Fraud Newsletter

December 2009

December 11, 2009

Forward| Bancard Site| Subscribe
Today's Headlines:
New PIN-Based Card Shines Light on Fraud Battle
Card Trapping: Migrating from Europe?
Latest Phishing Attack Attempts to Steal Consumers' Data via Bogus Live-Chat Support
The Foreign Threat
Real-Time Falcon Statistics
E-Merchants: Improve Manual Transaction Review Staff During the Holidays
Cybersecurity Awareness: Start Somewhere
Dumping Paper Data: Still a Problem
Latest Online Banking Fraud Alert: ACH Hacking
Holiday Alert: Beware of Buying Gift Cards on eBay
Busted: “Most Sophisticated Computer Fraud Attack Ever”
Preventing Card Skimming: Best Practices for Merchants
Visa US Issued Only (Fraud as a % of Total Fraud)
Lawsuit Sues POS Maker For Facilitating ID Theft
Targeted by Data Thieves?

New PIN-Based Card Shines Light on Fraud Battle

Cincinatti-based Fifth Third Bank became the first bank to sign on as an issuing bank with the upstart credit card company, Revolution Money.

According to the Wall Street Journal, Revolutionary Money’s flagship product is a credit card that displays no cardholder information and is activated by a PIN instead of a signature. By using the Internet as its payment platform, the company is reportedly able to cut costs to merchants for accepting credit cards by up to 75 percent.

The company was created in 2005 by AOL founder, Steve Case, who is currently its largest shareholder. However, since its launch, Revolutionary Money has raised over $100 million from top Wall Street entities such as Deutsche Bank, Goldman Sachs, Citigroup and Morgan Stanley as well as individual investors, company chairman, Ted Leonsis, former Charles Schwab Chief Executive David Pottruck and former JP Morgan Vice Chairman David Golden.

Key details: Revolution Money’s Internet-based, proprietary RevolutionCard Network supports two products: RevolutionCard and RevolutionMoneyExchange.

RevolutionCard is a general-use credit card that charges no interchange fees and only a 0.5 percent processing fee per transaction to accept – compared to a 1.5 percent to 4 percent fee charged by traditional card companies. Merchants turn some of these savings into customer loyalty and cash-back programs.

Example: Cardholders can save three cents per gallon at the nearly 1,000 Murphy USA and Murphy Express gas stations typically located in Wal-Mart Supercenter parking areas across 20 states. RevolutionCard is accepted at more than 650,000 merchant locations and 85 percent of all ATMs throughout the U.S.

Important: RevolutionCard claims to reduce the risk of identity theft because the card does not display the cardholder`s name or signature. This may also benefit merchants by helping to reduce chargeback and fraud risk.

Revolution MoneyExchange is a no-fee, online, peer-to-peer payments service that enables users to exchange money for free. Users can also access their online funds at all merchants and ATMs on the RevolutionCard Network.

Leonsis was quoted as saying that Revolutionary Money is aggressively targeting new retailers and expects to reach 80 percent of the merchant community in three years. No indications of further bank issuers joining have yet been made available.

Currently, participating retail locations include Barnes & Noble, Bed Bath & Beyond, Bloomingdale’s,, CVS, KOHL’s, Macy’s, Marshalls, Walgreen’s, Nordstrom, Office Depot, Office Max, T.J. Maxx and Whole Foods.

Back to Article List

Card Trapping: Migrating from Europe?

If your credit or debit card gets eaten by the ATM machine, it may not end up in the hands of a bank employee.

European financial institutions are seeing a sharp rise in card "trapping," where criminals use various tricks to capture and retrieve a person's ATM card for fraudulent use.

For the first half of this year, financial institutions reported 1,045 trapping incidents, according to a new report from the European ATM Security Team (EAST), a nonprofit group composed of financial institutions and law enforcement. The figure, which covers 20 countries within the Single Euro Payments Area (SEPA), represents a 640 percent increase over the first half of 2008.

"For the first time, we've seen a significant spike in the number of card-trapping incidents," said Lachlan Gunn, EAST's coordinator. "It's a new trend."

Criminals may be turning to trapping as an alternative way to get around the main security feature for payment cards issued in Europe: the microchip.

European banks now use chip-and-PIN (personal identification number) cards, also known as EMV cards. During face-to-face transactions, customers must enter a PIN into point-of-sale devices, which authenticates the transactions. ATMs verify the presence of a chip to prevent the use of cloned cards without a microchip.

