 min).
• E-Book – Payment Card Acceptance Guide (19 pages).

Credit and debit card fraud in the U.K. fell in 2010 for a second year in a row to its lowest level in a decade, according to a new report released earlier this week by the U.K. Cards Association, a trade association for the cards industry.

U.K. Credit Card Fraud Down 17%

The losses from fraudulent credit and debit card transactions in 2010 totaled £365.4 million ($591.7 million), according to the report, down 17 percent from 2009 and 40 percent lower than the all-time high level recorded in 2008 – £610 million ($987.8 million).

The gains were not evenly spread, with some transaction types faring better than others:

• Online banking fraud losses decreased by 22 percent on a year-over-year basis to £46.7 million ($75.6 million), despite a 21 percent increase in phishing attacks for the period.
• Phone banking fraud losses rose by 5 percent in 2010, reaching £12.7 million ($20.6 million). These losses are mostly due to customers disclosing their account information to fraudsters pretending to be calling from their bank.
• Retail face-to-face fraud losses dropped by 6 percent to £67.4 million in 2010 ($109.1).
• Cash machine fraud losses fell by 9 percent to £33.2 million ($53.8 million) for the year.
• Check fraud losses fell by 3 percent to £28.9 million ($46.8 million) during 2010.

Lower Fraud Level Due to Higher Fraud Awareness

The U.K. Cards Association’s report credits the fall in fraud levels to the higher awareness among retailers and consumers on how to prevent fraud. The following factors were the biggest contributors to the downward fraud trend:

• Better protection from retailers of their chip and PIN credit card equipment. In Europe chip and PIN credit cards are much more prevalent that the type used in the U.S., which require a signature to complete a transaction.
• Increased consumer participation in Verified by Visa and MasterCard SecureCode. These authentication services managed by the two credit card associations verify the identity of the customer through a password created by the cardholder when she signed up for the service.
• Improved sharing of fraud data.
• Increased use of fraud detection services by banks and businesses.

Consumers are also contributing to the drop in card fraud and Paul Barnard, Head of the Dedicated Cheque and Plastic Crime Unit, encourages them to do more:

“By taking simple steps, such as: shielding our PIN with our free hand whenever we enter it, particularly at cash machines; being wary of unsolicited emails or calls; and making sure that our computers have regularly updated anti-virus software in place, we can make life harder for the criminals.”

The Takeaway: Technology Helps

The report clearly shows that the increased use of fraud prevention tools has led to a substantial drop in the overall fraud rate. The only two areas that did register a higher fraud rate – phone banking and mail non-receipt – were the ones least reliant on technology, where criminals could either trick their victims into divulging their account information or simply steal it from their mail boxes. Whatever the cause, however, consumers are fully protected against fraud and the losses are borne by the card issuers.

Learn how to lower your card acceptance cost

Learn how to accept credit and debit cards at the lowest processing costs. The Payment Card Acceptance kit contains a video and an e-book:

• Video – Card Acceptance Best Practices for Lowest Processing Costs (18 min).
• E-Book – Payment Card Acceptance Guide (19 pages).

Credit card fraud is much easier to identify when payments are accepted face-to-face than it is in internet-based transactions. However, store-front merchants can only realize their advantage if they can identify suspicious transaction characteristics and know how to handle such situations.

Card-present fraud reasons. There are two main reasons for a merchant to suspect fraud in a card-present setting:

• The card is altered or counterfeit. Altered are cards on which the name, expiration date, account number, and / or the magnetic stripe have been changed in some way. Counterfeit are invalid cards that are fraudulently manufactured and bear a valid account number.
• The customer is not the authorized cardholder. The customer’s signature on the sales receipt must match the one on the back of the card. Otherwise, your customer is probably not the authorized user. You should ask for a driver’s license or another government-issued ID to verify your customer’s identity.

Code 10 call. If either the card or the customer makes you suspicious at any time during a transaction, you need to contact your authorization center and make a Code 10 call. Code 10 is an authorization request that alerts the card issuer to the suspicious activity – without alerting your customer. During the call you will be transferred to the card issuer’s special operator who will provide instructions on any necessary action.

