Visa fraud alert puts banks, payment processors on guard

It warns of a coming fraudulent batch settlement attempt

Visa Inc. last week sent a fraud alert to banks and payment processors warning them to look out for a "large batch settlement fraud scheme" involving a merchant account in East Europe.

That alert is focusing renewed attention on a longstanding need for banks to tighten up the standards for authorizing merchants who accept credit and debit card payments.

Batch settlements refer to the common practice where merchants store all authorized payment card transactions that occur during a day and then send them in a batch for settlement to their acquiring bank at the close of business. An "acquiring" bank, in payment industry parlance, is the financial institution that basically vets and clears a merchant to accept payment card transactions.

In its alert, Visa said it had received reliable information from a "third-party entity" that a criminal group planned to submit a large batch settlement through a merchant account approved by a bank in Eastern Europe. "The criminals claimed to have access to account numbers and the ability to submit a large batch settlement upload to occur over a weekend," Visa warned.

The company said it had no details about who exactly was involved or when the fraudulent activity might occur. The alert noted that the people behind the scheme were likely a "consortium of online merchants that have been trying to secure processing arrangements after being shut down at several acquirers across many geographies."

In an e-mailed comment, a Visa spokesman said that card issuers and acquiring banks routinely monitor for unusual batch settlements. Even so, it issued the alert as a reminder to "critical stakeholders so they can take cautionary or mitigating steps" against fraud..

Avivah Litan, an analyst with Gartner Inc. said that the type of fraud Visa is warning about has been going on for several years. It typically involves certain categories of high-risk merchants, such as porn sites, which often submit fraudulent transactions using credit card numbers they have collected. Once money is moved from cardholder accounts to the rogue merchant's accounts the funds are quickly withdrawn and the merchant drops out of the payment system, she said.

The situation is largely a result of the relatively loose manner in which merchants are approved to accept payment card transactions, Litan said. Credit card companies and acquiring banks, "need to tighten up their accreditation process and how they onboard new merchants."

She said there are too many third parties and Independent Sales Organizations (ISO) acting on behalf of banks to approve merchant accounts, Litan said. The standards for approval used by such organizations have allowed "too many illegitimate merchants to establish accounts and access to the payment systems," she said.

Michael Petitti, chief marketing officer at Trustwave, a firm that does PCI security audits for some of the largest retail establishments in the U.S., said that poor merchant validation is a problem -- especially with e-commerce.

Sometimes, e-commerce merchants are approved for payment card transactions based on little more than their domain validation SSL certificates, he said. But SSL certificates do little more than establish the right of an applicant to use a specific domain name. The certificates are usually issued without any vetting of the information provided by the domain name holder.

Acquiring banks that are approving new e-commerce merchants for credit card transactions should, at a minimum, ensure that the merchant has acquired an Extended SSL certificate, Petitti said. Those certificates offer a much higher degree of identity validation because they're issued only after the certificate authority has verified the legal, physical and operational existence of a company.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld . Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is jvijayan@computerworld.com .

Read more about security in Computerworld's Security Knowledge Center.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags visatrustwaveCredit card fraud

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jaikumar Vijayan

Computerworld (US)
Show Comments

Father’s Day Gift Guide

Brand Post

Bitdefender 2019

Bitdefender solutions stop attacks before they even begin! Get cybersecurity that 500 MILLION users already have and trust.

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?