Visa is the world's largest consumer payments system. Visa is made up of nearly 21,000 financial institution members from around the world. There are more than 580 million Visa cards held by consumers globally, which are accepted at more than 14 million merchant locations and 350,000 automated teller machines worldwide. Visa -- which provides transaction authorization, clearing and settlement, and risk management services to member financial institutions -- supports more than $1 trillion in Visa-related payment transactions annually. Visa's transactions volume in the United States is approximately $470 billion per year.
Visa is delighted to present this statement to the Financial Services and Technology Subcommittee concerning Visa's experience with Visa card fraud.
In summary, while some fraud artists have become more organized and there are now more "high tech" tools available to perpetrate fraud, Visa currently is battling the same type of fraud that it has been seeing for more than a decade, or new variations on old fraud schemes. Over these years, Visa has developed and refined fraud detection and avoidance programs, which -- combined with close cooperation with law enforcement officials -- have succeeded in reducing the incidence of fraud significantly. As a result of these programs, the ratio of fraud to sales recently has been significantly reduced. Indeed, the absolute number of fraudulent transactions has actually been reduced, even as Visa card volume has risen dramatically. Looking to the future, new technologies such as digital signatures, used in combination with Secure Electronic Transaction (SET) and smart card technology, will be important to further reducing card fraud.
The greatest threat in recent years has been from organized gangs and is international in scope. Organized crime gangs, dealing in counterfeit cards, fraudulent applications for credit cards, cards stolen from the mail, and merchant fraud, have given rise to increased international fraud. While the account information may be acquired in one geographic region, the cards may actually be manufactured in another region and then used in a third region. Many times a gang will cooperate with other gangs to achieve their goals. More frequently, investigators are seeing the revenue of credit card crime being used to purchase drugs and weapons, and in many locales credit card crime is associated with crimes of violence.
More than half of this fraud results from Visa cards lost by or stolen from consumers. Cards stolen from the mail account for an additional 15 percent of this fraud. These types of fraud, as well as the other types of fraud tracked by Visa, are discussed in this section.
Lost/Stolen Cards
Transactions with a card that had been reported lost or stolen by the cardholder. It will probably come as a surprise that the greatest number of stolen bank cards were taken from glove compartments of parked cars. In fact, based on a sampling of some 12,000 incidents of fraud in which a Visa card or MasterCard was reported as stolen, 18 percent were stolen from the cardholder's vehicle.
Vying for first place as a locale where credit cards are stolen is the workplace. The same study revealed that 17 percent of the 12,000 fraudulently used cards were stolen at the cardholder's place of employment, most often from a jacket or purse left unattended at the office, or from an unsecured locker. Another 10 percent of this same sample were cards stolen from lockers at recreational facilities such as squash clubs, golf courses, swimming pools and health clubs.
Somewhat surprisingly, 10 percent of the sampling indicated that cards were stolen by pickpockets, purse snatchings, etc. While pickpockets are certainly not a new phenomenon, there would appear to be a recent increase in this form of theft. Subway stations, tourist attractions, sporting centers and crowded places generally are work zones for the light-fingered of the underworld, and their target is every bit as much the credit card as cash.
Not Received Items (NRI)
Transactions with a new or replacement card mailed to the proper individual; claimed not to have been received. Mailboxes in apartment blocks are favorite targets for credit card thieves. Acting on inside information, the thief will sometimes know when the cards are being delivered and will follow the mailman's rounds.
As a security measure, card issuers may announce the card's impending arrival with a pre-mailer. Sometimes used in connection with the post-mailer is a system known as "dual-dating". It makes the effective operational date on a card a month or so after it has been mailed. In the case of non-receipt, ample time is available for reporting and listing the card on the exception file. Some issuers ask the intended cardholder to acknowledge receipt of the card.
Another method used to avoid NRI is Card Activation. Under these programs, the card is mailed in a blocked status on the exception file. Upon receipt the cardholder must notify the issuer prior to first use in order to activate the card.
Account Takeover
Account Takeover results from an unauthorized takeover of an account resulting for example from an unauthorized change of address.
In a typical case of address change fraud, a perpetrator gains access to the account information of a valid cardholder either by stealing a monthly statement from the cardholder's mail box or by some other illegal means. Posing as the cardholder, the perpetrator then contacts the card issuer to request a change of address and an additional card in a second name. At this time or soon after, the perpetrator may also request a PIN (Personal Identification Number) for making cash withdrawals at automated teller machines.
Fraudulent Applications
Fraud that occurs by obtaining a bank card through misrepresentation of information provided to the issuer on the application. Use of a true name with a false address on the application is a common way to obtain the card illegally. The underworld puts a higher value on cards obtained this way because, unlike stolen cards, they are not signed and will not have appeared on the exception file.
An even more elaborate operation, again usually perpetrated by a gang, involves obtaining several telephones with different numbers in one apartment, then applying for cards using one or more of the telephone numbers as the phony applicant's "work number". A gang member is always available in the apartment to confirm the applicant's place of employment.
Counterfeit/Altered Card
A counterfeit card is one which is illegally manufactured and embossed, sometimes with an encoded magnetic stripe which has been electronically compromised. An altered card is a genuine credit card manufactured by a certified printer but which has one or more features changed by mechanical or electronic means.
If heat is applied to the card, for example, an embossed number can be flattened out and a new number embossed in its place. The number can also be removed with the flattening key of a portable embossing machine. Numbers or letters can even be cut from one card using a one-hole punch and be replaced with numbers or letters from another.
Counterfeit cards are of grave concern to issuers because of the much higher dollar losses involved. At present, counterfeit cards from offshore sources (mostly Asian) are a major concern for investigators. Counterfeit cards are usually made by using the offset or silk-screen printing method. However, the reproduction of hologram pictures on plastic is an extremely complicated process and costly for forgers to replicate. This security feature has reduced considerably the incidence of counterfeiting.
Unauthorized Use/No Card Present Fraud
Fraud that occurs on an account where the card is not physically present, such as sales by telephone, mail, or non-imprinted paper. "No Card" fraud occurs when a customer uses someone else's account number to purchase by telephone or mail. The card and number are valid but the use is not. This is a popular fraud used to obtain computer and electronic items, jewelry and other high priced but easily resold goods via the mail.
Merchant Collusion
Occurs when dishonest merchants enter into collusion with one another, or with a "customer" or card thief, to defraud a financial institution. This scheme is difficult to combat and can account for large losses. For example, two merchants may collaborate in exchanging lost or stolen cards to record fictitious transactions. Alternatively, a merchant will record a transaction with a customer, keep the item but bill the financial institution for it and split the amount billed with the customer or fraud artist.
Another scheme that could involve a dishonest merchant, or anyone in possession of a valid authorization number that financial institutions issue to merchants, consists of making a seemingly routine request for authorization for a big ticket purchase. The call to the institution's authorization center will confirm whether or not the card has been reported stolen. If not, a crooked merchant may process a fairly high fraudulent purchase through his own establishment. If it is reported stolen, he might spread the amount of the purchase over several invoices, ensuring the amounts are below his own floor limit.
Laundering or Factoring
Refers to the depositing of sales drafts by a merchant legitimately established on the Visa system on behalf of an operator who does not have a merchant agreement with a financial institution. Usually, such operators cannot obtain a merchant agreement with a financial institution, thus they approach legitimately-signed merchants to submit sales drafts to the Visa system for them. Sometimes, they employ a broker to approach legitimate merchants. In exchange for depositing the drafts, the legitimately-signed merchant is given a percentage of the value of the drafts. It can range from 1% to 20%. In many instances, the fraud operator launders with the legitimately-signed merchant for several weeks before moving on to another legitimate merchant - usually before the chargebacks start piling up. Federal legislation was passed in late 1994 making laundering of credit card sales drafts a violation under the Credit Card Fraud Act of 1984, which has been helpful in combating this type of credit card fraud.
White Plastic Fraud
White plastic is a generic term which applies to any piece of plastic, regardless of color, on which an account number, expiration date and cardholder name have been embossed and is accepted by a merchant. There is no resemblance to any credit card other than the size and the embossed data. The acceptance of a white plastic card generally requires conspiracy between the merchant or its employee and the defrauder. The card is then used to imprint sales drafts which are deposited into the merchant's account.
Electronic Funds Transfer (EFT)/Point-of-Sale (POS) Fraud
More recently, merchant frauds have included electronic funds transfer/Point-of-Sale fraud. POS fraud refers to the use of a Point-of-Sale terminal to key-enter fraudulent transactions using the manual override feature on the POS terminal, a much faster process than imprinting paper drafts or completing drafts by hand. The merchant then transmits the fraudulent transactions to the financial institution, and the funds are credited to his account typically within 48 hours. Severe losses can be sustained before any increase in deposit activity is discovered by the financial institutions.
Fraudulent Telemarketing
Fraudulent telemarketing is the term used to describe the solicitation of cardholder information by telephone or mail for fraudulent use. Fraudulent telemarketers often obtain the account data from cardholders through contests or offers of merchandise or services at no cost or for reduced rates. In some cases, telemarketers announce that consumers have won vacations to Hawaii, Acapulco or other exotic locations. Or, they offer vitamins, water purifiers or travel packages at a discount.
Frequently, the contest or product is available for a limited time only. Telemarketers use high-pressure sales techniques to close the sale quickly, before consumers can ask for more information. Cardholders are then billed for the merchandise, which is never delivered, or is vastly different from what was originally represented. Sometimes fraudulent telemarketers use POS terminals either their own or that of a merchant that launders sales drafts for them to manually key-enter transactions. The federal legislation passed in late 1994 described above also has been helpful in addressing this type of fraudulent activity.
