Stop Online Fraud with the Fast Charge Payment Gateway

Automatic Merchant Fraud Protection With the Fast Charge Payment Gateway

In addition to the merchant-initiated protection mechanisms described in this section, several automatic features have been incorporated into the Merchant Fraud Protection stop online fraudmodule to block out customers exhibiting suspicious buying behaviors, including:

  • A feature to block a credit card that is submitted and declined twice within 24 hours using different expiration dates.
  • A feature to check City and State entries for validity against the zip code entered.
  • A feature to check area codes for validity against the zip code entered.

SSL Technology

Secure Sockets Layer (SSL) technology is the industry-standard method for protecting web communications developed by Netscape Communications Corporation.

The SSL security protocol provides data encryption, server authentication, message integrity, and optional client authentication for a TCP/IP connection. Because SSL is built into all major browsers and web servers, simply installing a digital certificate turns on their SSL capabilities.

SSL comes in two strengths, 40-bit and 128-bit, which refer to the length of the “session key” generated by every encrypted transaction. The longer the key, the more difficult it is to break the encryption code.

Most browsers support 40-bit SSL sessions, and the latest browsers, including Netscape Communicator 4.0, enable users to encrypt transactions in 128-bit sessions – trillions of times stronger than 40-bit sessions.

VeriFone Taking Aim At Square

When Square Inc. launched its mobile card reader in 2009, VeriFone Systems Inc. was on its heels with PayWare Mobile. Now the terminal maker’s ready to roll out another rival to Square with a product it calls Sail.

Whereas VeriFone designed PayWare Mobile for use off the shelf, it designed Sail for small businesses with technical savvy. It plans to offer Sail with open-source software that developers can adapt to work with merchants’ inventory software.

Merchants also may use Sail as is, just like VeriFone’s earlier product. Square similarly designed its product for merchant use right out of the box.

Developers will be able to register with San Jose, Calif.-based VeriFone to receive programming interface tools. By the end of the year, Sail will work with several different advertising platforms and smartphone apps.

“Square did a great job in showing everyone there is a micromerchant market,” says Greg Cohen, senior vice president and general manager with the SMB Commerce group at VeriFone. “But Square only works with Square [software]; … ours is open to develop other applications on top of it, or inside our application.”

Other payment companies, such PayPal and the major card brands, offer developers toolkits to better integrate their payment products.

VeriFone is “playing catch-up baseball in a market that is now crowded by Square, PayPal” and others, says Brian Riley, a senior research director in the bank cards practice at CEB TowerGroup. “It’s a play that they have to make, and they are definitely making it late in the game.”

Since Square’s launch, VeriFone has criticized the rival product. Its most blatant broadside was a website it made dedicated to the idea that Square’s reader could be adapted to work as a skimming device. Square endured the attack and reportedly has worked to improve its device’s security.

Sail is the first product to come out of VeriFone’s roughly five-month-old SMB Commerce group. Cohen joined VeriFone about six weeks ago.

VeriFone has a better shot at success with Sail than with PayWare Mobile, says Rick Oglesby, a senior analyst at Aite Group.

“Their previous strategy was to work with traditional merchant acquirers who weren’t focused at targeting micromerchants, so there was a bit of a mismatch between the product and the channel,” he says. “This is a step forward because they are now matching their products and their channels.”


firearms payment processing

Restaurant Chain Reports Credit Card Breach

Penn Station Inc. has confirmed that 43 of its 235 U.S. restaurants may have been affected by a payments breach that exposed credit and debit details.

In a June 1 statement and list of frequently asked questions posted on Penn Station’s corporate website, the restaurant Credit card breachchain identifies franchise locations in Illinois, Indiana, Kentucky, West Virginia, Michigan, Missouri, Ohio, Pennsylvania and Tennessee that may have been affected by the attack.

Details about the breach are vague; exactly how the card details were exposed is unclear.

Penn Station President Craig Dunaway says Penn Station learned of the breach after a customer called to report that his card had been compromised shortly after dining at one of Penn Station’s franchised locations. From there, Dunaway says Penn Station contacted its processor, Heartland Payment Systems.

“We’ve been working with Heartland to address the issue,” Dunaway says. “The key is to work with the Secret Service and get down to the bottom of what happened.”

Dunaway says he does not know the nature of the breach, and could not say if the card compromises resulted from tampered with POS devices or a network hack.

But industry experts suggest the breach is likely linked to either a processing hack or a point-of-sale scheme similar to the one discovered by the Michaels crafts store chain in May 2011.

Penn Station suspects the compromise dates back to March, based on a preliminary investigation, according to its FAQ posting. Debit and credit cards used during March and April may have been exposed.

“Upon learning of the possibility of unauthorized access to credit and debit card information, all of the individual owners of the Penn Station restaurants changed the method for processing credit and debit card transactions,” the FAQ states.

The investigation is ongoing, and Penn Station says it expects to update its list of affected locations if more are identified.

Penn Station says only account holder names and card numbers were breached. Whether PINs or card verification codes were part of that information has not been clarified.
What Type of Scheme?

Experts can only speculate, but Gartner analyst Avivah Litan says the scenario sounds like a POS-device swapping scheme – a scam that involves fraudsters physically swapping or trading a merchant’s POS device and/or PIN pad with a device manipulated to skim card and PIN details.

“It sounds a lot like Michaels,” Litan says. “Maybe they only hit 20 percent of the locations because Penn Station caught it early.”

John Buzzard, who monitors card fraud for FICO’s Card Alert Service, also says the breach sounds like a POS-device attack of some sort, but he says it’s too early to determine how those devices might have been targeted.

“It’s possible that a simple default admin password was never changed for the POS system at the affected locations,” he says.

Jason Malo, a research director at CEB TowerGroup who covers security and fraud, says the breach seems localized, and organized. “I don’t think it’s not a network breach,” he says. “By listing the stores that were affected, there’s a point-of-sale aspect to it, and that automatically makes you think there’s something that happened with the devices.”

Because only some locations in certain geographic markets were hit, Malo says the breach likely involved an organized effort coordinated among numerous players.

But Aite analyst Julie McNelley believes the compromise is more likely linked to a network hack, referencing Penn Station’s note about updating its payments processing procedures.

“This just further highlights how vulnerable merchants are and highlights the importance of upgrading to more current data security standards, such as tokenization and end-to-end encryption,” she says.
The Point of Compromise

Most breaches at merchant locations are reported by card-issuing banks to Visa and MasterCard, Litan says. After a number of fraud reports come in to the card brands, they trace the fraud back to identify the point of compromise.

But Litan says fraudsters have learned to expand their windows of compromise by only using cards from one or two card issuers at a time. “When only one or two banks report fraud, it takes longer for Visa and MasterCard to link the fraud to a larger compromise,” she says.

The Penn Station breach appears to have been detected relatively quickly. In the Michaels case, the exposure was traced back to December 2010, more than five months before the breach was discovered. In all, 90 individual PIN pads at stores in 20 states were identified as being sources of the Michaels breach.

Get a Quick Quote: