Guide for Payment Cardholders to avoid falling victim to frauds:
Payment Cards is the generic name used to indicate all kinds of cards that allow the cardholder to transact using them. A Payment card can be a Debit Card or a Credit Card or a Prepaid Card. Banks issue these card types to suit particular customer segments and those cards can be used for some specific, defined purposes. We will see what all these card variants mean, in a moment. But if you are reading this article on this website, chances are that you already have some kind of a Payment Card in your wallet, or at least have somebody at home, who has one. And before we actually touch the central theme of this write-up (which is how to avoid falling victim to Card Frauds), it will be worth the while to have a little practical information about the amazing world of Payment Cards.
We will not be delving deep into the history of Payment Cards. It is sufficient to know that Payment cards as we know today have evolved over the last 50 years and more. The Magnetic Stripe card that we see today originated over 30 years ago. These cards, although they have basically remained the same in form & design, have added various features over the years to facilitate immediate recognition & identification, to ease usage, and to enhance security. Some of these features include the inclusion of Holograms, Special Embossed or Indent-Printed characters, Special anti-counterfeiting markings and micro-printing, Tamper-evident signature panels, inclusion of a unique Card Verification Code/ Value (CVC or CVV) indent printed on the signature-stripe of the card etc.
Most payment Cards are issued on either a MasterCard or a Visa platform by the Card Issuing Institutions, which in India are Banks. There are other proprietary card brands such as American Express, Diners Club, Discover and JCB which are issued in some regions. But MasterCard & Visa card products are the ones which are universally issued and accepted by Banks and financial institutions and this article will dwell mostly on those. In practice, you will never see a payment card with just a MasterCard or a Visa logo or brandmark. MasterCard & Visa are called “Card Associations” or “Schemes”, and they license Member Banks to issue cards with rigorous controls and standard specifications. Cards issued under this licensing regime by banks are therefore called bankcards.
There are over 20,000 or so member institutions worldwide, which issue either MasterCard or Visa branded cards. These cards are expected to give the holder unique privileges and rights to use the product seamlessly at any outlet, which is capable of accepting the same, across the globe. Most payment cards can be used both at Point-Of-Sale (POS) machines to pay for goods & services and at Automated Teller Machines (ATMs) to withdraw cash.
Therefore the elements & components of a payment card are very standard. These cards need to be universally recognized by Merchants, and should work well on the existing card acceptance infrastructure. The Cards acceptance infrastructure has a common architecture or backbone for all the countries across the world, but has varying levels of sophistication depending on how progressed that country is. Under the MasterCard or Visa licensing regime, a member Bank which issues a payment card is called an “Issuer”, and a member Bank which accepts a payment card through an ATM owned & operated by it or through a POS machine located at a Merchant recruited by it is called an “Acquirer”. A member bank can both be an Issuer and Acquirer of Cards, and often, Banks opt for issuance and acceptance of both MasterCard & Visa products. Such banks are therefore called dual issuers or acquirers.
Some of the things that MasterCard & Visa do are as follows:
1. Encourage Member Banks to issue various Payment Cards, under strict licensing & operating regimes, to suit various customer segments. They encourage Member Banks to recruit merchants & set-up cardholder interaction devices (EDC/ Card Swipe/ POS machines, ATMs, Proximity readers etc) where these cards can be used. Both issuance and acceptance of cards are commercial decisions of the Member banks, and Banks are free to offer the services & charge fees for features which they think will be most attractive to their target consumers – both cardholders and merchants.
2. Set up the standards & systems for the reasonably secure & efficient networks which allow all these 20,000+ Member Banks to “talk” to, or interface with, each other for authorization and the daily settlement process between them. Thus MasterCard & Visa help set up the infrastructure for payment Card usage and administer the same.
3. Intervene in and resolve any disputes between the Member Banks as per the operating regulations. Refine the operating regulations to meet evolving challenges.
4. They also work hard to protect the integrity & value of their respective brand by controlling what their cards, systems and networks can be used for. They manage the risks associated with Payment Card transactions.
