This page last updated  2010 Jan 26
see also
INTRODUCTION The big three credit card companies welcome e-business for the simple reason that in these early stages of the first decade of the new millenium, the primary way that people buy products online in B2C situations is with a major credit card - which is good for the credit card business. What worries these credit card companies is
  • the continued concerns of internet shoppers over security
  • there have been some widely spread stories of hackers that stole credit card info over the net
  • credit card purchases online are still a relatively small percentage of total consumer credit card purchases
  • the threat from new types of payment systems
  • rapidly rising numbers of charge backs
Visa, Mastercard and Amex have been incurring big losses due to credit card fraud and charge backs. Most of the charge backs have been related to customers of adult web sites and gambling sites who later withdraw from a service and find it difficult because the web site keeps debiting their card. This has become such a big problem that Visa, Mastercard and Amex have had to hire many many people to deal with incoming telephone complaints from customers. - at the same time  they have become much more stringent in evaluating new companies who would like to get a merchant account so they can charge customers credit cards.
Influences of the Political Legal / Regulatory Environment

update Nov 2004

Even though the government says online gambling is illegal in the U.S., an estimated 80 percent of worldwide gambling revenues come from U.S. players. U.S. players are logging on to Internet gambling sites based in other countries -- including the UK -- where they are legal. ran a story in November 2004 about how gambling sites are developing new promotional angles, in the meantime, the credit card companies are trying to protect their customers from fraud, chargebacks etc. 
"The U.S. authorities have been trying to crack down on online gambling sites (wherever they may be based) for years, and have put increasing pressure on U.S. companies involved in running or providing services to such sites. Major U.S. credit card companies now refuse to process transactions for such sites, while U.S.-based site owners and search engine companies, including MSN, Yahoo and Google have stopped taking their advertising. "
Credit Card scams


Credit Card scams


. Mazaher J. BCS 555 student in Oct 2003, sent us a story from ABC News about credit card skimming.
"Skimming is costing credit card users stateside and worldwide millions in phony  charges, as stolen clones are sold and used in the United States and elsewhere  around the globe." 

According to Samira Beavis, writing for ABC News, " The practice took off in the United States several years ago and is beginning to approach the scale of fraud that plagued credit cards in the early 1990s before new  precautions were taken, according to Gregg James, a special agent with the Secret Service's Financial Crimes Division in Washington.


Beavis explains
" Here’s how the scam is run. Criminal gangs recruit gofers, who then find temporary work within restaurants, hotels and retail outlets. The recruits are given small, illicit,  electronic devices known as skimmers that capture all of the credit or debit card’s details in the few seconds that it takes to swipe the card through the machine.

When unsuspecting customers go to pay their bill, their card is first swiped through  the legitimate credit card machine, but then, secretly, it is also swiped through the  smaller skimmer machine.  The gofers then pass the gadgets onto counterfeiters, who pay them the equivalent of around $150 for their part in the crime. Once the details have been given to counterfeiters, they download the information onto a computer and make up a fake card.

The "cloned" card is embossed with the details of the victim’s credit card and passed on to gang members who, police say, may sell it for between $400 and $700,  depending on the perceived credit limit."

. Credit Card Skimming
University of Toronto (UTM) students Bashir K., and Jawad K., and Nomaan C. in MGD 415 in March 2008 created a kewl video in which they describe several components of how Skimming a credit card can lead to an Identity Theft situation. Watch the video carefully.

Often skimming is done at gas stations or restaurants, since those are the places that hire people who work for minimum wage, - and many times such businesses don't bother doing background checks cause the employees are mostly part-timers.

b Social Engineering / Identity Theft - example of 2 techniques
1 - cross contamination re: RFID
2 - skimming Credit Cards
University of Toronto (UTM) students in MGD415 in early April 2009
Altin E, Trevor G
Mark Teh-Yu H, Gianmarco R
Nicholas S, Tiffany (Wutang) W.
created an informative video in which they mixed in  Social Engineering tricks and Skimming which lead to an Identity Theft situation
also posted at
m Identity Theft - example of 
 - skimming Credit Cards at a gas station

from Seneca students in BCS555 in 2009

video created by Mark D.
It is quite a long drama the way they play it out, and very realistic to what actually happens in such a "skimming" situation, watch closely for the DOUBLE SWIPE

Skimming Prevention Tips
1. I (WTGR) always pay cash at gas stations, it is faster to lay down one or two twentys instead of waiting in line anyway - and with gas prices so high, nobody puts a lot of gas in anyways these days.
2. If you do use the card, don't let the attendant take it out of your hand (sometimes they just rudely grab it) and swip it on their keyboard, insist on swiping it on the terminal passed to customers.
3. At restaurants, don't put your card on the little tray they sometimes bring out, instead, walk back to the cash register and swipe it yourself, this way you can make sure it is not being swiped twice.
- ways small merchants can protect themselves

- ways small merchants can protect themselves

student Alice C. in BCS 555 in Sept 2004 emailed Prof. Richardson to say

"I found this interesting site about how to protect your business from credit card fraud.  It gives businesses some tips on what to check when 
consumers make purchases on their site."

