PaymentsJournal

How to Detect, and Prevent, Credit Card Tumbling

PaymentsJournal by PaymentsJournal
January 30, 2023
in Credit, Featured Content, Fraud
https://media.blubrry.com/paymentsjournal/paymentsjournal.com/wp-content/uploads/2023/01/NCR-004-001-Final-Draft.mp3

Credit card tumbling (CCT) is a subset of credit card fraud in which a hacker has some, but not all, of a customer’s information and attempts to guess the rest. The word tumbling is a reference to the tumblers, or knobs, on an old-fashioned safe, which a robber would open by listening carefully to the moving tumblers to detect a click, an indication that a code number had been reached. Today’s hackers aren’t listening to moving tumblers until they hear that click, but they are leveraging partial credit card numbers or expiration dates and continuing to guess the missing information until a purchase goes through.

It’s no surprise that CCT is top of mind for merchants, who are continually looking to offer more security and prevent such fraud from accelerating.

In a recent PaymentsJournal podcast, Alok Kumar, chief information security officer, NCR Retail & Payments; and Brian Riley, head of credit and co-head of payments at Mercator Advisory Group, discussed the threat CCT poses and offered best practices for merchants who are tackling this issue.


Preventing CCT Fraud

Detecting CCT fraud is relatively simple. It shows up when a bill is disputed by a customer who’s unaware that information has been stolen. Preventing CCT fraud before it happens is more challenging, but can be done if the appropriate precautions are taken.

“The passive way is to sit there and wait for a bill to tell you of an attack,” Riley said. “The proactive way involves a process that pre-identifies where that risk is and allows you to catch things way before the problem turns into a real big problem.”

According to Kumar, the most important aspect of a proper information security control system is to prevent CCT fraud. “Today, with many of the vendors [out there], if I go to their website, they don’t ask for a CVV,” Kumar said. “The CVV is the card verification value, which is on the back of the card. That number is not saved in any database. So even if the hacker takes the credit card info online, they never have the CVV. That’s something we need to verify every time.”  

Velocity checking, also referred to as rate limiting, is another key factor to watch out for. “You need to check and see how many attempts at a payment you’re getting per minute from the same session,” Kumar said. “Sometimes people do up to 30 tries, and there’s no reason for someone to do that many per minute.”
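
One way to implement the per-session velocity check described above, as an added example that is not code from the podcast or from NCR. The thresholds, session IDs and sample attempts are assumptions constructed for illustration; the check also counts distinct card-detail combinations, since a session cycling through guesses looks different from a customer retrying one card.

```python
import hashlib
import hmac
import os
from collections import defaultdict, deque

_KEY = os.urandom(32)  # per-process key: the limiter stores keyed hashes, not card data


def fingerprint(pan, expiry, cvv):
    """Keyed hash of the submitted card details (no raw values retained)."""
    msg = f"{pan}|{expiry}|{cvv}".encode()
    return hmac.new(_KEY, msg, hashlib.sha256).hexdigest()


class VelocityChecker:
    """Sliding-window limit on payment attempts per session."""

    def __init__(self, window=60, max_attempts=5, max_distinct=3):
        # window matches the "per minute" in the text; both limits are assumed values
        self.window = window
        self.max_attempts = max_attempts
        self.max_distinct = max_distinct
        self._events = defaultdict(deque)  # session_id -> (timestamp, fingerprint)

    def check(self, session_id, ts, fp):
        """Record one attempt and return (allowed, reason)."""
        events = self._events[session_id]
        while events and ts - events[0][0] >= self.window:
            events.popleft()               # forget attempts outside the window
        events.append((ts, fp))            # blocked attempts still count
        if len(events) > self.max_attempts:
            return False, "too_many_attempts"
        if len({f for _, f in events}) > self.max_distinct:
            return False, "too_many_distinct_cards"
        return True, "ok"


def replay(attempts, checker=None):
    """Run constructed (session, ts, pan, expiry, cvv) tuples through the checker."""
    checker = checker or VelocityChecker()
    return [checker.check(s, ts, fingerprint(pan, exp, cvv))
            for s, ts, pan, exp, cvv in attempts]


# Constructed sample: one session cycling CVV guesses every 2 s, one honest retry.
TEST_PAN = "4111111111111111"  # well-known test card number, not a real account
GUESSING = [("s1", 2 * i, TEST_PAN, "12/27", f"{i:03d}") for i in range(30)]
HONEST = [("s2", 0, TEST_PAN, "12/27", "123"), ("s2", 20, TEST_PAN, "12/27", "123")]

if __name__ == "__main__":
    for attempt, verdict in zip(GUESSING[:6], replay(GUESSING)):
        print(attempt[0], attempt[1], verdict)
```

Because blocked attempts are still recorded, a session that keeps submitting stays blocked until it has been quiet for a full window.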

Other security checks involve corroborating customer information. For example, it’s important to make sure the card number matches the address presented by the customer and that the IP address is legitimate. There are IP reputation lists published by different vendors—a merchant can subscribe to that service and verify that a customer is not coming from an IP that has already been blacklisted.

Companies can leverage these strategies in-house or outsource them. “There are a lot of third-party vendors that you can outsource the traffic to,” Kumar said. “Those companies have security services, where you can route your [customer] traffic through them. They also offer customizable solutions, blocking certain cards under custom rules, and only send the proper traffic to your website.”

Preventing CCT fraud also involves focusing on data storage. Merchants should make sure to have intrusion detection and prevention services in place, such as a firewall, antivirus, and file integrity monitoring. Databases should be encrypted, along with credit card information.

“When you’re sending credit card information to a processor for any reason, you should not leave any of the plain text of the credit card in any file, whether it’s a database or a flat file,” Kumar said. “Many people do manual processing at the end of the day. They sometimes leave log files on their computers with credit card text in them, which can be stolen.”
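
A check for the leftover plain-text card numbers Kumar describes, as an added example that is not part of the original article. It finds digit runs of card-number length in log lines, confirms them with the Luhn checksum to avoid flagging order IDs, and masks them; the log lines are constructed, and keeping the first six and last four digits is an assumed masking format.

```python
import re

# 13-19 digits, optionally separated by single spaces or hyphens
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pans(line):
    """Return (masked_line, number_of_card_numbers_masked)."""
    found = 0

    def _mask(match):
        nonlocal found
        digits = re.sub(r"\D", "", match.group())
        if not luhn_ok(digits):
            return match.group()            # e.g. an order ID: leave untouched
        found += 1
        return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

    return CANDIDATE.sub(_mask, line), found


def scan_log(lines):
    """Mask every line; return (masked_lines, 1-based numbers of lines with hits)."""
    masked, hits = [], []
    for number, line in enumerate(lines, start=1):
        clean, found = mask_pans(line)
        masked.append(clean)
        if found:
            hits.append(number)
    return masked, hits


# Constructed sample log using published test card numbers, not real accounts.
SAMPLE_LOG = [
    "2023-01-30 17:02:11 manual batch card=4111 1111 1111 1111 exp=12/27 amt=49.99",
    "2023-01-30 17:02:15 order=1234567890123456 status=ok",
    "2023-01-30 17:05:40 refund card=5500-0000-0000-0004 ok",
]

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
```

A card number preceded by other digits with only a space or hyphen between them is matched as one longer run and can fail the checksum, so treat a clean scan as a signal rather than proof.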

Another common mistake that can be easily avoided is the sending of sensitive log files to the trash folder. When malware gets into a computer, it looks in the trash folder first. People who handle credit card information daily can be trained to not leave sensitive files in the trash folder.

Overall, avoiding CCT fraud is possible with the right steps. Checking for a CVV, checking card submission frequency, and corroborating customer information are important to sniffing out fraudsters. Securing customer information via encryption and disposing of data properly are also important. Companies can implement much of this in-house or partner with organizations that specialize in these tasks. With the right plan, companies can improve their bottom line significantly by working to reduce fraud before it happens.
