What prevents web shop owners from misusing credit card data?

Question

I don't own a credit card but read much about fraud with stolen credit cards. Since I don't own one, I don't know how you exactly buy online using your credit card, so please correct me, if I am wrong (and I hope so).

Customer choses articles in online shop and puts them into shopping cart.
Customer goes to the virtual check out.
Customer enters delivery address and his cc data(?) and sends them to the server of the shop owner.
Shop server sends the cc data the customer entered and his data and the amount to the cc card server and receives the money.
Customer receives bought articles.
The shop owner wasn't very honest and uses the cc data the customer entered to shop on other online shops (especially non-trackable goods like software licenses, ...). Since the data is the same for all shops, nobody knows which shop misused the cc data.

Why not use an one-time authentification code or token instead? For example the customer enters the cc data on the server of the cc company which sends a confirmation to the shop owner or gives a signed token (like gpg) which the user gives the shop to prove he sent the money or the shop just waits till it sees the money on its account? Since I have basic it-security knowledge you might also add technical details. So are my assumptions right and if so, what prevents web shop owners from misusing credit card data?

how would they know which shop owner did this? the common customer uses the same data in multiple shops? he wouldnt care about reimbursements because he already got the license keyor whatever he bought — sweet home, Dec 22 '14 at 17:20
@DavidFoerster Or, given that stealing credit cards is a crime, the credit card company cooperates with law enforcement and the shop owner goes to prison. — cpast, Dec 22 '14 at 19:22
if they find out it was him. But I was thinking about purchases they cannot track back to him. So he is clever enough not to use his house as delivery address ;) — sweet home, Dec 22 '14 at 19:43
There are multiple good and valueable answers with partly different information but I can only accept one. I hope the others will be rewarded by upvotes. :) — sweet home, Dec 23 '14 at 15:13
Online credit card payments are authenticated through One Time Password (OTP) sent to user's registered mobile number (RMN) / email in India. Payment succeeds only after this step. — Chethan S., Dec 24 '14 at 13:14
MasterCard and Visa now has 2FA as a standard feature as and when provided by your issuing bank. Typically this involves entering a secret code sent as SMS to your registered mobile phone or generated in a hardware token. If your bank doesn't support this yet, I urge you to demand they adopt this additional layer of security as soon as possible. — ADTC, Dec 25 '14 at 13:52
Somewhat related, but this is a problem for CC only because it's a pull payment mechanism. Bitcoin on the other hand, uses a push mechanism so fraudulent charges like this aren't possible. — greatwolf, Dec 26 '14 at 10:13

score 58 · Accepted Answer · answered Dec 22 '14 at 17:23

58

The liability for a disputed transaction falls upon the merchant for Card-Not-Present transactions. Essentially, if you dispute a transaction, if the merchant doesn't have your signature, then if you persist they will end up footing the bill. By the same token, when a CNP merchant double bills you, they're going to end up paying when you dispute the bill.

As @DavidFoerster points out, the processors and card companies track chargeback rates. They eye the statistics and, when a merchants is having too many chargebacks, they get cut off. (Usually they get booted from their processor, and go find another processor who'll charge them more for the higher risk).

The same is true with stores that re-abuse cards elsewhere. The card brands look at fraud reports and determine that these 20 fraud report cards all had Bob's Web Shack in common as a past transaction. They will then investigate Bob's Web Shack - both because it might be a bad shop owner, and because it might be a shop that's compromised. And - again - if a shop is a source of problems, they'll get cut off.

That's what prevents web shop owners from abusing the cards. They'll lose any disputes, and then they'll get dropped and be unable to process cards.

answered Dec 22 '14 at 17:23

gowenfawr

72,893
17
165
200

I should make it clear, that he wouldnt use it in his own shop but for example to shop on ebay etc. so nobody could track it back to his own shop because he doesnt use his own name – sweet home Dec 22 '14 at 17:28
9

Updated to handle that case. The card brands are smart; they go all statistical on Fraud's ass. – gowenfawr Dec 22 '14 at 17:29
4

that they all will have Bob's Web Shack in the transaction history is a valid point if he uses this with multiple cards – sweet home Dec 22 '14 at 17:32
Another little data point is the likelihood of cardowner legitimate item to purchase. As an example a cardowner buys a PC. Cardowner buys another PC from a different store, resulting in a fraud check denial. Then they will start tracing things back to see where the cards were used. – Jim B Dec 23 '14 at 00:18
2

