Credit firms crack down on fraud
Posted on Tuesday, September 26, 2006
MasterCard Inc. and Visa USA Inc. are clamping down on merchants that flout rules aimed at protecting card transactions from fraud.
In recent weeks, MasterCard has imposed fines on merchants that haven’t met its requirements to keep transactions secure. Starting Saturday, Visa will take aim at the nation’s largest merchants with fines that start at $ 10, 000 a month and can rise to $ 100, 000 a month.
The fines are the latest effort by the credit- and debit-card industry to reduce financial exposure — and bad publicity — from a round of high-profile security breaches. Cardholders normally aren’t responsible for unauthorized purchases, but merchants and banks involved with fraudulent transactions — both at stores and online — can find themselves on the hook.
Visa and MasterCard don’t fine the merchants directly. Instead, they levy fines against those that process the transac- tions on behalf of the merchants. Those entities commonly pass on the fines to their merchant customers. In addition to assessing penalties for failing to comply with the rules, Visa and MasterCard also issue separate fines if a noncompliant merchant has a security breach.
Neither Visa nor Master-Card would identify merchants that are violating the rules. But because Visa is homing in on the biggest merchants — those that ring up more than 6 million transactions a year — they likely include some household names. Visa counts 334 merchants in this category; as of Friday, 20 of them were in violation and could face fines if they don’t comply by the end of the month, according to the card association. These big merchants represent nearly 50 percent of Visa’s transactions each year.
Visa and MasterCard, which operate the massive card networks, have established comprehensive security rules for banks, merchants and other entities that store, process or transmit cardholder data. Among the rules: Merchants aren’t permitted to store data that is contained on a card’s magnetic strip, they must take precautions with people who have access to computer systems and they must restrict access to cardholder information.
Visa has found it difficult to meet its own deadlines. The card association’s debit-card processing arm was supposed to validate its security plan at the end of last year, but got final approval from an outside auditor last week. Some 84 percent of other Visa processors have validated their plans.
“Visa holds itself to the same high security standards as we hold merchants and other processors,” said Rosetta Jones, a spokesman for Visa. She acknowledged that the processing unit had been behind schedule for validation, but stressed that it had been complying with the other security standards.
MasterCard declined to discuss the amount of fines that have been levied, but indicated that the decision to impose financial penalties is taken as a last resort. “We are not levying fines for noncompliance. We are levying them for noncooperation,” said Chris Thom, chief risk officer for the card network.
Although MasterCard has been issuing fines for more than a year, several industry members said that the levies seem to have accelerated recently and a series have been handed down this month. They estimate that fines have ranged between $ 5, 000 and $ 15, 000. MasterCard declined to comment.
“Visa and MasterCard are paying a lot more attention to this, and they should be,” said Robert Carr, chief executive of Heartland Payment Systems Inc., a company that processes transactions on behalf of small- and medium-size merchants.
The security rules are particularly daunting for small merchants, who might not be sophisticated about security issues or don’t want to spend the money necessary for crucial upgrades to their computer systems. For now, Visa is concentrating its efforts on levying fines for noncompliance by the largest merchants. It expects to tackle the issue as it relates to some smaller merchants beginning next year.
Security has become a top issue in the card industry amid mounting concerns about identity theft. Earlier this year, Citigroup Inc., the nation’s largest bank as measured by market value and assets, reissued thousands of MasterCard-branded debit and credit cards after it flagged several hundred fraudulent cash withdrawals at automated teller machines in Britain, Russia and Canada.
Last year some 40 million cards became vulnerable to possible fraud when CardSystems Solutions Inc., a small company that processed transactions for merchants, acknowledged that it had stored customer data in violation of card-industry rules. Retailers also have reported data breaches.
Even Visa isn’t impervious. A breach was reported at one of the company’s on-site cafeterias last year when someone hacked into the server of the vendor that managed the facility. It was determined that the vendor wasn’t complying with Visa rules.
FEEDBACK:
Something to say about this topic? Submit a Letter to the Editor online