MasterCard & Visa do NOT do the following:
1. They do not issue any cards directly under their brand names (often advertisements give a wrong impression)
2. They do not encourage nor tolerate an environment where the usage of a card product by a consumer is disadvantaged in favour of other forms of payment (such as cash or cheque). Thus, MasterCard & Visa require Member Banks not to tolerate practices such as surcharging of Cardholders by Merchants, except wherever permitted by local laws (In India, for example, Petroleum Companies and Railways surcharge their cardholder customers since this is allowed by local regulations)
Types of Cards, by product features:
Credit Cards: These are “Buy Now- Pay Later” cards. A credit card is offered to a customer who has adequate and declared income resources and often a well-established credit standing with a financial institution. The Issuer is effectively giving an unsecured line of credit to the cardholder, and bearing the credit risk for the same. Therefore, often this is a fee-based product to partly offset the credit risk of the issuing bank. A fixed credit limit is assigned to the customer after careful profiling & scrutiny of his/her credentials & income, and perceived ability and willingness to repay. Depending on the transaction date and the billing date, the customer enjoys an interest-free credit period of between 20-50 days. The customers are also given the option of typically repaying back anything between 5% to 100% of their total monthly outstanding, and to roll-over or “revolve” the remainder to suit their financial convenience. Interests or “Annual Percent Rates” charged for such revolved amounts can be very high – often to the tune of about 36-45%. A credit card is typically used by a customer for high-ticket spends such as purchasing durables, travel & entertainment etc. Credit Cards can also be used in both Cardholder Present (CP) mode as in a shop, or in Cardholder-Not-Present (CNP) mode, which are Mail Order or Internet E-Commerce transactions. Comparatively, there can be more risks in the latter.
Most Credit Cards in India are signature based for use at the Point-Of-Sale, but in the near future many Indian Banks are likely to issue Chip based credit cards which are more secure and versatile. Most countries in Europe have already migrated to Chip + PIN based cards because their issuance & acceptance infrastructure is geared-up for such cards.
Debit Cards: These are “Buy Now- Pay Now” type of cards. The Cardholder has an account with the card issuing bank, and for all practical purposes, s/he is accessing their own account or funds to pay for a transaction at a merchant location or to access cash at an ATM. These are technically “deposit access” cards. Thus this card is purely used as a convenient payment mechanism rather than to draw on credit. Issuers in India and other developing countries have started seeing a huge upswing in the number of customers opting for debit cards because many customers in these countries are traditionally credit-averse, or because they are often unable to meet the credit approval norms of the Issuers. Thus they use the monies in their Bank accounts through these cards. Most Debit Cards are indent printed (not embossed), and many Issuers restrict their debit cards usage only to the scenario where the cardholder is present at the scene of transaction, such as on a POS machine or at an ATM.
Prepaid Cards: These cards are “Pay Now- Buy Later” Cards and the most common examples are “Gift Cards”, “Travel Cards” or “Payroll / Employee Benefits Cards” etc. These are aimed at particular segments of the market to migrate and wean customers away from cash.
Gift Cards are a niche market, and can come in attractive alternate shapes and forms.
Travel Currency Cards can be denominated in one or more currencies of the country where the customer is intending to travel, and Foreign Exchange allowance can be purchased in Indian Rupees and loaded onto the Card in terms of the designated Foreign Currency.
Payroll/ Employee Benefits Cards are for organizations to streamline their payroll functions & facilitate payouts of commission, allowances etc by avoiding writing & dispatching of cheques for recurring payments to agents/vendors etc. These cards help overcome logistical hurdles.
Risks associated with Payment cards:
Well, now that you have reached thus far within this write-up, let us address the main theme of the same. Please note that the risks dealt with here are from a Cardholder perspective.
Risks associated with Debit Cards:
Since issue of debit cards and prepaid cards involves interaction with and scrutiny by the Bank’s internal staff, often these will be issued to you across the counter within committed turn-around time after due verifications.
In case personalized debit cards are to be sent to the account-holder, banks often send debit cards and PIN-mailers separately through two different channels (one by courier & another by post) and with a time lag. Even then, banks often require that the Debit cards be activated by the cardholder for POS purchases by using them first at their own ATMs with the correct ATM PIN.
What the cardholder needs to remember is to change the PIN at the first usage, and never to write the PIN on the card or keep it along with the card. The PIN should be committed to memory. Some banks issue photo-cards, which afford additional security.
Signature-based Debit Cards: MasterCard unembossed, and Visa Electron are the two common debit card types which are signature-based for acceptance at POS terminals. You should therefore sign the card immediately on receipt, and keep it at all times securely within your full control. In case the card goes missing, you should immediately get it blocked and replaced by calling up your Bank’s Customer Service helpline, and following it up with a written complaint. Usually, depending on the Bank’s policy, your liability for any POS misuse of a lost/ stolen signature-based debit card ceases the moment you have reported the loss in writing.
