amnesia@amnesia:~/Tor Browser$ cat carding-the-ultimate-guide.txt 

Dumps Carding Tutorial Ultimate Guide

Dumps Carding Tutorial Ultimate Guide did not write this

DEFINITIONS

-----------

First some terms, along with the meanings they have in the industry:

Cardholder - an individual to whom a credit card is issued. Typically,

this individual is also responsible for payment of all charges made

to that card. Corporate cards are an exception to this rule.

Card Issuer - an institution that issues credit cards to cardholders.

This institution is also responsible for billing the cardholder for

charges. Often abbreviated to "Issuer".

Card Accepter - an individual, organization, or corporation that

accepts credit cards as payment for merchandise or services. Often

abbreviated "Accepter" or "merchant".

Acquirer - an organization that collects (acquires) credit

authorization requests from Card Accepters and provides guarantees

of payment. Normally, this will be by agreement with the Issuer of

the card in question.

Many issuers are also acquirers. Some issuers allow other acquirers to

provide authorizations for them, under pre-agreed conditions. Other

issuers provide all their own authorizations.

TYPES OF CARDS

----- -- -----

The industry typically divides up cards by the business of the issuer.

So there are bank cards (VISA, Master Card, Discover), Petroleum Cards

(SUN Oil, Exxon, etc.), and Travel and Entertainment (T&E) cards

(American Express, Diners' Club, Carte Blanche). Other cards are

typically lumped together as "Private Label" cards. That would include

department store cards, telephone cards, and the like. Most private

label cards are only accepted by the issuer. People are starting to

divide the telephone cards into a separate class, but it hasn't re-

ceived widespread acceptance. (This is just a matter of terminology,

and doesn't affect anything important.)

Cards are also divided by how they are billed. Thus there are credit

cards (VISA, MC, Discover, most department store cards), charge cards

(American Express, AT&T, many petroleum cards) and debit cards. Credit

cards invoke a loan of money by the issuer to the cardholder under

pre-arranged terms and conditions. Charge cards are simply a payment

convenience, and their total balance is due when billed. When a debit

card is used, the amount is taken directly from the cardholder's ac-

count with the issuer. Terminology is loose - often people use "credit

card" to encompass credit cards and charge cards.

A recent phenomenon is third-party debit cards. These cards are issued

by an organization with which the cardholder has no account relation-

ship. Instead, the cardholder provides the card issuer with the infor-

mation necessary to debit the cardholder's checking account directly

through an Automated Clearing House (ACH), the same way a check would

be cleared. This is sort of like direct deposit of paychecks, in re-

verse. ACHs love third-party debit cards. Banks hate them.

Another recent addition is affinity cards. These cards are valid

credit cards from their issuer, but carry the logo of a third party,

and the third party benefits from their use. There is an incredible

variety of affinity cards, ranging from airlines to colleges to profes-

sional sports teams.

HOW THEY MAKE MONEY

--- ---- ---- -----

Issuers of credit cards make money from cardholder fees and from inter-

est paid on outstanding balances. Not all issuers charge fees. Even

those that do, make most of their money on the interest. They really

LIKE people who pay the minimum each month.

Issuers of charge cards make money from cardholder fees. Some charge

cards actually run at a loss for the company, particularly those that

are free. The primary purpose of such cards is to stimulate business.

Issuers of debit cards may make money on transaction fees. Not all

debit card transactions have fees. Most debit cards exist to stimulate

business for the bank and to offload tellers and back-room departments.

To date, third-party debit cards exist solely to stimulate business.

Providers of such cards make no direct money from their use.

Acquirers make money from transaction charges and discount fees. Unlike

the charges and fees mentioned above, these fees are paid by the ac-

cepter, not (directly) by the cardholder. (Technically, it is not le-

gal for the merchants to pass these charges directly to the consumer.

Some petroleum stations have gotten away with giving a discount for

cash, and it has survived court challenges so far.) Transaction charges

are typically in pennies per transaction, and are sensitive to the type

of communication used for the authorization. Discount fees are a per-

centage of the purchase price and are sensitive to volume and compli-

ance to rules. One way to encourage merchants to follow certain

procedures or to upgrade to new equipment is to offer a lower discount

fee.

Until fairly recently, the only motivation for accepters was to expand

their business by accepting cards. Reduction of fraud was enough rea-

son for many merchants to pay authorization fees, but in many cases, it

isn't worth the cost. (That is, it is cheaper to pay the fraud than to

prevent it.) Recently, electronic settlement has provided merchants

with an added benefit by reducing float on charged purchases. Merchants

can now get their accounts credited much faster than before, which

helps cash flow.

Companies that issue charge cards are real keen on float reduction. The

sooner they can bill you, the sooner they get their money. Credit card

companies are also interested in float reduction, since the sooner they

bill, the sooner they can start charging interest. Debit cards

typically involve little or no float.

Affinity cards usually pay a percentage of purchases to the affinity

organization. Although it may seem obvious to take this money from the

discount fee, this doesn't work since the issuer is not always the

acquirer. The money for this usually comes from the interest paid on

outstanding balances. Essentially, the bank is giving a share of its

profits to an organization in turn for the organization promoting use

of its credit card. The affinity organization is free to use its cut

any way it wishes. An airline will typically put it into the frequent

flyer program (and credit miles to your account). A college may put

the money into the general fund or into a scholarship fund. Lord only

knows what a sports team does with the money!

THE PLAYERS AND THEIR ROLES

--- ------- --- ----- -----

American Express (AMEX) is a charge card issuer and acquirer. (Their

other businesses are not important to this discussion.) All AMEX pur-

chases are authorized by AMEX. They make most of their money from the

discount fees, which is why they have the highest discount fee in the

industry. That's one reason why AMEX isn't accepted in as many places

as VISA and MC, and a reason why many merchants will prefer another

card to an AMEX card. The control AMEX has over authorization allows

them to provide what they consider to be better cardholder

("cardmember" to them) services.

VISA is a non-profit corporation (SURPRISE!) that is best described as

a purchasing and marketing coalition of its member banks. VISA issues

no credit cards itself - all VISA cards are issued by member banks.

