by pbreit 4518 days ago
Checks are typically very simple, no regex-ing involved.

First, names are not really checked.

For addresses, usually only the number (and sometimes just first three digits) are checked as well as the zip.

Generally the processor tries to decline as few txns as possible and instead deliver the information to the merchant to make a decision. The merchant can usually pre-configure error codes that it would like the processor to decline. This might be preferable to the merchant from a cost-saving standpoint as well as not needing to "void an auth" in order to free up the cardholder's spendability.

The idea behind CVVs is that merchants are disallowed from storing them so they are far less likely to be included in stolen credit card databases. Thus, requiring them significantly decreases fraud risk. And, yes, many gateways/processors charge more for missing or incorrect CVVs.

It's harder to "steal" a chip card since the information is not sitting on an easy-to-read mag-stripe. It's not clear that chip cards would have avoided the Target thing since the fraudsters infiltrated the terminal software. I'm guessing more current terminals/software are simply harder to compromise. "Chip & pin", as is widely used in places such as Canada and Europe, might help a bit since you would need the PIN to shop off-line. But it would have minimal effect for online shopping since PIN is typically not requested.

The reason we still sign receipts and yes, you still see a carbon copy here and there, is mainly because it protects the merchant if the cardholder does a "chargeback". Merchants typically store the receipts and only turn them over if a chargeback is received. Showing the signed receipt to your processor will usually absolve you from any loss.

I think the above is accurate or close to.


> It's harder to "steal" a chip card since the information is not sitting on an easy-to-read mag-stripe. It's not clear that chip cards would have avoided the Target thing since the fraudsters infiltrated the terminal software. I'm guessing more current terminals/software is simply harder to compromise. "Chip & pin", as is widely used in places such as Canada and Europe, might help a bit since you would need the PIN to shop off-line. But it would have minimal effect for online shopping since PIN is typically not requested.

Limiting the fraud to online only would have greatly reduced the potential damage. There was a reason why carders were making physical cards to use, it's muuuch easier to get a transaction through. Address verification and CVV (not part of Target's dump because it's not on the mag stripe and is not collected by Target) would catch anyone using a stolen number online.

> It's not clear that chip cards would have avoided the Target thing since the fraudsters infiltrated the terminal software

From my understanding, chip cards implement challenge-response. So unless the terminal is capable of placing the card in debug mode and dumping any keys, I would expect chip-and-pin would have prevented the Target breach.

(If the terminal is capable of this... well, that is a gigantic hole)

>The reason we still sign receipts and yes, you still see a carbon copy here and there, is mainly because it protects the merchant if the cardholder does a "chargeback". Merchants typically store the receipts and only turn them over if a chargeback is received. Showing the signed receipt to your processor will usually absolve you from any loss.

I wonder what would happen in this case if you turned in one of these?

(taken from the Internet Archive; the site apparently went down)

https://web.archive.org/web/20050317031541/http://www.zug.co...

Can I piggyback on this and ask an unrelated question I'm curious about?

Let's say an online merchant gets a transaction they very strongly suspect is a stolen credit card (perhaps it's from a customer with a long history of using stolen cards) but it validates just fine. Is there any provision in the interface for merchants to ask the credit card company to perform extra fraud checks, like calling the cardholder?

No, there are no such provisions. The card companies have their own fraud prevention/detection departments which mine transactions and look for abnormal behavior. If they spot something out of the ordinary (big purchase, foreign purchase, etc) then they will call you to validate.
Anecdote: I used to work with donation processing, and we had a situation where we had transactions that I knew were identity theft (email addresses were the same, IP the same, but zip, CVV, name correct, and all submitted in a short timeframe). I refunded the transactions and called the banks to report that the cards had been stolen, and the banks basically threw their hands up in the air.
I work with donation processing. We found the same response from the banks, so we've started trying to look up the identity theft victims in the white pages and calling them. Sadly, we only get a 20% hit rate for working phone numbers and typically only get in touch with half of them.
Which is why, every time I travel, I end up with all the cards blocked. I hate you visa.
My bank has done the same in the past, but now they offer an interface in online banking to inform them when I'm travelling.

It still annoys me though: Their fraud system keeps flagging regular transactions that I've done for similar amounts to the same companies, at the same times of month or year for years, yet when someone did two transfers of 3000 GBP each to a credit card account in a different bank that I've never dealt with before, in someone else's name, their fraud system did not trigger...

From my perspective, their blocks are nothing but a nuisance.

Call before you go and tell them you are traveling.
Somewhere I read that such a call triggers a fraud red alert.
That would be counterintuitive. I always inform my bank before traveling out of the country. They want to know the destination nation and a date range, which is necessary to avoid triggering red flags when "card present" transactions start showing up from an unexpected location.
Nope. Once the credit card company authorizes the transaction, it's entirely up to the merchant whether to fulfill the transaction and close it out, or refund the customer. The credit card companies will do nothing to assist in making this decision.

But be sure you choose correctly, because they will take the entire payment away from you if there's a chargeback.

Some processors return a numeric risk score, or a ternary result (OK,Review,Denied). Then the merchant might choose to review the transaction if the risk score is above a certain threshold (or the result is Review), then cancel or capture it accordingly.

For example, merchant's staff calls the shopper. This adds some cost, but for some merchants it might save money overall since chargebacks can be very costly (even if the merchant manages to challenge and win).

Can't resist a shout out for a friend's new company that makes a lot of sense: http://chargeback.com (outsourced chargeback handling).
>It's harder to "steal" a chip card since the information is not sitting on an easy-to-read mag-stripe.

Well, yes. But really it's mostly the POS device sending data to the chip which then performs operations and returns a result code or a data block to the POS device.

When you enter a PIN in the POS device it is sent to the chip and it verifies that the PIN is correct. A yes/no result code is returned to the POS device.

In a POS transaction your PIN is not sent to your card issuing bank for it to verify like it is for ATM.

Instead the POS device sends about a dozen data elements about the transaction to the card which runs them through an algorithm and encrypts (maybe not encrypts but that's the best term I can think of right now) it with a key it and the issuing bank knows. The resulting hash is returned to the POS device and is sent to the bank for authorisation. The bank then performs the same algorithm and verifies the hash is valid.

I am not sure if you could literally copy a chip, but it is doing more than just storing data like you have with a mag stripe only card.

"Chip&PIN" would have zero effect for an online transaction as neither the chip or the PIN are in play.
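The card-generated cryptogram described in the comment above, as an added simulation that is not part of the thread and not anyone's production code. It is deliberately simplified: the real EMV scheme derives per-transaction session keys with 3DES/AES and computes a CBC-MAC over a defined list of tags; here HMAC-SHA256 stands in for both, the transaction fields are a made-up subset, and the PAN, key and amounts are constructed test values. What it does show is the property the comment is describing: the key never leaves the card, the terminal contributes a fresh unpredictable number, the card's transaction counter (ATC) moves forward, and the issuer rejects both a replayed cryptogram and one forged without the key.

```python
import hashlib
import hmac
import os
import struct

# Constructed simulation of an EMV-style online authorization (ARQC).
# Assumption: HMAC-SHA256 replaces the real 3DES/AES session-key derivation
# and CBC-MAC; field layout and lengths are illustrative, not the EMV spec.

CRYPTOGRAM_LEN = 8  # bytes handed back to the terminal (assumed length)


def derive_session_key(master_key: bytes, atc: int) -> bytes:
    """Per-transaction key diversified by the ATC (stand-in for EMV derivation)."""
    return hmac.new(master_key, b"session" + struct.pack(">H", atc), hashlib.sha256).digest()


def compute_cryptogram(master_key: bytes, atc: int, tx_data: bytes) -> bytes:
    """MAC the terminal-supplied transaction data under the session key."""
    sk = derive_session_key(master_key, atc)
    return hmac.new(sk, tx_data, hashlib.sha256).digest()[:CRYPTOGRAM_LEN]


def encode_tx(amount_cents: int, currency: str, date: str,
              unpredictable_number: int, terminal_country: str) -> bytes:
    """Serialize the handful of data elements the terminal sends to the card."""
    return (struct.pack(">Q", amount_cents) + currency.encode() + date.encode()
            + struct.pack(">I", unpredictable_number) + terminal_country.encode())


class Card:
    """The chip: holds the master key and a monotonically increasing ATC."""

    def __init__(self, master_key: bytes):
        self._master_key = master_key  # never exported to the terminal
        self.atc = 0

    def generate_ac(self, tx_data: bytes):
        self.atc += 1
        return self.atc, compute_cryptogram(self._master_key, self.atc, tx_data)


class Issuer:
    """The issuing bank: knows each card's master key and last accepted ATC."""

    def __init__(self):
        self.cards = {}  # pan -> [master_key, last_atc]

    def enroll(self, pan: str, master_key: bytes):
        self.cards[pan] = [master_key, 0]

    def authorize(self, pan: str, atc: int, cryptogram: bytes, tx_data: bytes) -> str:
        rec = self.cards.get(pan)
        if rec is None:
            return "DECLINE: unknown card"
        master_key, last_atc = rec
        if atc <= last_atc:  # counter must advance: catches straight replays
            return "DECLINE: ATC replay"
        expected = compute_cryptogram(master_key, atc, tx_data)
        if not hmac.compare_digest(expected, cryptogram):
            return "DECLINE: bad cryptogram"
        rec[1] = atc
        return "APPROVE"


class Terminal:
    """The POS device: assembles transaction data with a fresh random nonce."""

    def __init__(self, country: str = "840"):
        self.country = country

    def build_tx(self, amount_cents: int, currency: str, date: str) -> bytes:
        un = struct.unpack(">I", os.urandom(4))[0]  # unpredictable number
        return encode_tx(amount_cents, currency, date, un, self.country)


def run_demo() -> dict:
    """Run a genuine purchase, then the attacks a POS compromise enables."""
    issuer = Issuer()
    pan = "4111111111111111"  # constructed test PAN
    master_key = os.urandom(32)
    issuer.enroll(pan, master_key)
    card, term = Card(master_key), Terminal()
    results = {}

    tx1 = term.build_tx(4999, "840", "131215")
    atc1, ac1 = card.generate_ac(tx1)
    results["genuine"] = issuer.authorize(pan, atc1, ac1, tx1)

    # Malware on the POS captured (atc1, ac1, tx1). Replaying it verbatim:
    results["replay_same_tx"] = issuer.authorize(pan, atc1, ac1, tx1)

    # Reusing the captured cryptogram on a new transaction with a new nonce:
    tx2 = term.build_tx(4999, "840", "131215")
    results["replay_new_tx"] = issuer.authorize(pan, atc1 + 1, ac1, tx2)

    # Forging a cryptogram without the master key:
    forged = compute_cryptogram(b"attacker-guess", atc1 + 1, tx2)
    results["forged"] = issuer.authorize(pan, atc1 + 1, forged, tx2)

    # The real card doing a second purchase still works:
    atc2, ac2 = card.generate_ac(tx2)
    results["genuine_second"] = issuer.authorize(pan, atc2, ac2, tx2)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:16s} {outcome}")
```

The contrast with a mag stripe is that everything a skimmer sees here (PAN, ATC, cryptogram, transaction data) is useless for a second transaction, whereas a stripe dump is the complete credential. Note that this models only the card-present path; as the comment says, nothing in it touches an online purchase, which is why CVV and AVS remain the checks there.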

Since the chip verifies the PIN, is it protected against brute force cracking? I know some cards become "blocked" if a wrong PIN is presented three consecutive times. Is this a chip feature, and if so can the chips be "reset" by the bank?
> charge more for missing or incorrect CVVs.

Wait, what? Can transactions still go through without the CVV, except the merchant's transaction fee is a bit higher? They're just not declined outright?

Yes. Quite a lot of merchants do not ask for CVV/CVCs (Amazon being an example).
Yes, the CVV is not required. If you think about it, it is obvious CVV isn't since many self-serve card swipe machines (gas stations, grocery stores, fast food restaurants) don't ask you for it.
There are two CVVs: one printed on the card, one on the magstripe. So for swipe transactions they're still getting a CVV.
CVV is unnecessary for offline payments because the physical card is being presented.
Yup -- you can authorize a card with a missing, or even incorrect, CVV.

I work at Balanced payments, and this frequently trips up a lot of people. If incorrect CVV information is entered, we note that in our response, but it's up to the user of our API to decide if they want to accept that card or not. (We also use this information as one component of many in our internal fraud systems, of course).

Yes. Physical transactions, card present, with chip and pin have lowest txfee.

You can run a card with only a number and exp even. No AVS at all. Just higher cost higher risk.