“PIN-required-at-POS” Debit Cards: You may additionally consider the benefits of a PIN enabled Debit Card (MasterCard’s Maestro Debit Card in India is the one debit card that also requires usage of PIN at Point of Sale machine, apart from at ATMs). Please check with your Issuer, if they issue such a card. Sometimes customers cannot remember their PINs at POS machines, or the POS machine may not have a PIN pad. These can be limiting factors, and according to some people, hinder convenience. Which debit card type to opt for is an individual preference.
Some banks will give you the option of enabling your Debit Card for Cardholder-Not-Present transactions. Consider the pros and cons fully before you give the consent to activate this feature on your card.
Risks associated with Credit Cards:
A Credit Card is an unsecured product, but that does not mean that Issuers will tolerate the Cardholder’s negligence or active / passive participation in allowing its misuse, should it ever happen. In case you ever fall prey to a fraud, immediately report the matter to the Bank in writing. Follow up with a written complaint to the Law Enforcement authorities, if the Bank’s primary investigation indeed points to a fraud/ misdemeanor. This way, you shall be demonstrating your good faith and sincere intent. If negligence or collusion on your part is ruled out, you will be immune from any losses.
Application Fraud: If you are applying for a Credit Card through a Direct Sales Executive of the Bank, please verify his/ her credentials and check the ID proof. Most people who get conned by unscrupulous elements simply sign a credit card application form, without filling-in the details; and also hand over the legitimate collaterals such as the pay-slip, address proof etc to an individual whose identity and credentials they have never checked.
Cases of identity theft are sometimes uncovered, where the bad guys use copies of these documents to apply for loans & credit cards of other banks, by mentioning their own address as the primary address for communication. If the Issuer does not properly scrutinize an application at multiple points, and fails to physically verify all the details, they may end up issuing a card in your name, but to the bad guys. When Credit Cards are thus fraudulently obtained, the fraudsters misuse these. When collection attempts fail, and Issuers come to the secondary address (which is most often your work address), you realize that you have been conned. Convincing the Issuers & banks of your innocence and keeping a clean credit reputation then becomes difficult.
To avoid such situations, you should always fill in the form completely and accurately in your own handwriting. You should also sign and date it. Strike out what is not applicable, including portions in the form for add-on cards, if you are not applying for one. Always keep a photocopy of the entire set of documents submitted, including the numbered application form. Please be careful while responding to tele-verification calls and do not be tempted by offers from agents to confirm the details of having applied for a Card from another Bank, in case the main bank whose card you applied for fails to give you one. Chances are that you may fall into a trap and the agent or his accomplice may pump-in an application in your name, for which you will become a passive participant in the Application Fraud by confirming all your details during tele-verification by the other Bank. Worse, this card may be diverted by them and misused, to be billed to you.
Also, in case you are applying for a Card on the basis of surrogate documents (Existing Card and Statement), please remember to give the agent a photocopy of only the front of your Card, and not the backside of the card. By giving away the card’s backside copy, you are exposing the CVC2 / CVV2 value unnecessarily. This can invite Mail Order / Internet frauds on your existing card. More about those types of frauds, later.
Frauds during the lifetime of the Card:
Identity Theft & Interception of Cards: Frauds of this nature include interception/ diversion and account takeover. Criminals may intercept a new or renewed plastic, which is being couriered to you. Fraudsters can use your sensitive personal details available with them to divert the card to another address by requesting an address change, and “take over” your card account by impersonation or identity theft. Such cards are misused soon after criminals lay their hands on them. Always be on the lookout for the delivery schedule or delivery status of a new or a renewed card plastic while it is being dispatched to you. And never divulge your intimate personal details that can be used by a third party for account validation, which can lead to their impersonating your identity to a financial institution. Be wary of disclosing your Card details and personal details to a tele-caller, unless YOU made the call to a known customer service number of the bank.
Additional precautions: As with any payment card, keep all your Credit Cards securely. Do not carry too many cards in your wallet. PINs should best be changed from the issued default ones and memorized. But if you must retain them, keep Cards & PINs separately. Always have the numbers of your 24-Hour Customer Service Centre handy to call in an emergency. Note down your card numbers and these phone numbers separately on a sheet of paper, which should be securely kept but easily retrievable in an emergency. Do not hand over your cards to anybody for getting them “upgraded” or “replaced”. Always destroy old/ expired cards by cutting them through the magnetic stripe, multiple times. Always mark the dates when banks are due to send renewed cards to you, and keep an eye open. In case of delays, call up customer service and ask. You should ideally sign your card with an indelible pen (for example, a fine-tip permanent marker). Opt for a photo-card whenever you can, to reduce the risk of your stolen card being misused by a different-looking imposter.