VISA does not set terms and conditions for its member banks - the banks

can do pretty much as they please in signing cardholders. All VISA

charges are ultimately approved by the card issuer, regardless of where

the purchase was made. Many smaller banks share their account

databases with larger banks, third parties, or VISA itself, so that the

bank doesn't have to provide authorization facilities itself.

Master Card (MC) is very much like VISA. There are some differences

that are important to those in the industry, but from the consumers

standpoint they operate pretty much the same.

Discover cards are issued by a bank owned by Sears. All Discover pur-

chases are authorized by Sears.

Most petroleum cards, if they are even authorized, are authorized by

the petroleum company itself. There are exceptions. Fraud on petro-

leum cards is so low that the main reason for authorization is to

achieve the float reduction of electronic settlement.

THE BUSINESS RELATIONSHIPS

--- -------- -------------

Card acceptors generally sign up with a local acquirer for authoriza-

tion and settlement of all credit cards. This acquirer may or may not

be a card issuer, but certainly will not have issued all the cards that

the merchant can accept. The accepter does not generally call one

place for VISA and a different place for MC, for example. At one time,

this was necessary, but more and more acquirers are connected to all

networks and are offering a broader range of services.

Acquirers generally are connected to many issuers, and pay transaction

charges and discount fees to those issuers for authorizations. Thus,

the acquirer is actually making money on the difference between fees

paid and fees billed. Most acquirers gather together transactions from

many accepters, allowing them to get volume discounts on fees. Since

the accepters individually have lower volume and are not eligible for

those discounts, there is a markup that the acquirer can get away with.

Acquirers also, of course, provide the convenience of a single contact.

Most large banks are issuers and acquirers. Things get real interest-

ing when it's time to settle up. Some small banks are only issuers.

There are third parties that are only acquirers.

In future episodes, I'll explain how standards help all this chaos work

together, and give details about how the authorization process happens.

Joe Ziegler

att!lznv!ziegler

This is part two in a planned six-part series about the credit card in-

dustry. It would be best if you read part one before reading this

part. Enjoy.

DEFINITIONS

-----------

Some more new terms that are used in this posting.

ABA - American Bankers Association

ACH - Automated Clearing House - an organization that mechanically and

electronically processes checks.

ANSI - American National Standards Institute

Embossing - creating raised letters and numbers on the face of the

card.

Encoding - recording data on the magnetic stripe on the back of the

card.

Imprinting - using the embossed information to make an impression on a

charge slip.

Interchange - sending authorization requests from one host (the

acquirer) to another (the issuer) for approval.

ISO - International Standards Organization

NACHA - National Automated Clearing House Association

PAN - Personal Account Number. The account number associated with a

credit, debit or charge card. This is usually the same as the

number on the card.

PIN - Personal Identification Number. A number associated with the

card, that is supposedly know only to the cardholder and the card

issuer. This number is used for verification of cardholder

identity.

THE ORGANIZATIONS

--- -------------

ISO sets standards for plastic cards and for data interchange, among

other things. ISO standards generally allow for national expansion.

Typically, a national standards organization, like ANSI, will take an

ISO standard and develop a national standard from it. National stan-

dards are generally subsets of the ISO standard, with extensions as al-

lowed in the original ISO standard. Many credit card standards

originated in the United States, and were generalized and adopted by

ISO later.

The ANSI committees that deal with credit card standards are sponsored

by the ABA. Most members of these committees work for banks and other

financial institutions, or for vendors who supply banks and financial

institutions. Working committees report to governing committees.

All standards go through a formal comment and review procedure before

they are officially adopted.

PHYSICAL STANDARDS

-------- ---------

ANSI X4.13, "American National Standard for Financial Services -

Financial Transaction Cards" defines the size, shape, and other

physical characteristics of credit cards. Most of it is of interest

only to mechanical engineers. It defines the location and size of the

magnetic stripe, signature panel, and embossing area. This standard

also includes the Luhn formula used to generate the check digit for the

PAN, and gives the first cut at identifying card type from the account

number. (This part was expanded later in other standards.) Also, this

standard identifies the character sets that can be used for embossing a

card.

Three character sets are allowed - OCR-A as defined in ANSI X3.17,

OCR-B as defined in ANSI X3.49, and Farrington 7B, which is defined in

the appendix of ANSI X4.13 itself. Almost all the cards I have use

Farrington 7B, but Sears uses OCR-A. (Sears also uses the optional,

smaller card size as, allowed in the standard.) These character sets

are intended to be used with optical character readers (hence the OCR),

and large issuers have some pretty impressive equipment to read those

slips.

ENCODING STANDARDS

-------- ---------

ANSI X4.16, "American National Standard for Financial Services - Finan-

cial Transaction Cards - Magnetic Stripe Encoding" defines the

physical, chemical, and magnetic characteristics of the magnetic stripe

on the card. The standard defines a minimum and maximum size for the

stripe, and the location of the three defined encoding tracks. (Some

cards have a fourth, proprietary track.)

Track 1 is encoded at 210 bits per inch, and uses a 6-bit coding of a

64-element character set of numerics, alphabet (one case only), and

some special characters. Track 1 can hold up to 79 characters, six of

which are reserved control characters. Included in these six charac-

ters is a Longitudinal Redundancy Check (LRC) character, so that a card

reader can detect most read failures. Data encoded on track 1 include

PAN, country code, full name, expiration date, and "discretionary

data". Discretionary data is anything the issuer wants it to be.

Track 1 was originally intended for use by airlines, but many Automatic

Teller Machines (ATMs) are now using it to personalize prompts with

your name and your language of choice. Some credit authorization ap-

plications are starting to use track 1 as well.

Track 2 is encoded at 75 bits per inch, and uses a 4-bit coding of the

ten digits. Three of the remaining characters are reserved as

delimiters, two are reserved for device control, and one is left unde-

fined. In practice, the device control characters are never used, ei-

ther. Track 2 can hold up to 40 characters, including an LRC. Data

encoded on track 2 include PAN, country code (optional), expiration

date, and discretionary data. In practice, the country code is hardly

ever used by United States issuers. Later revisions of this standard

added a qualification code that defines the type of the card (debit,

credit, etc.) and limitations on its use. AMEX includes an issue date

in the discretionary data. Track 2 was originally intended for credit

authorization applications. Nowadays, most ATMs use track 2 as well.

