Fraud in Electronic Payments Wp


  • 8/6/2019 Fraud in Electronic Payments Wp

    1/22

    Fraud in Electronic Payments

    1

    Fraud in Electronic Payments

    By David Guerin, Trintech Group Plc

    November 2003

    www.trintech.com


    Author: David Guerin

    Trintech Group Plc

    Contact: [email protected]



    Table of Contents

    Executive Summary ........................................................................................................5

    Sources of Fraud.............................................................................................................6

    Merchant Fraud............................................................................................................6

    Cardholder Fraud .........................................................................................................7

    Third Party / Cross-Border Fraud .................................................................................7

    Stolen Cards ............................................................................................................7

    Skimming.................................................................................................................8

    ATM Fraud...............................................................................................................8

    Counterfeit Cards.....................................................................................................9

    Card-Not-Present Fraud...............................................................................................9

    Increased Risk .........................................................................................................9

    Mail Order Telephone Order ....................................................................................9

    Internet ....................................................................................................................9

    Risk of Aggregation................................................................................................10

    Identity Theft ..............................................................................................................10

    Fraud Prevention Techniques .......................................................................................12

    Hologram ...................................................................................................................12

    Photo ID .....................................................................................................................12

    Special Characters .....................................................................................................12

    Expiration Date...........................................................................................................12

    Signature Panel..........................................................................................................12

    LUHN Verification.......................................................................................................13

    Ultra-Violet Printing ....................................................................................................13

    Magnetic Stripe ..........................................................................................................13

    Card Verification Numbers .........................................................................................13

    Hot Card Lists ............................................................................................................13

    Online PIN..................................................................................................................14

    Address Verification Service.......................................................................................14

    Chip Cards .................................................................................................................14

    Fraud Screening Tools ...............................................................................................15

    Internet Payment Security Methods...............................................................................17

    SSL / TLS...................................................................................................................17

    Electronic Commerce Indicator...................................................................................17


    Manual Procedures ....................................................................................................17

    One-Click Shopping ...................................................................................................19

    SET Secure Electronic Transaction ........................................................................19

    Verified By Visa..........................................................................................................19

    MasterCard SPA/UCAF and SecureCode ..................................................................20

    Maestro Payment over the Internet ............................................................................21

    Transaction Liability Rules..........................................................................................21

    Future Trends ...............................................................................................................22


    Executive Summary

    Consumer confidence and bank profits are persistently and pervasively undermined by electronic payment fraud. Over the years, fraud in card payments has increased in line with overall card volume growth, remaining at around 3% of transaction volume.

    Fraud tends to flow to the weakest point and, as soon as security is tightened up in one area, fraudsters are quick to move to the next point of least resistance. For example, the card organizations have developed mechanisms, such as Card Verification Value from Visa, that tackle card-present fraud. However, there has been a rise in the level of card-not-present fraud in consumer channels such as Mail Order Telephone Order (MOTO) and the Internet.

    Internet fraud in particular has caused many headaches for acquirers. Today, the rate of fraud for Internet purchases is up to 22 times that of card-present transactions. Such fraud levels have led acquirers servicing Internet-only merchants to seek high merchant service charge (MSC) levels or up-front payments as provision for risk. Some acquirers, meanwhile, have chosen to avoid the eCommerce business completely. This has further increased costs for many Internet merchants who are already hard pressed to maintain profitability when faced with the lost time and revenues associated with fraud.

    Whereas an acquirer can choose not to handle Internet transactions, an issuer has little control over where the cardholder uses his card. However, despite the relatively high percentage of fraud and disputes within the Internet channel, the current low volume of Internet transactions (on average 2% of transaction volumes) has allowed issuers to manage the cost and the overall impact to their profitability.

    Losses from cross-border fraud and counterfeit cards are on the increase worldwide, demonstrating that fraudsters have found ways around many of today's card-present security tools. For example, fraud from these sources is estimated to be costing UK banks up to £22 million a year. Existing physical security mechanisms used in magnetic stripe cards have been largely mastered by counterfeiters, often operating out of Far Eastern countries, allowing them to create or reproduce cards for use in both card-present and card-not-present situations. The rollout of EMV chip technology is now seen as a critical short-term step in addressing such fraud.

    Despite the real financial pain that many merchants are experiencing, the approach of many merchants to fraud detection is haphazard, manual and uncoordinated, with under-investment in fraud prevention causing a problem throughout the whole industry. Indeed, card organizations such as Visa have initiated programs to identify merchants with higher than normal fraud rates with a view to applying penalties where necessary.

    It is growing clear to all players in the payments industry that continued growth in fraud is a real threat to revenue growth and consumer confidence. The attitude is changing from seeing fraud as an annoying but inescapable cost, to seeing fraud as a real threat to profitability that must be tackled head-on.


    Sources of Fraud

    In this section, the main sources of card fraud are discussed: merchant fraud, cardholder fraud, third-party fraud, card-not-present fraud and identity theft.

    Merchant Fraud

    Merchant-originated fraud ranges from honest merchants with a dishonest member of staff, to a dishonest or fake merchant that is operating in collusion with fraudsters.

    In all merchant environments, employees have a great deal of access to sensitive cardholder information. In physical retail locations, employees have access to card numbers and expiration dates, as well as access to the magnetic stripe on the card. In many Internet and MOTO environments, merchants are asking cardholders to provide some private identity details, such as a home phone number or social security number, that can be used to authenticate the cardholder on subsequent purchases (see section on Identity Theft). While these merchants may have been diligent enough to protect their databases from outside attack via firewalls and encryption, they may not have invested in obscuring the sensitive cardholder information from their own staff.

    Bogus merchants may appear on the Internet or even in the physical world. A common scam is for a new merchant to conduct several transactions that appear genuine during the probation period after the merchant is acquired, but then to submit a number of high-value fraudulent transactions against non-participating cardholders. A merchant that portrays itself to be in a sector such as holiday bookings can establish a perfect cover for high-value sales. By the time the genuine cardholders have noticed the fraud on their statements, the bogus merchant will have absconded with the payments received from the acquirer.

    On the web, an Internet merchant site may not be what it appears to be, preying on the carelessness of Internet surfers who may have mistyped a URL or have simply tried to guess the URL of a well-known bricks & mortar store. In other instances, emails are sent to cardholders with a bogus website address that directs them to the fraudulent merchant. In such cases, the URL of the fraudulent store may differ only by a few characters from the genuine store, and the fraudsters may have completely recreated the look and feel of the genuine merchant's web store. Unless the consumer notices the difference in the URL, he will feel confident enough to fill in his payment and address information, which can then be used by the fraudster. By the time the consumer realizes that no goods have been delivered and attempts to contact the real merchant, his payment details will most likely have been used many times for fraudulent purchases.


    Cardholder Fraud

    This category refers to instances where the fraud is being generated by the named cardholder, rather than by someone pretending to be the cardholder. Typically, the cardholder takes advantage of the liability for fraud, which the merchant bears for MOTO transactions and for Internet transactions not secured by Verified by Visa or MasterCard SecureCode (see later). In this scenario, the named cardholder carries out the transaction using their payment card, receives the goods, and later contacts his bank to dispute that he carried out the transaction, or alternatively that he did carry out the transaction but did not receive the goods. Where the goods have been physically shipped to the cardholder's address, there have been cases where the cardholder asserts that a third party sharing or visiting his residence used his card without authorization. In this situation, the card payments dispute may actually succeed, leaving the merchant with the options of either writing off the fraud or suing the consumer through the courts.

    In card-present environments, dishonest cardholders may look for an opportunity to take the customer copy of the receipt and the signed merchant copy of the receipt. This leaves the cardholder free to dispute the transaction with their issuing bank, since the merchant will be unable to produce a signed receipt. In these circumstances, the merchant may consider pursuing the consumer through the courts for fraud if he has alternative evidence that the purchase took place and can identify the cardholder, perhaps through CCTV footage taken at the store.

    The card organizations have introduced risk management technologies that issuers can use to track a cardholder's transaction habits. Where an issuer observes that a cardholder is making a habit of raising disputes and suspects fraud, then the issuer may terminate the cardholder agreement. However, in countries where consumers move often from bank to bank to seek out lower interest rates or benefits, it can be hard to spot a fraudster who changes banks with intent to commit fraud.

    Third Party / Cross-Border Fraud

    The majority of overall card fraud is carried out by people who have obtained one or more cardholders' payment or personal details without approval, and use the payment details or a counterfeit card to make purchases. For example, in the UK, third-party fraud cost the industry £277 million, 50% of total fraud. There are a variety of ways in which fraudsters may obtain such payment details, and the patterns of fraudulent usage will differ in each case.

    Stolen Cards

    In the case of stolen cards, the fraudster will usually move quickly to make as many purchases as possible within the window of time until the card is reported as stolen and blocked by the issuing bank. In some cases the cardholder may not be aware for a period of time that his card is missing, providing more time for the fraudster to act. Authorization floor limits are amount thresholds used in dual-message environments below which purchases do not have to be authorized by the merchant, introduced to reduce the cost of merchant phone calls. In some European countries, knowledgeable fraudsters will specifically target stores with a transaction amount that is just below the merchant's authorization floor limit to maximize the usage of the card even when it is blocked by the card issuer.

    Eventually, such cards may be sold abroad for use in countries with poor telecommunications networks, where some merchants still rely on imprinting of cards onto vouchers with no online authorization mechanism.

    Skimming

    Skimming is the copying of the information from the magnetic stripe of a card in order to create a counterfeit copy of the card. This is particularly common at restaurants and hotels where the card is authorized out of sight of the cardholder. This allows an unscrupulous desk clerk or waiter to run the card through a small skimming device that extracts the information contained on the magnetic stripe.

    Once the electronic copy of the magnetic stripe is available, it can be easily written to the magnetic stripe of a counterfeit card and used for card-present transactions. The signature of the fraudster will obviously match the signature on the back of the counterfeit card, so the merchant will have little opportunity to detect the fraud. In some instances, known as white plastic fraud, the fraudster will just reproduce the magnetic stripe on a blank card and work in collusion with a merchant to authorize cash-back transactions.

    There is evidence that card-skimming fraudsters are highly organized and that the contents of magnetic stripes stolen in this way may on many occasions be sent abroad. Also, because counterfeit cards are reproduced without the knowledge of the cardholder, fraud can take place up until the cardholder receives their monthly statement with the fraudulent charges included.

    ATM Fraud

    Fraud at ATMs is very low compared to other types of fraud due to the mandatory use of four-digit PINs that are always verified online by the card issuer. The most common types of ATM fraud are skimming, theft of PIN, and robbery.

    In the case of skimming, fraudsters will typically insert a very slim device into the card slot in the ATM itself, which is capable of capturing the contents of the magnetic stripe as the card is inserted into the ATM by the cardholder. Where possible, the device will also have a micro camera included that records a video of the cardholder entering his PIN. This combination allows the fraudsters to create a counterfeit card and use it for ATM withdrawals until the cardholder detects the fraud, which could be several days or weeks if the cardholder does not regularly check his account.

    Where a fraudster does not have access to such high-tech equipment, he may resort to looking over the cardholder's shoulder to take note of the PIN. This is known to some as shoulder surfing. Once the thief knows the PIN, they attempt to steal the card from the cardholder to use for cash withdrawals.

    A common and unsophisticated method of ATM crime is robbing the cardholder by forcing them to make a cash withdrawal with their card.


    Counterfeit Cards

    Organized criminal gangs, often operating in Asia-Pacific, counterfeit cards in large numbers using card embossing equipment. Card numbers are generated at random, but the fraudsters will filter out those that fail the LUHN verification algorithm that is used by most issuers and POS terminals to verify that the card number on a card is genuine. The card numbers may be attributed to a real cardholder and may be used to make physical counterfeit cards, or may be used just for MOTO and Internet purchases that do not require the creation of a physical card.

    Card-Not-Present Fraud

    Increased Risk

    Card-not-present environments are the greatest risk areas for fraud generated either by consumers or merchants.

    Where neither party has physical contact with the other and they interact only through phone numbers or web sites, the risk that one of the parties is not what they appear to be increases many times over.

    Many of the types of fraud described previously, by merchants, cardholders or third parties, apply particularly in card-not-present environments because of the lack of contact between the parties to the transaction.

    Mail Order Telephone Order

    Mail Order has been a means of marketing chosen by a number of low-cost merchants who wish to avoid the high costs of maintaining physical outlets. In the US and the UK, where the Address Verification Service (see later) operates, such merchants may verify that the delivery address matches the billing address of the buyer and may refuse to ship to a different address. Also, in the UK and other countries, such merchants also use documents such as the Electoral Register and even the Telephone Directory to verify that the delivery address corresponds to the name of the buyer.

    Generally, the merchants who remain in this sector have reached a balance point where their cost of fraud is outweighed by their low operating costs, and the level of repeat business from regular customers is significant. Also, the fact that MOTO business tends to stay within national boundaries allows merchants to use local forms of consumer verification.

    Internet

    The growth of the Internet has provided a rich medium for fraudsters due to the anonymity it provides and its global reach across national boundaries. Its global nature means that it is very difficult for restrictions or laws enacted by any one country to be enforced if both of the parties to the transaction are not within its boundaries. Neither is it possible to use traditional or local methods to verify the bona fides of the other party to the transaction.


    Some industry analysis would point out that though freedom of information and lack of bureaucracy have been key factors in the adoption and success of the Internet, they are also key issues limiting the growth of Internet commerce. In particular, the risk of identity theft (see later) on the side of either the buyer or the seller is a substantial cause of concern to those transacting over the Internet.

    Risk of Aggregation

    Credit card companies are concerned about the emergence of third-party aggregators or payment brokers because they create further distance between the consumer and the merchant, and make fraud more difficult to trace. For example, aggregators may take credit card payments from consumers and in turn make payment to merchants via ACH transfers. The advantage to the merchant is that they do not need to accept credit cards directly, making it easy for very small, low-volume home or garage based vendors to sell their goods. A further twist is when the credit card payment becomes eMoney, i.e. funds are loaded via a credit or debit card which may subsequently be used for multiple purchases.

    Credit card companies fear that because the initial credit card loading of the funds can result in multiple subsequent purchases using the funds, it could lead to an avalanche of disputes relating to a single credit card transaction. And if funds in such a stored value account were loaded using multiple credit cards, then who would be responsible for handling a dispute raised with respect to any of the subsequent purchases?

    Stored value accounts also open up the possibility of cascading fraud. For example, in the case of one US payment aggregator, fraudsters used falsely obtained credit card numbers to register and load funds into pre-paid accounts. Once the accounts had been loaded (in a single transaction per account) then the fraudsters were free to make multiple purchases against participating merchants using the funds in the account, without any further worries about credit card authentication or blocking of the stolen card details.

    Identity Theft

    Cited by industry analysts as the single greatest impediment to the growth of eCommerce, the use of an assumed identity is the basis of most forms of fraud. The practice is particularly prevalent in the US, where detailed personal information is easy to obtain. In January 2003, the Federal Trade Commission (FTC) stated that identity theft had risen by 73% in 2002 in the US. Identity theft now represents 43% of all complaints made to the FTC. Insiders selling private information were top of the causes of identity theft, followed by Internet auctions. Victims are also receiving emails from fraudsters posing as administrators working at their ISP, asking them to reveal their account and password details to help resolve a problem with the account.

    Some common examples of this practice are:

    In November 2001, two customer services staff sold the personal details of thousands of credit card applicants to a third-party fraudster. This allowed the fraudster to apply for credit cards at other institutions in the name of the original applicants but with her own address, resulting in the purchase of $450,000 worth of goods on those accounts.


    In February 2003, an online career-listing firm warned its subscribers that some fake job postings were appearing on the site, inviting applicants to provide personal details.

    In March 2003, data thieves used millions of randomly generated Social Security numbers to obtain the records of 55,000 students at a major university in the United States. This follows the theft of 1,400 student records by hackers at another US university in January.

    Some issuing banks send pre-approved offers to creditworthy consumers in the hope that they get a higher response rate than from normal direct marketing campaigns, as the individuals only need to sign the form and return it to the bank. However, when fraudsters are in a position to intercept such direct marketing offers then they can simply accept and return the application to the bank, having altered the address because they have moved house. Finding such direct marketing is not difficult for fraudsters. In some instances, identity theft can take place by fraudsters finding offers thrown out in household waste, or by intercepting the consumer's mail. The result is that the fraudster will have a new credit card and PIN shipped to him at a temporary address, and will have at least a month to make purchases and ATM withdrawals up to his limit before absconding from the temporary address when his statement arrives.

    People with their identities stolen in this way will not just have financial problems to solve, but their credit ratings will be severely damaged, making it very difficult to take out any further types of credit or loans.

    There is also a growing trend amongst Internet and MOTO merchants to ask for and store some personal details when you make a purchase, to be used to authenticate you on subsequent purchases. For example, a merchant may ask for your home telephone number, or mother's maiden name, or address. It should be noted that if fraudsters were in a position to accumulate information about a particular consumer from a number of merchants then they could build up enough personal information to impersonate that consumer successfully to other merchants. While this situation is unlikely, it is obvious that authentication mechanisms which involve the consumer in parting with secret information to a third party are inherently flawed.


    Fraud Prevention Techniques

    The examples of fraud prevention techniques explained in this section are based on Visa methodologies. MasterCard, American Express, JCB, Diners and Discover also use similar features on their cards, though the positioning and specifications may vary from brand to brand.

    Hologram

    A hologram that is difficult to copy is embedded in the card plastic. Though fraudsters are capable of creating such holograms, the quality of the reproduction is often poor.

    Photo ID

    Some issuers have taken the step of also introducing miniature photographs of the cardholder on the card. The problem with card photographs is that the quality is often poor and the merchant rarely checks the photo against the person performing the transaction.

    Special Characters

    Visa and MasterCard have introduced embossed characters with a special font that indicates the brand or card product.

    Expiration Date

    In theory, the Expiration Date can limit the fraud potential of a stolen card, i.e. it places a time limit on the validity of the card. However, in the case of a stolen card, it would be expected that the issuer would block the card soon after the theft, making the Expiration Date unnecessary in most circumstances as a means of controlling fraud.

    Signature Panel

    The signature panel contains a faded background with a Visa logo that discolors if the signature is erased. The presence of the cardholder signature itself is a key method of identifying that the cardholder is genuine for a card-present transaction. Comparing the cardholder signature on the panel against that on the receipt is the most commonly used method of cardholder verification used by merchant staff, and is perhaps the only method used in many instances. For card-present transactions, the cardholder signature on the receipt is used in dispute processing as a means of verifying that the cardholder participated in the transaction.


    LUHN Verification

    Most credit cards use the LUHN algorithm, which ensures that individual digits in a PAN cannot be changed without being detected by electronic point-of-sale systems and bank authorization systems.

    Ultra-Violet Printing

    Some card organizations print characters on their cards that are only visible using ultra-violet light. Merchants may use ultra-violet light emitters to verify genuine cards, much as they verify the hidden characters on genuine paper currency.

    Magnetic Stripe

    The magnetic stripe on the back of the card contains magnetically encoded data that is read by electronic POS terminals and ATMs during the transaction. The magnetic stripe contains three tracks of data based on ISO standards, though not all of the information or tracks are used by all card brands. The format of the data is mandated by each brand in their Operating Regulations documents, just as the other physical characteristics of the card are specified in detail.

    Track 1 was originally intended for use by airlines, but many electronic POS devices use it to retrieve the cardholder name for printing on receipts and statements. Track 2 is the standard track used by banks for card details. Track 3 was originally intended as a read/write track to allow the storage of account security and balance information, but is rarely used now for this purpose.
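    The following is an added example, not code from the white paper or from Trintech, illustrating both the LUHN Verification section and the track layout described above: it parses Track 1 and Track 2 data as a POS terminal would and checks the PAN with the LUHN algorithm, including a demonstration that every single-digit change to the PAN is caught. The track layouts (start sentinels, separators, YYMM expiry, three-digit service code) and the meaning of the third service-code digit are assumed from the public ISO/IEC 7813 specification, which the paper only refers to as "ISO standards"; the PAN and name in the samples are constructed test values, not a real card.

```python
"""Magnetic-stripe track parsing with LUHN verification of the PAN.

Added example, not from the white paper. Layouts assumed from ISO/IEC 7813.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Track 1 (IATA layout): %B<PAN>^<SURNAME/FIRST>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})"
    r"(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)
# Track 2 (ABA layout): ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)


def luhn_valid(pan: str) -> bool:
    """LUHN (mod 10) check: True when the PAN's check digit is consistent."""
    if not pan.isdigit() or len(pan) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:      # every second digit from the right is doubled
            d *= 2
            if d > 9:       # 10..18 -> 1..9 (same as summing the two digits)
                d -= 9
        total += d
    return total % 10 == 0


def every_single_digit_change_detected(pan: str) -> bool:
    """Try all nine substitutions in every position; True if LUHN rejects each.

    This is the property the paper relies on: a single altered digit in a
    PAN cannot pass the check (the doubling map is a permutation mod 10).
    """
    for i, ch in enumerate(pan):
        for repl in "0123456789":
            if repl != ch and luhn_valid(pan[:i] + repl + pan[i + 1:]):
                return False
    return True


@dataclass
class TrackData:
    track: int
    pan: str
    expiry_yymm: str
    service_code: str
    luhn_ok: bool
    pin_required: bool
    name: Optional[str] = None   # only present on Track 1


def parse_track(raw: str) -> TrackData:
    """Parse raw Track 1 or Track 2 data as delivered by a stripe reader."""
    if raw.startswith("%"):
        m, track = TRACK1_RE.match(raw), 1
    elif raw.startswith(";"):
        m, track = TRACK2_RE.match(raw), 2
    else:
        raise ValueError("unknown start sentinel")
    if m is None:
        raise ValueError(f"track {track} data does not match the ISO 7813 layout")
    pan, svc = m.group("pan"), m.group("svc")
    # Assumed from ISO 7813: third service-code digit 0, 3 or 5 means the
    # issuer requires PIN verification (cf. the Online PIN section).
    return TrackData(
        track=track,
        pan=pan,
        expiry_yymm=m.group("exp"),
        service_code=svc,
        luhn_ok=luhn_valid(pan),
        pin_required=svc[2] in "035",
        name=m.group("name") if track == 1 else None,
    )


if __name__ == "__main__":
    # Constructed samples using the well-known Visa test PAN, not a real account.
    t1 = parse_track("%B4111111111111111^DOE/JANE^2512101?")
    t2 = parse_track(";4111111111111111=2512101?")
    print(t1)
    print(t2)
    print("all single-digit changes caught:",
          every_single_digit_change_detected(t2.pan))
```

    Note that LUHN only detects accidental or careless alteration; as the Counterfeit Cards section explains, a fraudster generating numbers can simply discard those that fail the check, so a LUHN pass says nothing about whether an account exists.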

    Card Verification Numbers

    There are normally two Card Verification Numbers (CVNs) on the card: one encoded on the magnetic stripe and one on the signature panel or front of the card. The CVN on the magnetic stripe provides added security where transactions are authorized at the point-of-sale, while the printed CVN is designed to protect MOTO transactions, where the CVN can be quoted to the merchant over the phone by the cardholder or keyed into a web page. Visa, MasterCard and American Express differ in terms of the naming and specification of the CVNs on their cards.

    Hot Card Lists

    Once the issuer is informed by the cardholder that their card is missing, the issuer will block the card within its authorization system, and may request either Visa or MasterCard to block the card on their switching or stand-in authorization systems.

    The card organizations also produce lists of cards that have been compromised and distribute these to acquirers for passing on to merchants. The Visa Card Recovery Bulletin (CRB) is an example of such a list. These lists are published on a geographic basis, i.e. the issuer and card organization will determine which regions are a high risk for a stolen card to be used in.


    In offline merchant environments, acquirers often choose to issue their merchants with electronic hot card files which are automatically downloaded into POS terminals each day when the end-of-day data capture or reconciliation process is triggered. This ensures that each transaction is automatically checked against the list of the most current and high-risk hot-listed cards before being sent for authorization, so that stolen cards may be rejected even if the transaction is below the floor limit.

    Online PIN

Online verification of a four-digit PIN is mandatory for all ATM transactions, and is used for debit transactions in many parts of the world. The PIN entered at the terminal is formed into a PIN block, encrypted under a key shared with the next node in the network and forwarded, being translated (decrypted and re-encrypted) inside a hardware security module at each switch, until it reaches the issuer for verification; the clear PIN is never transmitted. As mentioned previously, mandatory PIN verification at ATMs has been highly effective, leading to very low rates of fraud for ATM transactions. Online PIN for debit cards (such as Maestro and Visa Debit) is very effective in combating debit fraud in some markets, though it is not used in all markets for credit card purchases.
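To make the PIN block concrete, the following added example (written for this page, not code from the whitepaper or from Trintech) builds an ISO 9564-1 format 0 PIN block and shows the issuer-side recovery. It covers only the clear 8-byte block that the PIN pad forms and the issuer obtains after decryption; the DES or Triple-DES encryption under the zone PIN key that protects the block in transit is not performed here, since the Python standard library has no DES. The point the code demonstrates is why the PAN is XORed in: a captured block is bound to one card number and decodes to garbage for any other. The PAN and PIN values are constructed test data.

```python
"""ISO 9564-1 format 0 PIN block: construction at the PIN pad, recovery at the issuer.

Added example for this page, not code from the whitepaper or from Trintech. The
Triple-DES encryption of the block under the zone PIN key is not shown; this is the
plaintext on either side of that cipher.
"""


def _pin_field(pin: str) -> bytes:
    """0 | PIN length | PIN digits | F padding, as 16 hex digits."""
    if not (4 <= len(pin) <= 12 and pin.isdigit()):
        raise ValueError("PIN must be 4 to 12 decimal digits")
    return bytes.fromhex(("0%X%s" % (len(pin), pin)).ljust(16, "F"))


def _pan_field(pan: str) -> bytes:
    """0000 | rightmost 12 digits of the PAN excluding the check digit."""
    if not (pan.isdigit() and len(pan) >= 13):
        raise ValueError("PAN must be at least 13 digits")
    return bytes.fromhex("0000" + pan[:-1][-12:])


def format0_pin_block(pin: str, pan: str) -> bytes:
    """Clear PIN block = PIN field XOR PAN field. The XOR binds the block to the PAN,
    so an intercepted (encrypted) block cannot be replayed with another card number."""
    return bytes(a ^ b for a, b in zip(_pin_field(pin), _pan_field(pan)))


def recover_pin(block: bytes, pan: str) -> str:
    """Issuer side after decryption: undo the XOR and validate the field layout."""
    if len(block) != 8:
        raise ValueError("PIN block must be 8 bytes")
    clear = bytes(a ^ b for a, b in zip(block, _pan_field(pan))).hex().upper()
    if clear[0] != "0":
        raise ValueError("not a format 0 PIN block")
    n = int(clear[1], 16)
    pin, pad = clear[2:2 + n], clear[2 + n:]
    if not (4 <= n <= 12) or not pin.isdigit() or pad != "F" * len(pad):
        raise ValueError("PIN block does not decode cleanly for this PAN")
    return pin


def verify_pin(block: bytes, pan: str, reference_pin: str) -> bool:
    """True only if the block decodes under this PAN and matches the stored PIN.
    A block formed for a different PAN fails the layout check and is a mismatch."""
    try:
        return recover_pin(block, pan) == reference_pin
    except ValueError:
        return False


# Constructed test data: the standard test PAN, a second PAN, an arbitrary PIN.
TEST_PAN = "4111111111111111"
OTHER_PAN = "5500000000000004"
TEST_PIN = "1234"
```

For PIN 1234 on the test PAN the clear block is `041225EEEEEEEEEE`; presenting the same block with `OTHER_PAN` yields padding of `E` rather than `F`, so the issuer rejects it rather than returning a wrong PIN.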

    Address Verification Service

The Address Verification Service (AVS) is offered by card organizations in the US and UK for MOTO and Internet transactions. AVS checks address details supplied by the purchaser, in practice the postal code and the numeric part of the street address, against the billing address the issuer holds for the card. The service relies on the availability of postal codes within a country that have a strictly defined format and are fine-grained with respect to street addresses. In the US, such postal codes are known as ZIP codes. When making a purchase, the consumer is asked to provide his postal or ZIP code and this is included in the online authorization request by the merchant. The postal code is verified in real time by the card organization's switching system (or the issuer itself) against the postal code registered by the issuer for the cardholder, and the result is returned to the merchant with the authorization response. In some instances, the merchant may choose to ship the goods to an address other than the card's billing address if it has an established relationship with the customer; without such a relationship, a shipping address that differs from a verified billing address is itself a warning sign.

The AVS Service has been available in the US for many years and has more recently been introduced in the UK. It has been shown to be very effective in the US at combating fraud in MOTO and other card-not-present transactions, though it only checks where the cardholder lives, not who is placing the order, so a fraudster who has obtained the billing address along with the card details will pass it.

    Chip Cards

Chip technology represents the most effective medium-term solution to card fraud. Despite the compelling technological advantages of smart cards, the technology has been slow to take off, primarily because of the cost and complexity of chip implementation. In the US, where 90% of all transactions are authorized online, fraud is not the catalyst for smart card adoption. However in Europe, where telecommunications costs make online authorizations prohibitively expensive, chip has a viable business case. In Western Europe a mandated deadline of January 2005 has been set, by which time acquirers must support chip & PIN and after which the liability for fraud shifts to the issuer for chip and PIN transactions. Up to this point, PIN verification for ATM and POS transactions has involved the PIN-block information being encrypted via DES or Triple-DES and transmitted all of the way to the issuer, but chip cards allow the PIN to be verified offline against the chip itself. The mandate is that basic credit and debit must be supported with offline PIN, though issuers are free to introduce value-added features, such as purse or loyalty, if they choose to do so.

France was the first country to implement chip technology, in 1987. In its first year of operation, the Cartes Bancaires system reduced fraud by 50% despite a sizeable increase in card volume. One of the challenges facing the mandated migration to chip in Europe was the lack of international interoperability. When tourists use foreign non-chip cards in France, or French cards are used abroad in countries where the chip is not read, fraud levels rise to match those in other countries, because the transaction falls back to the magnetic stripe and loses the chip's protection. Fortunately, thanks to the efforts of the card organizations, all the major schemes, including Cartes Bancaires, have adopted the international EMV standard, ensuring global interoperability.

Some issuers and acquirers are still concerned about the cost of introducing chip cards into the market. Issuers will need to bear the cost of basic chip cards, or invest in higher-capacity chip cards if they plan to support multiple applications. Initially some subsidies may be available to them from the card organizations for such cards. But acquirers must shoulder the largest burden of cost, having to upgrade all of their networks of ATMs and merchant POS terminals to accept chip cards. Though acquirers and even card organizations are willing to make investments in their largest merchant chains and high-volume merchants, mid-to-low-end merchants may themselves have to pay the cost of upgrading their own equipment. Those merchants who fail to upgrade may experience increased fraud levels as fraudsters seek out the point of least resistance.

The most significant factor that will contribute to a critical mass of chip card adoption is the significant recent rise in card-present cross-border fraud due to counterfeit and skimmed cards. Cross-border fraud is estimated to be costing up to $16 million per annum in the UK alone, and is being experienced by a number of European countries. In Europe, the card organizations are promoting fraud reduction as the key business driver for chip introduction.

In the US, the 2005 mandate does not apply and the business case for chip introduction is weaker because of the lower levels of fraud experienced there. However, value-added and loyalty services and, to a lesser extent, stored-value purse may be seen as the business drivers. Currently, approximately 12 million Visa-branded chip cards have been issued in the US and POS acceptance of EMV is growing. Despite the weaker business case, regular upgrades to POS systems have ensured that EMV chip acceptance in the US is over 50%.

The introduction of chip cards is targeted at reducing the levels of fraud for card-present transactions, but it has the potential to be used for Internet purchases also, once technology and standards are in place. In particular, it is likely that offline PIN authentication will be adopted in time as part of the 3-D Secure standard, once chip cards are in the hands of the majority of cardholders.

    Fraud Screening Tools

Merchants have introduced screening tools to detect fraud, particularly in the MOTO and Internet space. Such tools help merchants to differentiate low-risk business, from repeat customers or for low-risk goods, from higher-risk transactions from new customers or overseas customers, or where particular circumstances of the transaction represent increased risk. Many customers who shop from common MOTO stores such as flower shops or theatre ticket bookings will notice that some merchants request the consumer to provide personal information such as a phone number or address, which they can use for comparison the next time the same payment card is presented for payment.

Acquirer fraud screening tools may detect cardholder fraud, but their primary goal is to protect the acquirer from fraudulent merchants who may disappear following receipt of payment from the acquirer. Such tools establish trends and patterns of transaction volumes, amounts and types for each merchant or category of merchant, and compare new transactions to those patterns.

Issuers have traditionally performed velocity checking on incoming authorization requests to identify transactions which are unusual with respect to the cardholder's spending patterns. Such verification routines have often been included within an issuer's core authorization host system. Examples of such checking are:

• First use of a newly issued card: some issuers issue a Referral response in such cases to ensure that the genuine cardholder did receive the physical card (unless the cardholder first activated the new card by phoning the bank);

• Maintenance of a rolling 3- or 4-day average spend, and identification of transactions which raise that average above a certain threshold;

• Monitoring of what types of goods (by Merchant Category Code) the cardholder usually buys, and identifying transactions which are outside the normal types of purchase;

• Identification of transactions above the cardholder's normal spend for an individual purchase;

• Identification of purchases for a cardholder originating from a country where he does not normally do business;

• Identification of (non-Internet) purchases for a cardholder originating from different geographic locations within a narrow time interval.

Issuers will use these factors together with other risk measurements related to the cardholder to make a judgment on each transaction.
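The following added example (written for this page, not code from the whitepaper or from Trintech) implements each of the velocity checks listed above as a rule over a cardholder's approved history and combines the results into an authorization decision. The thresholds (window length, multipliers, minimum history) are illustrative assumptions rather than any issuer's or scheme's parameters, and the history and test transactions are constructed. Note how the geographic rule is applied only to card-present purchases, as the list above specifies.

```python
"""Issuer-side velocity checks over a constructed cardholder history.

Added example for this page, not code from the whitepaper or from Trintech.
Thresholds are illustrative assumptions, not scheme or issuer parameters.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import List

ROLLING_WINDOW = timedelta(days=4)   # the "rolling 3 or 4 day" average window
AVG_RISE_FACTOR = 1.5                # flag if the new average exceeds 1.5x the old one
SINGLE_SPEND_FACTOR = 2.0            # flag if amount exceeds 2x the largest past purchase
MIN_HISTORY = 3                      # "unusual MCC/country" rules need some history
TRAVEL_WINDOW = timedelta(hours=2)   # two card-present locations this close is implausible


@dataclass(frozen=True)
class Txn:
    ts: datetime
    amount: float
    mcc: str           # Merchant Category Code, e.g. 5411 grocery, 5944 jewellery
    country: str       # merchant country, ISO 3166 alpha-2
    city: str
    ecommerce: bool = False


@dataclass
class CardProfile:
    pan_last4: str
    activated: bool        # cardholder phoned the bank to activate the new card
    history: List[Txn]     # previously approved transactions, oldest first


def velocity_flags(profile: CardProfile, txn: Txn) -> List[str]:
    """Return the name of every velocity rule the transaction trips."""
    flags: List[str] = []
    hist = profile.history
    if not hist:
        # First use of a newly issued card: refer unless the card was activated.
        if not profile.activated:
            flags.append("FIRST_USE_UNACTIVATED")
        return flags

    recent = [t.amount for t in hist if txn.ts - t.ts <= ROLLING_WINDOW]
    if recent and mean(recent + [txn.amount]) > AVG_RISE_FACTOR * mean(recent):
        flags.append("ROLLING_AVERAGE_SPIKE")

    if txn.amount > SINGLE_SPEND_FACTOR * max(t.amount for t in hist):
        flags.append("HIGH_SINGLE_PURCHASE")

    if len(hist) >= MIN_HISTORY:
        if txn.mcc not in {t.mcc for t in hist}:
            flags.append("UNUSUAL_MCC")
        if txn.country not in {t.country for t in hist}:
            flags.append("UNUSUAL_COUNTRY")

    if not txn.ecommerce:
        # Geographic velocity is a card-present rule: an Internet order carries no
        # meaningful merchant location, so it neither trips nor anchors this check.
        card_present = [t for t in hist if not t.ecommerce]
        if card_present:
            prev = card_present[-1]
            moved = (prev.city, prev.country) != (txn.city, txn.country)
            if moved and txn.ts - prev.ts <= TRAVEL_WINDOW:
                flags.append("IMPOSSIBLE_TRAVEL")
    return flags


def decide(flags: List[str]) -> str:
    """Fold the flags into an authorization response."""
    if "IMPOSSIBLE_TRAVEL" in flags or len(flags) >= 2:
        return "DECLINE"
    return "REFER" if flags else "APPROVE"


def screen(profile: CardProfile, txn: Txn) -> str:
    return decide(velocity_flags(profile, txn))


# Constructed history: a Dublin-based cardholder buying groceries, meals and fuel.
SAMPLE_HISTORY = [
    Txn(datetime(2003, 11, 7, 12, 0), 40.00, "5411", "IE", "Dublin"),
    Txn(datetime(2003, 11, 8, 19, 30), 25.50, "5812", "IE", "Dublin"),
    Txn(datetime(2003, 11, 9, 8, 5), 60.00, "5541", "IE", "Dublin"),
    Txn(datetime(2003, 11, 10, 9, 15), 30.25, "5411", "IE", "Dublin"),
]
SAMPLE_PROFILE = CardProfile("1111", activated=True, history=SAMPLE_HISTORY)
NORMAL_TXN = Txn(datetime(2003, 11, 10, 12, 0), 35.00, "5411", "IE", "Dublin")
SUSPECT_TXN = Txn(datetime(2003, 11, 10, 10, 30), 950.00, "5944", "NG", "Lagos")
NEW_CARD = CardProfile("2222", activated=False, history=[])
ACTIVATED_NEW_CARD = CardProfile("3333", activated=True, history=[])

if __name__ == "__main__":
    for label, prof, t in [("normal", SAMPLE_PROFILE, NORMAL_TXN),
                           ("suspect", SAMPLE_PROFILE, SUSPECT_TXN),
                           ("new card", NEW_CARD, NORMAL_TXN)]:
        print(label, velocity_flags(prof, t), screen(prof, t))
```

The suspect transaction trips all five rules at once (a jewellery purchase in Lagos 75 minutes after a Dublin grocery purchase), which is the typical signature of a skimmed card in use abroad; a single tripped rule produces a referral rather than a decline, since one unusual purchase is far more often a travelling cardholder than a fraudster.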

In addition to these velocity checks, some issuers employ more extensive fraud screening tools to track transactions, identify trends and provide alerts on anomalies. Patterns of expenditure for each cardholder are established based on variables such as the types of goods purchased, high and low purchase amounts over periods of time, geographic areas in which purchases have been made, normal frequency of card usage and other parameters. The tools normally store transaction data over several months and identify complex patterns based on this data which would not be apparent when examining a limited number of transactions.


Issuers may choose to implement such systems in real time or deferred: in real time the authorization request may be declined if fraud is detected, whereas in deferred mode the potential fraud is not identified until after the authorization request has been processed. Generally, real-time authorization controls are more costly to implement, and issuers are wary of slowing down the response time to authorization requests if the performance of the fraud-screening tool does not match that of their authorization host. However, delayed fraud detection means that only future transactions may be blocked for the compromised card, since the current transaction has already been approved and the merchant holds a valid approval code.

    Internet Payment Security Methods

    SSL / TLS

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are commonly used to secure data travelling over open (Internet) networks. The goal of the TLS protocol is to provide privacy and data integrity between two communicating applications. Symmetric cryptography (DES and RC4 in the cipher suites of the time, both since deprecated as insecure) is used for data encryption to ensure that the connection is private, and a keyed Message Authentication Code (MAC) over each record ensures that the data has not been tampered with in transit. SSL and TLS are layered on top of TCP. SSL is frequently used by home banking web sites to secure account information displayed to customers on web pages. Note that SSL/TLS protects the card details only while they travel between the browser and the merchant: it does nothing to establish that the person typing them is the legitimate cardholder, which is the gap the authentication protocols described below address.

    Electronic Commerce Indicator

The Electronic Commerce Indicator (ECI) is a value within a financial card payment authorization request that informs the card issuer that the transaction has been carried out over the Internet, and whether a security protocol such as SSL or Verified by Visa was used to protect it. It is mandated that all Internet transactions have this value populated in the authorization request. Before this mandate came into effect, it was very difficult for issuers to identify which transactions were eCommerce transactions and which were physical-world transactions, and the presence of this value now makes it possible for issuers to target eCommerce transactions with fraud detection analysis. Because the ECI is set by the merchant, an issuer treats it as a claim to be checked against the rest of the request, for example the authentication code that accompanies a Verified by Visa transaction.

    Manual Procedures

Many small-to-medium merchants cannot afford to implement software-based fraud screening tools and must resort to manual procedures. If the customer is from within the merchant's country then the merchant may make use of locally available electoral registers or phone books to verify that the shipping address provided by the consumer corresponds to his home address. Merchants may also attempt to contact the cardholder directly using his publicly available phone number to verify that he did carry out the transaction, before shipping the goods. In some extreme cases, merchants have been known to refuse to process orders from overseas customers because their identity cannot be verified, but this practice is frowned on by the card organizations.

A recent report on fraud from CyberSource has indicated that in the US many merchants' approach to fraud detection is ad hoc, uncoordinated and not integrated into the merchants' operational procedures. This means that staff who are not trained to detect fraud properly will either fail to detect high-risk transactions or may lose customers by flagging false-positive fraud occurrences. In either case, valuable time is often wasted and the rate of fraud detection is unreliable.


    One-Click Shopping

In recent years, a number of Internet merchants have implemented One-Click shopping. Its goal is two-fold: to provide ease and convenience to the online shopper, and to reduce fraudulent transactions. Using the One-Click approach, a consumer is asked to register his personal details, including his payment card details, with an individual merchant. When the consumer returns to carry out a transaction, he only has to sign on with his username and password in order to pay for the goods, since his payment details are picked up automatically from the database. In many cases, entry of only a password is required, since the merchant site identifies the user from a cookie previously stored on his personal computer. This convenience has a cost: the password (and the cookie that identifies the account) becomes the only barrier between an attacker and the stored card, so a guessed password or a stolen cookie is as good as the card itself for purchases at that merchant.

For the online merchant, the benefit is that a database is built up over time of reliable repeat customers who carry low risk when making a purchase. This allows the merchant to focus his fraud detection attention on new customers who have just registered, or those customers who have avoided registration and gone directly to the payment page. However, such databases concentrate every registered customer's card details in one place and must be protected by encryption and strong firewalls, since a single breach exposes all of them at once.

SET (Secure Electronic Transaction)

The SET standard was launched jointly by Visa International and MasterCard in 1996 as a global standard to reduce fraud in Internet commerce. The goal of the standard was to authenticate all parties to a transaction and to secure the integrity of the transaction details using strong public key cryptography.

A number of pilots were undertaken throughout the world between 1997 and 2001, but the standard did not reach the critical mass needed for adoption; it required a certificate and wallet software on every cardholder's PC, which proved too heavy a burden for consumers and issuers alike. The bursting of the bubble in Internet stocks in 2000 also served to delay spending by many banking institutions on authentication infrastructures for Internet commerce. Both Visa and MasterCard began to work independently on the next generation of authentication mechanisms, leading to the emergence of the 3-D Secure protocol and the SPA/UCAF standard from Visa and MasterCard respectively.

    Verified By Visa

In late 2000, Visa USA issued a technical specification for a consumer authentication protocol known as Payer Authentication. This was based on the concept of separating the transaction process into three separate domains: the issuer domain, the acquirer domain and the interoperability domain that carries messages between them. During 2001 and 2002 the protocol was rolled out to other Visa regions and was given the brand name Verified by Visa (VbV).

The goal of Verified by Visa is to authenticate the consumer using a designated authentication code. Unlike the SET specification, Verified by Visa does not attempt to include or replace the traditional authorization methods. Verified by Visa authentication is an additional step that happens before the transaction authorization takes place, and is therefore easier for merchants to integrate into their business processes. Also, the basic protocol is much simpler than that developed for SET transactions.

The solution involves the deployment of a software module called a Merchant Plug-In (MPI) at the merchant site or at his acquirer's site (if the acquirer hosts the MPI). The issuer also needs to operate an Access Control Server (ACS) that interacts with the merchant's MPI via XML messages over the Internet. The other two software components in the process are the Visa Directory, which allows merchant MPIs to locate and communicate with issuer ACSs, and the Authentication History Server, which is also operated by Visa and stores a log of all fully completed authentications for use in later dispute resolution.

The transaction process is carried out in the following way:

• The cardholder enrolls for the Verified by Visa (or MasterCard SecureCode) service at his issuing bank and chooses his Personal Assurance Message and authentication password or PIN.

• The cardholder shops for goods and enters his payment details into the merchant checkout page as normal.

• The merchant's 3-D Secure software checks with the Visa (or MasterCard) Directory and the issuer to determine whether the cardholder is enrolled for 3-D Secure.

• Provided that the cardholder is enrolled for the service, the merchant seeks authentication of the cardholder by his issuing bank.

• The cardholder is presented with a web page by his issuing bank that shows the details of the transaction and his Personal Assurance Message, and is requested to enter his 3-D Secure password or PIN. The Personal Assurance Message, known only to the cardholder and the issuer, is what lets the cardholder distinguish the genuine issuer page from a merchant or phishing page asking for the same password.

• The issuing bank validates the password or PIN against the details stored for the cardholder at the time of enrolment.

• The issuer responds to the merchant to indicate whether the cardholder is authentic or not, and if so provides an authentication code to the merchant to include with the financial authorization request, where the issuer can check it a second time.
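The following added example models the exchange in the steps above end to end: a Merchant Plug-In (MPI), a Directory Server that routes the enrollment query, and an issuer Access Control Server (ACS) that shows the Personal Assurance Message, checks the password and returns an authentication value that the issuer's authorization host verifies again. It is written for this page and is not Visa's code or specification: messages are Python dicts rather than the protocol's XML, the PARes carries no signature, and the authentication value is an HMAC stand-in for the scheme's CAVV. The message names VEReq/VERes/PAReq/PARes and the Visa ECI values 05 and 07 follow the 3-D Secure 1.0 terminology; the PANs, passwords, merchant name and key are constructed test data.

```python
"""Model of the Verified by Visa / 3-D Secure exchange: MPI, Directory and ACS.

Added example for this page, not Visa's code or specification. Dicts stand in for
the protocol's XML and an HMAC stands in for the CAVV; all data is constructed.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


class IssuerACS:
    """Issuer domain: holds enrolments, challenges the cardholder, issues the PARes."""

    def __init__(self, issuer_key: bytes):
        self.key = issuer_key
        self.enrolled: Dict[str, Tuple[str, bytes, bytes]] = {}  # pan -> (PAM, salt, hash)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, pan: str, pam: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.enrolled[pan] = (pam, salt, self._hash(password, salt))

    def handle_vereq(self, vereq: dict) -> dict:
        return {"type": "VERes", "enrolled": "Y" if vereq["pan"] in self.enrolled else "N"}

    def challenge_page(self, pareq: dict) -> dict:
        """What the issuer shows in the cardholder's browser: the transaction details
        plus the PAM, which lets the cardholder tell this page from a fake one."""
        return {"merchant": pareq["merchant"], "amount": pareq["amount"],
                "pam": self.enrolled[pareq["pan"]][0]}

    def _auth_value(self, xid: str, pan: str, amount: str) -> str:
        # Stand-in for the CAVV: keyed over the fields the issuer will see again.
        return hmac.new(self.key, f"{xid}|{pan}|{amount}".encode(), hashlib.sha256).hexdigest()

    def handle_pareq(self, pareq: dict, entered_password: str) -> dict:
        _, salt, stored = self.enrolled[pareq["pan"]]
        ok = hmac.compare_digest(stored, self._hash(entered_password, salt))
        return {"type": "PARes", "xid": pareq["xid"], "status": "Y" if ok else "N",
                "eci": "05" if ok else "07",   # Visa ECI: 05 authenticated, 07 not
                "cavv": self._auth_value(pareq["xid"], pareq["pan"], pareq["amount"]) if ok else None}

    def authorize(self, auth_req: dict) -> bool:
        """Authorization host: accept only if the CAVV matches the xid, PAN and
        amount this ACS actually authenticated."""
        if not auth_req.get("cavv"):
            return False
        expected = self._auth_value(auth_req["xid"], auth_req["pan"], auth_req["amount"])
        return hmac.compare_digest(expected, auth_req["cavv"])


class DirectoryServer:
    """Interoperability domain: routes the VEReq to the ACS for the card's BIN."""

    def __init__(self):
        self.acs_by_bin: Dict[str, IssuerACS] = {}

    def route(self, vereq: dict) -> Tuple[dict, Optional[IssuerACS]]:
        acs = self.acs_by_bin.get(vereq["pan"][:6])
        if acs is None:   # issuer not participating
            return {"type": "VERes", "enrolled": "N"}, None
        return acs.handle_vereq(vereq), acs


class MerchantMPI:
    """Acquirer domain: the Merchant Plug-In."""

    def __init__(self, name: str, directory: DirectoryServer):
        self.name, self.directory = name, directory

    def checkout(self, pan: str, amount: str, entered_password: str) -> dict:
        veres, acs = self.directory.route({"type": "VEReq", "pan": pan})
        if veres["enrolled"] != "Y":
            # No challenge possible: authorize as a plain Internet transaction.
            return {"status": "U", "authorization_request": {"pan": pan, "amount": amount, "eci": "07"}}
        xid = secrets.token_hex(10)
        pareq = {"type": "PAReq", "xid": xid, "pan": pan, "amount": amount, "merchant": self.name}
        page = acs.challenge_page(pareq)            # rendered in the cardholder's browser
        pares = acs.handle_pareq(pareq, entered_password)
        return {"status": pares["status"], "pam_shown": page["pam"],
                "authorization_request": {"pan": pan, "amount": amount, "xid": xid,
                                          "eci": pares["eci"], "cavv": pares["cavv"]}}


# Constructed test setup: one issuer, one merchant, one enrolled cardholder.
ACS = IssuerACS(secrets.token_bytes(32))
ACS.enroll("4111111111111111", "My dog is called Rex", "correct horse battery")
DIRECTORY = DirectoryServer()
DIRECTORY.acs_by_bin["411111"] = ACS
MPI = MerchantMPI("Example Flowers", DIRECTORY)


def run_checkout(pan: str, amount: str, password: str,
                 tamper_amount: Optional[str] = None) -> Tuple[str, bool]:
    """Run the exchange, then the authorization; return (PARes status, authorized?).
    tamper_amount simulates the amount being altered after authentication."""
    result = MPI.checkout(pan, amount, password)
    auth_req = dict(result["authorization_request"])
    if tamper_amount is not None:
        auth_req["amount"] = tamper_amount
    return result["status"], ACS.authorize(auth_req)
```

Three outcomes matter to a merchant integrating this: a wrong password yields status N with no authentication code, so the merchant should not ship on that transaction; a card whose issuer is not in the Directory cannot be challenged and is authorized as an ordinary Internet transaction under the ordinary liability rules; and an authentication code is only good for the exact transaction it was issued for, so altering the amount afterwards causes the issuer to reject it.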

    MasterCard SPA/UCAF and SecureCode

Soon after Visa launched the 3-D Secure protocol concept, MasterCard followed with a standard known as Secure Payment Application/Universal Cardholder Authentication Field (SPA/UCAF). The goal of SPA/UCAF was similar to that of VbV, i.e. to authenticate a cardholder prior to the financial transaction. However, the technical approach taken by SPA/UCAF differed from that of 3-D Secure.

Whereas 3-D Secure involved the flow of XML messages over the Internet between merchant and issuer, the SPA/UCAF approach assumed that the cardholder would use a consumer wallet application to interact with hidden fields located on the merchant's payment pages. The wallet application would extract merchant and transaction details from the specified hidden fields and would populate data, for example the UCAF value generated by the issuer, into the hidden fields on the payment page. At this point, the additional authentication data would be passed into the merchant's payment application and sent as part of the financial authorization message to the issuing bank.

Thus, the two standards mainly differed in how the authentication data would be transported between the merchant and the issuer.

In September 2002, MasterCard announced the launch of the MasterCard SecureCode standard, which could interoperate with the 3-D Secure protocol as well as the previously published wallet-based standard. This announcement reunited the two major brands in the use of a common technology standard for consumer authentication and paved the way for dual-brand issuers and acquirers to implement a single software solution to support both brands.

    Maestro Payment over the Internet

In the summer of 2001, Maestro introduced an authentication standard built upon the previously published MasterCard SPA/UCAF standard. The goal of the Maestro standard was more than just consumer authentication: it was intended to allow Maestro debit cards to be used generally for purchases over the Internet. The Maestro standard promoted the use of a pseudo-PAN and described mechanisms for both acquirers and issuers to work around the absence of PIN-block data for Internet transactions, which is normally present for card-present Maestro transactions.

    Transaction Liability Rules

Traditionally, the liability rule for Internet transactions has been that the merchant takes the liability for fraudulent transactions. Hence the merchant is in the position that he must prove that the cardholder committed fraud or assume the loss. This mirrored the rules applied to MOTO transactions, given that the same lack of direct contact applied between the cardholder and the merchant. This rule has left many merchants considerably at risk of fraud losses, with the intention of incentivizing them to implement fraud detection and prevention measures.

With effect from April 2002 in the EU region and April 2003 in all other regions, Visa has mandated that, under certain conditions, fraud liability shifts to the issuer in instances where the Internet merchant has adopted the Verified by Visa protocol. Effectively, this means that Internet merchants who implement the VbV merchant plug-in are protected from fraud chargebacks on those transactions, moving the focus from the merchant/acquirer to the issuer to prevent fraud. This is intended to incentivize issuers to properly authenticate their cardholders to avoid financial loss. MasterCard has introduced a similar liability shift for those merchants implementing SecureCode.


    Future Trends

The following are a series of predictions with respect to fraud-related events over the coming decade:

• Despite the risks of fraud outlined in this paper, the credit/debit card will remain the safest and most secure means for consumers to make payments, particularly over the Internet. The degree of protection provided to consumers by the regulations mandated by card schemes such as Visa and MasterCard is unmatched by other payment methods. This will ensure the continued growth of card payments.

• Based on the mandate to accept chip cards by 2005, the majority of medium-to-large merchants in Europe and other regions outside the US will support chip by 2006 or 2007. Issuers will most likely purchase chips with memory capacity just large enough to support the magnetic stripe contents and PIN verification only, and will wait longer before investing in larger-memory chip cards which can support loyalty, purse and other value-added applications.

• In the US market, it is thought that fraud will increase post-2005 as fraudsters seek to use non-EMV cards issued by US issuers for purchases outside the US, without the protection of PIN verification. These drivers may bring about an accelerated rollout of chip cards in the US market towards the end of the decade, but those cards will most likely be multi-application smart cards from the start.

• The introduction of EMV chip cards will have little or no effect on MOTO fraud, since neither the chip nor the PIN is available to a card-not-present merchant.

• Eventually fraudsters may find a way to cost-effectively skim and create counterfeit chip cards, and the move to strengthen card security will begin again. The next step up in security will most likely take the form of biometrics using technology such as fingerprints, voice analysis or retinal scans.

• The volume of Internet transactions secured by Verified by Visa and MasterCard SecureCode will grow steadily as Internet transaction volumes and the global economy improve. Following the rollout of chip cards in Europe, perhaps around 2007, many issuers will support PIN-based cardholder authentication for Internet transactions through the chip extension to the 3-D Secure authentication protocol.

• The single greatest threat that will continue to raise its head this decade is the growth of identity theft. As a result of the introduction of more computerized systems in many consumer-facing institutions, there is more personal information available on individuals in electronic (and hence easily distributed) format. Indeed, if a person wished to truly protect their personal information in their day-to-day lives, they might be unable to avail of a wide number of services from banks, insurance agencies, employers and merchants, who all require that such information be provided to them. Protection is unlikely to be provided to citizens until Government action is taken to regulate the use and storage of such information, and to provide a secure form of personal authentication from birth. The debate on the ownership of personal information and evidence of identity is likely to be one of the most significant and important of this decade, with long-lasting implications for the future.