Dumps Carding Tutorial Ultimate Guide
(I did not write this.)

DEFINITIONS
-----------

First some terms, along with the meanings they have in the industry:

Cardholder - an individual to whom a credit card is issued. Typically,
this individual is also responsible for payment of all charges made to
that card. Corporate cards are an exception to this rule.

Card Issuer - an institution that issues credit cards to cardholders.
This institution is also responsible for billing the cardholder for
charges. Often abbreviated to "Issuer".

Card Accepter - an individual, organization, or corporation that accepts
credit cards as payment for merchandise or services. Often abbreviated
"Accepter" or "merchant".

Acquirer - an organization that collects (acquires) credit authorization
requests from Card Accepters and provides guarantees of payment.
Normally, this will be by agreement with the Issuer of the card in
question.

Many issuers are also acquirers. Some issuers allow other acquirers to
provide authorizations for them, under pre-agreed conditions. Other
issuers provide all their own authorizations.

TYPES OF CARDS
----- -- -----

The industry typically divides up cards by the business of the issuer.
So there are bank cards (VISA, Master Card, Discover), Petroleum Cards
(SUN Oil, Exxon, etc.), and Travel and Entertainment (T&E) cards
(American Express, Diners' Club, Carte Blanche). Other cards are
typically lumped together as "Private Label" cards. That would include
department store cards, telephone cards, and the like. Most private
label cards are only accepted by the issuer. People are starting to
divide the telephone cards into a separate class, but it hasn't
received widespread acceptance. (This is just a matter of terminology,
and doesn't affect anything important.)

Cards are also divided by how they are billed. Thus there are credit
cards (VISA, MC, Discover, most department store cards), charge cards
(American Express, AT&T, many petroleum cards) and debit cards. Credit
cards invoke a loan of money by the issuer to the cardholder under
pre-arranged terms and conditions. Charge cards are simply a payment
convenience, and their total balance is due when billed. When a debit
card is used, the amount is taken directly from the cardholder's
account with the issuer. Terminology is loose - often people use
"credit card" to encompass credit cards and charge cards.

A recent phenomenon is third-party debit cards. These cards are issued
by an organization with which the cardholder has no account
relationship. Instead, the cardholder provides the card issuer with the
information necessary to debit the cardholder's checking account
directly through an Automated Clearing House (ACH), the same way a
check would be cleared. This is sort of like direct deposit of
paychecks, in reverse. ACHs love third-party debit cards. Banks hate
them.

Another recent addition is affinity cards. These cards are valid credit
cards from their issuer, but carry the logo of a third party, and the
third party benefits from their use. There is an incredible variety of
affinity cards, ranging from airlines to colleges to professional
sports teams.

HOW THEY MAKE MONEY
--- ---- ---- -----

Issuers of credit cards make money from cardholder fees and from
interest paid on outstanding balances. Not all issuers charge fees.
Even those that do make most of their money on the interest. They
really LIKE people who pay the minimum each month.

Issuers of charge cards make money from cardholder fees. Some charge
cards actually run at a loss for the company, particularly those that
are free. The primary purpose of such cards is to stimulate business.

Issuers of debit cards may make money on transaction fees. Not all
debit card transactions have fees. Most debit cards exist to stimulate
business for the bank and to offload tellers and back-room departments.
To date, third-party debit cards exist solely to stimulate business.
Providers of such cards make no direct money from their use.

Acquirers make money from transaction charges and discount fees. Unlike
the charges and fees mentioned above, these fees are paid by the
accepter, not (directly) by the cardholder. (Technically, it is not
legal for the merchants to pass these charges directly to the consumer.
Some petroleum stations have gotten away with giving a discount for
cash, and it has survived court challenges so far.) Transaction charges
are typically in pennies per transaction, and are sensitive to the type
of communication used for the authorization. Discount fees are a
percentage of the purchase price and are sensitive to volume and
compliance with rules. One way to encourage merchants to follow certain
procedures or to upgrade to new equipment is to offer a lower discount
fee.

Until fairly recently, the only motivation for accepters was to expand
their business by accepting cards. Reduction of fraud was enough reason
for many merchants to pay authorization fees, but in many cases, it
isn't worth the cost. (That is, it is cheaper to pay the fraud than to
prevent it.) Recently, electronic settlement has provided merchants
with an added benefit by reducing float on charged purchases. Merchants
can now get their accounts credited much faster than before, which
helps cash flow.

Companies that issue charge cards are real keen on float reduction. The
sooner they can bill you, the sooner they get their money. Credit card
companies are also interested in float reduction, since the sooner they
bill, the sooner they can start charging interest. Debit cards
typically involve little or no float.

Affinity cards usually pay a percentage of purchases to the affinity
organization. Although it may seem obvious to take this money from the
discount fee, this doesn't work since the issuer is not always the
acquirer. The money for this usually comes from the interest paid on
outstanding balances. Essentially, the bank is giving a share of its
profits to an organization in return for the organization promoting
use of its credit card. The affinity organization is free to use its
cut any way it wishes. An airline will typically put it into the
frequent flyer program (and credit miles to your account). A college
may put the money into the general fund or into a scholarship fund.
Lord only knows what a sports team does with the money!

THE PLAYERS AND THEIR ROLES
--- ------- --- ----- -----

American Express (AMEX) is a charge card issuer and acquirer. (Their
other businesses are not important to this discussion.) All AMEX
purchases are authorized by AMEX. They make most of their money from
the discount fees, which is why they have the highest discount fee in
the industry. That's one reason why AMEX isn't accepted in as many
places as VISA and MC, and a reason why many merchants will prefer
another card to an AMEX card. The control AMEX has over authorization
allows them to provide what they consider to be better cardholder
("cardmember" to them) services.

VISA is a non-profit corporation (SURPRISE!) that is best described as
a purchasing and marketing coalition of its member banks. VISA issues
no credit cards itself - all VISA cards are issued by member banks.
VISA does not set terms and conditions for its member banks - the banks
can do pretty much as they please in signing cardholders. All VISA
charges are ultimately approved by the card issuer, regardless of where
the purchase was made. Many smaller banks share their account databases
with larger banks, third parties, or VISA itself, so that the bank
doesn't have to provide authorization facilities itself.

Master Card (MC) is very much like VISA. There are some differences
that are important to those in the industry, but from the consumer's
standpoint they operate pretty much the same.

Discover cards are issued by a bank owned by Sears. All Discover
purchases are authorized by Sears.

Most petroleum cards, if they are even authorized, are authorized by
the petroleum company itself. There are exceptions. Fraud on petroleum
cards is so low that the main reason for authorization is to achieve
the float reduction of electronic settlement.

THE BUSINESS RELATIONSHIPS
--- -------- -------------

Card accepters generally sign up with a local acquirer for
authorization and settlement of all credit cards. This acquirer may or
may not be a card issuer, but certainly will not have issued all the
cards that the merchant can accept. The accepter does not generally
call one place for VISA and a different place for MC, for example. At
one time, this was necessary, but more and more acquirers are connected
to all networks and are offering a broader range of services.

Acquirers generally are connected to many issuers, and pay transaction
charges and discount fees to those issuers for authorizations. Thus,
the acquirer is actually making money on the difference between fees
paid and fees billed. Most acquirers gather together transactions from
many accepters, allowing them to get volume discounts on fees. Since
the accepters individually have lower volume and are not eligible for
those discounts, there is a markup that the acquirer can get away with.
Acquirers also, of course, provide the convenience of a single contact.

Most large banks are issuers and acquirers. Things get real interesting
when it's time to settle up. Some small banks are only issuers. There
are third parties that are only acquirers.

In future episodes, I'll explain how standards help all this chaos work
together, and give details about how the authorization process happens.

Joe Ziegler
att!lznv!ziegler

This is part two in a planned six-part series about the credit card
industry. It would be best if you read part one before reading this
part. Enjoy.

DEFINITIONS
-----------

Some more new terms that are used in this posting.

ABA - American Bankers Association

ACH - Automated Clearing House - an organization that mechanically and
electronically processes checks.

ANSI - American National Standards Institute

Embossing - creating raised letters and numbers on the face of the
card.

Encoding - recording data on the magnetic stripe on the back of the
card.

Imprinting - using the embossed information to make an impression on a
charge slip.

Interchange - sending authorization requests from one host (the
acquirer) to another (the issuer) for approval.

ISO - International Standards Organization

NACHA - National Automated Clearing House Association

PAN - Personal Account Number. The account number associated with a
credit, debit or charge card. This is usually the same as the number
on the card.

PIN - Personal Identification Number. A number associated with the
card, that is supposedly known only to the cardholder and the card
issuer. This number is used for verification of cardholder identity.

THE ORGANIZATIONS
--- -------------

ISO sets standards for plastic cards and for data interchange, among
other things. ISO standards generally allow for national expansion.
Typically, a national standards organization, like ANSI, will take an
ISO standard and develop a national standard from it. National
standards are generally subsets of the ISO standard, with extensions as
allowed in the original ISO standard. Many credit card standards
originated in the United States, and were generalized and adopted by
ISO later.

The ANSI committees that deal with credit card standards are sponsored
by the ABA. Most members of these committees work for banks and other
financial institutions, or for vendors who supply banks and financial
institutions. Working committees report to governing committees.

All standards go through a formal comment and review procedure before
they are officially adopted.

PHYSICAL STANDARDS
-------- ---------

ANSI X4.13, "American National Standard for Financial Services -
Financial Transaction Cards" defines the size, shape, and other
physical characteristics of credit cards. Most of it is of interest
only to mechanical engineers. It defines the location and size of the
magnetic stripe, signature panel, and embossing area. This standard
also includes the Luhn formula used to generate the check digit for the
PAN, and gives the first cut at identifying card type from the account
number. (This part was expanded later in other standards.) Also, this
standard identifies the character sets that can be used for embossing a
card.

Three character sets are allowed - OCR-A as defined in ANSI X3.17,
OCR-B as defined in ANSI X3.49, and Farrington 7B, which is defined in
the appendix of ANSI X4.13 itself. Almost all the cards I have use
Farrington 7B, but Sears uses OCR-A. (Sears also uses the optional,
smaller card size, as allowed in the standard.) These character sets
are intended to be used with optical character readers (hence the OCR),
and large issuers have some pretty impressive equipment to read those
slips.

ENCODING STANDARDS
-------- ---------

ANSI X4.16, "American National Standard for Financial Services -
Financial Transaction Cards - Magnetic Stripe Encoding" defines the
physical, chemical, and magnetic characteristics of the magnetic stripe
on the card. The standard defines a minimum and maximum size for the
stripe, and the location of the three defined encoding tracks. (Some
cards have a fourth, proprietary track.)

Track 1 is encoded at 210 bits per inch, and uses a 6-bit coding of a
64-element character set of numerics, alphabet (one case only), and
some special characters. Track 1 can hold up to 79 characters, six of
which are reserved control characters. Included in these six
characters is a Longitudinal Redundancy Check (LRC) character, so that
a card reader can detect most read failures. Data encoded on track 1
include PAN, country code, full name, expiration date, and
"discretionary data". Discretionary data is anything the issuer wants
it to be. Track 1 was originally intended for use by airlines, but many
Automatic Teller Machines (ATMs) are now using it to personalize
prompts with your name and your language of choice. Some credit
authorization applications are starting to use track 1 as well.

Track 2 is encoded at 75 bits per inch, and uses a 4-bit coding of the
ten digits. Three of the remaining characters are reserved as
delimiters, two are reserved for device control, and one is left
undefined. In practice, the device control characters are never used,
either. Track 2 can hold up to 40 characters, including an LRC. Data
encoded on track 2 include PAN, country code (optional), expiration
date, and discretionary data. In practice, the country code is hardly
ever used by United States issuers. Later revisions of this standard
added a qualification code that defines the type of the card (debit,
credit, etc.) and limitations on its use. AMEX includes an issue date
in the discretionary data. Track 2 was originally intended for credit
authorization applications. Nowadays, most ATMs use track 2 as well.
Thus, many ATM cards have a "PIN offset" encoded in the discretionary
data. The PIN offset is usually derived by running the PIN through an
encryption algorithm (maybe DES, maybe proprietary) with a secret key.
This allows ATMs to verify your PIN when the host is offline, generally
allowing restricted account access.

Track 3 uses the same density and coding scheme as track 1. The
contents of track 3 are defined in ANSI X9.1, "American National
Standard - Magnetic Stripe Data Content for Track 3". There is a slight
contradiction in this standard, in that it allows up to 107 characters
to be encoded on track 3, while X4.16 only gives enough physical room
for 105 characters. Actually, there is over a quarter of an inch on
each end of the card unused, so there really is room for the data. In
practice, nobody ever uses that many characters, anyway. The original
intent was for track 3 to be a read/write track (tracks 1 and 2 are
intended to be read-only) for use by ATMs. It contains information
needed to maintain account balances on the card itself. As far as I
know, nobody is actually using track 3 for this purpose anymore,
because it is very easy to defraud.

COMMUNICATION STANDARDS
------------- ---------

Formats for interchange of messages between hosts (acquirer to issuer)
are defined by ANSI X9.2, which I helped define. Financial message
authentication is described by ANSI X9.9. PIN management and security
is described by ANSI X9.8. There is a committee working on formats of
messages from accepter to acquirer. ISO has re-convened the
international committee on host message interchange (TC68/SC5/WG1),
and ANSI may need to re-convene the X9.2 committee after the ISO
committee finishes. These standards are still evolving, and are less
specific than the older standards mentioned above. This makes them
somewhat less useful, but is a natural result of the dramatic progress
in the industry.

ISO maintains a registry of card numbers and the issuers to which they
are assigned. Given a card that follows standards (not all of them do)
and the register, you can tell who issued the card based on the first
six digits (in most cases). This identifies not just VISA, MasterCard,
etc., but also which member bank actually issued the card.

DE FACTO INDUSTRY STANDARDS
-- ----- -------- ---------

Most ATMs use IBM synchronous protocols, and many networks are
migrating toward SNA. There are exceptions, of course. Message formats
used for ATMs vary with the manufacturer, but a message set originally
defined by Diebold is fairly widely accepted.

Many large department stores and supermarkets (those that take cards)
run their credit authorization through their cash register controllers,
which communicate using synchronous IBM protocols.

Standalone Point-of-Sale (POS) devices, such as you would find at most
smaller stores (i.e. not at department stores), restaurants and hotels
use a dial-up asynchronous protocol devised by VISA. There are two
generations of this protocol, with the second generation just beginning
to get widespread acceptance.

Many petroleum applications use multipoint private lines and a polled
asynchronous protocol known as TINET. This protocol was developed by
Texas Instruments for a terminal of the same name, the Texas
Instruments Network E(something) Terminal. The private lines reduce
response time, but cost a lot more money than dial-up.

NACHA establishes standards for message interchange between ACHs, and
between ACHs and banks, for clearing checks. This is important to this
discussion due to the emergence of third-party debit cards, as
discussed in part 1 of this series. The issuers of third-party debit
cards are connecting to ACHs, using the standard messages, and clearing
POS purchases as though they were checks. This puts the third parties
at an advantage over the banks, because they can achieve the same
results as a bank debit card without the federal and state legal
restrictions imposed on banks.

In the next installment, I'll describe how an authorization happens, as
well as how the settlement process gets the bill to you and your money
to the merchant. After that I'll describe various methods of fraud, and
how issuers, acquirers, and accepters protect themselves. Stay tuned.

Joe Ziegler
att!lznv!ziegler

Here's part 3 in my six-part series on the credit card industry. This
part discusses how authorization and settlement work. This is a long
one. It will help if you have read parts 1 and 2, since I had to leave
out a lot of overlap to keep this from getting ridiculous. Enjoy.

THE ACCEPTER
--- --------

An important fact to note is that a card accepter does not have to get
approval for any purchases using credit or charge cards. Of course, a
merchant is usually interested in actually getting money, and so must
participate in some form of settlement process (see below). Usually,
the most acceptable (to a merchant) forms of settlement are tied (by
the acquirer) to authorization processes. However, a merchant could
simply accept all cards without any validation, and eat any fraud that
results.

A merchant typically makes a business arrangement with a local bank or
some other acquirer for authorization and settlement services. The
acquirer assigns a merchant identifier to that merchant, which will
uniquely identify the location of the transaction. (This facilitates
compliance with federal regulations requiring that credit card bills
identify where each purchase was made.) The acquirer also establishes
procedures for the merchant to follow. The procedures will vary by
type of the merchant business, geographic location, volume of
transactions, and types of cards accepted.

If the merchant follows the procedures given by the acquirer and a
transaction is approved, the merchant is guaranteed payment whether the
card in question is good or bad. The purpose of authorization is to
shift financial liability from the accepter to the acquirer.

There are two basic tools used - bulletins and online checks. Bulletins
may be hardcopy, or may be downloaded into a local controller of some
form. Online checks could be done via a voice call, a standalone
terminal, or software and/or hardware integrated into the cash
register.

A low-volume, high-ticket application (a jewelry store) would probably
do all its authorizations with voice calls, or may have a stand-alone
terminal. A high-volume, low-ticket application (a fast-food chain)
will probably do most of its authorizations locally against a bulletin
downloaded into the cash register controller. Applications in between
typically merge the two - things below a certain amount (the "floor
limit") are locally authorized after a lookup in the bulletin, while
things over the floor limit are authorized online.

Usually a lot of effort is taken to use the least expensive tools that
are required by the expected risk of fraud. Typically, communication
costs for authorizations make up the biggest single item in the overall
cost of providing credit cards.

Large accepters are always a special case. Airlines are usually
directly connected, host-to-host, to issuers and/or acquirers, and
authorize everything online. Likewise for many petroleum companies and
large department stores. Some large chains use different approaches at
different locations, either as a result of franchising oddities or due
to volume differences between locations. A lot of experimentation is
still going on as well - this is not a mature market.

For voice authorizations, the merchant ID, PAN, expiration date, and
purchase amount are required for an approval. Some applications also
require the name on the card, but this is not strictly necessary. For
data authorizations, the merchant ID, PAN, PIN (if collected),
expiration date, and purchase amount are required. Typically, the
"discretionary data" from track 2 is sent as well, but this is not
strictly necessary. In applications that do not transmit the PIN with
the authorization, it is the responsibility of the merchant to verify
identity. Usually, this should be done by checking the signature on
the card against the signature on the form. Merchants don't often
follow this procedure, and they take a risk in not doing so.

In most applications, the amount of the purchase is known at the time
of the authorization request. For hotels, car rentals, and some
petroleum applications, an estimated amount is used for the
authorization. After the transaction is complete (e.g. after the gas is
pumped or at check-out time), another transaction may be sent to advise
of the actual amount of the transaction. More on this later.

THE ACQUIRER
--- --------

The acquirer gathers authorization requests from accepters and returns
approvals. If the acquirer is an issuer as well, "on us" transactions
will typically be turned around locally. As before, the acquirer does
not have to forward any requests on to the actual issuer. However,
acquirers are not willing to take the financial risks associated with
generating local approvals. Thus most transactions are sent on to the
issuers (interchanged). The purpose of interchange is to shift
financial liability from the acquirer to the issuer.

Typically, an acquirer connects to many issuers, and negotiates
different business arrangements with each one of them. But the acquirer
generally provides a uniform interface to the accepter. Thus, the
interchange rules are sometimes less stringent than those imposed on
the accepter. Also, most issuers will trust acquirers with
responsibilities they would never trust to accepters. The acquirer can
therefore perform some front-end screening on the transactions, and
turn some of them around locally without going back to the issuer.

The first screening by the acquirer would be a "sanity" test, for valid
merchant ID, valid Luhn check on PAN, expiration date not past, amount
field within reason for type of merchant, etc. After that, a floor
limit check will be done. Issuers generally give acquirers higher
floor limits than acquirers give accepters, and floor limits may vary
by type of merchant. Next, a "negative file" check would be done
against a file of known bad cards. (This is essentially the same as
the bulletin.) Then a "velocity file" check may be done. A velocity
file keeps track of card usage, and limits are often imposed on both
number of uses and total amount charged within a given time period.
Sometimes multiple time periods are used, and it can get fairly
complicated.

Transactions that pass all the checks, and are within the authority
vested in the acquirer by the issuer, are approved by the acquirer.
(Note that, under the business arrangement, financial liability still
resides with the issuer.) An "advice" transaction is sometimes sent to
the issuer (perhaps at a later time), to tell the issuer that the
transaction took place.

Transactions that "fail" one or more checks are denied by the acquirer
(if the cause was due to form, such as bad PAN) or sent to the issuer
for further checking. (Note that "failure" here can mean that it's
beyond the acquirer's authority, not necessarily that the card is bad.)
Some systems nowadays will periodically take transactions that would
otherwise be approved locally, and send them to the issuer anyway. This
serves as a check on the screening software and as a countermeasure
against fraudulent users who know the limits.
603 | ||
604 | ||
605 | Transactions that go to the issuer are routed according to the first | |
606 | six digits of the PAN, according to the ISO registry mentioned in an | |
607 | earlier section. Actually, it's a bit more complicated than that, | |
608 | since there can be multiple layers of acquirers, and some issuers or | |
609 | acquirers will "stand in" for other issuers when there are hardware or | |
610 | communication failures, but the general principle is the same at each | |
611 | point. | |
612 | ||
613 | ||
614 | THE ISSUER | |
615 | --- ------ | |
616 | ||
617 | ||
618 | An issuer receiving an interchanged transaction will often perform many | |
619 | of the same tests on it that the acquirer performs. Some of the tests | |
620 | may be eliminated if the acquirer is trusted to do them correctly. This | |
621 | is the only point where a velocity file can actually detect all usage | |
622 | of a card. This is also the only point where a "positive file" lookup | |
623 | against the actual account can be done, since only the issuer has the | |
624 | account relationship with the cardholder. If a PIN is used in the | |
625 | transaction, only the issuer can provide true PIN verification - | |
626 | acquirers may be able to do only "PIN offset" checking, as described in | |
627 | a previous section. This is one reason why PINs have not become | |
628 | popular on credit and charge cards. | |
629 | ||
630 | ||
631 | An account typically has a credit limit associated with it. An ap- | |
632 | proved authorization request usually places a "hold" against the credit | |
633 | limit. If the sum of outstanding holds plus the actual outstanding | |
634 | balance on the account, plus the amount of the current transaction, is | |
635 | greater than the credit limit, the transaction is (usually) denied. | |
636 | Often in such a case the issuer will send back a "call me" response to | |
637 | the merchant. The merchant will then call the issuer's number, and the | |
638 | operator may even want to talk to the cardholder. The credit limit | |
639 | could be extended on the spot, or artificially high holds (from hotels | |
640 | or car rental companies) could be overlooked so that the transaction | |
641 | can be approved. | |
642 | ||
643 | ||
644 | The difference between the credit limit and the sum of holds and out- | |
645 | standing balance is often referred to as the "open to buy" amount. Once | |
646 | a hold is placed on an account, it is kept there until the actual | |
647 | transaction in question is settled (see below), in which case the | |
648 | amount goes from a hold to a billed amount, with no impact on the open | |
649 | to buy amount, theoretically. For authorizations of an estimated | |
650 | amount, the actual settled amount will be less than or equal to the ap- | |
651 | proved amount. (If not, the settlement can be denied, and the merchant | |
652 | must initiate a new transaction to get the money.) Theoretically, in | |
653 | such a case, the full hold is removed and the actual amount is added to | |
654 | the outstanding balance, resulting in a possible increase in the open | |
655 | to buy amount. | |
656 | ||
657 | ||
658 | In practice, older systems were not capable of matching settlements to | |
659 | authorizations, and holds were simply expired based on the time it | |
660 | would take most transactions to clear. Newer systems are starting to | |
661 | get more sophisticated, and can do a reasonable job of matching autho- | |
662 | rizations for actual amounts with the settlements. Some of them still | |
663 | don't match estimated amounts well, with varying effects. In some | |
664 | cases, the difference between actual and estimated will remain as a | |
665 | hold for some period of time. In other cases, both the authorization | |
666 | and the settlement will go against the account, reducing the open to | |
667 | buy by up to twice the actual amount, until the hold expires. These | |
668 | problems are getting better as the software gets more sophisticated. | |
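The hold, open-to-buy and settlement mechanics of the last three paragraphs, as an added example (not code from the original article). With match_settlements=True the model behaves like the newer systems (a settlement releases its own hold and may not exceed the approved amount); with False it behaves like the older ones, where holds age out by time and a settled amount can count twice until they do. The credit limit, amounts and the seven-day hold lifetime are constructed assumptions.

```python
"""Added example, not from the original article: an issuer-side account model
with a credit limit, authorization holds, "open to buy" and settlement.
Limits, amounts and the hold lifetime are constructed for the example."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Hold:
    auth_id: str
    amount: float
    placed_at: datetime


@dataclass
class Account:
    credit_limit: float
    balance: float = 0.0                          # billed, outstanding amount
    holds: dict = field(default_factory=dict)     # auth_id -> Hold
    hold_lifetime: timedelta = timedelta(days=7)  # age at which an unmatched hold expires (assumed)
    match_settlements: bool = True                # newer systems match settlement to authorization

    def open_to_buy(self) -> float:
        """Credit limit minus outstanding balance and all holds."""
        return self.credit_limit - (self.balance + sum(h.amount for h in self.holds.values()))

    def authorize(self, auth_id: str, amount: float, now: datetime) -> str:
        """Place a hold if the amount fits; otherwise answer "call me" rather than a flat denial."""
        if amount > self.open_to_buy():
            return "CALL_ME"
        self.holds[auth_id] = Hold(auth_id, amount, now)
        return "APPROVED"

    def settle(self, auth_id: str, amount: float) -> str:
        """Move the amount from a hold to the billed balance."""
        if not self.match_settlements:
            self.balance += amount            # old style: the hold stays until it ages out
            return "POSTED_UNMATCHED"
        hold = self.holds.get(auth_id)
        if hold is None:
            self.balance += amount            # hold already expired, nothing to compare (assumed)
            return "POSTED_NO_HOLD"
        if amount > hold.amount:
            return "SETTLEMENT_DENIED"        # merchant must initiate a new transaction
        del self.holds[auth_id]
        self.balance += amount
        return "SETTLED"

    def expire_holds(self, now: datetime) -> int:
        """Drop holds older than hold_lifetime; returns how many were dropped."""
        old = [k for k, h in self.holds.items() if now - h.placed_at > self.hold_lifetime]
        for k in old:
            del self.holds[k]
        return len(old)


def demo_matched():
    """Hotel estimate, an over-limit "call me", a settlement under the estimate, an over-settlement."""
    acct, t0 = Account(credit_limit=1000.0), datetime(2024, 5, 1)
    steps = []
    steps.append(("auth hotel 600", acct.authorize("hotel", 600.0, t0), acct.open_to_buy()))
    steps.append(("auth dinner 500", acct.authorize("dinner", 500.0, t0), acct.open_to_buy()))
    steps.append(("settle hotel 450", acct.settle("hotel", 450.0), acct.open_to_buy()))
    steps.append(("auth rental 200", acct.authorize("rental", 200.0, t0), acct.open_to_buy()))
    steps.append(("settle rental 250", acct.settle("rental", 250.0), acct.open_to_buy()))
    steps.append(("settle rental 200", acct.settle("rental", 200.0), acct.open_to_buy()))
    return steps


def demo_unmatched():
    """Same hotel stay on an older system: open to buy drops by nearly twice the amount."""
    acct, t0 = Account(credit_limit=1000.0, match_settlements=False), datetime(2024, 5, 1)
    steps = []
    steps.append(("auth hotel 600", acct.authorize("hotel", 600.0, t0), acct.open_to_buy()))
    steps.append(("settle hotel 450", acct.settle("hotel", 450.0), acct.open_to_buy()))
    steps.append(("expire after 8 days", acct.expire_holds(t0 + timedelta(days=8)), acct.open_to_buy()))
    return steps
```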
669 | ||
670 | ||
671 | Some issuers are also starting to use much more sophisticated usage | |
672 | checks as well. They will not only detect number of uses and amount | |
673 | over time, but also types of merchandise bought, or other patterns to | |
674 | buying behavior. Most of this stuff is new, and is used for fraud pre- | |
675 | vention. I expect this to be the biggest effort in authorization soft- | |
676 | ware for the next few years. | |
677 | ||
678 | ||
679 | American Express does things completely differently. There are no | |
680 | credit limits on AMEX cards. Instead, AMEX relies entirely on usage | |
681 | patterns, payment history, and financial data about cardmembers to de- | |
682 | termine whether or not to automatically approve a transaction. AMEX | |
683 | also has a policy that a cardmember will never be denied by a machine. | |
684 | Thus, if the computer determines that a transaction is too risky, the | |
685 | merchant will receive a "call me" message. The operator will then get | |
686 | details of the transaction from the merchant, and may talk to the | |
687 | cardmember as well, if cardmember identity is in question or a large | |
688 | amount is requested. To verify cardmember identity, the cardmember | |
689 | will be asked about personal information from the original application, | |
690 | or about recent usage history. The questions are not the same each | |
691 | time. If an unusually large amount is requested, the cardmember may be | |
692 | asked for additional financial data, particularly anything relating to | |
693 | a change in financial status (like a new job or a promotion). People | |
694 | who are paranoid about Big Brother and computer databases should not | |
695 | use AMEX cards. | |
696 | ||
697 | ||
698 | SETTLEMENT | |
699 | ---------- | |
700 | ||
701 | ||
702 | So far, no money has changed hands, only financial liability. The pur- | |
703 | pose of settlement is to shift the financial liability back to the | |
704 | cardholder, and to shift the cardholder's money to the merchant. | |
705 | Theoretically, all authorization information can be simply discarded | |
706 | once an approval is received by a merchant. Of course, contested | |
707 | charges, chargebacks, merchant credits, and proper processing of holds | |
708 | require that the information stay around. Still, it is important to | |
709 | realize that an authorization transaction has no direct financial con- | |
710 | sequences. It only establishes who is responsible for the financial | |
711 | consequences to follow. | |
712 | ||
713 | ||
714 | Traditionally, a merchant would take the charge slips to the bank that | |
715 | was that merchant's acquirer, and "deposit" them into the merchant ac- | |
716 | count. The acquirer would take the slips, sort them by issuer, and | |
717 | send them to the issuing banks, receiving credits by wire once they ar- | |
718 | rived and were processed. The issuer would receive the slips, micro- | |
719 | film them (to save the transaction information, as required by federal | |
720 | and state laws) charge them against the cardholder's accounts, send | |
721 | credits by wire to the acquirer, and send out the bill to the | |
722 | cardholder. Problem is, this took time. Merchants generally had to | |
723 | wait a couple of weeks for the money to be available in their accounts, | |
724 | and issuers often suffered from float on the billables of about 45 | |
725 | days. | |
726 | ||
727 | ||
728 | Therefore, nowadays many issuers and acquirers are moving to on-line | |
729 | settlement of transactions. This is often called "draft capture" in | |
730 | the industry. There are two ways this is done - one based on the host | |
731 | and one based on the terminal at the merchant's premises. In the | |
732 | host-based case, the terminal generally only keeps counts and totals, | |
733 | while the acquirer host keeps all the transaction details. Peri- | |
734 | odically, the acquirer host and the terminal communicate, and verify | |
735 | that they both agree on the data. In the terminal-based case, the ter- | |
736 | minal remembers all the important transaction information, and peri- | |
737 | odically calls the acquirer host and replays it all for several | |
738 | transactions. In either case, once the settlement is complete the mer- | |
739 | chant account is credited. The acquirer then sends the settlement in- | |
740 | formation electronically to the issuers, and is credited by wire | |
741 | immediately (or nearly so). The issuer can bill directly to the | |
742 | cardholder account, and float can be reduced to an average of 15 days. | |
743 | ||
744 | ||
745 | The problem is, what to do with the paper? Current regulations in many | |
746 | states require that it be saved, but there is no need for it to be sent | |
747 | to the issuer. Also, for contested charges, a paper trail is much more | |
748 | likely to stand up in court, and much better to use for fraud investi- | |
749 | gations. Currently, the paper usually ends up back at the issuer, as | |
750 | before, but it doesn't need to be processed, just microfilmed and | |
751 | stored. | |
752 | ||
753 | ||
754 | Much of the market still uses paper settlement methods. Online settle- | |
755 | ment will replace virtually all of this within the next 5 to 10 years, | |
756 | because of its many benefits. | |
757 | ||
758 | ||
759 | This was pretty long, but there is a lot of information, and I skimmed | |
760 | over a lot of details. Future installments should be shorter. Coming | |
761 | up next is a discussion of fraud and security, and then a special dis- | |
762 | cussion of debit cards. Hang on, we're halfway through this! | |
763 | ||
764 | ||
765 | Joe Ziegler | |
766 | att!lznv!ziegler | |
767 | This is part four of a planned six-part series on the credit card in- | |
768 | dustry. It will be helpful if you have read parts one through three, | |
769 | as I use a lot of terminology here that was introduced earlier. Enjoy. | |
770 | ||
771 | ||
772 | WARNING | |
773 | ||
774 | ||
775 | This installment describes various methods of perpetrating fraud | |
776 | against credit and charge card issuers, acquirers, and cardholders. Le- | |
777 | gal penalties for using these methods to commit fraud are severe. The | |
778 | reason for sharing this information is so that consumers will be aware | |
779 | of the importance of security and be aware of the procedures used by | |
780 | financial institutions to protect against fraud. Neither I nor my em- | |
781 | ployer advocate use of the fraudulent methods described herein. | |
782 | ||
783 | ||
784 | All the information here is publicly available from other sources. Un- | |
785 | necessary detail is purposely not included, particularly as it applies | |
786 | to detection and prevention of fraud. | |
787 | ||
788 | ||
789 | CARDHOLDER FRAUD | |
790 | ---------- ----- | |
791 | ||
792 | ||
793 | The most common type of fraud against credit cards is cardholders fal- | |
794 | sifying applications to get higher credit limits than they can afford | |
795 | to pay, or to get multiple cards that they cannot afford to pay off. | |
796 | Sometimes this is done with intent to defraud, but most often it is | |
797 | done out of desperation or sheer financial ineptitude. Those who in- | |
798 | tend to defraud generally use the multiple-card approach. They give | |
799 | false names and financial data on several (sometimes as many as hun- | |
800 | dreds) of applications. Often, the address of a vacant house that the | |
801 | crook has access to is given, making it difficult to track the crook's | |
802 | real identity. Once cards start showing up, the crook uses them for | |
803 | cash advances or charges merchandise that is easy to sell, like con- | |
804 | sumer electronics. The crook will run all the cards up to the limit | |
805 | immediately, and will generally move on by the time the bills start ar- | |
806 | riving. This type of fraud is not applicable to debit cards, since | |
807 | they require an available account balance equal to or greater than any | |
808 | purchases or withdrawals. | |
809 | ||
810 | ||
811 | Protecting against this type of fraud, either intentional or otherwise, | |
812 | is exactly the purpose of credit bureaus such as TRW. Issuers have be- | |
813 | come more aware of the need for careful screening of applications, and | |
814 | are using better techniques for detecting similar applications sent to | |
815 | multiple issuers. More sophisticated velocity file screening can also | |
816 | be used to detect possibly fraudulent usage patterns. Since this is a | |
817 | method of fraud that can be used to gain really large amounts of | |
818 | money, it is a high priority with issuers' security departments. | |
819 | ||
820 | ||
821 | A variant of this scheme is much like check kiting. Can you use your | |
822 | VISA to pay your MasterCard? Well, you might be able to manage it, but | |
823 | if you're doing it with intent to defraud, you can be prosecuted. Kit- | |
824 | ing schemes typically don't last long, have a low payoff, and are very | |
825 | easy to detect. | |
826 | ||
827 | ||
828 | Another type of cardholder fraud is simply contesting legitimate | |
829 | charges. Most often, retrieving the documents gives pretty convincing | |
830 | proof. Frequently, a family member will be found to have used the card | |
831 | without the cardholder's permission. Such cases are usually pretty | |
832 | easy to resolve. In the case of an ATM card, cameras are often placed | |
833 | at ATMs (sometimes hidden) to record users of the machine. The camera | |
834 | is usually tied to the ATM, so that a single retrieval stamp can be | |
835 | placed on the film and the ATM log. If a withdrawal is contested, the | |
836 | bank can then retrieve the picture of the person standing at the ma- | |
837 | chine, and conclusively tie that picture to the transaction. | |
838 | ||
839 | ||
840 | A type of cardholder fraud that is endemic only to ATMs is making false | |
841 | deposits. You could, theoretically, tell the ATM that you are deposit- | |
842 | ing a large amount of money, and put in an empty envelope. Most banks | |
843 | will not let you withdraw amounts deposited into an ATM until the de- | |
844 | posit has been verified, but some will allow part of the deposit to be | |
845 | withdrawn. Typically, you can't get away with much. If you have any | |
846 | money actually in your account, the bank has easy, legal recourse to | |
847 | seize those funds. Most banks have no sense of humor about such | |
848 | things, and will remove ATM card privileges after the first offense. | |
849 | ||
850 | ||
851 | THIRD-PARTY FRAUD | |
852 | ----------- ----- | |
853 | ||
854 | ||
855 | The simplest way for a third party to commit fraud is for them to get | |
856 | their hands on a legitimate card. There is a large black market for | |
857 | credit cards obtained from hold-ups, break-ins and muggings. Perhaps | |
858 | one of the cruelest methods of getting a card is a "Good Samaritan" | |
859 | scam. In such a scam, credit cards are stolen by pick-pockets, | |
860 | purse-snatchers, etc. That same day, someone looks up your number in | |
861 | the phone book and calls you up. "I just found your wallet. All the | |
862 | money is gone, but the credit cards and your driver's license are still | |
863 | here. It just happens that I'll be in your neighborhood next Wednesday | |
864 | and I'll drop it off then." Since the cards are found, you don't re- | |
865 | port them stolen, and the crooks get until next Wednesday before you're | |
866 | even suspicious. If such a thing happens to you, ask if you can come | |
867 | and pick the cards up immediately. A true Good Samaritan won't mind, | |
868 | but a crook will stall you. If you can't get your hands on the cards | |
869 | immediately, report them as stolen. Most issuers will be able to get | |
870 | you a new card by next Wednesday, anyway. | |
871 | ||
872 | ||
873 | Often stolen cards will be used for a time exactly as is. The best | |
874 | tool for preventing this is verification of the signature, but this is | |
875 | ineffective because most merchants don't consistently check signatures | |
876 | and some people don't even sign their cards. (I guess these people | |
877 | figure that all purse snatchers are accomplished forgers as well.) | |
878 | Many cards will eventually be modified as the various security schemes | |
879 | start catching up. | |
880 | ||
881 | ||
882 | It is a very easy matter, for example, to re-encode a different number | |
883 | on the magnetic stripe. Since the card still looks fine, a merchant | |
884 | will accept it and run it through the POS terminal, completely ignorant | |
885 | of the fact that the number read off the back is not the same as that | |
886 | on the front. Although the number on the front would fail a negative | |
887 | file check, the number on the back is one that hasn't been reported | |
888 | yet. A card can be re-encoded almost any number of times, as long as | |
889 | you can keep coming up with new valid PANs. To protect against this, | |
890 | some merchants purposely avoid using the magnetic stripe. Others have | |
891 | terminals that display the number read from the stripe, so the cashier | |
892 | can compare it to the number on the card. Some issuers are experiment- | |
893 | ing with special encoding schemes, to make re-encoding difficult, but | |
894 | most of these schemes would require replacing the entire embedded base | |
895 | of POS terminals. An interesting approach I've seen (it's probably | |
896 | patented) uses a laser to burn off the parts of the magnetic stripe | |
897 | where zeroes are encoded, leaving only the ones. This severely limits | |
898 | the changes you can make to the card number. Some issuers use the | |
899 | "discretionary data" field to encode data unique to the card, that a | |
900 | crook would not be able to guess, to combat this type of fraud. | |
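The two defences named in this paragraph, as an added example (not code from the original article): a terminal that shows the PAN read from the stripe so the cashier can compare it with the front of the card, and an issuer check of a card-unique value kept in the discretionary data field. The track 2 layout is the standard one; the check-value construction (a truncated HMAC under an issuer key), the key and all card data are constructed for this example and are not any real issuer's scheme.

```python
"""Added example, not from the original article: defender-side checks against
a re-encoded magnetic stripe. cashier_check() models the terminal display
comparison; issuer_check() verifies a card-unique value in discretionary data.
The HMAC-based check value, the key and the card data are constructed."""
import hashlib
import hmac


def parse_track2(track2: str) -> dict:
    """Track 2: ';' PAN '=' YYMM service-code(3) discretionary-data '?'"""
    if not (track2.startswith(";") and track2.endswith("?")):
        raise ValueError("track 2 sentinels missing")
    pan, sep, rest = track2[1:-1].partition("=")
    if sep != "=" or not pan.isdigit() or len(rest) < 7 or not rest[:7].isdigit():
        raise ValueError("malformed track 2")
    return {"pan": pan, "expiry": rest[:4], "service_code": rest[4:7],
            "discretionary": rest[7:]}


def check_value(pan: str, expiry: str, issuer_key: bytes, digits: int = 5) -> str:
    """Card-unique value only the holder of issuer_key can compute (constructed scheme)."""
    mac = hmac.new(issuer_key, f"{pan}={expiry}".encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10 ** digits).zfill(digits)


def encode_track2(pan: str, expiry: str, service_code: str, issuer_key: bytes) -> str:
    """What the issuer writes on a genuine card."""
    return f";{pan}={expiry}{service_code}{check_value(pan, expiry, issuer_key)}?"


def cashier_check(track2: str, front_pan: str) -> bool:
    """True when the number read from the stripe agrees with the number on the front."""
    return parse_track2(track2)["pan"] == front_pan


def issuer_check(track2: str, issuer_key: bytes) -> bool:
    """True when the discretionary data carries the right check value for this PAN."""
    t = parse_track2(track2)
    expected = check_value(t["pan"], t["expiry"], issuer_key)
    return hmac.compare_digest(t["discretionary"][:len(expected)], expected)


def demo() -> dict:
    """A genuine card, the re-encoded card from the text, and a blank carrying only a PAN."""
    key = b"constructed-issuer-key"
    genuine = encode_track2("4111111111111111", "2812", "101", key)
    # the case the text describes: a different PAN on the stripe, rest of the track unchanged
    rewritten = ";4012888888881881" + genuine[genuine.index("="):]
    # a white card blank encoded from a number on a receipt carries no check value at all
    blank = ";4012888888881881=2812101?"
    return {
        "genuine": (cashier_check(genuine, "4111111111111111"), issuer_check(genuine, key)),
        "rewritten": (cashier_check(rewritten, "4111111111111111"), issuer_check(rewritten, key)),
        "blank": issuer_check(blank, key),
    }
```

The cashier comparison catches the rewritten stripe at the counter; the issuer check catches both the rewritten stripe and the blank at authorization, which is where an ATM, with nobody looking at the card, has to rely on it.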
901 | ||
902 | ||
903 | Since an ATM doesn't have a human looking at the card, it is especially | |
904 | susceptible to re-encoding fraud. A crook could get a number from a | |
905 | discarded receipt and encode it on a white card blank, which is easy to | |
906 | obtain legally. Many people use PINs that are easy to guess, and the | |
907 | crook has an easy job of it. Most ATMs will not give you your card | |
908 | back if you don't enter a correct PIN, and will only give you a few | |
909 | tries to get it right, to prevent this type of fraud. Velocity file | |
910 | checks are also important in detecting this. You should always take | |
911 | your ATM receipts with you, pick a non-obvious PIN, and make sure that | |
912 | nobody sees you enter it. | |
913 | ||
914 | ||
915 | One place that a crook can get valid PANs to encode on credit cards is | |
916 | from dumpsters outside of stores and restaurants. The credit slip | |
917 | typically is a multipart form, with one copy for you, one for the mer- | |
918 | chant, and one for the issuer (ultimately). If carbon paper is used, | |
919 | and the carbons are discarded intact, it's pretty easy to read the num- | |
920 | bers off of them. Carbonless paper and forms that either rip the car- | |
921 | bons in half or attach them to the cardholder copy automatically are | |
922 | used to prevent this. | |
923 | ||
924 | ||
925 | There are a lot of scams for getting people to tell their credit card | |
926 | numbers over the phone. Never give your card number to anyone unless | |
927 | you are buying something from them, and make sure that it is a le- | |
928 | gitimate business you are buying from. "Incredible deal!! Diamond | |
929 | jewelry at half price!! Call now with your VISA number, and we'll rush | |
930 | you your necklace!!" When you don't get the necklace for four weeks, | |
931 | you might start to wonder. When you get your credit card bill, you'll | |
932 | stop wondering. | |
933 | ||
934 | ||
935 | There are other, more sophisticated ways to modify a credit card. If | |
936 | you're skillful, you can change the embossing on the card and even the | |
937 | signature on the back. For most purposes, these techniques are more | |
938 | trouble than they're worth, since it's not difficult to come up with a | |
939 | new stolen card, or fake ID to match the existing card. | |
940 | ||
941 | ||
942 | MERCHANT FRAUD | |
943 | -------- ----- | |
944 | ||
945 | ||
946 | There are many urban rumors of merchants imprinting a card multiple | |
947 | times while the cardholder isn't looking, and then running through a | |
948 | bunch of charges after the cardholder leaves. I don't know of any case | |
949 | where this is an official policy of a merchant, but this is certainly | |
950 | one technique a dishonest cashier could use. The cashier can then take | |
951 | home a bunch of merchandise charged to your account. Although some | |
952 | people are afraid of this happening in a restaurant, where a waiter | |
953 | takes your card away for a while, it's actually less likely there, | |
954 | since there isn't anything the waiter can charge against your card and | |
955 | take home. | |
956 | ||
957 | ||
958 | A merchant could also make copies of charge slips, to sell the PANs to | |
959 | other crooks. (See above for use of PANs.) Most credit card investi- | |
960 | gation departments are sensitive to this possibility, and catch on real | |
961 | fast if it's happening just by looking at usage history of cards with | |
962 | fraudulent charges. | |
963 | ||
964 | ||
965 | A merchant is also in a position to create many false charges against | |
966 | bogus numbers, to attempt to defraud the acquirer or issuer. These | |
967 | schemes are usually not too effective, since acquirers generally re- | |
968 | spond very quickly to an unusual number of fraudulent transactions by | |
969 | tightening restrictions on the merchant. | |
970 | ||
971 | ||
972 | ACQUIRER AND ISSUER FRAUD | |
973 | -------- --- ------ ----- | |
974 | ||
975 | ||
976 | The place to make really big bucks in fraud is at the acquirer or is- | |
977 | suer, since this is where you can get access to large amounts of money. | |
978 | Fortunately, it's also fairly easy to control things here with audit | |
979 | procedures and dual control. People working in the back offices, pro- | |
980 | cessing credit slips, bills, etc. have a big opportunity to "lose" | |
981 | things, introduce false things, artificially delay things, and tempo- | |
982 | rarily divert things. Most of the control is standard banking stuff, | |
983 | and has been proven effective for decades, so this isn't a big problem. | |
984 | A bigger potential problem to the consumer is the possibility of an em- | |
985 | ployee at the issuer or acquirer selling PANs to crooks. This would be | |
986 | very hard to track down, and could compromise a large part of the card | |
987 | base. I know of no cases where this has happened. | |
988 | ||
989 | ||
990 | Programmers, in particular, are very dangerous because they know where | |
991 | the data is, how to get it, and what to do with it. In most shops, de- | |
992 | velopment is done on completely separate facilities from the production | |
993 | system. Certification and installation are done by non-developers, and | |
994 | developers are not allowed any access to the production facilities. | |
995 | Operations and maintenance staff are monitored very carefully as well, | |
996 | since they typically have access to the entire system as part of their | |
997 | jobs. | |
998 | ||
999 | ||
1000 | Another type of fraud that is possible here is diversion of materials, | |
1001 | such as printed, but not embossed or encoded, card blanks. Such mate- | |
1002 | rials are typically controlled using processes similar to those used at | |
1003 | U.S. mints. Since most of the cards issued in the United States are | |
1004 | actually manufactured by only a handful of companies, it's not too hard | |
1005 | to keep things under control. | |
1006 | ||
1007 | ||
1008 | There are many types of fraud that can be perpetrated by tapping data | |
1009 | communication lines, and using protocol analyzers or computers to in- | |
1010 | tercept or introduce data. These types of fraud are not widespread, | |
1011 | mainly because of the need for physical access and because sophisti- | |
1012 | cated computer techniques are required. There are message authentica- | |
1013 | tion, encryption, and key management techniques that are available to | |
1014 | combat this type of fraud, but currently these techniques are far more | |
1015 | costly than the minimal fraud they could prevent. About the only such | |
1016 | security technique that is in widespread use is encryption of PINs. | |
1017 | ||
1018 | ||
1019 | The next episode will be devoted to debit cards, and the final episode | |
1020 | will talk about the networks that make all this magic happen. | |
1021 | ||
1022 | ||
1023 | ||
1024 | ||
1025 | EVOLUTION OF DEBIT CARDS | |
1026 | --------- -- ----- ----- | |
1027 | ||
1028 | ||
1029 | The debit card originated as a method for bank customers to have access | |
1030 | to their funds through Automatic Teller Machines (ATMs). This was seen | |
1031 | as a way for banks to automate their branches and save money, as well | |
1032 | as a benefit for customers. A secondary intent was for the card to be | |
1033 | used as a method of identification when dealing with a human teller. | |
1034 | Although that idea never really caught on, it has seen renewed interest | |
1035 | from time to time. | |
1036 | ||
1037 | ||
1038 | One problem with using cards to access bank accounts is that federal | |
1039 | regulations required a signature be used for each withdrawal transac- | |
1040 | tion. After much debate, the concept of a Personal Identification Num- | |
1041 | ber (PIN) was invented, and federal regulations were modified to allow | |
1042 | PINs for use in place of signatures with bank withdrawals. ATMs also | |
1043 | faced many other regulatory difficulties. In many states, for example, | |
1044 | there are limitations on the number of branches a bank can have. In a | |
1045 | conflict that only a lawyer could conceive of, a ruling was required | |
1046 | about whether an ATM constitutes a bank branch or not. Since such rul- | |
1047 | ings were made on a state-by-state basis, it varies across the country. | |
1048 | This results in some very odd arrangements in some states, because of | |
1049 | requirements placed on bank branches. | |
1050 | ||
1051 | ||
1052 | In early attempts, the card actually carried account information and | |
1053 | balances. The cardholder would bring the card into a branch, and bank | |
1054 | personnel would "load" money onto the card, based on the customer's ac- | |
1055 | tual account balance. The cardholder could then use the card at a | |
1056 | stand-alone machine that would update the information on the card as | |
1057 | money was withdrawn. The information was stored on track 3 of the mag- | |
1058 | netic stripe, as mentioned in an earlier installment. This approach | |
1059 | had many problems. It was far too susceptible to fraud, it could not | |
1060 | reasonably handle multiple accounts, and it could not be used as a ve- | |
1061 | hicle for other services. Since it was pretty much limited to with- | |
1062 | drawals, it didn't even automate much of the bank branch functions. | |
1063 | ||
1064 | ||
1065 | The online ATM offered a solution to the problems of the early ATM | |
1066 | cards. Since the ATM was connected to the bank's host, it was no | |
1067 | longer necessary to maintain account balances on the card itself, which | |
1068 | removed a major source of fraud. Also, access to multiple accounts be- | |
1069 | came possible, as did additional services, such as bill payment. | |
1070 | ||
1071 | ||
1072 | Once banks started buying and installing ATMs, they quickly realized | |
1073 | that it is very expensive to maintain a large number of machines. Yet | |
1074 | customers began demanding more machines, so they could have easier ac- | |
1075 | cess to their funds. Since many banks in an area would have ATMs, the | |
1076 | obvious solution was to somehow cross-connect bank hosts so that cus- | |
1077 | tomers could use ATMs at other banks, for convenience. The lawyers | |
1078 | struck again. Does a shared ATM count as a branch for both banks? Does | |
1079 | a transaction at a shared ATM mean that one bank is doing financial | |
1080 | transactions for another, which is not allowed? If two banks share | |
1081 | ATMs, but refuse to allow a third bank, is that monopolizing or re- | |
1082 | straint of trade? Strange restrictions on shared ATM transactions re- | |
1083 | sulted. | |
1084 | ||
1085 | ||
1086 | Soon interchange standards began to evolve, and ATM networks became a | |
1087 | competitive tool. Regional and national networks started to emerge. | |
1088 | And the lawyers struck again. If a network allows transactions in one | |
1089 | state for a bank in another state, isn't that interstate banking, which | |
1090 | was at the time forbidden? Should an ATM network that dominates a re- | |
1091 | gion become a regulated monopoly? Should an ATM network that gets re- | |
1092 | ally big be considered a public utility? | |
1093 | ||
1094 | ||
1095 | Today, the regional and national networks continue to grow and offer | |
1096 | more services and more interconnections. All of the regulatory issues | |
1097 | have not been resolved, and this is creating a lot of tension for eas- | |
1098 | ing banking restrictions. | |
1099 | ||
1100 | ||
An ATM card is just an ATM card, regardless of how many ATMs it works
in. Most banks long ago saw an opportunity for the ATM card to be used
as a debit card, presumably to replace checks. A tremendous number of
checks are used each year, and it costs banks a lot of money to process
them. Debit card transactions could cost less to process, given an ap-
propriate infrastructure. Some of the costs could potentially be
passed on to the merchants or the consumers, who are notoriously reluc-
tant to directly pay the cost of checks. So far there have been many
trials of using ATM cards as debit cards at the point of sale, but they
have, in general, met with consumer apathy. In some areas, where banks
have aggressively promoted debit, things have gone better. Still, gen-
eral acceptance of debit seems a ways off.


One interesting twist to the debit card story, as mentioned earlier, is
the emergence of third party debit cards. Issuers of these cards have
no real account relationship with the cardholders. Instead, they ob-
tain permission from the cardholders to debit their checking accounts
directly through the Automated Clearing Houses (ACHs), the same way
checks are cleared. (Think of it as direct deposit, in reverse.) Oil
companies first started experimenting with this a couple of years ago,
and it has met with surprising success. Banks dislike this concept,
because it competes directly with their debit cards, but isn't subject
to the same state and federal regulations. The ACHs like this arrange-
ment, because it bolsters their business, which otherwise stands to
lose a lot from general acceptance of debit cards. Merchants generally
like this, especially the large retailers, because it allows them to
get their payment systems out from under the control of the banks.


THE ATM
--- ---


An ATM is an interesting combination of computer, communication, bank-
ing, and security technology all in one box. A typical machine has a
microprocessor, usually along the lines of an 8086, a communications
module (which may have its own microprocessor), a security module
(also with a microprocessor), and special-purpose controllers for the
hardware. The user interface is typically a CRT, a telephone-style
keypad, and some soft function keys. Typically there is a lot of
memory, but no disk. The screens and program are usually downloaded
from the host at initialization, and are stored in battery-backed RAM
indefinitely. The machine typically interacts with the host for every
transaction, but it can operate offline if necessary, as dictated by
the downloaded program. The downloaded program is often in an
industry-standard "states and screens" format that was created by
Diebold, a manufacturer of various banking equipment, including ATMs.


Most machines can use a few IBM protocols (bisync, SNA, and an outmoded
but still used "loop" protocol), Burroughs poll/select, and perhaps
some others, depending on which communications module is in place.
This allows the manufacturer to make a standard machine, and plug in
different communications hardware to suit the customer. The IBM bisync
and SNA protocols are most common, with most networks moving toward
SNA.


The security modules do all encryption for the ATM. They are separate
devices that are physically sealed and cannot be opened or tapped with-
out destroying the data within them. In a truly secure application, no
sensitive data entering or leaving the security module is in cleartext.
Arranging this and maintaining it is more complicated than I can go
into here.
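One concrete piece of what the security module does is public and standard: before a PIN ever leaves the sealed module it is packed, together with part of the card number, into an ISO 9564-1 "format 0" PIN block, and only the encrypted block travels to the host. The code below builds and checks that clear block. It is an added example written for this page, not code from the article; the PIN, the two PANs and the function names are constructed. The encryption step itself is left out on purpose: inside the module the 8-byte block is encrypted under a terminal PIN key (historically DES, today Triple DES or AES), and the host's own hardware security module translates it to the issuer's key without ever exposing the clear block. The point worth seeing in the XOR with the PAN is that the block is bound to one card, so the same PIN on two cards encrypts to two different ciphertexts and a captured block cannot be replayed as the PIN for another account.

```python
# Added example, not code from the original article: building the clear
# ISO 9564-1 "format 0" PIN block that an ATM's security module (the
# encrypting PIN pad) forms before encrypting it under its terminal PIN
# key. PIN, PANs and function names are constructed for illustration.
# Encryption is omitted: inside the sealed module the 8-byte block is
# DES/3DES/AES-encrypted, and the host's hardware security module
# translates it to the issuer's key without ever seeing the clear block.


def _pan_field(pan: str) -> int:
    """Four zero nibbles, then the rightmost twelve PAN digits excluding
    the Luhn check digit, as a 16-nibble integer."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 13:
        raise ValueError("PAN must carry at least 13 digits")
    return int("0000" + digits[-13:-1], 16)


def _pin_field(pin: str) -> int:
    """Nibble 0 = format (0), nibble 1 = PIN length, then the PIN digits,
    then 0xF padding out to 16 nibbles."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4 to 12 decimal digits")
    return int(f"0{len(pin):X}{pin}".ljust(16, "F"), 16)


def format0_pin_block(pin: str, pan: str) -> bytes:
    """Clear PIN block = PIN field XOR PAN field. The PAN mask ties the
    block to one card: the same PIN on two cards gives two different
    blocks, and a captured block cannot be replayed for another PAN."""
    return (_pin_field(pin) ^ _pan_field(pan)).to_bytes(8, "big")


def recover_pin(block: bytes, pan: str) -> str:
    """What the verifying side does after its own HSM has decrypted the
    block: strip the PAN mask, then check format nibble, length and
    padding before trusting the digits."""
    if len(block) != 8:
        raise ValueError("PIN block must be 8 bytes")
    field = f"{int.from_bytes(block, 'big') ^ _pan_field(pan):016X}"
    if field[0] != "0":
        raise ValueError("not a format 0 block")
    length = int(field[1], 16)
    pin, pad = field[2:2 + length], field[2 + length:]
    if not 4 <= length <= 12 or not pin.isdigit() or pad != "F" * len(pad):
        raise ValueError("malformed block: wrong PAN or corrupted data")
    return pin


def pin_block_is_valid(block: bytes, pan: str) -> bool:
    """True when the block unmasks to a well-formed format 0 PIN."""
    try:
        recover_pin(block, pan)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    pan_a, pan_b = "4000001234567899", "4000009876543219"   # constructed
    block = format0_pin_block("1234", pan_a)
    print(block.hex().upper())                # 041234FEDCBA9876
    print(recover_pin(block, pan_a))          # 1234
    print(pin_block_is_valid(block, pan_b))   # False: block is bound to pan_a
```

A practitioner's check on a real deployment is the converse of this code: the PIN pad that forms the block must be inside the sealed module, since a keypad wired to the main processor hands the PIN over in the clear before any of this happens.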
1166 | ||
1167 | ||
Most ATMs contain two bill dispensers, a "divert" bin for bills, a
"capture" bin for cards, a card reader, receipt printer, journal
printer, and envelope receptacle. Some ATMs have more than two bill
dispensers, and can even dispense coins.


When an ATM is dispensing money, it counts the appropriate bills out of
the bill dispensers, and uses a couple of mechanical and optical checks
to make sure it counted correctly. If the checks fail, it shunts the
bills into the divert bin and tries again. Typically, this is because
two bills were stuck together. I've seen ATMs have sensor faults, and
divert the total contents of both bill dispensers the first time a user
asks for a withdrawal. "Gee, all I did was ask for $50, and this ma-
chine made all kinds of funny whirring noises and shut down." Most
banks will put twenty-dollar bills in one of the dispensers and five-
dollar bills in the other. Some use tens and fives, or tens and twen-
ties. Depending on the denominations of the bills, the size of the
dispensers, and the policy of the bank, an ATM can hold tens of thou-
sands of dollars.


The journal printer keeps a running log of every use of the machine,
and exactly what the machine is doing, for audit purposes. You can
often hear it printing as soon as you put your card in or after your
transaction is complete.


When you put an envelope into an ATM, the transaction information is
usually printed directly on the envelope, so that verifying the deposit
is easier. Bank policies typically require that any deposit envelope
be opened and verified by two people. In this respect, you're actually
safer depositing cash at an ATM than giving it to a human teller.


A card will be diverted to the capture bin if it is on the "hot card"
list, if the user fails to enter the correct PIN within the allowed
number of attempts, or if the user walks away and forgets to take the
card.


On some machines, the divert bin, capture bin, envelope receptacle, and
bill dispenser bins are all separately locked containers, so that re-
stocking can be done by courier services who simply swap bins and re-
turn the whole thing to a central site.


The entire ATM is typically housed in a hardened steel case with alarm
circuitry built in. These suckers have been known to survive dynamite
explosions. The housing typically has a combination lock on the door,
and no single person knows the entire combination. The machine can
thus be opened for restocking, maintenance, or repair, only if at least
two people are present.


DEBIT CARD PROCESSING
----- ---- ----------


Debit card processing is fairly similar to credit and charge card pro-
cessing, with a few exceptions. First, in the case of ATMs, the ac-
cepter and acquirer are usually the same. For debit card use at the
point of sale, the usual acquirer-accepter relationship holds. In gen-
eral, acquirers may do front-end screening on debit cards, but all ap-
provals are generated by the issuer - the floor limit is zero. This
makes it possible to eliminate a separate settlement process for debit
card transactions, but places additional security and reliability con-
straints on the "authorization". Often a separate settlement is done
anyway.


One problem that has caused difficulties for POS use of debit cards is
the use of PINs. Many merchants and cardholders would rather use sig-
nature for identity verification. But most debit systems grew out of
ATM systems, and require PINs. This is an ironic reversal of the early
ATM card days, when people were trying to avoid requiring signature.
Other than the PIN, the information required for a debit transaction is
the same as that required for a credit transaction.
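The two debit paragraphs above describe a decision the acquirer's front end makes on every request: screen it, and then either answer locally or forward it to the issuer. The example below spells that decision out, with the one rule that separates debit from credit (a floor limit of zero, so the acquirer itself never produces an approval) and the requirement that a debit request carry a PIN block. It is an added example written for this page, not code from the article; the hot list, the floor limit, the dates and the PANs are constructed, and the screening steps (check digit, hot list, expiry) are the usual ones rather than any particular acquirer's rule set.

```python
# Added example, not code from the original article: an acquirer's
# front-end screening of authorization requests. Credit traffic under
# the merchant's floor limit may be approved locally; debit carries a
# floor limit of zero, so whatever survives screening is forwarded and
# the acquirer never produces an approval itself. Hot list, floor
# limit, dates and requests are constructed for the example.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class AuthRequest:
    pan: str                      # account number from the card's track data
    expiry_yymm: str              # "YYMM" as encoded on the card
    amount_cents: int
    card_kind: str                # "credit" or "debit"
    pin_block: Optional[bytes] = None   # encrypted PIN block, debit only


def luhn_ok(pan: str) -> bool:
    """Mod-10 check digit on bank card numbers. It catches keying and
    read errors, not fraud, which is why it is only the first screen."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                  # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def expired(expiry_yymm: str, today_yymm: str) -> bool:
    """A card is good through the end of its expiry month."""
    return expiry_yymm < today_yymm


def front_end_decision(req: AuthRequest, hot_list: set, today_yymm: str,
                       credit_floor_cents: int) -> Tuple[str, str]:
    """Return (decision, reason) with decision one of "decline",
    "approve_local" or "forward_to_issuer". Debit never approves locally."""
    if not luhn_ok(req.pan):
        return ("decline", "bad PAN check digit")
    if req.pan in hot_list:
        return ("decline", "hot card")
    if expired(req.expiry_yymm, today_yymm):
        return ("decline", "expired")
    if req.card_kind == "debit":
        if req.pin_block is None:
            return ("decline", "PIN required for debit")
        # Floor limit is zero: the issuer alone says yes or no.
        return ("forward_to_issuer", "debit: floor limit zero")
    if req.card_kind == "credit":
        if req.amount_cents <= credit_floor_cents:
            return ("approve_local", "under floor limit")
        return ("forward_to_issuer", "over floor limit")
    return ("decline", "unknown card kind")


if __name__ == "__main__":
    hot = {"4000009876543219"}                       # constructed hot list
    today, floor = "2601", 5000                      # Jan 2026, $50.00 floor
    for r in (AuthRequest("4000001234567899", "2712", 2500, "debit", b"\0" * 8),
              AuthRequest("4000001234567899", "2712", 2500, "credit"),
              AuthRequest("4000009876543219", "2712", 2500, "debit", b"\0" * 8)):
        print(r.card_kind, r.amount_cents, front_end_decision(r, hot, today, floor))
```

Note what the zero floor limit buys and costs: the acquirer can settle debit straight off the issuer's online answer, because no transaction was ever approved on the acquirer's say-so, but that is exactly why the authorization link has to be available and trustworthy for every single debit request.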
1244 | ||
1245 | ||
One last installment on the networks that tie this all together, and
the Credit Card 101 course will be complete. There will be no final
exam - you will be graded entirely on classroom participation. Most of
you are failing miserably...


ACCESS NETWORKS
------ --------


For most credit card applications, the cost of the access network is
the single biggest factor in overall costs, often accounting for over
half of the total. For that reason, there are many different solu-
tions, depending on the provider, the application, and geographical
constraints.


The simplest form of access network uses 800 service, in one of its
many forms. Terminals at merchant locations across the country dial an
800 number that is terminated on a large hunt group of modems, con-
nected directly to the acquirer's front-end processor (FEP). The FEP
is typically a fault-tolerant machine, since an outage here will take
out the entire service. A large acquirer will typically have two or
more centers for terminating the 800 service. This allows better
economy, due to the nature of 800 service tariffs, and allows for
disaster recovery in case of a failure of one data center. An advantage
of 800 service is that it is quite easy to cover the entire country
with it. It also provides the most effective utilization of your FEP
resources. (A little queuing theory will show you why.) However, 800
service is quite expensive. It always requires 10 (or 11) digits di-
aled, and in areas with pulse dialing it can take almost three seconds
just to dial 1-800. The delay between dialing and connection is longer
for 800 calls than many other calls, because of the way the calls get
routed. All of this adds to the perce