Web Security, Privacy and Commerce, 2nd Edition


25.1 Charga-Plates, Diners Club, and Credit Cards

The Oxford English Dictionary lists more than 20 definitions for the word credit. Credit is belief, faith, and trust. Credit is trustworthiness. It is reputation. It is power derived from reputation, or from a person's character. It is an acknowledgment of payment by making an entry into an account. It is an amount of money at a person's disposal in the books of a bank:

Pat deserves credit for coming up with that idea. Jane sent in her check and I have posted a credit to her account. Ted has no money and must buy those RAM chips on credit. Andrea's answer on the test was so absurd I could hardly give her credit for it.

When used colloquially in the world of commerce, the word credit has all of these meanings, and many more. Perhaps the most important is this: credit is trust in a person's ability and willingness to pay at a later time for goods or services rendered now. Obtaining that trust requires a good reputation for handling debts and a system for keeping accurate accounts.

The credit card is one of the most widely used credit instruments in the United States today. It's also by far the most popular form of payment on today's Internet, according to both the first and second studies of Internet commerce by Global Concepts.[2] Not surprisingly, most systems for placing charges on the Internet today seek to leverage the credit card system, rather than replace it.

[2] See http://www.global-concepts.com/ for further information.

25.1.1 A Very Short History of Credit

Credit predates the use of money. References to credit appear in the Code of Hammurabi, circa 1750 BC. Credit is also discussed in the Bible together with edicts forbidding the charging of interest.

The modern notion of consumer credit dates to the late 18th and early 19th centuries, when liberal British economists argued against laws restricting credit. In the United States, credit took hold after the Civil War, when companies started selling sewing machines, pianos, household organs, stoves, encyclopedias, and even jewelry to consumers on installment plans.

By the early 1910s, many department stores and retailers were extending credit to their wealthier customers: credit allowed a customer to make purchases without having to pay at the point of sale with checks or cash. For many middle-class customers, credit purchases became a natural extension of installment plan purchases.

Oil companies pioneered the use of charge cards in the early 1920s. Called courtesy cards, the cards were actually made of paper and were reissued every three to six months. Although oil companies lost money on the cards themselves, they were seen as a way of attracting and retaining customers.

In 1928, the Farrington Manufacturing Company of Boston introduced the charga-plate, a small metal plate resembling an army dog tag on which a customer's name and address were embossed. Although charga-plates were initially confined to a particular store, within a few years stores in large urban centers such as New York City had formed cooperative agreements allowing a customer to use a single plate at a variety of stores.

Still, the modern credit card didn't come into existence until one afternoon in 1949, when Alfred Bloomingdale, Frank McNamara, and Ralph Snyder conceived of the idea of a universal charge card while having lunch. The trio saw an opportunity for a card that could be used by salesmen for their travel and entertainment expenses, for example, eating at restaurants while entertaining potential clients and paying for hotels and food while on the road. The card, they decided, would be paid for by a monthly fee for the card holders and a seven percent surcharge on all restaurant transactions. They called their card Diner's Club.

In 1958, American Express and Carte Blanche entered the travel and entertainment card business. That same year, Bank of America and Chase Manhattan, the country's first and second largest banks, introduced their own cards. Bank of America's card was called BankAmericard, which changed to Visa in 1976. Chase Manhattan's card was called MasterCharge; the division was sold in 1962 and renamed MasterCard in 1980.

25.1.2 Payment Cards in the United States

Today there are thousands of different kinds of payment cards circulating in the United States. Some of these cards, such as American Express and Diner's Club, are issued by a single financial institution. Others, such as MasterCard and Visa, are in fact large membership organizations. When consumers are issued a MasterCard or Visa, they are actually issued a card from a member bank. Most banks set interest rates and other financial terms, but contract with a bank card processor for the actual running of the computers that maintain the customer and merchant accounts. The service provided by MasterCard and Visa is the setting of systemwide policies and the operation of the interbank network that is used for authorizing and settling charges.

25.1.3 The Interbank Payment Card Transaction

Today the interbank payment card transaction has evolved into a complicated electronic dance among many characters. A typical card transaction involves up to five different parties: the consumer, the merchant, the merchant's acquiring bank, the consumer's (issuing) bank, and the interbank network that carries messages between the two banks.

The typical charge card transaction consists of ten steps:

  1. The consumer gives her charge card to the merchant.

  2. The merchant asks the acquiring bank for authorization.

  3. The interbank network sends a message from the acquiring bank to the consumer's bank, asking for authorization.

  4. A response is sent on the interbank network from the consumer's bank to the acquiring bank. (The consumer's bank may also place a certain amount of the consumer's credit line on hold, pending the settlement of the transaction.)

  5. The acquiring bank notifies the merchant that the charge has been approved.

  6. The merchant fills the consumer's order.

  7. Some later time, the merchant presents a batch of charges to the acquiring bank.

  8. The acquiring bank sends each settlement request on the interbank network to the consumer's bank.

  9. The consumer's bank debits the consumer's account and places the money (possibly minus a service charge) into an interbank settlement account.

  10. The acquiring bank credits the merchant's account and withdraws a similar sum of money from the interbank settlement account.

This process is illustrated in Figure 25-1.

Figure 25-1. The players in a typical charge card transaction

In recent years, the time for a charge card authorization has dropped from nearly a minute to less than five seconds. In the past, many point-of-sale transactions were not authorized: authorizations took so long that banks worried that they would lose more money because of lost sales than they would lose from fraud. Thus, in the 1970s, authorizations were usually reserved for sales above a high threshold: $50 or more. Today in the U.S. virtually all card transactions are authorized. In many other countries, only high-value transactions are authorized.[4]

[4] The threshold at which transactions are authorized and which are allowed through without authorization is determined by the cost of local telephone calls within the country and the likelihood of fraud. Different merchants may obviously have different thresholds.

25.1.3.1 The charge card check digit algorithm

The last digit of a charge card number is a check digit that is used to detect keystroke errors when a charge card number is entered into a computer. Although the check digit algorithm is public (ISO 2894), it is not widely known.

The algorithm is:

  1. Remove any spaces, dashes, and other nonnumeric information from the credit card number. In general, web-based applications should allow people to type spaces or dashes in credit card numbers, because this reduces the chances of a transcription error. That's because it's easier to catch a typo in the entered string "3333 342534 54330" than in the string "333334253454330." Many e-commerce systems do not allow users to type spaces or dashes, or fail silently when these characters are typed. It's best to allow people to type this information and then to have it programmatically removed.

  2. Multiply each digit in the charge card by its "weight." If a charge card has an even number of digits, the first digit has a weight of 2; otherwise the digit has a weight of 1. Afterwards, the weights of the digits alternate 1, 2, 1, 2.

  3. If any digit has a weighted value that is more than 9, subtract 9.

  4. Add together the weighted values of all of the digits, modulo 10.

  5. The result should be 0.

This algorithm is designed to catch transposed digits or other typing errors; it is not designed as a general-purpose security mechanism.[5] Here is the algorithm coded in Perl:

[5] Unfortunately, some businesses have used the algorithm as a low-cost way of "verifying" credit card numbers. For example, some online services have deployed software that creates accounts for any individual presenting a credit card number that passes the algorithm, in an attempt to save the cost of performing millions of verifications.

sub validate_cc {
    my ($cc) = $_[0];
    my ($digit, $sum, $val);
    my ($weight) = 1;

    $cc =~ s/[^0-9]//g;                     # step 1: strip spaces, dashes and other nondigits
    return 0 if ($cc eq "");                # an empty string must not "validate"
    $weight = 2 if (length($cc) % 2 == 0);  # step 2: even number of digits => first weight is 2
    $sum = 0;
    while ($cc ne "") {
        $digit = substr($cc, 0, 1);
        $cc    = substr($cc, 1);
        $val   = $digit * $weight;
        $val  -= 9 if ($val > 9);           # step 3: reduce weighted values above 9
        $sum  += $val;                      # step 4: running sum of weighted values
        $weight = ($weight == 2) ? 1 : 2;   # weights alternate 1, 2, 1, 2
    }
    return ($sum % 10) == 0;                # step 5: the sum must be 0 modulo 10
}

Now, let's check it with a charge card randomly taken from Simson's wallet: American Express charge card number 3728 024906 54059.

The charge card has 15 digits. The number 15 is odd, so the first digit has a weight of 1.

To compute the check digit, we multiply:

(3 x 1) , (7 x 2) , (2 x 1) , (8 x 2) , (0 x 1) , (2 x 2) , (4 x 1) , (9 x 2) , (0 x 1) , (6 x 2) , (5 x 1) , (4 x 2) , (0 x 1) , (5 x 2) , (9 x 1)

which is:

(3) , (14) , (2) , (16) , (0) , (4) , (4) , (18) , (0) , (12) , (5) , (8) , (0) , (10) , (9)

Subtract 9 from every value greater than 9, and add them together:

(3) + (5) + (2) + (7) + (0) + (4) + (4) + (9) + (0) + (3) + (5) + (8) + (0) + (1) + (9) = 60

This gives us a check of 0 (as it should), because:

60 mod 10 = 0

Remember: don't use Simson's charge card number. It's a felony.
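The following Python version is an added example, not the book's Perl code, written to show two things the worked example above does not: that the check catches every single-digit typo, and that the one adjacent transposition it cannot catch is a swap of 0 and 9. The sample number is the one from the text; the helper names (normalize, luhn_ok, single_substitutions_caught, missed_transpositions) are this example's own. Passing the check says nothing about whether an account exists, which is the point of footnote 5.

```python
import re


def normalize(card: str) -> str:
    """Step 1: strip spaces, dashes and anything else that is not a digit."""
    return re.sub(r"[^0-9]", "", card)


def luhn_ok(card: str) -> bool:
    """Steps 2-5 of the ISO 2894 check digit algorithm described in the text.

    A True result only means the digits were probably typed correctly; it is
    not evidence that the number belongs to a real, open account.
    """
    digits = normalize(card)
    if not digits:
        return False                          # an empty string must not "validate"
    weight = 2 if len(digits) % 2 == 0 else 1 # even length => first digit weight 2
    total = 0
    for ch in digits:
        val = int(ch) * weight
        if val > 9:
            val -= 9                          # step 3
        total += val                          # step 4
        weight = 1 if weight == 2 else 2      # weights alternate 1, 2, 1, 2
    return total % 10 == 0                    # step 5


def single_substitutions_caught(card: str) -> bool:
    """True if changing any one digit of `card` makes the check fail."""
    digits = normalize(card)
    for i, ch in enumerate(digits):
        for d in "0123456789":
            if d != ch and luhn_ok(digits[:i] + d + digits[i + 1:]):
                return False
    return True


def missed_transpositions(card: str) -> list:
    """Adjacent-digit swaps of `card` that still pass the check.

    For this algorithm only a 0/9 (or 9/0) swap goes undetected, because 0 and
    9 contribute the same amount whether their weight is 1 or 2.
    """
    digits = normalize(card)
    missed = []
    for i in range(len(digits) - 1):
        a, b = digits[i], digits[i + 1]
        if a == b:
            continue
        swapped = digits[:i] + b + a + digits[i + 2:]
        if luhn_ok(swapped):
            missed.append(swapped)
    return missed


if __name__ == "__main__":
    sample = "3728 024906 54059"                  # the worked example from the text
    print(luhn_ok(sample))                        # True
    print(luhn_ok("3728-024906-54058"))           # False: last digit mistyped
    print(single_substitutions_caught(sample))    # True
    print(missed_transpositions(sample))          # ['372802409654059']: the "90" -> "09" swap
```

Because normalize() runs first, a form can accept "3728 024906 54059" or "3728-024906-54059" as the text recommends and still hand a clean digit string to the check; rejecting the spaced form at the input stage buys nothing.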

25.1.3.2 The charge slip

The charge slip tracks charge card transactions. For more than 30 years these charge slips have been paper. Although they were initially returned to the consumer, as with checks, this proved to be too expensive over time. By the mid-1970s, Visa and MasterCard customers were receiving monthly statements summarizing their charges, rather than the original charge slips. In the 1980s, American Express began digitizing charge slips and giving its customers digitized printouts of their charge slips. Today, however, consumers merely receive printed reports listing all of the relevant charges.

Over time, the amount of information on the charge slip has steadily increased. Today there is a large collection of information, including:

Computerized systems largely mimic the paper-based systems that have been used for more than 20 years. That's because the information on the charge slip has been shown to be useful in consummating transactions and combating fraud. Many computerized systems still use the word "slip." Others refer to the charge or payment "record" or "draft."

25.1.3.3 Charge card fees

Banks impose a fee anywhere between one percent and seven percent for each charge card transaction. This fee is paid by the merchant. Thus, a consumer who makes a purchase for $100 may see a $100 charge on her credit card statement, but the merchant may only see $97 deposited into his bank account. The difference is split between the acquiring bank, the merchant's bank, and the network.

Some merchant banks additionally charge their merchants a per-transaction fee and an authorization fee, both of which can be anywhere from pennies to a dollar. Merchants can also be charged sign-up fees, annual fees, and rental fees for the use of their charge card terminals.

Merchant fees are determined by many factors, such as the number of charges the merchant processes in a month, the average value of each transaction, the number of charge-backs, and the merchant's own negotiating power.

Issuing banks make money from annual fees that are imposed directly on the consumer and from interest charges on unpaid balances. The cost to banks for servicing an individual consumer ranges between $50 and $200 per year.

Despite the fact that they lose a few percentage points to service fees, most merchants seem to prefer being paid by credit cards to being paid by check or cash. When they are validated with online systems, credit cards provide almost instant assurance that the payment has been made, and the money is deposited directly into the merchant's bank account. Checks, by contrast, sometimes bounce. Cash is sometimes counterfeit. And even when the checks and cash are good, they still represent physical objects that must be dealt with. Most merchants file their credit card charges electronically, storing the credit slips on-site. Thus, merchants may actually save money by accepting credit cards, even though they are paying the service fee.

25.1.4 Refunds and Charge-Backs

Charge cards are actually two-way financial instruments: besides transferring money from a consumer's account into a merchant's, they can also transfer money from a merchant's account back into the consumer's.

A refund or credit is a reverse charge transaction that is initiated by a merchant. A merchant might reverse a transaction if a piece of merchandise is returned. The consumer can receive either a partial refund or a complete refund. In some cases, the acquiring bank will refund the bank charges as well. For this reason, it's to the advantage of a merchant to issue a refund to a customer's credit card, rather than to simply write a refund check directly to the customer.

Many bank card issuers have rules that state that credits can only be issued in response to charges issued on the same card. That is, if you buy something using an American Express card, and you take it back to the store, the store is supposed to issue a credit on your American Express card, and not on your Discover card or your Visa card. In practice, there are few mechanisms in place to enforce this requirement. However, there is enough auditing of the charge slips that if a merchant were doing a lot of these transactions for fraudulent purposes, that merchant would be leaving quite a paper trail and that would eventually be picked up; at least, that's the way that the system is supposed to work.

Charge-backs are credit operations that are initiated by the customer, rather than by the merchant. A customer might be billed for purchases that were never delivered, for example, or a customer might feel otherwise cheated by the merchant. Federal law allows a customer to dispute charges under a variety of circumstances. Different banks make this process simpler or more difficult. (For example, some banks will allow customers to dispute charges over the phone, while others require disputes to be in writing.) Banks also have different standards for transactions in which there is an actual signature as opposed to transactions that are mail orders or telephone orders: merchants generally have more responsibility for the transaction when they do not have a signature on file, or when merchandise is not shipped to the billing address of the credit card. Charge-backs can also be initiated by the bank itself when fraud is detected.

Makers of computerized credit card processing systems need to build mechanisms into their systems to handle credit card transactions that are initiated by the merchant, the consumer, or the bank. Otherwise, merchants who use these systems will need to constantly enter credit and charge-back transactions by hand into their accounting systems whenever the need arises. Some systems also have built-in checks to protect against common mistakes. For example, some credit card systems will detect duplicate charges and automatically suppress them.
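The simulation below is an added example (not code from the book) that ties together the ten-step transaction in Section 25.1.3, the merchant discount fee in Section 25.1.3.3, and the refund, charge-back and duplicate-charge handling just described. It models the issuing bank, the acquiring bank and the interbank settlement account as small Python objects and walks one $100 sale through authorization, hold, batch settlement, a partial refund and a charge-back. The 3% discount rate, the dollar amounts, the credit limit and the AUTH-prefixed authorization codes are all constructed for the example; amounts are integer cents to keep the arithmetic exact.

```python
from dataclasses import dataclass, field

# Constructed rate: a 3% merchant discount, inside the 1-7% range given in the text.
DISCOUNT_PERCENT = 3


@dataclass
class Issuer:
    """The consumer's (issuing) bank: credit line, pending holds, posted charges."""
    credit_limit_cents: int
    balance_cents: int = 0                        # charges posted to the consumer
    holds: dict = field(default_factory=dict)     # auth code -> amount on hold (step 4)
    settlement_cents: int = 0                     # interbank settlement account (step 9)
    next_code: int = 1000

    def authorize(self, amount_cents: int):
        """Steps 3-4: approve only if posted charges plus open holds fit the line."""
        exposure = self.balance_cents + sum(self.holds.values()) + amount_cents
        if exposure > self.credit_limit_cents:
            return None                           # declined
        code = f"AUTH{self.next_code}"            # hypothetical authorization-code format
        self.next_code += 1
        self.holds[code] = amount_cents           # hold part of the credit line
        return code

    def settle(self, code: str) -> int:
        """Step 9: release the hold, debit the consumer, fund the settlement account."""
        amount = self.holds.pop(code)
        self.balance_cents += amount
        self.settlement_cents += amount
        return amount

    def reverse(self, amount_cents: int) -> None:
        """Refund or charge-back: money flows from settlement back to the consumer."""
        self.balance_cents -= amount_cents
        self.settlement_cents -= amount_cents


@dataclass
class Acquirer:
    """The merchant's (acquiring) bank: batches captures and pays the merchant."""
    merchant_cents: int = 0                       # merchant's deposit account
    batch: list = field(default_factory=list)     # (auth code, amount) awaiting step 7
    seen_codes: set = field(default_factory=set)

    def capture(self, code: str, amount_cents: int) -> bool:
        """Steps 6-7: queue an approved charge; a repeated auth code is suppressed."""
        if code in self.seen_codes:
            return False                          # duplicate charge, dropped
        self.seen_codes.add(code)
        self.batch.append((code, amount_cents))
        return True

    def settle_batch(self, issuer: Issuer) -> int:
        """Steps 7-10: present the batch, pay the merchant net of the discount fee."""
        gross_total = 0
        for code, amount in self.batch:
            gross = issuer.settle(code)
            fee = gross * DISCOUNT_PERCENT // 100 # kept by the banks and the network
            self.merchant_cents += gross - fee
            gross_total += gross
        self.batch.clear()
        return gross_total

    def reverse(self, issuer: Issuer, amount_cents: int, initiated_by: str) -> dict:
        """Refund (merchant-initiated) or charge-back (consumer- or bank-initiated)."""
        issuer.reverse(amount_cents)
        self.merchant_cents -= amount_cents       # the original fee is not returned here
        return {"initiated_by": initiated_by, "amount_cents": amount_cents}


def run_scenario() -> dict:
    """A $100 sale, a declined over-limit request, a duplicate, a refund, a charge-back."""
    issuer = Issuer(credit_limit_cents=50_000)
    acquirer = Acquirer()
    code = issuer.authorize(10_000)               # steps 1-5: $100 approved, hold placed
    declined = issuer.authorize(45_000)           # exceeds the line while the hold is open
    first = acquirer.capture(code, 10_000)        # step 6: order filled, charge queued
    dup = acquirer.capture(code, 10_000)          # re-submitted by mistake: suppressed
    settled = acquirer.settle_batch(issuer)       # steps 7-10
    posted, merchant_after_sale = issuer.balance_cents, acquirer.merchant_cents
    acquirer.reverse(issuer, 2_500, "merchant")   # partial refund of $25
    acquirer.reverse(issuer, 7_500, "consumer")   # charge-back for the remaining $75
    return {
        "auth_code": code,
        "declined": declined is None,
        "duplicate_suppressed": first and not dup,
        "settled_cents": settled,
        "consumer_posted_cents": posted,
        "merchant_after_sale_cents": merchant_after_sale,   # $97 of the $100
        "consumer_final_cents": issuer.balance_cents,
        "merchant_final_cents": acquirer.merchant_cents,    # the merchant ate the $3 fee
        "open_holds": len(issuer.holds),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The two reverse paths share one money flow and differ only in who initiated them, which is why a processing system that records the initiator on every credit transaction can feed both refunds and charge-backs into the merchant's accounting without hand entry. Whether the discount fee comes back on a refund varies by acquiring bank, as the text notes; this example keeps it.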

Debit Cards

Many banks are now issuing branded debit cards. These may look exactly like a Visa or MasterCard (or other credit card). However, when a purchase is made using a debit card and an online verification is performed, the charge is immediately deducted from the client's checking account. No credit is actually extended to the consumer. The same interbank network is used to process the transaction as if the card were a credit card.

These cards are very convenient for the consumer because they are accepted at more places than a check would be. Merchants also like them because they can get an immediate authorization code, thus avoiding the risk of fraud.

Debit cards aren't actually the same as credit cards, however. Even though the card numbers look the same as credit card numbers, debit cards clear over different networks and are covered by different regulations from those that cover credit cards. This has an impact on several aspects of use, including automatic fraud protection and regulations regarding charge-backs in cases of dispute. For example, the consumer is not automatically protected if the card or the account number is stolen. If you have a debit card, carefully read the card member agreement to see what you may be risking for the convenience.

25.1.5 Additional Authentication Mechanisms

From the beginning, credit cards have been subject to fraud and misuse. The first Diner's Club cards were cardboard cards that were sent out to every person who had purchased a Rolls Royce from a dealer in Beverly Hills. Many of the recipients of the card thought that it was a gag and threw them away, gave them to friends, or used them without any intention of paying their bills. The resulting losses nearly bankrupted the fledgling company.

Because credit cards are carried in wallets, theft has always been a possibility. For years, credit card companies based their security on the signature strip located on the card's back. The strip was made of a certain material that was designed to clearly show tampering. The theory was that if somebody stole your card, they would have a hard time signing your name exactly the way it was signed on the back of the credit card. As long as the merchant inspected the signature on the back of the card and on the charge strip, fraud could supposedly be prevented or minimized.

The rise of "card-not-present" transactions (transactions in which items were purchased by telephone or mail order) eliminated any security that the signature strip could provide. At first, to initiate a card-not-present transaction, all a crook needed was the name on the credit card, the credit card's number, and the expiration date. (Early on, the crook didn't even need the name or the expiration date.) This information could easily be obtained from credit card receipts, from the carbon paper used to make the receipts, or even from crooked merchants or their employees. Fundamentally, the problem that the credit card companies faced was that the information used by one merchant to initiate a charge could be reused by others.

Since the 1980s, credit card companies have looked for ways to improve the security of their systems without changing the underlying structure of the credit card number itself or the charge clearing system. They have done this by modifying their systems so that consumers could provide additional information to perform a card-not-present transaction, and then charging merchants a higher percentage rate if this additional information was not presented.

Address verification is one such system. With address verification, a consumer must provide his credit card's billing address for a charge to be approved. The problem with address verification is that consumers sometimes do not know the address that their card bills to, and sometimes an address may be inadvertently mistyped. Thus, there is a trade-off: the system can be programmed to require a very exact match, which will probably reduce the chance of fraud, but highly exacting matches will also disallow some genuinely legitimate transactions. Some credit card companies will tell the merchant's computers exactly how much of the address matched (the Zip code, the street number, the street name, or even the telephone number) and then allow the merchant to decide whether to accept the transaction or to disallow it.

Another verification system involves the additional digits that are printed above the credit card account number or printed on the credit card's signature strip. These numbers do not appear on the card's magnetic strip, and because they are not embossed, they do not appear on carbon paper. Thus, if the consumer is able to provide this information in a card-not-present transaction, there is a very good chance that the consumer is holding the credit card.

25.1.6 Using Credit Cards on the Internet

Because many merchants already had mechanisms for handling charge card transactions made by telephone, charge cards were an obvious choice for early Internet-based payment systems.

However, credit cards also present a problem for merchants because credit card numbers are essentially unchanging passwords that can be used to repeatedly charge payments to a consumer's account. Thus, charge card numbers must be protected from eavesdropping and guessing.

In recent years, merchants have experimented with three different techniques for accepting charge card numbers in conjunction with transactions that are initiated over the Web:

Offline

After the order is placed over the Web, the customer calls up the merchant using a telephone and recites the credit card number. This technique is as secure as any other purchase made by mail order or telephone (called MOTO by industry insiders). Although credit card numbers can be found if the phone line is wiretapped or if a PBX is reprogrammed, it seems to be a risk that merchants, consumers, and banks are willing to take. Furthermore, people basically understand the laws against credit card fraud and wiretapping in cases of this kind.

Online with encryption

The consumer sends the credit card number over the Internet to the merchant in an encrypted transaction.

Online without encryption

The consumer simply sends the credit card number, either in an email message or in an HTTP POST command. Although this technique is vulnerable to eavesdropping (for example, by a packet sniffer), there has to date been no publicized case of information gained from eavesdropping being used to commit credit card fraud.[6]

[6] As of October 2001.