So far, it's not believed criminals have been able to successfully clone a microchip. Instead, they attach "skimming" devices onto ATMs or POS devices, which record a card's magnetic stripe that contains account details. Cameras or special keypad overlays can be used to obtain the PIN.

The magnetic stripe can then be copied onto a dummy card. But the criminal then has to find an ATM that doesn't check for the microchip. Usually, they've turned to countries further afield in Europe that haven't quite fully deployed chip-and-PIN compliant ATMs.

But now 92 percent of the cash machines in the SEPA verify the presence of the chip before allowing a withdrawal, Gunn said. Some fraudsters have looked to the U.S. to use cloned cards.

"A significant part of these losses are occurring in the USA, where magstripe signature-based transactions are allowed and where there are no current plans to introduce EMV at ATMs or other payment terminals," according to EAST's report.

But it appears some fraudsters would rather keep it local, instead trapping cards and then withdrawing money. Since they have the genuine card, they don't have to worry about the microchip.

Gunn said they've been known to trap cards and then pull them out with tweezers. Another method is the "Lebanese loop." A device is placed on the ATM, which uses tape, a wire or strong thread to retain a card after it has been inserted. The PIN is obtained by shoulder-surfing, and card is retrieved when the customer leaves.

U.K. banks usually limit cash withdrawals to £500 (US$830) a day. The criminal can repeatedly take out money daily until the customer notifies the bank to shut down the card. EAST's report said trapping has been particularly acute in one country but declined to identify the country.

Losses from card trapping still are far less than those from skimming. Trapping losses amounted to €248,000 (US$370,000) compared to €156 million (US$209MM) for skimming for the first half of the year, EAST said. Other kinds of ATM fraud caused €321,000 (US$479,000) in losses.

Back to Article List

Latest Phishing Attack Attempts to Steal Consumers' Data via Bogus Live-Chat Support

A new, unique type of phishing attack targeting online banking customers was recently discovered by the prominent security services provider, RSA. RSA has dubbed this new version of online fraud "Chat-in-the-Middle" (CITM) phishing attack.

Key characteristic: A CITM attack is first executed through “routine” phishing methods but instead of being redirected to the next page of the phishing scheme, victims are presented with a relatively new social engineering phase of online fraud.

Example: The attack may dupe customers into unknowingly entering their usernames and passwords into a phishing site but this triggers the opening of a bogus live chat support window where a “live” fraudster posing as a bank or company employee can obtain even more personal information for later use in committing identify fraud.

Latest finding: In the live chat session, the fraudster poses as a representative of the bank's fraud department and attempts to trick customers who are online into divulging sensitive information - such as answers to secret questions that are used for the ostensible purpose of  “online customer authentication.” This is achieved by falsely stating that the bank is "now requiring each online customer to validate their accounts."

This attack is currently targeting a single U.S.-based financial institution.

Source: RSA, Security Division of EMC, providers of secure data, compliance, PCI, consumer identity, consulting, other Internet security services,
Back to Article List

The Foreign Threat

Credit card fraud perpetrated by overseas criminals is becoming increasingly sophisticated. A recent article in the UK Times Online, citing information from British police and US counterintelligence sources, reported that Chip and PIN readers located throughout Europe had been rigged with sophisticated electronic devices that prompted the readers to record MasterCard numbers and PINs and wirelessly “phone” the data to a known Al-Qaeda group in Pakistan.

Caution: The global nature of credit card commerce means that US issuers, merchants and processors are also potential targets of such high-tech fraud.

Source: Tom Mahoney, CEO, Merchant 911,

Back to Article List

Real-Time Falcon Statistics

Total YTD
# of Actual Fraud Cases
#of Actual Fraud Accounts
Fraud $'s Saved*
January - November 2009

* Potential loss if entire credit line had been compromised

For more information on Falcon statistics and ways that you can protect your bank from fraud attacks, contact Alan Nevels, Senior Vice President, Card Risk at (800) 242-4770 or visit ICBA Bancard's Online Risk Management & Prevention Center.

Back to Article List

E-Merchants: Improve Manual Transaction Review Staff During the Holidays

As most online retail merchants know all too well, credit card orders, which do not pass the automated order screening stage typically enter a manual review queue. During this stage, additional information is collected to determine if orders should be accepted or rejected based on the level of fraud risk.

Problem: Manual review is very costly and puts great pressure on already slim profit margins. It also limits scalability, and potentially compromises customer satisfaction. However, for many merchants it represents fully one-half of their fraud management budget.