Thus, many ATM cards have a "PIN offset" encoded in the discretionary

data. The PIN offset is usually derived by running the PIN through an

encryption algorithm (maybe DES, maybe proprietary) with a secret key.

This allows ATMs to verify your PIN when the host is offline, generally

allowing restricted account access.

Track 3 uses the same density and coding scheme as track 1. The con-

tents of track 3 are defined in ANSI X9.1, "American National Standard

- Magnetic Stripe Data Content for Track 3". There is a slight contra-

diction in this standard, in that it allows up to 107 characters to be

encoded on track 3, while X4.16 only gives enough physical room for 105

characters. Actually, there is over a quarter of an inch on each end

of the card unused, so there really is room for the data. In practice,

nobody ever uses that many characters, anyway. The original intent was

for track 3 to be a read/write track (tracks 1 and 2 are intended to be

read-only) for use by ATMs. It contains information needed to maintain

account balances on the card itself. As far as I know, nobody is actu-

ally using track 3 for this purpose anymore, because it is very easy to

defraud.

COMMUNICATION STANDARDS

------------- ---------

Formats for interchange of messages between hosts (acquirer to issuer)

is defined by ANSI X9.2, which I helped define. Financial message au-

thentication is described by ANSI X9.9. PIN management and security is

described by ANSI X9.8. There is a committee working on formats of

messages from accepter to acquirer. ISO has re-convened the interna-

tional committee on host message interchange (TC68/SC5/WG1), and ANSI

may need to re-convene the X9.2 committee after the ISO committee fin-

ishes. These standards are still evolving, and are less specific than

the older standards mentioned above. This makes them somewhat less

useful, but is a natural result of the dramatic progress in the indus-

try.

ISO maintains a registry of card numbers and the issuers to which they

are assigned. Given a card that follows standards (Not all of them

do.) and the register, you can tell who issued the card based on the

first six digits (in most cases). This identifies not just VISA,

MasterCard, etc., but also which member bank actually issued the card.

DE FACTO INDUSTRY STANDARDS

-- ----- -------- ---------

Most ATMs use IBM synchronous protocols, and many networks are migrat-

ing toward SNA. There are exceptions, of course. Message formats used

for ATMs vary with the manufacturer, but a message set originally de-

fined by Diebold is fairly widely accepted.

Many large department stores and supermarkets (those that take cards)

run their credit authorization through their cash register controllers,

which communicate using synchronous IBM protocols.

Standalone Point-of-Sale (POS) devices, such as you would find at most

smaller stores (i.e. not at department stores), restaurants and hotels

use a dial-up asynchronous protocol devised by VISA. There are two

generations of this protocol, with the second generation just beginning

to get widespread acceptance.

Many petroleum applications use multipoint private lines and a polled

asynchronous protocol known as TINET. This protocol was developed by

Texas Instruments for a terminal of the same name, the Texas Instru-

ments Network E(something) Terminal. The private lines reduce response

time, but cost a lot more money than dial-up.

NACHA establishes standards for message interchange between ACHs, and

between ACHs and banks, for clearing checks. This is important to this

discussion due to the emergence of third-party debit cards, as dis-

cussed in part 1 of this series. The issuers of third-party debit

cards are connecting to ACHs, using the standard messages, and clearing

POS purchases as though they were checks. This puts the third parties

at an advantage over the banks, because they can achieve the same re-

sults as a bank debit card without the federal and state legal restric-

tions imposed on banks.

In the next installment, I'll describe how an authorization happens, as

well as how the settlement process gets the bill to you and your money

to the merchant. After that I'll describe various methods of fraud,

and how issuers, acquirers, and accepters protect themselves. Stay

tuned.

Joe Ziegler

att!lznv!ziegler

Here's part 3 in my six-part series on the credit card industry. This

part discusses how authorization and settlement work. This is a long

one. It will help if you have read parts 1 and 2, since I had to leave

out a lot of overlap to keep this from getting ridiculous. Enjoy.

THE ACCEPTER

--- --------

An important fact to note is that a card accepter does not have to get

approval for any purchases using credit or charge cards. Of course, a

merchant is usually interested in actually getting money, and so must

participate in some form of settlement process (see below). Usually,

the most acceptable (to a merchant) forms of settlement are tied (by

the acquirer) to authorization processes. However, a merchant could

simply accept all cards without any validation, any eat any fraud that

results.

A merchant typically makes a business arrangement with a local bank or

some other acquirer for authorization and settlement services. The

acquirer assigns a merchant identifier to that merchant, which will

uniquely identify the location of the transaction. (This facilitates

compliance with federal regulations requiring that credit card bills

identify where each purchase was made.) The acquirer also establishes

procedures for the merchant to follow. The procedures will vary by

type of the merchant business, geographic location, volume of transac-

tions, and types of cards accepted.

If the merchant follows the procedures given by the acquirer and a

transaction is approved, the merchant is guaranteed payment whether the

card in question is good or bad. The purpose of authorization is to

shift financial liability from the acceptor to the acquirer.

There are two basic tools used - bulletins and online checks. Bulletins

may be hardcopy, or may be downloaded into a local controller of some

form. Online checks could be done via a voice call, a standalone ter-

minal, or software and/or hardware integrated into the cash register.

A low-volume, high-ticket application (a jewelry store) would probably

do all its authorizations with voice calls, or may have a stand-alone

terminal. A high-volume, low-ticket application (a fast-food chain)

will probably do most of its authorizations locally against a bulletin

downloaded into the cash register controller. Applications in between

typically merge the two - things below a certain amount (the "floor

limit") are locally authorized after a lookup in the bulletin, while

things over the floor limit are authorized online.

Usually a lot of effort is taken to use the least expensive tools that

are required by the expected risk of fraud. Typically, communication

costs for authorizations make up the biggest single item in the overall

cost of providing credit cards.

