Credit Card Fraud! Again? Really?

Posted at — Apr 30, 2012

I’m somewhat of an expert when it comes to credit card systems. I have worked for the likes of NaBanco, First Data, WildCard Systems, MetaVentures, Insight Cards, Klarna, NXSystems. I have also collaborated and certified directly with Visa, MasterCard, American Express, and Discover. I have also designed open and closed loop systems including stealth platforms like insurance eligibility. Finally, I have participated in several PCI audits as the target and the auditor.

Yet I was still outraged when I received a letter from a major card brand that my account had been compromised; they go on to reassure me that my social security number and some other private details have not been compromised.

Let me be perfectly clear here. *** This is utter and total bullshit !!! *** I’d like a chance to repeat myself but that might be gloating or looking for business.

Firstly; PCI and many other security and privacy measures are not as secure as I’d like. PCI takes the rent-a-cop approach to security. Observe and record. There is nothing in the PCI document that tells the institution to take an active role.

Secondly; the Rules and Regulations for the various major associations do not go any further than PCI when it comes to detection or the active prevention of fraud. Again, observe and record. And unless you are doing something that is going to hurt the brand name, the issuers and acquirers can take whatever risks they deem necessary to capture and keep a cardholder.

The CEO of Klarna (Sweden) is always talking about removing friction from the transaction process. His company’s product does not use credit cards and is similar to Bill Me Later (temporary credit is offered on the fly). Part of what makes his product successful is not that his customer’s credit is tied to their SSN but that the laws in the countries where Klarna operates are mindful of how this private information is being used; in fact it’s not so private.

GLOSSARY

(The labels are the ones used in the diagram that accompanied this post, read left to right.)

(smiley) This is the cardholder. The cardholder is on both sides of the picture because the cardholder deposits his hard earned cash into a bank or makes partial or full payments for credit that had been provided. The cardholder also buys goods or services from merchants. Therefore the cardholder is on both sides of the credit equation.

(M) This is the merchant. The merchant provides goods and services to cardholders. The merchant also pays a percentage of each sale to all of the entities to the right.

(MB) The merchant bank is where the final settlement funds are deposited once the transactions have cleared.

(GW) The gateway processor is considered a third-party service provider. They provide some level of transaction, reporting or security service for the merchant. They may also provide other types of business integration or workflow.

(GW Bank) Depending on the acquirer’s rules, the gateway processor has a clearing bank in order to capture its commission from the day’s transactions.

(AP) The acquiring processor is just a technical entity that processes transactions between the merchant and the association. The AP does not actually have to be a bank, but it needs to be bank sponsored.

(A Bank) The acquiring processor bank performs the clearing function for the acquiring processor; more importantly, this bank sponsors the AP’s relationship with the association.

(association) Visa and MasterCard are associations of banks. American Express is referred to as an association but was a privately held company at one time. Discover was spun off from Sears and is/was also a proper bank.

(IP) Like the AP, the issuing processor does not need to be a proper bank. The IP need only be sponsored.

(IP Bank) The issuing processor bank handles the clearing and settlement on an on-demand basis. Sometimes this entity is extending credit to the cardholder and sometimes this entity is holding the cardholder’s deposits. It depends on the individual card program.

(Bank) The cardholder bank is where the cardholder interacts with deposits and payments.

Authorization - this is the first part of a 2 or 3 step process (from the merchant’s side). It depends on where the transaction is being performed. If you are buying a book from the book store then this is the first of 2 transactions. It’s just intended to see if you have enough funds. If it’s a gas station or a restaurant then it’s a pre-authorization, because the final amount is not yet known (at a restaurant, it is absent of a tip).

Settlement - the settlement process takes place at least once a day (from the merchant’s side). It is when the point of sale device tells the issuers which transactions were actually completed. This triggers the clearing and settlement process.

Clearing and Settlement - the association takes all of the settled transactions, groups them together and sends like transactions to the individual issuing processors along with a “demand” file, which the issuer uses in order to pay the association.

Single Message System - this is when the authorization and the settlement are performed in one transaction. ATM transactions are typical single message system transactions.

PS: There are few differences between credit cards and debit cards. I suppose the actuaries have a different view of this but it amounts to the same results. It’s still a 15 or 16 digit card number.

The Short Version

What does all of this mean?

The cardholder bank makes money when you deposit money and potentially gives you a fraction back as interest, once they have charged you fees. The cardholder bank also makes money during the clearing and settlement process as “demand”. The bank does pay processing fees of a sort but the majority of the bank’s gross revenue comes from the transaction.

The reality is that the merchant pays the freight on card transactions. And that is passed through to the cardholder.

NOTE: if you want to create an issuing processor from the ground up then I strongly recommend that you get someone to do the IP for you. Get some cardholders and capture the transaction revenue. You can also use your own system (although you might be processing on someone else’s IP, at least you are getting instant discounts. I hope that makes sense). This is the reason that Discover can return 5% on all transactions, and similar for Costco-Amex and others.

What does it all mean?

Someone in the diagram above lost, or allowed to be stolen, my data. Whether or not that data is used to perform actual fraudulent transactions should not be my problem. I pay to get the card. I pay to use the card. And I get a fraction of the value in interest if I do nothing… except fees for not using it.

This letter that I received should not be a “get out of jail free” card for whichever entity permitted my data to leak. I should be able to sue them individually because any class action lawsuit only benefits the lawyers and not the cardholders. In fact they should just start dumping money on my doorstep in advance of any bad thing that might happen. And more importantly, I will be watching my credit scores for the rest of my life… looking over my shoulder waiting for someone to take advantage.

PS: Suze Orman once said that you should never cancel a credit card. If you do it will negatively affect your credit score. I have a Delta/Amex frequent flier card that I do not use. They charge me $100/year for membership and I get nothing in return except that they extended me some credit that I have to pay for anyway if I elect to use it.

In the US our laws seem to protect corporate America and not America. What is good for corporate America is not always good for me!

In Summary

We are not safe and we are paying too much.

I almost forgot… the reason for writing this post in the first place.

The association that sent me the letter recommended that I check with the various credit bureaus in order to see whether my personal information was in fact being used. True, that is an option; however, the credit bureaus only give me one or two free reports a year. And if you’ve ever used their services, they harass you with FUD and other tough sales pitches and tactics in order to get you into a subscription. The wording in their online apps is so questionable it was obviously intended to get me or anyone else to make a mistake.

Really what I’m suggesting here is that this service needs to be FREE for the individual. Forever.
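The glossary above describes authorization (or pre-authorization), the merchant’s end-of-day settlement batch, the association’s clearing with a per-issuer “demand” file, and the single-message ATM case as separate steps. The following Python is an added illustration of that lifecycle, not code from the original post or from any processor named in it; the card numbers, issuer names, merchants and amounts are constructed, and the rule that only a pre-authorization may settle for an amount different from the one authorized is this example’s own assumption.

```python
"""Toy model of the card transaction lifecycle from the glossary:
authorization / pre-authorization, merchant settlement, association
clearing with a per-issuer demand file, and the single-message case.
All identifiers and amounts below are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Card:
    pan: str                 # constructed 16-digit card number, not a real account
    issuer: str              # issuing processor that clears this card's transactions
    available: int           # available funds or credit, in cents
    holds: dict = field(default_factory=dict)   # auth_id -> held cents


@dataclass
class Authorization:
    auth_id: str
    pan: str
    merchant: str
    amount: int
    pre_auth: bool           # restaurant/fuel: final amount may differ (tip, fuel pumped)


def authorize(card, merchant, amount, auth_id, pre_auth=False):
    """Step 1: check that funds exist and place a hold on them."""
    if amount <= 0 or amount > card.available:
        return None                              # declined, nothing held
    card.available -= amount
    card.holds[auth_id] = amount
    return Authorization(auth_id, card.pan, merchant, amount, pre_auth)


def settle(cards, completed):
    """Step 2 (merchant's batch): report which authorizations actually
    completed and at what final amount. `completed` maps auth_id to
    (Authorization, final_amount). Returns the settled (auth, amount) pairs."""
    settled = []
    for auth, final in completed.values():
        card = cards[auth.pan]
        held = card.holds.pop(auth.auth_id)
        # Assumption of this model: a full authorization must settle as authorized.
        if final != held and not auth.pre_auth:
            raise ValueError(f"{auth.auth_id}: final amount differs from a full authorization")
        card.available += held - final           # release unused hold, or take the tip
        settled.append((auth, final))
    return settled


def release_unsettled(cards):
    """Authorizations the merchant never settled give their holds back."""
    for card in cards.values():
        for auth_id in list(card.holds):
            card.available += card.holds.pop(auth_id)


def clear(cards, settled):
    """Association clearing: group settled transactions by issuing processor
    and produce the demand file (cents each issuer must pay the association)."""
    demand = defaultdict(int)
    for auth, amount in settled:
        demand[cards[auth.pan].issuer] += amount
    return dict(demand)


def single_message(card, merchant, amount, auth_id):
    """ATM-style single message: authorization and settlement in one step,
    so the funds leave immediately and no hold remains."""
    auth = authorize(card, merchant, amount, auth_id)
    if auth is None:
        return None
    card.holds.pop(auth_id)
    return (auth, amount)


def run_day():
    """One constructed business day; returns (demand file, ending balances)."""
    cards = {
        "4000000000000001": Card("4000000000000001", "IP-Alpha", 50_000),
        "5100000000000002": Card("5100000000000002", "IP-Beta", 20_000),
    }
    book = authorize(cards["4000000000000001"], "Bookstore", 2_500, "a1")
    dinner = authorize(cards["4000000000000001"], "Diner", 6_000, "a2", pre_auth=True)
    gas = authorize(cards["5100000000000002"], "Fuel", 10_000, "a3", pre_auth=True)
    authorize(cards["5100000000000002"], "Kiosk", 1_000, "a4")   # never settled
    completed = {
        "a1": (book, 2_500),
        "a2": (dinner, 7_000),   # 10.00 tip added at settlement
        "a3": (gas, 4_200),      # only 42.00 of fuel was pumped
    }
    settled = settle(cards, completed)
    release_unsettled(cards)                     # the kiosk hold of 10.00 comes back
    settled.append(single_message(cards["5100000000000002"], "ATM", 3_000, "s1"))
    return clear(cards, settled), {pan: c.available for pan, c in cards.items()}


if __name__ == "__main__":
    print(run_day())
```

Running `run_day()` yields a demand file of 95.00 for IP-Alpha and 72.00 for IP-Beta, and shows the two things the glossary separates: the book purchase settles for exactly what was authorized, while the pre-authorized dinner and fuel settle for more and less than their holds, with the unused fuel hold and the abandoned kiosk hold returning to the cardholder.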