ICBA Bancard - News and Information - Fraud Newsletter - March 2008

Fraud Newsletter

March 2008

January 26, 2009

Forward| Bancard Site| Subscribe
Today's Headlines:
Level 4 Merchant Payment Application Security
Surfing the Rough Seas – Best Practices from Fiserv EFT
Subprime Fraud In the Credit Card Business
Is PCI-DSS Compliance Doing its Job?
Data Compromise Events – Best Practices & Considerations
Red Flags Requiring Special Awareness Now
Newest Phishing Ploy Uses Bogus Text Messaging
Latest Findings on What Makes Fraudsters Tick
Real-Time Falcon Statistics
Did You Know?

Level 4 Merchant Payment Application Security:
Visa's Compliance Best Practices

As most merchants are aware, last October, Visa introduced a series of U.S. requirements to enhance secure payment applications ... and eliminate the use of vulnerable payment applications from the Visa payment system.


Objectives: To cut the number of data compromises among Visa's largest category of merchants—those with Visa transaction volume of 20,000 or fewer per year (or 1 million cumulative transactions)... and to promote merchant use of secure payment applications that comply with Visa's Payment Application Best Practices (PABP).


Acquirers have until June 30, 2008 to provide Visa with a compliance plan—including a timeline of critical events, risk-profiling strategy, merchant education strategy, compliance strategy and compliance reporting. The new rules also require ongoing monitoring and management of this compliance plan.




For New Merchants:

  • Identify merchant PCI Data Security Standard (DSS) status on all new merchant agreements.
  • Inquire about the merchant's processing history, including any current or prior data compromise investigations on new merchant agreements.
  • Identify payment applications used by new merchants on new merchant agreements.
  • Require upgrading of any payment applications known to be vulnerable—as a condition of processing. (This requirement actually came into effect on January 1, 2008, as Phase I of Visa's 5-phase compliance timetable that concludes on July 1, 2010.)
  • Require the use of PABP-compliant applications as a condition of processing—as required in Phase III of the payment application security mandates.
  • Include data security and PCI DSS compliance education as a part of the merchant welcome kit.

For Existing Merchants:

  • Prioritize Level 4 merchants into appropriate risk categories in order to efficiently focus your security resources on merchants that pose the greatest potential risk to the payment system.

Factors to consider:

    • Sensitive data retention
    • Acceptance channel
    • Payment technology
    • Transaction volume
    • Number of locations
    • Market segment

(For more examples, refer to the Level 4 Merchant Compliance Program Requirements bulletin, available at www.visa.com/cisp).

  • Apply specific compliance measures to each merchant subgroup based on the following risk-prioritized steps:
    • Eliminate prohibited cardholder data (including full magnetic stripe, CVV2 and PIN data)
    • Protect stored data
    • Secure the environment in accordance with the PCI DSS.
  • Discourage merchants from retaining cardholder account numbers unless there is a specific business need to do so. (For details, refer to the Visa Data Security Alert,, at www.visa.com/cisp.)
  • Identify payment applications (including application vendor and version) used by all merchants.
  • Target merchants using known vulnerable payment applications, followed by merchants using integrated point-of-sale payment applications. Ensure that merchants immediately upgrade all known vulnerable payment applications to compliant versions.
  • Contract with a Qualified Security Assessor, or other security vendor who can provide automated risk assessment tools.
  • Require the use of PABP-compliant applications—as required in Phase V of the payment application security mandates.
  • Conduct data security training and education for all merchants, incorporating multiple channels of communications—such as direct mailings, E-mail blasts, sales calls and Web site postings.

Also helpful: Security tools and resources available at www.visa.com/cisp, including Visa Data Security Alerts, Data Security Bulletins and webinars, to educate all merchants about cardholder data security so they may take steps to address critical security risks.