Large accepters are always a special case. Airlines are usually di-

rectly connected, host-to-host, to issuers and/or acquirers, and autho-

rize everything online. Likewise for many petroleum companies and

large department stores. Some large chains use different approaches at

different locations, either as a result of franchising oddities or due

to volume differences between locations. A lot of experimentation is

still going on as well - this is not a mature market.

For voice authorizations, the merchant ID, PAN, expiration date, and

purchase amount are required for an approval. Some applications also

require the name on the card, but this is not strictly necessary. For

data authorizations, the merchant ID, PAN, PIN (if collected), expira-

tion date, and purchase amount are required. Typically, the "discre-

tionary data" from track 2 is sent as well, but this is not strictly

necessary. In applications that do not transmit the PIN with the au-

thorization, it is the responsibility of the merchant to verify iden-

tity. Usually, this should be done by checking the signature on the

card against the signature on the form. Merchants don't often follow

this procedure, and they take a risk in not doing so.

In most applications, the amount of the purchase is known at the time

of the authorization request. For hotels, car rentals, and some petro-

leum applications, an estimated amount is used for the authorization.

After the transaction is complete (e.g. after the gas is pumped or at

check-out time), another transaction may be sent to advise of the ac-

tual amount of the transaction. More on this later.

THE ACQUIRER

--- --------

The acquirer gathers authorization requests from accepters and returns

approvals. If the acquirer is an issuer as well, "on us" transactions

will typically be turned around locally. As before, the acquirer does

not have to forward any requests on to the actual issuer. However,

acquirers are not willing to take the financial risks associated with

generating local approvals. Thus most transactions are sent on to the

issuers (interchanged). The purpose of interchange is to shift finan-

cial liability from the acquirer to the issuer.

Typically, an acquirer connects to many issuers, and negotiates differ-

ent business arrangements with each one of them. But the acquirer gen-

erally provides a uniform interface to the accepter. Thus, the

interchange rules are sometimes less stringent than those imposed on

the accepter. Also, most issuers will trust acquirers to with respon-

sibilities they would never trust to accepters. The acquirer can

therefore perform some front-end screening on the transactions, and

turn some of them around locally without going back to the issuer.

The first screening by the acquirer would be a "sanity" test, for valid

merchant ID, valid Luhn check on PAN, expiration date not past, amount

field within reason for type of merchant, etc. After that, a floor

limit check will be done. Issuers generally give acquirers higher

floor limits than acquirers give accepters, and floor limits may vary

by type of merchant. Next, a "negative file" check would be done

against a file of known bad cards. (This is essentially the same as

the bulletin.) Then a "velocity file" check may be done. A velocity

file keeps track of card usage, and limits are often imposed on both

number of uses and total amount charged within a given time period.

Sometimes multiple time periods are used, and it can get fairly compli-

cated.

Transactions that pass all the checks, and are within the authority

vested in the acquirer by the issuer, are approved by the acquirer.

(Note that, under the business arrangement, financial liability still

resides with the issuer.) An "advice" transaction is sometimes sent to

the issuer (perhaps at a later time), to tell the issuer that the

transaction took place.

Transactions that "fail" one or more checks are denied by the acquirer

(if the cause was due to form, such as bad PAN) or sent to the issuer

for further checking. (Note that "failure" here can mean that it's be-

yond the acquirer's authority, not necessarily that the card is bad.)

Some systems nowadays will periodically take transactions that would

otherwise be approved locally, and send them to the issuer anyway. This

serves as a check on the screening software and as a countermeasure

against fraudulent users who know the limits.

Transactions that go to the issuer are routed according to the first

six digits of the PAN, according to the ISO registry mentioned in an

earlier section. Actually, it's a bit more complicated than that,

since there can be multiple layers of acquirers, and some issuers or

acquirers will "stand in" for other issuers when there are hardware or

communication failures, but the general principal is the same at each

point.

THE ISSUER

--- ------

An issuer receiving an interchanged transaction will often perform many

of the same tests on it that the acquirer performs. Some of the tests

may be eliminated if the acquirer is trusted to do them correctly. This

is the only point where a velocity file can actually detect all usage

of a card. This is also the only point where a "positive file" lookup

against the actual account can be done, since only the issuer has the

account relationship with the cardholder. If a PIN is used in the

transaction, only the issuer can provide true PIN verification -

acquirers may be able to do only "PIN offset" checking, as described in

a previous section. This is one reason why PINs have not become

popular on credit and charge cards.

An account typically has a credit limit associated with it. An ap-

proved authorization request usually places a "hold" against the credit

limit. If the sum of outstanding holds plus the actual outstanding

balance on the account, plus the amount of the current transaction, is

greater than the credit limit, the transaction is (usually) denied.

Often in such a case the issuer will send back a "call me" response to

the merchant. The merchant will then call the issuer's number, and the

operator may even want to talk to the cardholder. The credit limit

could be extended on the spot, or artificially high holds (from hotels

or car rental companies) could be overlooked so that the transaction

can be approved.

The difference between the credit limit and the sum of holds and out-

standing balance is often referred to as the "open to buy" amount. Once

a hold is placed on an account, it is kept there until the actual the

transaction in question is settled (see below), in which case the

amount goes from a hold to a billed amount, with no impact on the open

to buy amount, theoretically. For authorizations of an estimated

amount, the actual settled amount will be less than or equal to the ap-

proved amount. (If not, the settlement can be denied, and the merchant

must initiate a new transaction to get the money.) Theoretically, in

such a case, the full hold is removed and the actual amount is added to

the outstanding balance, resulting in a possible increase in the open

to buy amount.

In practice, older systems were not capable of matching settlements to

authorizations, and holds were simply expired based on the time it

would take most transactions to clear. Newer systems are starting to

get more sophisticated, and can do a reasonable job of matching autho-

rizations for actual amounts with the settlements. Some of them still

don't match estimated amounts well, with varying effects. In some

cases, the difference between actual and estimated will remain as a

hold for some period of time. In other cases, both the authorization

and the settlement will go against the account, reducing the open to

buy by up to twice the actual amount, until the hold expires. These

problems are getting better as the software gets more sophisticated.

