Visa fraud alert puts banks, payment processors on guard

It warns of a coming fraudulent batch settlement attempt

Visa Inc. last week sent a fraud alert to banks and payment processors warning them to look out for a "large batch settlement fraud scheme" involving a merchant account in East Europe.

That alert is focusing renewed attention on a longstanding need for banks to tighten up the standards for authorizing merchants who accept credit and debit card payments.

Batch settlements refer to the common practice where merchants store all authorized payment card transactions that occur during a day and then send them in a batch for settlement to their acquiring bank at the close of business. An "acquiring" bank, in payment industry parlance, is the financial institution that basically vets and clears a merchant to accept payment card transactions.

In its alert, Visa said it had received reliable information from a "third-party entity" that a criminal group planned to submit a large batch settlement through a merchant account approved by a bank in Eastern Europe. "The criminals claimed to have access to account numbers and the ability to submit a large batch settlement upload to occur over a weekend," Visa warned.

The company said it had no details about who exactly was involved or when the fraudulent activity might occur. The alert noted that the people behind the scheme were likely a "consortium of online merchants that have been trying to secure processing arrangements after being shut down at several acquirers across many geographies."

In an e-mailed comment, a Visa spokesman said that card issuers and acquiring banks routinely monitor for unusual batch settlements. Even so, it issued the alert as a reminder to "critical stakeholders so they can take cautionary or mitigating steps" against fraud..

Avivah Litan, an analyst with Gartner Inc. said that the type of fraud Visa is warning about has been going on for several years. It typically involves certain categories of high-risk merchants, such as porn sites, which often submit fraudulent transactions using credit card numbers they have collected. Once money is moved from cardholder accounts to the rogue merchant's accounts the funds are quickly withdrawn and the merchant drops out of the payment system, she said.

The situation is largely a result of the relatively loose manner in which merchants are approved to accept payment card transactions, Litan said. Credit card companies and acquiring banks, "need to tighten up their accreditation process and how they onboard new merchants."

She said there are too many third parties and Independent Sales Organizations (ISO) acting on behalf of banks to approve merchant accounts, Litan said. The standards for approval used by such organizations have allowed "too many illegitimate merchants to establish accounts and access to the payment systems," she said.

Michael Petitti, chief marketing officer at Trustwave, a firm that does PCI security audits for some of the largest retail establishments in the U.S., said that poor merchant validation is a problem -- especially with e-commerce.

Sometimes, e-commerce merchants are approved for payment card transactions based on little more than their domain validation SSL certificates, he said. But SSL certificates do little more than establish the right of an applicant to use a specific domain name. The certificates are usually issued without any vetting of the information provided by the domain name holder.

Acquiring banks that are approving new e-commerce merchants for credit card transactions should, at a minimum, ensure that the merchant has acquired an Extended SSL certificate, Petitti said. Those certificates offer a much higher degree of identity validation because they're issued only after the certificate authority has verified the legal, physical and operational existence of a company.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld . Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is jvijayan@computerworld.com .

Read more about security in Computerworld's Security Knowledge Center.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags trustwavevisaCredit card fraud

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jaikumar Vijayan

Computerworld (US)
Show Comments

Essentials

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?