- amnesia@amnesia:~/Tor Browser$ cat carding-the-ultimate-guide.txt
- Dumps Carding Tutorial Ultimate Guide
- Dumps Carding Tutorial Ultimate Guide did not write this
- DEFINITIONS
- -----------
- First some terms, along with the meanings they have in the industry:
- Cardholder - an individual to whom a credit card is issued. Typically,
- this individual is also responsible for payment of all charges made
- to that card. Corporate cards are an exception to this rule.
- Card Issuer - an institution that issues credit cards to cardholders.
- This institution is also responsible for billing the cardholder for
- charges. Often abbreviated to "Issuer".
- Card Accepter - an individual, organization, or corporation that
- accepts credit cards as payment for merchandise or services. Often
- abbreviated "Accepter" or "merchant".
- Acquirer - an organization that collects (acquires) credit
- authorization requests from Card Accepters and provides guarantees
- of payment. Normally, this will be by agreement with the Issuer of
- the card in question.
- Many issuers are also acquirers. Some issuers allow other acquirers to
- provide authorizations for them, under pre-agreed conditions. Other
- issuers provide all their own authorizations.
- TYPES OF CARDS
- ----- -- -----
- The industry typically divides up cards by the business of the issuer.
- So there are bank cards (VISA, Master Card, Discover), Petroleum Cards
- (SUN Oil, Exxon, etc.), and Travel and Entertainment (T&E) cards
- (American Express, Diners' Club, Carte Blanche). Other cards are
- typically lumped together as "Private Label" cards. That would include
- department store cards, telephone cards, and the like. Most private
- label cards are only accepted by the issuer. People are starting to
- divide the telephone cards into a separate class, but it hasn't re-
- ceived widespread acceptance. (This is just a matter of terminology,
- and doesn't affect anything important.)
- Cards are also divided by how they are billed. Thus there are credit
- cards (VISA, MC, Discover, most department store cards), charge cards
- (American Express, AT&T, many petroleum cards) and debit cards. Credit
- cards invoke a loan of money by the issuer to the cardholder under
- pre-arranged terms and conditions. Charge cards are simply a payment
- convenience, and their total balance is due when billed. When a debit
- card is used, the amount is taken directly from the cardholder's ac-
- count with the issuer. Terminology is loose - often people use "credit
- card" to encompass credit cards and charge cards.
- A recent phenomenon is third-party debit cards. These cards are issued
- by an organization with which the cardholder has no account relation-
- ship. Instead, the cardholder provides the card issuer with the infor-
- mation necessary to debit the cardholder's checking account directly
- through an Automated Clearing House (ACH), the same way a check would
- be cleared. This is sort of like direct deposit of paychecks, in re-
- verse. ACHs love third-party debit cards. Banks hate them.
- Another recent addition is affinity cards. These cards are valid
- credit cards from their issuer, but carry the logo of a third party,
- and the third party benefits from their use. There is an incredible
- variety of affinity cards, ranging from airlines to colleges to profes-
- sional sports teams.
- HOW THEY MAKE MONEY
- --- ---- ---- -----
- Issuers of credit cards make money from cardholder fees and from inter-
- est paid on outstanding balances. Not all issuers charge fees. Even
- those that do, make most of their money on the interest. They really
- LIKE people who pay the minimum each month.
- Issuers of charge cards make money from cardholder fees. Some charge
- cards actually run at a loss for the company, particularly those that
- are free. The primary purpose of such cards is to stimulate business.
- Issuers of debit cards may make money on transaction fees. Not all
- debit card transactions have fees. Most debit cards exist to stimulate
- business for the bank and to offload tellers and back-room departments.
- To date, third-party debit cards exist solely to stimulate business.
- Providers of such cards make no direct money from their use.
- Acquirers make money from transaction charges and discount fees. Unlike
- the charges and fees mentioned above, these fees are paid by the ac-
- cepter, not (directly) by the cardholder. (Technically, it is not le-
- gal for the merchants to pass these charges directly to the consumer.
- Some petroleum stations have gotten away with giving a discount for
- cash, and it has survived court challenges so far.) Transaction charges
- are typically in pennies per transaction, and are sensitive to the type
- of communication used for the authorization. Discount fees are a per-
- centage of the purchase price and are sensitive to volume and compli-
- ance to rules. One way to encourage merchants to follow certain
- procedures or to upgrade to new equipment is to offer a lower discount
- fee.
- Until fairly recently, the only motivation for accepters was to expand
- their business by accepting cards. Reduction of fraud was enough rea-
- son for many merchants to pay authorization fees, but in many cases, it
- isn't worth the cost. (That is, it is cheaper to pay the fraud than to
- prevent it.) Recently, electronic settlement has provided merchants
- with an added benefit by reducing float on charged purchases. Merchants
- can now get their accounts credited much faster than before, which
- helps cash flow.
- Companies that issue charge cards are real keen on float reduction. The
- sooner they can bill you, the sooner they get their money. Credit card
- companies are also interested in float reduction, since the sooner they
- bill, the sooner they can start charging interest. Debit cards
- typically involve little or no float.
- Affinity cards usually pay a percentage of purchases to the affinity
- organization. Although it may seem obvious to take this money from the
- discount fee, this doesn't work since the issuer is not always the
- acquirer. The money for this usually comes from the interest paid on
- outstanding balances. Essentially, the bank is giving a share of its
- profits to an organization in return for the organization promoting use
- of its credit card. The affinity organization is free to use its cut
- any way it wishes. An airline will typically put it into the frequent
- flyer program (and credit miles to your account). A college may put
- the money into the general fund or into a scholarship fund. Lord only
- knows what a sports team does with the money!
- THE PLAYERS AND THEIR ROLES
- --- ------- --- ----- -----
- American Express (AMEX) is a charge card issuer and acquirer. (Their
- other businesses are not important to this discussion.) All AMEX pur-
- chases are authorized by AMEX. They make most of their money from the
- discount fees, which is why they have the highest discount fee in the
- industry. That's one reason why AMEX isn't accepted in as many places
- as VISA and MC, and a reason why many merchants will prefer another
- card to an AMEX card. The control AMEX has over authorization allows
- them to provide what they consider to be better cardholder
- ("cardmember" to them) services.
- VISA is a non-profit corporation (SURPRISE!) that is best described as
- a purchasing and marketing coalition of its member banks. VISA issues
- no credit cards itself - all VISA cards are issued by member banks.
- VISA does not set terms and conditions for its member banks - the banks
- can do pretty much as they please in signing cardholders. All VISA
- charges are ultimately approved by the card issuer, regardless of where
- the purchase was made. Many smaller banks share their account
- databases with larger banks, third parties, or VISA itself, so that the
- bank doesn't have to provide authorization facilities itself.
- Master Card (MC) is very much like VISA. There are some differences
- that are important to those in the industry, but from the consumer's
- standpoint they operate pretty much the same.
- Discover cards are issued by a bank owned by Sears. All Discover pur-
- chases are authorized by Sears.
- Most petroleum cards, if they are even authorized, are authorized by
- the petroleum company itself. There are exceptions. Fraud on petro-
- leum cards is so low that the main reason for authorization is to
- achieve the float reduction of electronic settlement.
- THE BUSINESS RELATIONSHIPS
- --- -------- -------------
- Card accepters generally sign up with a local acquirer for
- authorization and settlement of all credit cards. This acquirer may or may not
- be a card issuer, but certainly will not have issued all the cards that
- the merchant can accept. The accepter does not generally call one
- place for VISA and a different place for MC, for example. At one time,
- this was necessary, but more and more acquirers are connected to all
- networks and are offering a broader range of services.
- Acquirers generally are connected to many issuers, and pay transaction
- charges and discount fees to those issuers for authorizations. Thus,
- the acquirer is actually making money on the difference between fees
- paid and fees billed. Most acquirers gather together transactions from
- many accepters, allowing them to get volume discounts on fees. Since
- the accepters individually have lower volume and are not eligible for
- those discounts, there is a markup that the acquirer can get away with.
- Acquirers also, of course, provide the convenience of a single contact.
- Most large banks are issuers and acquirers. Things get real interest-
- ing when it's time to settle up. Some small banks are only issuers.
- There are third parties that are only acquirers.
- In future episodes, I'll explain how standards help all this chaos work
- together, and give details about how the authorization process happens.
- Joe Ziegler
- att!lznv!ziegler
- This is part two in a planned six-part series about the credit card in-
- dustry. It would be best if you read part one before reading this
- part. Enjoy.
- DEFINITIONS
- -----------
- Some more new terms that are used in this posting.
- ABA - American Bankers Association
- ACH - Automated Clearing House - an organization that mechanically and
- electronically processes checks.
- ANSI - American National Standards Institute
- Embossing - creating raised letters and numbers on the face of the
- card.
- Encoding - recording data on the magnetic stripe on the back of the
- card.
- Imprinting - using the embossed information to make an impression on a
- charge slip.
- Interchange - sending authorization requests from one host (the
- acquirer) to another (the issuer) for approval.
- ISO - International Standards Organization
- NACHA - National Automated Clearing House Association
- PAN - Personal Account Number. The account number associated with a
- credit, debit or charge card. This is usually the same as the
- number on the card.
- PIN - Personal Identification Number. A number associated with the
- card, that is supposedly known only to the cardholder and the card
- issuer. This number is used for verification of cardholder
- identity.
- THE ORGANIZATIONS
- --- -------------
- ISO sets standards for plastic cards and for data interchange, among
- other things. ISO standards generally allow for national expansion.
- Typically, a national standards organization, like ANSI, will take an
- ISO standard and develop a national standard from it. National stan-
- dards are generally subsets of the ISO standard, with extensions as al-
- lowed in the original ISO standard. Many credit card standards
- originated in the United States, and were generalized and adopted by
- ISO later.
- The ANSI committees that deal with credit card standards are sponsored
- by the ABA. Most members of these committees work for banks and other
- financial institutions, or for vendors who supply banks and financial
- institutions. Working committees report to governing committees.
- All standards go through a formal comment and review procedure before
- they are officially adopted.
- PHYSICAL STANDARDS
- -------- ---------
- ANSI X4.13, "American National Standard for Financial Services -
- Financial Transaction Cards" defines the size, shape, and other
- physical characteristics of credit cards. Most of it is of interest
- only to mechanical engineers. It defines the location and size of the
- magnetic stripe, signature panel, and embossing area. This standard
- also includes the Luhn formula used to generate the check digit for the
- PAN, and gives the first cut at identifying card type from the account
- number. (This part was expanded later in other standards.) Also, this
- standard identifies the character sets that can be used for embossing a
- card.
- Three character sets are allowed - OCR-A as defined in ANSI X3.17,
- OCR-B as defined in ANSI X3.49, and Farrington 7B, which is defined in
- the appendix of ANSI X4.13 itself. Almost all the cards I have use
- Farrington 7B, but Sears uses OCR-A. (Sears also uses the optional,
- smaller card size, as allowed in the standard.) These character sets
- are intended to be used with optical character readers (hence the OCR),
- and large issuers have some pretty impressive equipment to read those
- slips.
- ENCODING STANDARDS
- -------- ---------
- ANSI X4.16, "American National Standard for Financial Services - Finan-
- cial Transaction Cards - Magnetic Stripe Encoding" defines the
- physical, chemical, and magnetic characteristics of the magnetic stripe
- on the card. The standard defines a minimum and maximum size for the
- stripe, and the location of the three defined encoding tracks. (Some
- cards have a fourth, proprietary track.)
- Track 1 is encoded at 210 bits per inch, and uses a 6-bit coding of a
- 64-element character set of numerics, alphabet (one case only), and
- some special characters. Track 1 can hold up to 79 characters, six of
- which are reserved control characters. Included in these six charac-
- ters is a Longitudinal Redundancy Check (LRC) character, so that a card
- reader can detect most read failures. Data encoded on track 1 include
- PAN, country code, full name, expiration date, and "discretionary
- data". Discretionary data is anything the issuer wants it to be.
- Track 1 was originally intended for use by airlines, but many Automatic
- Teller Machines (ATMs) are now using it to personalize prompts with
- your name and your language of choice. Some credit authorization ap-
- plications are starting to use track 1 as well.
- Track 2 is encoded at 75 bits per inch, and uses a 4-bit coding of the
- ten digits. Three of the remaining characters are reserved as
- delimiters, two are reserved for device control, and one is left unde-
- fined. In practice, the device control characters are never used, ei-
- ther. Track 2 can hold up to 40 characters, including an LRC. Data
- encoded on track 2 include PAN, country code (optional), expiration
- date, and discretionary data. In practice, the country code is hardly
- ever used by United States issuers. Later revisions of this standard
- added a qualification code that defines the type of the card (debit,
- credit, etc.) and limitations on its use. AMEX includes an issue date
- in the discretionary data. Track 2 was originally intended for credit
- authorization applications. Nowadays, most ATMs use track 2 as well.
- Thus, many ATM cards have a "PIN offset" encoded in the discretionary
- data. The PIN offset is usually derived by running the PIN through an
- encryption algorithm (maybe DES, maybe proprietary) with a secret key.
- This allows ATMs to verify your PIN when the host is offline, generally
- allowing restricted account access.
- Track 3 uses the same density and coding scheme as track 1. The con-
- tents of track 3 are defined in ANSI X9.1, "American National Standard
- - Magnetic Stripe Data Content for Track 3". There is a slight contra-
- diction in this standard, in that it allows up to 107 characters to be
- encoded on track 3, while X4.16 only gives enough physical room for 105
- characters. Actually, there is over a quarter of an inch on each end
- of the card unused, so there really is room for the data. In practice,
- nobody ever uses that many characters, anyway. The original intent was
- for track 3 to be a read/write track (tracks 1 and 2 are intended to be
- read-only) for use by ATMs. It contains information needed to maintain
- account balances on the card itself. As far as I know, nobody is actu-
- ally using track 3 for this purpose anymore, because it is very easy to
- defraud.
- COMMUNICATION STANDARDS
- ------------- ---------
- Formats for interchange of messages between hosts (acquirer to issuer)
- are defined by ANSI X9.2, which I helped define. Financial message
- authentication is described by ANSI X9.9. PIN management and security are
- described by ANSI X9.8. There is a committee working on formats of
- messages from accepter to acquirer. ISO has re-convened the interna-
- tional committee on host message interchange (TC68/SC5/WG1), and ANSI
- may need to re-convene the X9.2 committee after the ISO committee fin-
- ishes. These standards are still evolving, and are less specific than
- the older standards mentioned above. This makes them somewhat less
- useful, but is a natural result of the dramatic progress in the indus-
- try.
- ISO maintains a registry of card numbers and the issuers to which they
- are assigned. Given a card that follows standards (Not all of them
- do.) and the register, you can tell who issued the card based on the
- first six digits (in most cases). This identifies not just VISA,
- MasterCard, etc., but also which member bank actually issued the card.
- DE FACTO INDUSTRY STANDARDS
- -- ----- -------- ---------
- Most ATMs use IBM synchronous protocols, and many networks are migrat-
- ing toward SNA. There are exceptions, of course. Message formats used
- for ATMs vary with the manufacturer, but a message set originally de-
- fined by Diebold is fairly widely accepted.
- Many large department stores and supermarkets (those that take cards)
- run their credit authorization through their cash register controllers,
- which communicate using synchronous IBM protocols.
- Standalone Point-of-Sale (POS) devices, such as you would find at most
- smaller stores (i.e. not at department stores), restaurants and hotels
- use a dial-up asynchronous protocol devised by VISA. There are two
- generations of this protocol, with the second generation just beginning
- to get widespread acceptance.
- Many petroleum applications use multipoint private lines and a polled
- asynchronous protocol known as TINET. This protocol was developed by
- Texas Instruments for a terminal of the same name, the Texas Instru-
- ments Network E(something) Terminal. The private lines reduce response
- time, but cost a lot more money than dial-up.
- NACHA establishes standards for message interchange between ACHs, and
- between ACHs and banks, for clearing checks. This is important to this
- discussion due to the emergence of third-party debit cards, as dis-
- cussed in part 1 of this series. The issuers of third-party debit
- cards are connecting to ACHs, using the standard messages, and clearing
- POS purchases as though they were checks. This puts the third parties
- at an advantage over the banks, because they can achieve the same re-
- sults as a bank debit card without the federal and state legal restric-
- tions imposed on banks.
- In the next installment, I'll describe how an authorization happens, as
- well as how the settlement process gets the bill to you and your money
- to the merchant. After that I'll describe various methods of fraud,
- and how issuers, acquirers, and accepters protect themselves. Stay
- tuned.
- Joe Ziegler
- att!lznv!ziegler
- Here's part 3 in my six-part series on the credit card industry. This
- part discusses how authorization and settlement work. This is a long
- one. It will help if you have read parts 1 and 2, since I had to leave
- out a lot of overlap to keep this from getting ridiculous. Enjoy.
- THE ACCEPTER
- --- --------
- An important fact to note is that a card accepter does not have to get
- approval for any purchases using credit or charge cards. Of course, a
- merchant is usually interested in actually getting money, and so must
- participate in some form of settlement process (see below). Usually,
- the most acceptable (to a merchant) forms of settlement are tied (by
- the acquirer) to authorization processes. However, a merchant could
- simply accept all cards without any validation, and eat any fraud that
- results.
- A merchant typically makes a business arrangement with a local bank or
- some other acquirer for authorization and settlement services. The
- acquirer assigns a merchant identifier to that merchant, which will
- uniquely identify the location of the transaction. (This facilitates
- compliance with federal regulations requiring that credit card bills
- identify where each purchase was made.) The acquirer also establishes
- procedures for the merchant to follow. The procedures will vary by
- type of the merchant business, geographic location, volume of transac-
- tions, and types of cards accepted.
- If the merchant follows the procedures given by the acquirer and a
- transaction is approved, the merchant is guaranteed payment whether the
- card in question is good or bad. The purpose of authorization is to
- shift financial liability from the accepter to the acquirer.
- There are two basic tools used - bulletins and online checks. Bulletins
- may be hardcopy, or may be downloaded into a local controller of some
- form. Online checks could be done via a voice call, a standalone ter-
- minal, or software and/or hardware integrated into the cash register.
- A low-volume, high-ticket application (a jewelry store) would probably
- do all its authorizations with voice calls, or may have a stand-alone
- terminal. A high-volume, low-ticket application (a fast-food chain)
- will probably do most of its authorizations locally against a bulletin
- downloaded into the cash register controller. Applications in between
- typically merge the two - things below a certain amount (the "floor
- limit") are locally authorized after a lookup in the bulletin, while
- things over the floor limit are authorized online.
- Usually a lot of effort is taken to use the least expensive tools that
- are required by the expected risk of fraud. Typically, communication
- costs for authorizations make up the biggest single item in the overall
- cost of providing credit cards.
- Large accepters are always a special case. Airlines are usually di-
- rectly connected, host-to-host, to issuers and/or acquirers, and autho-
- rize everything online. Likewise for many petroleum companies and
- large department stores. Some large chains use different approaches at
- different locations, either as a result of franchising oddities or due
- to volume differences between locations. A lot of experimentation is
- still going on as well - this is not a mature market.
- For voice authorizations, the merchant ID, PAN, expiration date, and
- purchase amount are required for an approval. Some applications also
- require the name on the card, but this is not strictly necessary. For
- data authorizations, the merchant ID, PAN, PIN (if collected), expira-
- tion date, and purchase amount are required. Typically, the "discre-
- tionary data" from track 2 is sent as well, but this is not strictly
- necessary. In applications that do not transmit the PIN with the au-
- thorization, it is the responsibility of the merchant to verify iden-
- tity. Usually, this should be done by checking the signature on the
- card against the signature on the form. Merchants don't often follow
- this procedure, and they take a risk in not doing so.
- In most applications, the amount of the purchase is known at the time
- of the authorization request. For hotels, car rentals, and some petro-
- leum applications, an estimated amount is used for the authorization.
- After the transaction is complete (e.g. after the gas is pumped or at
- check-out time), another transaction may be sent to advise of the ac-
- tual amount of the transaction. More on this later.
- THE ACQUIRER
- --- --------
- The acquirer gathers authorization requests from accepters and returns
- approvals. If the acquirer is an issuer as well, "on us" transactions
- will typically be turned around locally. As before, the acquirer does
- not have to forward any requests on to the actual issuer. However,
- acquirers are not willing to take the financial risks associated with
- generating local approvals. Thus most transactions are sent on to the
- issuers (interchanged). The purpose of interchange is to shift finan-
- cial liability from the acquirer to the issuer.
- Typically, an acquirer connects to many issuers, and negotiates differ-
- ent business arrangements with each one of them. But the acquirer gen-
- erally provides a uniform interface to the accepter. Thus, the
- interchange rules are sometimes less stringent than those imposed on
- the accepter. Also, most issuers will trust acquirers with responsibilities
- they would never trust to accepters. The acquirer can
- therefore perform some front-end screening on the transactions, and
- turn some of them around locally without going back to the issuer.
- The first screening by the acquirer would be a "sanity" test, for valid
- merchant ID, valid Luhn check on PAN, expiration date not past, amount
- field within reason for type of merchant, etc. After that, a floor
- limit check will be done. Issuers generally give acquirers higher
- floor limits than acquirers give accepters, and floor limits may vary
- by type of merchant. Next, a "negative file" check would be done
- against a file of known bad cards. (This is essentially the same as
- the bulletin.) Then a "velocity file" check may be done. A velocity
- file keeps track of card usage, and limits are often imposed on both
- number of uses and total amount charged within a given time period.
- Sometimes multiple time periods are used, and it can get fairly compli-
- cated.
- Transactions that pass all the checks, and are within the authority
- vested in the acquirer by the issuer, are approved by the acquirer.
- (Note that, under the business arrangement, financial liability still
- resides with the issuer.) An "advice" transaction is sometimes sent to
- the issuer (perhaps at a later time), to tell the issuer that the
- transaction took place.
- Transactions that "fail" one or more checks are denied by the acquirer
- (if the cause was due to form, such as bad PAN) or sent to the issuer
- for further checking. (Note that "failure" here can mean that it's be-
- yond the acquirer's authority, not necessarily that the card is bad.)
- Some systems nowadays will periodically take transactions that would
- otherwise be approved locally, and send them to the issuer anyway. This
- serves as a check on the screening software and as a countermeasure
- against fraudulent users who know the limits.
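The acquirer's front-end screening described above (sanity test, floor limit, negative file, velocity file, periodic forwarding), as an added Python example that is not part of the original posting. All class and field names, the limits, and the rule that every failed sanity test is a form failure are assumptions; the PANs are widely published test numbers.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta

APPROVE_LOCAL, REFER_TO_ISSUER, DENY = "approve-local", "refer-to-issuer", "deny"

def luhn_ok(pan: str) -> bool:
    """Luhn check: double every second digit from the right, sum, test mod 10."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:   # length range is an assumption
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                    # every second digit, counted from the check digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

@dataclass
class Merchant:
    floor_limit: int   # cents; above this the acquirer has no authority to approve
    max_amount: int    # cents; "within reason" ceiling for this type of merchant

@dataclass
class AuthRequest:
    merchant_id: str
    pan: str
    expiry: date       # last day the card is valid
    amount: int        # cents
    when: datetime

@dataclass
class Acquirer:
    merchants: dict                      # merchant_id -> Merchant
    negative_file: set                   # PANs of known bad cards (the bulletin)
    max_uses: int = 3                    # velocity: uses allowed per window
    max_total: int = 10_000              # velocity: cents allowed per window
    window: timedelta = timedelta(hours=24)
    audit_every: int = 0                 # forward every Nth local approval (0 = off)
    _velocity: dict = field(default_factory=dict, init=False)
    _approved: int = field(default=0, init=False)

    def screen(self, req: AuthRequest):
        """Return (decision, reason) for one authorization request."""
        m = self.merchants.get(req.merchant_id)
        # 1. Sanity test. Assumption: every failure here is a form failure -> deny.
        if m is None:
            return DENY, "unknown merchant"
        if not luhn_ok(req.pan):
            return DENY, "bad PAN"
        if req.expiry < req.when.date():
            return DENY, "card expired"
        if not 0 < req.amount <= m.max_amount:
            return DENY, "amount out of range"
        # Record the use in the velocity file, dropping entries outside the window.
        recent = [(t, a) for t, a in self._velocity.get(req.pan, [])
                  if req.when - t <= self.window]
        recent.append((req.when, req.amount))
        self._velocity[req.pan] = recent
        # 2. Floor limit: beyond the acquirer's authority, not necessarily a bad card.
        if req.amount > m.floor_limit:
            return REFER_TO_ISSUER, "over floor limit"
        # 3. Negative file of known bad cards.
        if req.pan in self.negative_file:
            return REFER_TO_ISSUER, "negative file hit"
        # 4. Velocity file: number of uses and total amount within the window.
        if len(recent) > self.max_uses or sum(a for _, a in recent) > self.max_total:
            return REFER_TO_ISSUER, "velocity limit"
        # Periodically forward a transaction that would have been approved locally.
        self._approved += 1
        if self.audit_every and self._approved % self.audit_every == 0:
            return REFER_TO_ISSUER, "audit sample"
        return APPROVE_LOCAL, "within acquirer authority"

def demo():
    """Run constructed requests through the screen and return the decisions."""
    acq = Acquirer({"M-0001": Merchant(floor_limit=5_000, max_amount=100_000)},
                   negative_file={"5500000000000004"})
    t0, exp, good = datetime(2024, 5, 1, 12, 0), date(2025, 12, 31), "4111111111111111"
    reqs = [
        AuthRequest("M-0001", good, exp, 2_000, t0),
        AuthRequest("M-0001", "4111111111111112", exp, 2_000, t0),   # fails Luhn
        AuthRequest("M-0001", good, exp, 7_500, t0 + timedelta(hours=1)),
        AuthRequest("M-0001", good, exp, 1_000, t0 + timedelta(hours=2)),
        AuthRequest("M-0001", "5500000000000004", exp, 1_000, t0),
        AuthRequest("M-0001", good, exp, 1_000, t0 + timedelta(hours=30)),
        AuthRequest("M-9999", good, exp, 1_000, t0),
        AuthRequest("M-0001", good, date(2024, 4, 30), 1_000, t0),
    ]
    return [acq.screen(r) for r in reqs]

if __name__ == "__main__":
    for decision, reason in demo():
        print(f"{decision:16} {reason}")
```

The fourth request is under the floor limit but is still referred, because the three uses inside the 24-hour window total more than the velocity ceiling; the same card is approved locally again once those uses age out.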
- Transactions that go to the issuer are routed according to the first
- six digits of the PAN, according to the ISO registry mentioned in an
- earlier section. Actually, it's a bit more complicated than that,
- since there can be multiple layers of acquirers, and some issuers or
- acquirers will "stand in" for other issuers when there are hardware or
- communication failures, but the general principle is the same at each
- point.
- THE ISSUER
- --- ------
- An issuer receiving an interchanged transaction will often perform many
- of the same tests on it that the acquirer performs. Some of the tests
- may be eliminated if the acquirer is trusted to do them correctly. This
- is the only point where a velocity file can actually detect all usage
- of a card. This is also the only point where a "positive file" lookup
- against the actual account can be done, since only the issuer has the
- account relationship with the cardholder. If a PIN is used in the
- transaction, only the issuer can provide true PIN verification -
- acquirers may be able to do only "PIN offset" checking, as described in
- a previous section. This is one reason why PINs have not become
- popular on credit and charge cards.
- An account typically has a credit limit associated with it. An ap-
- proved authorization request usually places a "hold" against the credit
- limit. If the sum of outstanding holds plus the actual outstanding
- balance on the account, plus the amount of the current transaction, is
- greater than the credit limit, the transaction is (usually) denied.
- Often in such a case the issuer will send back a "call me" response to
- the merchant. The merchant will then call the issuer's number, and the
- operator may even want to talk to the cardholder. The credit limit
- could be extended on the spot, or artificially high holds (from hotels
- or car rental companies) could be overlooked so that the transaction
- can be approved.
- The difference between the credit limit and the sum of holds and out-
- standing balance is often referred to as the "open to buy" amount. Once
- a hold is placed on an account, it is kept there until the actual
- transaction in question is settled (see below), in which case the
- amount goes from a hold to a billed amount, with no impact on the open
- to buy amount, theoretically. For authorizations of an estimated
- amount, the actual settled amount will be less than or equal to the ap-
- proved amount. (If not, the settlement can be denied, and the merchant
- must initiate a new transaction to get the money.) Theoretically, in
- such a case, the full hold is removed and the actual amount is added to
- the outstanding balance, resulting in a possible increase in the open
- to buy amount.
- In practice, older systems were not capable of matching settlements to
- authorizations, and holds were simply expired based on the time it
- would take most transactions to clear. Newer systems are starting to
- get more sophisticated, and can do a reasonable job of matching autho-
- rizations for actual amounts with the settlements. Some of them still
- don't match estimated amounts well, with varying effects. In some
- cases, the difference between actual and estimated will remain as a
- hold for some period of time. In other cases, both the authorization
- and the settlement will go against the account, reducing the open to
- buy by up to twice the actual amount, until the hold expires. These
- problems are getting better as the software gets more sophisticated.
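The hold and "open to buy" accounting from the paragraphs above, as an added Python example that is not part of the original posting. It compares an issuer that matches a settlement to its authorization with an older one that posts the settlement and lets the hold expire later; the `Account` class, its method names and all amounts are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    credit_limit: int                            # cents
    balance: int = 0                             # billed, outstanding balance
    holds: dict = field(default_factory=dict)    # auth_id -> held amount

    def open_to_buy(self) -> int:
        """Credit limit minus outstanding balance minus outstanding holds."""
        return self.credit_limit - self.balance - sum(self.holds.values())

    def authorize(self, auth_id: str, amount: int) -> str:
        # holds + balance + this amount > limit  <=>  amount > open to buy
        if amount > self.open_to_buy():
            return "call-me"
        self.holds[auth_id] = amount
        return "approved"

    def settle(self, auth_id: str, amount: int, match: bool = True) -> str:
        """Post a settlement. match=False models a system that cannot pair
        the settlement with its authorization and leaves the hold in place."""
        if match:
            held = self.holds.get(auth_id)
            if held is None or amount > held:
                return "denied"       # merchant must initiate a new transaction
            del self.holds[auth_id]   # the full hold is removed...
        self.balance += amount        # ...and the actual amount is billed
        return "settled"

    def expire_holds(self) -> None:
        """Time-based expiry, as older systems did for every hold."""
        self.holds.clear()

def hotel_stay(match: bool):
    """Open-to-buy after each step of an estimated-amount authorization."""
    acct = Account(credit_limit=100_000, balance=20_000)
    trace = [acct.open_to_buy()]
    acct.authorize("H1", 30_000)              # estimate taken at check-in
    trace.append(acct.open_to_buy())
    acct.settle("H1", 22_000, match=match)    # actual amount at check-out
    trace.append(acct.open_to_buy())
    acct.expire_holds()
    trace.append(acct.open_to_buy())
    return trace

if __name__ == "__main__":
    print("matched  :", hotel_stay(True))
    print("unmatched:", hotel_stay(False))
```

In the unmatched run, the estimate and the settled amount both count against the account until the hold expires, which is the double reduction the text describes.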
- Some issuers are also starting to use much more sophisticated usage
- checks as well. They will not only detect number of uses and amount
- over time, but also types of merchandise bought, or other patterns to
- buying behavior. Most of this stuff is new, and is used for fraud pre-
- vention. I expect this to be the biggest effort in authorization soft-
- ware for the next few years.
- American Express does things completely differently. There are no
- credit limits on AMEX cards. Instead, AMEX relies entirely on usage
- patterns, payment history, and financial data about cardmembers to de-
- termine whether or not to automatically approve a transaction. AMEX
- also has a policy that a cardmember will never be denied by a machine.
- Thus, if the computer determines that a transaction is too risky, the
- merchant will receive a "call me" message. The operator will then get
- details of the transaction from the merchant, and may talk to the
- cardmember as well, if cardmember identity is in question or a large
- amount is requested. To verify cardmember identity, the cardmember
- will be asked about personal information from the original application,
- or about recent usage history. The questions are not the same each
- time. If an unusually large amount is requested, the cardmember may be
- asked for additional financial data, particularly anything relating to
- a change in financial status (like a new job or a promotion). People
- who are paranoid about Big Brother and computer databases should not
- use AMEX cards.
- SETTLEMENT
- ----------
- So far, no money has changed hands, only financial liability. The pur-
- pose of settlement is to shift the financial liability back to the
- cardholder, and to shift the cardholder's money to the merchant.
- Theoretically, all authorization information can be simply discarded
- once an approval is received by a merchant. Of course, contested
- charges, chargebacks, merchant credits, and proper processing of holds
- require that the information stay around. Still, it is important to
- realize that an authorization transaction has no direct financial con-
- sequences. It only establishes who is responsible for the financial
- consequences to follow.
- Traditionally, a merchant would take the charge slips to the bank that
- was that merchant's acquirer, and "deposit" them into the merchant ac-
- count. The acquirer would take the slips, sort them by issuer, and
- send them to the issuing banks, receiving credits by wire once they
- arrived and were processed. The issuer would receive the slips,
- microfilm them (to save the transaction information, as required by
- federal and state laws), charge them against the cardholder's accounts, send
- credits by wire to the acquirer, and send out the bill to the
- cardholder. Problem is, this took time. Merchants generally had to
- wait a couple of weeks for the money to be available in their accounts,
- and issuers often suffered from float on the billables of about 45
- days.
- Therefore, nowadays many issuers and acquirers are moving to on-line
- settlement of transactions. This is often called "draft capture" in
- the industry. There are two ways this is done - one based on the host
- and one based on the terminal at the merchant's premises. In the
- host-based case, the terminal generally only keeps counts and totals,
- while the acquirer host keeps all the transaction details. Peri-
- odically, the acquirer host and the terminal communicate, and verify
- that they both agree on the data. In the terminal-based case, the ter-
- minal remembers all the important transaction information, and peri-
- odically calls the acquirer host and replays it all for several
- transactions. In either case, once the settlement is complete the mer-
- chant account is credited. The acquirer then sends the settlement in-
- formation electronically to the issuers, and is credited by wire
- immediately (or nearly so). The issuer can bill directly to the
- cardholder account, and float can be reduced to an average of 15 days.
- The problem is, what to do with the paper? Current regulations in many
- states require that it be saved, but there is no need for it to be sent
- to the issuer. Also, for contested charges, a paper trail is much more
- likely to stand up in court, and much better to use for fraud investi-
- gations. Currently, the paper usually ends up back at the issuer, as
- before, but it doesn't need to be processed, just microfilmed and
- stored.
- Much of the market still uses paper settlement methods. Online settle-
- ment will replace virtually all of this within the next 5 to 10 years,
- because of its many benefits.
- This was pretty long, but there is a lot of information, and I skimmed
- over a lot of details. Future installments should be shorter. Coming
- up next is a discussion of fraud and security, and then a special dis-
- cussion of debit cards. Hang on, we're halfway through this!
- Joe Ziegler
- att!lznv!ziegler
- This is part four of a planned six-part series on the credit card in-
- dustry. It will be helpful if you have read parts one through three,
- as I use a lot of terminology here that was introduced earlier. Enjoy.
- WARNING
- This installment describes various methods of perpetrating fraud
- against credit and charge card issuers, acquirers, and cardholders. Le-
- gal penalties for using these methods to commit fraud are severe. The
- reason for sharing this information is so that consumers will be aware
- of the importance of security and be aware of the procedures used by
- financial institutions to protect against fraud. Neither I nor my em-
- ployer advocate use of the fraudulent methods described herein.
- All the information here is publicly available from other sources. Un-
- necessary detail is purposely not included, particularly as it applies
- to detection and prevention of fraud.
- CARDHOLDER FRAUD
- ---------- -----
- The most common type of fraud against credit cards is cardholders fal-
- sifying applications to get higher credit limits than they can afford
- to pay, or to get multiple cards that they cannot afford to pay off.
- Sometimes this is done with intent to defraud, but most often it is
- done out of desperation or sheer financial ineptitude. Those who in-
- tend to defraud generally use the multiple-card approach. They give
- false names and financial data on several (sometimes as many as hun-
- dreds) of applications. Often, the address of a vacant house that the
- crook has access to is given, making it difficult to track the crook's
- real identity. Once cards start showing up, the crook uses them for
- cash advances or charges merchandise that is easy to sell, like con-
- sumer electronics. The crook will run all the cards up to the limit
- immediately, and will generally move on by the time the bills start ar-
- riving. This type of fraud is not applicable to debit cards, since
- they require an available account balance equal to or greater than any
- purchases or withdrawals.
- Protecting against this type of fraud, either intentional or otherwise,
- is exactly the purpose of credit bureaus such as TRW. Issuers have be-
- come more aware of the need for careful screening of applications, and
- are using better techniques for detecting similar applications sent to
- multiple issuers. More sophisticated velocity file screening can also
- be used to detect possibly fraudulent usage patterns. Since this is a
- method of fraud that can be used to gain really large amounts of
- money, it is a high priority with issuers' security departments.
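A minimal velocity-file screen of the kind mentioned above, added here as an illustration and not taken from the original series or from any issuer's system. It assumes the velocity file is a per-card window of recent authorizations; the card tokens, the 24-hour window and both thresholds are constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW_HOURS = 24        # assumed look-back window
MAX_USES = 5             # assumed: more uses than this in the window is flagged
MAX_LIMIT_PERCENT = 80   # assumed: spending above this share of the limit is flagged


@dataclass(frozen=True)
class Auth:
    card: str      # opaque card token, never a real account number
    hour: float    # hours since the start of the observation period
    amount: int    # cents
    limit: int     # credit limit of the card, cents


def screen(auths):
    """Return (card, hour, reasons) for every authorization that trips a rule."""
    recent = defaultdict(deque)   # card -> authorizations still inside the window
    alerts = []
    for a in sorted(auths, key=lambda x: x.hour):
        window = recent[a.card]
        window.append(a)
        # Drop uses that have aged out of the look-back window.
        while window[0].hour <= a.hour - WINDOW_HOURS:
            window.popleft()
        reasons = []
        if len(window) > MAX_USES:
            reasons.append("use_count")
        spent = sum(x.amount for x in window)
        if spent * 100 > a.limit * MAX_LIMIT_PERCENT:
            reasons.append("amount")
        if reasons:
            alerts.append((a.card, a.hour, reasons))
    return alerts


# Constructed sample data.
SAMPLE_AUTHS = [
    # card-A: ordinary use spread over ten days
    Auth("card-A", 0, 4_500, 200_000),
    Auth("card-A", 72, 12_000, 200_000),
    Auth("card-A", 240, 3_000, 200_000),
    # card-B: run up toward the limit within a few hours
    Auth("card-B", 1, 30_000, 100_000),
    Auth("card-B", 2, 30_000, 100_000),
    Auth("card-B", 2.5, 25_000, 100_000),
    Auth("card-B", 3, 10_000, 100_000),
    # card-C: many small uses in one day
    Auth("card-C", 10, 1_000, 500_000),
    Auth("card-C", 11, 1_000, 500_000),
    Auth("card-C", 12, 1_000, 500_000),
    Auth("card-C", 13, 1_000, 500_000),
    Auth("card-C", 14, 1_000, 500_000),
    Auth("card-C", 15, 1_000, 500_000),
]

if __name__ == "__main__":
    for card, hour, reasons in screen(SAMPLE_AUTHS):
        print(f"{card} at hour {hour}: {', '.join(reasons)}")
```
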
- A variant of this scheme is much like check kiting. Can you use your
- VISA to pay your MasterCard? Well, you might be able to manage it, but
- if you're doing it with intent to defraud, you can be prosecuted. Kit-
- ing schemes typically don't last long, have a low payoff, and are very
- easy to detect.
- Another type of cardholder fraud is simply contesting legitimate
- charges. Most often, retrieving the documents gives pretty convincing
- proof. Frequently, a family member will be found to have used the card
- without the cardholder's permission. Such cases are usually pretty
- easy to resolve. In the case of an ATM card, cameras are often placed
- at ATMs (sometimes hidden) to record users of the machine. The camera
- is usually tied to the ATM, so that a single retrieval stamp can be
- placed on the film and the ATM log. If a withdrawal is contested, the
- bank can then retrieve the picture of the person standing at the ma-
- chine, and conclusively tie that picture to the transaction.
- A type of cardholder fraud that is endemic only to ATMs is making false
- deposits. You could, theoretically, tell the ATM that you are deposit-
- ing a large amount of money, and put in an empty envelope. Most banks
- will not let you withdraw amounts deposited into an ATM until the de-
- posit has been verified, but some will allow part of the deposit to be
- withdrawn. Typically, you can't get away with much. If you have any
- money actually in your account, the bank has easy, legal recourse to
- seize those funds. Most banks have no sense of humor about such
- things, and will remove ATM card privileges after the first offense.
- THIRD-PARTY FRAUD
- ----------- -----
- The simplest way for a third party to commit fraud is for them to get
- their hands on a legitimate card. There is a large black market for
- credit cards obtained from hold-ups, break-ins and muggings. Perhaps
- one of the cruelest methods of getting a card is a "Good Samaritan"
- scam. In such a scam, credit cards are stolen by pick-pockets,
- purse-snatchers, etc. That same day, someone looks up your number in
- the phone book and calls you up. "I just found your wallet. All the
- money is gone, but the credit cards and your driver's license are still
- here. It just happens that I'll be in your neighborhood next Wednesday
- and I'll drop it off then." Since the cards are found, you don't re-
- port them stolen, and the crooks get until next Wednesday before you're
- even suspicious. If such a thing happens to you, ask if you can come
- and pick the cards up immediately. A true good samaritan won't mind,
- but a crook will stall you. If you can't get your hands on the cards
- immediately, report them as stolen. Most issuers will be able to get
- you a new card by next Wednesday, anyway.
- Often stolen cards will be used for a time exactly as is. The best
- tool for preventing this is verification of the signature, but this is
- ineffective because most merchants don't consistently check signatures
- and some people don't even sign their cards. (I guess these people
- figure that all purse snatchers are accomplished forgers as well.)
- Many cards will eventually be modified as the various security schemes
- start catching up.
- It is a very easy matter, for example, to re-encode a different number
- on the magnetic stripe. Since the card still looks fine, a merchant
- will accept it and run it through the POS terminal, completely ignorant
- of the fact that the number read off the back is not the same as that
- on the front. Although the number on the front would fail a negative
- file check, the number on the back is one that hasn't been reported
- yet. A card can be re-encoded almost any number of times, as long as
- you can keep coming up with new valid PANs. To protect against this,
- some merchants purposely avoid using the magnetic stripe. Others have
- terminals that display the number read from the stripe, so the cashier
- can compare it to the number on the card. Some issuers are experiment-
- ing with special encoding schemes, to make re-encoding difficult, but
- most of these schemes would require replacing the entire embedded base
- of POS terminals. An interesting approach I've seen (it's probably
- patented) uses a laser to burn off the parts of the magnetic stripe
- where zeroes are encoded, leaving only the ones. This severely limits
- the changes you can make to the card number. Some issuers use the
- "discretionary data" field to encode data unique to the card, that a
- crook would not be able to guess, to combat this type of fraud.
- Since an ATM doesn't have a human looking at the card, it is especially
- susceptible to re-encoding fraud. A crook could get a number from a
- discarded receipt and encode it on a white card blank, which is easy to
- obtain legally. Many people use PINs that are easy to guess, and the
- crook has an easy job of it. Most ATMs will not give you your card
- back if you don't enter a correct PIN, and will only give you a few
- tries to get it right, to prevent this type of fraud. Velocity file
- checks are also important in detecting this. You should always take
- your ATM receipts with you, pick a non-obvious PIN, and make sure that
- nobody sees you enter it.
- One place that a crook can get valid PANs to encode on credit cards is
- from dumpsters outside of stores and restaurants. The credit slip
- typically is a multipart form, with one copy for you, one for the mer-
- chant, and one for the issuer (ultimately). If carbon paper is used,
- and the carbons are discarded intact, it's pretty easy to read the num-
- bers off of them. Carbonless paper and forms that either rip the car-
- bons in half or attach them to the cardholder copy automatically are
- used to prevent this.
- There are a lot of scams for getting people to tell their credit card
- numbers over the phone. Never give your card number to anyone unless
- you are buying something from them, and make sure that it is a le-
- gitimate business you are buying from. "Incredible deal!! Diamond
- jewelry at half price!! Call now with your VISA number, and we'll rush
- you your necklace!!" When you don't get the necklace for four weeks,
- you might start to wonder. When you get your credit card bill, you'll
- stop wondering.
- There are other, more sophisticated ways to modify a credit card. If
- you're skillful, you can change the embossing on the card and even the
- signature on the back. For most purposes, these techniques are more
- trouble than they're worth, since it's not difficult to come up with a
- new stolen card, or fake ID to match the existing card.
- MERCHANT FRAUD
- -------- -----
- There are many urban rumors of merchants imprinting a card multiple
- times while the cardholder isn't looking, and then running through a
- bunch of charges after the cardholder leaves. I don't know of any case
- where this is an official policy of a merchant, but this is certainly
- one technique a dishonest cashier could use. The cashier can then take
- home a bunch of merchandise charged to your account. Although some
- people are afraid of this happening in a restaurant, where a waiter
- takes your card away for a while, it's actually less likely there,
- since there isn't anything the waiter can charge against your card and
- take home.
- A merchant could also make copies of charge slips, to sell the PANs to
- other crooks. (See above for use of PANs.) Most credit card investi-
- gation departments are sensitive to this possibility, and catch on real
- fast if it's happening just by looking at usage history of cards with
- fraudulent charges.
- A merchant is also in a position to create many false charges against
- bogus numbers, to attempt to defraud the acquirer or issuer. These
- schemes are usually not too effective, since acquirers generally re-
- spond very quickly to an unusual number of fraudulent transactions by
- tightening restrictions on the merchant.
- ACQUIRER AND ISSUER FRAUD
- -------- --- ------ -----
- The place to make really big bucks in fraud is at the acquirer or is-
- suer, since this is where you can get access to large amounts of money.
- Fortunately, it's also fairly easy to control things here with audit
- procedures and dual control. People working in the back offices, pro-
- cessing credit slips, bills, etc. have a big opportunity to "lose"
- things, introduce false things, artificially delay things, and tempo-
- rarily divert things. Most of the control is standard banking stuff,
- and has been proven effective for decades, so this isn't a big problem.
- A bigger potential problem to the consumer is the possibility of an em-
- ployee at the issuer or acquirer selling PANs to crooks. This would be
- very hard to track down, and could compromise a large part of the card
- base. I know of no cases where this has happened.
- Programmers, in particular, are very dangerous because they know where
- the data is, how to get it, and what to do with it. In most shops, de-
- velopment is done on completely separate facilities from the production
- system. Certification and installation are done by non-developers, and
- developers are not allowed any access to the production facilities.
- Operations and maintenance staff are monitored very carefully as well,
- since they typically have access to the entire system as part of their
- jobs.
- Another type of fraud that is possible here is diversion of materials,
- such as printed, but not embossed or encoded, card blanks. Such mate-
- rials are typically controlled using processes similar to those used at
- U.S. mints. Since most of the cards issued in the United States are
- actually manufactured by only a handful of companies, it's not too hard
- to keep things under control.
- There are many types of fraud that can be perpetrated by tapping data
- communication lines, and using protocol analyzers or computers to in-
- tercept or introduce data. These types of fraud are not widespread,
- mainly because of the need for physical access and because sophisti-
- cated computer techniques are required. There are message authentica-
- tion, encryption, and key management techniques that are available to
- combat this type of fraud, but currently these techniques are far more
- costly than the minimal fraud they could prevent. About the only such
- security technique that is in widespread use is encryption of PINs.
- The next episode will be devoted to debit cards, and the final episode
- will talk about the networks that make all this magic happen.
- EVOLUTION OF DEBIT CARDS
- --------- -- ----- -----
- The debit card originated as a method for bank customers to have access
- to their funds through Automatic Teller Machines (ATMs). This was seen
- as a way for banks to automate their branches and save money, as well
- as a benefit for customers. A secondary intent was for the card to be
- used as a method of identification when dealing with a human teller.
- Although that idea never really caught on, it has seen renewed interest
- from time to time.
- One problem with using cards to access bank accounts is that federal
- regulations required a signature be used for each withdrawal transac-
- tion. After much debate, the concept of a Personal Identification Num-
- ber (PIN) was invented, and federal regulations were modified to allow
- PINs for use in place of signatures with bank withdrawals. ATMs also
- faced many other regulatory difficulties. In many states, for example,
- there are limitations on the number of branches a bank can have. In a
- conflict that only a lawyer could conceive of, a ruling was required
- about whether an ATM constitutes a bank branch or not. Since such rul-
- ings were made on a state by state basis, it varies across the country.
- This results in some very odd arrangements in some states, because of
- requirements placed on bank branches.
- In early attempts, the card actually carried account information and
- balances. The cardholder would bring the card into a branch, and bank
- personnel would "load" money onto the card, based on the customer's ac-
- tual account balance. The cardholder could then use the card at a
- stand-alone machine that would update the information on the card as
- money was withdrawn. The information was stored on track 3 of the mag-
- netic stripe, as mentioned in an earlier installment. This approach
- had many problems. It was far too susceptible to fraud, it could not
- reasonably handle multiple accounts, and it could not be used as a ve-
- hicle for other services. Since it was pretty much limited to with-
- drawals, it didn't even automate much of the bank branch functions.
- The online ATM offered a solution to the problems of the early ATM
- cards. Since the ATM was connected to the bank's host, it was no
- longer necessary to maintain account balances on the card itself, which
- removed a major source of fraud. Also, access to multiple accounts be-
- came possible, as did additional services, such as bill payment.
- Once banks started buying and installing ATMs, they quickly realized
- that it is very expensive to maintain a large number of machines. Yet
- customers began demanding more machines, so they could have easier ac-
- cess to their funds. Since many banks in an area would have ATMs, the
- obvious solution was to somehow cross-connect bank hosts so that cus-
- tomers could use ATMs at other banks, for convenience. The lawyers
- struck again. Does a shared ATM count as a branch for both banks? Does
- a transaction at a shared ATM mean that one bank is doing financial
- transactions for another, which is not allowed? If two banks share
- ATMs, but refuse to allow a third bank, is that monopolizing or re-
- straint of trade? Strange restrictions on shared ATM transactions re-
- sulted.
- Soon interchange standards began to evolve, and ATM networks became a
- competitive tool. Regional and national networks started to emerge.
- And the lawyers struck again. If a network allows transactions in one
- state for a bank in another state, isn't that interstate banking, which
- was at the time forbidden? Should an ATM network that dominates a re-
- gion become a regulated monopoly? Should an ATM network that gets re-
- ally big be considered a public utility?
- Today, the regional and national networks continue to grow and offer
- more services and more interconnections. All of the regulatory issues
- have not been resolved, and this is creating a lot of tension for eas-
- ing banking restrictions.
- An ATM card is just an ATM card, regardless of how many ATMs it works
- in. Most banks long ago saw an opportunity for the ATM card to be used
- as a debit card, presumably to replace checks. A tremendous number of
- checks are used each year, and it costs banks a lot of money to process
- them. Debit card transactions could cost less to process, given an ap-
- propriate infrastructure. Some of the costs could potentially be
- passed on to the merchants or the consumers, who are notoriously reluc-
- tant to directly pay the cost of checks. So far there have been many
- trials of using ATM cards as debit cards at the point of sale, but they
- have, in general, met with consumer apathy. In some areas, where banks
- have aggressively promoted debit, things have gone better. Still, gen-
- eral acceptance of debit seems a ways off.
- One interesting twist to the debit card story, as mentioned earlier, is
- the emergence of third party debit cards. Issuers of these cards have
- no real account relationship with the cardholders. Instead, they ob-
- tain permission from the cardholders to debit their checking accounts
- directly through the Automated Clearing Houses (ACHs), the same way
- checks are cleared. (Think of it as direct deposit, in reverse.) Oil
- companies first started experimenting with this a couple of years ago,
- and it has met with surprising success. Banks dislike this concept,
- because it competes directly with their debit cards, but isn't subject
- to the same state and federal regulations. ACHs like this, because it
- bolsters their business, which otherwise stands to lose a lot by
- acceptance of debit cards. Merchants generally like this, especially
- the large retailers, because it allows them to get their payment sys-
- tems out from under the control of the banks.
- THE ATM
- --- ---
- An ATM is an interesting combination of computer, communication, bank-
- ing, and security technology all in one box. A typical machine has a
- microprocessor, usually along the lines of an 8086, a communications
- module (which may have its own microprocessor), a security module
- (also with a microprocessor), and special-purpose controllers for the
- hardware. The user interface is typically a CRT, a telephone-style
- keypad, and some soft function keys. Typically there is a lot of
- memory, but no disk. The screens and program are usually downloaded
- from the host at initialization, and are stored in battery-backed RAM
- indefinitely. The machine typically interacts with the host for every
- transaction, but it can operate offline if necessary, as dictated by
- the downloaded program. The downloaded program is often in an
- industry-standard "states and screens" format that was created by
- Diebold, a manufacturer of various banking equipment, including ATMs.
- Most machines can use a few IBM protocols (bisync, SNA, and an outmoded
- but still used "loop" protocol), Burroughs poll/select, and perhaps
- some others, depending on which communications module is in place.
- This allows the manufacturer to make a standard machine, and plug in
- different communications hardware to suit the customer. The IBM bisync
- and SNA protocols are most common, with most networks moving toward
- SNA.
- The security modules do all encryption for the ATM. They are separate
- devices that are physically sealed and cannot be opened or tapped with-
- out destroying the data within them. In a truly secure application, no
- sensitive data entering or leaving the security module is in cleartext.
- Arranging this and maintaining it is more complicated than I can go
- into here.
- Most ATMs contain two bill dispensers, a "divert" bin for bills, a
- "capture" bin for cards, a card reader, receipt printer, journal
- printer, and envelope receptacle. Some ATMs have more than two bill
- dispensers, and can even dispense coins.
- When an ATM is dispensing money, it counts the appropriate bills out of
- the bill dispensers, and uses a couple of mechanical and optical checks
- to make sure it counted correctly. If the checks fail, it shunts the
- bills into the divert bin and tries again. Typically, this is because
- two bills were stuck together. I've seen ATMs have sensor faults, and
- divert the total contents of both bill dispensers the first time a user
- asks for a withdrawal. "Gee, all I did was ask for $50, and this ma-
- chine made all kinds of funny whirring noises and shut down." Most
- banks will put twenty-dollar bills in one of the dispensers and five
- dollar bills in the other. Some use tens and fives, or tens and twen-
- ties. Depending on the denominations of the bills, the size of the
- dispensers, and the policy of the bank, an ATM can hold tens of thou-
- sands of dollars.
- The journal printer keeps a running log of every use of the machine,
- and exactly what the machine is doing, for audit purposes. You can
- often hear it printing as soon as you put your card in or after your
- transaction is complete.
- When you put an envelope into an ATM, the transaction information is
- usually printed directly on the envelope, so that verifying the deposit
- is easier. Bank policies typically require that any deposit envelope
- be opened and verified by two people. In this, you're actually safer
- depositing cash at an ATM than giving it to a human teller.
- A card will be diverted to the capture bin if it is on the "hot card"
- list, if the user doesn't enter a correct PIN, or if the user walks
- away and forgets to take the card.
- On some machines, the divert bin, capture bin, envelope receptacle, and
- bill dispenser bins are all separately locked containers, so that re-
- stocking can be done by courier services who simply swap bins and re-
- turn the whole thing to a central site.
- The entire ATM is typically housed in a hardened steel case with alarm
- circuitry built in. These suckers have been known to survive dynamite
- explosions. The housing typically has a combination lock on the door,
- and no single person knows the entire combination. The machine can
- thus be opened for restocking, maintenance, or repair, only if at least
- two people are present.
- DEBIT CARD PROCESSING
- ----- ---- ----------
- Debit card processing is fairly similar to credit and charge card pro-
- cessing, with a few exceptions. First, in the case of ATMs, the ac-
- cepter and acquirer are usually the same. For debit card use at the
- point of sale, the usual acquirer-accepter relationship holds. In gen-
- eral, acquirers may do front-end screening on debit cards, but all ap-
- provals are generated by the issuer - the floor limit is zero. This
- makes it possible to eliminate a separate settlement process for debit
- card transactions, but places additional security and reliability con-
- straints on the "authorization". Often a separate settlement is done
- anyway.
- One problem that has caused difficulties for POS use of debit cards is
- the use of PINs. Many merchants and cardholders would rather use sig-
- nature for identity verification. But most debit systems grew out of
- ATM systems, and require PINs. This is an ironic reversal of the early
- ATM card days, when people were trying to avoid requiring signature.
- Other than the PIN, the information required for a debit transaction is
- the same as that required for a credit transaction.
- One last installment on the networks that tie this all together, and
- the Credit Card 101 course will be complete. There will be no final
- exam - you will be graded entirely on classroom participation. Most of
- you are failing miserably...
- ACCESS NETWORKS
- ------ --------
- For most credit card applications, the cost of the access network is
- the single biggest factor in overall costs, often accounting for over
- half of the total. For that reason, there are many different solu-
- tions, depending on the provider, the application, and geographical
- constraints.
- The simplest form of access network uses 800 service, in one of its
- many forms. Terminals at merchant locations across the country dial an
- 800 number that is terminated on a large hunt group of modems, con-
- nected directly to the acquirer's front-end processor (FEP). The FEP
- is typically a fault-tolerant machine, since an outage here will take
- out the entire service. A large acquirer will typically have two or
- more centers for terminating the 800 service. This allows better
- economy, due to the nature of 800 service tariffs, and allows for
- disaster recovery in case of a failure of one data center. An advantage
- of 800 service is that it is quite easy to cover the entire country
- with it. It also provides the most effective utilization of your FEP
- resources. (A little queuing theory will show you why.) However, 800
- service is quite expensive. It always requires 10 (or 11) digits di-
- aled, and in areas with pulse dialing it can take almost three seconds
- just to dial 1-800. The delay between dialing and connection is longer
- for 800 calls than many other calls, because of the way the calls get
- routed. All of this adds to the perce