When making a Code 10 transaction authorization request it is important that you remain calm, so that your customer does not get suspicious, and follow these simple steps:

• Keep the card in your possession.
• State to the representative who picks up the call “I have a Code 10 authorization request.”
• Answer the operator’s questions with a simple “yes” and “no.”
• Follow the card issuer representative’s instructions.
• If the operator asks you to retain the card, you should only do it if is safe to do so. If it is necessary to call the police, the operator will do it for you.

Unsigned cards. Industry regulations require that all cards are signed, before they can be accepted for payment. If you are presented with an unsigned card, you should do the following:

• Obtain transaction authorization the way you normally would.
• Ask your customer to provide an ID and confirm his or her identification.
• Ask that your customer signs the back of the card. If he or she refuses, do not complete the transaction.

Some consumers are lead to believe that writing “Ask for Photo ID” or something to that effect in the signature panel, instead of actually signing the card, reduces the risk of fraud. However, as far as your processing bank is concerned, or the card issuer for that matter, the card is unsigned and you should follow the procedures listed above.

Accept card payments quickly and safely

Accept credit and debit card payments at the lowest processing costs. You will get:

• Free merchant account set-up.
• No fixed monthly fees.
• 24 / 7 customer support.

Having reviewed the typical characteristics of e-commerce credit card fraud and offered a strategy on dealing with suspicious online transactions, we can now turn to the altogether easier task of doing the same for face-to-face payments.

There is a caveat, of course. Identifying and preventing card-present fraud is only easier if you develop a sound fraud prevention strategy, train your staff on implementing it consistently and then monitor the results and make adjustments as necessary, which means constantly.

But first things first. Let’s take a look at the typical features that are present in an average fraudulent face-to-face transaction. Once again, as with e-commerce payments, you will need to account for the fact that each of these transaction characteristics can have a perfectly legitimate explanation. Identifying a suspicious transaction feature should serve as a cause for a more in-depth review of its validity, not for an outright decline of the payment. The presence of multiple suspicious characteristics in a single credit card transaction, on the other hand, should be seen as a strong indication of fraud and your organization should have a clear policy on following up in such situations.

With that in mind, here are 5 features that are typically present in such transactions:

1. Buying large amounts of merchandise without much attention to details. This is a very strong indicator of fraud! If your customer is making large purchases, without much care for the item’s size, color, or even price, he or she is likely to be interested much more in its resale value than its utility.
2. Trying to rush the cashier into a faster processing of the payment. While your customer may really be in a hurry, as we all often are, bullying the cashier into quickly completing a transaction is not something we see all that often. By doing so, your customer may be hoping to force the cashier into circumvent standard fraud prevention procedures. You would not want to delay a legitimate customer any longer than necessary, however you should never forgo established card acceptance procedures, as this is exactly what a criminal’s goal would be. Explain to your customer that you appreciate the fact that they are short on time, but you are responsible for ensuring that all payments are legitimate and cardholders’ interests are protected.
3. Making multiple purchases within a short period of time. This is another strong indicator of fraud! If a customer completes a purchase, leaves your store and then comes right back in, he or she may be doing it because they believe that making multiple fraudulent transactions for smaller amounts is less suspicious than making a single large-amount purchase.
4. Shopping either right after the store opens or before it closes. This one is tricky and you should not read too much into it, unless it is accompanied by other suspicious features. While any one of us may be shopping early in the morning or late in the evening, because our work schedule would not allow us to do otherwise, a criminal could do it in the hope that the merchant will not be as attentive then as during other stretches of the day.
5. Disregarding a free delivery option (where applicable). Some large-ticket items, like furniture, electronics, etc., require delivery and there is often a free option on offer. If your customer completely ignores a free delivery option in favor of one that offers a quicker, but paid, delivery, this could be a warning sign.

So this is my short list of suspicious card-present transaction characteristics. We’ll take a look at what you could do to mitigate the fraud risk such transactions represent in one of my next posts. Before that, if there is anything you believe should be added to my list, share it in the comments below and I will consider it.

Learn how to lower your card acceptance cost

Learn how to accept credit and debit cards at the lowest processing costs. The Payment Card Acceptance kit contains a video and an e-book:

• Video – Card Acceptance Best Practices for Lowest Processing Costs (18 min).
• E-Book – Payment Card Acceptance Guide (19 pages).