  • Use the new self-assessment questionnaires released by the PCI SSC in February 2008. The four self-assessment questionnaires are each targeted for a specific payment processing environment and can be found at www.pcisecuritystandards.org.
  • Train all staff with direct customer contact (account executives, sales personnel and customer service representatives) on data security and PCI compliance issues.
  • Identify and work with corporate franchisor accounts to disseminate data security and PCI DSS compliance best practices to their franchisees.

Level 4 Merchant Compliance Program Reporting Templates:

Source: Level 4 Merchant Compliance Program Best Practices and Reporting Requirements, by Michael E. Smith, Head of Payment System Risk, writing in Visa Business Review, February, 2008, www.volenroll.com


Back to Article List

Surfing the Rough Seas – Best Practices from Fiserv EFT

Your card programs—and cardholders—are navigating through rough waters. Thieves are skimming, phishing and stealing identities in a far more sophisticated manner than ever before. You need help to get through this storm and find a safe harbor. Here are some best practice recommendations for Fiserv EFT Debit Card issuers:

Employ a Neural Network
Neural networks build cardholder profiles and use predictive models to detect potentially fraudulent ATM and POS card usage. Fiserv EFT deploys eNFACTSM, a solution that leverages the FalconTM debit model software from Fair Isaac, the leader in neural technology. When the probability of fraud reaches a client-specified threshold, eNFACT refers the case to you or a fraud analyst for action.

Make Use of Compromised Card Tracking
Visa and MasterCard provide alerts to you or your sponsoring institution when a debit card data breach or compromise occurs. With Fiserv EFT's CardTrackerSM product, we obtain your Visa or MasterCard alerts and use that information to set an indicator on your card records residing at Fiserv EFT. Additionally, if you use eNFACTSM, the indicator is passed to the neural network with each transaction to create cases based on the transaction score and severity of compromise.

Look at Authorization Level Transaction Blocking
This tool provides a method of blocking transactions you consider likely to be fraudulent by denying the transactions in the authorization process. Visa and MasterCard have capabilities for blocking countries but they do not address other high-risk criteria. Fiserv EFT's TranBlockerSM product gives you the ability to block transactions at the BIN and individual card levels, including:

  • All international transactions
  • Specific country codes
  • Specific merchant types (MCCs)
  • Specific merchant IDs

*Be aware of Visa and MasterCard compliance regulations associated with blocking countries  

Use Available Call Center Services
Call Center services enhance neural network implementation by providing a 24/7 presence and a support model to remediate and detect risk activity affecting your card base. The eNFACT solution provides the Call Center with high-risk scored transaction data for handling. The Call Center can, at your direction, directly contact the cardholder or you via Voice Response Unit (VRU), operator contact and/or mail and take other appropriate action such as restricting cards when fraud is suspected.

When fighting card fraud, a layered product approach has proven most effective. Above all of these recommendations, encouraging your cardholders to monitor their card transactions regularly will be a means by which to detect and stop fraud faster. Financial institutions will not begin to get their arms around fraud until they are successful at enlisting their cardholders' help in monitoring their own accounts. Community banks are in the best position to do so.


Back to Article List

Subprime Fraud

Subprime fraud in the credit card business costs elected official his job and creates defendants out of victims.  Former Bank of America vice president Robert Conner was sentenced to 9½ years in federal prison for a unique credit card fraud scheme.

The crime: In exchange for kickbacks of between $2,000 and $6,000, Conner approved applications for credit cards or lines of credit with $25,000 limits to people who wouldn't otherwise qualify. He would require the "applicants" to use the first transaction in their new fraudulent accounts to obtain cash to pay him the necessary kickback money.

At his trial in November in Federal District Court, 14 cardholders told jurors that Conner filled out credit applications for them with phony income and  other financial information. Some involved fake companies, incorporated subsequent to completing the applications.

According to prosecutors, Conner spent $235,000 of the kickback cash in the six months after initiating the scheme, including a SUV for his then-wife, a Mustang GT for his girlfriend and a Hummer H2 for himself.

As for the fraudulent credit cards and credit lines, these were used to make some $1.2 million in fraudulent charges.

