PayPal, eBay’s payments arm, says StackMob will help PayPal further its mobile payments capabilities, and PayPal will help StackMob clients better enable payments in ...
Card verification numbers serve offline world, but are they a remedy for Internet card fraud?
(Page 2 of 3)
MasterCard and Visa provide additional incentives for merchants to use CVNs. These include the potential for reduced discount rates and some minimal chargeback/re-presentment rights.
Visa and MasterCard have special interchange categories that they use to determine the interchange applicable rate called Incentive Interchange Rate Programs. The interchange rate is a fee paid to the issuing bank by the acquiring bank and is usually passed on to merchants, as part of the discount fee. There are numerous factors that drive interchange fees: speed, risk, processing, float and marketing are just a few.
In October and November of this year Visa is introducing two new Custom Payment Service categories; e-commerce basic and e-commerce preferred. Whether it is Visa’s Custom Payment Services programs or MasterCard’s Merit programs, the message is the same for e-merchants: provide the information in the transaction/authorization fast enough to qualify for the most advantageous interchange rates.
If the card issuer fails to respond to a CVN request, the merchant’s acquirer has the right to re-present a chargeback on the merchant’s behalf, stating the issuer did not validate the CVN information and therefore did not allow the merchant to utilize industry standard security measures.
In an effort to fully implement CVN checking, both MasterCard and Visa have recently mandated participation by issuers, processors, and acquirers. Merchant participation is voluntary. Absent from the list of entities covered by the mandate are transaction processing vendors, e- commerce transaction processing platforms, gateways, and other transaction facilitators that sit between the merchant and the acquirer in the transaction processing flow. This is because these non-member processors are not within the scope of MasterCard’s and Visa’s mandates. The business and information technology decisions of these non-member processors will clearly impact their client merchant’s ability to benefit from CVNs.
Of course, any merchant will want to run a cost/benefit analysis of adopting CVNs. Among the costs a merchant will want to take into account are:
- additional costs of authorization,
- the cost of lost orders if asking
for a CVN causes some customers to abandon their shopping carts. One way to
test that cost is to ask for CVNs on only a small portion-say 5%-of sales
and see what effect it has.
- the cost of follow-up from customer
service or risk management if a customer enters a number incorrectly and the
transaction cannot be completed
- the cost of adding the software code and procedures to allow the merchant to capture the CVN. This will vary depending on whether the merchant is using an outside hosting service or if in-house staff performs the coding and hosting. Furthermore, adding the extra step will typically be subject to review by quality assurance, customer service and marketing departments, further adding to the cost.
On the benefit side, of course, is the opportunity to reduce fraud and chargebacks. The card companies monitor each merchant’s volume of chargebacks. If the merchant’s chargeback volume is deemed excessive the merchant’s card acceptance rights can be terminated. All the associations take chargeback volumes seriously; for example, Visa, effective Nov. 1, will cut the acceptable chargeback rates in half for its Global Merchant Chargeback Monitoring Program.
An added benefit may be the opportunity to salvage some transactions by proceeding with seemingly risky transactions that the merchant might have denied before. While most people would assume that all transactions would be approved, I assume that some legitimate ones would be denied and thus these procedures would save them.
The bad news
While CVNs are finally gaining in widespread use, fraudsters are quickly adopting new methods to get around security checks. The Internet is providing a virtual automation tool that was unavailable in the physical world. Some web sites allow customers to enter their transaction information with no limitations to the number of attempts.
This “customer service” feature allows the criminals to enter the number over and over again until they get it right. With the use of electronic wallets or scripts, fraudsters can automate this attack until they get a valid number. Probably the most limiting feature of the CVNs is the fact that they are clearly printed on cards. Thus, they are easily compromised at the point of sale.
A low-tech approach
To get past CVN security, card fraud now combines skimming techniques with identity theft for e-commerce transactions. The new fraud typically follows this scenario:
1. A clerk skims the contents of the magnetic stripe, obtaining, among other things, the account number, expiration date, and the customer’s name.
2. The clerk turns over the card appearing to check the signature, but is really memorizing the simple 3-digit CVN.
3. With the above information obtained, the clerk then obtains the cardholder’s address from any of dozens of Internet sites.
4. The clerk now has account number, expiration date, CVN, address information and is free to shop on the Internet.
As one of more than a dozen security features on the payment card today, CVNs are useful weapons in the fight against online card fraud. They are not, however, a silver bullet that will make card fraud go away. When used in conjunction with advanced statistical risk management tools, CVNs provide solid, additional protection. But in the end, there is never a real substitute for a comprehensive risk management strategy that works in concert with continuously improving security methods to stay a step ahead of the criminals.
Wesley Wilhelm is director of risk management and consulting at San Diego-based HNC Software Inc. He can be reached at email@example.com