Visa fraud alert puts banks, payment processors on guard

It warns of a coming fraudulent batch settlement attempt

Visa Inc. last week sent a fraud alert to banks and payment processors warning them to look out for a "large batch settlement fraud scheme" involving a merchant account in Eastern Europe.

That alert is focusing renewed attention on a longstanding need for banks to tighten up the standards for authorizing merchants who accept credit and debit card payments.

Batch settlements refer to the common practice where merchants store all authorized payment card transactions that occur during a day and then send them in a batch for settlement to their acquiring bank at the close of business. An "acquiring" bank, in payment industry parlance, is the financial institution that basically vets and clears a merchant to accept payment card transactions.

In its alert, Visa said it had received reliable information from a "third-party entity" that a criminal group planned to submit a large batch settlement through a merchant account approved by a bank in Eastern Europe. "The criminals claimed to have access to account numbers and the ability to submit a large batch settlement upload to occur over a weekend," Visa warned.

The company said it had no details about who exactly was involved or when the fraudulent activity might occur. The alert noted that the people behind the scheme were likely a "consortium of online merchants that have been trying to secure processing arrangements after being shut down at several acquirers across many geographies."

In an e-mailed comment, a Visa spokesman said that card issuers and acquiring banks routinely monitor for unusual batch settlements. Even so, Visa issued the alert as a reminder to "critical stakeholders so they can take cautionary or mitigating steps" against fraud.

Avivah Litan, an analyst with Gartner Inc., said that the type of fraud Visa is warning about has been going on for several years. It typically involves certain categories of high-risk merchants, such as porn sites, which often submit fraudulent transactions using credit card numbers they have collected. Once money is moved from cardholder accounts to the rogue merchant's accounts, the funds are quickly withdrawn and the merchant drops out of the payment system, she said.

The situation is largely a result of the relatively loose manner in which merchants are approved to accept payment card transactions, Litan said. Credit card companies and acquiring banks "need to tighten up their accreditation process and how they onboard new merchants."

There are too many third parties and Independent Sales Organizations (ISOs) acting on behalf of banks to approve merchant accounts, Litan said. The standards for approval used by such organizations have allowed "too many illegitimate merchants to establish accounts and access to the payment systems," she said.

Michael Petitti, chief marketing officer at Trustwave, a firm that does PCI security audits for some of the largest retail establishments in the U.S., said that poor merchant validation is a problem -- especially with e-commerce.

Sometimes, e-commerce merchants are approved for payment card transactions based on little more than their domain validation SSL certificates, he said. But SSL certificates do little more than establish the right of an applicant to use a specific domain name. The certificates are usually issued without any vetting of the information provided by the domain name holder.

Acquiring banks that are approving new e-commerce merchants for credit card transactions should, at a minimum, ensure that the merchant has acquired an Extended Validation (EV) SSL certificate, Petitti said. Those certificates offer a much higher degree of identity validation because they're issued only after the certificate authority has verified the legal, physical and operational existence of a company.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.


Jaikumar Vijayan

Computerworld (US)
