Visa fraud alert puts banks, payment processors on guard

It warns of a coming fraudulent batch settlement attempt

Visa Inc. last week sent a fraud alert to banks and payment processors warning them to look out for a "large batch settlement fraud scheme" involving a merchant account in East Europe.

That alert is focusing renewed attention on a longstanding need for banks to tighten up the standards for authorizing merchants who accept credit and debit card payments.

Batch settlements refer to the common practice where merchants store all authorized payment card transactions that occur during a day and then send them in a batch for settlement to their acquiring bank at the close of business. An "acquiring" bank, in payment industry parlance, is the financial institution that basically vets and clears a merchant to accept payment card transactions.

In its alert, Visa said it had received reliable information from a "third-party entity" that a criminal group planned to submit a large batch settlement through a merchant account approved by a bank in Eastern Europe. "The criminals claimed to have access to account numbers and the ability to submit a large batch settlement upload to occur over a weekend," Visa warned.

The company said it had no details about who exactly was involved or when the fraudulent activity might occur. The alert noted that the people behind the scheme were likely a "consortium of online merchants that have been trying to secure processing arrangements after being shut down at several acquirers across many geographies."

In an e-mailed comment, a Visa spokesman said that card issuers and acquiring banks routinely monitor for unusual batch settlements. Even so, it issued the alert as a reminder to "critical stakeholders so they can take cautionary or mitigating steps" against fraud..

Avivah Litan, an analyst with Gartner Inc. said that the type of fraud Visa is warning about has been going on for several years. It typically involves certain categories of high-risk merchants, such as porn sites, which often submit fraudulent transactions using credit card numbers they have collected. Once money is moved from cardholder accounts to the rogue merchant's accounts the funds are quickly withdrawn and the merchant drops out of the payment system, she said.

The situation is largely a result of the relatively loose manner in which merchants are approved to accept payment card transactions, Litan said. Credit card companies and acquiring banks, "need to tighten up their accreditation process and how they onboard new merchants."

She said there are too many third parties and Independent Sales Organizations (ISO) acting on behalf of banks to approve merchant accounts, Litan said. The standards for approval used by such organizations have allowed "too many illegitimate merchants to establish accounts and access to the payment systems," she said.

Michael Petitti, chief marketing officer at Trustwave, a firm that does PCI security audits for some of the largest retail establishments in the U.S., said that poor merchant validation is a problem -- especially with e-commerce.

Sometimes, e-commerce merchants are approved for payment card transactions based on little more than their domain validation SSL certificates, he said. But SSL certificates do little more than establish the right of an applicant to use a specific domain name. The certificates are usually issued without any vetting of the information provided by the domain name holder.

Acquiring banks that are approving new e-commerce merchants for credit card transactions should, at a minimum, ensure that the merchant has acquired an Extended SSL certificate, Petitti said. Those certificates offer a much higher degree of identity validation because they're issued only after the certificate authority has verified the legal, physical and operational existence of a company.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld . Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is jvijayan@computerworld.com .

Read more about security in Computerworld's Security Knowledge Center.

Join the Good Gear Guide newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags trustwavevisaCredit card fraud

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jaikumar Vijayan

Computerworld (US)
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Armand Abogado

HP OfficeJet 250 Mobile Printer

Wireless printing from my iPhone was also a handy feature, the whole experience was quick and seamless with no setup requirements - accessed through the default iOS printing menu options.

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?