FRAMINGHAM (08/18/2000) - Visa International Inc. and MasterCard International Inc. have separately drafted new plans to wage war against online credit-card fraud, a costly burden for merchants who get fooled into accepting phony card numbers over the Web.
Visa this week trumpeted a list of security "best practices" for e-merchants that accept Visa cards, requiring them to use encryption and firewalls to protect card data. In a different approach, MasterCard next year plans to require that credit-card purchases on the 'Net include a special three-digit cardholder identification number that's printed on the back of their cards.
This change, expected to go into effect next April, will require alterations to card-processing software and networks, MasterCard says.
"We're being more vigilant in monitoring those [Internet] transactions," says Vinnie DeLuca, MasterCard's vice president of fraud control. "Effective April 1, 2001, MasterCard will require the three-digit code called the Card Validation Code No. 2."
Internet merchants must then be prepared to ask for that three-digit code, a value separate from the account number that is printed on the plastic but does not appear on receipts and is not sent through MasterCard's network today. Because it exists only on the card itself, supplying it is evidence that the buyer has the card in hand rather than a number copied from a receipt or lifted from a merchant's database.
Visa also has a three-digit code on the back of its cards called the "Card Verification Value," according to John Shaunessy, Visa's senior vice president of risk management. A merchant can request that code when the cardholder is not present to help validate the transaction. Currently, Visa won't mandate its use on the Internet. "We leave that up to the merchant," Shaunessy says.
Instead, Visa has formulated a 12-point list of security practices it wants online merchants, ISPs and third-party service providers processing credit cards to follow. These practices, aimed at preventing break-ins to steal card numbers from servers, include encrypting card data and using firewalls and antivirus software.
"Visa has always had rules about storing data. A year ago, we knew we had to adapt to this new environment, with some of the hacking incidents and security breaches," Shaunessy explains. "We have come up with a list of requirements that will apply to all merchants, from the largest to the smallest."
The new rules about data security are expected to take effect by year-end.
"It's premature to suggest penalties for noncompliance, but we are developing the capacity to monitor the security of merchants," Shaunessy warns, declining to reveal how Visa will do this monitoring. Merchants might even face loss of their Visa merchant card accounts if they fail to follow the new rules.
While none of the credit-card associations disclose exact loss-rate figures for fraud - in part because they aren't sure - Visa, MasterCard and American Express claim to have a handle on the problem overall.
"At Visa, it's as low as it's ever been; 6 cents on the dollar," Shaunessy says. "In 1992, it was 22 cents on the dollar due to magnetic-stripe counterfeiting."
Merchants are stuck paying for this fraud and also risk losing their accounts with the card companies if fraud rates get too high.
While American Express prefers not to discuss in depth how it combats Internet card fraud, both Visa and MasterCard believe such fraud is often the work of hackers who penetrate servers or databases that hold credit-card numbers.
However, industry analysts and e-merchants claim the credit-card companies have yet to come to grips with the full scope of the problem.
Internet-based card fraud is "at least 10 times the rate for the physical world," claims Avivah Litner, an analyst at Gartner Group in Stamford, Conn.
A Gartner survey of 100 Web retailers found Internet credit-card fraud to be much more common than offline fraud, making it the "No. 1 problem" in e-commerce, according to Litner.
Gartner found that 44 percent of the e-retailers had built their own antifraud software, while others still processed card numbers off the Web by hand, checking suspect orders by phone and other means. That kind of software works by comparing the card number and order details submitted in a Web purchase against known patterns of abuse to estimate the risk of each order.
Many merchants are also beginning to use fraud-screening services and software that subject the card number to a risk assessment as the order is being placed on the Web, leaving the merchant to decide to accept the card number or not based on that value. CyberSource, Digital Courier, ClearCommerce and HNC Software are the leading vendors, Litner says.
In Gartner's view, these services and software, which work by automatically screening the card number against a long list of checks, are still "very new" and the jury is out on their effectiveness.
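The screening the article describes, boiled down to its mechanics: each order is scored as it arrives, the merchant sets thresholds for accept, review and decline, and the screen keeps velocity state so that the gang pattern described later (many cards, one source, high-value goods moved fast) lights up even when each order looks plausible on its own. This is an added illustration, not code from any of the vendors named; the rule weights, thresholds, category list and sample orders are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed assumptions: the rule weights, thresholds and categories below
# are illustrative, not any vendor's scoring model.
HIGH_RISK_CATEGORIES = {"jewelry", "computer"}      # goods the article says gangs target
FREE_MAIL_DOMAINS = {"hotmail.com", "yahoo.com"}    # throwaway-address heuristic


@dataclass
class Order:
    order_id: str
    card_token: str        # a hash/token of the card number; never key state on the raw PAN
    ip: str
    email: str
    billing_country: str
    shipping_country: str
    billing_zip: str
    shipping_zip: str
    amount: float
    category: str
    expedited: bool


class RiskScreen:
    """Scores each order as it arrives and keeps velocity state across orders."""

    def __init__(self, review_at: int = 40, decline_at: int = 70):
        self.review_at = review_at
        self.decline_at = decline_at
        self.orders_per_card = defaultdict(int)     # card_token -> orders seen
        self.cards_per_ip = defaultdict(set)        # ip -> distinct card tokens

    def score(self, o: Order):
        score, reasons = 0, []

        def hit(points: int, why: str):
            nonlocal score
            score += points
            reasons.append(why)

        # Address checks: cross-border shipping is the strongest single signal here.
        if o.billing_country != o.shipping_country:
            hit(30, "billing/shipping country mismatch")
        elif o.billing_zip != o.shipping_zip:
            hit(10, "billing/shipping ZIP mismatch")

        # Merchandise that resells quickly, at amounts worth a criminal's effort.
        if o.category in HIGH_RISK_CATEGORIES and o.amount >= 1000:
            hit(25, f"high-value {o.category}")
        if o.expedited:
            hit(10, "expedited shipping")
        if o.email.rsplit("@", 1)[-1].lower() in FREE_MAIL_DOMAINS:
            hit(5, "free e-mail domain")

        # Velocity: many orders on one card, or many cards from one address.
        self.orders_per_card[o.card_token] += 1
        if self.orders_per_card[o.card_token] > 3:
            hit(20, "card velocity")
        self.cards_per_ip[o.ip].add(o.card_token)
        if len(self.cards_per_ip[o.ip]) > 2:
            hit(30, "multiple cards from one IP")

        if score >= self.decline_at:
            decision = "decline"
        elif score >= self.review_at:
            decision = "review"
        else:
            decision = "accept"
        return decision, score, reasons


# Constructed sample orders: one ordinary purchase, one borderline order, and a
# cluster that looks like the gang pattern the article describes.
SAMPLE_ORDERS = [
    Order("A-1", "tok-c1", "203.0.113.10", "ann@example.com", "US", "US", "02101", "02101", 59.99, "books", False),
    Order("A-2", "tok-c2", "192.0.2.20", "sam@example.org", "US", "US", "94105", "94107", 1200.00, "computer", True),
    Order("A-3", "tok-c3", "198.51.100.7", "buyer77@hotmail.com", "US", "RO", "10001", "", 2450.00, "jewelry", True),
    Order("A-4", "tok-c4", "198.51.100.7", "buyer77@hotmail.com", "US", "RO", "10001", "", 1899.00, "computer", True),
    Order("A-5", "tok-c5", "198.51.100.7", "buyer77@hotmail.com", "US", "RO", "10001", "", 3100.00, "jewelry", True),
]


def screen_orders(orders=SAMPLE_ORDERS):
    """Run the screen over a batch in arrival order; returns {order_id: (decision, score)}."""
    screen = RiskScreen()
    results = {}
    for o in orders:
        decision, score, reasons = screen.score(o)
        results[o.order_id] = (decision, score)
        print(f"{o.order_id}: {decision} ({score}) {'; '.join(reasons)}")
    return results


if __name__ == "__main__":
    screen_orders()
```

The first two orders from the shared address score 70 on their own merits; the third crosses the distinct-cards-per-IP threshold and is pushed further into decline. Real screens carry far more rules and tune the weights against chargeback history, which is the work the article says the jury is still out on.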
Credit-card thieves don't need to break into Web servers to steal card numbers; they can generate a supply of numbers through freeware found on the Internet, says Tom Arnold, chief technology officer at CyberSource. "It's a no-brainer to generate all the credit-card numbers associated with a particular bank," he says.
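Why that is a no-brainer: the only structure a card number carries is the Luhn check digit, a public checksum designed to catch typos, so anyone can mint unlimited numbers under an issuer's prefix that pass every syntactic check a merchant can run locally. The example below, added here and not taken from the article or from CyberSource, shows the check and the minting side by side; the 4111 11 prefix is the familiar test prefix and the numbers produced correspond to no real account. The practical lesson is that a Luhn pass says nothing about whether an account exists, which is why authorization (and the card-verification codes discussed above) have to do the real work.

```python
import random

# The Luhn check digit is public (ISO/IEC 7812); it catches transcription
# errors, not fraud. Added illustration; no real account numbers are used.


def luhn_checksum(digits: str) -> int:
    """Luhn sum mod 10 over a digit string; 0 means the string passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and 13 <= len(pan) <= 19 and luhn_checksum(pan) == 0


def luhn_check_digit(body: str) -> str:
    """The digit that makes body + digit pass the check."""
    return str((10 - luhn_checksum(body + "0")) % 10)


def generate_for_bin(bin_prefix: str, count: int, length: int = 16, seed: int = 1):
    """Mint `count` Luhn-valid numbers under an issuer prefix (BIN/IIN).
    The prefix used by the caller is a constructed example, not a real range."""
    rng = random.Random(seed)
    out = []
    body_len = length - len(bin_prefix) - 1
    for _ in range(count):
        body = bin_prefix + "".join(rng.choice("0123456789") for _ in range(body_len))
        out.append(body + luhn_check_digit(body))
    return out


def survival_rate(pans, check) -> float:
    """Fraction of `pans` that a given check lets through."""
    return sum(1 for p in pans if check(p)) / len(pans)


if __name__ == "__main__":
    minted = generate_for_bin("411111", 1000)
    print("minted numbers passing Luhn:", survival_rate(minted, luhn_valid))
    rng = random.Random(2)
    junk = ["".join(rng.choice("0123456789") for _ in range(16)) for _ in range(1000)]
    print("random 16-digit strings passing Luhn:", survival_rate(junk, luhn_valid))
```

Random digit strings pass Luhn about one time in ten; deliberately minted ones pass every time. Any screen that treats a syntactically valid number as evidence of a real account is measuring nothing.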
Moreover, the thieves are always developing new ways to trick e-merchants.
"They'll aggressively phone to get the order approved, or they'll exploit an offer to get instant credit, and open an account in your name," Arnold says.
"They sometimes work in gangs, going after high-value goods like jewelry or computer equipment, moving it quickly once they have it."
Online travel service Expedia, which accepts credit cards for airline tickets and hotel reservations, earlier this year acknowledged that it had been victimized by gang-related card fraud to the tune of $4.1 million.
"The fraud was committed by professional criminals who obtained the card numbers, not from Expedia or Expedia customers, but from elsewhere," says Suzi LeVine, the company's marketing director.
In its role as a travel agent, Expedia earns about US$10 on a $300 plane trip booked for an airline carrier, but if the card number is bad, Expedia has to eat the full amount. Under U.S. law, consumers victimized by fraud are liable for at most $50 of the charge, though merchants that fall for phony card numbers often waive even that amount.
A Brooklyn, N.Y., resident has been arrested and charged in connection with the Expedia case.
LeVine says Expedia has beefed up its fraud-screening procedures, adding card risk-assessment software written in-house.
LeVine says she welcomes efforts from Visa and MasterCard to counter the fraud problem. She added that Expedia already uses firewalls and other security procedures on Visa's best-practices list. Expedia's card-fraud problem wasn't due to a break-in; rather, fraudulent numbers coming over the Web didn't get screened out.
MasterCard's mandate next year to tie an Internet order to the three-digit code printed on the plastic should help confirm that the buyer has the physical card in hand, rather than a number harvested from a server or minted by software; on its own it does not prove who the buyer is.
However, a three-digit code has only 1,000 possible values, so a criminal who can submit repeated authorization attempts against a merchant that does not limit retries can simply guess it. Unlike the account number, whose check digit is public, the code is computed by the issuer under a secret key, so it cannot be derived offline the way card numbers can; the realistic risk is guessing, not generation, and it falls on merchants and issuers to cut off the guesses.
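To make the point concrete, here is an added simulation (not code from MasterCard, Visa or the article) of the guessing attack against a merchant gateway with and without a retry cutoff. The issuer, its key, the card and the expiry are constructed; the issuer's real derivation of the code from the account number and expiry under a secret key is stood in for by an HMAC, which preserves the property that matters here: without the key, the code can only be guessed.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed demo issuer key. A real issuer derives the three-digit code from
# the account number, expiry date and service code under a secret key;
# HMAC-SHA256 stands in for that scheme here. Either way the code cannot be
# computed without the key, only guessed.
ISSUER_KEY = b"constructed-demo-issuer-key"


def issuer_cvv2(pan: str, expiry: str) -> str:
    mac = hmac.new(ISSUER_KEY, f"{pan}|{expiry}|000".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1000:03d}"


class Issuer:
    def authorize(self, pan: str, expiry: str, cvv2: str) -> bool:
        return hmac.compare_digest(cvv2, issuer_cvv2(pan, expiry))


class MerchantGateway:
    """Submits authorizations; optionally stops after N code failures on one card."""

    def __init__(self, issuer: Issuer, max_cvv2_failures=None):
        self.issuer = issuer
        self.max_cvv2_failures = max_cvv2_failures
        self.failures = defaultdict(int)    # keyed on a card token in practice; PAN here for brevity

    def charge(self, pan: str, expiry: str, cvv2: str) -> str:
        if self.max_cvv2_failures is not None and self.failures[pan] >= self.max_cvv2_failures:
            return "blocked"
        if self.issuer.authorize(pan, expiry, cvv2):
            return "approved"
        self.failures[pan] += 1
        return "declined"


def brute_force_cvv2(gateway: MerchantGateway, pan: str, expiry: str):
    """Try every code in 000..999. Returns (code or None, attempts made)."""
    for n in range(1000):
        guess = f"{n:03d}"
        result = gateway.charge(pan, expiry, guess)
        if result == "approved":
            return guess, n + 1
        if result == "blocked":
            return None, n + 1
    return None, 1000


def run_demo(pan: str = "4111111111111111", expiry: str = "0403"):
    """Same attack against an unthrottled gateway and one that cuts off after 3 failures."""
    issuer = Issuer()
    unlimited = brute_force_cvv2(MerchantGateway(issuer), pan, expiry)
    limited = brute_force_cvv2(MerchantGateway(issuer, max_cvv2_failures=3), pan, expiry)
    return {"unlimited": unlimited, "limited": limited, "actual": issuer_cvv2(pan, expiry)}


if __name__ == "__main__":
    r = run_demo()
    print("no retry limit:   found", r["unlimited"][0], "after", r["unlimited"][1], "attempts")
    print("3-failure cutoff: found", r["limited"][0], "after", r["limited"][1], "attempts")
```

Without a cutoff the code always falls within 1,000 authorization attempts; with one, the attacker gets only a handful of guesses per card. The counter here lives at the merchant, keyed on the card; issuers keep their own counts on their side, and both are needed, because an attacker can spread guesses across many merchants.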
It's not the first time the card associations have tried to find a way to prove the buyer's identity on the Internet.
Three years ago, Visa and MasterCard said that public-key certificates issued to cardholders under a protocol called Secure Electronic Transaction (SET) would be the main way to make online card processing safer.
While the certificate infrastructure was an ambitious project, the industry is still bogged down in deployment problems and consumers never got the certificates.
Though the card associations refute any notion that SET is dead, the idea lives on only in a few pilot projects. Meanwhile, the crooks grow more inventive each year.