Credit card security problems and solutions

Credit card security relies on the physical security of the plastic card as well as the privacy of the credit card number. Therefore, whenever a person other than the card owner has access to the card or its number, security is potentially compromised. Once, merchants would often accept credit card numbers without additional verification for mail order purchases. It’s now common practice to only ship to confirmed addresses as a security measure to minimise fraudulent purchases. Some merchants will accept a credit card number for in-store purchases, whereupon access to the number allows easy fraud, but many require the card itself to be present, and require a signature. A lost or stolen card can be cancelled, and if this is done quickly, will greatly limit the fraud that can take place in this way. European banks can require a cardholder’s security PIN be entered for in-person purchases with the card.

The PCI DSS is the security standard issued by The PCI SSC (Payment Card Industry Security Standards Council). This data security standard is used by acquiring banks to impose cardholder data security measures upon their merchants.

A smart card, combining credit card and debit card properties. The 3 by 5 mm security chip embedded in the card is shown enlarged in the inset. The contact pads on the card enable electronic access to the chip.

The goal of the credit card companies is not to eliminate fraud, but to “reduce it to manageable levels”. This implies that high-cost low-return fraud prevention measures will not be used if their cost exceeds the potential gains from fraud reduction – as would be expected from organisations whose goal is profit maximisation.

Internet fraud may be by claiming a chargeback which is not justified (“friendly fraud”), or carried out by the use of credit card information which can be stolen in many ways, the simplest being copying information from retailers, either online or offline. Despite efforts to improve security for remote purchases using credit cards, security breaches are usually the result of poor practice by merchants. For example, a website that safely uses SSL to encrypt card data from a client may then email the data, unencrypted, from the webserver to the merchant; or the merchant may store unencrypted details in a way that allows them to be accessed over the Internet or by a rogue employee; unencrypted card details are always a security risk. Even encryption data may be cracked.

Controlled Payment Numbers which are used by various banks such as Citibank (Virtual Account Numbers), Discover (Secure Online Account Numbers, Bank of America (Shop Safe), 5 banks using eCarte Bleue and CMB’s Virtualis in France, and Swedbank of Sweden’s eKort product are another option for protecting against credit card fraud. These are generally one-time use numbers that front one’s actual account (debit/credit) number, and are generated as one shops on-line. They can be valid for a relatively short time, for the actual amount of the purchase, or for a price limit set by the user. Their use can be limited to one merchant. If the number given to the merchant is compromised, it will be rejected if an attempt is made to use it again.

A similar system of controls can be used on physical cards. Technology provides the option for banks to support many other controls too that can be turned on and off and varied by the credit card owner in real time as circumstances change (i.e., they can change temporal, numerical, geographical and many other parameters on their primary and subsidiary cards). Apart from the obvious benefits of such controls: from a security perspective this means that a customer can have a Chip and PIN card secured for the real world, and limited for use in the home country. In this eventuality a thief stealing the details will be prevented from using these overseas in non chip and pin (EMV) countries. Similarly the real card can be restricted from use on-line so that stolen details will be declined if this tried. Then when card users shop online they can use virtual account numbers. In both circumstances an alert system can be built in notifying a user that a fraudulent attempt has been made which breaches their parameters, and can provide data on this in real time. This is the optimal method of security for credit cards, as it provides very high levels of security, control and awareness in the real and virtual world.

Additionally, there are security features present on the physical card itself in order to prevent counterfeiting. For example, most modern credit cards have a watermark that will fluoresce under ultraviolet light. A Visa card has a letter V superimposed over the regular Visa logo and a Mastercard has the letters MC across the front of the card. Older Visa cards have a bald eagle or dove across the front. In the aforementioned cases, the security features are only visible under ultraviolet light and are invisible in normal light.

The Federal Bureau of Investigation and U.S. Postal Inspection Service are responsible for prosecuting criminals who engage in credit card fraud in the United States, but they do not have the resources to pursue all criminals. In general, federal officials only prosecute cases exceeding US$5,000. Three improvements to card security have been introduced to the more common credit card networks but none has proven to help reduce credit card fraud so far. First, the on-line verification system used by merchants is being enhanced to require a 4 digitPersonal Identification Number (PIN) known only to the card holder. Second, the cards themselves are being replaced with similar-looking tamper-resistant smart cards which are intended to make forgery more difficult. The majority of smart card (IC card) based credit cards comply with the EMV (Europay MasterCard Visa) standard. Third, an additional 3 or 4 digitCard Security Code (CSC) is now present on the back of most cards, for use in card not present transactions. Stakeholders at all levels in electronic payment have recognized the need to develop consistent global standards for security that account for and integrate both current and emerging security technologies. They have begun to address these needs through organizations such as PCI DSS and the Secure POS Vendor Alliance.

Post comment