Fraud Alert: Transaction Declined.
The likely incomplete list of all the ways you’re being protected from card theft and fraud
Your mundane evening was just hit with a jolt of excitement! Just as you were settling into the cozy couch cushions to relax after finishing dinner, your phone dinged!
Giddy with excitement, your mind lights up with possibilities…
Who could it be?
As you reach for your phone, dare I say, a hint of dopamine hits your brain just from the thrill of hearing that oh so satisfying ding.
You’re excited, but as you lift your phone, turning the screen towards your face, that excitement turns to dread.
You realize, this isn’t a convivial compatriot texting to talk, amiable anon liking your latest tweet, nor is it a nerdy newsletter emailing with enchanting insights.
No, this notification is from your credit card app, delivering some stomach turning news: “Transaction Declined”.
Your dread is muddied with confusion and a foreboding feeling starts to sink in as you sit up straight, gazing at your phone, wishing this notification away.
Clearly, you’re sitting down to relax. You’re not in the midst of making a purchase.
Despite your best efforts at manifestation, the notification is not going away.
Someone is trying (and failing) to use your card.
In a moment of clarity, you sigh with a bit of relief: at least the transaction was declined.
The fraudster wasn’t able to get away with their con.
But who foiled their heist, and how?
Drama aside, if you have a debit or credit card, odds are that you’ve experienced that sinking feeling in your stomach that comes with the realization that someone either has attempted or has successfully used your card fraudulently.
This week, I’ve been Nerding Out on card security. Come along as we investigate all of the ways that banks, card networks, payment processors, merchants, and a variety of other service providers work to protect your information from being stolen.
The Case for Fraud Prevention
According to the FTC, credit cards were still the #1 type of identity theft in 2023. Despite modern fraud prevention capabilities, card fraud (debit and credit) made up 42% of all incidents of payment fraud with total losses amounting to $446 million in the US alone in 2023.
Half a billion dollars, just in the US 😅.
Sounds high - but to really put in perspective how pervasive card fraud is: 2 out of every 3 card holders have had a fraudulent charge made on their account according to security.org.
You certainly don’t want to be responsible for someone else’s fraudulent charges on your account. Nobody wants to pay for a stranger’s purchases.
Yet, as a card holder, you’re more likely to be a victim of fraud than not.
With the prevalence of fraud this high, it’s almost enough to say having a card isn’t worth it. Your card issuer knows this but they want you to continue to use their product. What’s a bank to do? Lucky for them, cards are so profitable that they can instead limit your liability and guarantee that you’re protected from bearing the cost of any fraud that happens on your account.
Ultimately, the risk of fraudulent payments sits with the merchant. They’re the ones doing business so they’re responsible if they’re defrauded. This is true whether they accept a bad check, counterfeit cash, or a fraudulent card. So if your card is used fraudulently, the bank who issued your card will typically try to recoup their costs by issuing a chargeback to the merchant.
Simple in concept but there is a bit of a careful balance at play. Keep in mind, your bank charges merchants interchange fees on every transaction so while they want to keep you happy and ensure they’re not fully responsible for fraudulent charges, they’re also incentivized to keep merchants happy. Happy merchants continue to accept cards keeping the whole ecosystem running.
At the same time, your mom and pop merchant is probably VERY ill-equipped to spot a fraudulent transaction on their own. Fraudsters are good at what they do. They’re typically practiced professionals. So merchants need someone in their corner. That’s where payment processors come in. Processors see a wide variety of transactions, across many merchants. Because of their vast exposure to different transactions, they’re able to spot patterns of fraud. Consequently, they can provide merchants with tools to help better identify risky transactions.
What’s in it for the processors? Merchants know that additional means of payment reduces friction and results in more sales. They also know that they’re ill equipped to accept the variety of payments and spot fraud across all of them on their own. Consequently, they’re willing to pay payment processors for the help.
In the middle, facilitating transactions and disputes, are the card networks. Networks are tasked with setting the rules for transacting, facilitating communication, and sharing data between both sides. They charge a network fee on each transaction, so they’re also incentivized to increase the number of payments made on cards and therefore try to keep both sides happy.
Think of it like a boxing match. In one corner you have you and your bank. In the other is the merchant and their payment processor. The card network acts as the referee.
Fight!
Identity Fraud and Card Fraud
One thing that’s helpful to distinguish up front is the difference between identity fraud and card fraud.
Identity fraud would be someone using personal details about you (a username and password, social security number, address, etc.) to either open up a new card or take over an existing one.
Fraudsters don’t necessarily need to steal your identity to commit fraud on your card though. Card fraud can be committed simply with access to the details of your card (number and security code) rather than your identity. Access to these card numbers can come from data breaches, phishing, manually copying information, or a variety of other means.
It may feel like I’m splitting hairs; either way, fraudsters are getting access to your account. But the distinction is important because it starts to identify different modes of attack. To prevent identity fraud, banks specifically need to be performing checks during the account creation and account access processes. To prevent card fraud, companies across the entire payment stack need to perform checks during the payment process. In either case, companies are trying to verify that you are you and that you’re intending to take the actions requested. But the verification steps will look slightly different.
Preventing Identity Fraud
Preventing identity fraud is almost entirely on you and your bank. For cards, there are two main concerns relating to identity fraud.
Someone pretending to be you opens a new account in your name.
Someone gains unauthorized access to one of your accounts and takes it over by changing credentials and/or adding their own details to the account (e.g. adding themselves as an authorized user to your card).
When you open a bank account, your bank puts you through what’s known as a Know Your Customer (KYC) process. During the KYC process, banks need to verify at least 4 pieces of information: name, date of birth, address, and an ID number (like social security number).
If you go into a branch, they’ll likely ask for an ID, your social security number, and a second means to verify your address (a bill, or piece of mail). Physically, they can confirm that things align - does the picture on your ID match your face, are the names on the various forms of ID the same, do the addresses match. They’re likely also using digital verifications to ensure the social security number matches your name and that matches to the ID provided.
The same thing happens when you open an account online but, it’s riskier for the bank because you aren’t interacting with them in person. To make up for this, a lot of banks also check your digital footprint to see if things “add up”. For example, Plaid provides APIs for financial institutions to verify the identities of new customers. Some notable capabilities from Plaid - they can ask you to take a picture for comparison to your ID. While taking that picture, they’re looking to make sure it’s a live person rather than a photograph that someone is holding up to the camera. They’re also checking how data is entered into online forms. Fill out a form too fast and it will get flagged as a risk. Quick data entry can be a sign of someone who’s filling out a large number of forms - by virtue of the practice, they get good at it. It can also be a sign of a bot, automated to fill out the form. Plaid’s also looking at device characteristics like the IP, Network, and Browser. Signing up for a US account from Asia? It likely gets flagged.
To prevent identity thieves from accessing your existing accounts, banks employ similar measures each time you log in online or call support. We’re all familiar with the typical security questions, PIN numbers, and “verify a recent transaction” techniques, but more and more banks are employing additional security measures that are harder to spoof and contribute to an overall view of risk for a specific interaction. Schwab, among others, is employing voice recognition software when you call in. The voice recognition platforms also offer behavioral analysis tools to help alert bank representatives to fraud. Pindrop’s platform checks for spoofed phone numbers and looks at other device details to flag potentially suspicious activity.
And that’s just the phone. When you login online, similar things are taking place. Again, we’re all familiar with multi-factor authentication (where the bank sends you a text with a code to confirm your identity) and security questions. SEON provides a platform that helps prevent account takeovers by tracking IP addresses and device characteristics when you login. They also help banks monitor other behaviors that take place on accounts (like changing a lot of account information all at once) to flag suspicious activity to the banks they work with. Change your email, password, address and start spending in new places in quick succession and your account will likely get flagged to the bank that something funky is going on.
All of these checks that Plaid, Pindrop, and SEON perform for a bank or other card issuer help to verify that you are you and not a fraudster impersonating you.
Preventing Card Fraud
But what about someone who isn’t trying to spoof your identity, the actor who simply has your card information? How are they prevented from using your card?
The Physical Security of Your Card
Security starts on the card itself. Throwing it way back - cards used to not have chips or strips or even embossed lettering and to use your card, merchants would copy your card information down manually. By present day standards, this is incredibly insecure. Lots of trust was needed that merchants weren’t going to use the number for other purposes or even accidentally lose the copied information.
Over the years, cards have gone through many iterations. In fact, many features on our cards that we take for granted now, started as security features. As fraudsters learned how to game one feature, new security measures would be introduced.
One of the first evolutions was using embossed numbers and names. Prior to electronic processing, embossing provided a quicker means for merchants to copy down card information by making carbon copy prints of cards. While cards were still being manually inspected, lack of these features could be a clue that a card was not legit. One important number that remains not embossed today: the security code. If someone were to quickly take a piece of paper and scribble over your embossed card numbers, they’d miss the Security Code and would need to copy it manually if they were trying to steal your card.
Magnetic strips were created in 1970 in an effort to eliminate the need to manually copy card information but it wasn’t until 1981 with the creation of the first point of sale machine that they really became useful. POS machines enabled electronic processing which started to limit who actually had access to your card information - instead of every cashier at the supermarket physically taking your card to copy the details, numbers were kept in the machine where a limited number of people could access them.
50 years on, magnetic strips are starting to be phased out in favor of EMV chips and contactless payments which offer even better security (more on that in a second).
So, we have some insight into the security features card issuers have been baking into our cards over time, but what happens when we actually make a transaction? How is that all protected?
Purchase Protections
For purposes of preventing fraud (and assessing transaction fees), transactions are split into two categories: those where the physical card is used for payment, and those where the card is not present (CNP transactions), which happen over the phone or online.
Card Present
In transactions where you are physically present with the card at the merchant, the security protocols are much more about the physical features of the card.
When’s the last time you actually swiped the magnetic strip on your card? Signed a receipt (in a store, not a restaurant)? Many of the classic security features are starting to be phased out. Signatures started to be phased out in 2018 and Mastercard announced that by 2029 they’ll remove magnetic strips from cards altogether.
One of the big problems with magnetic strips and signatures is that they’re easy to fake. If someone can get your card number, whether by copying it manually, skimming it, or any other means, they can create a fake card with the same number and begin using your account. Signatures were also not secure - they change over time and we’ve all experienced a glitch on the machines collecting them that made the signature come out wonky. This makes comparing one signature to another a difficult and unreliable means of checking for fraud.
Instead, we’ve moved to EMV chip and contactless cards. The big benefit of these types of cards is that the card number is “tokenized”. More on tokenization in a minute. For now, what you need to know is that the number the chip presents is constantly changing. This means that when you dip or tap your card, the card is providing a number that is valid only for that transaction. If someone were to try to skim your card, the number they get would be worthless instantaneously, thus protecting your account.
Digital Wallets (Apple Pay, Google Pay, Samsung Pay, etc.)
This is a good point to talk a bit about digital wallets because they’re starting to bridge the gap between Card Present and Card Not Present transactions.
Using cards stored in these wallets is similar to using the EMV chip in your card. Your actual card number is not stored on the device, rather the wallet is storing a rotating number that’s encrypted by the card issuer or network. That number can also be specific to the device that it’s stored on. Have the same card stored on your watch and phone? Those devices will have different identifier numbers to match to the card. Lost your watch? You can just revoke that device from making payments. You don’t need the bank to issue a whole new account number and card or remove the card from your phone.
Additionally, digital wallets are typically secured by biometrics. If you want to complete a purchase, your device will typically prompt for a fingerprint, face scan, iris scan, or passcode. This means that Joe Schmo (or more likely your kids) can’t just pick up your phone and purchase things using the cards stored on it like they could with your physical card. Again, lose your device and there are layers of protection keeping your cards safe.
Digital wallets have also brought digital first cards, like the Apple Card and Samsung Money card. By being digital first, these cards have unique features that can make them more secure. For example, Apple Card does not print the security code on the card itself. It’s stored on the device. Because of this, you can adjust a setting so that the security code rotates periodically, all without having to receive a new physical card (note: this is far less useful if you use the card for subscriptions, as it will likely result in more failed payments than it’s worth).
Card Not Present
Digital wallets bridge us to Card Not Present transactions, as digital wallets can often be used for online purchases as well as in person. To be clear, the card present and card not present distinction still applies to digital wallets. Hopefully someday digital wallet payments made online will be treated more like Card Present transactions; CNP transactions cost merchants more in transaction fees due to a higher likelihood of fraud. With the added security protections, hopefully those fees can be lowered in the future.
I digress: Card Not Present security!
If a merchant is unable to see you or your card in order to verify authenticity, how do they keep the transaction secure?
Keep in mind, one result of a merchant accepting a fraudulent card payment is that they receive a chargeback and effectively had the inventory stolen. They have every incentive to try to make the transaction as secure as possible.
As I mentioned at the beginning, merchants are typically ill-equipped to spot fraud so payment processors like Stripe, Square, Shopify, and Worldpay do a lot of heavy lifting here. By virtue of processing payments across a variety of merchants, they have a lot more data to work with to identify patterns of fraud.
Fraud prevention for payment processors starts by collecting some basic information from you. These are pieces of information we’re all familiar with entering as we check out online:
Card number
Security code
Card expiration date
Name on the card
Billing address associated with the card
As you’re completing the purchase process, the separate pieces of information are submitted to the card network and card issuer to verify your identity. The card information (number, security code, and expiration date) are submitted as a primary verification of the card details (i.e. is the card even a valid card). Then, the name can be submitted as an Account Name Inquiry (ANI) to verify that the name provided matches the name on file with the card issuer. And finally, the billing address can be submitted using the Address Verification Service (AVS) to again, verify that the address given matches the address that the card issuer has on file.
On its own, this provides a good level of protection. If someone obtained your card number from a hack, they likely wouldn’t have your name or address. Additionally, if someone had physical access to your card, they’d likely still be missing your address.
However, with a little diligence, like simple social media tracking or targeted social engineering (or even a good guess), a fraudster could track down all of this information. That’s why, behind the scenes, the payment processor is looking at your behavior as you fill out this form - again, do things add up? This is very similar to the things banks look at as you’re signing up or signing into your account.
Has this card ever made a purchase from this device?
Is this device using many different cards to make purchases?
Where is the IP address making the purchase? Where is that in relation to the shipping address and billing address?
Are they using a proxy or VPN?
Is the purchase for an unusual amount?
Is the purchaser plugging in a bunch of expiration dates (like they’re trying to guess vs knowing)?
Each one of these is slightly suspicious but none of these pieces of information alone would result in a denied transaction. Combined together they start to paint a picture of the likelihood of fraud. Payment processors can feed all of this information into proprietary machine learning models which generate a score of potential fraud. Stripe has Radar, Shopify Payments has Fraud Indicators and Recommendations, Square has Risk Manager, WorldPay has FraudSight, and there’s a variety of other processors and models. Based on the rating, merchants can then either automatically reject transactions above a certain threshold, require additional verification steps, or subject the transaction to manual review before fulfillment occurs.
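To make the accumulation concrete, here is an added example (my own toy code, not Radar, Fraud Indicators and Recommendations, Risk Manager or FraudSight) that scores a constructed checkout attempt from the card verification results (card validity, ANI, AVS) and the behavioral signals listed above, then maps the score to approve, require 3D Secure, or manual review. The weights, thresholds and the simplified AVS code meanings are assumptions for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass

# Added example: a toy weighted risk score for a card-not-present checkout.
# It is NOT any real processor's model; weights and thresholds are assumptions.

# Address Verification Service results, simplified to the common response
# codes: Y = street and ZIP match, A = street only, Z = ZIP only,
# N = nothing matches, U = the issuer could not check.
AVS_RISK = {"Y": 0, "A": 10, "Z": 10, "U": 15, "N": 30}


@dataclass
class CheckoutAttempt:
    card_valid: bool             # number, security code and expiry accepted by the issuer
    name_match: bool             # Account Name Inquiry (ANI) result
    avs_code: str                # Address Verification Service response code
    device_seen_with_card: bool  # has this card paid from this device before?
    cards_on_device_24h: int     # distinct cards used from this device in the last day
    ip_country: str
    billing_country: str
    shipping_country: str
    uses_proxy_or_vpn: bool
    amount: float
    customer_avg_amount: float   # 0.0 when there is no purchase history
    expiry_attempts: int         # distinct expiry dates tried for this card this session


def score_attempt(a: CheckoutAttempt) -> tuple[int, list[str]]:
    """Return a 0-100 risk score plus the signals that contributed to it.

    No single signal decides the outcome; they accumulate, which is the point
    the article makes about these checks.
    """
    if not a.card_valid:
        # A card that fails primary verification never reaches the behavioural checks.
        return 100, ["card details rejected by issuer"]

    score, reasons = 0, []

    def add(points: int, why: str) -> None:
        nonlocal score
        score += points
        reasons.append(why)

    if not a.name_match:
        add(20, "name does not match issuer record (ANI)")
    avs_points = AVS_RISK.get(a.avs_code.upper(), 15)
    if avs_points:
        add(avs_points, f"address check not a full match (AVS {a.avs_code})")
    if not a.device_seen_with_card:
        add(10, "card never used from this device")
    if a.cards_on_device_24h > 3:
        add(25, f"{a.cards_on_device_24h} different cards from one device in 24h")
    if a.ip_country != a.billing_country:
        add(15, f"IP country {a.ip_country} differs from billing country {a.billing_country}")
    if a.shipping_country != a.billing_country:
        add(10, "shipping country differs from billing country")
    if a.uses_proxy_or_vpn:
        add(10, "connection via proxy or VPN")
    if a.customer_avg_amount > 0 and a.amount > 3 * a.customer_avg_amount:
        add(15, "amount far above this customer's usual spend")
    if a.expiry_attempts > 2:
        add(30, "multiple expiry dates tried (guessing, not knowing)")

    return min(score, 100), reasons


def decide(score: int, approve_below: int = 30, challenge_below: int = 70) -> str:
    """Map a score to the three merchant options named in the article.

    The thresholds are the merchant's choice; a low challenge threshold is
    cheap insurance because 3D Secure shifts fraud liability to the issuer.
    """
    if score < approve_below:
        return "approve"
    if score < challenge_below:
        return "require_3ds"
    return "manual_review"


if __name__ == "__main__":
    # Constructed sample attempts: a regular customer and a first-time buyer abroad.
    routine = CheckoutAttempt(True, True, "Y", True, 1, "US", "US", "US", False, 40.0, 50.0, 1)
    dubious = CheckoutAttempt(True, True, "Z", False, 1, "CA", "US", "US", False, 60.0, 50.0, 1)
    for label, attempt in (("routine", routine), ("dubious", dubious)):
        s, why = score_attempt(attempt)
        print(label, s, decide(s), why)
```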
Additional verification steps? But Eric, what more could I possibly provide short of uploading a picture of my ID or putting in my social security number (which I have no desire to do for this random merchant)?
Enter 3D Secure.
This is essentially Multi-Factor Authentication (MFA) by a different name. If the merchant decides that the transaction should go through the 3D Secure process, you’ll typically see one additional screen during the checkout process. Behind the scenes, the payment processor is prompting your card issuer to verify your identity. Typically they’ll do this by sending you a code via text or email, though it could be a prompt to confirm the transaction in your credit card’s mobile app. From there you’ll enter the code (or approve the transaction) and the payment processor will approve the transaction.
Now, if you were trying to commit fraud, the likelihood that you would have access to credit card details as well as the victim’s texts or emails would be extremely low. So if you encountered a 3D Secure prompt, you’re likely stuck. Someone in this position would need the five pieces of personal and card information listed above and access to your email, texts, or banking app. While it’s up to the merchant to set their threshold to activate 3D Secure, it further raises the bar for criminals trying to fraudulently use your card. Further, once 3D Secure is activated, the liability for fraud shifts from the merchant to the card issuer, basically implying that merchants should have a pretty low threshold for submitting transactions for 3DS verification.
When in doubt: verify.
After you “Buy”
Ok, we’ve made it through the purchase process. Now this random merchant has my card info. GReAt.
Just what we all want - another firm that’s storing our card information that could be subject to a cyber attack where our credit card is compromised.
The situation may not be as dire as it used to be. Major payment processing platforms and storefront platforms (which offer payment integrations) have grown in popularity since 2010. Prior to the launch of these platforms, when making purchases online, you were often trusting merchants directly to protect your information.
PCI Compliance
Why are major players important to your card security? PCI.
The card networks (Visa, Mastercard, American Express, Discover, JCB, and Unionpay) got together and formed the Payment Card Industry (PCI) consortium. The consortium was formed largely because of the lack of standards for processing and storing card information online. In 2004, the group launched their first set of standards which are known as the Data Security Standards (PCI DSS). Today, the group has evolved to include members from major merchants (like Walmart), card issuers (like Chase), payment processors (like Toast), and identity verification services (like IDEMIA). Additionally, the set of standards have evolved to version 4.0 to reflect the current state of online payments and fraud (incorporating things like digital wallets, and new anti-fraud methods).
Why does this matter to you, dear card holder? Well, in the early 2000s, before set standards and major (online) payment processors were created, you were basically trusting the merchant to comply with PCI and protect your card information. Now, as I talked about in “Interfaces & Services & Rails, Oh My!”, the responsibility has been outsourced to a company that specializes in detecting fraud, complying with PCI standards, and protecting your card information.
PCI specifically mandates that firms processing card data adhere to 12 (simplified) requirements. Most notably that they have protections on cardholder data - including policies on disposing of old data, limiting the amount of information that is stored, and not storing certain pieces of information at all. Additionally, they must encrypt cardholder data when sending it over the open internet. Lastly, they must submit to an audit every year to verify that they’re complying with all the standards.
So, assuming the site you’re using is PCI compliant, they’ll be encrypting your information as they verify it. Additionally, once the card information is verified, they’ll delete a good amount of the information that they collected in the first place.
Tokenization
That brings us to tokenization (see, I promised I would come back to it). I noted previously that EMV chips, tap payments, and digital wallets could all provide a randomized card number to complete a transaction rather than your actual card number when paying in person. The same is true when paying online… almost.
When you click “buy”, one of the first things a payment processor can do is submit your card number for tokenization. Companies like VGS provide a service called a Vault that collects credit card numbers and provides corresponding “tokens” (again, the encrypted card numbers that match to your actual credit card). They’ll send the token back to the payment processor and/or merchant. From there, the processor and merchant will typically do away with your actual card number and rely on the Token Provider should they need to track down your payment information again (e.g. for a recurring subscription or to issue a refund).
Token Providers have their own set of security standards that they need to comply with as prescribed by PCI (given they’re collecting a lot of highly sensitive card information).
The same is true when paying online… almost.
Why the “almost”?
When you use a digital wallet, EMV chip, or contactless payment, you’re in control. You are choosing to use a protocol that’s using a tokenized version of your card number. Online, that’s not the case. The merchant and payment processor have to opt to tokenize your card number for you, which they may or may not do.
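As an added illustration (my own toy code, not VGS’s Vault API or any network token service), here is a vault that exchanges a card number for a token: multi-use tokens model what a merchant keeps for subscriptions and refunds, and single-use tokens model the per-transaction number an EMV chip or wallet presents, which is refused if replayed, as in the skimming scenario above. The card number used is a standard test value, not a real card.

```python
import secrets
from dataclasses import dataclass

# Added example: a toy card vault. The PAN 4111111111111111 is a standard
# test number, not a real card.


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: the first sanity check a vault runs before storing a number."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) != len(pan) or not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class TokenRecord:
    pan: str
    single_use: bool
    spent: bool = False


class CardVault:
    """Holds real card numbers; merchants and processors only ever hold tokens."""

    def __init__(self):
        self._records = {}    # token -> TokenRecord
        self._reusable = {}   # PAN -> its one multi-use token

    def tokenize(self, pan: str, single_use: bool = False) -> str:
        """Exchange a PAN for a token.

        Multi-use tokens model what a merchant stores for subscriptions and
        refunds; single-use tokens model the per-transaction number an EMV chip
        or digital wallet presents, which is worthless once spent.
        """
        if not luhn_ok(pan):
            raise ValueError("not a well-formed card number")
        if not single_use and pan in self._reusable:
            return self._reusable[pan]            # same stored card, same token
        token = "tok_" + secrets.token_hex(12)    # random; derives nothing from the PAN
        self._records[token] = TokenRecord(pan, single_use)
        if not single_use:
            self._reusable[pan] = token
        return token

    def last4(self, token: str) -> str:
        """The only card data a merchant needs in order to show the customer."""
        return self._records[token].pan[-4:]

    def redeem(self, token: str) -> str:
        """Return the PAN for authorisation with the issuer; only the vault calls this."""
        rec = self._records.get(token)
        if rec is None:
            raise KeyError("unknown token")
        if rec.single_use:
            if rec.spent:
                raise PermissionError("single-use token already spent")
            rec.spent = True
        return rec.pan


def replay_rejected(vault: CardVault, token: str) -> bool:
    """True if presenting `token` again is refused, as a skimmed single-use number would be."""
    try:
        vault.redeem(token)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    vault = CardVault()
    stored = vault.tokenize("4111111111111111")            # what a merchant keeps
    tap = vault.tokenize("4111111111111111", single_use=True)  # what a chip would present
    print("merchant sees:", stored, "ending in", vault.last4(stored))
    vault.redeem(tap)
    print("replaying the tap token is rejected:", replay_rejected(vault, tap))
```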
Behind the Scenes
While the payment processors are doing a lot of the heavy lifting in the transaction, the role of the card networks can’t be overstated. They influence and enable security best practices in all of this:
EMV - Card networks.
ANI - Card networks.
AVS - Card networks.
3DS - Card networks.
PCI - Card networks.
Tokenization Standards - Card networks.
But it goes even further. Banks and Card Networks also work together to provide data on known fraudulent transactions to help identify new potentially fraudulent transactions as they take place.
Let’s say a fraudulent transaction actually made its way through on your card. You flag it to your credit card company and they remove it from your account. End of story, right?
Wrong.
Your bank actually reports it to the card network, potentially looking for a chargeback from the merchant. The card network in turn creates a report. Visa calls these reports TC40s, Mastercard calls them Systems to Avoid Fraud Effectively (SAFEs). These reports contain information on the transaction - the merchant, bank information, time, location, etc. While they sound pretty straightforward, they’re incredibly useful because fraud tends to cluster.
A specific merchant has a large number of reports because they’re selling counterfeit goods
A specific merchant has a large number of reports because they were recently hacked
A specific card has been flagged for theft, resulting in a high number of fraudulent transactions in a short period of time
The card networks provide these reports to payment processors and other fraud detection firms, who feed them into their ML models as additional data for detecting fraud.
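To show why clustered reports are so useful, here is an added example (constructed data and a simplified record layout of my own, not the real TC40 or SAFE format) that groups reports by merchant and by card and flags the bursts the three scenarios above describe.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

# Added example: mining fraud reports for clusters, in the spirit of how the
# article says TC40/SAFE data is used. The record layout and the sample rows
# are constructed for illustration, not Visa's or Mastercard's real format.


class FraudReport(NamedTuple):
    card: str            # a token for the card, never the PAN itself
    merchant: str
    reported_at: datetime
    amount: float


def load_reports(rows):
    """Build FraudReport records from (card, merchant, ISO timestamp, amount) rows."""
    return [FraudReport(c, m, datetime.fromisoformat(ts), a) for c, m, ts, a in rows]


# Constructed sample: one merchant drawing reports from many cards over a month,
# one card drawing reports at many merchants within a morning, plus background noise.
SAMPLE_ROWS = [
    ("card_1", "M-100", "2024-03-01T10:00:00", 120.0),
    ("card_2", "M-100", "2024-03-03T14:30:00", 80.0),
    ("card_3", "M-100", "2024-03-10T09:15:00", 210.0),
    ("card_4", "M-100", "2024-03-20T18:45:00", 95.0),
    ("card_5", "M-200", "2024-03-05T12:00:00", 40.0),
    ("card_9", "M-300", "2024-03-07T08:00:00", 300.0),
    ("card_9", "M-400", "2024-03-07T08:40:00", 150.0),
    ("card_9", "M-500", "2024-03-07T09:20:00", 499.0),
    ("card_6", "M-600", "2024-01-15T11:00:00", 60.0),
]


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any single span of `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1                # slide the window forward
        best = max(best, end - start + 1)
    return best


def clusters(reports, field, window, min_reports):
    """Group reports by `field` and keep the keys whose densest window is big enough."""
    by_key = defaultdict(list)
    for r in reports:
        by_key[getattr(r, field)].append(r.reported_at)
    flagged = {}
    for key, times in by_key.items():
        n = max_in_window(times, window)
        if n >= min_reports:
            flagged[key] = n
    return flagged


def risky_merchants(reports, window=timedelta(days=30), min_reports=3):
    """Merchants piling up reports: counterfeit sellers or a shop that was breached."""
    return clusters(reports, "merchant", window, min_reports)


def compromised_cards(reports, window=timedelta(hours=6), min_reports=3):
    """A card hit at several merchants in a short burst: a stolen number being run up."""
    return clusters(reports, "card", window, min_reports)


if __name__ == "__main__":
    reports = load_reports(SAMPLE_ROWS)
    print("merchants to watch:", risky_merchants(reports))
    print("cards to block:", compromised_cards(reports))
```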
Another point for the card networks.
Fraud Detection Firms
Speaking of fraud detection firms, I’d also be remiss if I didn’t talk about the risk platforms underlying the whole payment stack. We talked about the ML models that banks and payment processors are using to prevent fraud - there are companies that specialize in building those models. Sardine is a great example. They provide a fraud and compliance platform to firms across the payment stack to help get to transaction approval or denial.
Assuming a fraudulent transaction has made its way through this gauntlet of checks and somehow still been approved, what’s your card issuing bank doing?
The Role of Banks
To convince you that your card is a safe way to spend money, the card issuers (the bank) typically guarantee that you’ll be held harmless for fraud on your account. If you report something as fraud, they’ll bend over backwards to clear the transaction from your account.
While banks rely heavily on the card networks to collect data and prevent fraudulent transactions, the banks have also started to provide a number of features to help you prevent fraud or at least alert you to it sooner.
Probably the most popular at this point is simple alerts. Many banks let you set up custom notifications that can be sent via text, app notification, or email. Many banks take this a step further by also alerting you if the ML models that they’re running behind the scenes catch something that’s suspicious. Discover, for example, provides both types of alerts. Want to know if a transaction is made on your card for more than $100? Set up an alert. Want to be notified if something changes on your account (like your email or address)? You can set up an alert for that too. And if Discover finds something suspicious, they’ll notify you via text and ask you to confirm whether the transaction is legit or not.
Another widespread capability from your bank is card control - the ability to lock and unlock your card. American Express calls this feature “card freeze”. While traditionally this feature is used if you lose your card, there’s no reason why you can’t default your card to locked and only unlock it when you’re shopping (though that may be overkill and more annoying than it’s worth. YMMV).
Getting into more niche features, Chase provides a tool that allows you to see all the different places your card information is stored, from merchants who have your card saved in order to process recurring payments, to the digital wallets that you use. If you learn of a data breach, this can come in pretty handy as a one stop spot to see if your Chase card information may have been on file and preemptively request a new card to avoid headaches later.
We’ve talked about the importance of tokenization, randomization, and placeholder card numbers. Similar tech is also making its way into the banks. Capital One has a feature that allows you to create virtual cards that can be assigned for use at single merchants online. There are effectively two layers of protection here. First, if the virtual number is compromised, it’s easy to turn off without having to get a whole new card and account number from your bank. Second, the virtual number is only valid for purchases at a single merchant. If someone attempts to use the virtual card number elsewhere, Capital One automatically declines the transaction. Pretty neat.
Your Role
As you apply for and use cards, companies all along the payment stack are trying to protect your card information from being used fraudulently. As your bank has probably let you know, there is still a role for you to play in securing your card too.
Utilize the features that your bank provides. They’re there to protect you.
If you lose your card, call your bank. In the grand scheme it’s much easier to get a new card number than deal with fraud later.
Use reputable sites that work with reputable payment processors - they’re likely to be PCI compliant and use tokenization, protecting your information from future data breaches.
If you notice suspicious transactions, flag them as soon as possible. This creates data to help feed the whole ecosystem that’s trying to find patterns of fraud. ✨Teamwork makes the (fraud free) dream work✨
Who knew that high stakes boxing match (remember: you and your bank, the merchant and their payment processor, the card network as the referee) was actually more of a friendly game of tennis doubles? There’s still liability being passed back and forth, but there’s also a lot of information being shared to help prevent fraud throughout the whole system.
Fraud prevention is BROAD. What’s more, by nature, it’s a secretive practice. Companies trying to protect us from fraud don’t want to say too much about their tactics, because knowledge of the tactics enables criminals to think up ways to get around them.
So what did I miss? What other fraud prevention mechanisms are out there?
Thank you so much for Nerding Out with me this week. I hope this gave you some insight into how your card is being protected. If you found this insightful, forward it on to a friend.
If you’re not already subscribed and want to get additional bi-weekly notes on Fintech, Data, and Systems, you can do so here: