From cca.ucsf.edu!ucsfcgl!ucbvax!tut.cis.ohio-state.edu!rutgers!dptg!lznv!ziegle
Article 2226 of misc.consumers:
Path: wet!cca.ucsf.edu!ucsfcgl!ucbvax!tut.cis.ohio-state.edu!rutgers!dptg!lznv!z
>From: ziegler@lznv.ATT.COM (J.ZIEGLER)
Newsgroups: misc.consumers
Subject: Credit Card 101 Part 1 of 6 - The Players
Keywords: Credit Debit Charge Banks
Message-ID: <1656@lznv.ATT.COM>
Date: 25 Sep 89 20:13:50 GMT
Distribution: usa
Organization: AT&T ISL Lincroft NJ USA
Lines: 197
DEFINITIONS
-----------
First some terms, along with the meanings they have in the industry:
Many issuers are also acquirers. Some issuers allow other acquirers to
provide authorizations for them, under pre-agreed conditions. Other
issuers provide all their own authorizations.
TYPES OF CARDS
----- -- -----
Issuers of credit cards make money from cardholder fees and from
interest paid on outstanding balances. Not all issuers charge fees.
Even those that do, make most of their money on the interest. They
really LIKE people who pay the minimum each month.
Issuers of charge cards make money from cardholder fees. Some charge
cards actually run at a loss for the company, particularly those that
are free. The primary purpose of such cards is to stimulate business.
Issuers of debit cards may make money on transaction fees. Not all
debit card transactions have fees. Most debit cards exist to stimulate
business for the bank and to offload tellers and back-room
departments. To date, third-party debit cards exist solely to
stimulate business. Providers of such cards make no direct money from
their use.
Until fairly recently, the only motivation for accepters was to expand
their business by accepting cards. Reduction of fraud was enough
reason for many merchants to pay authorization fees, but in many cases,
it isn't worth the cost. (That is, it is cheaper to pay the fraud than
to prevent it.) Recently, electronic settlement has provided merchants
with an added benefit by reducing float on charged purchases.
Merchants can now get their accounts credited much faster than before,
which helps cash flow.
Companies that issue charge cards are real keen on float reduction.
The sooner they can bill you, the sooner they get their money. Credit
card companies are also interested in float reduction, since the sooner
they bill, the sooner they can start charging interest. Debit cards
typically involve little or no float.
Master Card (MC) is very much like VISA. There are some differences
that are important to those in the industry, but from the consumer's
standpoint they operate pretty much the same.
Most large banks are issuers and acquirers. Things get real
interesting when it's time to settle up. Some small banks are only
issuers. There are third parties that are only acquirers.
In future episodes, I'll explain how standards help all this chaos work
together, and give details about how the authorization process happens.
Joe Ziegler
att!lznv!ziegler
This is part two in a planned six-part series about the credit card
industry. It would be best if you read part one before reading
this part. Enjoy.
DEFINITIONS
-----------
THE ORGANIZATIONS
--- -------------
ISO sets standards for plastic cards and for data interchange, among
other things. ISO standards generally allow for national expansion.
Typically, a national standards organization, like ANSI, will take an
ISO standard and develop a national standard from it. National
standards are generally subsets of the ISO standard, with extensions as
allowed in the original ISO standard. Many credit card standards
originated in the United States, and were generalized and adopted by
ISO later.
The ANSI committees that deal with credit card standards are sponsored
by the ABA. Most members of these committees work for banks and other
financial institutions, or for vendors who supply banks and financial
institutions. Working committees report to governing committees.
PHYSICAL STANDARDS
-------- ---------
ENCODING STANDARDS
-------- ---------
Track 1 is encoded at 210 bits per inch, and uses a 6-bit coding of a
64-element character set of numerics, alphabet (one case only), and
some special characters. Track 1 can hold up to 79 characters, six
of which are reserved control characters. Included in these six
characters is a Longitudinal Redundancy Check (LRC) character, so that
a card reader can detect most read failures. Data encoded on track 1
include PAN, country code, full name, expiration date, and
"discretionary data". Discretionary data is anything the issuer wants
it to be. Track 1 was originally intended for use by airlines, but
many Automatic Teller Machines (ATMs) are now using it to personalize
prompts with your name and your language of choice. Some credit
authorization applications are starting to use track 1 as well.
Track 2 is encoded at 75 bits per inch, and uses a 4-bit coding of the
ten digits. Three of the remaining characters are reserved as
delimiters, two are reserved for device control, and one is left
undefined. In practice, the device control characters are never used,
either. Track 2 can hold up to 40 characters, including an LRC. Data
encoded on track 2 include PAN, country code (optional), expiration
date, and discretionary data. In practice, the country code is hardly
ever used by United States issuers. Later revisions of this standard
added a qualification code that defines the type of the card (debit,
credit, etc.) and limitations on its use. AMEX includes an issue date
in the discretionary data. Track 2 was originally intended for credit
authorization applications. Nowadays, most ATMs use track 2 as well.
Thus, many ATM cards have a "PIN offset" encoded in the discretionary
data. The PIN offset is usually derived by running the PIN through an
encryption algorithm (maybe DES, maybe proprietary) with a secret key.
This allows ATMs to verify your PIN when the host is offline, generally
allowing restricted account access.
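The read checks described for track 2, as an added example that is not part of the original post. It assumes the ISO/IEC 7811 layout, in which each 4-bit character is recorded least significant bit first with an odd parity bit and the LRC follows the end delimiter; the function names and the sample stripe content are constructed for illustration.

```python
# Added example: track 2 character parity and LRC checks on the reader side.
START, SEP, END = ";", "=", "?"   # the three delimiter characters (values 11, 13, 15)

def to_bits(ch):
    """One character as recorded: 4 data bits, LSB first, then an odd parity bit."""
    value = ord(ch) - 0x30                       # '0'..'?' map to 0..15
    if not 0 <= value <= 15:
        raise ValueError(f"not a track 2 character: {ch!r}")
    data = [(value >> k) & 1 for k in range(4)]
    return data + [1 - sum(data) % 2]            # make the count of 1 bits odd

def lrc_char(chars):
    """LRC: XOR of the 4-bit values of every character, delimiters included."""
    value = 0
    for ch in chars:
        value ^= ord(ch) - 0x30
    return chr(value + 0x30)

def sample_bits(text):
    """Build the bit stream a reader would see; used only to construct sample input."""
    framed = START + text + END
    framed += lrc_char(framed)
    return [bit for ch in framed for bit in to_bits(ch)]

def read_track2(bits):
    """Return (fields, None) on a clean read, or (None, reason) on a read failure."""
    if len(bits) % 5:
        return None, "truncated"
    chars = ""
    for i in range(0, len(bits), 5):
        cell = bits[i:i + 5]
        if sum(cell) % 2 != 1:
            return None, f"parity error in character {i // 5}"
        chars += chr(sum(bit << k for k, bit in enumerate(cell[:4])) + 0x30)
    if len(chars) > 40:                          # track 2 capacity, LRC included
        return None, "too long"
    if len(chars) < 3 or chars[0] != START or chars[-2] != END:
        return None, "framing"
    if lrc_char(chars[:-1]) != chars[-1]:
        return None, "LRC mismatch"
    pan, _, rest = chars[1:-2].partition(SEP)
    # Everything after the four expiry digits is returned unsplit.
    return {"pan": pan, "expiry_yymm": rest[:4], "remainder": rest[4:]}, None

# Constructed sample: a published test PAN, expiry 9912, made-up trailing digits.
SAMPLE = sample_bits("4111111111111111=99121010000")
```

A single flipped bit is caught by the character parity, while two flipped data bits inside one character pass parity and are caught only by the LRC.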
Track 3 uses the same density and coding scheme as track 1. The
contents of track 3 are defined in ANSI X9.1, "American National
Standard - Magnetic Stripe Data Content for Track 3". There is a
slight contradiction in this standard, in that it allows up to 107
characters to be encoded on track 3, while X4.16 only gives enough
physical room for 105 characters. Actually, there is over a quarter of
an inch on each end of the card unused, so there really is room for the
data. In practice, nobody ever uses that many characters, anyway.
The original intent was for track 3 to be a read/write track (tracks 1
and 2 are intended to be read-only) for use by ATMs. It contains
information needed to maintain account balances on the card itself. As
far as I know, nobody is actually using track 3 for this purpose
anymore, because it is very easy to defraud.
COMMUNICATION STANDARDS
------------- ---------
ISO maintains a registry of card numbers and the issuers to which they
are assigned. Given a card that follows standards (not all of them
do) and the register, you can tell who issued the card based on the
first six digits (in most cases). This identifies not just VISA,
MasterCard, etc., but also which member bank actually issued the card.
Most ATMs use IBM synchronous protocols, and many networks are
migrating toward SNA. There are exceptions, of course. Message
formats used for ATMs vary with the manufacturer, but a message set
originally defined by Diebold is fairly widely accepted.
Many large department stores and supermarkets (those that take cards)
run their credit authorization through their cash register controllers,
which communicate using synchronous IBM protocols.
Joe Ziegler
att!lznv!ziegler
From cca.ucsf.edu!ucsfcgl!ucbvax!tut.cis.ohio-state.edu!rutgers!dptg!lznv!ziegle
Article 2307 of misc.consumers:
Path: wet!cca.ucsf.edu!ucsfcgl!ucbvax!tut.cis.ohio-state.edu!rutgers!dptg!lznv!z
>From: ziegler@lznv.ATT.COM (J.ZIEGLER)
Newsgroups: misc.consumers
Subject: Credit Card 101, Part 3 - Authorization and Settlement
Keywords: credit, banks, authorization
Message-ID: <1661@lznv.ATT.COM>
Date: 27 Sep 89 21:56:38 GMT
Distribution: usa
Organization: AT&T ISL Lincroft NJ USA
Lines: 282
THE ACCEPTER
--- --------
An important fact to note is that a card accepter does not have to get
approval for any purchases using credit or charge cards. Of course, a
merchant is usually interested in actually getting money, and so must
participate in some form of settlement process (see below). Usually,
the most acceptable (to a merchant) forms of settlement are tied (by
the acquirer) to authorization processes. However, a merchant could
simply accept all cards without any validation, and eat any fraud that
results.
There are two basic tools used - bulletins and online checks.
Bulletins may be hardcopy, or may be downloaded into a local controller
of some form. Online checks could be done via a voice call, a
standalone terminal, or software and/or hardware integrated into the
cash register.
Usually a lot of effort is taken to use the least expensive tools that
are required by the expected risk of fraud. Typically, communication
costs for authorizations make up the biggest single item in the overall
cost of providing credit cards.
For voice authorizations, the merchant ID, PAN, expiration date, and
purchase amount are required for an approval. Some applications also
require the name on the card, but this is not strictly necessary. For
data authorizations, the merchant ID, PAN, PIN (if collected),
expiration date, and purchase amount are required. Typically, the
"discretionary data" from track 2 is sent as well, but this is not
strictly necessary. In applications that do not transmit the PIN with
the authorization, it is the responsibility of the merchant to verify
identity. Usually, this should be done by checking the signature on
the card against the signature on the form. Merchants don't often
follow this procedure, and they take a risk in not doing so.
The first screening by the acquirer would be a "sanity" test, for valid
merchant ID, valid Luhn check on PAN, expiration date not past, amount
field within reason for type of merchant, etc. After that, a floor
limit check will be done. Issuers generally give acquirers higher
floor limits than acquirers give accepters, and floor limits may vary
by type of merchant. Next, a "negative file" check would be done
against a file of known bad cards. (This is essentially the same as
the bulletin.) Then a "velocity file" check may be done. A velocity
file keeps track of card usage, and limits are often imposed on both
number of uses and total amount charged within a given time period.
Sometimes multiple time periods are used, and it can get fairly
complicated.
Transactions that pass all the checks, and are within the authority
vested in the acquirer by the issuer, are approved by the acquirer.
(Note that, under the business arrangement, financial liability still
resides with the issuer.) An "advice" transaction is sometimes sent to
the issuer (perhaps at a later time), to tell the issuer that the
transaction took place.
Transactions that "fail" one or more checks are denied by the acquirer
(if the cause was due to form, such as bad PAN) or sent to the issuer
for further checking. (Note that "failure" here can mean that it's
beyond the acquirer's authority, not necessarily that the card is bad.)
Some systems nowadays will periodically take transactions that would
otherwise be approved locally, and send them to the issuer anyway.
This serves as a check on the screening software and as a
countermeasure against fraudulent users who know the limits.
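The acquirer's screening sequence described above, as an added example that is not part of the original post. The class, the limits, the merchant types and the decision strings are hypothetical, and treating every sanity-test failure as a failure of form is an assumption.

```python
from datetime import datetime, timedelta

# All limits are hypothetical values chosen for the example (amounts in cents).
FLOOR_LIMIT = {"grocery": 5000, "jewelry": 0}          # per merchant type
SANE_MAX = {"grocery": 50000, "jewelry": 2000000}      # "within reason" ceiling
VELOCITY = [(timedelta(hours=1), 3, 10000),            # (window, max uses, max total)
            (timedelta(days=1), 10, 30000)]

def luhn_ok(pan):
    """Luhn check: double every second digit from the right, sum, test mod 10."""
    if not (pan.isascii() and pan.isdigit()):
        return False
    digits = [int(c) for c in pan]
    for i in range(len(digits) - 2, -1, -2):
        doubled = digits[i] * 2
        digits[i] = doubled - 9 if doubled > 9 else doubled
    return sum(digits) % 10 == 0

class AcquirerScreen:
    def __init__(self, merchants, negative_file):
        self.merchants = merchants             # merchant ID -> merchant type
        self.negative_file = set(negative_file)
        self.velocity_file = {}                # PAN -> [(time, amount)] approved locally

    def screen(self, merchant_id, pan, expiry, amount, now):
        """Return (decision, reason); expiry is a (year, month) tuple."""
        # 1. Sanity test: failures of form are denied outright by the acquirer.
        mtype = self.merchants.get(merchant_id)
        if mtype is None:
            return "DENY", "unknown merchant"
        if not luhn_ok(pan):
            return "DENY", "bad PAN"
        if expiry < (now.year, now.month):
            return "DENY", "expired"
        if not 0 < amount <= SANE_MAX[mtype]:
            return "DENY", "amount out of range"
        # 2-4. Other failures are beyond the acquirer's authority: refer to the issuer.
        if amount > FLOOR_LIMIT[mtype]:
            return "REFER", "over floor limit"
        if pan in self.negative_file:
            return "REFER", "negative file"
        uses = self.velocity_file.setdefault(pan, [])
        for window, max_uses, max_total in VELOCITY:
            recent = [amt for when, amt in uses if now - when < window]
            if len(recent) + 1 > max_uses or sum(recent) + amount > max_total:
                return "REFER", "velocity"
        uses.append((now, amount))             # only local approvals are recorded
        return "APPROVE", "within acquirer authority"
```

The order matters: the checks that need no lookup run first, and a referral leaves the velocity file untouched, so a card that keeps being referred does not consume its own limits.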
The difference between the credit limit and the sum of holds and
outstanding balance is often referred to as the "open to buy" amount.
Once a hold is placed on an account, it is kept there until the actual
transaction in question is settled (see below), in which case the
amount goes from a hold to a billed amount, with no impact on the open
to buy amount, theoretically. For authorizations of an estimated
amount, the actual settled amount will be less than or equal to the
approved amount. (If not, the settlement can be denied, and the
merchant must initiate a new transaction to get the money.)
Theoretically, in such a case, the full hold is removed and the actual
amount is added to the outstanding balance, resulting in a possible
increase in the open to buy amount.
Some issuers are also starting to use much more sophisticated usage
checks as well. They will not only detect number of uses and amount
over time, but also types of merchandise bought, or other patterns to
buying behavior. Most of this stuff is new, and is used for fraud
prevention. I expect this to be the biggest effort in authorization
software for the next few years.
American Express does things completely differently. There are no
credit limits on AMEX cards. Instead, AMEX relies entirely on usage
patterns, payment history, and financial data about cardmembers to
determine whether or not to automatically approve a transaction. AMEX
also has a policy that a cardmember will never be denied by a machine.
Thus, if the computer determines that a transaction is too risky, the
merchant will receive a "call me" message. The operator will then get
details of the transaction from the merchant, and may talk to the
cardmember as well, if cardmember identity is in question or a large
amount is requested. To verify cardmember identity, the cardmember
will be asked about personal information from the original application,
or about recent usage history. The questions are not the same each
time. If an unusually large amount is requested, the cardmember may be
asked for additional financial data, particularly anything relating to
a change in financial status (like a new job or a promotion). People
who are paranoid about Big Brother and computer databases should not
use AMEX cards.
SETTLEMENT
----------
Traditionally, a merchant would take the charge slips to the bank that
was that merchant's acquirer, and "deposit" them into the merchant
account. The acquirer would take the slips, sort them by issuer, and
send them to the issuing banks, receiving credits by wire once they
arrived and were processed. The issuer would receive the slips,
microfilm them (to save the transaction information, as required by
federal and state laws), charge them against the cardholder's accounts,
send credits by wire to the acquirer, and send out the bill to the
cardholder. Problem is, this took time. Merchants generally had to
wait a couple of weeks for the money to be available in their accounts,
and issuers often suffered from float on the billables of about 45
days.
The problem is, what to do with the paper? Current regulations in many
states require that it be saved, but there is no need for it to be sent
to the issuer. Also, for contested charges, a paper trail is much more
likely to stand up in court, and much better to use for fraud
investigations. Currently, the paper usually ends up back at the
issuer, as before, but it doesn't need to be processed, just
microfilmed and stored.
This was pretty long, but there is a lot of information, and I skimmed
over a lot of details. Future installments should be shorter. Coming
up next is a discussion of fraud and security, and then a special
discussion of debit cards. Hang on, we're halfway through this!
Joe Ziegler
att!lznv!ziegler
WARNING
-------
A variant of this scheme is much like check kiting. Can you use your
VISA to pay your MasterCard? Well, you might be able to manage it, but
if you're doing it with intent to defraud, you can be prosecuted.
Kiting schemes typically don't last long, have a low payoff, and are
very easy to detect.
The simplest way for a third party to commit fraud is for them to get
their hands on a legitimate card. There is a large black market for
credit cards obtained from hold-ups, break-ins and muggings. Perhaps
one of the cruelest methods of getting a card is a "Good Samaritan"
scam. In such a scam, credit cards are stolen by pick-pockets,
purse-snatchers, etc. That same day, someone looks up your number in
the phone book and calls you up. "I just found your wallet. All the
money is gone, but the credit cards and your driver's license are still
here. It just happens that I'll be in your neighborhood next Wednesday
and I'll drop it off then." Since the cards are found, you don't
report them stolen, and the crooks get until next Wednesday before
you're even suspicious. If such a thing happens to you, ask if you can
come and pick the cards up immediately. A true good samaritan won't
mind, but a crook will stall you. If you can't get your hands on the
cards immediately, report them as stolen. Most issuers will be able to
get you a new card by next Wednesday, anyway.
Often stolen cards will be used for a time exactly as is. The best
tool for preventing this is verification of the signature, but this is
ineffective because most merchants don't consistently check signatures
and some people don't even sign their cards. (I guess these people
figure that all purse snatchers are accomplished forgers as well.)
Many cards will eventually be modified as the various security schemes
start catching up.
There are a lot of scams for getting people to tell their credit card
numbers over the phone. Never give your card number to anyone unless
you are buying something from them, and make sure that it is a
legitimate business you are buying from. "Incredible deal!! Diamond
jewelry at half price!! Call now with your VISA number, and we'll rush
you your necklace!!" When you don't get the necklace for four weeks,
you might start to wonder. When you get your credit card bill, you'll
stop wondering.
MERCHANT FRAUD
-------- -----
A merchant could also make copies of charge slips, to sell the PANs to
other crooks. (See above for use of PANs.) Most credit card
investigation departments are sensitive to this possibility, and catch
on real fast if it's happening just by looking at usage history of
cards with fraudulent charges.
There are many types of fraud that can be perpetrated by tapping data
communication lines, and using protocol analyzers or computers to
intercept or introduce data. These types of fraud are not widespread,
mainly because of the need for physical access and because
sophisticated computer techniques are required. There are message
authentication, encryption, and key management techniques that are
available to combat this type of fraud, but currently these techniques
are far more costly than the minimal fraud they could prevent. About
the only such security technique that is in widespread use is
encryption of PINs.
The next episode will be devoted to debit cards, and the final episode
will talk about the networks that make all this magic happen.
Joe Ziegler
att!lznv!ziegler