Lack of fraud reporting paths considered harmful.
Perry E. Metzger
perry at piermont.com
Fri Jan 25 18:01:39 EST 2008
lists at notatla.org.uk writes:
>> His firm routinely discovers attempted credit card fraud. However,
>> since there is no way for them to report attempted fraud to the credit
>> card network (the protocol literally does not allow for it), all they
>> can do is refuse the transaction -- they literally have no mechanism
>> to let the issuing bank know that the card number was likely stolen.
>
> A former boss has become "Head of Fraud Technology" (I asked him who
> was "Head of Anti-Fraud Technology") and he answers like this.
>
> I am not really a cards man but I would have said the good
> old telephone, a call to the acquirer, would be the way. The
> acquirer would then pass that on to the issuer. Granted the
> merchant may not know for certain that had happened, but he
> has done his duty at that point.
That's not practical. If you're a large online merchant, and your
automated systems are picking up lots of fraud, you want an automated
system for reporting it. Having a team of people on the phone 24x7
talking to your acquirer and reading them credit card numbers over the
phone, and then expecting the acquirer to do something with them when
they don't have an automated system either, is just not reasonable.
--
Perry E. Metzger perry at piermont.com
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list