That alert, in May 2010, was focusing renewed attention on a longstanding need for banks to tighten up the standards for authorizing merchants who accept credit and debit card payments.
Avivah Litan, an analyst with Gartner Inc., said that “the type of fraud Visa is warning about has been going on for several years. It typically involves certain categories of high-risk merchants, such as porn sites, which often submit fraudulent transactions using credit card numbers they have collected. Once money is moved from cardholder accounts to the rogue merchant’s accounts, the funds are quickly withdrawn and the merchant drops out of the payment system.”
“The situation is largely a result of the relatively loose manner in which merchants are approved to accept payment card transactions. Credit card companies and acquiring banks need to tighten up their accreditation process and how they onboard new merchants.
“There are too many third parties and Independent Sales Organizations (ISOs) acting on behalf of banks to approve merchant accounts. The standards for approval used by such organizations have allowed too many illegitimate merchants to establish accounts and access to the payment systems.”
Michael Petitti, chief marketing officer at Trustwave, a firm that does PCI security audits for some of the largest retail establishments in the U.S., said, “poor merchant validation is a problem — especially with e-commerce.”
Sometimes, e-commerce merchants are approved for payment card transactions based on little more than their domain validation SSL certificates, he said. But SSL certificates do little more than establish the right of an applicant to use a specific domain name. The certificates are usually issued without any vetting of the information provided by the domain name holder.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld.