Merchant911 Blog

05 May

SoftCard Vendor Exposing Card Numbers

I blogged about this back in early March, but I’m going to do it again. Yes, it’s THAT serious!

Back in January, I had a short email dialog with a Kip Long, who claimed to be one of the principals of a company called Softcard out of Huntington Beach, CA. They are not to be confused with SoftCard Systems in Athens, GA. As far as I know, SoftCard Systems is a legitimate company with a legitimate product. I hope somebody has a copyright on this “SoftCard” thing!

Mr. Long was rather aggressively, but not very successfully, trying to impress me with their product - from what I can make of it, a virtual PIN-based card. The company uses PinPay to process transactions, and both companies are a part of ACAP Security, Inc. Note that these folks use the word “security” in their corporate identity.

I reviewed their site for possible inclusion in our website’s resource pages, but promptly rejected them. My main objection, and there were several, was that their insecure sign-up form was requesting “Identity Card Numbers” and issue dates. “Identity cards” are selectable from a drop-down menu and include such ID information as Passport, Driver’s license, SSN, and Credit Card. The form also requires a full name and DOB. I tried using the HTTPS URL but it appears that they do not have a security certificate tied to their site.

The fact that Mr. Long used a hotmail address to pitch the company made me wonder too, given that at Merchant911 we try to instill in our members that a free email address from a customer is a fraud alert. If a company official can’t use his company’s domain for email, I’m not going to talk to him. I don’t know if he has any association with the company he claims to represent.

I called their attention to the insecure web form in January. They still have the form up there, happily collecting this information with an insecure form.

I have to wonder how much information has already been sniffed or otherwise compromised. You probably don’t want to fill out this form.
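A merchant can check their own sign-up pages for the same exposure. The following is an added example, not part of the original post or the vendor's code: it flags any form that asks for identity or card data on a page served, or submitted, without HTTPS. The field-name hints, the `signup.example` URL and the sample markup are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Substrings that suggest identity or payment data (assumed naming; tune per site).
HINTS = ("card", "passport", "licen", "ssn", "dob", "birth", "issue")

class FormCollector(HTMLParser):
    """Record each form's action and any sensitive-looking fields or options."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action") or "", "fields": set()}
            self.forms.append(self._cur)
        elif self._cur is not None and tag in ("input", "select", "textarea", "option"):
            label = (a.get("value") if tag == "option" else a.get("name")) or ""
            if any(h in label.lower() for h in HINTS):
                self._cur["fields"].add(label.lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def audit(page_url, html):
    """Return (target, fields, reasons) for forms that expose sensitive data."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        target = urljoin(page_url, form["action"])  # empty action posts to the page itself
        reasons = []
        if urlparse(page_url).scheme != "https":
            reasons.append("form page served without TLS")
        if urlparse(target).scheme != "https":
            reasons.append("form submits in cleartext")
        if form["fields"] and reasons:
            findings.append((target, sorted(form["fields"]), reasons))
    return findings

# Constructed sample modelled on the fields the post describes; not the vendor's markup.
SAMPLE = """<form action="/signup.php" method="post">
<input name="full_name"><input name="dob">
<select name="id_card_type"><option value="Passport"><option value="SSN">
<option value="Credit Card"></select>
<input name="id_card_number"><input name="issue_date"></form>"""

if __name__ == "__main__":
    for target, fields, reasons in audit("http://signup.example/join", SAMPLE):
        print(target, fields, reasons)
```

A page served over plain HTTP is flagged even when its form posts to an HTTPS address, because the page itself can be altered in transit before the visitor submits it.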

24 Apr

Disposable Credit Card Numbers - Not All Bad


Recently, there was an announcement about a new “disposable,” virtual credit card from Orbiscom. Of course the hairs on the back of my neck stood up as they always do when I read about such things. I sent the following enquiry to the company.

Disposable credit card numbers have always been a concern to on-line
merchants because they severely limit our fraud screening ability.
We are unable to do much, if any, basic manual fraud screening by
calling the Issuer to verify account information presented to us.

Given that on-line merchants are always liable for fraudulent
transactions, we are more than a little concerned about a product
that curtails our prevention efforts. We’re fairly confident that
Orbiscom will not assume that liability in the event your disposable
numbers are used against us.

I would be interested in knowing how you would address these concerns
to our 3700 small merchants.

I actually got a response from them in a timely manner. It seems that, at least from Orbiscom’s perspective, e-commerce merchants will be able to do manual fraud screening as we always have.

Thank you for your inquiry regarding Orbiscom’s online security product for credit card customers.  You have voiced concern that online merchants may experience impediments to fraud prevention by not being able to verify account information when contacting the issuer.  Orbiscom’s product allows for account information verification by the issuer when in contact with the merchant or the card holder.

The Orbiscom technology enables issuers to identify and verify account details based on the provision of a “disposable” card number. Therefore, merchants may continue to conduct manual fraud screening by calling the Issuer to verify account information presented to merchants for purchases made with disposable numbers as they would for purchases made with “real” card numbers.

Of interest to you and your members: our Issuer clients have seen an increase in their cardholders’ willingness to shop online while empowered by Orbiscom technology and most importantly for your members, a willingness to shop at smaller sites that are not as well known as the “online giants”.

I hope this clarifies the situation you described. Orbiscom’s mission is to improve the experience of the cardholder and make him/her more willing to transact online … while increasing online sales and improving the quality of the transactions that are authorized by preventing unwanted transactions from being approved.

Sincerely,

Diane Shaib
Executive VP, Orbiscom
 

Of course those of us in the trenches know that, among all the other things that can go wrong, banks don’t always cooperate on these matters. And we also know that anything dealing with credit cards is marketed to card holders, not merchants.

Still, it looks like Orbiscom has an understanding of e-commerce merchants’ concerns and has tried to address them.

Thank you, Orbiscom. And those who know me know that I don’t hand out kudos to processors very often.

23 Apr

“It’s worse than we thought”

Yes, dear readers, the so-called experts are finally waking up and the UK press is jumping on it. Credit card fraud is worse than everyone thought! That’s the case in the U.S. too, but the experts haven’t quantified it yet.

Part of the reason, I think, is simple. Most of the fraud trends that we read about are from statistics gathered from merchants based on their actual losses to fraud. They don’t usually, if ever, take into account the fraudulent use of cards that merchants screen out and never process.

I’m not saying that actual fraud losses aren’t important; of course they are. Those are the numbers that can put merchants out of business. But I am here to tell you that fraud attempts are important too. They reflect the true nature of just how serious the problem is.

Card Not Present losses from UK issued cards are up 37% in the UK alone. That doesn’t reflect the losses outside of the UK from those cards. This 37% increase occurred at the same time that the Card Companies were pushing Payer Authentication and merchants were doing more to become PCI compliant and recognize fraudulent transactions before they were processed.

And let’s not forget that cardholders are becoming more security conscious too. I think there’s almost as much tightened security from cardholders as there is in the industry.

The reported losses keep climbing in spite of all the new safeguards and initiatives, and we’re only seeing the actual losses - not the total picture. I have to believe the total is a lot bigger than the part we’re seeing in reports.

If someone in the industry cares to dispute that, the comments are open!

© 2008 Merchant911 Blog