PCI squeezing the merchants?

In a recent article in Storefront Backtalk, PCI Columnist Walt Conway suggests that maybe it’s time to eliminate the shortened versions of the PCI SAQ in favor of the 280 question SAQ D. Apparently this suggestion came from one of the largest card acquirers. Early in the article, Walt tells us that,

I am not convinced that requiring every merchant to use SAQ D, with its 280-plus requirements, makes sense. It is just too daunting for a small or midsize merchant.

In the rest of the article he falls a little short of advocating such a move, but does present some compelling points in favor of it.

I’m certainly in favor of good security all around but as long as we have serious problems with the big guns like Citibank and the others, I see no point in wasting time tightening up the requirements for small merchants.

It’s like trying to patch a pinhole in the hull while the ship sinks from the iceberg damage. As a matter of fact, I find it rather distasteful that such a proposal would even cross someone’s lips.


Ethoca helps catch fraudsters

I had an interesting, even exciting, conversation with Julie Fergerson this week. Julie is the Vice President of Emerging Technologies at Ethoca and has been at the forefront of card-not-present fraud prevention for 15 years. She co-founded ClearCommerce Corporation and was their VP while also co-founding and Chairing the Merchant Risk Council.

Now she’s at it again at Ethoca, giving CNP merchants a way to screen for fraud and help catch the bad guys that have been plaguing us for years. Merchant911 members have talked about data sharing for years. Those discussions always come down to costs, liability, and logistics.

Enter Ethoca’s FraudStop™. They have it all under control and they are doing it at no cost.

FraudStop™ is a new PCI Certified service from Ethoca that compiles fraud information for National Cyber-Forensics & Training Alliance (NCFTA) analysis — so your organization can not only reduce its fraud losses but also contribute to catching fraudsters. Something no other anti-fraud tool does.

And if that’s not enough, the data goes to IC3 when patterns are detected.

I’m really excited about this and merchants will be too. In addition to sharing your fraud data with other merchants via manual web entry, batch upload or API to a central repository, you’ll be able to use everyone’s data for screening. While you’re doing that, the incoming data will be analyzed for patterns that can lead to arrests.

Why not check out Ethoca’s FraudStop™? Remember – it’s free, although they are very up front in saying that they may charge for parts of the service later.


Fraud trend updates

The CyberSource 2011 Online Fraud Report – 12th Annual Edition, released in January, is always a great resource for merchants. I read it every year and every merchant should get it and digest it.

The report is compiled from survey results of 334 US and Canadian merchants. I’m not a statistician and I wonder if 334 respondents is statistically significant for the big picture. After all, there are many thousands of merchants in the US alone. Still, it’s an excellent report.

One of the things I’d like to see in these reports is a breakout of debit card versus credit card fraud. CyberSource appears to be aggregating both classes of card together. This isn’t unusual since most merchants wouldn’t know which class of card was used, but it could certainly skew the numbers.

There seems to be a general consensus in the payment industry that credit card fraud is decreasing. Clearly, the CyberSource report reflects the trend. Given that smaller merchants have an increased awareness of the problem and more sophisticated fraud fighting tools available, I would expect this. But most reports tell us that debit card fraud is increasing along with the use of debit cards; some say at a frightening rate. Admittedly, the biggest debit card problems seem to be at ATMs for the big cash-out, but there is ample evidence that gas stations and convenience stores are feeling big losses from debit cards as well. We don’t know what classes of merchants are represented in reports but, in my opinion, debit cards are, or soon could be, a bigger fraud source for merchants.

The CyberSource report shows some other interesting things. We’re seeing that, as expected, lower volume merchants are doing significantly more manual screening than the high volume operations. Merchants with under $5M in sales are manually reviewing 35% of orders as opposed to the over $100M bracket doing only 9% manual screenings. This difference has been evident for at least 4 years but the overall manual review rates have decreased. I find the decrease of manual review troubling since it is usually more effective. No doubt the decrease is due to shrinking profits and increased costs. There is no question that manual fraud screening strains the bottom line.

According to the CyberSource report there’s some good news on the horizon. A large percentage of merchants (46% of merchants with over $25M in revenue and 30% overall) are planning to implement device fingerprinting in the next 12 months. Device fingerprinting is generally a bit more expensive than other forms of card fraud screening but its value is being recognized. One of the leading vendors in that arena is iovation, Inc.

I’ve been pleasantly surprised to see the two year downward trend in both the percentage of revenue and total dollars. I predicted a level or increasing trend so I won’t stick my neck out again. But I will say that with the increased use of RFID cards and mobile payment systems, combined with the sagging economy and increasing sophistication of the fraudsters, those of us involved in detecting and preventing fraud had better not let the two year trend allow us to become complacent.


Mobile Payment Apps not PCI compliant?

There has been a flurry of discussion in the payment industry blogs about the current and future state of mobile payments, the Square in particular.

It appears to have started over some finger pointing between VeriFone and Square over who was PCI compliant and who wasn’t. It’s not clear to me who fired the first shot and it doesn’t really matter.


The real issue is whether or not any of these mobile phone devices or, more specifically, the phone itself is, or ever will be, PCI compliant. I think Attorney Mark D. Rasch, who should know, probably said it best.

Want to destroy your network infrastructure, grab all your customer’s unencrypted credit card numbers and drive your business into bankruptcy? There’s an app for that.

Read more: http://storefrontbacktalk.com/securityfraud/mobile-the-new-weak-link/#ixzz1GLdEMddI

And we know it’s possible.

A team of security researchers has created a proof-of-concept Trojan for Android handsets that is capable of listening out for credit card numbers – typed or spoken – and relaying them back to the application’s creator.

Read more: http://www.thinq.co.uk/2011/1/20/android-trojan-captures-credit-card-details/#ixzz1GLdsJkuc

It’s only been a few days since the VeriFone/Square sparring and already there are “Reliable rumors” that PCI compliance has been pulled on all mobile payment applications.
I use the term reliable rumor since, according to Avivah Litan at Gartner, it hasn’t been confirmed.

The most obvious rationale for all this is simple. The phones cannot be locked down. The OS of the devices permits the manufacturer to update the system and remove malware without the intervention (or even the knowledge) of the owner.

Only time will tell if the non-compliance status is permanent. I suspect not, but it appears that if you’re using these apps now, you need to at least check with your compliance providers. You may be in violation.


Chargeback Reason Codes

From time to time, someone gets a chargeback and doesn’t understand the chargeback codes. There are numerous codes and the brands all have different ones. Hopefully you’ll never see any of them, but chargebacks do occur and you should know what the codes mean.

Many of them you should never see if you are even a little careful. For example, if you see a Visa chargeback with codes 71 through 73, you didn’t follow basic card acceptance practices. The same applies to MasterCard chargebacks like 4808 and 4835. They just shouldn’t happen.

I’ve found over the years that chargebacks can be reversed. This doesn’t mean that all of them can but, if you are following credit card acceptance best practices, most of them can be. It’s up to you as the merchant to know these practices. Just knowing the chargeback codes can give you a better idea of what to look out for while doing business.

Merchant University, a website I highly recommend, has a list of Visa and MasterCard codes. Take a look.

In the comments, let us know if you’ve gotten any of these and whether you were able to get them reversed.