Some issuers are also starting to use much more sophisticated usage

checks as well. They will not only detect number of uses and amount

over time, but also types of merchandise bought, or other patterns to

buying behavior. Most of this stuff is new, and is used for fraud pre-

vention. I expect this to be the biggest effort in authorization soft-

ware for the next few years.

American Express does things completely differently. There are no

credit limits on AMEX cards. Instead, AMEX relies entirely on usage

patterns, payment history, and financial data about cardmembers to de-

termine whether or not to automatically approve a transaction. AMEX

also has a policy that a cardmember will never be denied by a machine.

Thus, if the computer determines that a transaction is too risky, the

merchant will receive a "call me" message. The operator will then get

details of the transaction from the merchant, and may talk to the

cardmember as well, if cardmember identity is in question or a large

amount is requested. To verify cardmember identity, the cardmember

will be asked about personal information from the original application,

or about recent usage history. The questions are not the same each

time. If an unusually large amount is requested, the cardmember may be

asked for additional financial data, particularly anything relating to

a change in financial status (like a new job or a promotion). People

who are paranoid about Big Brother and computer databases should not

use AMEX cards.

SETTLEMENT

----------

So far, no money has changed hands, only financial liability. The pur-

pose of settlement is to shift the financial liability back to the

cardholder, and to shift the cardholder's money to the merchant.

Theoretically, all authorization information can be simply discarded

once an approval is received by a merchant. Of course, contested

charges, chargebacks, merchant credits, and proper processing of holds

require that the information stay around. Still, it is important to

realize that an authorization transaction has no direct financial con-

sequences. It only establishes who is responsible for the financial

consequences to follow.

Traditionally, a merchant would take the charge slips to the bank that

was that merchant's acquirer, and "deposit" them into the merchant ac-

count. The acquirer would take the slips, sort them by issuer, and

send them to the issuing banks, receiving credits by wire once they ar-

rived and were processed. The issuer would receive the slips, micro-

film them (to save the transaction information, as required by federal

and state laws) charge them against the cardholder's accounts, send

credits by wire to the acquirer, and send out the bill to the

cardholder. Problem is, this took time. Merchants generally had to

wait a couple of weeks for the money to be available in their accounts,

and issuers often suffered from float on the billables of about 45

days.

Therefore, nowadays many issuers and acquirers are moving to on-line

settlement of transactions. This is often called "draft capture" in

the industry. There are two ways this is done - one based on the host

and one based on the terminal at the merchant's premises. In the

host-based case, the terminal generally only keeps counts and totals,

while the acquirer host keeps all the transaction details. Peri-

odically, the acquirer host and the terminal communicate, and verify

that they both agree on the data. In the terminal-based case, the ter-

minal remembers all the important transaction information, and peri-

odically calls the acquirer host and replays it all for several

transactions. In either case, once the settlement is complete the mer-

chant account is credited. The acquirer then sends the settlement in-

formation electronically to the issuers, and is credited by wire

immediately (or nearly so). The issuer can bill directly to the

cardholder account, and float can be reduced to an average of 15 days.

The problem is, what to do with the paper? Current regulations in many

states require that it be saved, but there is no need for it to be sent

to the issuer. Also, for contested charges, a paper trail is much more

likely to stand up in court, and much better to use for fraud investi-

gations. Currently, the paper usually ends up back at the issuer, as

before, but it doesn't need to be processed, just microfilmed and

stored.

Much of the market still uses paper settlement methods. Online settle-

ment will replace virtually all of this within the next 5 to 10 years,

because of its many benefits.

This was pretty long, but there is a lot of information, and I skimmed

over a lot of details. Future installments should be shorter. Coming

up next is a discussion of fraud and security, and then a special dis-

cussion of debit cards. Hang on, we're halfway through this!

Joe Ziegler

att!lznv!ziegler

This is part four of a planned six-part series on the credit card in-

dustry. It will be helpful if you have read parts one through three,

as I use a lot of terminology here that was introduced earlier. Enjoy.

WARNING

This installment describes various methods of perpetrating fraud

against credit and charge card issuers, acquirers, and cardholders. Le-

gal penalties for using these methods to commit fraud are severe. The

reason for sharing this information is so that consumers will be aware

of the importance of security and be aware of the procedures used by

financial institutions to protect against fraud. Neither I nor my em-

ployer advocate use of the fraudulent methods described herein.

All the information here is publicly available from other sources. Un-

necessary detail is purposely not included, particularly as it applies

to detection and prevention of fraud.

CARDHOLDER FRAUD

---------- -----

The most common type of fraud against credit cards is cardholders fal-

sifying applications to get higher credit limits than they can afford

to pay, or to get multiple cards that they cannot afford to pay off.

Sometimes this is done with intent to defraud, but most often it is

done out of desperation or sheer financial ineptitude. Those who in-

tend to defraud generally use the multiple-card approach. They give

false names and financial data on several (sometimes as many as hun-

dreds) of applications. Often, the address of a vacant house that the

crook has access to is given, making it difficult to track the crook's

real identity. Once cards start showing up, the crook uses them for

cash advances or charges merchandise that is easy to sell, like con-

sumer electronics. The crook will run all the cards up to the limit

immediately, and will generally move on by the time the bills start ar-

riving. This type of fraud is not applicable to debit cards, since

they require an available account balance equal to or greater than any

purchases or withdrawals.

Protecting against this type of fraud, either intentional or otherwise,

is exactly the purpose of credit bureaus such as TRW. Issuers have be-

come more aware of the need for careful screening of applications, and

are using better techniques for detecting similar applications sent to

multiple issuers. More sophisticated velocity file screening can also

be used to detect possibly fraudulent usage patterns. Since this is a

method of fraud that can be used to gain really large amounts of

money, it is a high priority with issuers' security departments.

A variant of this scheme is much like check kiting. Can you use your

VISA to pay your MasterCard? Well, you might be able to manage it, but

if you're doing it with intent to defraud, you can be prosecuted. Kit-

ing schemes typically don't last long, have a low payoff, and are very

easy to detect.

