Risk/Fraud


Another year has flown by and the busy season at ProPay is about to begin. We want our merchants to have a successful and stress-free holiday season. This is the perfect time to make sure our merchants are up to date on the latest fraud schemes. A fraudulent buyer, chargeback or theft of data can put a damper on your end-of-year sales. Here are just a few of the most prevalent fraud trends today.

Spam— Unsolicited email, possibly fraudulent, from a company that you didn’t authorize to send you messages.

Phishing/Spoofing— Phishers will impersonate a legitimate company by sending fake emails or creating fake Web sites in order to acquire your personal information—like PINs, credit card or bank account numbers.

Spyware— Software that records your personal information without you realizing it. Several anti-spyware software programs are available to combat spyware.

E-Commerce Fraud— Before you buy anything online, ask yourself if the site is legitimate. Look for seals from trusted companies that have certified the site as safe and secure. If the deal sounds too good to be true, it probably is.

Get-out-of-debt fraud— Many online debt elimination resources are fraudulent. Be wary. Investigate them thoroughly. If they aren’t a legitimate 501(c)(3) nonprofit organization, then it’s likely that they’re trying to take advantage of your debt-related vulnerability.

International schemes— Don’t respond to emails that suggest you have won or inherited money from someone in a foreign country—Nigeria and Eastern European countries are where many of these emails originate. And any scheme that asks you to give advance money for a larger sum in return is too good to be true, and will always be fraudulent.

Evil twin— A fake Wi-Fi network set up near a real public Wi-Fi network, like those in libraries, parks, and coffee shops, and often using a similar name. If you unknowingly join the evil twin network, the criminal behind it will have access to all of the information on your computer.

Take a few moments to review this list and to research other fraud trends that could impact you and your business. The small investment of time will be worth it in the long run. Here’s to a successful holiday season and a strong push to the finish line in 2011.

Last week, I attended the PCI SSC Community Meeting in Scottsdale, AZ. The meeting is held every year so that stakeholders in the payments industry can get together and discuss the PCI DSS and its impacts. Each year brings with it new guidance documents, and sometimes new standards. This year was no exception, and the standard mix of new standards and new guidance was supplemented by discussion of new technologies (perhaps “new” is a bit of a stretch, as one of the “new” technologies under discussion was EMV – a technology that has been around for decades). Mobile payments and Near Field Communications (NFC) were also hot topics of discussion and reminded me of one of my favorite topics – weighing the adoption of technology and its attendant convenience against the protection of payment data.

I am an advocate of a careful risk analysis – there are occasions in which a new technology does introduce risk, but that risk is outweighed by the potential benefit to customers and to the business overall.  In those instances, the organization may determine that the risk is acceptable and the technology is adopted.  In other instances, an organization may determine that the benefits are far outweighed by the risks and the technology is not implemented.  The point is that careful deliberation is sought.  Unfortunately, the current state of the market (economically difficult coupled with rapid technological change) may lead some companies to adopt a new technology as a “me too” strategy.  The appearance may be that by adopting new technologies companies are showing progress and leadership, which will lead to a competitive advantage.  Many times, though, the rapid adoption of new technology without proper vetting can introduce the “unknown unknown” into the environment.

The idea of the “unknown unknown” can be nicely summed up by saying that “you don’t know what you don’t know.” In other words, one doesn’t have enough experience or knowledge about a particular subject to speak definitively about what its potential risks might be. The concept became widely known after Rumsfeld’s famous “unknown unknown” speech. While pundits and comedians alike had a good time poking fun at Rumsfeld for his use of the terms “known unknowns” and “unknown unknowns,” he was referencing something that risk analysts and philosophers alike have discussed for years. The premise of Nassim Taleb’s The Black Swan is largely concerned with operating in a world in which we don’t know what we don’t know. You can reduce the number of unknown unknowns through analysis, evaluation, and research.

One of the ways that companies can mitigate the “unknown unknown” in terms of payment security is to evaluate new technologies against the standards established by the industry. The standards are established to counter the known risks in the payment environment. Any time a new technology is considered, a good practice is to consider how that technology would be integrated into the existing infrastructure and evaluate that result against the standards and against data security best practices (which sometimes evolve at a faster rate than the standards do). Certainly this will not bring to light all possible permutations of risk that might arise from the adoption of a new technology, but it will help address an organization’s compliance status and may help mitigate the risk associated with adopting a new technology.

Dr. Heather Mark, PhD; SVP Market Strategy

Protect yourself as a merchant!  Cardholders can dispute transactions that you have processed through your merchant account.  It would be ideal to not have any chargebacks, but to be prepared for a chargeback, please consider these suggestions:

1. Let your customers know ahead of time what will appear on their card statements. 

2. Make sure that your customers are able to contact you.  If they have a problem or are not satisfied with the merchandise, then they are able to go to you first before going to their bank.  Be sure to respond promptly to any questions or concerns.

3. Have a clear refund/return/cancellation policy.  Make sure your customers are aware of this when they purchase from you.  Have them sign, initial, or click-to-agree to the policy stating they agree to the terms and conditions.

4. Be sure to enter your customer’s full billing address when you submit the charge.  When you process a card with this information, the Address Verification System (AVS) verifies the address entered with the card number through the cardholder’s bank.  Depending on what information matches, you will get different AVS responses.  Most common are:

  • Y-Address and zip code verify
  • A-Address verifies
  • Z-Zip code verifies
  • N-No information verifies

5. If you are shipping merchandise, only ship to a cardholder’s billing address and be sure to enter the full billing address when processing. Keep tracking information for each shipment. You can also request signed delivery confirmation. Be prompt in your shipping.

6. Obtain signed documentation for all the transactions that you process through your merchant account whenever possible. 

7. Enter the security code on the back of the card, the CVV2/CID, when you are processing the card.  This helps to show that the card was present at the time of sale.

By following these steps, you can help to prevent chargebacks from occurring, and to keep yourself protected should they occur by keeping the documentation necessary to resolve a dispute.  For more information on chargebacks, please see our website or check out this link:

FAQ-Chargeback-Fraud
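The seven steps above amount to a pre-shipment rule set plus a list of documents to keep. The example below, added here and not part of the original post or of ProPay’s own processing code, turns steps 4, 5 and 7 into a decision function over the AVS response codes the post lists (Y, A, Z, N) and the CVV2/CID result, and pairs it with the evidence checklist from steps 1, 3 and 5. The `review_threshold` amount, the `CardNotPresentOrder` fields and the sample orders are assumptions constructed for the example; the post does not prescribe a dollar cutoff.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple

# AVS response codes named in the post. Other codes exist in practice but are
# outside this example; anything unlisted is treated as "unknown" and reviewed.
AVS_CODES = {
    "Y": "address and zip code verify",
    "A": "address verifies",
    "Z": "zip code verifies",
    "N": "no information verifies",
}


class Decision(Enum):
    SHIP = "ship"
    REVIEW = "hold for manual review"
    DECLINE = "decline"


@dataclass
class CardNotPresentOrder:
    order_id: str
    amount: float
    avs_code: str
    cvv2_match: bool       # result of submitting the CVV2/CID with the charge
    ship_to_billing: bool  # shipping address equals the billing address submitted


def chargeback_defense_decision(order: CardNotPresentOrder,
                                review_threshold: float = 500.0) -> Tuple[Decision, List[str]]:
    """Apply the post's guidance before shipping; returns the decision and why.

    review_threshold is an assumed value a merchant would tune to its own
    average ticket; it is not taken from the post.
    """
    reasons: List[str] = []
    code = order.avs_code.upper()

    # Hard stops: a CVV2 mismatch or AVS 'N' means the data the buyer supplied
    # does not agree with what the issuing bank holds.
    if not order.cvv2_match:
        reasons.append("CVV2/CID did not match")
    if code == "N":
        reasons.append("AVS N: no information verifies")
    if reasons:
        return Decision.DECLINE, reasons

    # Step 5: only ship to the cardholder's billing address.
    if not order.ship_to_billing:
        reasons.append("ship-to address differs from billing address")
        return Decision.REVIEW, reasons

    if code == "Y":
        reasons.append("AVS Y: address and zip code verify")
        return Decision.SHIP, reasons

    if code in ("A", "Z"):
        reasons.append(f"AVS {code}: partial match ({AVS_CODES[code]})")
        if order.amount > review_threshold:
            reasons.append(f"amount {order.amount:.2f} exceeds review threshold")
            return Decision.REVIEW, reasons
        return Decision.SHIP, reasons

    reasons.append(f"AVS code {code!r} not recognised")
    return Decision.REVIEW, reasons


def evidence_to_retain(order: CardNotPresentOrder) -> List[str]:
    """Documentation the post says to keep so a dispute can be answered."""
    items = [
        "customer's signed / click-to-agree acceptance of the refund and cancellation policy",
        "transaction record showing the full billing address and the AVS response",
        "record of the descriptor the customer was told would appear on the statement",
    ]
    if order.ship_to_billing:
        items.append("carrier tracking number and signed delivery confirmation")
    return items


if __name__ == "__main__":
    # Constructed sample orders, not real transactions.
    samples = [
        CardNotPresentOrder("ord-1", 120.00, "Y", True, True),
        CardNotPresentOrder("ord-2", 800.00, "Z", True, True),
        CardNotPresentOrder("ord-3", 60.00, "N", True, True),
        CardNotPresentOrder("ord-4", 45.00, "Y", False, True),
        CardNotPresentOrder("ord-5", 45.00, "Y", True, False),
    ]
    for o in samples:
        decision, why = chargeback_defense_decision(o)
        print(o.order_id, decision.value, "|", "; ".join(why))
```

The partial-match branch is where a merchant’s own judgement enters: an A or Z response is not a failure, but on a large ticket it is worth a phone call before the goods leave the building, and the reasons list is what gets filed with the order so the documentation is there if a dispute arrives.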

“Why does it matter what I sell? You are just making money off each transaction. There is no risk to you.” This is a common conversation that we have while reviewing and underwriting new merchants. Many people we talk with have used the dispute process on their credit cards. However, most don’t recognize that as the merchant they now shoulder that liability. It is often an eye-opening conversation as they begin to understand why we want to know where they sell their goods or services, how they sell, etc.

Items reviewed in the underwriting process for a merchant account are different from underwriting for an auto loan or mortgage, but the principles are the same. What is the potential for loss and what factors are there to mitigate those issues? Are you processing in a face-to-face environment where you are swiping the card & have a signature? Are all of your transactions done online? If you process online, do you get delivery confirmation at the billing address? What is the average transaction amount? What is your return policy? Do you ship overseas?

There are many other questions, and as we get answers to those questions we are better able to determine the risk of the account. Underwriting for a merchant account involves properly identifying the business that is applying, as well as the individual applicant. Confirmation of the entity’s existence is done through various means, including filings in the state where it is registered. Once the individual and business have been validated we can move on to what is being sold and the manner in which it is sold. The type of product or service being rendered plays a significant role in this process, since some items pose a higher risk than others. We maintain a list on our website that shows products/services that we consider higher risk and those that we prohibit.

We strive to make the underwriting process quick and easy, so you can focus on operating your business. We are here to help you succeed by making credit card acceptance simple, secure and affordable. Should you have any questions before, during or after the underwriting process, please don’t hesitate to contact ProPay.

A recent article on MSNBC detailed a “security issue” at two major banks. The vulnerability in question related specifically to the use of the banks’ phone systems. Generally, when a caller uses the automated account system via telephone, the system verifies the number from which the person is calling. If the number matches the number on the account, the verification process is streamlined. That means that instead of entering an entire account number, the caller can simply enter the last four digits of the number. They would then be able to access the limited information available through the automated phone system. Typically, that would include information such as credit limit, account balance, date and amount of the last payment and similar information. The caller would not be able to access other accounts or to retrieve the account number. The article expressed concern that someone could easily obtain a consumer’s phone number and the last four digits of the card number. By “spoofing” the consumer’s number and entering the last four digits, an ill-intentioned individual could “hack” the system.

The author expresses outrage that such a vulnerability could exist.  Other banks, he insists, require that users enter a complete account number.  He makes no argument about the increased security that may offer to the transaction.  The article goes on to detail exactly how one could hack the system, then call the consumer posing as the bank to use that ill-gotten information to coax more information out of the user that could be used to facilitate identity theft, or even to blackmail users based on their transaction history.

Data security and privacy should be top priorities for any company that deals with consumer information. However, those businesses must also maintain operations. Convenience and security will always be at odds, and companies are tasked with striking just the right balance – making their services easy to access while still protecting consumers and their data. Most companies seek to achieve this balance with the judicious use of risk analyses. During the risk analysis, the company identifies the potential vulnerability and analyzes what the impact would be if that vulnerability were exploited. High-impact events, whether that impact is in terms of frequency or in monetary damage, are addressed and steps taken to mitigate the risk. While this author has no direct knowledge of the business practices of the banks in question, it is unlikely that the bank would have adopted such a practice if the impact to its customers or to the bank was intolerable.

In security, one must balance the theoretical with the practical.  In theory, data is never safe.  There is no way to categorically prevent data theft.  The risk can be transferred (as with insurance policies or third-party service providers) or it can be mitigated by implementing increasingly strong protections, but it cannot be entirely removed.  Security professionals must be able to recognize when a theoretical threat becomes a real one and how to most efficiently allocate resources to address the nature of threat.
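The trade-off the post describes can be made concrete by writing the two phone-system policies side by side and running the same callers through both. The example below is added here; it is not code from the original post and not a model of any bank’s actual system. It assumes four yes/no signals the IVR could have about a call (whether the caller ID matches the number on file, whether the last four digits match, whether the full account number was entered, and whether a PIN matches) and two constructed policies: the streamlined one the article criticises, and a variant in which a matching caller ID only shortens the lookup and never replaces a secret. The scenario names and the `Access` levels are assumptions for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Tuple


class Access(Enum):
    DENIED = "denied"
    LIMITED = "limited"   # balance, credit limit, last payment; never the account number


@dataclass(frozen=True)
class IvrAttempt:
    caller_id_matches: bool      # ANI / caller ID equals the number on file; this signal is not authenticated
    last4_matches: bool          # last four digits of the card number entered correctly
    full_account_matches: bool   # complete account number entered correctly
    pin_matches: bool            # a secret chosen by the customer, not printed on any statement


def streamlined_policy(a: IvrAttempt) -> Access:
    """The design described in the article: a matching caller ID shortcuts
    verification to the last four digits; otherwise the full number is required."""
    if a.caller_id_matches and a.last4_matches:
        return Access.LIMITED
    if a.full_account_matches:
        return Access.LIMITED
    return Access.DENIED


def hardened_policy(a: IvrAttempt) -> Access:
    """Assumed alternative: caller ID may identify the account (saving keystrokes),
    but access still requires a factor an observer cannot read off a card or bill."""
    identified = (a.caller_id_matches and a.last4_matches) or a.full_account_matches
    if identified and a.pin_matches:
        return Access.LIMITED
    return Access.DENIED


# Constructed scenarios for the risk analysis. The third and fourth rows present
# identical inputs to the IVR: that is precisely why the streamlined policy cannot
# tell them apart, and why the hardened policy costs the forgetful customer a call
# to a live agent.
SCENARIOS: Dict[str, IvrAttempt] = {
    "customer on registered phone, knows PIN":        IvrAttempt(True,  True,  False, True),
    "customer on another phone, enters full account": IvrAttempt(False, True,  True,  True),
    "customer on registered phone, forgot PIN":       IvrAttempt(True,  True,  False, False),
    "spoofed caller ID, last four known":             IvrAttempt(True,  True,  False, False),
    "wrong number and wrong digits":                  IvrAttempt(False, False, False, True),
}


def compare_policies() -> Dict[str, Tuple[str, str]]:
    """Run every scenario through both policies; returns name -> (streamlined, hardened)."""
    return {
        name: (streamlined_policy(attempt).value, hardened_policy(attempt).value)
        for name, attempt in SCENARIOS.items()
    }


def convenience_cost() -> int:
    """Number of legitimate-customer scenarios the hardened policy turns away
    that the streamlined policy would have served: the price of closing the gap."""
    legitimate = [n for n in SCENARIOS if not n.startswith("spoofed")]
    results = compare_policies()
    return sum(1 for n in legitimate if results[n] == ("limited", "denied"))


if __name__ == "__main__":
    for name, (weak, strong) in compare_policies().items():
        print(f"{name:48s} streamlined={weak:8s} hardened={strong}")
    print("legitimate callers lost to the hardened policy:", convenience_cost())
```

Reading the output the way the post reads the article: the only row where the two policies disagree on a legitimate caller is the customer who forgot the PIN, and that one row is the convenience the bank buys by accepting the spoofing risk. Whether that trade is acceptable depends on what “limited” information is actually exposed and how often the bad row occurs, which is the risk analysis the post argues the bank has presumably already done.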

Dr. Heather Mark, PhD; SVP of Market Strategy
