Visa Inc. last week sent a fraud alert to banks and payment processors warning them to look out for a “large batch settlement fraud scheme” involving a merchant account in East Europe.
That alert is focusing renewed attention on a longstanding need for banks to tighten up the standards for authorizing merchants who accept credit and debit card payments.
Batch settlements refer to the common practice where merchants store all authorized payment card transactions that occur during a day and then send them in a batch for settlement to their acquiring bank at the close of business. An “acquiring” bank, in payment industry parlance, is the financial institution that basically vets and clears a merchant to accept payment card transactions.
In its alert, Visa said it had received reliable information from a “third-party entity” that a criminal group planned to submit a large batch settlement through a merchant account approved by a bank in Eastern Europe. “The criminals claimed to have access to account numbers and the ability to submit a large batch settlement upload to occur over a weekend,” Visa warned.
The company said it had no details about who exactly was involved or when the fraudulent activity might occur. The alert noted that the people behind the scheme were likely a “consortium of online merchants that have been trying to secure processing arrangements after being shut down at several acquirers across many geographies.”
In an e-mailed comment, a Visa spokesman said that card issuers and acquiring banks routinely monitor for unusual batch settlements. Even so, it issued the alert as a reminder to “critical stakeholders so they can take cautionary or mitigating steps” against fraud..
Avivah Litan, an analyst with Gartner Inc. said that the type of fraud Visa is warning about has been going on for several years. It typically involves certain categories of high-risk merchants, such as porn sites, which often submit fraudulent transactions using credit card numbers they have collected. Once money is moved from cardholder accounts to the rogue merchant’s accounts the funds are quickly withdrawn and the merchant drops out of the payment system, she said.
The situation is largely a result of the relatively loose manner in which merchants are approved to accept payment card transactions, Litan said. Credit card companies and acquiring banks, “need to tighten up their accreditation process and how they onboard new merchants.”
She said there are too many third parties and Independent Sales Organizations (ISO) acting on behalf of banks to approve merchant accounts, Litan said. The standards for approval used by such organizations have allowed “too many illegitimate merchants to establish accounts and access to the payment systems,” she said.
Michael Petitti, chief marketing officer at Trustwave, a firm that does PCI security audits for some of the largest retail establishments in the U.S., said that poor merchant validation is a problem — especially with e-commerce.
Sometimes, e-commerce merchants are approved for payment card transactions based on little more than their domain validation SSL certificates, he said. But SSL certificates do little more than establish the right of an applicant to use a specific domain name. The certificates are usually issued without any vetting of the information provided by the domain name holder.
Acquiring banks that are approving new e-commerce merchants for credit card transactions should, at a minimum, ensure that the merchant has acquired an Extended SSL certificate, Petitti said. Those certificates offer a much higher degree of identity validation because they’re issued only after the certificate authority has verified the legal, physical and operational existence of a company.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld