
Systemic Transformation For Avoiding Credit/Debit card frauds


Continued discomfort at Card Transactions

 

Some of our Relationship Managers have been wanting to take up the premium account on LinkedIn. The only thing deterring them is that the payment mode is credit card, and one has to share all the credentials of the card, even for the trial, which might then reside permanently in LinkedIn’s database. There is no message guaranteeing the security of these details. Not just LinkedIn: many e-tailers who offer one-click payment (e.g. Amazon Kindle Store) seek to store the entire credit card details of an individual. It is not clear what infrastructure these entities maintain to secure these details. Very often they have outsourced agencies who handle payments and collections. A customer sitting far away has no way of knowing who has access to his/her data.

For the past 2 weeks, a WhatsApp message has been making the rounds about different scenarios in which credit/debit card details can be compromised at retail outlets. Without repeating the entire message, the major gaps in the security of card details are summarized below:


  1. A card can be easily photographed for its details using a mobile phone by the cashier
  2. A card can be switched with another expired card from the same bank
  3. Details of the card can be captured digitally on the billing software, for a later use
  4. Many online transactions insist on sharing all details for periodical billing

The well-known weak spot behind card fraud: the details printed on a card are alone sufficient to conclude a transaction. This is the aspect that needs to change.

CSAT360 spoke to a few consumers and payment vendors for their suggestions. Excerpts:

 

  • Online commerce sites should also make it mandatory to use a static PIN, or must insist on a random number generated on the mobile or email, before the transaction is processed.
  • SMS alerts for card transactions for all amounts, big or small.
  • Any auto-billing based on stored card details should entail a guarantee from the retailer as to the security provided to the data and the actual people or roles that have access to it, and any auto-debit should be preceded by an email alert in advance and followed by a confirmation after the transaction. The best thing would be to secure the card database such that any access by anyone internal to the retailer automatically creates an audit log of the user who has accessed it, even if it is the backend administrator or a system, and such a log is shared with the card holder. System audits should have specific provisions to support protection of consumers' card data. We just need a mechanism to ensure traceability of every ‘glance’ at the card data by either a human or a system.
  • To secure online transactions even further, a mechanism of traceability to the bank issuing the card about every such auto-debit instruction will also be important to avoid any out-of-the-ordinary use.
  • In retail outlets it could be made mandatory that a card cannot be taken ‘away’ for a period of time, and every outlet should function with wireless machines and swipe the card right in front of the customer.
  • Retail outlets could give an undertaking, in all their bills, that their billing software does not store the card details. This could be a point of audit.
  • Continue insisting on a PIN for all card transactions.
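
The access-traceability suggestion above, sketched as an added example (not from the original article or any vendor's system): every read of stored card data, by a human or a system, is appended to a hash-chained log before the data is released, and the cardholder can be handed their own slice of that log. The class, field names, tokens and sample accesses are hypothetical and constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first log entry


class AuditedCardVault:
    """Toy vault: card data is only reachable through read(), which logs first."""

    def __init__(self):
        self._cards = {}  # token -> (holder, card record)
        self.log = []     # append-only, hash-chained access entries

    def store(self, token, holder, record):
        self._cards[token] = (holder, record)

    def _append(self, entry):
        # Each entry commits to the previous entry's hash, so edits break the chain.
        entry["prev"] = self.log[-1]["hash"] if self.log else GENESIS
        body = json.dumps(entry, sort_keys=True).encode()
        entry["hash"] = hashlib.sha256(body).hexdigest()
        self.log.append(entry)

    def read(self, token, actor, role, purpose, when):
        holder, record = self._cards[token]
        # Log before releasing data; admins and batch jobs take the same path.
        self._append({"when": when, "actor": actor, "role": role,
                      "purpose": purpose, "token": token, "holder": holder})
        return record

    def verify_chain(self):
        prev = GENESIS
        for entry in self.log:
            body = {k: v for k, v in entry.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if entry["prev"] != prev or entry["hash"] != digest:
                return False
            prev = entry["hash"]
        return True

    def holder_report(self, holder):
        # The slice of the log that would be shared with one cardholder.
        keys = ("when", "actor", "role", "purpose")
        return [{k: e[k] for k in keys} for e in self.log if e["holder"] == holder]


def demo():
    vault = AuditedCardVault()
    vault.store("tok_1", "holder_a", {"last4": "1111", "expiry": "12/30"})  # constructed
    vault.read("tok_1", "billing-job", "system", "monthly auto-debit", "2024-01-05T02:00Z")
    vault.read("tok_1", "dba_01", "backend-admin", "support ticket", "2024-01-06T11:30Z")
    intact, report = vault.verify_chain(), vault.holder_report("holder_a")
    vault.log[1]["actor"] = "someone_else"  # simulate an edited log entry
    return intact, report, vault.verify_chain()
```

A hash chain only exposes edits made to individual entries; someone able to rewrite the whole log could recompute it, so the latest hash has to be held by a party outside the retailer, such as the issuing bank named in the suggestions.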

 

Without security for card details, adopting mobile payments and mobile banking is a no-no for many risk-averse consumers, considering the pathetic consumer grievance support in the country.

In summary, make any card transaction totally impossible just on the basis of card details.

CSAT360 is seeking opinions of Payment Vendors, Bankers, the RBI and the Cybercrime agencies in India on the feasibility of the above. Please watch this page for more updates.

Share your opinion at content@csat360.com. CSAT360 has disabled the general comment box to facilitate open and confidential opinion sharing by readers.