Another type of cardholder fraud is simply contesting legitimate

charges. Most often, retrieving the documents gives pretty convincing

proof. Frequently, a family member will be found to have used the card

without the cardholder's permission. Such cases are usually pretty

easy to resolve. In the case of an ATM card, cameras are often placed

at ATMs (sometimes hidden) to record users of the machine. The camera

is usually tied to the ATM, so that a single retrieval stamp can be

placed on the film and the ATM log. If a withdrawal is contested, the

bank can then retrieve the picture of the person standing at the ma-

chine, and conclusively tie that picture to the transaction.

A type of cardholder fraud that is endemic only to ATMs is making false

deposits. You could, theoretically, tell the ATM that you are deposit-

ing a large amount of money, and put in an empty envelope. Most banks

will not let you withdraw amounts deposited into an ATM until the de-

posit has been verified, but some will allow part of the deposit to be

withdrawn. Typically, you can't get away with much. If you have any

money actually in your account, the bank has easy, legal recourse to

seize those funds. Most banks have no sense of humor about such

things, and will remove ATM card privileges after the first offense.

THIRD-PARTY FRAUD

----------- -----

The simplest way for a third party to commit fraud is for them to get

their hands on a legitimate card. There is a large black market for

credit cards obtained from hold-ups, break-ins and muggings. Perhaps

one of the cruelest methods of getting a card is a "Good Samaritan"

scam. In such a scam, credit cards are stolen by pick-pockets,

purse-snatchers, etc. That same day, someone looks up your number in

the phone book and calls you up. "I just found your wallet. All the

money is gone, but the credit cards and your driver's license are still

here. It just happens that I'll be in your neighborhood next Wednesday

and I'll drop it off then." Since the cards are found, you don't re-

port them stolen, and the crooks get until next Wednesday before you're

even suspicious. If such a thing happens to you, ask if you can come

and pick the cards up immediately. A true good samaritan won't mind,

but a crook will stall you. If you can't get your hands on the cards

immediately, report them as stolen. Most issuers will be able to get

you a new card by next Wednesday, anyway.

Often stolen cards will be used for a time exactly as is. The best

tool for preventing this is verification of the signature, but this is

ineffective because most merchants don't consistently check signatures

and some people don't even sign their cards. (I guess these people

figure that all purse snatchers are accomplished forgers as well.)

Many cards will eventually be modified as the various security schemes

start catching up.

It is a very easy matter, for example, to re-encode a different number

on the magnetic stripe. Since the card still looks fine, a merchant

will accept it and run it through the POS terminal, completely ignorant

of the fact that the number read off the back is not the same as that

on the front. Although the number on the front would fail a negative

file check, the number on the back is one that hasn't been reported

yet. A card can be re-encoded almost any number of times, as long as

you can keep coming up with new valid PANs. To protect against this,

some merchants purposely avoid using the magnetic stripe. Others have

terminals that display the number read from the stripe, so the cashier

can compare it to the number on the card. Some issuers are experiment-

ing with special encoding schemes, to make re-encoding difficult, but

most of these schemes would require replacing the entire embedded base

of POS terminals. An interesting approach I've seen (it's probably

patented) uses a laser to burn off the parts of the magnetic stripe

where zeroes are encoded, leaving only the ones. This severely limits

the changes you can make to the card number. Some issuers use the

"discretionary data" field to encode data unique to the card, that a

crook would not be able to guess, to combat this type of fraud.

Since an ATM doesn't have a human looking at the card, it is especially

susceptible to re-encoding fraud. A crook could get a number from a

discarded receipt and encode it on a white card blank, which is easy to

obtain legally. Many people use PINs that are easy to guess, and the

crook has an easy job of it. Most ATMs will not give you your card

back if you don't enter a correct PIN, and will only give you a few

tries to get it right, to prevent this type of fraud. Velocity file

checks are also important in detecting this. You should always take

your ATM receipts with you, pick a non-obvious PIN, and make sure that

nobody sees you enter it.

One place that a crook can get valid PANs to encode on credit cards is

from dumpsters outside of stores and restaurants. The credit slip

typically is a multipart form, with one copy for you, one for the mer-

chant, and one for the issuer (ultimately). If carbon paper is used,

and the carbons are discarded intact, it's pretty easy to read the num-

bers off of them. Carbonless paper and forms that either rip the car-

bons in half or attach them to the cardholder copy automatically are

used to prevent this.

There are a lot of scams for getting people to tell their credit card

numbers over the phone. Never give your card number to anyone unless

you are buying something from them, and make sure that it is a le-

gitimate business you are buying from. "Incredible deal!! Diamond

jewelry at half price!! Call now with your VISA number, and we'll rush

you your necklace!!" When you don't get the necklace for four weeks,

you might start to wonder. When you get your credit card bill, you'll

stop wondering.

There are other, more sophisticated ways to modify a credit card. If

you're skillful, you can change the embossing on the card and even the

signature on the back. For most purposes, these techniques are more

trouble than they're worth, since it's not difficult to come up with a

new stolen card, or fake ID to match the existing card.

MERCHANT FRAUD

-------- -----

There are many urban rumors of merchants imprinting a card multiple

times while the cardholder isn't looking, and then running through a

bunch of charges after the cardholder leaves. I don't know of any case

where this is an official policy of a merchant, but this is certainly

one technique a dishonest cashier could use. The cashier can then take

home a bunch of merchandise charged to your account. Although some

people are afraid of this happening in a restaurant, where a waiter

takes your card away for a while, it's actually less likely there,

since there isn't anything the waiter can charge against your card and

take home.

A merchant could also make copies of charge slips, to sell the PANs to

other crooks. (See above for use of PANs.) Most credit card investi-

gation departments are sensitive to this possibility, and catch on real

fast if it's happening just by looking at usage history of cards with

fraudulent charges.

A merchant is also in a position to create many false charges against

bogus numbers, to attempt to defraud the acquirer or issuer. These

schemes are usually not too effective, since acquirers generally re-

spond very quickly to an unusual number of fraudulent transactions by

tightening restrictions on the merchant.

