Read e-Path's eCommerce Payment Gateway Blog on how the world can work towards genuinely ending credit card and identity data theft and the majority of credit card fraud.
Credit card fraud is one of the most challenging issues facing business, credit card providers, the banking industry and law enforcement authorities today. According to industry sources, fraud costs in the area of $2.4 billion+ per year (worldwide) and is on the rise.
But firstly, what exactly does credit card fraud mean to you, the business owner? Consider this all too common scenario sent in from a new e-Path gateway merchant. We have published it here with permission as it perfectly illustrates not only the risks of accepting credit cards online but also what can be done to help eliminate them ...
Thanks for the info. I have to let you know of a real brush we had with a crim last week.
We received an order for a $799.00 digital camera a pretty typical order for us and like you say we always do a check on a few things before we do the charge. The email address was from a free yahoo account so it was sus to start with and he wasn't in the phone book either.
We smelled a rat so we tried calling the customer but the phone number turned out to be fake.
On this one we decided to ring our bank to check and was told the credit card was active, we could have got an authorisation number if we wanted to, I think they gave us one anyway, can't remember. So it hadn't been reported stolen.
If we had stayed with XXXXXXXXXXX [real time credit card payment gateway - name removed] it would have just done the transaction and we'd have sent out the cam.
But we didn't send anything out cause it looked like we were being shafted big time. I contacted the bank a few days later and they told me the card had now been cancelled. Must have happened over the previous two days. They couldn't tell me if it was stolen only it was cancelled, but I knew it was stolen that's a no brainer.
Had we sent out the camera we would have been hit with a charge back of $799.00 debited from our account plus pay a charge back fee plus we would have had to go hunting to get the cam back. Fat chance of that.
I thought you would like to know our new e-Path account has just saved us a fortune just on this one order. To say we are impressed is a bit of an understatement. Thanks heaps for a totally awesome service and we will be recommending you to everyone wanting to accept credit cards on the internet for sure.
Falling victim to credit card fraud causes inconvenience, frustration and financial loss. It can have a severe impact on the bottom line of any business. For the smaller business operator especially, falling victim to credit card fraud can be a very costly and painful experience.
Despite the best efforts of the banking industry and the card vendors themselves, the risk of falling victim to credit card fraud and then having to pay for the consequent loss is still very much a part of accepting credit cards online for the business owner ... but not so for the business in the above example!
Identify what causes vulnerability & risk . . . . then terminate them!!
To understand the significance of what e-Path has brought to the industry in terms of improved online ecommerce security and what this means in real terms for you as the merchant (business owner) and for your online credit card paying customers, we first must recognise what the actual root causes of vulnerability and risk are with the current system.
We're not proposing adding to the endless variety of automated fraud screening plug-ins and add-ons that try to address symptoms. We are going right back to the heart, to the design, to the mechanics, to the very core reasons why there is so much vulnerability and risk with accepting credit cards online today ... and then we terminate them by engineering a system where those vulnerabilities and risks are either reduced substantially or simply do not even exist.
The two main areas are:
ROOT CAUSE #1 - MERCHANT ACCOUNT VULNERABILITY
ROOT CAUSE #2 - PERMANENT STORING OF SENSITIVE CREDIT CARD DATA
When you accept credit cards online using a costly third party 'real time' payment processing gateway it communicates directly with your merchant account facility in order to attempt to process the credit card charge, straight away, live and in real time.
Let's put aside the wonderment of automation for a moment and look at this process for what it is.
Any anonymous person located anywhere in the world can enter any credit card they like directly into your real time payment gateway and thus into your merchant account without you knowing. Your own private merchant account facility at your bank is therefore open to the entire population of the internet and will receive and attempt to transact any data your 'real time' gateway communicates to it.
For those not within the culture of the online credit card payment processing industry the insanity of allowing merchant account facilities to be sitting on the open internet and be accessible to any anonymous individual to transact any credit card they like directly into it, without the actual merchant having any form of control, speaks for itself.
It is no surprise that this is the exact process by which almost the entirety of online credit card fraud is perpetrated in the world today, over 2 billion dollars worth per year.
If a credit card is stolen but not reported stolen and funds are available on the card then there is the likelihood the transaction will be approved. Fraud screening systems such as Verified By Visa and Mastercard Secure Code are designed to assist in preventing this from happening, however, if the response returned is "approved" then instantly the fraud has been perpetrated, again totally without the actual merchant knowing.
It is common knowledge that all a criminal needs to do with a stolen credit card is to locate a website that accepts credit cards online and if the transaction comes back 'approved' they know they may have a short period of time to undertake their criminal activities in the physical world.
Unfortunately the business owner who has fallen victim to this fraud has no idea at this stage. The business owner will send out the goods or provide the service, which they are required to do in a timely fashion, and it may be many weeks before the bank breaks the news the transaction was in fact a fraudulent one.
A merchant (business owner) cannot keep funds from a credit card payment that was not authorised to be paid to the merchant by the legitimate cardholder. Therefore the entire amount is reversed out of the business owner's bank account by the bank in a process called 'charge back'. Some banks even charge a hefty extra fee for this.
Without any form of control the online business owner is totally at the mercy of the system and it is the business owner who invariably has to pay for the loss - a highly undesirable event played out tens of thousands of times every single day around the world, and the indisputable number one reason why accepting credit cards online is considered the highest risk transaction type of all.
Engineer a payment gateway that does not require private merchant accounts to be sitting open and accessible to the entire population on the open internet.
e-Path completely removes the merchant account from the internet thereby denying access to anonymous individuals and transactions from being performed automatically online without the business owner's knowledge.
With e-Path the business owner becomes the one who is in control over their own merchant account. Nothing is transacted into the merchant account unless the bank approved merchant account owner, themselves, perform it. And to be frank we don't know of one single business owner who does not want to be in control over what goes in to and comes out of their own bank account.
The merchant (business owner) can check the order and buyers details first before they perform the charge on the card.
Criminals never use their real address, phone number, fax etc., so it can be surprisingly easy to identify then delete attempts at fraud as they are received. e-Path provides you with the ability to check things first before the charge is performed which gives online business a powerful and highly effective tool in the fight against falling victim to credit card fraud and having to deal with costly bank 'charge backs'.
It has long been recognised that when potential fraud victims are themselves put in control of preventing themselves from falling victim to credit card fraud in the first place, the result is perhaps the most powerful and effective fraud prevention system available today.
e-Path sees this on a regular basis with those businesses who have made the switch from other gateway types to e-Path. Because of e-Path and their own vigilance they are now dramatically reducing, and in most cases, completely eliminating instances of falling victim to credit card fraud. We do not mention this lightly, this is exactly what occurs.
At this point it is important that you understand this does not guarantee you won't receive an attempt at credit card fraud. However, what it does guarantee is a total change of the status from 'falling victim to credit card fraud' to 'receiving a credit card fraud attempt'. The difference is that one has already done irreparable damage and the other hasn't done a single thing - a most glaring difference between the e-Path payment gateway and the typical third party payment gateway processing system.
e-Path has just eliminated root cause of vulnerability #1.
It is estimated that somewhere around 95% (some statistics compilers suggest it is higher) of the world's credit card and identity data theft can be traced directly back to data being compromised when permanently stored in databases, within storage devices, on online networks and other forms of internet accessible appliances and systems ....
More than 100 million credit cards may have been compromised in data breach
Credit card breach exposes 40 million accounts
40M credit cards hacked
40 million credit cards exposed
Visa confirms another payment processor breach
If you had been puzzled as to how it is that criminal elements could possibly be trading in hundreds of thousands, or even tens of millions of stolen credit cards, well, this is largely how they acquire them.
When a database, storage device or network system is 'hacked' or compromised it can have catastrophic consequences simply because the destination device or system may contain thousands, hundreds of thousands or even tens of millions of credit card details, transaction data and highly sensitive identity information.
In a recent case a high profile real time payment gateway processor was 'hacked' into. It has widely been reported (see above links) that cyber criminals netted nearly 100 million credit card details of which the exact cost of that one particular breach is still being calculated to this day. See above links.
Despite hundreds of millions of dollars being continually spent in attempts to protect sensitive credit card and other forms of highly sensitive data from risk, breaches still happen, 'hackers' are still getting through and credit card details and sensitive identity information is still being stolen.
The reason why the majority of hackers, cyber criminals and internet crooks have success is not because they use technologies and methods that are already recognised by security standards and security defences, it's because of the exact opposite - they use technologies and methods that security standards and defences either don't know about or don't yet know how to defend against.
No official security standard today, including the PCI DSS, can possibly protect against a brand new hacking technology or method that may be invented and unleashed on the internet tomorrow morning.
Therefore, it is the very fact that highly sensitive and private credit card data and personal identity information is permanently stored in the first instance by current third party online credit card payment processing gateway systems and other organisations involved in credit card processing and handling, such as online shopping cart software programs, that is the core root cause of this vulnerability and risk.
THE SOLUTION: Engineer a gateway that does not permanently store credit card data, that does not permanently store transaction details and does not permanently store personal identity information.
e-Path does not permanently store credit card details, transaction data or highly sensitive identity information. No names, no credit card numbers, no expiry dates, no addresses, we don't even have databases, nothing is permanently stored. Once the merchant is in receipt of their customer's credit card payment authorisation, as far as e-Path and the internet are concerned it is as if the credit card payment never occurred in the first place.
A method that allows the safe accepting of credit cards online without credit card data (or any other data for that matter) being permanently stored by the payment gateway is an advancement in security of very tangible proportions for the entire industry. It provides the absolute ultimate form of protection for cardholder data - if it doesn't exist on the internet it can't possibly be stolen from the internet, which in itself has the potential to make the largest single contribution in the fight against the very reason why online credit card fraud can exist in the first place of any service or method to date.
e-Path has just eliminated root cause #2.
By recognising and then engineering to eliminate core root causes of vulnerability and risk rather than just continue on trying different things to plug-up the symptoms, e-Path has established a payment gateway that provides a level of security and protection for its gateway merchants and ordinary cardholders that, we believe, is beyond anything seen before within the payment gateway industry. A true new era in e-commerce security where sensitive data is never permanently stored online any longer.
However, improving the way online credit card payment authorisations are handled doesn't come without a trade off. In e-Path's case this trade off is automation. e-Path does not transact credit cards online in real time. We are not a payment processor. Furthermore, because there is no data permanently stored by e-Path we do not provide a credit card transaction history reporting facility - we can't do anything with data that doesn't exist .... but then again neither can 'hackers' or 'cyber criminals'!
Physical credit card data security: the raw truth
Mostly all third party real time online credit card payment processing systems permanently store credit card details, i.e., the PAN (primary account number), name on card, expiry date etc. Countless online shopping cart websites, service providers and other similar organisations do the same thing.
Many businesses and organisations involved in handling and permanently storing highly sensitive credit card and identity details within their systems will be doing so in accordance with the required security standards, such as in compliance to PCI DSS.
However, even with all precautions taken and all requirements met, it is the fact that highly sensitive credit card and identity information is permanently stored in online payment gateway systems, online storage devices, on networks and other similar internet connected appliances and systems that inadvertently creates the perfect environment to be targeted by hackers, cyber criminal syndicates and other internet crooks in the first place ....
More than 100 million credit cards may have been compromised in data breach
Visa confirms another payment processor breach
Credit card breach exposes 40 million accounts
40M credit cards hacked
40 million credit cards exposed
But, it is estimated that less than 2% of credit card and identity data theft (some suggest it is even less than this) can be attributed to credit card data being physically stolen when credit card details are in the sole physical possession of the bank approved merchant account owner in the bricks and mortar world i.e., when processing is performed manually offline and well away from the open internet or any online processing system.
Let me ask you, have you ever heard of 100 million credit cards being physically stolen from the local business where you last paid by credit card in person - in the real physical world? Of course not, but it can and has happened when credit card data is permanently stored within payment gateway systems, databases, online storage devices, internet connected systems and networks.
Just pause for a moment and think about that. A method responsible for roughly around 95% of the world's credit card and identity theft as opposed to a method responsible for under 2%. Which method would you feel is more likely to be keeping your own credit card details safe and secure?
When you consider credit card fraud can't really happen without credit card details being stolen in the first place, the solution to the global problem of credit card and identity theft as well as the overwhelming majority of credit card fraud itself is right there in front of us: get this critically sensitive data off of and away from being permanently stored on the open internet or on internet connected systems, databases, storage devices or networks and put it safely back only with the official bank approved merchant account owner in the real bricks and mortar physical world. This is precisely what e-Path does.
The fact is when the bank approved merchant account owner is processing the transaction manually offline credit card details and highly confidential identity information is nowhere near any third party payment gateway processing storage system or shopping cart database and is not being permanently stored on any internet connected appliance, system or network. Therefore around 95% of the core reason why credit card and identity theft can happen in the first place is terminated.
So, for actual physical credit card and identity data security the clear facts speak for themselves, the manual method is insurmountably more secure.
In fact, we would go as far as suggesting that if everyone was using e-Path to pay online by credit card and only official bank approved merchants were themselves processing credit card details manually into their own manual merchant accounts well away from the internet, then the world's credit card and identity theft and indeed even credit card fraud itself would dry up to a trickle.
The actual practice has a name, it's called CDU (Critical Data Unplugged).
Critically sensitive data is 'unplugged' from the internet
In a new initiative known as CDU (Critical Data Unplugged), highly sensitive and critically confidential data, such as credit card details, business transaction history and identity information is not permanently stored online or on any system, device, database or network connected to the internet. The CDU initiative advocates the removal of all sensitive data from being potentially at risk in the first instance.
The initiative is a culmination of latest Police and internet crime specialists advice to the public and business communities the world over on how to truly secure and protect all forms of critically sensitive data in respect to the increasing risks of the internet where no system, database, network or storage device can be made permanently immune to the risk of threat.
But when critically sensitive data is removed from being potentially available to be compromised in the first place that data is protected. If data doesn't exist it can't possibly be stolen.
CDU may be a new initiative in the public eye but in fact governments, intelligence services and other organisations involved in the handling or management of critically sensitive data have been practising it for years. Thanks to e-Path, now credit card and identity data can be afforded with the same level of protection.
Not only is the e-Path gateway system designed to never permanently store credit card data or any other sensitive data, but also the delivery method to the merchant further ensures the data is not stored on the hard disk of a system connected to the internet.
e-Path is proud to be offering CDU (Critical Data Unplugged) security to its gateway customers and their cardholder customers.
Defence Signals Directorate Gateway Certified Telecommunications Carrier
Few other areas are as critically vital to the security of the e-Path service as the actual hosting infrastructure utilised to host and deliver our services to the internet.
e-Path's host, Netports Australia, exclusively utilises a datacentre and telecommunications carrier which has achieved Defence Signals Directorate Gateway Certification. This certification conforms with ASCI-33 and the PSM (Protective Security Manual).
This security certification assures that the datacentre gateway provides protection from external threats appropriate for systems and data up to and including the "Highly Protected" and "Restricted" level of classification. This certification is a prerequisite to providing secure gateway services to Commonwealth and Agencies using FedLink, a secure VPN service, administered by the National Office for the Information Economy (NOIE).
See: Department of Defence Defence Signals Directorate Gateway Certification Guide
Open and honest disclosure to cardholders and online business owners about the very environment responsible for handling their highly confidential data is an important part of this new era in ecommerce security. It is also a requirement of the new Australian National Privacy Laws that call for truthful disclosure of all factors involved in the handling of personally identifiable and confidential information. So, not only do you have a right to know about e-Path's hosting arrangements, but we are required to disclose details of it to you by law.
e-Path uses powerful cryptography to further encrypt the payment data entered by the customer. 2,048 bit RSA encryption is a patented algorithm and recognised by Visa, Master Card, American Express and Diners Club as an approved encryption type. With e-Path there are multiple instances of this which all occur on top of and in addition to the SSL encryption that exists to protect the live connection between cardholder and the business owner's e-Path gateway system.
According to Qualys CEO Philippe Courtot: "The challenge with encryption is that older payment systems were not built to support the scrambling technology... Encryption is the ultimate measure of security.." From: http://news.zdnet.com/2100-1009_22-6072594.html
Here is an example of how a credit card looks when it is encrypted by e-Path. This data is utterly useless to anyone other than the specific merchant it has been encrypted for in the first place ...
You may be interested to learn the above is a true example, it is the actual credit card belonging to e-Path's founder. It remains totally and absolutely secure despite being publicly viewable on this website since 2007. A bold but very effective demonstration of the strength of the encryption used by e-Path.
Once an individual gateway and its encryptions systems have been set up for an online business owner they become the only party in the world capable of decrypting card data encrypted on their unique gateway. Each and every e-Path gateway is separate with its own unique encryption system.
Asymmetric cryptography is used by the Department of Homeland Defence in the U.S., ASIO here in Australia and numerous other government departments, intelligence services and other high level enterprises and organisations serious about keeping highly sensitive data protected and secure.
Asymmetric cryptography is used by e-Path to afford extreme protection for data during the 'transporting' stage, from the cardholder directly to the official bank approved merchant account owner.
The difference between symmetrical and asymmetrical cryptography
The most important difference between symmetrical and asymmetrical cryptography is that symmetric encryption uses the same key for encrypting and decrypting, while asymmetric encryption uses different keys.
The e-Path system utilises asymmetric cryptography, which means the data encrypted for a particular merchant is encrypted using only that merchant's unique key, and in turn can only be decrypted by that particular merchant. Each gateway has its own unique and exclusive encryption/decryption systems which are entirely separate and exclusive.
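The per-merchant key separation described above, as an added example that is not e-Path's code: each merchant has its own 2,048-bit RSA key pair, the gateway holds only the public half, and a ciphertext produced for one merchant cannot be decrypted with another merchant's private key. The function names, the payload fields, the sample card data and the choice of OAEP/SHA-256 padding are assumptions made for illustration; the page names only the key size.

```javascript
const crypto = require('node:crypto');

// RSA-OAEP with SHA-256 (an assumption: the page states 2,048-bit RSA only).
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };
// Largest plaintext RSA-OAEP can carry: key bytes - 2 * hash bytes - 2 = 190.
const MAX_PLAINTEXT = 2048 / 8 - 2 * 32 - 2;

// Merchant side: generated once per gateway; the private key stays with the merchant.
function newMerchantKeyPair() {
  return crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

// Gateway side: it holds the public key only, so it can encrypt but never decrypt.
function encryptForMerchant(publicKey, payment) {
  const plaintext = Buffer.from(JSON.stringify(payment), 'utf8');
  if (plaintext.length > MAX_PLAINTEXT) {
    // Larger payloads need hybrid encryption (RSA-wrapped symmetric key).
    throw new RangeError(`payload is ${plaintext.length} bytes, limit is ${MAX_PLAINTEXT}`);
  }
  return crypto.publicEncrypt({ key: publicKey, ...OAEP }, plaintext).toString('base64');
}

// Merchant side: returns the payment object, or null when the key does not match.
function decryptAsMerchant(privateKey, ciphertextB64) {
  try {
    const plaintext = crypto.privateDecrypt(
      { key: privateKey, ...OAEP }, Buffer.from(ciphertextB64, 'base64'));
    return JSON.parse(plaintext.toString('utf8'));
  } catch (err) {
    return null; // OAEP decoding fails under any other merchant's private key
  }
}

function demo() {
  const merchantA = newMerchantKeyPair();
  const merchantB = newMerchantKeyPair();
  // Constructed sample data; 4111111111111111 is a widely used test card number.
  const payment = { pan: '4111111111111111', expiry: '12/30', name: 'A. Sample', amount: '799.00' };
  const first = encryptForMerchant(merchantA.publicKey, payment);
  const second = encryptForMerchant(merchantA.publicKey, payment);
  return {
    ciphertextBytes: Buffer.from(first, 'base64').length, // always the key size in bytes
    randomized: first !== second, // OAEP is randomized: same card, different ciphertext
    merchantA: decryptAsMerchant(merchantA.privateKey, first),
    merchantB: decryptAsMerchant(merchantB.privateKey, first),
  };
}

console.log(demo());
```

Because OAEP is randomized, two encryptions of the same card never match, so stored or intercepted ciphertexts cannot be compared to spot a repeated card number.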
All e-Path communication between cardholder and any e-Path gateway is protected by THAWTE SSL. This is completely separate and in addition to the various encryption systems we utilise to protect actual data as mentioned above. THAWTE is a recognised world leader in SSL security.
A secure connection can be confirmed by a small padlock (1) that appears bottom right of the customer's browser window and with newer browsers will appear in the address bar. Customers may also click on the THAWTE link (2) top right of all e-Path secure pages to obtain confirmation directly from THAWTE that SSL is currently valid and protecting the connection.
1. The Padlock
2. The THAWTE SSL Graphic
e-Path, PCI DSS and McAfee™
e-Path utilises the Payment Card Industry Security Standards Council approved and compliant McAfee™ PCI DSS (Payment Card Industry Data Security Standards) program. McAfee™ is a PCI Approved Scanning Vendor (ASV).
McAfee™ is best known for their McAfee Secure trustmark and is a world leading provider of webserver security services including card vendor PCI (Payment Card Industry) compliance services.
The McAfee™ PCI Compliance program meets the requirements of Visa's CISP and AIS, MasterCard's SDP, American Express' DSS, DiscoverCard and JCB.
Our secure systems are physically located in the Macquarie Telecom datacentre in Sydney. Macquarie Telecom is the first telecommunications carrier in Australia to achieve Defence Signals Directorate Gateway Certification, conforming to ASCI-33 and the PSM (Protective Security Manual). ISO 9001:2000, PCI DSS Certification and SAI Global - ISO 27001:2005 are amongst other high level accreditations that combine to establish Macquarie Telecom as being recognised as Australia's most highly security accredited datacentre.
The above graphic is an actual screen capture of part of e-Path's McAfee™ PCI DSS auditing program control panel
PCI DSS compliance helps but CDU compliance gets the job done
PCI DSS compliance has revolutionised credit card data handling and storage security. However, PCI DSS compliance alone does not guarantee absolute and total security of credit card data ...
Heartland data breach proves PCI compliance is not enough
Does the Heartland breach prove PCI useless?
Heartland breach shows PCI compliance is not enough
When credit card data is stored online or within any gateway system, device, database or network connected to the internet there will always be an element of risk involved. This is an uncomfortable fact.
Security standards of today, including the PCI DSS, cannot possibly guard against a new hacking technology that may be invented and unleashed onto the internet tomorrow, but CDU does.
In e-Path's case our PCI DSS compliance forms an important component of our overall security provisioning but it is one component only and certainly does not demonstrate the entirety of our security.
While our PCI DSS compliance is critically important, it is in fact our use of 2048bit asymmetric cryptography unique per gateway and our unique CDU compliance that combine to provide our gateway clients and their credit card paying customers with a level of protection and security that is of the highest possible order.
Footnote to the issue of credit card fraud - a bold observation and suggestion:
A great deal of resources are currently being devoted by card vendors to develop various ways to stop stolen credit card details from being used by fraudsters and criminals, such as the advancement of PIN and chip technologies.
This seems to suggest there is a general acceptance of the likelihood that credit card data may become stolen or compromised at some point, otherwise there would not be such a focus on attempting to stop unauthorised use of credit card details which is actually only the end result of credit card data theft.
The fact is if credit card and identity data was not able to be stolen or compromised in the first place there would not be any, or very little, credit card fraud to speak of. Except in some very rare instances, credit card fraud simply can not happen without credit card details being compromised or stolen to begin with.
If highly sensitive credit card and identity data was suddenly NOT permanently stored within any internet connected system, database, storage device or network, the core cause of between 85% and 90% of all credit card and identity theft in the world today would be completely terminated.
Credit card and identity data can not possibly become compromised or stolen if that data is not there to be compromised or stolen in the first place, no matter how complex or advanced the hacking method or technique cares to be. And if credit card and identity data is unable to be compromised or stolen then credit card fraud can not happen.
Therefore, e-Path would like to take this opportunity to very respectfully and politely suggest that credit card vendors consider adjusting their focus from attempting to protect against the result of credit card and identity theft to instead terminate the core reason why the overwhelming majority of credit card and identity data becomes potentially available to be compromised or stolen in the first place.
While developing ways to attack the symptoms of credit card and identity data theft has excellent merit, terminating the actual root cause of it will achieve the ultimate result. You can continue to treat a cancer or you can choose to remove it.
This would be achieved by making CDU an official and enforceable data security standard, perhaps included within or in addition to PCI.
And if the third party online credit card payment processing industry and other credit card handling organisations and service providers object, saying "that's an impossible level of online credit card data security to comply with" ... you can tell them it's already been achieved ... and it's called e-Path!!