HISTORICALLY...

Back in the day, credit card fraud was heavily focused on retail, card-present transactions.  The bad guys could buy a list of stolen card data and use it to rewrite the magnetic stripe on the back of old cards.  When such a card was swiped, the merchant had no way to tell that the swiped data was itself "swiped" (stolen), and processed the charge.

EMV TO THE RETAIL RESCUE

Now the chip cards, called EMV (chip-and-signature in the U.S.), make that attack impractical: the chip authenticates each transaction with a one-time cryptogram that cannot be reproduced from copied stripe data, so a counterfeit made from a stolen list no longer works at a chip-enabled terminal.  That has greatly reduced this lucrative method of stealing money from merchants.  According to Visa: "Merchants who accept chip cards witnessed a 76 percent dip in card present counterfeit payment fraud since the U.S. payments industry began the shift to EMV chip in 2011."    
https://usa.visa.com/visa-everywhere/blog/bdp/2019/05/28/chip-technology-helps-1559068467332.html

SHIFT TO e-COMMERCE

Fraud is a constant and growing threat to merchants who accept cards, and now especially in e-commerce, which does not enjoy the protection of chip cards.  Much e-commerce fraud is brute force: automated "card testing" that repeatedly submits stolen card data for authorization until some of it is accepted.  Earlier this year one Curbstone merchant was protected against a brute-force attack that produced over half a million automated authorization attempts.

Here at Curbstone, we've compiled some hints on where to start in minimizing e-Commerce fraud and the consequent risk to the business.  These tips are useful not only to our clients but to any merchant.  Following are some measures that can minimize fraudulent e-commerce transactions.

CHARGEBACKS

Chargebacks, even when many of them are legitimate, are one area where merchants can incur heavy losses.  They occur when a cardholder disputes a charge because an item was not received, was significantly not as described, or the cardholder says they never authorized the transaction.

Astute merchants take steps to minimize legitimate chargebacks by making it very easy for customers to contact them, rather than filing a dispute, and by making it very easy to return unwanted products.  Other steps include giving realistic delivery dates, using delivery services that offer proof of delivery and insurance, and many more.

Of course, some chargebacks are outright fraudulent, but the tips above should help reduce the number.  The bulk of e-Commerce fraud, however, occurs when criminals use stolen cards, or stolen card or customer account information, to make purchases online or by phone.

PCI SECURITY BEST PRACTICES

The first and most important way to minimize this fraud is to ensure the business is compliant with the PCI Data Security Standard (PCI DSS).  This ensures that security best practices are in use and that cardholder data is protected so it cannot easily be accessed and used fraudulently.

A security program as thoroughly researched and mature as PCI DSS would cost any one merchant tens of thousands of dollars to have a Qualified Security Assessor (QSA) develop for them.  The PCI Security Standards Council publishes the standard, and the Self-Assessment Questionnaires (SAQs) that walk a merchant through it, free of charge.

Go here  https://www.pcisecuritystandards.org/document_library and select "SAQs" in the FILTER BY: dropdown to download them.  

This document explains how to select the SAQ appropriate for your way of doing business:
https://www.pcisecuritystandards.org/documents/SAQ-InstrGuidelines-v3_2_1.pdf

Examples of common PCI DSS control failures include, but are not limited to (requirement numbers follow the PCI DSS v3.2.1 numbering used in the guide linked above):

  • Storage of sensitive authentication data (SAD), such as track data, after authorization
    (Requirement 3.2).  Many compromised entities were unaware that their systems were storing this
    data.
  • Inadequate access controls due to improperly installed point-of-sale (POS) systems, allowing
    malicious users in via paths intended for POS vendors (Requirements 7.1, 7.2, 8.2, and 8.3).
  • Default system settings and passwords not changed when the system was installed
    (Requirement 2.1).
  • Unnecessary and insecure services not removed or secured when the system was installed
    (Requirements 2.2.2 and 2.2.3).
  • Poorly coded web applications resulting in SQL injection and other vulnerabilities, which allow
    access to the database storing cardholder data directly from the website (Requirement 6.5).
  • Missing and outdated security patches (Requirement 6.2).
  • Lack of logging (Requirement 10).
  • Lack of monitoring (via log reviews, intrusion detection/prevention, quarterly vulnerability scans,
    and change-detection mechanisms) (Requirements 10.6, 11.2, 11.4 and 11.5).
  • Poor scoping decisions, for example excluding part of the network from PCI DSS scope due to
    inadequate network segmentation that was not verified to be effective (Requirement 11.3.4).
    This results in the cardholder data environment being unknowingly exposed to weaknesses in other
    parts of the network that have not been secured according to PCI DSS (for example, from
    unsecured wireless access points and vulnerabilities introduced via employee e-mail and web
    browsing) (Requirements 1.2, 1.3 and 1.4).
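The first failure in that list, track data and security codes lingering in logs after authorization, is usually found by looking for it.  The scanner below is an added example, not Curbstone code and not part of any PCI SSC tool: it searches text for Track 1 and Track 2 layouts, security-code form fields, and bare 13-19 digit runs that pass the Luhn check, and reports only masked values so the report itself does not become another copy of the data.  The log lines are constructed for the example; the card numbers in them are the published sandbox test numbers, not real cards.

```python
import re
from dataclasses import dataclass

# Layouts of the data PCI DSS 3.2 forbids keeping after authorization.
# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")
# Card security code passed as a form or query field (field names are an assumption).
CSC_RE = re.compile(r"\b(cvv2?|cvc2?|cid|csc)=\d{3,4}\b", re.IGNORECASE)
# Any 13-19 digit run not embedded in a longer number; confirmed with Luhn below.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


@dataclass(frozen=True)
class Finding:
    line: int
    kind: str     # "track1", "track2", "security_code" or "pan"
    detail: str   # masked PAN or the offending field name, never the full value


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check every card PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                     # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """First six and last four digits, the most PCI DSS 3.3 allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_text(text: str) -> list:
    """Return a Finding for every piece of SAD or unmasked PAN in the text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        covered = []   # character spans already reported as track data
        for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            for m in rx.finditer(line):
                findings.append(Finding(lineno, kind, mask(m.group(1))))
                covered.append(m.span())
        for m in CSC_RE.finditer(line):
            findings.append(Finding(lineno, "security_code", m.group(1).lower()))
        for m in PAN_RE.finditer(line):
            inside_track = any(a <= m.start() < b for a, b in covered)
            if not inside_track and luhn_ok(m.group(0)):
                findings.append(Finding(lineno, "pan", mask(m.group(0))))
    return findings


# Constructed sample log for this example; the PANs are the standard sandbox
# test numbers processors publish, not real cards.
SAMPLE_LOG = """\
2024-03-01 10:02:11 INFO  auth ok order=1001 amount=49.95 pan=411111******1111
2024-03-01 10:02:13 DEBUG raw track2=;4111111111111111=2512101123456?
2024-03-01 10:02:14 DEBUG raw track1=%B5555555555554444^DOE/JANE^2512101000000?
2024-03-01 10:02:16 DEBUG req body=pan=378282246310005&cvv2=123&exp=1225
2024-03-01 10:02:17 INFO  order=1002 invoice=1234567812345678
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f"line {f.line}: {f.kind} {f.detail}")
```

Run over a real log directory, the masked first line and the Luhn-failing invoice number produce no findings while the debug lines that captured raw track data and a request body do; those are exactly the lines that put a merchant in the "unaware that their systems were storing this data" category.  The Luhn check keeps order numbers and timestamps out of the report but does not make a 13-19 digit Luhn-valid invoice number impossible, so treat "pan" findings as leads to confirm, not proof.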

WHAT CURBSTONE DOES

At Curbstone, we help our clients become compliant and reduce the scope of their PCI DSS auditing and reporting obligations. 

ADDRESS VERIFICATION 

The second important tip is to use Address Verification Service (AVS) and card security code verification (the CVV2/CVC2 code printed on the card) when accepting online and phone payments.

AVS checks the billing street address and ZIP code supplied by the purchaser against what the card issuer has on file and returns a result code telling the merchant whether they match.  Curbstone and most systems can be set to reject transactions where there is a variance.  Since issuing banks do not always have accurate address information, AVS is subject to false failures, but it is still accurate enough to use religiously.  Note that only the numeric portion of the address is compared, not the text, so for a phone order "Twelve Fourth Street" should be entered by your operators as "12 4 street".

Some merchants have adopted the policy of only shipping to the AVS-validated address.

SECURITY CODES

PCI DSS does not allow the card security code to be stored after authorization, so a breach of a merchant's database should not yield it and a criminal working from a stolen card list normally does not have it; they need the physical card, or to have captured the code as the cardholder typed it (for example through a phishing page).  We highly recommend that a security code match be required for all purchases.
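The AVS and security-code policies above amount to a small decision table applied to the codes that come back with the authorization response, plus the "numeric portion only" rule for what operators type.  The following is an added example written for this page, not Curbstone's product or API.  It assumes the Visa-style AVS result codes (Y, A, Z, N, U, R, S, G) and CVV2 result codes (M, N, P, S, U) that most U.S. processors relay; the exact code set is an assumption to confirm against your processor's documentation.

```python
import re
from dataclasses import dataclass

# Visa-style result codes as commonly relayed by U.S. processors (assumption:
# verify the exact set with your processor).
AVS_FULL = {"Y"}                        # street number and ZIP both match
AVS_PARTIAL = {"A", "Z"}                # A: street only, Z: ZIP only
AVS_MISMATCH = {"N"}                    # neither matches
AVS_UNVERIFIED = {"U", "R", "S", "G"}   # unavailable, retry, unsupported, non-U.S. issuer
CSC_MATCH, CSC_MISMATCH = "M", "N"      # anything else (P, S, U): issuer did not check it

# Spelled-out numbers an order taker might hear on the phone; one through
# twelve is enough to illustrate the normalization described above.
_NUMBER_WORDS = ["one", "two", "three", "four", "five", "six",
                 "seven", "eight", "nine", "ten", "eleven", "twelve"]
_ORDINAL_WORDS = ["first", "second", "third", "fourth", "fifth", "sixth",
                  "seventh", "eighth", "ninth", "tenth", "eleventh", "twelfth"]
_WORD_TO_DIGIT = {w: str(i) for lst in (_NUMBER_WORDS, _ORDINAL_WORDS)
                  for i, w in enumerate(lst, 1)}


def avs_numeric_portion(street: str) -> str:
    """The part of a street address AVS actually compares: its digits, in order.

    Number words are converted ("Twelve Fourth Street" -> "12 4") and ordinal
    suffixes dropped ("4th" -> "4"); everything non-numeric is ignored.
    """
    words = [_WORD_TO_DIGIT.get(w.lower(), w) for w in street.split()]
    text = re.sub(r"(\d+)(st|nd|rd|th)\b", r"\1", " ".join(words), flags=re.IGNORECASE)
    return " ".join(re.findall(r"\d+", text))


@dataclass(frozen=True)
class Policy:
    reject_partial_avs: bool = False        # treat A/Z like N instead of reviewing
    ship_only_to_avs_address: bool = False  # the "ship only to the validated address" policy


def decide(avs_code: str, csc_code: str, ships_to_billing: bool,
           policy: Policy = Policy()) -> str:
    """Return "approve", "review" or "decline" for an authorized transaction.

    A "decline" here means void the authorization: AVS/CSC results arrive on
    the auth response, and the issuer usually approves regardless.
    """
    if csc_code == CSC_MISMATCH or avs_code in AVS_MISMATCH:
        return "decline"
    if csc_code != CSC_MATCH:               # code not verified: do not auto-approve
        return "review"
    if avs_code in AVS_PARTIAL:
        return "decline" if policy.reject_partial_avs else "review"
    if avs_code in AVS_UNVERIFIED or avs_code not in AVS_FULL:
        return "review"                     # unknown codes are never a match
    if policy.ship_only_to_avs_address and not ships_to_billing:
        return "review"
    return "approve"


if __name__ == "__main__":
    print(avs_numeric_portion("Twelve Fourth Street"))          # 12 4
    print(decide("Y", "M", ships_to_billing=True))                # approve
    print(decide("Y", "M", False, Policy(ship_only_to_avs_address=True)))  # review
    print(decide("A", "N", True))                                 # decline
```

Two design points worth keeping: a code mismatch wins over everything else, because the code is the one value a criminal working from a breached list should not have, and an unverified or unknown result (issuer did not check, non-U.S. issuer, a code your processor added) lands in review rather than approve, so a new code value can only make the system more cautious.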

Many credit card processing services offer an additional safeguard by checking that the location of the purchaser's IP address is consistent with the card billing address.  Where available this provides another level of security, although proxies and VPNs mean it is a signal to weigh rather than a rule to enforce on its own.


Other tips include limiting the number of declined transactions a customer session, or shopping cart, may accumulate before it is frozen, and keeping an eye out for unexpectedly large orders or orders from purchasers who do not fit the normal profile.

Check suspicious e-commerce transactions by phone, since fraudsters seldom include real phone numbers in their orders.  Some authorities recommend manually reviewing a percentage of transactions to increase the chances of detecting fraud.
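Freezing a cart after a run of declines is also the cheapest defense against the half-million-attempt brute-force run described earlier, because a tester who is refused locally never reaches the processor.  The guard below is an added example written for this page, not Curbstone's implementation: it counts declines per session and per client address in a sliding window, freezes a key that hits its limit, and refuses further attempts on a frozen key before any authorization is sent.  The limits, the event stream and the addresses are constructed for the example; a real deployment would add a third key on a hash of the card number and tune the thresholds to its own decline rate.

```python
from collections import defaultdict, deque


class DeclineVelocityGuard:
    """Freeze a key (session, IP, ...) after too many declines in a window.

    limits maps a dimension name to (max_declines, window_seconds).  A key that
    reaches its limit is frozen for freeze_seconds; attempts on a frozen key are
    refused here, before anything goes to the processor.
    """

    def __init__(self, limits: dict, freeze_seconds: int):
        self.limits = limits
        self.freeze_seconds = freeze_seconds
        self._declines = defaultdict(deque)   # (dimension, value) -> decline timestamps
        self._frozen_until = {}               # (dimension, value) -> unix time

    def _prune(self, key, now):
        """Drop declines older than the window; return (deque, limit)."""
        max_n, window = self.limits[key[0]]
        dq = self._declines[key]
        while dq and dq[0] <= now - window:
            dq.popleft()
        return dq, max_n

    def allow(self, now: float, **dims) -> tuple:
        """(True, "") if every dimension is clear, else (False, blocking dimension)."""
        for dim, value in dims.items():
            key = (dim, value)
            if self._frozen_until.get(key, 0) > now:
                return False, dim
            dq, max_n = self._prune(key, now)
            if len(dq) >= max_n:
                return False, dim
        return True, ""

    def record_decline(self, now: float, **dims) -> list:
        """Log a processor decline; return the dimensions that just became frozen."""
        frozen = []
        for dim, value in dims.items():
            key = (dim, value)
            dq, max_n = self._prune(key, now)
            dq.append(now)
            if len(dq) >= max_n:
                self._frozen_until[key] = now + self.freeze_seconds
                frozen.append(dim)
        return frozen


def simulate(guard: DeclineVelocityGuard, events) -> list:
    """Run attempts through the guard.  Each event is
    (unix_time, session_id, client_ip, processor_outcome), the outcome being
    what the processor would answer if the attempt were actually sent."""
    actions = []
    for now, session, ip, outcome in events:
        ok, dim = guard.allow(now, session=session, ip=ip)
        if not ok:
            actions.append("blocked:" + dim)   # never reaches the processor
            continue
        if outcome == "declined":
            guard.record_decline(now, session=session, ip=ip)
        actions.append(outcome)
    return actions


# Constructed events: a card-testing run cycles a stolen list through one cart
# (s2), then through fresh carts from the same address (s3..s8), while a
# legitimate shopper (s1, s9) keeps buying.  Addresses are documentation ranges.
EVENTS = [
    (0, "s1", "203.0.113.7", "approved"),
    (10, "s2", "198.51.100.9", "declined"),
    (12, "s2", "198.51.100.9", "declined"),
    (14, "s2", "198.51.100.9", "declined"),
    (16, "s2", "198.51.100.9", "declined"),
    (20, "s3", "198.51.100.9", "declined"),
    (22, "s4", "198.51.100.9", "declined"),
    (24, "s5", "198.51.100.9", "declined"),
    (26, "s6", "198.51.100.9", "declined"),
    (28, "s7", "198.51.100.9", "declined"),
    (30, "s8", "198.51.100.9", "declined"),
    (40, "s9", "203.0.113.7", "approved"),
    (1000, "s2", "198.51.100.9", "approved"),
]

LIMITS = {"session": (3, 600), "ip": (8, 600)}   # example thresholds, tune to your traffic


def run_demo() -> list:
    return simulate(DeclineVelocityGuard(LIMITS, freeze_seconds=900), EVENTS)


if __name__ == "__main__":
    for event, action in zip(EVENTS, run_demo()):
        print(event[0], event[1], action)
```

In the run, the cart s2 is frozen at its third decline and its fourth attempt is blocked without an authorization; when the attacker switches to a new cart per attempt the per-address limit catches them instead, and the legitimate shopper on another address is never touched.  After the freeze and the window expire (the t=1000 event) the keys are clean again, so a real customer who mistyped a card number a few times is not locked out for good.  Blocked attempts are not counted as declines here; counting them as strikes on the remaining dimensions is a reasonable hardening.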

More to come!

Curbstone Corporation's secure technology processes about $2.4 billion per year for merchants on the IBM i (AS/400, iSeries) platform, covering phone orders, e-commerce, and retail.

###