Visa has developed a varied arsenal of fraud control programs. Visa has developed these programs over many years, and is continuously refining them to respond to new or anticipated frauds. These fraud programs are described in this section of the testimony.
Address Verification Service (AVS)
A fraudulent use prevention system that allows mail-order/telephone-order merchants to automatically verify that a billing address provided by a cardholder is the same as the cardholder's billing address currently on file with the Issuer. This service helps merchants minimize the risk of accepting fraudulent mail and telephone order transactions.
Card Activation
An alternative bank card delivery method in which Issuers wait to confirm that a card has been received by the valid cardholder before activating the account. Cards are blocked at the time of mailing; for a card to be activated, the cardholder must call the Issuer to confirm receipt and provide positive proof of identity.
Card Security Features
Alphanumeric, pictorial, and other design and functional elements on bank cards. The exact physical dimensions and placement of these features are specified by the Visa U.S.A. Operating Regulations and are difficult to copy exactly. Card security features are checked by merchants at the point of sale to ensure the card is valid.
Card Verification Value (CVV) A unique three-digit "check number" encoded on the magnetic stripe of all valid cards. The number is calculated by applying an algorithm a mathematical formula to the stripe-encoded account information and is verified on-line at the same time a transaction is authorized.
Cardholder Risk Identification Service (CRIS)
A transaction scoring and reporting service that employs neural network technologies to develop risk-scoring models that identify fraudulent transaction patterns. The service, available by subscription through Visa, can be used by Issuers as a stand-alone fraud detection system or as a complement to their internal fraud detection methods.
Exception File
Visa's worldwide data base of account numbers of lost/stolen or other cards Issuers have listed for pickup, referral, or other special handling. The account numbers for all transactions routed to Visa's stand-in processing system are checked against the Exception File.
Issuers' Clearinghouse Service (ICS)
A bank card application verification system shared by Visa with MasterCard. ICS verifies an applicant's address, phone and Social Security numbers, and whether he or she has a history of excessive applications or credit card fraud or abuse. ICS is a mandated service for U.S. card issuers that are Visa members.
NRI Reporting
A computer program developed by Visa for reporting Not Received Items (NRI). All Visa Issuers are required to report NRI mailing information, whether or not fraud has occurred. Visa will then forward this information along with reported NRI fraud transactions to the U.S. Postal Service on a daily basis. This information will allow the Postal Service to conduct investigations in a more timely manner.
Recovered Account Analysis
Assistance to law enforcement for recovered account numbers due to arrests and/or searches. Individual Issuers are identified, contacted and requested to provide information directly back to the investigating law enforcement agency.
Risk Identification Service (RIS)
The Risk Identification Service identifies concentrations of fraud activity at merchant locations. RIS monitors activity such as reported fraud transactions, suspicious fraud activity, and merchant deposits. By carefully monitoring such activity and imposing timely corrective measures, Visa members can reduce their exposure to fraud and subsequent financial losses.
VisaLine
A subscription service providing an interactive computer network dedicated to the communication of time-sensitive risk management and business information between Visa and its members and their third-party processors.
While certain of the types of fraud described in this statement, such as account takeover and fraudulent application fraud, have received significant recent media attention, we in the credit card industry have been fighting these types of fraud for more than a decade. These frauds involve little that is new. Stealing mail and filling out fraudulent credit card applications, for example, have been going on for several years.
As described above, Visa has developed various programs to address these frauds. As with the NRI reporting program, these programs often involve Visa and its members working closely with the appropriate law enforcement authorities. Moreover, as always, a critical component of the defense against these frauds is consumer vigilance. Most of these frauds can be stopped cold or nipped in the bud if the consumer keeps a close eye on his or her Visa cards, promptly and carefully reviews his or her card statements, and immediately contacts the card issuer if he or she suspects anything might be wrong. With law enforcement, consumers, Visa and Visa's members working together, Visa believes we can stay one step ahead of the fraud artists.
To continue to be able to stay one step ahead, however, Visa must -- and Visa must be able to -- use the latest technology. This is particularly important since you can be sure that the fraud artists will take full advantage of the latest technology available to them. We have already seen them create software programs to generate on the Internet valid Visa card account numbers.
Visa believes that the chip card, Secure Electronic Transaction (SET)
technology, and the supporting key cryptography security -- including digital signatures -- will be important fraud prevention tools in the coming months and years. It is
anticipated that these advances will be significant in effectively addressing not only the
types of fraud described in this statement, but also the new fraud opportunities that new
payments products such as smart cards and internet payments will present.
Home | Menu | Links | Info | Chairman's Page