Witiger says "Thanks Alice, a lot of the info we have is about how to protect the cardholder, but also want to know how to spot fakes so if we are a small business we do not get ripped of"
- ways small merchants can protect themselves
PowerHomeBiz provides a list of steps to protect a business that wants to accept credit cards for payment

1. Subscribe to checking systems offered by your bank
2. Manually verify the address
- if the address on the card does not exist, it is fake
3. Call the cards' bank
4. Watch the email address - hotmail and yahoo mail can be easily faked
5. Call the cardholder
- which means they have to provide a telephone number
6. Be cautious of bulk orders
7. Shipping and billing address should match


- chip based cards

Dana Flavelle, Business Reporter for the Toronto Star, wrote a piece in The Star
Jan 30th, 2007 titled
"Chip-based cards may cut fraud"

Flavelle writes "Credit and debit cards embedded with computer chips have virtually wiped out the kind of security breaches that compromised millions of cards used at Winners and HomeSense stores in Canada, industry officials say. But it will be another three years [from Jan 2007] before the cards are widely available in Canada."

Mais G., BCS 555 student in Sept 2004, sent us a story from E-commerce Times about how credit card hackers sell stolen credit cards online in chat rooms.

Another good example of how the technology of the Internet is being used to facilitate crime ! - WTGR

"Credit-Card Hackers Swap Tricks Online"
By Dinah Greek posted online July 28, 2003 
Greek says "  Thieves are using chat rooms to sell stolen credit-card details and advise others how to hack Web sites containing credit information, security experts have warned. Groups using Internet relay chat (IRC) are playing a growing role in online credit-card fraud."

The thieves are also using advanced techniques to ascertain critical information about the stolen card numbers. Greek explains "Software programs can determine which bank issued a card, harvest the three-digit card verification number and  even let thieves determine the available credit-card limit. They can check a card number's validity and personal information about its owner. "

The thieves are not getting away with this completely, they are being tracked by Dr. Bill McCarty and his students at Azusa Pacific University who call their project the Honeynet Project.

see also

Credit Card scams

Identity Theft

"real example"


Natalie, a BCS 555 student in Dec 2003, sent us a story about how her Aunt was  tricked out of a credit card. Apparently some person had applied for a credit card in the name of her Aunt, and they used it fraudulently. The sequence of the story is illustrated below so you can understand that this really does happen and it happens often enough that chances are it will effect you, or one of your fellow students.

here is the story in Natalie's words
"On Tuesday October 21, 2003, my aunt received a call from Scotia Bank. 
The bank was calling her informing her that they saw that she had received her new Visa card. To my aunts’ surprise, she started to question the representative because she had not done business with Scotia Bank in over a year. She had bought a brand new van in 2002, got a loan from Scotia Bank to finance the van but paid off the balance in cash months after the loan, since she had sold her house and moved to another one. She was informed by the bank that they had issued her a Visa card that she applied for with a $7600 limit and that she activated the card on October 13th, made purchases totaling over $800 on the same day, took $1000 cash advanced on the 14th and another on the 15th.As furious as my aunt was, she started asking the representative some questions.  She asked her the maiden name that was given when the application was filled out and it was a different maiden name that the bank had in their records. This should have been the 1st red flag for the bank. The second was that on the application that was completed, they put the previous name of the company that she works for; her company had a name change just after she had the load to finance the purchase of her van and she sent them a letter in writing informing them of the name change. This information was in her records but the bank was so eager to send her a card that they didn’t even do a complete background check. It turned out that someone had applied for a Visa card from Scotia Bank in her name, had it sent to an address in Ajax (she lives in Brampton), had a Drivers License in her name and also a SIN card. How they got all of the info is a mystery. I am still puzzled about how all of this happened. The case is still under investigation. The fraud investigators gave her some points
   o Never put your SIN number on a job application, 
   o Once you have received the job, then give then your SIN number.
   o Avoid doing telephone/web banking. (though a lot of people do this safely)
   o Never throw out your bills that contain your card numbers on them, always shred them."
Credit Card 



