Monday, August 23rd, 2010

How Scammers Stole $10M from the Credit Cards of 1.3M Americans

Tags: credit card fraud, credit card information, data security, stolen data

The Federal Trade Commission has filed charges in relation to the $10 million credit card scam we first learned about a month and a half ago, the New York Times reports. The NYT article tells us that the charges against the bogus companies set up to facilitate the fraudulent transactions were filed back in March, three months before the FTC announced the scam in a press release.


It was a very elaborate scheme, involving more than 16 dummy corporations the scammers had set up in various Eastern European and Central Asian countries, including Lithuania, Estonia, Latvia, Bulgaria, Cyprus and Kyrgyzstan. The criminals then opened up more than 100 merchant accounts in the U.S. to process the payments. In order to do so, however, they had to convince the processing banks that their business was legitimate. Here is how they did that, according to the NYT:

…false storefronts were set up on the Web, pretending to sell electronics or office supplies, in case a bank investigated.


The perpetrators also rented a street address from a company that provided that service and had their mail forwarded to another company that scanned and forwarded it a second time as e-mail, the suit says.


Once the merchant accounts were operational, the criminals started to charge small amounts to credit and debit card accounts whose information they had stolen. Most of the charges were for $9, although the amounts could be as low as $0.20 and as high as $10, according to Steven M. Wernikoff from the FTC’s Midwest Region Office.


The criminals succeeded in stealing so much money mostly because the small individual charges either went unnoticed by many of the victims or were too small for them to bother disputing.


Yet, with so many fraudulent transactions, complaints were bound to pile up and eventually the FTC received more than 1,000 of them. Interestingly, there “were more complaints about the 20-cent charges because they looked really odd,” according to Wernikoff.


The FTC’s investigation lasted for nine months; however, the identities of the individuals who masterminded the scam are still unknown. No one is defending the companies in this lawsuit either. Less than $100,000 has been recovered so far from the U.S. assets of the false companies. The FTC hopes to recover some of the money transferred abroad, but it is unlikely to meet with much success there.


Apart from its sheer scale, the most striking thing about this scam is the discipline and patience with which it was executed. The criminals had a detailed understanding of how the credit card processing system operated, had identified its vulnerabilities and knew how to exploit them. It must have taken them months just to lay the groundwork of setting up U.S. corporations and opening e-commerce websites and merchant accounts for them. They must have known that eventually the whole thing would be found out, but that it would take months for that to happen. In the meantime they managed to steal money from 1.3 million people. This must be some kind of a record, but I’m also wondering if we have learned the full extent of the scam. Take a look at your January statement. Maybe you’ll see a $0.20 transaction from Link Services or Site Management.




Monday, August 2nd, 2010

MasterCard’s Site Data Protection (SDP) Program

Tags: data security, fraud prevention, MasterCard, PCI DSS

MasterCard’s Site Data Protection (SDP) Program is designed to ensure that payment processors, merchants and third-party service providers take adequate measures to protect against account data compromises. It is the responsibility of processing banks to ensure that their merchants implement the SDP program. Implementation is achieved through compliance with the Payment Card Industry Data Security Standard (PCI DSS).


Merchants and service providers must validate their compliance with PCI DSS by using the following tools:

  • On-site reviews. On-site reviews are an annual requirement for Level 1 merchants and for Level 1* and 2* Service Providers. Merchants can use an internal auditor or independent assessor recognized by MasterCard as acceptable. Service providers must use an acceptable third-party assessor. Both Visa and MasterCard have published lists with authorized third-party assessors.
  • The Payment Card Industry (PCI) Self-Assessment Questionnaire. The PCI Self-Assessment Questionnaire is available on PCI Security Standards Council’s website. To be compliant, each Level 2*, 3*, and 4* merchant, and each Level 3* service provider must generate acceptable ratings on an annual basis.
  • Network security scan. The network security scan evaluates the security measures in place at a website. To fulfill the network scanning requirement, all Level 1* to 3* merchants and all service providers must conduct scans on a quarterly basis using an authorized vendor.

    * Merchant level definitions for PCI certification:

    Merchant Level    Definition
    Level 1           Level 1 are merchants processing over 6 million Visa or MasterCard transactions per year.
    Level 2           Level 2 are merchants processing from 150,000 to 6 million Visa or MasterCard transactions per year.
    Level 3           Level 2 are merchants processing from 150,000 to 6 million Visa or MasterCard transactions per year.
    Level 4           Level 4 are all merchants not included in Levels 1, 2 or 3.


As part of the SDP Program, processing banks send quarterly reports for each Level 1, Level 2, and Level 3 merchant to MasterCard, which include the following information:

  • The name and primary address of the merchant.
  • The name and phone number of the primary contact for the merchant.
  • The merchant’s identification number with the processor.
  • The name of each service provider that stores card account data on the merchant’s behalf.
  • The number of transactions that the processing bank processed for the merchant during the previous 12-month period.
  • The merchant’s level under the implementation schedule.
  • The names of any assessor, auditor, or vendor engaged to conduct an on-site review or network security scan, and the expected completion dates of any reviews or security scans.
  • The date on which the merchant most recently completed the PCI Self-Assessment Questionnaire.
  • The date on which the processor most recently registered the merchant as SDP compliant.


Processors are required to communicate all SDP Program requirements to each Level 1, Level 2, and Level 3 merchant.


Beginning July 1, 2012, a new Payment Application Data Security Standard (PA DSS) Program will take effect to specifically address common vulnerabilities that have been identified as main causes in credit card data breaches. PA DSS updates the standards for vendors of third party payment applications and the Credit Card Associations will enforce compliance, so make sure your service providers have passed the tests.




Wednesday, May 19th, 2010

How to Protect E-Commerce Merchant Accounts from Intrusion

Tags: Address Verification Service (AVS), card security codes, data security, e-commerce best practices, e-commerce merchant accounts, fraud prevention, PCI DSS, transaction authorization

There are several weak links in an e-commerce merchant account that are typically targeted by criminals looking to steal card account information. Understanding what these weak spots are and implementing a set of best practices to protect them will significantly improve your account’s protective mechanisms and keep sensitive data safe.


Among the favorite targets for cyber criminals looking for credit card data are an e-commerce website’s shopping cart and the payment gateway that connects it to the merchant’s processing bank’s system. Criminals usually attack web-based merchants that use weak or generic passwords. Once they gain access to the merchant account, they start processing fraudulent debit and credit transactions. The fraudulent sales are usually equal or similar in total amount to the deposited credits, so that they offset each other. This is done in an effort to avoid detection by deposit-volume monitoring.


To keep your e-commerce merchant account safe, apply the following best practices:

  • Conduct daily monitoring of authorizations and transactions. In particular, you should check daily for the following:
    • Authorization-only transactions. An unusually high number of authorization-only transactions could indicate that your website is being tested for vulnerability.
    • An unusually high number, average size, or volume of credit transactions. This could be an indication of a fraud.
    • Identical or similar transaction amounts.
    • Transactions that do not include customer identification information.
    • Multiple transactions from the same Internet Protocol (IP) address.
    • Transactions with similar account numbers. Such credit card accounts may have been generated by software for generating fraudulent account numbers (e.g. CreditMaster).
    • Multiple transactions made using a single account within a short period of time. This is a typical sign of fraud where a criminal is attempting to run up as many charges as possible within the limited time he or she has before the stolen account is blocked.
  • Monitor your daily batches. In particular:
    • Know what time your transactions settle. Make sure to review your transactions before settlement occurs.
    • If you use the Address Verification Service (AVS) or Card Security Codes (CVV2, CVC 2 and CID), look for transactions submitted without an AVS or Card Security Code response in the authorization record. You should always use AVS and security code validation before processing an e-commerce transaction. These tools were created specifically to fight e-commerce fraud and have proved quite successful.
  • Create a strong password for your payment gateway and change it regularly. For best results you should:
    • Use a combination of letters and numbers with a minimum of six characters.
    • Make sure that the log-in ID and password are different.
  • Maintain compliance with the requirements of the Payment Card Industry (PCI) Data Security Standard (DSS). PCI DSS is specifically designed to help merchants with their data security management, policies, procedures, network architecture, software design and other protective measures. There are 12 mandatory requirements built around several core principles: building and maintaining a secure network, protecting cardholder data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing networks and maintaining an information security policy.
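The daily monitoring checks listed above, turned into screening logic over a day's authorization records. This is an added example, not code from the original post; the record layout, field names and thresholds (auth_ratio, repeat_min, window_minutes, the 80% credit-to-sales ratio) are assumptions, and SAMPLE_TXNS is constructed data.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample authorization records for one day (not real data).
# Fields: type (auth_only / sale / credit), amount in dollars, masked account
# number, source IP, timestamp, and the AVS / card security code responses
# carried in the authorization record (None = no response returned).
SAMPLE_TXNS = [
    {"type": "sale", "amount": 49.99, "account": "4111****1111", "ip": "203.0.113.5", "ts": "2010-05-19T10:02:00", "avs": "Y", "csc": "M"},
    {"type": "auth_only", "amount": 1.00, "account": "4111****2222", "ip": "198.51.100.7", "ts": "2010-05-19T10:05:00", "avs": None, "csc": None},
    {"type": "auth_only", "amount": 1.00, "account": "4111****2223", "ip": "198.51.100.7", "ts": "2010-05-19T10:05:30", "avs": None, "csc": None},
    {"type": "auth_only", "amount": 1.00, "account": "4111****2224", "ip": "198.51.100.7", "ts": "2010-05-19T10:06:00", "avs": None, "csc": None},
    {"type": "sale", "amount": 9.00, "account": "4111****3333", "ip": "192.0.2.9", "ts": "2010-05-19T11:00:00", "avs": "Y", "csc": "M"},
    {"type": "sale", "amount": 9.00, "account": "4111****3333", "ip": "192.0.2.9", "ts": "2010-05-19T11:03:00", "avs": "Y", "csc": "M"},
    {"type": "sale", "amount": 9.00, "account": "4111****3333", "ip": "192.0.2.9", "ts": "2010-05-19T11:06:00", "avs": "Y", "csc": "M"},
    {"type": "credit", "amount": 75.00, "account": "4111****4444", "ip": "192.0.2.9", "ts": "2010-05-19T12:00:00", "avs": "Y", "csc": "M"},
]

def screen_day(txns, auth_ratio=0.3, repeat_min=3, window_minutes=10):
    """Return (rule, detail) flags for one day's records; thresholds are assumed values."""
    flags = []
    # 1. Unusual share of authorization-only requests: the site may be being probed.
    auth_only = [t for t in txns if t["type"] == "auth_only"]
    if txns and len(auth_only) / len(txns) > auth_ratio:
        flags.append(("auth_only_share", f"{len(auth_only)} of {len(txns)} are authorization-only"))
    # 2. Credit volume close to sales volume: the offset pattern used to dodge deposit monitoring.
    sales = sum(t["amount"] for t in txns if t["type"] == "sale")
    credits = sum(t["amount"] for t in txns if t["type"] == "credit")
    if credits and credits >= 0.8 * sales:
        flags.append(("credits_offset_sales", f"credits {credits:.2f} vs sales {sales:.2f}"))
    # 3. Authorizations submitted without an AVS or security code response.
    for t in txns:
        if t["avs"] is None or t["csc"] is None:
            flags.append(("no_avs_or_csc_response", f"{t['account']} at {t['ts']}"))
    # 4. Identical amounts, and 5. many transactions from one IP address.
    for field, rule in (("amount", "repeated_amount"), ("ip", "same_ip")):
        for value, n in Counter(t[field] for t in txns).items():
            if n >= repeat_min:
                flags.append((rule, f"{value} seen {n} times"))
    # 6. A burst of charges on a single account within a short window.
    by_account = defaultdict(list)
    for t in txns:
        by_account[t["account"]].append(datetime.fromisoformat(t["ts"]))
    window = timedelta(minutes=window_minutes)
    for account, times in by_account.items():
        times.sort()
        for i in range(len(times) - repeat_min + 1):
            if times[i + repeat_min - 1] - times[i] <= window:
                flags.append(("burst_on_one_account", f"{account}: {repeat_min} charges in {window_minutes} min"))
                break
    return flags
```

Run `screen_day(SAMPLE_TXNS)` and every rule fires on the constructed day; run it on a single clean sale and it returns an empty list. Each flag is a review prompt for the person checking the batch before settlement, not an automatic decline.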

Wednesday, May 5th, 2010

How to Use Web Cookies with E-Commerce Websites

Tags: data security, e-commerce best practices, e-commerce websites, shopping carts, web cookies

What is a web cookie? A web cookie (also called a browser cookie, an HTTP cookie or just a cookie) is a short text string stored in a web browser. Cookies are simple pieces of data sent by a web server to a browser and then sent back unchanged by the browser every time it accesses the server. The stored information may be encrypted for data security and privacy purposes.


What are web cookies used for? Cookies were first used to help create shopping carts for e-commerce websites. Shopping carts enable customers to store items they are interested in purchasing and then continue browsing the website, adding or removing items from the cart, without losing what they have already selected; the cookie is what carries that information between pages.


The use of cookies has since expanded, and today setting them in a web browser is an effective tool to help e-commerce merchants recognize and acknowledge existing customers, so that no log-in is required every time a repeat customer makes a purchase.


Web cookies can be used for an array of purposes, including:

  • User authentication. Cookies can be used to remember a repeat customer’s log-in information, so that the log-in fields are filled in when the customer returns to the website.
  • Session management. Cookies can be used to store data about a user’s navigation patterns, including across multiple visits.
  • Tracking browsing habits. Tracking cookies enable merchants to store information about visitors’ browsing habits. Such data allow e-commerce merchants to produce usage statistics. Advertising companies use tracking across websites to produce user profiles, which are then used to determine what advertisements should be shown to the user.


All major browsers allow users to decide whether to accept cookies or not, and how long to store them for. However, rejecting cookies makes some e-commerce websites unusable.


The ability of web cookies to maintain specific information about website visitors and to automatically provide it whenever a visitor revisits a website helps e-commerce merchants to simplify the order process for returning customers by not requesting that they provide payment details that have already been provided during a previous visit. Cookies remain stored in the browser until deleted by the user.


Consider adopting the following procedures when using browser cookies with your e-commerce website:

  • Use permanent browser cookies to record and store non-sensitive cardholder information and preferences to enable repeat customers to order products and services without having to re-enter this information. Consumers appreciate not having to provide their payment details every time they visit a website, provided they are ensured that the process is secure.
  • Use browser cookies to maintain active user sessions. Once the session expires, however, your website should prompt the user to log in again, regardless of the computer being used.
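The two procedures above, session cookies that force a fresh log-in once the session expires and a persistent cookie holding only non-sensitive preferences, as an added example that is not code from the original post. SERVER_KEY, SESSION_TTL, the in-memory session store and the function names are assumptions; the session cookie carries only a random id (the user is looked up server-side) and the preference cookie is HMAC-signed so that an altered value is rejected rather than trusted.

```python
import hashlib, hmac, json, secrets, time
from http.cookies import SimpleCookie

SERVER_KEY = secrets.token_bytes(32)  # assumed server-side secret; generated per run here
SESSION_TTL = 15 * 60                 # assumed policy: sessions expire after 15 minutes
_sessions = {}                        # server-side store: session id -> (user, expires_at)

def start_session(user, now=None):
    """Create a server-side session; return (Set-Cookie header, session id)."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)       # random id; nothing about the user is in the cookie
    _sessions[sid] = (user, now + SESSION_TTL)
    c = SimpleCookie()
    c["session"] = sid
    c["session"]["httponly"] = True       # page scripts cannot read it
    c["session"]["secure"] = True         # sent over HTTPS only
    c["session"]["samesite"] = "Lax"
    c["session"]["path"] = "/"
    return c["session"].OutputString(), sid

def user_for_session(sid, now=None):
    """Return the user for a live session, or None (prompt for log-in again)."""
    now = time.time() if now is None else now
    entry = _sessions.get(sid)
    if entry is None or now >= entry[1]:
        _sessions.pop(sid, None)          # expired: drop it so it cannot be reused
        return None
    return entry[0]

def make_pref_cookie(prefs):
    """Persistent cookie for non-sensitive preferences only (never card data), signed with HMAC."""
    body = json.dumps(prefs, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()
    value = body.hex() + "." + tag
    c = SimpleCookie()
    c["prefs"] = value
    c["prefs"]["max-age"] = 365 * 24 * 3600   # persists across visits
    c["prefs"]["secure"] = True
    c["prefs"]["samesite"] = "Lax"
    return c["prefs"].OutputString(), value

def read_pref_cookie(value):
    """Verify the HMAC and return the preferences, or None if the cookie was altered."""
    try:
        hexbody, tag = value.split(".", 1)
        body = bytes.fromhex(hexbody)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)
```

Payment details stay on the server (tokenized or stored under PCI DSS controls) and are looked up by the session user; the cookie only says who the returning customer is and how they like to shop.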

Friday, April 16th, 2010

Credit Card Skimming

Tags: ATM, credit card fraud, credit card skimming, data security, fraud prevention, stolen data

There have been a number of credit card skimming reports in the last couple of months, clearly indicating that there is a rise in this type of fraud. Let’s take a look at what skimming is, how it is done and what you can do to protect yourself.


What is skimming. Skimming is a fraudulent activity involving the illegal copying, or “skimming”, of the account information stored in the magnetic stripe of a credit or debit card. Unfortunately, it is far too easy for criminals to skim a card’s information. There are a couple of ways skimming is done:

  • Most often skimming is committed in a card-present environment, typically by employees of restaurants, bars or other merchant locations where customers present their cards to pay for a legitimate transaction and the swiping of the card is done out of the customer’s sight. The employee completes the legitimate transaction and then swipes the card through an electronic device (skimmer) that reads and stores the victim’s account information. The card is then returned to the unsuspecting customer.
  • The other major skimming scheme is perpetrated at ATMs. This type of fraud involves the installation of a skimming device over the ATM’s card slot, which reads the card information as the cardholder passes the card through it. Often a small camera is installed, in addition to the skimmer, to record the cardholder’s PIN.


The skimmed information is subsequently used to make copies of the card to be used in fraudulent transactions or the information itself may be sold to criminals.


How to prevent skimming. Unfortunately, it is difficult for cardholders to detect skimming, especially when it is done at a merchant location and out of sight. Merchants, however, can and must ensure the physical security of their terminals and monitor their employees’ activity. Specifically, merchants should be on guard against:

  • The use of all electronic devices that are not needed or normally used in your type of business. If you are not sure exactly what a particular device is used for, you should investigate.
  • Any offers to record customer card account information for whatever reason.


If you believe or suspect that skimming might be taking place at your business, you should immediately contact your payment processor and take the appropriate measures against the employee involved.


Card issuers, however, are perhaps best equipped to identify and put a stop to skimming activities. Cardholders first contact their credit card company when fraud is suspected, and issuers keep track of these complaints and look for fraud patterns. If a particular merchant is connected to multiple complaints, that merchant should be investigated. It is, after all, in the issuer’s best interest to prevent fraud from occurring, as it is liable for the fraudulent amount, while the cardholder is protected.