Credit Card Security: Where Are We Now?
Dec 7, 2005 5:00 AM PT
Summer is behind us, but recent memories of credit card processing breaches are still haunting security-conscious consumers, safety-minded merchants and bustling banks.
While CardSystems Solutions made media headlines in June after a computer virus captured the private information of millions of consumers, it was certainly not the only security breach that compromised identities this year.
In the same month, Citigroup reported that United Parcel Service lost computer tapes with sensitive information from 3.9 million of its home loan customers. And in February, ChoicePoint admitted that hackers stole as many as 145,000 identities from its database.
The question is, what have the credit card companies -- and the banks that issue those cards -- done since summertime to shore up their systems? Are there safeguards in place to ensure that holiday shoppers' data is protected from fraudsters?
Matt Ornce, COO of EPX, a payment processing company that works with Visa, MasterCard, Discover and American Express, told the E-Commerce Times that there have been many changes since June 2005 -- and he predicted that much more change is on the way.
"The CardSystems situation was sort of the credit card industry's 9/11. Everyone involved in the whole chain, from merchants through associations, has to react to it," Ornce said. "There are even bills in Congress that would mandate customer notification if their personal information is at risk. Individual states are also working on passing legislation."
Visa, MasterCard and Discover have plenty to say about what they've been doing to safeguard data since the summer. American Express did not return calls seeking comment.
Visa's Two Cents
While high-tech fraudsters have devised ever-more sophisticated attacks, Visa USA is fighting back with new technology to detect these emerging threats and help shut them down on the spot.
Visa launched a new security initiative that coincided with the dreaded CardSystems breach last summer. In June, the company rolled out a patent-pending technology designed to help stop card fraud before it occurs -- right at the checkout line.
Dubbed Advanced Authorization, the technology pinpoints and addresses coordinated attacks on multiple accounts in real time, according to Visa. Visa predicts the technology will prevent about US$164 million in fraud losses over the next five years.
Here's how it works: When a Visa card is used, Advanced Authorization provides an instantaneous rating of that transaction's potential for fraud to the financial institution that issued the card, including whether it was part of a reported data security compromise.
The Issuer is then able to send an immediate response back to the merchant whether to accept or decline the transaction. Visa said technology is being applied to every Visa credit and check card purchase today.
"Fighting fraud and protecting cardholders has always been a high priority for Visa," said Jean Bruesewitz, senior vice president of Processing and Emerging Products for Visa USA. "Visa is continually investing in the most sophisticated fraud-fighting systems to stay one step ahead of the criminals."
Partnering for Security
In August, Visa made yet another security move, partnering with identity risk management company ID Analytics to help financial institutions better identify and stop fraudulent debit and credit card applications.
Visa Advanced ID Solutions provides members with a customized version of ID Analytics ID Score -- an empirically-derived risk assessment score that determines the likelihood of whether applicants are who they claim they are.
A joint study by Visa and ID Analytics projects that member financial institutions that use the ID Score in combination with Issuers' Clearinghouse Service alerts could realize an incremental lift in identification of fraudulent applications of between 17 and 34 percent. The service won't be ready for this holiday season -- it's scheduled to launch in 2006.
"One of Visa's highest priorities is to protect cardholders and our members from fraud and identity theft," Bruesewitz said. "Visa's offering of the ID Analytics identity risk score will help thwart identity thieves' attempts to open new payment card accounts or take over existing accounts."
Discovering New Measures
Meanwhile, Discover Financial Services is working to discover the root of fraud problems. Laura Gingiss, a spokesperson for Discover Financial Services, told the E-Commerce Times that the company continues to monitor ongoing fraud trends looking for any indication of a data compromise with a merchant, processor, or Internet value-added reseller.
"We study each documented data compromise to understand the vulnerabilities the hacker was able to exploit," she said. "For example, was the vulnerability with the point of sale software? Was the software storing track data? Was the data unencrypted? And so on. As a company, we want to identify the breach with speed."
Gingiss said Discover's goal is to ensure the forensic response is thorough, complete, and the remediation of the problem permanent. Most importantly, she said, the company wants to ensure its card holders' interests are thoroughly resolved with no lastly issues of fraud for them to be concerned about.
With all that said, Discover has issued no press announcements about new security features since the CardSystems fiasco in June.
Mastering Credit Card Security
MasterCard, on the other hand, has taken some aggressive measures against fraud -- at least outside of the U.S. In July, MasterCard announced that the Asia/Pacific region, where credit card fraud is traditionally high, has adopted a zero liability rule for unauthorized use of a consumer cards issued there.
"This zero liability rule has been a work-in-progress for some time, taking into account the great diversity across the Asia/Pacific markets," said Andre Sekulic, president of Asia/Pacific, Middle East and Africa, MasterCard International.
MasterCard did not return calls seeking comment on efforts it is making in the U.S. and Europe. However, the company has not made any public announcements about new security measures outside of Asia since June.
Are Credit Card Companies Doing Enough?
At the end of the day, are credit card companies doing enough to protect consumers, merchants and banks from fraud? The results will have to speak for themselves, but companies like CyberSource are keeping tabs on Internet-based credit card fraud and, according to the results of its 2006 Fraud Survey, there is more work to be done.
CyberSource reports fraudsters will take $2.8 billion out of e-commerce sales in 2005. Medium and large merchants with online sales of more than $5 million are the hardest hit. And international order risk is three times higher than the overall average.
Vic Dolcourt, senior product manager for risk products at CyberSource Corporation, told the E-Commerce Times that the issue of credit card security boils down to trust.
"Companies like eBay have built Trust and Safety Departments to focus on educating consumers and building trust," Dolcourt said. "The CardSystems breach raised issues of trust for merchants and consumers. It's an old-fashioned confidence game that's moved to the Internet."
Credit Card Security: Where Are We Now? is Part One of a three-part series on credit card security by E-Commerce Times reporter Jennifer LeClaire. Look for Part Two on Dec. 14. Part Three will run on Dec. 21.