It is therefore unsurprising that only 13 percent of merchants say they have a budget available to increase review staff now or in the next twelve months. This presents significant challenges to profit growth since, even at a stable percent of orders sent to review, the total number of orders that must be reviewed increases in step with the total increase of online sales.

In what CyberSource says should be a highly automated sales environment, most merchants are still manually checking large numbers of orders. In fact, in the past six years, 1 out of every 4 total online orders transacted were manually reviewed.

Over the same period, merchants who regularly conduct manual review typically reviewed 1 out of 3 orders they received, with smaller merchants reviewing a higher percentage of orders (perhaps because lower order volumes permit such practice).

Key: One consequence of using more automated fraud detection tools is a greater chance of one or more flags being raised, resulting in more orders being flagged for manual review.


In today’s tough economy, which makes the upcoming holiday season more critical than usual for retailers, E-merchants expecting increased online sales will need to take at least one of the following actions:

  • Dedicate more staff time to the order review process
  • Hire more review staff
  • Allow more time to process orders and ship good ones
  • Improve accuracy of initial automated sorting and make the subsequent review process more efficient.


Currently 1 out of 3 merchants report having a case management system that supports their manual review process and staff. Over one-half of merchants either currently use a case management system or plan to implement one shortly. For large online merchants 65 percent currently use or plan to implement a case management system.

Benefits: Merchants using a case management system are better able to track fraud rates on orders which have gone through manual review. Seventy-four percent of merchants using case management systems report tracking fraud rates for manually reviewed orders compared with only 42 percent being able to do so when not using a case management system.

Surprising: Nearly 45 percent of merchants performing manual order review say they do not track the fraud rates of orders which have been manually reviewed, and 24 percent of large merchants say they do not have this information.

Key: Without knowing the fraud rate on orders undergoing manual review, and who reviewed them, it is difficult to determine training needs or other actions to improve the effectiveness of manual review.


While many of the tools used during automated screening can also be used during manual review, several additional practices and processes are employed by most manual reviewers. These may be especially important during the upcoming holiday season when card fraud is typically at an annual high:

  • Attempting to validate an order by contacting the customer. Most merchants try to clear orders through manual review in one business day and say they will not wait more than three business days for a customer to respond to a request for more information.
  • Contacting the card issuer. This action is taken by almost half of merchants overall and 60 percent of large merchants. Telephone number validation / reverse lookup is the third most popular tool with 56 percent of merchants using it during manual review compared with  25 percent during automated screening.

In 2008, two-thirds of merchants reported using four or more fraud detection tools for manual review, with 4.9 tools being the average. Larger merchants reported using 6.1 detection tools, on average.

Bottom line: The indispensability of these manual anti-fraud measures is not abating; if anything it is increasing. And this is all the more true during the holiday weeks. E-merchants should carefully assess the cost-benefit ratio of bringing on additional manual review personnel during the upcoming busy season in the ongoing battle against growing online credit and debit card fraud.

Sources: CyberSource 10th Annual Online Fraud Report, CyberSource, and credit card industry anti-fraud experts. 

Back to Article List

Cybersecurity Awareness: Start Somewhere

Linda McGlasson, Managing Editor of wrote on October 15 — halfway through Cybersecurity Awareness Month — “that the designation of one month of the year for the “public relation arms of security vendors, governors of states and other political types with predetermined agendas ...  to right a whole year of ignoring the need for strong information security awareness ... is flawed.

She went on to propose that "Every month should be information security awareness month. Security awareness should be part of everyone's job description, and if they're a customer ... well, I think they should sign an agreement to follow some basic standards of safe computing. Here's a thought: How about setting out the 10 rules for safe computing?

With regard to bank security and credit card fraud prevention, McGlasson could not be more on target. She further points out that in any organization, information security is only as strong as the weakest link. “In the case of many businesses, including financial institutions,” she continues, “that weakest link is your customer or your employee sitting at a screen, deciding whether to click on that link that popped up in their instant messaging screen, or direct message box on Twitter, or visit that site that offers free ringtones (and malware as a bonus)”.

No wonder phishing attacks continue to be devastatingly successful. No wonder credit card records keep being stolen by the tens of thousands.

McGlasson’s lesson:You don't pick your customers, they choose you. This is the reason why you'll want to make sure your cybersecurity awareness program is up to date and performed on a regular cycle (think at least quarterly, if not monthly.)

