As we were saying last week, credit card fraud perpetrators insert phony refund or credit transactions into a merchant’s online processing service by defeating weak login credentials. The fake refunds are sent to a series of debit cards (linked to a checking account) where the thief or one of the thief’s associates withdraws the funds before the loss is noticed. Some hackers even inserted phony charge records to offset the refunds thus camouflaging their crime even further. The PCI DSS or payment card industry data security standards contain strong recommendations for logging management. Visa has recommended that acquirers, processors and merchants periodically review their credit transaction monitoring rules. This will increase the likelihood that unusual credits without offsetting sales will be detected early enough to prevent loss of revenue.
One goal I strive for in this blog is to constantly reinforce the facts about PCI compliance and also to dispel some of the myths floating around. Simply reading and robotically following the PCI DSS goals may not be enough. Maintaining your business’s PCI compliant status is a constant work in progress. Doing the bare minimum may not afford as complete protection as is possible for your business or your customers’ sensitive information. Some additional precautions may also be taken. These precautions include:
- Use strong authentication methods for online accounts to protect online credentials.
- Issue alerts to customers to be on the lookout for social engineering schemes such as phishing, voice phishing (also known as vishing) that seek to obtain online login credentials.
- Keep a lookout for unusual refund transactions, paying particular attention to those without an offsetting sale transaction or those where the sale account number doesn’t match the refund number.
- Set exceptions or limits for refund transactions that mirror average sale amounts. Quarantine or hold for investigation any refund transaction amounts that exceed thresholds.
- Make sure credit or refund transactions correspond to a previously processed sale amount. Match the account numbers too and investigate mismatches.
- Require customers and merchants to immediately report any lost or stolen credit card equipment or computers hosting credit card processing software. Disable any terminal or software ID numbers and block any transactions from these terminals.
- Require customers and merchants to return or destroy old credit card processing equipment or software so that no proprietary information is compromised.
- For online web portal access, only allow trusted IP filtering connections
- If fraudulent credit or refund activity is detected, immediately report the suspicious transactions to the issuer of the account to which credits are routed. The issuer may be able to hold questionable transactions and assist with monitoring.
- Always report any suspected fraudulent activity to appropriate law enforcement and regulatory agencies.
More tips and other important PCI compliance information to follow next week. See our homepage to find out how to make sure your business is PCI compliant for free.