Skimming Fraud: The magnetic stripe on the back of your card has all information about your card encoded on it. Sometimes, when the card is handed over, or gets out of sight of the cardholder, fraudsters will use small pager-size devices called “skimmers” or readers/writers to copy the information on the magstripe of the card. This information can be then put on other cards having a magnetic stripe. These cards then become and behave like an exact replica or clone of the cardholder’s existing card and these cloned or “skimmed” counterfeit cards can be used by fraudsters at conniving/ ignorant merchants. Unless the original cardholders can conclusively establish their own absence at those misuse locations, the genuine cardholders could be in a spot.
In case you happen to be a victim of such frauds, of course your Bank and Law Enforcement officers will closely scrutinize all electronic & physical evidence. But ultimately you will need to work very hard to clear your name and to stave off any financial liabilities.
To avoid being the victim of skimming fraud, never hand over your card where you will lose sight of it, for example at a restaurant or at a petrol-pump. Do not leave your wallet or cards in swimming-pool changing rooms or gymnasium lockers. Even when handing over your card at the cashier’s counter of a shop, ensure that the cashier does not swipe it at any other device before or after swiping the same at the legitimate Electronic Data Capture (EDC) or POS machine. Please do not be excessively alarmed, though. Instances of skimming domestically are extremely rare. Some of the countries facing illegal skimming activities include Taiwan, Malaysia, Indonesia, Philippines, Australia, and Sri Lanka. But Law Enforcement authorities in those countries and elsewhere are continuously working with member banks to identify and weed out the activity. The advent of chip-based cards is expected to put an end to skimming, as we know it today.
Mail Order/ Internet Fraud: With the advent of E-Commerce Merchants, fraudsters started exploiting weak links in the way such businesses operate. The biggest advantage that the fraudsters had was that they could now commit the frauds remotely and anonymously. After all, most E-Commerce websites still require just the 3 basic inputs: Card Number, Expiration Date and Card Security Code. Thus fraudsters started obtaining these 3 details, and started ordering through the Internet, drop-shipped merchandise to be picked up at a convenient time. Most of these items were ones with a re-sale value, such as Laptop PCs, Electronics items, Mobile Phones. Some misuse was for services that give instant gratification such as prepaid Mobile airtime purchase, Online Adult Content, Online Gaming, Downloadable Computer Software etc.
With mail order or catalogue merchants/ Internet merchants eager to fulfill orders without doing any due diligence or order analysis, for some time the fraudsters had a gala time. But as losses started mounting, E-commerce and Catalogue merchants realized that they were bleeding. Cardholders who had their cards misused found that “wrong” charges were billed to their accounts. As the extent of Card Information misuse on the Internet (CNP Card Account misuse) became widespread, it was soon realized that though there was a lot of “Third-party Fraud”, there was also the “Buy-and-Deny” or “First Party Fraud”.
Even in India, airlines ticketing E-fraud hit headlines in the recent past, where E-Tickets worth Crores of rupees were booked by fraudsters using stolen card number information and these were sold to tempted or unwary customers for cash at 50-60% discount. Often, even as the kingpins or main perpetrators evaded arrest, the bottom-rung operatives and passengers using those tickets were nabbed. As an industry initiative, and with the active involvement of Mumbai Police Crime Branch and the Cyber Crimes Cell, most Airlines merchants in India are now tightening the passenger checks to ascertain the legitimacy of the ticket booking. “Sight Card” requirement at the time of getting boarding pass, and ID/ Address checks of the person who made the booking, apart from reservation analysis are some of the tactics and measures being used by the Industry to counter this menace. These best practices are being rolled-out across major air-travel origins & destinations across India. Banks have started challenging customers suspected of being involved with “First-Party” frauds.
As available in other advanced markets, to effectively and accurately authenticate Internet transactions, some Card Issuing banks in India have started rolling out SecureCode & Verified-by-Visa (VbV) facility for their cardholders, and Internet Merchants have started participating in the same. This technology uses a standard protocol called Triple Data Encryption Standard (3DES), and though it works in exactly the same way, MasterCard call it SecureCode and Visa call it Verified-by-Visa or VbV. We will look at the same in a moment.