Jurors convicted Conner on 17 counts of bank fraud  and 19 counts of unauthorized use of an access device.

Unusual legal twist: During the trial, Assistant U.S. Attorney Matt Schelp called Conner a "financial predator" who sought out and exploited desperate people to satisfy his uncontrolled greed. The judge, also showing no mercy, sentenced him to 114 months in federal prison and ordered him to repay $1.42 million to Bank of America.

However, in addition to Rep. Bowman, 20 other "victims" of Conner's alleged predatory activities are also in legal hot water for defaulting on debts they signed up for with Conner. Though none of the individuals went to trial, they were charged with fraud and either pleaded guilty, entered pretrial diversion programs to avoid prosecution or had their cases dismissed.



Back to Article List

Is PCI-DSS Compliance Doing its Job?

The recent breach of the Hannaford Bros. Co. supermarket company raises serious questions about the extent of compliance with, and the effectiveness of PCI-DSS credit and debit card security standards.

Details: The Hannaford breach, which exposed some 4.2 million credit and debit card numbers and expiration dates during transmission from more than 250 store POS terminals has caused information security experts to question whether Hannaford was in full compliance with PCI-DSS at the time of the breach – believed to have occurred sometime between December 27, 2007 and late February, 2008.

According to Hannaford CEO, Ronald Dodge, "Hannaford doesn't collect, know or keep any personally identifiable customer information from transactions."

If that is the case, say several card security experts, we must wonder whether PCI-DSS compliance is enough to prevent the kinds of cyber-attacks that have hit Hannaford, TJX and numerous other retail companies.

Visa has not identified any specific fraud related to this exposure, however, issuers report some U.S. losses, as well as fraud associated with transactions coming out of France, Brazil, Italy, Bulgaria, and Mexico.


ICBA member institutions can now take advantage of new services offered by Fidelity National Information Services Inc. (FIS) and Fiserv EFT.

Details: In conjunction with FIS's COMPROMISE MANAGER solution, which provides automated on-line management services for compromised card accounts, Accelerated Reissue enables banks to issue new plastic with the same account number, but with new expiration dates and new CVV/CVC/CVV2 codes on the card. The service also provides automatic deactivation of compromised cards. Fiserv EFT's TranBlocker denies suspicious authorizations while in process, and allows debit issuers to block transactions by merchant type and by country.

Useful Links:

For additional information and pricing, visit: www.fisriskmanagement.com (FIS clients only) or contact your Fiserv EFT Account Executive (Fiserv EFT clients only)

Back to Article List

Data Compromise Events – Best Practices and Considerations

As with any compromise event, you want to determine if you need to monitor, restrict, or reissue cards based on the type of data that has been compromised. For example, in the Hannaford/Sweetbay incident full card track data was reportedly compromised, which puts the accounts at greater risk for card-present counterfeit fraud since the CVV or CVC was captured.  

Before you decide to mass reissue the accounts, take into consideration a few things:

  1. How many of the accounts are still active? Have any already been blocked?
  2. If the accounts are not already blocked, do they have an available line of credit that could be used for fraud? If not, consider whether it is necessary to block and reissue those accounts.
  3. How many accounts are set to reissue in the next 30-60 days? You may want to just move up the reissue date.
  4. Determine which accounts have already been reissued through the normal reissue process. If so, those accounts already have a new magnetic stripe and a new expiration date. That means less risk for those particular accounts.
  5. Also educate and communicate to your cardholders the specifics of your compromise policy. Visa's Security Breach Toolkit may be of help to you in your communication efforts.  

NOTE: Consult your own legal counsel to determine if and how you should notify your cardholders. 

Should you decide to reissue any accounts, monitor your plastic inventory levels to make sure you have an adequate supply for reissue and place any orders early to account for an unexpected increase in demand at card vendors.

Back to Article List

FACTA Facts: Red Flags Requiring Special Awareness Now

New rules by the federal banking agencies require banks, credit unions and other creditors to update their policies and procedures for monitoring for identity theft "red flags."

The rules, required by the Fair and Accurate Transactions Act (FACTA), are designed to help banks more effectively and efficiently prevent, detect and deter ID theft and fraud.


The essence of the new guidelines is a comprehensive listing of such potential identity fraud indicators, as...

  • A fraud alert is included with a consumer report.
  • A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report.
  • A consumer reporting agency provides a notice of address discrepancy.
  • A consumer report indicates a pattern of activity inconsistent with the history of an applicant or customer, such as:
  • Recent significant increase in the volume of inquiries.
    • Unusual number of recently established credit accounts.
    • A significant change in the use of credit, especially with established credit accounts.
    • An account that was closed for cause or identified for abuse of account privileges by another financial institution.
  • A covered account is used in a way that is inconsistent with prior patterns.
  • Photograph or physical description on the identification is not consistent with the appearance of the applicant or customer.
  • An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.
  • Personal identifying information provided is inconsistent when compared against external information sources used by your organization.


    • Address does not match any address in the consumer report.
    • Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration's Death Master File.

  • Personal identifying information provided by the customer is incomplete and/or inconsistent with other information provided by the customer, such as absence of correlation between the SSN range and date of birth.
  • Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources.
  • SSN provided is the same as that submitted by other persons opening an account or by other customers.
  • A new revolving credit account is used in a way that is consistent with known patterns of fraud patterns.


    • The majority of available credit is used for cash advances or merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry); or
    • The customer fails to make the first payment or makes an initial payment but no subsequent payments.


  • Identity Theft Red Flags and Address Discrepancies under the Fair and Accurate Credit Transactions Act of 2003, final rules issued by Office of the Comptroller of the Currency, Treasury (OCC); Board of Governors of the Federal Reserve System; Federal Deposit Insurance Corporation (FDIC); Office of Thrift Supervision, Treasury (OTS); National Credit Union Administration (NCUA); and Federal Trade Commission (FTC).
  • Rob Rowe, Senior Regulatory Counsel, Independent Community Bankers of America, www.icba.org

Back to Article List

"Tishing"—Newest Phishing Ploy Uses Bogus Text Messaging

The Missouri Attorney General's office recently warned consumers to be on the alert to a new variety of phishing—where fraudsters attempt to trick people into revealing their personal identifying information on phony Web sites.

Details: A wave of automated text messaging targeted users of Cingular, Alltel and T-Mobile, warning recipients that their on-line banking accounts at Springfield, MO-based Empire Bank had expired, and that they should register with a Web site with the address, www.empireonlineservices.net as soon as possible.

The text messaging blast became so intense at one point that Empire Bank's phone lines were jammed as concerned customers called en masse.

Important: This is the latest in a long string of phishing and related frauds aimed at banking customers about which financial institutions must aggressively inform their patrons.


Back to Article List

Assessing the Fraud Triangle: Latest Findings on
What Makes Fraudsters Tick

What provides the motive, opportunity and ability to rationalize economic crime today? Latest findings...

  • Financial or materialistic gain remains the principal motive for individuals who commit economic crimes.
  • Weak internal controls provide the opportunities.
  • A flawed understanding of values or wrongdoing provides the capacity to rationalize the crimes committed.


  • Over 50% of companies reported that perpetrators had been employed by the company for at least six years.
  • Though external perpetrators are more difficult to detect than internal ones, US companies
    reported that in 73% of instances of economic crime, an external party was in some way involved.


Despite the best efforts of companies to train and educate staff regarding ethics, codes of conduct and business culture, additional steps are required to control fraud risks originating outside the company.


Tougher due diligence on management of outside agents, distributors, consultants or vendors before initiating a business relationship with external parties.


Source: Economic Crime: People, Culture and Controls: The 4th Biennial Global Economic Crime Survey, United States of America, PricewaterhouseCoopers,www.pwc.com.

Back to Article List

Real-Time Falcon Statistics

# of Actual Fraud Cases
#of Actual Fraud Accounts
Fraud $'s Saved*

* Potential loss if entire credit line had been compromised

For more information on Falcon statistics and ways that you can protect your bank from fraud attacks, contact Alan Nevels, Senior Vice President of ICBA Bancard at 1-800-242-4770 or visit ICBA Bancard's Online Risk Management & Prevention Center.

Back to Article List

Did You Know?
What a Great Day for Community Banks!!

Chuck T. Doyle, CEO & Chairman of Texas First Bank, Texas City, TX was the only banker on the floor of the New Your Stock Exchange representing the community bank sector at the opening bell to launch the Visa IPO. For more than 2 decades, Chuck Doyle has served on the boards of Visa USA, Visa International, and now the board of Visa Inc.

Source: ICBA Bancard, Inc.


The Castro Phishing Expedition

Cyber-Criminals are exploiting Fidel Castro's recent decision to resign as the leader of Cuba by sending out spam E-mails claiming that the dictator was dead.

Details: The E-mails claim that they are based on reports from the Hispanic television network, Univision. Recipients are lured into clicking the provided link, which promises to bring them to video and photo proof of Castro's demise. Among the images depicted are several of Venezuelan President Hugo Chavez purportedly mourning at Castro's funeral.

Trap: When the link is accessed, an information-stealing Trojan downloader is installed on victims' PCs.

Source: National Cyber-Forensics & Training Alliance, www.ncfta.net


Excellent Information Resource on Security Breaches

Did you know that the Privacy Rights Clearinghouse (PRC) (www.privacyrights.org) maintains a running tally of the number of personal identifying records breached by information thieves? The non-profit organization's "Chronology of Data Breaches" is updated twice a week and lists all reported braches involving the compromise of personal information that can be useful to identity thieves-- such as Social Security numbers, account numbers, and driver's license numbers. Each breach is listed individually and includes the name of the targeted institution, the date and number of records compromised.

The PRC also notes on its Web site that "Some breaches that do not expose such sensitive information [are] included in order to underscore the variety and frequency of data breaches."

Latest year-to-date total of compromised records: Approximately 1.7 million

You are receiving this e-mail because you are a participant of ICBA Bancard or you registered to receive it. Note: When available, Web links are provided as a convenience. However, the location or accessibility of links may change during or after publication.

To change your e-mail address, please
go here. If you wish not to receive ICBA "Bancard E-News", please opt-out here. If you prefer not to receive any future e-mails from ICBA Bancard, please unsubscribe here. View our Privacy Policy.

Calendar & Events:

Fraud Training Calendar:

March 31
Webinar: Data Security Best Practices for Issuers

1:00 p.m. EST
Register >>

April 8
Webinar: Level 4 Merchant and Franchise Security Best Practices

2:00 p.m. EST
Register >>

April 15

2:00 p.m. EST
Register >>

April 29
Webinar: Lost, Stolen, Fraud & Disputes

2:00 p.m. EST
Register >>

Please refer to the ICBA Bancard Calendar for more fraud training.

Fiserv EFT - Hannaford Compromise Response (FISERV EFT Clients Only)

Product Hightlights:

Enhanced Risk Blocking (FIS Clients Only):

The FIS Enhanced Risk Blocking service allows Issuers to employ flexible authorization practices to proactively block suspicious transactions in real-time. Enhanced Risk Blocking lets you protect your bank by minimizing losses from fraud, while eliminating cardholder inconvenience. This product combats:

- Global fraud events
- Localized fraud events
- Persistent portfolio fraud

Contact your FIS client relations representative for more information

Real-Time Processing for eNFACTSM is Generally Available (FISERV EFT Clients Only)

The Fiserv EFT neural network transaction fraud detection system, eNFACT, utilizes Falcon software technology to detect the likelihood of a transaction being fraudulent. eNFACT fraud case management has previously been available in a near real-time environment.

