Visa Warns of New Fraud Scheme
Alert to Banks, Processors Describes Bogus Batch SettlementAccording to Visa's alert, a copy of which was obtained by Information Security Media Group, the payment card giant has information about criminals who claim to have access to account numbers and the ability to submit a large batch settlement upload to occur over a weekend. (Merchants usually send their credit card transactions by batches at the end of a business day to be settled by the credit card companies and acquiring banks.)
Visa does not have any information as to when the fraudulent settlement activity may occur. The criminals claim to have access to a merchant account placed with a bank in Eastern Europe.
"Although the source of the information is reliable, the information that Visa has received coming forward so far is limited," the alert states. "Visa suspects that this scheme may be linked to a consortium of online merchants that have been trying to secure processing arrangements after being shut down at several acquirers across many geographies."
This alert comes after last year's record-breaking Heartland Payment Systems data breach and other noted incidents, including the Network Solutions breach that involved its merchant client database of more than 4,000 small business accounts.
Visa's Quick Action
Once Visa received the information from the third-party source, according to the alert, it immediately implemented monitoring of large settlement activity for banks located in Eastern Europe. Up to now, Visa says it hasn't seen abnormal or large settlement activity. Visa says it is continuing to monitor and will alert any affected Visa clients of abnormal activity, if needed.
Institutions should monitor for large or unusual settlement activity -- particularly during weekends and holidays. They should also closely review settlement and chargeback activity for high risk merchants and agents.
Visa declined to comment further on the alert, but offered the following statement: "As Visa receives critical information about potential criminal schemes, we take immediate steps to stop fraud and support law enforcement efforts. When appropriate, we also notify critical stakeholders so they can take cautionary or mitigating steps. Although issuers and acquirers actively monitor for unusual batch settlements, Visa sent out a client communication as a reminder to be on heightened alert. Active system monitoring across all stakeholders significantly decreases the risk of this type of fraud."
Analyst: Banks Should Be 'Very Concerned'
These types of thefts have been around for a long time, says Gartner analyst Avivah Litan.
"Financial institutions should be very concerned about this alert because they are the ones who get stuck with the bill and the chargebacks once cardholders notice the unauthorized charges," Litan says. "These 'fake' merchants will undoubtedly bail out of the system once they get their money, so the banks don't have a prayer of recovering money from the bad guys."
Litan says this type of fraud is likely to continue, as the biggest problem in preventing batch settlement fraud is how merchant accounts get created and underwritten in the first place. "Visa, MasterCard and the acquiring banks need to tighten up their accreditation process and how they onboard new merchants," she says. "There are too many 'third parties' and ISOs in the system, allowing too many illegitimate merchants to establish accounts and access to the payment systems."