A second wave of attacks began midday Friday after much of the eastern United States was affected in the morning. Sites affected included Etsy, ...
(Page 3 of 5)
As part of the movement by the card companies to eliminate the storage of credit card data by merchants, providers of fraud-prevention services are pushing tokenization. Tokenization is a method by which account data for credit cards used to make an online purchases are stored in a secure server by the merchant's acquiring bank or gateway provider.
Each time the merchant submits a card authorization request, a token is created using unique identification symbols that retain all the essential account information and is returned to the merchant. With no actual card account data stored on the merchant's server, it reduces the merchant's liability if its server is hacked.
The same is true if a hacker breaks in to an acquiring bank's database. "The advantage of tokenization is that even if the token is hacked, it cannot be used to make a purchase because all but the last four digits of the card number have been encrypted," says Retail Decision's Clump. "The acquirer can link the encrypted data back to the actual card account, but the hacker can't."
In addition to providing tokenization, Retail Decisions offers ReD Shield, a fraud-detection service hosted by ReD that uses analytics, rules, neural network technology and pooled data to identify all the components of a fraudulent transaction and the relationships among those components across multiple merchant categories, then assembles them in real time. This allows retailers to flag and review a suspect transaction before making a decision whether to accept it, request more information from the consumer or reject the transaction.
As part of its efforts to keep actual credit card account data from passing through a merchant's web site, Litle & Co. has created a merchant-branded checkout page. The page communicates directly with the consumer's web browser. After the consumer enters his card data, his web browser sends it directly to Litle & Co.'s secure server where it is tokenized. Once the data is tokenized, the tokenÑan alphanumeric code that includes only the last four digits of the card numberÑis returned to the consumer's web browser, which inserts the token in the field on the checkout page that requests the card number.
"The flow of card information completely bypasses the retailer's web site so the retailer never touches it, which reduces their risk," explains Osman Perksoy, principal product manager for Litle & Co.'s Litle Vault application. "Using this method, the merchant does not have to interact with us using sensitive cardholder data, which closes another door to card data-related fraud."
Beyond providing tokenization services, Litle & Co. offers credit and debit card processing, including recurring billing advice, alternative payments such as BillMeLater, electronic checks and PayPal, as well as international transaction processing.
Beyond the account
Besides encrypting cardholder data, merchants need to identify the device being used to access their web sites. Device fingerprinting, a technique that tracks the signal emitted by the operating system running on a mobile device, tablet, laptop or desktop computer, is playing a growing role in fraud detection.
Retailers can also identify a device through a cookie, which is a small text file containing a unique identification tag. Retailers routinely attach cookies to the devices used to visit their sites to identify customers when they return and more accurately track their viewing and purchasing habits.
Once the device being used to access the retailer's site has been identified, it can be cross-referenced against a database of transactions linked to the device. "Some devices may be linked to multiple credit cards, mailing addresses, e-mail addresses or chargebacks, which can be a red flag," says Chase Paymentech's Nadeau. "Device fingerprinting is an important part of fraud prevention because it gets retailers away from relying primarily on whether the card account is valid or has been stolen."
Chase Paymentech, which says it processes about half of all online transactions, provides merchants with such fraud-prevention services as database aggregation and tokenization. Chase Paymentech can authorize transactions in more than 130 currencies and provide retailers with credit cards, debit cards, prepaid stored value cards and electronic check processing.
One risk associated with linking the number or transactions to a specific access device or credit card is that the information can be dated, which limits a merchant's ability to properly interpret the data. It is recommended that merchants use real-time, aggregated databases capable of linking order histories to a specific device or credit card across a broad base of merchants. By doing so, retailers can more accurately check whether a particular credit card is being used at an unusually high rate.
"A lot of criminals will use computer programs to simultaneously make purchases from multiple merchants using a single card or device," explains Rouse. "Relying on static databases, even though they may use aggregate data, only shows a history of the card or device in question, not the extent of its activity in real time. Without a real-time window into card or device activity retailers can be lulled into a false sense of security."