Saturday, December 6, 2008

Security Review: Credit Card Security

The use of credit cards to make purchases is becoming more and more common, but what is being done to ensure its security? When you make a purchase, you have no idea what is being done with the information. Where is it being sent? Where is it being stored? Who has access to it? What is being done to protect it? Credit card fraud affects everybody – the card companies, the stores, and the customers. As a result, a number of new methods have emerged in the past few years that are designed to increase security.

Discover Card developed the Secure Online Account Number Program for online purchases. This produces a random number for each transaction to be used instead of the credit card number when an online purchase is made. The merchant gets Discover Card to verify it before it is connected to your account, so the business you are buying from doesn’t see your real credit card number. Additionally, a combined effort between Visa and MasterCard developed the Payment Card Industry Data Security Standards, a set of guidelines put in place between the credit card companies and the merchants.

Some online retailers are now requiring the shipping address to be the same as the one associated with your credit card. This may reduce the risk of fraud, but it is a huge inconvenience to the customer and may hurt the merchant’s sales. Finally, VeriSign provides merchants with up to 256-bit encryption using Secure Sockets Layer (SSL) technology.

With the addition of various types of Card Verification Codes (CVC), the security of transactions has improved. For transactions at physical stores, CVC1 is used for verification. This is a code that is in the magnetic strip on the back of the credit card. On the other hand, CVC2, a three- or four-digit number on the card, is used for many online, mail-order, and over-the-phone transactions to help prevent fraud. The CVC is created using a key that only the bank knows, by applying a hash function to the expiration date and the card number. The information in the magnetic strip is very valuable because it allows fraudulent credit cards to be made. Therefore, credit card companies are making a greater effort to make sure merchants are not storing this information.

However, CVC2 is still vulnerable to phishing scams. This can be done by either using a typical phishing scam (developing a fake website requesting sensitive information) or by already having the credit card number, giving it back to the cardholder, and requesting the CVC2. In addition to phishing attacks, there are countless other ways to obtain credit card information. A store’s employee could very easily write down a customer’s credit card information and copy the signature, especially at the type of place where they take your card out of sight for a short time (such as a restaurant). With the name of the person, it would be easy to obtain their address and then make online transactions using the stolen card information.

Because credit card information is so valuable (the cardholder’s money is at risk), it is essential to protect the information. In order to mitigate the risk of information being stolen and fraudulent transactions made, I think that a few steps should be taken. First of all, all online merchants should be required to ask for the CVC2 when a transaction is being made. For in-person transactions, merchants should not be allowed to store the information on the magnetic strip. They should also be required to ask for another form of ID to make sure it matches the name on the card, as well as get a signature. The Luhn Algorithm that we discussed in class helps to verify the integrity of credit card numbers, while CVC is used to verify integrity of the user of the credit card information. When credit card fraud is committed, the confidentiality of the cardholders’ information is lost and their money may no longer be available when they need it. The physical card will always be at risk for theft, especially in a situation like the dorms where the mail is left in a pile in the lobby. Despite the numerous ways to commit credit card fraud, I think that the actions card companies are taking will help to decrease the risk. However, there is no way to completely ensure the security of information.
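As an added example (not part of the original post), the Python scanner below uses the Luhn check mentioned above to find card numbers that ended up in stored log lines and mask them, which is one way a merchant can audit that card data is not being kept. The regular expression, function names and sample log lines are assumptions constructed for illustration.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by a space or hyphen.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_valid(number):
    """Return True if the digits in `number` pass the Luhn checksum."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 2:
        return False
    total = 0
    # Walk right to left, doubling every second digit and folding 10..18 to 1..9.
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_card_numbers(line):
    """Mask Luhn-valid card numbers in a line, keeping only the last four digits.

    Returns (cleaned_line, count_of_card_numbers_found).
    """
    found = 0

    def _mask(match):
        nonlocal found
        digits = re.sub(r"\D", "", match.group())
        if not luhn_valid(digits):
            return match.group()  # e.g. an order id or a mistyped number
        found += 1
        return "*" * (len(digits) - 4) + digits[-4:]

    return CANDIDATE.sub(_mask, line), found

# Constructed sample log lines; 4111 1111 1111 1111 is a widely used test number.
SAMPLE_LOG = [
    "2008-12-06 10:02:11 order=1234567890123456 status=paid",
    "2008-12-06 10:02:12 card=4111 1111 1111 1111 exp=12/10",
    "2008-12-06 10:02:13 card=4111-1111-1111-1112 declined",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(mask_card_numbers(entry))
```

The Luhn check only filters out random digit runs and typos; it says nothing about whether a card is real or who is using it, which is the gap the CVC is meant to cover.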

http://news.cnet.com/Putting-the-squeeze-on-credit-card-fraud/2100-7349_3-5856625.html

http://www.creditorweb.com/articles/credit-card-security.html
