Merchant security monitoring is a key factor for any organization processing credit card data. So how many transactions can any acquirer or financial institution safely handle in a day? In the marketplace we see hundreds of thousands of transactions processed per second, and that is most likely only one rack in the data center. Realistically speaking, what human-driven review process could monitor all those transactions to ensure they are legitimate? And if it could, would it be looking at the right things?
Brands like Visa, MasterCard and JCB have implemented merchant compliance programs to help acquirers understand their responsibilities to protect the brands and customers.
They have developed a program framework to help financial institutions and third-party agents in provisioning and monitoring new merchants. This is a must for any institution that processes credit or debit card payments on behalf of a merchant. Brands take extreme measures to ensure illegal and/or brand-damaging transactions are not injected into their payment system. That is why they require all financial institutions (yes, it is a requirement) to have specific policies to onboard merchants and monitor them, introducing continuing due diligence. Operational policies are important in any organization processing credit card data, and the brands are rightly insisting on well-thought-out risk policies. This is where the PCI DSS standard comes in. It is based on the ISO 27001 standard and helps organizations operate an Information Security Management System (ISMS) and manage risk responsibly. Once the policies are approved by the board or qualifying officers, they are submitted to the brands. Then the monitoring starts.
What is a financial organization to look for among its thousands of transactions per second?
Programs like Visa’s Global Brand Protection Program (GBPP), MasterCard’s Merchant Monitoring Program (MMP) and JCB’s Merchant Licensing Data Security Program all require organizations to be on the lookout for specific characteristics of fraudulent activity. The program brochures read like a use-case wish list for any security operations center analyst. Taking from Visa’s Global Acquirer Risk Standard document (dated 1 October 2018), financial processors should be on the lookout for:
- Sudden or unusual changes in transaction velocity
- High occurrences of transactions with rounded sales draft amounts (e.g. transactions from the same card in a short timeframe, transactions outside the merchant area for card-present)
- Unusual credit voucher activity (rounded amounts, credit vouchers and offsetting sales)
- Dispute and fraud advice activity that exceeds Visa’s thresholds
- Force transaction activity (identical, missing or potentially fictitious authorization codes)
- New and inactive merchant transaction activity (dormant or low-processing merchants suddenly having velocity spikes)
- Negative or net-zero balance batch deposits
- Transaction laundering
- Low-value transactions compared to the merchant’s average transaction value
- Average elapsed time between the authorization and settlement for a transaction
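The checks below are an added example, not code from the article or from any card brand program: they run a handful of the indicators listed above (rounded sales drafts, velocity spikes, card reuse in a short window, credit vouchers that offset a sale, reused authorization codes) over a constructed settlement batch for one merchant. The batch, the card tokens, the hourly baseline and the thresholds are all assumptions for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample settlement batch for one merchant; card values are tokens, not PANs.
SAMPLE = [
    {"card": "C1", "ts": "2018-10-01T10:00:00", "amount": 100.00, "type": "sale", "auth": "A001"},
    {"card": "C1", "ts": "2018-10-01T10:03:00", "amount": 100.00, "type": "sale", "auth": "A002"},
    {"card": "C1", "ts": "2018-10-01T10:07:00", "amount": 50.00, "type": "sale", "auth": "A003"},
    {"card": "C2", "ts": "2018-10-01T10:05:00", "amount": 19.99, "type": "sale", "auth": "A004"},
    {"card": "C3", "ts": "2018-10-01T10:20:00", "amount": 200.00, "type": "sale", "auth": "A001"},
    {"card": "C2", "ts": "2018-10-01T11:30:00", "amount": 19.99, "type": "credit", "auth": "A005"},
    {"card": "C4", "ts": "2018-10-01T13:15:00", "amount": 42.50, "type": "sale", "auth": "A006"},
]
TXNS = [dict(t, ts=datetime.fromisoformat(t["ts"])) for t in SAMPLE]

def rounded_amount_ratio(txns, step=10):
    """Share of sales drafts that are a round multiple of `step` (50.00, 100.00, ...)."""
    sales = [t for t in txns if t["type"] == "sale"]
    return sum(1 for t in sales if t["amount"] % step == 0) / len(sales) if sales else 0.0

def velocity_spike(txns, baseline_per_hour, factor=3):
    """Hours whose count exceeds `factor` x the merchant's normal hourly volume (assumed baseline)."""
    per_hour = Counter(t["ts"].replace(minute=0, second=0) for t in txns)
    return sorted(h for h, n in per_hour.items() if n > factor * baseline_per_hour)

def card_reuse(txns, window=timedelta(minutes=10), min_hits=3):
    """Cards seen at least `min_hits` times inside any span of length `window`."""
    by_card = defaultdict(list)
    for t in txns:
        by_card[t["card"]].append(t["ts"])
    flagged = set()
    for card, times in by_card.items():
        times.sort()
        if any(times[i + min_hits - 1] - times[i] <= window for i in range(len(times) - min_hits + 1)):
            flagged.add(card)
    return flagged

def offsetting_credits(txns):
    """Credit vouchers that exactly mirror a sale on the same card (credit/sale offsetting)."""
    sales = {(t["card"], t["amount"]) for t in txns if t["type"] == "sale"}
    return [t for t in txns if t["type"] == "credit" and (t["card"], t["amount"]) in sales]

def reused_auth_codes(txns):
    """Authorization codes appearing on more than one sale (identical / forced auth codes)."""
    counts = Counter(t["auth"] for t in txns if t["type"] == "sale")
    return sorted(code for code, n in counts.items() if n > 1)
```

Each function returns the flagged items rather than a verdict, so the thresholds can be tuned per merchant category before anything is escalated to a reviewer.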
Any enterprising security analyst with a small amount of statistical training and armed with some Perl, R, Ruby, F# or Python can create some spectacular graphing visualizations to help detect some of these use cases. But other use cases, like transaction laundering or human trafficking, may take some outside intelligence sources. A few QSA companies offer such services and can help with the merchant onboarding efforts and subsequent transaction monitoring. Services such as these can pay for themselves, because the costs for submitting illegal transactions to the brands can be steep. Visa, for example, has two tiers of violations. Tier 1 involves selling illegal pharma, miscoded gambling, prohibited pornography and a general “illegal transactions” category; each initial infraction can cost up to $25,000, and additional infractions range from $25,000 to $200,000. Tier 2 violations involve intellectual property, contraband cigarettes and deceptive marketing.
Recall how many transactions per second many acquirers process, and you can instantly see the benefit of buying such a monitoring service.
However, because money is involved, acquirers have an incentive not to terminate some merchant contracts, which is exactly why mandatory compliance with these programs is obligatory and good for the brands. They are looking out for themselves, the service provider and the consumers’ best interest in order to make the world a better place.
Dennis Steenbergen is a Qualified Security Assessor (QSA) working for SecureTrust’s EMEA Global Compliance and Risk Services as a Security Consultant. He holds a Master of Arts in Information Management from Webster University and Bachelor of Arts degree in Economics from Colorado State University.