Many bank information security specialists would agree. They would recommend to management, at the very least, implementing and enforcing a set of basic operating standards applicable to everyone in the organization.

In addition to keeping your operating system up to date with the latest patches, McGlasson urges organizations to update anti-virus and anti-spyware applications regularly, keep firewalls up-to-date, and demand that no one in the organization click on links in e-mails that are from unknown or unfamiliar senders.

There are plenty of other such basics that banks and other business institutions absolutely must deploy in order to reduce their vulnerability to hackers and insiders looking to steal their customer data. But making a modest start such as that suggested by McGlasson is better than doing nothing at all.

Back to Article List

Dumping Paper Data: Still a Problem

Despite the prevalence of costly high-tech data breaches, banks should definitely not underestimate the possibility of losing customer data the old-fashioned way—by throwing it away.

Latest incident: The Rodgers Forge, MD branch of M&T Bank lost 52 customer records when an employee mistakenly threw them out without shredding them.

A local ABC News crew found the discarded records by simply looking inside the dumpster one day. Among its discovery was a letter written by a M&T customer describing how someone had used her ATM card to steal hundreds of dollars over the summer. The bank threw it in the trash along with her account number, her statements and even a copy of her driver’s license.

The good news is that physical disposal of confidential customer data by companies in general is relatively rare. According to the Open Security Foundation, a non-profit data breach archiving organization only 37 incidents of physical document disposal occurred in the first 10 months of 2009. And, fortunately, the M&T breach was one of the smallest. But it is by no means insignificant in the context of data security. It is another wake-up call indicating the need for ongoing vigilance in efforts to safeguard customer data by any and all means.

Sources: Open Security Foundationand WMAR-TV, Baltimore, MD. 

Back to Article List

Latest OnLine Banking Fraud Alert: ACH Hacking

The Federal Deposit Insurance Corporation (FDIC) and other organizations have issued warnings to banks and their commercial customers about a new variety of phishing attack based on fraudulent ACH transfers.

Details: Hackers are reported to send e-mails to corporate customers of banks, luring them to fake bank Web sites where they enter their login information to access accounts and initiate funds transfers from accounts used by customers to make ACH payments.

Example: One New England retail fuel company had its bank account compromised when an employee fell for a phishing attack that resulted in hackers (located in Eastern Europe) obtaining the username and password to the bank account into which fuel customers make ACH payments. The hackers fraudulently transferred $150,000 from the account and obtained access to an unspecified number of customer bank account information.

Some attacks also planted sophisticated Trojan horse “crimeware” on bank customer computer to enable hackers to access the customers' bank accounts used to make ACH transfers to vendors with whom they have commercial accounts.

Self defense: Banks that accept ACH payments from customers, should warn these patrons about clicking on links in e-mails from senders purporting to be from their financial institutions. In addition, customers should immediately implement ACH debit blocks. These block any ACH payment that is not pre-scheduled with the bank.

Also effective: Small- and medium-size businesses should use a dedicated computer strictly for all online banking. This should eliminate the opportunity for authorized users to click on risky links or browse the Internet to sites that could inadvertently result in downloading Trojan horses and other malicious applications.

Sources: Linda McGlasson, Managing Editor, BankInfoSecurityFDIC Special Alert

Back to Article List

Holiday Alert: Beware of Buying Gift Cards on eBay

According to PC World, fraudsters are buying gift cards with stolen or counterfeit credit cards and selling them for below face value on eBay.

One of the biggest victims of this scam, reportedly has been Apple whose iTunes gift cards were bought en masse by overseas fraudsters and sold on eBay to unsuspecting buyers at substantially temptingly discounted prices.

Apple has received considerable media coverage of its  crackdown on these frauds. But many other retailers are potential targets as well. These companies will disable the cards or, in the case of Apple, shut down customers’ iTunes accounts if content was purchased with bogus gift cards.
Credit card holders should be wary about buying gift cards on eBay if...

  • The card(s) are for large amounts but are offered at 20 percent-30 percent discounts. This fits the old “too good to be true” rule.
  • The sellers are located overseas. Most of these frauds appear to be committed by foreign fraudsters.
  • The seller lists multiple cards with discounts over $10. The more such cards a seller has for sale, according to one knowledgeable blogger, the likelier they are to be fraudulent.

Self defense: Several experienced eBay users suggest that using PayPal to purchase gift cards on eBay is a good way to reduce the risk of being victimized by scammers, as PayPal’s user verification process is a strong deterrent to fraudsters and it offers dispute resolution opportunities if a purchase does “go bad.”

