The convenience of making purchases or borrowing money through the use of a credit card has made credit card transactions more popular now than at any other time in history. Unfortunately, credit cards are vulnerable to fraud. Credit card fraud increases the cost of providing the convenience of credit card transactions to cardholders and merchants.
Credit cards are usually issued by an issuing bank. Issuing banks generally advance or loan a cardholder (consumer) the money that is exchanged in a credit card transaction. While the cardholder may use a credit card to simply borrow money from the issuing bank, the most common credit card transaction involves a cardholder and a merchant. The cardholder initiates the credit card transaction by permitting the merchant to charge a purchase against the cardholder's account with the issuing bank. Typically, the account is represented by an account number indicated somewhere on the cardholder's credit card.
Cardholder-merchant credit card transactions are typically executed by an electronic transfer of credit card transaction data over a data connection between the merchant and a credit card processing center. Such transaction data typically includes a sale amount, the merchant's identification number, and the transaction date. The processing center usually includes a transaction processor for executing credit card transactions and an authorization source for authorizing or declining a proposed credit card transaction. The authorization source performs or facilitates the function of authorizing or declining a proposed credit card transaction based on information about the cardholder's account. Such account information may include credit limits, security checks, card expiration dates, and the issuing bank's identification number (BIN). In short, the authorization source analyzes the account data and the transaction data to make an authorization decision about a particular transaction. Typically, the authorization process involves the communication of transaction data and account data between the processing center and the issuing bank before an authorization decision is made.
Early credit card fraud was perpetrated at the expense of issuing banks by generating bogus account numbers that were valid for the purposes of executing at least one fraudulent credit card transaction. To avoid sequential account numbers, issuing banks developed and utilized a standardized algorithm that created erratically non-sequential account numbers. By avoiding sequential account numbers, valid account numbers could be hidden among a multitude of invalid account numbers. Unfortunately, credit card thieves developed a computer program that was capable of mimicking the standardized account number generating algorithm used by credit card issuers. By using this program, valid account numbers could be uncovered and fraudulent credit card transactions could be successfully effected: a thief could simply input a known, valid account number into the algorithm and the next valid account number would be generated. The generated account number could be used to make fraudulent credit card transactions until the fraudulent activity was discovered and the account number inactivated.
Processing centers and issuing banks responded to this type of fraud by developing a security code that was a cryptographic representation of the account information for each valid account number. In the credit card industry, the security code is commonly referred to as either a Card Verification Value (CVV) or a Card Validation Code (CVC). For example, the security code of a particular credit card account may be the sum of all of the digits of the account number divided by the number of letters in the cardholder's first name. Thus, a credit card thief's knowledge of a valid account number alone was no longer sufficient to perpetrate credit card fraud.
Implementation of the security code as a prerequisite to a credit card transaction authorization significantly reduced credit card fraud. Unfortunately, many issuers still find themselves unprotected for various common reasons. One common reason is that a service misunderstanding exists between the issuer and the processing center, and the security code protection has not been enabled as a prerequisite to a credit card transaction authorization. Another common reason is that the issuer has chosen not to enable the security code protection. Whatever the reason, the absence of security code protection leaves the issuer exposed to an increased risk of credit card fraud.
Credit card thieves can determine exposed issuers by an activity referred to as "probing". Probing involves the submission to a processing center of multiple bogus credit card transactions or authorization requests, until an approval authorization is received. Each bogus transaction is transmitted to the processing center with a known, bogus security code. Because the credit card thief knows that the security code is bogus, he/she also knows that an approved credit card transaction indicates that the issuer of that account number is not using the security code as a prerequisite to authorization (i.e., the issuer is unprotected). With this knowledge in hand, the credit card thief can execute fraudulent credit card transactions using the account number and bogus security code, until the fraudulent activity is detected and the account number inactivated. Of course, other means of determining the identity of issuers that are so exposed may exist, such as in cases where inside knowledge of an issuer's security operations is passed to a credit card thief.
This kind of credit card fraud can be costly to the issuer, the merchant, and the cardholder. Additionally, many processing centers guarantee the authorization of a credit card transaction against credit card fraud. In such a case, the processing center may be ultimately responsible for any fraud. In all cases, consumers ultimately bear the burden of costs incurred through credit card fraud.
Accordingly, there is a need to overcome the limitations of the prior art by providing an early warning system for notifying issuers that they are exposed to an increased risk of credit card fraud. There is also a need for an early warning system that can provide information about suspected credit card thieves such that an investigation can be initiated to apprehend credit card thieves. The early warning system should be able to be implemented within the confines of an existing credit card authorization system, such that it has little impact on the normal operations of the authorization system.
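An added illustration, not part of the original text or of any system it describes: one way an early warning check over authorization records could flag issuers that approved a request whose security code failed, together with the sources whose failed-code requests span several issuers, as in the probing described above. The record layout, the function names, the `min_bins` threshold and every sample value are assumptions constructed for this example.

```python
from collections import defaultdict

# Constructed sample authorization records (all values made up for this example).
# Assumed layout: (issuer BIN, merchant ID, security-code result, decision).
SAMPLE_AUTH_LOG = [
    ("411111", "M-0042", "mismatch", "declined"),
    ("422222", "M-0042", "mismatch", "declined"),
    ("433333", "M-0042", "mismatch", "approved"),  # issuer ignored the bad code
    ("433333", "M-0042", "mismatch", "approved"),
    ("411111", "M-0007", "match", "approved"),     # ordinary sale
    ("422222", "M-0007", "mismatch", "declined"),  # single mistyped code
    ("433333", "M-0007", "match", "approved"),
]

def exposed_issuers(records):
    """BINs that approved at least one request whose security code failed."""
    stats = defaultdict(lambda: {"approved": 0, "declined": 0})
    for bin_, _merchant, cvv_result, decision in records:
        if cvv_result == "mismatch":
            counts = stats[bin_]
            counts[decision] = counts.get(decision, 0) + 1
    return {b: c for b, c in stats.items() if c["approved"] > 0}

def probing_sources(records, min_bins=3):
    """Merchant IDs whose failed-code requests span at least min_bins issuers."""
    bins_by_merchant = defaultdict(set)
    for bin_, merchant, cvv_result, _decision in records:
        if cvv_result == "mismatch":
            bins_by_merchant[merchant].add(bin_)
    return {m: sorted(b) for m, b in bins_by_merchant.items() if len(b) >= min_bins}

def early_warnings(records, min_bins=3):
    """One warning per exposed issuer, naming sources that look like probing."""
    sources = probing_sources(records, min_bins)
    warnings = []
    for bin_, counts in sorted(exposed_issuers(records).items()):
        suspects = sorted(m for m, bins in sources.items() if bin_ in bins)
        warnings.append({
            "bin": bin_,
            "approved_with_bad_code": counts["approved"],
            "suspected_sources": suspects,
        })
    return warnings

if __name__ == "__main__":
    for warning in early_warnings(SAMPLE_AUTH_LOG):
        print(warning)
```

The merchant with a single mistyped code is not reported as a source, because its failed-code requests touch only one issuer; the threshold would need tuning against real traffic.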