Edward S. a BCS 555 student in November 2005 works at Rogers Wireless and provided some perspective on credit card features designed to prevent fraud

Ed sent an email to Prof. Richardson Nov 2nd, 2005 in which he said;

"I did more research today on our case study and I found out something that you may want to add to your website. IT goes under credit card, and probably credit card fraud
Basically this just says to prevent credit card fraud and theft, all the major credit card companies are adding these security codes onto the card, which you can ONLY find on a real credit card.Even if a thief has your credit card number, they probably didn't have enough time to write down the security code that might be embedded at the back or front of the credit card. I work at Rogers Wireless, and I know that all credit card payments, and credit checks that deal with credit card will require that security code that is only found on the card, and will only processed if the correct security code is entered!
Hope that helps!"


Chpt 14


Creating Stores on the Web Chpt 14, "Payment Acceptance and Processing"

Lowering your merchant rates

"VISA and Mastercard take a cut of between two and three percent of each sale and American Express takes even more... As you begin to sell a higher volume, your rates will go down"

VISA and Mastercard are the most popular cards on the Net, Amex is also one of the "big three" but some people say it is not too popular with vendors because they claim not only does Amex charge the merchants more, but they also take longer to pass the money on to the merchant.


"Your rates are also effected by the amount of fraudulent charges that are run through your store."

Reducing the number of times you have charge backs - will contribute to lowering your rate.

Credit Card 

Competition ??

"Visa and MasterCard hold a 75 percent share of the general-purpose credit and charge card network market in the United States. In large part because board members of one serve on the governing  committees of the other, Visa and MasterCard   effectively act as a single entity, and have conspired to limit competition in the U.S. card industry.”
from the AMEX web site which also gleefully describes the current U.S. Justice Dept. case against VISA and MasterCard
Harvey Golub, chairman and chief executive officer of American Express...“Visa and MasterCard’s  anticompetitive behavior has damaged the interests of consumers; eliminated banks’ freedom of choice to carry out business as they see fit; increased operating costs to merchants, particularly in the debit card arena;  and retarded innovation in the credit card industry.”
What you should look for in reading the material in these next few boxes is information about new products the big three are bringing out as they forecast what the new payment processes are moving towards. Also, look for ways they are trying to reinforce use of their existing product mainstays - the credit card, at the same time hedge their bets by striking alliances with new situations..


Visa's section on their web site titled "Internet shopping" unfortunately is not about the business aspects involved but simply a portal to a lot of web sites were you can buy product using your Visa card

Electronic Wallets are one of the new  features being used in electronic payment systems, unfortunately, the link on Visa's site which is supposed to explain this was down in August 2000 when we first checked

"Visa Sets new security rules for online purchases"
title of Reuters story Aug 10th, 2000

Visa announced it was setting 10 new security rules for transactions done over the internet
(later changed to 15 rules in 2003)

These rules are in effect things which merchants (who handle Visa cards) must do or Visa will withdraw their merchant account. The rules are aimed at making sure these merchants have more stringent security processes as well as better encryption etc.

Read about Visa's product "Visa ePay"
One of the selling points of this product, targeted at vendors who want a better way of collecting money, is that , your customers' financial   institutions secure funds from their accounts before sending payment orders to your financial institution. This authorization and settlement of transactions in good funds  means payment assurance and one-time processing 

kewl partnerships
Visa has partnered with Palm. "The Palm VII organizer uses a wireless radio transmitter and web clipping technology along with the new Palm.Net(sm) service to let users get information, conduct e-commerce transactions, and perform instant messaging...Visa's ATM Locator pinpoints the location of any of Visa's 531,000 ATMs in 120 countries worldwide."

Single-use credit card numbers

"... By mid-October,[2000] consumers will be able to obtain a number  from a secure Web site and use it - just once - to buy from any online merchant  accepting Visa."

full story from Rachel Ross, Toronto Star Technology Reporter 

On this page, Mastercard had an interesting little demo about how e-wallets work plus they have a link to another page that has some very good explanations of the fundamentals of e-wallets, including points explaining the difference between Server Based and Client Based systems

2006, Mastercard have a product called Tap N Go™
" The MasterCard PayPass card has built-in chip and antenna technology, as well as a standard magnetic stripe. The card and specially equipped PayPass terminals communicate payment card details using very short range radio waves."
AMEX AMEX use of Digital Certificates
"AMEX currently offers a blue card embedded with a smart chip containing a digital certificate.  "Smart chip technology is very  flexible, and we specifically designed the blue card on a multi-application platform," says  AMEX spokesperson Molly South. 

