Security Overview

Credit card security is based on privacy of the actual credit card number. This means that whenever a person other than the card owner reads the number, security is potentially compromised. Since this happens most of the time when a transaction is made, security is low. However, a user with access to just the number can only make certain types of transactions. Merchants will often accept credit card numbers without extra verification for mail order, but then the delivery address will be recorded, so the thief must make sure he can have the goods delivered to an anonymous address (ie. not his own) and collect them without being detected. Some merchants will accept a credit card number for in-store purchases, whereupon access to the number allows easy fraud, but many require the card itself to be present, and require a signature. Thus, a stolen card can be cancelled, and if this is done quickly, no fraud can take place in this way. For internet purchases, there is sometimes the same level of security as for mail order (number only) hence requiring only that the fraudster take care about collecting the goods, but often there are additional measures. The main one is to require a security pin with the card, which requires that the thief have access to the card.

Security Problems credit cards

The low security of the credit card system presents countless opportunities for fraud. This opportunity has created a huge black market in stolen credit card numbers, which are generally used quickly before the cards are reported stolen.

The goal of the credit card companies is not to eliminate fraud, but to "reduce it to manageable levels", such that the total cost of both fraud and fraud prevention is minimized This implies that high-cost low-return fraud prevention measures will not be used if their cost exceeds the potential gains from fraud reduction.

 

Most internet fraud is done through the use of stolen credit card information which is obtained in many ways, the simplest being copying information from retailers, either online or offline. Despite efforts to improve security for remote purchases using credit cards, systems with security holes are usually the result of poor implementations of card acquisition by merchants. For example, a website that uses SSL to encrypt card numbers from a client may simply email the number from the webserver to someone who manually processes the card details at a card terminal. Naturally, anywhere card details become human-readable before being processed at the acquiring bank, a security risk is created. However, many banks offer systems where encrypted card details captured on a merchant's webserver can be sent directly to the payment processor.

Controlled Payment Numbers are another option for protecting one's credit card number: they are "alias" numbers linked to one's actual card number, generated as needed, valid for a relatively short time, with a very low limit, and typically only valid with a single merchant.

The Federal Bureau of Investigation and U.S. Postal Inspection Service are responsible for prosecuting criminals who engage in credit card fraud in the United States, but they do not have the resources to pursue all criminals. In general, federal officials only prosecute cases exceeding US $5000 in value. Three improvements to card security have been introduced to the more common credit card networks but none has proven to help reduce credit card fraud so far. First, the on-line verification system used by merchants is being enhanced to require a 4 digit Personal Identification Number (PIN) known only to the card holder. Second, the cards themselves are being replaced with similar-looking tamper-resistant smart cards which are intended to make forgery more difficult. The majority of smartcard (IC card) based credit cards comply with the EMV (Europay MasterCard Visa) standard. Third, an additional 3 or 4 digit code is now present on the back of most cards, for use in "card not present" transactions. See CVV2 for more information.

The way credit card owners pay off their balances has a tremendous effect on their credit history. All the information is collected by credit bureaus. The credit information stays on the credit report, depending on the jurisdiction and the situation, for 1, 2, 5, 7 or even 10 years after the debt is repaid.

 How credit cards work

user is issued credit after an account has been approved by the credit provider, and is given a credit card, with which the user will be able to make purchases from merchants accepting that credit card up to a pre-established credit limit. Often a general bank issues the credit, but sometimes a captive bank created to issue a particular brand of credit card, such as Chase, Wells Fargo or Bank of America issues the credit.

When a purchase is made, the credit card user agrees to pay the card issuer. The cardholder indicates their consent to pay, by signing a receipt with a record of the card details and indicating the amount to be paid or by entering a Personal identification number (PIN). Also, many merchants now accept verbal authorizations via telephone and electronic authorization using the Internet, known as a Card not present (CNP) transaction.

Electronic verification systems allow merchants to verify that the card is valid and the credit card customer has sufficient credit to cover the purchase in a few seconds, allowing the verification to happen at time of purchase. The verification is performed using a credit card payment terminal or Point of Sale (POS) system with a communications link to the merchant's acquiring bank. Data from the card is obtained from a magnetic stripe or chip on the card; the latter system is in the United Kingdom commonly known as Chip and PIN, but is more technically an EMV card.