Relevance of CVC or CVV in Internet transactions: Many people today ask the relevance of banks’ printing the CVC or CVV code on the reverse of the Card, especially because there are so many internet frauds that happen nevertheless. But when it was introduced, the utility of the CVC or CVV value was just to ascertain that a cardholder was actually in possession of a specific card. This value was supposed to be used as a verification step during telephonic interaction with the bank’s personnel. It is another thing that CVV or CVC values were introduced well before the era of E-Commerce. And regardless of its actual potential to stop card misuse on the Internet, the same value started getting used as an additional card account verification detail even for Internet transactions.
What is SecureCode and VbV Authentication?
The SecureCode & VbV program involves a two-factor authentication for cardholders who have registered for the same. Apart from the Card Number, Expiry Date and Card Security Code, the Cardholder is shown an inline window, which displays a Security Challenge phrase set by them, and they have to also key in their PassCode to answer the same. This means the Cardholder authenticates positive involvement in the transaction by supplying information that they and they alone know. This is called a two-factor authentication (“What you have and what you know”). This is akin to using an ATM card with the PIN. Only the genuine holder would have access to both the Card details and the correct PassCode. SecureCode & VbV authentication is also seamlessly integrated in the payment page. A SecureCode or VbV window also gives confidence to the cardholder that s/he is dealing with a legitimate e-commerce merchant website, and not a spoofed one.
It is understood that presently HSBC, HDFC Bank, ICICI Bank & UTI Bank are allowing some of their cardholders to register for this facility. E-Commerce Merchants in India are also gradually moving towards the same.
To conclude, one may say that eternal vigilance and precaution is the way to stay on top of the card fraud situation. Diligence will go a long way towards ensuring a cardholder’s safety and well being while dealing with both physical and E-Commerce merchants. Banks, Card Associations and Law Enforcement are doing all they can. You as an individual cardholder can also help.
Some of the measures that you can take to avoid becoming a victim of E-Commerce related frauds are as follows:
1. Never share, without reason, your Card Number, Expiry and Security Code/ PIN with any entity – even friends, colleagues and family.
2. Never transmit these details in an unencrypted medium such as the Email.
3. Destroy copies of your POS charge-slips, unless the card number is masked.
4. Verify the legitimacy of the website you are dealing with. Establish their credentials and always deal with well-known, reputed merchants.
5. If a deal at an unknown Internet/ E-Commerce Merchant seems too good to be true, it often is. Never register at any website using, as your username and password, the same E-mail ID and Password that you use for mainstream banking transactions.
6. Be aware of the dangers of realistic looking, spoofed websites. Have good anti-phishing software, apart from anti-virus and firewall protection, installed on your PC. Have a good spyware blocker. Keep your browser and security software always updated. Always double-check the authenticity of any transactional website. Never click on any embedded links in an E-mail, nor confirm any account/ card details on the internet if you receive a “Warning” email threatening you with de-activation of your privileges.
7. Always keep an eye on your card statements and register for account alerts using E-mail or SMS, if your Issuer has this facility. Report to your Bank if any irregularity is noticed or suspected. Promptly report to your Issuer any transactions that you do not recognize.
8. You may reserve a special low-limit credit card for all your internet transactions.
9. It is also a good idea to use limited validity, low-limit “Virtual Cards” that some Issuers allow you to generate on the fly, and which expire in 24-72 hours. But, obviously, these should not be used at merchants who have a “sight card” requirement before service can be rendered.
10. Register the Cards that you use for internet transactions for the SecureCode & Verified-by-Visa facility, and use this facility to authenticate your E-Commerce transactions.
Note: All data believed to be accurate as at the time of writing, namely 20 March 2007. Copyrights and other privileges for all the products, institutions & brand names mentioned herein rest with the respective legal rights holders and have been mentioned here for the purpose of depiction & to draw reference only. Product features described may vary by location and by Institution, and the write-up is meant as a general guide for the un-initiated. Readers are requested to accurately ascertain the currently applicable and available product features with the respective Institutions. This is not an endorsement for any particular Institution or Product/Service.
Though this article has been voluntarily written on an honorary, non-commercial basis by Niranjan Upadhye & submitted to the Cyber Crime Cell, Mumbai Police at their request, Niranjan Upadhye asserts his moral right to be identified as the author of this original work.