Visa International says merchants should take a greater responsibility for credit card security, for example by complying with the security standards in the Account Information Security programme (AIS). This is sponsored by Visa and run by Visa’s member banks. However, uptake among merchants in New Zealand, especially small-and medium-sized ones, has been slow, says Iain Jamieson, Visa International’s New Zealand country manager.
“I’m a little concerned that the message we are trying to get out there hasn’t got much traction at the moment,” he says.
“[In collaboration] with the banks, we need to interact at a much lower level with the merchants in this country, to make sure that they understand what the requirements are for ensuring that cardholder information is stored correctly. And if they don’t need to store it, they should delete it,” he says.
Visa Asia-Pacific cooperates with website security company ScanAlert, which performs vulnerability tests of merchants’ systems free of charge.
“I suppose the issue is that [to go through with the scan] you need to have the latest security software in place, and I think this is where New Zealand falls behind the rest of the world a little bit. [Do] the small-and medium-sized merchant, in New Zealand actually have that software?”
“If merchants are storing [cardholder] information ... they should encrypt it. If they don’t need that information, they need to change their business practices and get rid of that cardholder data.”
Cardholder information, stored on a server, for example, could be an easy goldmine for criminals, he says.
“You don’t need to have a direct internet connection for a criminal to get into the system. If you have got an external email system or a corporate internet system that could be the hole that lets a criminal in.”
John Albertson, chief executive of the New Zealand Retailers Association, says the primary responsibility for the security of credit cards lies with customers, but that retailers have a responsibilty to ensure that credit card information is not made available to anyone.
“In terms of card security overall, the key security point is with the customers themselves, for example, making sure that PIN numbers are kept absolutely confidential,” he says.
One of the aspects that has changed over recent years is the detail shown on the credit card docket, he says.
“Going back some years, basically the full [credit card] number was printed [on the credit card chit]. That is now changed and the full number is no longer shown. That was quite a significant step in terms of security,” he says.
The information retailers might store, for balancing their accounts, no longer has the details of the customer’s account on it, he says. However, he can’t guarantee that all retailers in New Zealand have changed their systems. Albertson recommended Computerworld talk to ETSL (Electronic Transaction Services Limited) for more information, but ETSL was not immediately available for a comment.
The international EMV-standard (Europay, Mastercard, Visa) chip cards are to be fully introduced in New Zealand by January 2008. In Europe, the move to chip cards happened because of the fraud issue, Jamieson says. But in New Zealand, fraud is not an issue. According to Visa’s research, fraud in New Zealand and Australia is at an all-time low. Only 0.03% of Visa sales are lost through fraud, compared to a world average, of 0.07%. Online fraud in New Zealand and Australia has halved in the last five years, mainly thanks to investments that banks and financial institutions have made in advanced technology to prevent fraud, Jamieson says.
“There is no business case [in New Zealand] to move to chip on fraud [ground] alone — there has got to be something more to add value to the customer.”
Malaysia used to have one of the highest fraud rates globally before the government decided that the country should migrate to chip cards, and they did it within a couple of years, says Jamieson.
However, fraud doesn’t go away. It just goes to go places that are easier to attack, he says.
“What we noticed was that as fraud dropped in Malaysia, fraud increased in Thailand, across the border,” he says. “So, my message to the New Zealand community is that we might not have a problem now, but if other countries decide to move to ‘chip’, the fraudsters are going to look for places that are easier to attack and, at the moment, we don’t have chip cards. It’s easier to attack a bank in New Zealand than one in Malaysia or Japan that has implemented chip technology.”
Jamieson thinks that banks in New Zealand will start moving towards the EMV-standard in the next 12 months.
Mobile commerce is another new technology that might be coming our way in a couple of years. Jamieson says there are a number of pilots being conducted around the world.
“Some Nokia phones have the ability to have a second chip put into the handset, and that second chip can be used as a payment application,” he says.
There are two types of trials going on, according to Jamieson. One uses the infrared application on the handset. The user points the phone at a specialised point-of-sale device and sends a payment request via infrared, he says.
“The other one uses a contactless-type approach, where the Visa-chip in the phone will have a contactless application.”
The user pays by pushing the phone towards a contactless plate at the point-of-sale.
Fraud might be declining but other threats are on the rise. For example, the number of phishing sites have increased 3.5 times since last year, he says.
“In May 2005 there were 3,326 phishing sites that had been detected, and in May 2006 there were 11,976 phishing sites.”
Although it should be a well-known fact by now that no bank or financial institution will ever ask clients to put any financial or personal information in an email, phishing scams still succeed, he says.
“It’s unfortunate that every time a phishing attack occurs a couple of customers have obliged the fraudsters.”