One of the many modern conveniences of today is the credit card. It grants the card holder a line of credit, guaranteed by an issuing bank, which is used to purchase goods and services without cash. Because of the convenience they provide to consumers, credit cards have gained significant importance and acceptance within the economy. Their growth has been fuelled by various incentives offered by banks, card issuers, businesses, retailers, e-commerce sites and so on. Their penetration has reached such proportions that in a single month the total value of transactions runs into a few hundred billion. In the month of May 2017 alone, for example, these cards were used for more than a hundred million transactions with a total value exceeding three hundred billion rupees. These figures are as per records published by the RBI, which also state that the total number of credit cards outstanding within India has crossed thirty million. The increased ownership and use of credit cards has also increased fraud involving credit cards. Credit card fraud includes theft of the actual card or of the card details and the use of that information for illicit and illegitimate gains. The incidence of fraud is higher for ‘card not present’ transactions, where the physical card is not produced while transacting, as in online or e-commerce transactions.
Nowadays a number of features are used to prevent credit card fraud. Here we take a look at some of the methods that are used to secure credit cards. Some of these features are integrated within the card itself and some are implemented within the card-processing infrastructure.
The following image shows a transaction flow using a credit card.
Image 1: Transaction Cash Flow for the Payment Card Industry
Payment Card Industry Data Security Standard (PCI DSS)
This is a security standard prescribed by the Payment Card Industry Security Standards Council which acquiring banks have to enforce on their merchant networks and which applies to all card-based merchant transactions. The standard was developed to provide additional security and reduce fraudulent use of credit cards at merchant establishments. All merchant establishments which accept, process, store or transmit credit card information need to comply with it, and they face regular audits to ensure continued compliance. PCI DSS consists of six groups comprising a total of twelve requirements, shown in Image 2 below.
Image 2: PCI DSS Compliance Groups
Credit Card Number Display and Storage
To ensure secrecy, certain standards are followed while displaying card information, such as when printing it on a credit card statement or on a charge slip. Some form of masking is almost always used to hide a part of the card number. One commonly used masking method, known as ‘PAN Truncation’, displays only the last four digits and replaces the other digits with asterisks. Without the full card number it is difficult for an unauthorized person to reconstruct it.
The databases on which credit card information is stored have strict security measures implemented to prevent any unauthorized access. Access to such databases is usually need-based and all activity is monitored continuously to deter unauthorized access. These databases also undergo regular system audits to check for unauthorized activity such as unauthorized access, alteration or download, which also ensures continued compliance with recommended practices. For further security the card numbers are stored in a non-readable form, either by encrypting them or by generating tokens in place of the numbers. Encryption uses a cryptographic algorithm to produce an encrypted, non-readable output; in case of a data breach this output prevents the unauthorized person from learning the actual credit card numbers. In the other method, called ‘Tokenization’, the card numbers are replaced with randomly generated token numbers. The tokens are by themselves meaningless and contain no card information, so even if they are leaked there is no way to associate them with the actual card numbers.
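The two storage controls described above, PAN truncation for display and tokenization for storage, as an added example written for this article (it is not code from any card processor or token vault product; the TokenVault class, the merchant_record helper and the sample card number are all constructed for illustration):

```python
import secrets
from typing import Dict, Optional


def mask_pan(pan: str, visible: int = 4, mask_char: str = "*") -> str:
    """PAN truncation: keep only the last `visible` digits of a card number
    and replace every other digit with `mask_char`. Spaces or dashes used
    as separators in the input are dropped first."""
    digits = "".join(c for c in pan if c.isdigit())
    if len(digits) < visible:
        raise ValueError("card number too short to mask")
    return mask_char * (len(digits) - visible) + digits[-visible:]


class TokenVault:
    """Illustrative token vault (constructed for this example, not a real
    product). Each card number is replaced by a random token that carries
    no card information; only the vault can map a token back to a number,
    so a leaked token table on its own reveals nothing."""

    def __init__(self) -> None:
        self._token_to_pan: Dict[str, str] = {}
        self._pan_to_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        digits = "".join(c for c in pan if c.isdigit())
        existing = self._pan_to_token.get(digits)
        if existing is not None:
            return existing                          # same card, same token
        while True:
            token = "tok_" + secrets.token_hex(8)    # random, not derived from the PAN
            if token not in self._token_to_pan:
                break
        self._token_to_pan[token] = digits
        self._pan_to_token[digits] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Only the vault, inside the secured zone, can resolve a token."""
        return self._token_to_pan.get(token)


def merchant_record(vault: TokenVault, pan: str) -> Dict[str, str]:
    """What a merchant system keeps after a sale: the masked number for
    statements and charge slips, and the token for later refunds or
    recurring charges. The full PAN is never stored outside the vault."""
    return {"display": mask_pan(pan), "token": vault.tokenize(pan)}


# Constructed sample card number (a standard test number, not a real card).
SAMPLE_PAN = "4111 1111 1111 1111"

if __name__ == "__main__":
    vault = TokenVault()
    rec = merchant_record(vault, SAMPLE_PAN)
    print(rec)
    print("resolved inside the vault:", vault.detokenize(rec["token"]))
```

The token is generated with a random source rather than derived from the card number, which is what makes it meaningless on its own: the only link back to the PAN is the mapping held inside the vault.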
Fraud Detection and Prevention Software
Every time a credit card is used the card details get validated by the payment processor, the card network and the issuing bank. Transactions which receive a positive validation from the issuing bank are cleared for order fulfilment at the seller’s end. Transactions entered using cards that are reported stolen or are already blacklisted get denied automatically by the payment processor during card validation so that the order cannot be completed at the seller’s end. These functions are carried out by specialised fraud detection and prevention software implemented by these intermediaries.
Such anti-fraud software keeps track of card activity and analyzes it to detect potential fraud. Any transaction not falling within the card holder’s normal buying pattern gets red-flagged, which causes a second authentication method to be invoked to verify the identity of the card user. Alternatively, such activity gets reported to an intervention team which contacts the card holder to verify the transaction. If the card holder cannot be contacted, the transaction is either put on hold or cancelled to prevent fraud, and the card may be blocked until the card holder proves their identity, usually by answering certain challenge questions. Deviations from the normal pattern include a transaction value beyond a tolerance limit from the average value of transactions entered by the card holder over a period of time, a change in the location where the card is used, a different website or service than the usual ones, or use at known compromised websites or online platforms. Card issuers also often call the card holder to confirm a transaction if its value exceeds a certain threshold.
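The validation and pattern-deviation checks described in the two paragraphs above, as an added example written for this article (a toy rule engine, not any processor's real fraud software; the scores, thresholds, card ids, merchants and transaction history are all constructed):

```python
from dataclasses import dataclass, field
from statistics import mean
from typing import Iterable, List, Set


@dataclass
class Transaction:
    card_id: str
    amount: float        # transaction value in rupees
    country: str         # where the card is being used
    merchant: str        # website, shop or service


@dataclass
class Decision:
    action: str                  # "approve", "step_up", "review" or "decline"
    reasons: List[str] = field(default_factory=list)


class FraudScreen:
    """Toy rule engine, constructed for this example. Cards reported stolen
    or blacklisted are declined outright; a value beyond a tolerance of the
    holder's average, an unusual country, an unusual merchant or a known
    compromised merchant add to a risk score that triggers a second
    authentication factor; very large values go to an intervention team."""

    def __init__(self, history: Iterable[Transaction], blocked_cards: Iterable[str] = (),
                 compromised_merchants: Iterable[str] = (), tolerance: float = 2.0,
                 callback_threshold: float = 100000.0, step_up_score: int = 2) -> None:
        self.history: List[Transaction] = list(history)
        self.blocked: Set[str] = set(blocked_cards)
        self.compromised: Set[str] = set(compromised_merchants)
        self.tolerance = tolerance
        self.callback_threshold = callback_threshold
        self.step_up_score = step_up_score

    def screen(self, txn: Transaction) -> Decision:
        if txn.card_id in self.blocked:
            return Decision("decline", ["card reported stolen or blacklisted"])

        score, reasons = 0, []
        if txn.merchant in self.compromised:
            score += 3
            reasons.append("merchant is on the compromised list")

        past = [t for t in self.history if t.card_id == txn.card_id]
        if past:
            avg = mean(t.amount for t in past)
            if txn.amount > self.tolerance * avg:
                score += 2
                reasons.append(f"value {txn.amount:.0f} exceeds {self.tolerance}x the average of {avg:.0f}")
            if txn.country not in {t.country for t in past}:
                score += 2
                reasons.append(f"card not previously used in {txn.country}")
            if txn.merchant not in {t.merchant for t in past}:
                score += 1
                reasons.append(f"first use at {txn.merchant}")

        if txn.amount > self.callback_threshold:
            reasons.append("value above call-back threshold")
            return Decision("review", reasons)      # intervention team phones the holder
        if score >= self.step_up_score:
            return Decision("step_up", reasons)     # invoke the second factor
        return Decision("approve", reasons)


# Constructed sample history for one card holder (not real data).
HISTORY = [
    Transaction("card-A", 1200.0, "IN", "grocer.example"),
    Transaction("card-A", 800.0, "IN", "fuel.example"),
    Transaction("card-A", 1000.0, "IN", "grocer.example"),
]
SCREEN = FraudScreen(HISTORY, blocked_cards={"card-STOLEN"},
                     compromised_merchants={"breached-shop.example"})

if __name__ == "__main__":
    for t in [Transaction("card-A", 900.0, "IN", "grocer.example"),
              Transaction("card-A", 5000.0, "US", "books.example"),
              Transaction("card-A", 150000.0, "IN", "grocer.example"),
              Transaction("card-STOLEN", 50.0, "IN", "grocer.example")]:
        d = SCREEN.screen(t)
        print(t.amount, t.country, t.merchant, "->", d.action, d.reasons)
```

Each rule contributes to a score rather than deciding on its own, so a single first-time merchant does not by itself force a step-up, while a large value in a new country does. The reasons list is what an intervention team would read when calling the card holder.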
CSC, CVC and CVV codes
CSC stands for Card Security Code, CVC for Card Verification Code and CVV for Card Verification Value; all three names refer to the code printed on the reverse of a credit card. A valid CSC or CVV number is required for completing all ‘card not present’ or online transactions where the card cannot be presented for visual inspection. Without a valid CVV number a transaction will be declined, thus preventing misuse. Providing the code for an online transaction signifies that the customer is in possession of the actual card or has seen it, which serves as evidence of ownership; the assumption is that an unauthorized user who has obtained the card number by fraud will not have access to the card and so will not be able to provide the CVV number.
Two Factor Authentication
Some of the banks, card networks and e-commerce platforms use a second level of authentication for online transactions. The two factor authentication method adds an additional layer of security to a card transaction and makes it harder for an unauthorized person to use it because the password is no longer sufficient by itself to complete the transaction.
Where two factor authentication is enabled, a customer has to clear an additional layer of verification after entering the card details on the payment gateway. This additional factor may be a security token, an additional password, a PIN, or a biometric attribute. Registration for this second factor is usually done by the card holder as part of the card’s security program. The factor may be a hard token (a physical device) or a soft token (software based) which generates random numbers in real time, or a single-use password (‘OTP’ or ‘One Time Password’), valid for a short time, generated by the card network or the bank for a specific transaction and sent to the registered mobile number and email. A fraudster possessing a credit card would not have access to the second authentication factor, the security token or the registered mobile and email of the actual card holder, thus preventing fraud.
The following two images (3 & 4) show the two factor authentication flow and the various types of second factor authentication methods in use.
Image 3: Two-factor Authentication: Information Flow
Image 4: Two-factor Authentication Methods
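The transaction OTP described above, as an added example written for this article (an illustrative issuer-side service, not any bank's or card network's real implementation; the class name, the 180-second validity window, the attempt limit and the transaction ids are constructed assumptions):

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

OTP_TTL_SECONDS = 180      # validity window of a transaction OTP (assumed)
MAX_ATTEMPTS = 3           # wrong guesses allowed before the OTP is voided (assumed)


@dataclass
class _Pending:
    otp_mac: bytes         # HMAC of the OTP; the OTP itself is not stored server-side
    expires_at: float
    attempts: int = 0


class TransactionOtpService:
    """Illustrative issuer-side OTP service, constructed for this example.
    An OTP is bound to one transaction id, expires after a short window,
    is accepted once, and is voided after too many wrong attempts."""

    def __init__(self, server_key: bytes, clock: Callable[[], float] = time.time) -> None:
        self._key = server_key
        self._clock = clock
        self._pending: Dict[str, _Pending] = {}

    def _mac(self, txn_id: str, otp: str) -> bytes:
        # Binding the transaction id into the MAC means an OTP issued for one
        # transaction cannot be presented for a different one.
        return hmac.new(self._key, f"{txn_id}:{otp}".encode(), hashlib.sha256).digest()

    def issue(self, txn_id: str) -> str:
        """Generate a fresh 6-digit OTP for `txn_id`. The return value is what
        would be sent out-of-band to the registered mobile number or email."""
        otp = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[txn_id] = _Pending(self._mac(txn_id, otp),
                                         self._clock() + OTP_TTL_SECONDS)
        return otp

    def verify(self, txn_id: str, otp: str) -> bool:
        entry = self._pending.get(txn_id)
        if entry is None:
            return False                       # nothing outstanding, or already used
        if self._clock() > entry.expires_at:
            del self._pending[txn_id]          # expired: holder must request a new one
            return False
        entry.attempts += 1
        ok = hmac.compare_digest(entry.otp_mac, self._mac(txn_id, otp))
        if ok or entry.attempts >= MAX_ATTEMPTS:
            del self._pending[txn_id]          # single use, or locked out
        return ok


if __name__ == "__main__":
    svc = TransactionOtpService(secrets.token_bytes(32))
    code = svc.issue("txn-1001")
    print("first use:", svc.verify("txn-1001", code))     # True
    print("replay:", svc.verify("txn-1001", code))        # False
```

Storing only an HMAC of the code means a read of the pending table does not yield usable OTPs, and the short validity plus single use limit the window in which an intercepted code is worth anything.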
Chip & Pin or EMV Cards
The latest security feature introduced in India and in most other countries is ‘Chip & PIN’, also known as EMV technology. EMV stands for Europay, Mastercard and Visa, the three card networks which initially designed the technology. An EMV credit card comes embedded with a chip which stores encrypted data. When making a transaction at a point of sale the customer has to enter the PIN associated with the chip embedded in the card; without this PIN the transaction cannot be completed, thus effectively preventing fraud. The chip creates a unique code for each transaction and communicates with the card reader using strong encryption algorithms. The embedded chip of an EMV card itself cannot be copied or cloned by a counterfeiter. The earlier cards that only had a magnetic stripe (i.e. without EMV technology) had no such protection and could easily be cloned while being swiped on a card reader.
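The two chip properties the paragraph relies on, PIN checked on the card and a unique code per transaction, as an added example written for this article (a simplified model, not EMV's real key hierarchy, PIN handling or message formats; the ChipCard and Issuer classes, the counter scheme and the MAC construction are constructed assumptions):

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

MAX_PIN_TRIES = 3   # assumed retry limit before the card locks


def cryptogram(key: bytes, record: Dict) -> bytes:
    """Transaction-specific code: a MAC over the card's transaction counter,
    the amount and the terminal's fresh nonce, valid for this transaction only."""
    msg = f"{record['counter']}|{record['amount']}|{record['nonce'].hex()}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


@dataclass
class ChipCard:
    """Simplified model of an EMV-style chip, constructed for this example.
    The card key never leaves the chip, the PIN is checked on the chip, and
    a transaction counter makes every cryptogram different."""
    card_key: bytes
    pin: str
    counter: int = 0
    pin_tries_left: int = MAX_PIN_TRIES

    def authorise(self, pin: str, amount: int, terminal_nonce: bytes) -> Optional[Dict]:
        if self.pin_tries_left == 0:
            return None                              # locked after repeated wrong PINs
        if not hmac.compare_digest(pin.encode(), self.pin.encode()):
            self.pin_tries_left -= 1
            return None                              # no PIN, no transaction
        self.pin_tries_left = MAX_PIN_TRIES
        self.counter += 1
        record = {"counter": self.counter, "amount": amount, "nonce": terminal_nonce}
        record["cryptogram"] = cryptogram(self.card_key, record)
        return record


class Issuer:
    """Issuer host holding its copy of the card key. It accepts each counter
    value once, in increasing order, so a captured record cannot be replayed,
    and any altered field makes the cryptogram fail to verify."""

    def __init__(self, card_key: bytes) -> None:
        self._key = card_key
        self._last_counter = 0

    def verify(self, record: Dict) -> bool:
        if record["counter"] <= self._last_counter:
            return False                             # seen before (replay) or stale
        if not hmac.compare_digest(cryptogram(self._key, record), record["cryptogram"]):
            return False                             # tampered data or wrong key
        self._last_counter = record["counter"]
        return True


if __name__ == "__main__":
    key = secrets.token_bytes(16)
    card, issuer = ChipCard(key, pin="4321"), Issuer(key)
    rec = card.authorise("4321", 2500, secrets.token_bytes(8))
    print("genuine:", issuer.verify(rec))            # True
    print("replayed:", issuer.verify(rec))           # False
```

The contrast with a magnetic stripe is that stripe data is static: whatever is read once verifies every time. Here the cryptogram changes with every transaction, and a copy of the card that lacks the key cannot produce a code the issuer accepts.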
SSL and TLS encryption technology
SSL stands for Secure Sockets Layer and TLS for Transport Layer Security. These are cryptographic protocols widely used by e-commerce sites, banks and financial institutions for securing confidential communications over the internet. They provide privacy and data integrity between two computers, such as the server of an e-commerce site and the consumer placing an order on it. Websites using SSL/TLS ensure that data transmitted over the network cannot be read or modified by an unauthorized person. As the keys needed for decryption are held only by the origin and destination computers, even if the data is intercepted by an unauthorized entity it cannot be decrypted. Besides encryption, SSL and TLS also signify authenticity for a website: an SSL or TLS certificate means that the information is being sent to the intended server or website and not to an attacker trying to steal card information. Websites using SSL/TLS can be identified by the presence of ‘https’ instead of ‘http’ and a green coloured address bar or letters, as shown in Image 5 below.
Image 5: How to identify a secure website
Best Practices by Card holders
Ultimately the onus is on the card holder to follow certain guidelines when using credit cards. A few best practices are mentioned below.
- Do not hand over the physical card or disclose card details to another person.
- Report a stolen credit card immediately to the issuing bank.
- Review charges regularly and report any unauthorized activity.
- Use antivirus software, secure browsers and secure websites for online transactions.
- Do not fall prey to phishing, vishing, spoofing and other internet fraud attacks; keep yourself educated about these threats.
Over the years various new technologies and methods have been adopted by card issuers and networks to combat the menace of card fraud. Yet the number and volume of fraudulent transactions have increased steadily with the increase in credit card usage, causing huge financial losses to consumers, card issuers and merchants. The growth of credit cards depends heavily on the availability of a safe and secure financial and technological ecosystem which minimises incidents of fraud. Consumer-friendly steps and legal protection for consumers against financial liability for fraudulent transactions will also help in increasing the penetration and usage of credit cards within the economy. Consumers too have to play an active role in preventing fraud by following recommended best practices and by not falling prey to lucrative offers, threats and the host of other methods employed by unscrupulous people.
1. Reserve Bank of India: Published statistics (https://www.rbi.org.in)
2. Digicert Inc.
3. Visa India: www.visa.co.in
By: CMA Arnab Chatterjee, Ex-Principal Consultant, Oracle Consulting (EMEA), Kolkata