eNFACT Real-Time is an add-on product offering that can be added to a client's existing Case Management or Near-Time program. eNFACT Real-Time allows clients to set filters at the card base that determine which transactions will be scored in real-time and potentially denied during authorization processing based on the score. These filter options are:

  • ATM Amount – Any ATM debit transaction equal/greater than this amount will score in real-time.
  • POS Amount – Any POS debit transaction equal/greater than this amount will score in real-time.
  • International – Transactions that originate from a country other than the issuer's domestic country will score in real-time.
  • TranBlocker Denote & Continue – Transactions that "bump up" against a TranBlocker rule but are not denied will be scored in real-time.
  • CardTracker Compromised Card – Transactions for card numbers that are flagged as compromised via CardTracker will score in real-time.

No additional support on your business unit's part is required beyond what is required for Case Management or Near-Time product support.

(FIS Clients Only)
This newly developed website will allow for better communication between clients, company partners, and processor regarding recent fraud trends as well as the latest products and services FIS is using to combat fraud and maximize recovery. (Available NOW!)

Merchant Statement Program
(FIS Client Only)

Merchants who accept credit cards are required to be compliant with PCI Data Security Standards. The critical focus of these security standards is to help merchants:

  • Improve the safekeeping of cardholder information by enhancing their security standards.
  • Tighten these standards to help reduce the likelihood of experiencing breaches and financial losses.
  • Avoid the possibility of fines and penalties levied by Visa and MasterCard.

In an effort to better educate merchants about compliance and validation requirements of these standards, the FIS merchant team recommends the inclusion of a brief message in each monthly merchant statement. We encourage you to submit your own unique message or authorize us to include a message informing your merchants of the importance of being responsive to Visa and MasterCard compliance mandates, deadlines and other related information.

The administrative cost of this campaign is a monthly flat fee of $25 per bank (or per your agreement) regardless of the number of merchants. In order to facilitate the delivery of this statement message, we ask that you submit your approval to your merchant representative via email. If you have any questions, please feel free to call 727 227-5088.

Fraud Loss Protection Plan

This "Members only" program assists your bank in recouping losses that would otherwise be unrecoverable.

Coverage included for cards:
• Lost & Stolen
• Not Received Issued
• Counterfeit
• Skimmed Counterfeit
• Account Take Over
• Identity theft

More information

Confirm coverage

Online Fraud Claims Tool

Allows ICBA Bancard Fraud Loss Protection Plan participants to track status of reimbursement claims.

• Track claims from date of
   receipt to completion
• View processing comments
   entered by analysis
• View compensation amounts
   processed for your bank
• Examine or print any claims
• Secure login access

View claims

Custom Portfolio Consultation:

As a dedicated resource to all community banks, ICBA Bancard offers risk, marketing, and operational consultations at no cost to community banks.

Request a free consultation today

TCM Bank

This limited purpose credit card bank is designed to position community banks in the credit card business, promoting the bank's identity while limiting or eliminating the bank's exposure to risk and marketing costs.

More Info About TCM


• PCI Security Standards
• Merchant 911
• Visa (CISP)
• MasterCard Online
• Fidelity (FIS)
• Fiserv EFT
• Visa Online

Prevention Hightlights:

Web-based Fraud Awareness Training for Bank Employees:

FraudAware is the leading customizable on-line course that equips employees with the knowledge to prevent, detect and report:

• Credit card fraud
• Debit card fraud
• Check fraud
• Internal theft
• Other financial crimes 
   affecting issuing banks.

More information


This technology makes use of Behavior-Metrics science that individually or concurrently authenticates that the correct people are accessing and/or receiving information in a secure and efficient environment.

More Info

Bancard Fraud Quarterly
Published by ICBA Bancard
© 2008 ICBA

Contact Editors of
Bancard Fraud Quarterly

1615 L Street NW
Suite 900
Washington, DC 20036
Ph: (202) 659-8111