I have triplets and buy computers in threes, and have never had a bank follow up on it :) But yes, the card brands are statistical animals, and spend much effort on sifting through their data. – gowenfawr Dec 23 '14 at 02:47
@gowenfawr more than likely your purchase history indicates that this type of purchase is normal for you. For others it is generally, in a good bank, a red flag that they need to call you. Capital One and Chase will tend to do so especially with purchases across state lines (yea went on vaca in MI, came back home to CO to buy a fridge for deer meat and Chase was calling us as we were trying to load the thing). – scrappedcola Dec 23 '14 at 15:25
4

They'll lose any disputes, and then they'll get dropped and be unable to process cards. and then they'll be investigated and likely fined according to the terms of their agreement with the payment provider. Depending on the circumstances, they'll be investigated for credit card fraud. As someone who has worked in that area before (credit card fraud prevention), I can tell you that it is much more difficult hiding your tracks than you would think. – Dec 23 '14 at 19:17
5

@gowenfawr IF you have 1 bill with 3 computers, it is OK. If you have 3 identical bills, 1 computer each, 3 seconds apart, the bank will follow up instantly – Andrey Dec 23 '14 at 22:27
1

I think it would be appropriate to quote a source for the answer, and point out in which countries / states, it's valid. Assuming USA for answers on the internet is a bit rude to the rest of the world. Specially when USA have the most dated systems and legislation on the topic of credit cards. – Claus Jørgensen Dec 24 '14 at 10:44
2

@ClausJørgensen, these are matters not of law, but of card company (MC, Visa, Amex, Discover) policy and practice. It's valid... everywhere you want to go. – gowenfawr Dec 24 '14 at 14:00
No, liability is a matter of law. – Claus Jørgensen Dec 24 '14 at 14:14
1

Liability is a legal term which is often used in non-legislative contexts. For example, as part of the (US!) shift towards EMV "The payment brand milestones include ... fraud liability shift." This is an example where the card brands are adjusting which party assumes liability based upon their (voluntary) adoption (or lack thereof) of new technology - there's no government involvement in that liability assigmment. Merchants who don't adopt EMV will assume more financial liability in fraud allegations. – gowenfawr Dec 24 '14 at 14:41

score 18 · Answer 2 · answered Dec 23 '14 at 12:59

If you do it on a large scale, you get found out

As with most crimes, there's really nothing that prevents you from doing it if you're determined, other than the risks and consequences of being found out. For small and rare events, it gets written off by the CC companies as a cost of doing business. For large or frequent scenarios, people get found out and they go to jail.

Common point of purchase

Analyzing fraud patterns is done seriously, a lot of talented people and financial resources go into doing it properly. All those risks are not new - before web shops were common, employees at various physical stores had the capability to do the same. For example, a restaurant waiter has access to a lot of cards and can misuse their data.

If it's a single time, then there are no patterns to be found out, but it's ongoing then it's not that hard to automatically determine that a bunch of misused cards share a common point of purchase and then audit that location - depending on the fraud scale this may result in actions by police or simply blacklisting the company and other future companies with same owners or management.

Furthermore, those risks are part of the reasons why it's not trivial to start a web shop where you actually get access to CC data. Often banks don't allow random small companies to accept cards online directly - they accept it with a condition that all the authorisation goes through a trusted payment gateway and your company simply gets a signed token "payment of $xxx accepted" and not the full card data. If you want to handle CC data yourself, get ready for various compliance checks.

Good point that they will accept small cases and speculate on catching the bigger ones so there will be not much value for the shop owner compared to the risk and penalties — sweet home, Dec 23 '14 at 15:03
Also good you mentioned the payment gateways which is what I thought of (alltough in my opionion it would be better the cc companies themself provided it this way by default) — sweet home, Dec 23 '14 at 15:11
As a developer, I'm a big fan of services like Stripe, where I can drop something in place and let them handle the CC data instead of me/my client. One less thing to worry about. For small web stores using WordPress-based websites, they're typically using similar plugins (woo commerce) that similarly hide those sensitive details from the owner of the site. — jleach, Apr 14 '19 at 06:40

Travis Pessetto · Answer 3 · 2014-12-22T17:20:29.337

8

To accept payments many credit card processing companies require that the code of the client be PCI compliant. I am not sure all the rules but, I do believe that it requires someone that did not write the code to look over it. With others, such as Stripe and PayPal, the credit card data never touches the shop owner's server. In the case of Stripe JavaScript submits it to them and then returns a token to the shop owners server that states that they've paid, it's gone through, and can be used for refunds.

