Read e-Path's eCommerce Payment Gateway Blog on how the world can work towards genuinely ending credit card and identity data theft and the majority of credit card fraud.
Credit card fraud is one of the most challenging issues facing business, credit card providers, the banking industry and law enforcement authorities today. According to JPMorgan' 13 Annual Report, online fraud cost in the area of $3 billion in 2011, a single year.
But firstly, what exactly does credit card fraud mean to you, the business owner? Consider this all too common scenario sent in from a new e-Path gateway merchant. We have published it here with permission as it perfectly illustrates not only the risks of accepting credit cards online but also what can be done to help eliminate them ...
Thanks for the info. I have to let you know of a real brush we had with a crim last week.
We received an order for a $799.00 digital camera, a pretty typical order for us, and like you say we always do a check on a few things before we do the charge. The email address was from a free yahoo account so it was sus to start with and he wasn't in the phone book either.
We smelled a rat so we tried calling the customer but the phone number turned out to be fake.
On this one we decided to ring our bank to check and were told the credit card was active, we could have got an authorisation number if we wanted to, I think they gave us one anyway, can't remember. So it hadn't been reported stolen.
If we had stayed with XXXXXXXXXXX [real time credit card payment gateway - name removed] it would have just done the transaction and we'd have sent out the cam.
But we didn't send anything out cause it looked like we were being shafted big time. I contacted the bank a few days later and they told me the card had now been cancelled. Must have happened over the previous two days. They couldn't tell me if it was stolen only it was cancelled, but I knew it was stolen that's a no brainer.
Had we sent out the camera we would have been hit with a charge back of $799.00 debited from our account plus pay a charge back fee plus we would have had to go hunting to get the cam back. Fat chance of that.
I thought you would like to know our new e-Path account has just saved us a fortune just on this one order. To say we are impressed is a bit of an understatement. Thanks heaps for a totally awesome service and we will be recommending you to everyone wanting to accept credit cards on the internet for sure.
Falling victim to credit card fraud causes inconvenience, frustration and financial loss. It can have a severe impact on the bottom line of any business. For the smaller business operator especially, falling victim to credit card fraud can be a very costly and painful experience.
Despite the best efforts of the banking industry and the card vendors themselves, the risk of falling victim to credit card fraud and then having to pay for the consequent loss is still very much a part of accepting credit cards online for the business owner ... but not so for the business in the above example!
Identify what causes vulnerability & risk . . . . then terminate them!!
To understand the significance of what e-Path has brought to the industry in terms of improved online ecommerce security, and what this means in real terms for you as the merchant (business owner) and for your online credit card paying customers, we first need to look at what the main root causes of vulnerability and risk are with the current system.
e-Path is not about adding to the endless variety of automated fraud screening plug-ins and add-ons that try to address symptoms. e-Path is about going right back to the heart, to the mechanics, to the very core reasons why there is vulnerability and risk with accepting credit cards online today .... and then we attack them by engineering a system where those vulnerabilities and risks are either reduced considerably or simply do not even exist.
The two main areas are:
ROOT CAUSE #1 - MERCHANT FACILITY VULNERABILITY
THE PROBLEM: When credit cards are accepted online today it is usually through an automated, internet based online processing system that communicates live with merchant facility systems in order to transact credit cards instantly online.
Let's put aside the wonderment of automation for a moment and look at this process for what it is.
Any anonymous person located anywhere can enter any credit card they like directly into your online payment processing system, and the system will attempt to transact it into your merchant account without you knowing. Your own private merchant account facility at your bank is therefore open to the entire population of the internet and will receive and attempt to transact any data your credit card processing system communicates to it. This is what 'live' and automated online credit card processing is all about.
It should be no surprise to learn that this is the exact method by which almost the entirety of online credit card fraud is perpetrated in the world today.
If the transaction turns out to be fraudulent some time later, then it is the business owner who invariably has to pay for the loss - a hugely unfair situation played out tens of thousands of times every single day around the world and the indisputable number one reason why accepting credit cards online is considered the highest risk transaction type of all. Deservedly so.
THE SOLUTION: Engineer a payment gateway that takes card processing away from the internet and removes the need for the merchant account facility to sit open and accessible to all on the open internet.
e-Path completely eliminates all risks associated with transactions being performed automatically online without the business owner's knowledge. This simply cannot occur with e-Path.
With e-Path the business owner becomes the one who is in control over their own merchant account facility. Nothing is transacted into the merchant account unless the bank approved merchant facility owner performs it themselves.
The merchant (business owner) implements a pre-authorisation manual review process where highly pertinent details about the buyer are checked and cross referenced prior to performing the charge on the card. The information available to merchants to assist in their own fraud prevention and management processes is extensive.
It has long been recognised that when potential fraud victims are themselves put in control of preventing themselves from falling victim to credit card fraud in the first place, the result is perhaps the most powerful and effective fraud prevention system available today.
e-Path sees this on a regular basis with those businesses who have made the switch from other gateway types to e-Path. Because of e-Path and their own vigilance they are now dramatically reducing, and in most cases, completely eliminating instances of falling victim to credit card fraud. We do not mention this lightly, this is exactly what occurs.
At this point it is important that you understand this will not stop attempts at credit card fraud. However, what it does guarantee is a total change of the status from 'falling victim to credit card fraud' to 'receiving a credit card fraud attempt'. The difference is that one has already done irreparable damage and the other hasn't done a single thing - a most glaring difference between the e-Path payment gateway and the typical third party online credit card payment processing system.
e-Path has just eliminated root cause of vulnerability #1.
ROOT CAUSE #2 - PERMANENT STORING OF SENSITIVE CREDIT CARD DATA
THE PROBLEM: It is common knowledge the vast majority of the world's credit card and identity data theft can be traced directly back to data being compromised when permanently electronically stored in databases, within storage devices, on online networks and other forms of storage appliances and systems ....
More than 100 million credit cards may have been compromised in data breach
Credit card breach exposes 40 million accounts
40M credit cards hacked
40 million credit cards exposed
Visa confirms another payment processor breach
If you had been puzzled as to how it is that criminal elements could possibly be trading in hundreds of thousands, or even tens of millions of stolen credit cards, well, this is largely how they acquire them.
When a network system, a secure database or storage device is 'hacked' or compromised it can have catastrophic consequences simply because the destination device or system may contain thousands, hundreds of thousands or even millions of credit card details, transaction data and highly sensitive identity information.
In a recent case a high profile credit card payment processor that was certified PCI compliant at Tier 1 was successfully and brutally 'hacked'. It has been widely reported (see above links) that cyber criminals netted in the vicinity of 100+ million credit card details; the exact cost of that one particular breach is perhaps beyond being calculated.
Despite hundreds of millions of dollars being continually spent in attempts to protect sensitive credit card and other forms of highly sensitive data from risk, breaches still happen, 'hackers' are still getting through and credit card details and sensitive identity information are still being stolen.
It is an uncomfortable fact that no matter how secure systems are, if highly confidential data is being electronically stored either online, within a network or database or storage device then there is always an element of risk. This risk will of course vary. For example, it will be at its lowest when the service provider has implemented the highest level of security provisioning and is compliant with PCI requirements.
Therefore, it is the very fact that highly sensitive credit card data and personal identity information needs to be electronically permanently stored by various payment processing and card handling systems that is the core root cause of this vulnerability and risk.
THE SOLUTION: Engineer a payment method that does not electronically permanently store credit card, personal identity or transaction data online or in any database, storage device or on any network.
e-Path does not permanently store credit card details, transaction data or highly sensitive identity information. No names, no credit card numbers, no expiry dates, no addresses, we don't even have databases, nothing is permanently stored. Once the merchant is in receipt of their customer's credit card payment authorisation, as far as e-Path and the internet is concerned it is as if the credit card payment never occurred in the first place.
But even going further than that, e-Path is the only gateway that guarantees merchants can ensure their customers' credit card details don't exist anywhere after the transaction has been performed on the card. And without any credit card or identity data even existing, cardholder data security is absolute.
A method that allows the safe accepting of credit cards online without credit card data (or any other data for that matter) being electronically permanently stored by the payment gateway is an advancement in security of very tangible proportions for the entire industry. It provides the absolute ultimate form of protection for online cardholder data - if it doesn't exist on the internet it can't possibly be stolen from the internet.
e-Path has just eliminated root cause #2.
By recognising and then engineering to eliminate core root causes of vulnerability and risk rather than just continue on trying different things to plug-up the symptoms, e-Path has established a payment method that provides a level of security and protection for its gateway merchants and ordinary cardholders that, we believe, is beyond anything seen before within the online credit card payment industry. A true new era in e-commerce online security where sensitive data is never permanently stored online any longer.
Achieving 'Above and Beyond' PCI
We do not hide the fact that one of our primary objectives is for e-Path to be seen as a service provider that offers a service that goes "above and beyond PCI".
When cardholder and identity data does not even exist after the transaction has been performed then cardholder data security becomes absolute, thereby surpassing all and any known security requirements.
Defence Signals Directorate Gateway Certified Telecommunications Carrier
Few other areas are as critically vital to the security of the e-Path service as the actual hosting infrastructure utilised to host and deliver our services to the internet.
e-Path's host, Netports Australia, exclusively utilises a datacentre and telecommunications carrier which has achieved Defence Signals Directorate Gateway Certification. This certification conforms with ACSI 33 and the PSM (Protective Security Manual).
This security certification assures that the datacentre gateway provides protection from external threats appropriate for systems and data up to and including the "Highly Protected" and "Restricted" level of classification. This certification is a prerequisite to providing secure gateway services to Commonwealth and Agencies using FedLink, a secure VPN service, administered by the National Office for the Information Economy (NOIE).
See: Department of Defence Defence Signals Directorate Gateway Certification Guide
Open and honest disclosure to cardholders and online business owners about the very environment responsible for handling their highly confidential data is an important part of this new era in ecommerce security. It is also a requirement of the new Australian National Privacy Laws that call for truthful disclosure of all factors involved in the handling of personally identifiable and confidential information. So, not only do you have a right to know about e-Path's hosting arrangements, but we are required to disclose details of it to you by law.
e-Path uses powerful cryptography to further encrypt the payment data entered by the customer. 2,048 bit RSA encryption is a patented algorithm and recognised by Visa, MasterCard, American Express and Diners Club as an approved encryption type. With e-Path there are multiple instances of this which all occur on top of and in addition to the SSL encryption that exists to protect the live connection between cardholder and the business owner's e-Path gateway system.
According to Qualys CEO Philippe Courtot: "The challenge with encryption is that older payment systems were not built to support the scrambling technology... Encryption is the ultimate measure of security.." From: http://news.zdnet.com/2100-1009_22-6072594.html
Here is an example of how a credit card looks when it is encrypted by e-Path. This data is utterly useless to anyone other than the specific merchant it has been encrypted for in the first place ...
You may be interested to learn the above is a true example, it is the actual credit card belonging to e-Path's founder. It remains totally and absolutely secure despite being publicly viewable on this website since 2007. A bold but very effective demonstration of the strength of the encryption used by e-Path.
Once an individual gateway and its encryption systems have been set up for an online business owner they become the only party in the world capable of decrypting card data encrypted on their unique gateway. Each and every e-Path gateway is separate with its own unique encryption system.
Asymmetric cryptography is used by the Department of Homeland Defence in the U.S., ASIO here in Australia and numerous other government departments, intelligence services and other high level enterprises and organisations serious about keeping highly sensitive data protected and secure.
Asymmetric cryptography is used by e-Path to afford extreme protection for data during the 'transporting' stage, from the cardholder directly to the official bank approved merchant account owner.
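The per-merchant arrangement described above can be sketched as follows. This is an added example, not e-Path's code: it assumes RSA-OAEP with SHA-256 padding, a JSON payload and Node's built-in `crypto` module, and all function names and the sample card are constructed for illustration.

```javascript
// Added illustration, not e-Path's code: per-merchant RSA-2048 encryption of card data.
// Assumptions: RSA-OAEP/SHA-256 padding, JSON payload layout, hypothetical function names.
const crypto = require('node:crypto');

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Each merchant gets its own key pair; the private key stays with the merchant.
function newMerchantKeys() {
  return crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
}

// Gateway side: holds only the public key, so it can encrypt but cannot read back.
function encryptForMerchant(publicKeyPem, card) {
  const plaintext = Buffer.from(JSON.stringify(card), 'utf8');
  // RSA-2048 with OAEP/SHA-256 carries at most 256 - 2*32 - 2 = 190 bytes.
  if (plaintext.length > 190) throw new RangeError('payload too large for one RSA-OAEP block');
  return crypto.publicEncrypt({ key: publicKeyPem, ...OAEP }, plaintext).toString('base64');
}

// Merchant side: returns the card, or null if the ciphertext was made for another key.
function decryptAsMerchant(privateKeyPem, ciphertextB64) {
  try {
    const raw = Buffer.from(ciphertextB64, 'base64');
    const plaintext = crypto.privateDecrypt({ key: privateKeyPem, ...OAEP }, raw);
    return JSON.parse(plaintext.toString('utf8'));
  } catch {
    return null; // OAEP decoding fails under the wrong private key
  }
}

// Constructed sample data: a well-known test card number, not a real account.
const SAMPLE_CARD = { pan: '4111111111111111', expiry: '12/30', name: 'A. Cardholder' };

function demo() {
  const merchantA = newMerchantKeys();
  const merchantB = newMerchantKeys();
  const first = encryptForMerchant(merchantA.publicKey, SAMPLE_CARD);
  const second = encryptForMerchant(merchantA.publicKey, SAMPLE_CARD);
  return {
    ciphertextBytes: Buffer.from(first, 'base64').length, // one RSA-2048 block
    leaksPan: first.includes(SAMPLE_CARD.pan),
    deterministic: first === second, // OAEP is randomised, so repeats differ
    ownerReads: decryptAsMerchant(merchantA.privateKey, first),
    otherMerchantReads: decryptAsMerchant(merchantB.privateKey, first),
  };
}

console.log(demo());
```

The protection rests entirely on the merchant's private key: whoever holds it can read every ciphertext produced for that gateway, so its storage and access control matter as much as the key length.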
All e-Path communication between cardholder and any e-Path gateway is protected by THAWTE SSL. This is completely separate and in addition to the various encryption systems we utilise to protect actual data as mentioned above. THAWTE is a recognised world leader in SSL security.
A secure connection can be confirmed by a small padlock (1) that appears at the bottom right of the customer's browser window and, with newer browsers, in the address bar. The customer may also click on the THAWTE link (2) at the top right of all e-Path secure pages to obtain confirmation directly from THAWTE that SSL is currently valid and protecting the connection.
1. The Padlock
2. The THAWTE SSL Graphic
e-Path, PCI DSS and McAfee™
e-Path utilises the Payment Card Industry Security Standards Council approved and compliant McAfee™ PCI DSS (Payment Card Industry Data Security Standards) program. McAfee™ is a PCI Approved Scanning Vendor (ASV).
McAfee™ is best known for their McAfee Secure trustmark and is a world leading provider of webserver security services including card vendor PCI (Payment Card Industry) compliance services.
The McAfee™ PCI Compliance program meets the requirements of Visa's CISP and AIS, MasterCard's SDP, American Express' DSS, DiscoverCard and JCB.
Our secure systems are physically located in the Macquarie Telecom datacentre in Sydney. Macquarie Telecom is the first telecommunications carrier in Australia to achieve Defence Signals Directorate Gateway Certification, conforming to ACSI 33 and the PSM (Protective Security Manual). ISO 9001:2000, PCI DSS Certification and SAI Global - ISO 27001:2005 are amongst other high level accreditations that combine to establish Macquarie Telecom as being recognised as Australia's most highly security accredited datacentre.
The above graphic is an actual screen capture of part of e-Path's McAfee™ PCI DSS auditing program control panel.
Footnote to the issue of credit card fraud - a bold observation and suggestion:
A great deal of resources are currently being devoted by card vendors to develop various ways to stop stolen credit card details from being used by fraudsters and criminals, such as the advancement of PIN and chip technologies.
This seems to suggest there is a general acceptance of the likelihood that credit card data may become stolen or compromised at some point, otherwise there would not be such a focus on attempting to stop unauthorised use of credit card details which is actually only the end result of credit card data theft.
The fact is if credit card and identity data was not able to be stolen or compromised in the first place there would not be any, or very little, credit card fraud to speak of. Except in some very rare instances, credit card fraud simply can not happen without credit card details being compromised or stolen to begin with.
If highly sensitive credit card and identity data was suddenly NOT permanently stored within any internet connected system, database, storage device or network the core cause of the overwhelming majority of all credit card and identity data theft in the world today would be completely terminated.
Credit card and identity data can not possibly become compromised or stolen if that data is not there to be compromised or stolen in the first place, no matter how complex or advanced the hacking method or technique cares to be. And if credit card and identity data is unable to be compromised or stolen then credit card fraud can not happen.
Therefore, e-Path would like to take this opportunity to very respectfully and politely suggest that credit card vendors consider adjusting their focus from attempting to protect against the result of credit card and identity theft to instead terminate the core reason why the overwhelming majority of credit card and identity data becomes potentially available to be compromised or stolen in the first place.
While developing ways to attack the symptoms of credit card and identity data theft has excellent merit, terminating the actual root cause of it will achieve the ultimate result. You can continue to treat a cancer or you can choose to remove it.
This would be achieved by making CDU an official and enforceable data security standard, perhaps included within or in addition to PCI.
And if the third party online credit card payment processing industry and other credit card handling organisations and service providers object, saying "that's an impossible level of online credit card data security to comply with" ... you can tell them it's already been achieved ... and it's called e-Path!!