(Page 2 of 5)
"Proxy servers hide the identity and location of the criminal by making it look as though their IP address has a different origin," says Bob Nadeau, group executive, product development, for Chase Paymentech, a provider of payment processing and merchant acquiring services. "Retailers need the ability to look beyond the device and determine the combination of identifiable network attributes and associate them with where and how shoppers are accessing their site."
Among the fraud-detection services that Chase Paymentech offers is proxy piercing, a technique that examines much more than the presented IP address of the shopper's computer to determine if a proxy server is being used and to establish the true geographic location of the shopper's IP address. Knowing the true location of the command and control computer used to originate the transaction can help retailers determine if the device location at the time of the purchase is somewhere other than the location entered in the online checkout form.
A three-way threat
Triangulation is another scam that criminals are effectively using to cover their tracks. The scam takes place on eBay, where a criminal can pose as a legitimate seller and place a high-value item up for auction, such as jewelry or electronics, without actually being in possession of the product. The aim of the scam is to acquire from an unsuspecting buyer all the necessary payment card information needed to make an online purchase.
The scam works like this: The criminal lists an item for auction she knows can be purchased on another retailer's web site. After selecting the winning bid, the criminal uses the buyer's credit card account information and shipping information to purchase the item from another retailer, which sends it to the winning bidder.
The criminal then uses the consumer's credit card account information to purchase items she can quickly resell. The items are shipped to a so-called safe address the criminal has set up to receive fraudulently purchased goods, but at which she does not reside. A safe address can be an apartment or office rented under a false identity.
When the victim reports her card has been used to make fraudulent purchases, law enforcement agents have difficulty tracking the source of the fraud because the criminal has set up a seller's account on eBay using a false identity and made purchases from other merchants using legitimate credit card accounts.
"Criminals can use triangulation to scam multiple consumers out of their account information at once by listing several items for auction," says Bill Roese, senior vice president of fraud management solutions at FIS North America, a provider of banking and payments technologies. "Triangulation creates a lot of confusion about the origin of the fraud."
Being aware of the fraud scams used by criminals is just one piece of the fraud-prevention puzzle. Retailers are coming under increasing pressure from the credit card companies to not only protect customer credit card data, but to keep track of where that data travels within their computer networks, who has access to it, and where it may unexpectedly be stored.
In other words, retailers are being urged by the card companies to avoid storing customer credit card data and to improve their internal audits. That point was driven home last October when the PCI Security Standards Council for the first time in its five-year existence listed merchants not storing card data as a best practice for data security. Prior to that action, the message was blended into the PCI Council's push for industry compliance with the Payment Card Industry Data Security Standard (PCI DSS). The new best practice is part of the compliance guidelines for version 2.0 PCI DSS, which took effect in January 2011.
To the extent fewer merchants store credit card account data, the PCI Council and the payment card companies hope to create a smaller defensive perimeter that will be easier to defend against hackers.
"PCI 2.0 is a set of best practice guidelines that merchants can follow to mitigate the risk of being hacked by eliminating the storage of credit card data in their servers," says Sheryl York, compliance manager for Litle & Co., a payments management company specializing in card-not-present transactions. "The latest version of the standard is also emphasizing the need for merchants to perform a scoping exercise prior to an assessment to make sure they know every place card account data may wind up within their organization."
Knowing all the places cardholder data can be stored within their operating platform is critical, York adds, because card data can show up in unexpected places within a retail organization. Data security experts tell stories of audits that turned up card data in the human resources department, she says.
When card data finds its way into such unlikely places it opens a back door for hackers. Hackers need only to attach a sniffer program to a merchant's operating platform to locate unencrypted card data and copy it. "Studies have shown that of merchants suffering a data breach, 75% were not PCI-compliant," says GlobalCollect's Vanpraet.
While that statistic alone ought to be enough to motivate merchants to follow PCI rules, it is not. "In the United Kingdom, only about 58% of Level 1 online merchants were PCI-compliant in early 2010, so there is still a long way to go before full compliance is achieved," Vanpraet adds. Level 1 refers to the largest merchants.
GlobalCollect, which services merchants all over the world, offers a scalable fraud-screening service that features a range of integrated fraud-reduction tools in collaboration with best-in-class partners alongside its wide variety of payment options, such as credit, debit and prepaid cards, direct debits, cash, bank transfers, real-time bank transfers and electronic wallets like PayPal, WebMoney, cashU and Moneybookers.
Tokens, not card numbers
A merchant's vendor relationships can also open back doors to unencrypted card data. "Merchants not only need to know what departments within their own organization touch customer credit card data, but which of their vendors touch it and whether those vendors are PCI-compliant," says York of Litle & Co. "Merchants need to be certain that customer card account data is secure at all touch points."