Recently, with the growing popularity of mobile wallets and contactless cards, we are seeing criminals using contactless near-field communication (NFC) acceptance as an alternative way to monetize stolen magnetic stripe data. With the number of cardholder payment options available to consumers (e.g. magnetic stripe, mobile, contact chip, and contactless chip) it is increasingly important for issuers to take a comprehensive validation approach across the different form factors and interfaces through which a payment can be made. Use of best practices for point-of-sale (POS) entry modes validation is an essential step for identifying and preventing fraud.
Criminals have learned that if proper checks and controls are not in place, then it is possible for them to submit fraudulent contactless magnetic stripe data (MSD) transactions using some of the following criminal methods.
» Fraudsters leverage mobile applications that advertise the ability to emulate Visa MSD transactions with account track data loaded into the application.
» Stolen account track data loaded into the mobile applications is typically obtained from merchant data breaches or through saved account inventory attacks.
» Fraudsters then visit brick-and-mortar merchants and use mobile devices loaded with the application data to trigger the NFC circuitry and feed the point-of-sale terminal with the fraudulent account information. If the issuer approves initial transactions, the fraudsters continue conducting transactions at multiple merchants.
Approach for Mitigating this Type of Fraud Attack
Issuers must look at a combination of data elements—including Card Verification Values (CVV), POS entry modes, merchant service codes, and/or presence of a valid token indicator—to identify conflicts.
» Ensure that the POS entry mode identifies a supported interface for the payment account and that the service code contains a valid value.
» Validate the CVV that corresponds to the POS entry mode as part of the decision process.
- Verify whether the POS entry mode, service code and card values are logically consistent.
- Decline transactions with an invalid service code such as 999 or 000 or when the acceptance channel is one not currently supported for the payment account.
- Regardless of cardholder verification method, issuers should validate all data received as part of the transaction.
- Review and implement risk strategies to decline contactless transactions on accounts that are NOT enabled or provisioned with contactless functions.
- Decline non-tokenized contactless transactions if the issuer has not issued a contactless card for that payment account.
- If the issuer supports contactless payments, always validate for Dynamic Card Verification Value (dCVV) on POS entry mode 91 transactions and decline if dCVV fails.
- If the issuer relies on the Visa Chip Authenticate Service to validate dynamic CVV, check the authentication result field and decline if authentication fails.
Verification of Point-of-Sale Entry Mode Is a Must
The POS entry mode (Field 22)—sent in each Visa transaction—tells the issuer how the transaction data was acquired at the merchant. Because the POS entry mode identifies the acceptance channel in combination with other authorization parameters, verification of this information is an essential step to identifying and preventing fraud.
The most common POS entry modes include:
» 01—Manual key entry
» 02 or 90—Magnetic stripe read
» 05 or 95—Chip read
» 07—Contactless, using chip data rules
» 91—Contactless, using magnetic-stripe data rules
The service code is a sequence of digits that—taken as a whole—allows the issuer to define various services, differentiates card usage in international or domestic interchange, designates PIN and authorization requirements and identifies card restrictions. The use of a service code is applicable to all Visa products.
Typical service code examples are:
» 101—International-use credit and debit cards
» 120—International-use credit and debit cards where PIN is required
» 201—EMV chip credit card
» 221—EMV chip debit card
» 601—Domestic-use EMV chip credit and debit cards
IMPORTANT NOTE: Service codes of 000 or 999 are not valid as identifiers of the card capability or usage, but rather are used in the calculation of CVV2 or iCVV. Therefore, service codes of 000 or 999 should not be encoded on a magnetic stripe. Visa is aware of scenarios in which either 000 or 999 has been encoded on the magnetic stripe of counterfeit cards, resulting in issuer fraud losses.
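The following is an added example, not Visa's code or any issuer's production logic, showing how the checks listed under "Approach for Mitigating this Type of Fraud Attack" can be combined with the POS entry mode and service code values above into a single issuer-side decision. The account profile fields (supported_interfaces, contactless_issued, the issuer's own service code on file) and the verification-result inputs (cvv, icvv, dcvv results supplied by the issuer's HSM or the Visa Chip Authenticate Service) are assumptions for illustration; the sample transactions are constructed.

```python
"""Issuer authorization screen: POS entry mode, service code and CVV consistency.

Added example, not Visa's code. Account-profile fields and the verification
results carried on the transaction are assumptions; sample data is constructed.
"""

# POS entry mode (Field 22) values named in the bulletin, mapped to the
# acceptance interface each one describes.
ENTRY_MODE_INTERFACE = {
    "01": "manual",
    "02": "magstripe", "90": "magstripe",
    "05": "chip", "95": "chip",
    "07": "contactless_chip",
    "91": "contactless_msd",
}

# Service codes that are only CVV2/iCVV calculation inputs and must never be
# encoded on a stripe; their presence on track data is a decline on its own.
INVALID_SERVICE_CODES = {"000", "999"}

# Which verification result the issuer expects for each interface (assumption:
# the issuer's HSM / Chip Authenticate Service has already set these booleans).
REQUIRED_VERIFICATION = {
    "manual": None,             # no track data; CVV2 is checked elsewhere
    "magstripe": "cvv",
    "chip": "icvv",
    "contactless_chip": "icvv",
    "contactless_msd": "dcvv",  # entry mode 91 must carry a passing dCVV
}


def evaluate(txn, account):
    """Return (decision, reason) for one authorization request.

    txn: pos_entry_mode, service_code, tokenized, verification (dict of results)
    account: service_code on file, supported_interfaces, contactless_issued
    """
    iface = ENTRY_MODE_INTERFACE.get(txn.get("pos_entry_mode"))
    if iface is None:
        return "DECLINE", "unrecognised POS entry mode"

    # Track-based interfaces carry a service code; validate it before anything else.
    if iface != "manual":
        sc = txn.get("service_code", "")
        if sc in INVALID_SERVICE_CODES or not (len(sc) == 3 and sc.isdigit()):
            return "DECLINE", f"invalid service code {sc!r}"
        if sc != account["service_code"]:
            return "DECLINE", "service code does not match issuer record"

    # The entry mode must name an interface the account is actually enabled for.
    if iface not in account["supported_interfaces"]:
        return "DECLINE", f"{iface} is not enabled for this account"

    # Contactless without a token is only legitimate if a contactless card exists.
    if iface.startswith("contactless") and not txn.get("tokenized", False) \
            and not account["contactless_issued"]:
        return "DECLINE", "non-tokenized contactless on account with no contactless card"

    # The CVV variant that matches the entry mode must have verified successfully.
    required = REQUIRED_VERIFICATION[iface]
    if required and txn.get("verification", {}).get(required) is not True:
        return "DECLINE", f"{required} verification failed or absent"

    return "APPROVE", "entry mode, service code and CVV are consistent"


def screen(transactions, account):
    """Run evaluate() over a batch and return {txn id: decision}."""
    return {t["id"]: evaluate(t, account)[0] for t in transactions}


# Constructed issuer record: chip card on file, wallet tokens allowed on the
# contactless interfaces, but no physical contactless card has been issued.
ACCOUNT = {
    "service_code": "201",
    "supported_interfaces": {"magstripe", "chip", "contactless_chip", "contactless_msd"},
    "contactless_issued": False,
}

# Constructed transactions, including the replayed-stripe pattern from the bulletin.
SAMPLE_TRANSACTIONS = [
    {"id": "t1", "pos_entry_mode": "05", "service_code": "201",
     "verification": {"icvv": True}},                          # genuine chip read
    {"id": "t2", "pos_entry_mode": "91", "service_code": "201",
     "tokenized": False, "verification": {"dcvv": False}},     # stolen track via NFC emulator
    {"id": "t3", "pos_entry_mode": "91", "service_code": "201",
     "tokenized": True, "verification": {"dcvv": True}},       # provisioned wallet token
    {"id": "t4", "pos_entry_mode": "02", "service_code": "999",
     "verification": {"cvv": True}},                           # counterfeit stripe, code 999
    {"id": "t5", "pos_entry_mode": "91", "service_code": "201",
     "tokenized": True, "verification": {"dcvv": False}},      # token present, dCVV fails
]

if __name__ == "__main__":
    for t in SAMPLE_TRANSACTIONS:
        print(t["id"], *evaluate(t, ACCOUNT))
```

The order of the checks matters: the service code and interface tests are cheap and rule out most replayed-stripe traffic before any cryptographic verification result is consulted, and t2 shows why the tokenized flag is what separates a legitimate mobile wallet (t3) from emulated track data on an account that has never been issued a contactless card.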
Taking a comprehensive approach to detecting and identifying payments fraud is essential for both Issuers and Acquirers in protecting themselves. With the increasingly sophisticated ways in which cardholders pay for goods and services, all players in today's payments environment need to know what protection values to look for to help mitigate attacks.