See:

https://www.controlscan.com/support-resources-qa.php

https://www.controlscan.com/support-resources-qa.php#6

edited Dec 22 '14 at 17:20

answered Dec 22 '14 at 17:12

Travis Pessetto

670
3
6

if they are stored decryptable on your server (which you might need to process them and send them to the credit card server) it's not hard to get them from the live system or a backup or to do an SSL-Proxy/Mitm-attack while the cc data are submited – sweet home Dec 22 '14 at 17:43
1

@sweethome That is a good point if they choose that particular compliance level. I'm not familiar with all PCI standards, but I would venture to guess there is something in there for storing cc data on the server. This is just a guess from stores, like Target, being fined after credit card information was stolen. – Travis Pessetto Dec 22 '14 at 17:59
3

@sweethome For that exact reason, it violates PCI to store the CVV2 code (the security code on the card) in any form after it's validated. It can't be encrypted, can't be backed up, has to be completely deleted once it gets sent off for validation. – cpast Dec 22 '14 at 19:24
I didn't know that it isn't allowed to store all information. My (seemingly false) assumption was, that the shop owner will have the same needed information as the legitimate cc owner. – sweet home Dec 23 '14 at 15:07
1

So that's not entirely true... The card number CAN be stored, but it's not exactly simple. CVV cannot EVER be, but isn't needed after the card is verified to be legit. see: http://security.stackexchange.com/questions/59520/how-to-store-credit-card-information-for-repeated-transactions-and-still-be-pci for a big discussion on the topic. – BReal14 Dec 23 '14 at 16:11
@briansol interesting information in this link – sweet home Dec 23 '14 at 16:29
Note that the CVV and other sensitive data is allowed to be stored until after authorization, which could be hours, days, or even weeks after the purchase if the merchant batches up transactions and authorizes them after a period of time. Granted most merchants won't need to store the CVV, but it is allowed under some circumstances. – Johnny Dec 24 '14 at 00:51

score 3 · Answer 4 · answered Dec 24 '14 at 04:13

What stops them? Nothing but the consequences.

However, there are third-party processing services that larger online merchants can use who handle all the credit card transactions, and as part of their contract with the merchant, own all the liability for compromises of that data. In these arrangements, the merchant itself never sees the credit card number at all; they only get a token which can be used to bill the same card again through the third party, but is useless to any attacker. (And if the third party does get compromised and millions of numbers leaked, the merchants can wash their hands of it all.)

Of course, even when a merchant uses such a third party, end users must simply take their word for it, if the merchant even discloses this. And of course nothing would stop a corrupt employee of the third party from ripping off the numbers.

To your point, it is possible to employ crypto to secure online transactions. Digital cash cryptosystems do exist out there. But the user experience of using such a system is generally more complicated, and that's only one of many barriers to widespread adoption.

When paying to Fuzbar store, if you are only requested to enter your credentials at a Payfoo window, it can be externally proven that Fuzbar doesn't (assuming Payfoo is a trustable merchant, has its site properly implemented, etc.) Some users could be trivially tricked to think that a Fuzbar window comes from Payfoo, though. — Ángel, Dec 25 '14 at 21:25
That's a bit different architecture and business model actually. In your scenario, the third party has a relationship (i.e. an account) with the user/customer; the same account could be used with multiple merchants. In mine the credit card processing is simply outsourced to the third party; each (merchant, customer) combination is separate. — wberry, Dec 26 '14 at 03:06

score 2 · Answer 5 · edited Apr 13 '19 at 16:41

In the real life, I manage a small shop. You can pay us in person, or over the phone with a credit card.

Once the transaction is done, we can't get to "see" the credit card numbers, they are blocked, and handled by the credit card processing company.

If me, or my employees tried to save the numbers from over the phone transactions, to misuse them: I don't think it would take TOO long to figure out, that all the victims lived in the same area, and used our shop.

============================================

In an online merchant situation, I wouldn't even get to handle or see the credit card numbers. The credit card processing company would just deposit money in an account for me. I suppose, I could try to get customers to email me their credit card information, but, I don't think that too many customers would fall for that trick, lol.

The most "dirty retailers" online play with what item they sent you, or if they even sent the items, or... overcharging for shipping. They are already making some money, and they might try to disreputably make a little more.

But, as I can see it, it requires a malicious third party to intercept and misuse the credit card information.

Thanks the insider info. :-) If I understand you well, it would mean, that if one of your employee misuses the credit card data, your shop will be cut down? — peterh, Apr 13 '19 at 16:37

score 1 · Answer 6 · answered Dec 23 '14 at 10:15

1

Nowadays most web shop will redirect you to a verification page hosted by your card provider. There you need to enter a password (usually just part of it) to verify you are the owner of the card. That doesn't stop the shop owner from stealing your card details, but he cannot see the security password, preventing him to shop on websites using the verification feature.

Unfortunately not all the shops use this feature, but as more and more adopt it, using stolen card details become more difficult.

Until you shop on big companies website you are safe. For smaller, unknown shops, a good way to stay safe is using PayPal: the card details are stored on PayPal servers, or you will enter them on their page if not already registered. In this way the shop won't get your details.

answered Dec 23 '14 at 10:15

algiogia

471
3
5

So it's only shops that don't use this feature whose cc data are stolen? Alltough in the media they mostly report about big shops where I would have thought that they would care about the security of there customers – sweet home Dec 23 '14 at 12:25
Well, no. This feature just adds an extra security step: after entering your cc details on the shop website, you are redirected to the bank website for authentication. The shop can still steal your cc details, but the number of e-shop where he can use it are limited by the verification feature: they know your cc details but not your password. It sounds unlikely that Amazon CEO steal cc details, considered his salary. Small shops are usually run by a single person that can more easily "fall into temptation" – algiogia Dec 23 '14 at 14:27
I hope that also big companies will adopt to this so that underpaid IT-tech or assistant responsible for bringing out the backups or recycling old servers will not "fall into temptation" – sweet home Dec 23 '14 at 15:17

score 0 · Answer 7 · answered Dec 26 '14 at 00:01

PCI DSS is a standards compliance checklist that shops wanting to handle CC info have to adhere to. But, since the regulation isn't widely enforced worldwide, this is just like the iso standards.

In the past, the web shops would use paypal. Or phone in their purchases through their own merchant accounts with the banks. However, the risk of chargebacks, fraud through the web, made it easier to park the risk with a counterparty. Paypal and a few others were the first to take up this risk.

Now, you will see that most ecommerce sites lead you to another page with the counterparty site that handles the transactions, just so they don't have to take up the risk. This is a viable business model for most, since the web shop doesn't have to take up the cost of fraud, but might have to pay fees.

If you look at shopify's risk model, you'll find what they're doing is to go bigger than the spread of fraud through their system.

score 0 · Answer 8 · edited Dec 26 '14 at 14:14

There are a lot of factors at play here.

Firstly, payment gateway is an important component - the encrypted CC data is transferred from the users browser to the gateway. In some cases they may go via the merchant's web server to collect the transaction data (in this case all the PCI DSS standards compliance come into play), sometimes the gateway might bypass the merchant web server altogether and get the transaction data as a separate encrypted connected from the merchant server (not sure of the PCI compliances in this case).

After getting the payment info and the transaction info, they are forwarded to the bank's payment processing server which redirects it to the respective associations (Visa, Mastercard, Amex etc.) which again forwards it to the issuing bank for validation and credit limit/ account balance checks. Once validated they send a success response which follows the reverse path back to the merchant.

Coming to fraudulent transactions, most cards these days have a third layer of protection (called 3D payout)- it can either be a code/password (eg Master Card securecode etc.) or an OTP (one time password sent to registered mobile number) (eg. In AMEX and Citi cards) which the user needs to enter while the transaction hits the payment processing servers, thus minimising the risk of fraudulent transactions.

Apart from these, they track your computers IP address. I would be more concerned about the personal data that I give away to the merchant at each transaction - eg Name, DOB, Address, ph no etc. I do not know of any industry wide compliance protocols for these and hence there might be a huge chance of misuse.

What prevents web shop owners from misusing credit card data?

8 Answers8

If you do it on a large scale, you get found out

Common point of purchase