Putting the squeeze on credit card fraud

At session hosted by Visa, expert offers tips. One eye-opener: Brick-and-mortar stores are favorite targets of thieves.

Joris Evers, Staff Writer, CNET News.com
SACRAMENTO, Calif.--About once a week, travel agent Sue Heffner receives a call requesting a booking for an expensive last-minute airline ticket, often departing from far-flung locations in Africa.

The calls appear to come from Nigeria and the callers prefer to use operator-assisted Telephone-Typewriter services meant for the hearing impaired. Heffner, who operates a small travel agency out of the town of Clarksburg, about 30 miles south of state capital Sacramento, doesn't book for these customers. She knows how to spot a scam.

"Fraud is always an issue for the travel industry," Heffner said. "I have been very fortunate because I only do business with clients I know."

Heffner was among a few dozen merchants attending a seminar on credit cards and fraud here on Thursday. With data security breaches, identity theft and credit card fraud often in the headlines, these merchants came to get some tips on what they can do to protect consumer data and their own businesses.

The event, part of a nine-city tour, was hosted by Visa USA and the U.S. Chamber of Commerce. Much of the presentation dealt with credit card industry rules for merchant security. These rules, called the Payment Card Industry Data Security Standard, went into effect earlier this year but have been criticized because of a lack of enforcement.

"Anybody who accepts payment cards can be the target of criminals," Joe Majka, vice president of fraud control at Visa, told the audience. Still, Majka said, merchants who follow the credit card industry's rules are safe.

The PCI Data Security Standard has 12 basic requirements that focus on using secure systems. The rules include installing a firewall, changing default passwords, protecting stored data, using antivirus software and encrypting transmissions of cardholder data across public networks.

While perhaps common sense to technically savvy people, the security rules aren't always as obvious to card-accepting merchants.

"It is amazing how many businesses out there are using the default passwords," Majka said. "We also found some merchants getting into wireless access not realizing they could be creating an entry point for criminals."

Randy Carpadus, director of client development at Bright Hope Designs, helps companies with Web site designs. "My clients are technically illiterate," he said at the event, happy with the overview of security options given by Visa.

Disturbing fact

Majka had a chilling message for the operators of traditional brick-and-mortar businesses. The perception may be that criminals target online stores to steal credit card data, but the reality is that traditional retailers are more popular targets, he said. That's because sellers in offline transactions usually swipe the actual credit card.

"Criminals want the data that is on the card's magnetic stripe," Majka said. "Internet merchants don't have that."

The data on the stripe is used to create counterfeit credit cards that are typically used to buy expensive goods such as electronics, Majka said. Retailers should not store information encoded on the magnetic stripes, but Visa has found that many point-of-sale terminals store all the data anyway, sometimes unbeknownst to the retailer, he said.

"The majority of data security breach incidents reported to Visa have involved retail merchants, not Internet merchants," Majka said. That has shifted from a few years back, when online merchants were the main targets, he said.

Earlier this year, information on more than 1.4 million credit card and 96,000 check transactions was stolen from 108 DSW shoe stores. In another incident, a problem with point-of-sale software at Polo Ralph Lauren compromised the credit card data of as many as 180,000 people.

Retailers should talk to the makers of their cash register software to find out which data is stored for each transaction. Visa recently invited about 35 makers of such software to an event to discuss the issue, Majka said. A list of software that has been shown to comply with Visa's data security standards is available on Visa's Web site.

Still, while fear of identity theft and theft of financial information among U.S. residents is at "an all-time high," the actual amount of fraud is at a low point, Majka said. Of each $100 transacted in the Visa system, 6 cents are fraudulent, he said. "It is hard to believe, because you hear a lot about credit card fraud," Majka said.

Credit card security was also spotlighted in June, when MasterCard International reported that information on more than 40 million cards was stolen from CardSystems Solutions, a payment processor. Intruders were able to exploit software security vulnerabilities to install a rogue program on the CardSystems network, according to MasterCard.

The investigation into the CardSystems case, possibly the largest data security leak to date, is ongoing, according to Majka. Visa, however, no longer allows the processor to handle Visa card payments.

Travel agent Heffner trusts in her instinct and her decision to work only with known customers. The people who call her from Nigeria claim they are from a church and try to help poor people, to the point where the Telephone-Typewriter operator feels sorry for them.

"It is ultimately credit card fraud because you know damn well that the card they are using would not be real," she said.