The card is inserted into a free smart card reader plugged into the user's computer.  The card, together with a PIN number, allows consumers to buy on the Net using their certificate. The card allows access to an online wallet, which contains information such as shipping and  ordering preferences.  This information is automatically transmitted to the merchant's online  order forms.  The system provides instant user-friendly security for both consumer and  merchant.  AMEX officials are hoping it will encourage more widespread consumer  acceptance of online shopping.  Initiatives like this could, however, eventually become the  thin edge of the wedge for developing a universal digital signature for individuals."

by Paul Zaleski, a reporter and staff researcher for Offshore Finance USA magazine.

AMEX Single-use credit card numbers

"Last week, (Sept 7th, 2000) American Express announced it will issue single-use credit card numbers to help reduce the risk posed by hackers who steal and reuse numbers from online
 merchants' databases..."

story came from Rachel Ross, Toronto Star Technology Reporter at

The use of single-use credit cards was announced in 2000 -  Ronny P. in BCS555 Sept 2003 found a page in that discusses AMEX's current situation with disposable credit card numbers. 

details explain at in an article written by Sarah D. Scalet  titled Safer Plastic

main points
"American Express has a new set of security and privacy offerings, the flashiest of which are disposable credit card numbers. With the free Private Payments system, customers can get unique credit card numbers linked to their standing account each time they make a purchase online. They thus avoid transmitting their "real" numbers and leaving them in the hands of online merchants. The single-use numbers don't work for recurring charges, of course, but they also don't work for thieves who try to make multiple purchases. "

. Chargebacks are a growing problem.
Wendy W. in MGTC50 in Nov 2001 found two good articles that discuss this challenge.
Christi Frum writes [Aug. 15, 2000]

"Chargebacks are refunds issued to cardholders by card issuers in cases where there's been a dispute over a charge. Examples of such cases include fraudulent use  of a card by a third party, or a cardholder's winning of a dispute with a merchant over whether a charge was actually authorized. Any time a chargeback occurs, the merchant pays a fee, on top of having to pay back the amount of the original charge." 

"The new rules introduced by Visa and MasterCard   consist of a classification of certain types of businesses  into a high-risk category. Businesses considered high  risk include travel agencies, taxi and limousine services,  computer network and/or information services, mail-order  houses, catalog merchants, membership clubs, and some online merchants.."..."If your e-business does fall into this high-risk category, the penalties Visa and MasterCard can enact for chargebacks rise exponentially"


Visa Rules and Fees 
  • Chargebacks must be less than 2.5% of total  monthly dollar volume or fewer than 50 chargebacks per month 
  • One-time $5,000 "review fee" for violations occurring in months one through five 
  • $25,000 fee after six months of violation 
 mastercard MasterCard Rules and Fees
  • Chargebacks must be less than 2.5% of total monthly dollar volume or 1% of total monthly  transactions 
  • $25,000 fee per month for the 3rd, 4th, and 5th months of violation 
  • $50,000 fee per month for the 6th and 7th months  of violation 
  • $75,000 fee per month for the 8th and 9th months of violation 
  • $100,000 fee per month for all subsequent months of violation 
So now that we know the credit card companies are putting the "squeeze" on vendors to deal better with chargebacks - how are the vendors handling this?

A 2000 article by Peter Lucas suggests that credit card companies will make digital signatures more popular - though this technology had existed for some time - but was not widely known.

Peter Lucas wrote

"Online merchants face the inability to verify whether buyers are who they claim to be because no credit card is present or signature obtained at the time of purchase. This means when a customer claims a particular purchase  was not made, an online merchant can't prove otherwise. This is the case whether or not the chargeback is fraudulent. The good news for online merchants: Several new technologies [2000] can verify a customer's identity at the time of purchase, thereby reducing the rate of fraudulent chargebacks. Two of the most talked-about are digital signatures and smart cards."

By 2006 we can know that is has been 5 years later and this is still not a commonly used thing.


It is the opinion of witiger that the credit card oligopoly will push vendors too much - small and medium sized companies will aggressively look for alternate e-payment systems and eventually the credit card companies will either

On the plastic horizon in 2007


On this page there are several quotes from
Permission was given by Richard Kern, Associate Publisher of the E-Commerce Times,
in an email to Prof. Richardson 2004 Dec 10th, a hard copy of the email is kep on file in Richardson's permissions binder.

  Prof. W. Tim G. Richardson ©