ACQUIRER AND ISSUER FRAUD

-------- --- ------ -----

The place to make really big bucks in fraud is at the acquirer or is-

suer, since this is where you can get access to large amounts of money.

Fortunately, it's also fairly easy to control things here with audit

procedures and dual control. People working in the back offices, pro-

cessing credit slips, bills, etc. have a big opportunity to "lose"

things, introduce false things, artificially delay things, and tempo-

rarily divert things. Most of the control is standard banking stuff,

and has been proven effective for decades, so this isn't a big problem.

A bigger potential problem to the consumer is the possibility of an em-

ployee at the issuer or acquirer selling PANs to crooks. This would be

very hard to track down, and could compromise a large part of the card

base. I know of no cases where this has happened.

Programmers, in particular, are very dangerous because they know where

the data is, how to get it, and what to do with it. In most shops, de-

velopment is done on completely separate facilities from the production

system. Certification and installation are done by non-developers, and

developers are not allowed any access to the production facilities.

Operations and maintenance staff are monitored very carefully as well,

since they typically have access to the entire system as part of their

jobs.

Another type of fraud that is possible here is diversion of materials,

such as printed, but not embossed or encoded, card blanks. Such mate-

rials are typically controlled using processes similar to those used at

U.S. mints. Since most of the cards issued in the United States are

actually manufactured by only a handful of companies, it's not too hard

to keep things under control.

There are many types of fraud that can be perpetrated by tapping data

communication lines, and using protocol analyzers or computers to in-

tercept or introduce data. These types of fraud are not widespread,

mainly because of the need for physical access and because sophisti-

cated computer techniques are required. There are message authentica-

tion, encryption, and key management techniques that are available to

combat this type of fraud, but currently these techniques are far more

costly than the minimal fraud they could prevent. About the only such

security technique that is in widespread use is encryption of PINs.

The next episode will be devoted to debit cards, and the final episode

will talk about the networks that make all this magic happen.

EVOLUTION OF DEBIT CARDS

--------- -- ----- -----

The debit card originated as a method for bank customers to have access

to their funds through Automatic Teller Machines (ATMs). This was seen

as a way for banks to automate their branches and save money, as well

as a benefit for customers. A secondary intent was for the card to be

used as a method of identification when dealing with a human teller.

Although that idea never really caught on, it has seen renewed interest

from time to time.

One problem with using cards to access bank accounts is that federal

regulations required a signature be used for each withdrawal transac-

tion. After much debate, the concept of a Personal Identification Num-

ber (PIN) was invented, and federal regulations were modified to allow

PINs for use in place of signatures with bank withdrawals. ATMs also

faced many other regulatory difficulties. In many states, for example,

there are limitations on the number of branches a bank can have. In a

conflict that only a lawyer could conceive of, a ruling was required

about whether an ATM constitutes a bank branch or not. Since such rul-

ings were made on a state by state basis, it varies across the country.

This results in some very odd arrangements in some states, because of

requirements placed on bank branches.

In early attempts, the card actually carried account information and

balances. The cardholder would bring the card into a branch, and bank

personnel would "load" money onto the card, based on the customer's ac-

tual account balance. The cardholder could then use the card at a

stand-alone machine that would update the information on the card as

money was withdrawn. The information was stored on track 3 of the mag-

netic stripe, as mentioned in an earlier installment. This approach

had many problems. It was far too susceptible to fraud, it could not

reasonably handle multiple accounts, and it could not be used as a ve-

hicle for other services. Since it was pretty much limited to with-

drawals, it didn't even automate much of the bank branch functions.

The online ATM offered a solution to the problems of the early ATM

cards. Since the ATM was connected to the bank's host, it was no

longer necessary to maintain account balances on the card itself, which

removed a major source of fraud. Also, access to multiple accounts be-

came possible, as did additional services, such as bill payment.

Once banks started buying and installing ATMs, they quickly realized

that it is very expensive to maintain a large number of machines. Yet

customers began demanding more machines, so they could have easier ac-

cess to their funds. Since many banks in an area would have ATMs, the

obvious solution was to somehow cross-connect bank hosts so that cus-

tomers could use ATMs at other banks, for convenience. The lawyers

struck again. Does a shared ATM count as a branch for both banks? Does

a transaction at a shared ATM mean that one bank is doing financial

transactions for another, which is not allowed? If two banks share

ATMs, but refuse to allow a third bank, is that monopolizing or re-

straint of trade? Strange restrictions on shared ATM transactions re-

sulted.

Soon interchange standards began to evolve, and ATM networks became a

competitive tool. Regional and national networks started to emerge.

And the lawyers struck again. If a network allows transactions in one

state for a bank in another state, isn't that interstate banking, which

was at the time forbidden? Should an ATM network that dominates a re-

gion become a regulated monopoly? Should an ATM network that gets re-

ally big be considered a public utility?

Today, the regional and national networks continue to grow and offer

more services and more interconnections. All of the regulatory issues

have not been resolved, and this is creating a lot of tension for eas-

ing banking restrictions.

An ATM card is just an ATM card, regardless of how many ATMs it works

in. Most banks long ago saw an opportunity for the ATM card to be used

as a debit card, presumably to replace checks. A tremendous number of

checks are used each year, and it costs banks a lot of money to process

them. Debit card transactions could cost less to process, given an ap-

propriate infrastructure. Some of the costs could potentially be

passed on to the merchants or the consumers, who are notoriously reluc-

tant to directly pay the cost of checks. So far there have been many

trials of using ATM cards as debit cards at the point of sale, but they

have, in general, met with consumer apathy. In some areas, where banks

have aggressively promoted debit, things have gone better. Still, gen-

eral acceptance of debit seems a ways off.

One interesting twist to the debit card story, as mentioned earlier, is

the emergence of third party debit cards. Issuers of these cards have

no real account relationship with the cardholders. Instead, they ob-

tain permission from the cardholders to debit their checking accounts

directly through the Automated Clearing Houses (ACHs), the same way

checks are cleared. (Think of it as direct deposit, in reverse.) Oil

companies first started experimenting with this a couple of years ago,

and it has met with surprising success. Banks dislike this concept,

because it competes directly with their debit cards, but isn't subject

to the same state and federal regulations. ACHs like this, because it

bolsters their business, which otherwise stands to lose a lot by

acceptance of debit cards. Merchants generally like this, especially

the large retailers, because it allows them to get their payment sys-

tems out from under the control of the banks.

THE ATM

--- ---

An ATM is an interesting combination of computer, communication, bank-

ing, and security technology all in one box. A typical machine has a

microprocessor, usually along the lines of an 8086, a communications

module (which may have it's own microprocessor), a security module

(also with a microprocessor), and special-purpose controllers for the

hardware. The user interface is typically a CRT, a telephone-style

keypad, and some soft function keys. Typically there is a lot of

memory, but no disk. The screens and program are usually downloaded

from the host at initialization, and are stored in battery-backed RAM

indefinitely. The machine typically interacts with the host for every

transaction, but it can operate offline if necessary, as dictated by

the downloaded program. The downloaded program is often in an

industry-standard "states and screens" format that was created by

Diebold, a manufacturer of various banking equipment, including ATMs.

Most machines can use a few IBM protocols (bisync, SNA, and an outmoded

but still used "loop" protocol), Burroughs poll/select, and perhaps

some others, depending on which communications module is in place.

This allows the manufacturer to make a standard machine, and plug in

different communications hardware to suit the customer. The IBM bisync

and SNA protocols are most common, with most networks moving toward

SNA.

The security modules do all encryption for the ATM. They are separate

devices that are physically sealed and cannot be opened or tapped with-

out destroying the data within them. In a truly secure application, no

sensitive data entering or leaving the security module is in cleartext.

Arranging this and maintaining it is more complicated than I can go

into here.

Most ATMs contain two bill dispensers, a "divert" bin for bills, a

"capture" bin for cards, a card reader, receipt printer, journal

printer, and envelope receptacle. Some ATMs have more than two bill

dispensers, and can even dispense coins.

When an ATM is dispensing money, it counts the appropriate bills out of

the bill dispensers, and uses a couple of mechanical and optical checks

to make sure it counted correctly. If the checks fail, it shunts the

bills into the divert bin and tries again. Typically, this is because

two bills were stuck together. I've seen ATMs have sensor faults, and

divert the total contents of both bill dispensers the first time a user

asks for a withdrawal. "Gee, all I did was ask for $50, and this ma-

chine made all kinds of funny whirring noises and shut down." Most

banks will put twenty-dollar bills in one of the dispensers and five

dollar bills in the other. Some use tens and fives, or tens and twen-

ties. Depending on the denominations of the bills, the size of the

dispensers, and the policy of the bank, an ATM can hold tens of thou-

sands of dollars.

The journal printer keeps a running log of every use of the machine,

and exactly what the machine is doing, for audit purposes. you can of-

ten hear it printing as soon as you put your card in or after your

transaction is complete.

When you put an envelope into an ATM, the transaction information is

usually printed directly on the envelope, so that verifying the deposit

is easier. Bank policies typically require that any deposit envelope

be opened and verified by two people. In this, you're actually safer

depositing cash at an ATM than giving it to a human teller.

A card will be diverted to the capture bin if it is on the "hot card"

list, if the user doesn't enter a correct PIN, or if the user walks

away and forgets to take the card.

On some machines, the divert bin, capture bin, envelope receptacle, and

bill dispenser bins are all separately locked containers, so that re-

stocking can be done by courier services who simply swap bins and re-

turn the whole thing to a central site.

The entire ATM is typically housed in a hardened steel case with alarm

circuitry built in. These suckers have been known to survive dynamite

explosions. The housing typically has a combination lock on the door,

and no single person knows the entire combination. The machine can

thus be opened for restocking, maintenance, or repair, only if at least

two people are present.

DEBIT CARD PROCESSING

----- ---- ----------

Debit card processing is fairly similar to credit and charge card pro-

cessing, with a few exceptions. First, in the case of ATMs, the ac-

cepter and acquirer are usually the same. For debit card use at the

point of sale, the usual acquirer-accepter relationship holds. In gen-

eral, acquirers may do front-end screening on debit cards, but all ap-

provals are generated by the issuer - the floor limit is zero. This

makes it possible to eliminate a separate settlement process for debit

card transactions, but places additional security and reliability con-

straints on the "authorization". Often a separate settlement is done

anyway.

One problem that has caused difficulties for POS use of debit cards is

the use of PINs. Many merchants and cardholders would rather use sig-

nature for identity verification. But most debit systems grew out of

ATM systems, and require PINs. This is an ironic reversal of the early

ATM card days, when people were trying to avoid requiring signature.

Other than the PIN, the information required for a debit transaction is

the same as that required for a credit transaction.

One last installment on the networks that tie this all together, and

the Credit Card 101 course will be complete. There will be no final

exam - you will be graded entirely on classroom participation. Most of

you are failing miserably...

ACCESS NETWORKS

------ --------

For most credit card applications, the cost of the access network is

the single biggest factor in overall costs, often accounting for over

half of the total. For that reason, there are many different solu-

tions, depending on the provider, the application, and geographical

constraints.

The simplest form of access network uses 800 service, in one of its

many forms. Terminals at merchant locations across the country dial an

800 number that is terminated on a large hunt group of modems, con-

nected directly to the acquirer's front-end processor (FEP). The FEP

is typically a fault-tolerant machine, since an outage here will take

out the entire service. A large acquirer will typically have two or

more centers for terminating the 800 service. This allows better

economy, due to the nature of 800 service tariffs, and allows for di-

of 800 service is that it is quite easy to cover the entire country

with it. It also provides the most effective utilization of your FEP

resources. (A little queuing theory will show you why.) However, 800

service is quite expensive. It always requires 10 (or 11) digits di-

aled, and in areas with pulse dialing it can take almost three seconds

just to dial 1-800. The delay between dialing and connection is longer

for 800 calls than many other calls, because of the way the calls get

routed. All of this adds to the perce