Back to Article List

Busted: “Most Sophisticated Computer Fraud Attack Ever”

Sergei Tsurikov, 25, of Tallinn, Estonia; Viktor Pleshchuk, 28, of St. Petersburg, Russia; Oleg Covelin, 28, of Chisinau, Moldova; and a person known only as "Hacker 3;" were indicted by a federal grand jury in Atlanta, GA, on charges of hacking into a computer network of the Atlanta-based credit card processing company RBS WorldPay, part of the Royal Bank of Scotland.

Igor Grudijev, 31, Ronald Tsoi, 31, Evelin Tsoi, 20, and Mihhail Jevgenov, 33, each of Tallinn, Estonia, were also indicted for access device fraud.

Details: The indictment alleges that the group used “sophisticated hacking techniques” to compromise the data encryption protocol used by RBS WorldPay to protect personal identifying information on payroll debit cards. Payroll debit cards are increasingly used by various companies to pay their employees. The cards enable employees to withdraw their regular salaries immediately from an ATM.

According to the indictment, one of the co-conspirators, located in Moldova, discovered in an as yet undisclosed way, a technical vulnerability in the RBS WorldPay security system. He relayed this to other members of the ring who subsequently developed a way to circumvent the RBS WorldPay encryption protocol in order to obtain the debit card and PIN numbers on 44 card accounts. Of the 44, 42 belonged to account holders at Palm Desert National Bank, a RBS WorldPay client.

Problem: Once the encryption on the card processing system was compromised, the hacking ring allegedly raised the account limits on the compromised accounts, and then deployed a network of "cashers" with the 44 counterfeit payroll debit cards, which were used to withdraw more than $9 million from more than 2,100 ATMs in at least 280 cities worldwide, including cities in the United States, Russia, Ukraine, Estonia, Italy, Hong Kong, Japan and Canada. The $9 million loss occurred within a span of 12 – 24 hours.

The indictment alleges that the "cashers" were allowed to keep 30 percent to 50 percent of the stolen funds, but transmitted the bulk of those funds back to Tsurikov, Pleshchuk and other co-defendants. Upon discovering the unauthorized activity, RBS WorldPay immediately reported the breach.

Cover-up attempt: Following the operation, the hackers allegedly tried to destroy data stored on the card processing network in order to conceal their hacking activity.

International cooperation was a significant factor in breaking the case. In a joint investigation with U.S. law enforcement authorities, Estonian Central Criminal Police apprehended Tsurikov, Ronald Tsoi, Evelin Tsoi and Jevgenov in Estonia earlier this year. Each faces related charges in Estonia. Tsurikov is also in custody in Estonia and is awaiting extradition to the United States. Federal prosecution of the Estonian defendants has been closely coordinated with the Estonian Office of the Prosecutor General.

In addition, cooperation between the Hong Kong Police Force and the FBI led to a parallel investigation in Hong Kong, resulting in the identification and arrest of two individuals who were responsible for withdrawing RBS WorldPay funds from ATMs there. The Netherlands Police Agency National Crime Squad High Tech Crime Unit and the Netherlands National Public Prosecutor’s Office also provided significant assistance.

Assistant Attorney General of the Criminal Division,  Lanny A. Breuer called this fraud "perhaps the most sophisticated and organized computer fraud attack ever conducted”.

Back to Article List

Preventing Card Skimming: Best Practices for Merchants

The PCI SSC PIN Transaction Security Working Group of the PCI Security Standards Council recently released a very useful report for retail merchants on how to protect against credit and debit card skimming fraud.

Entitled Skimming Protection: Best Practices for Merchants, the report includes user-friendly explanations of common card skimming schemes currently high on the threat list for merchants and offers useful security checklists to help in determining whether card terminals have been illegally compromised.

Click here to obtain a copy of the report.

Back to Article List

Visa US Issued Only
(Fraud as a % of Total Fraud)

Fraud Types
(Jan.- Mar.)
Card Not Present
Fraud Application
Misc/ID Theft/Account Takeover

Back to Article List

Lawsuit Sues POS Maker For Facilitating ID Theft

Seven restaurants in Louisiana and Mississippi filed a class action lawsuit in November against point-of-sale (POS) vendor Radiant Systems and its distributor Computer World. The suit claims that hundreds of restaurant patrons had their identities stolen because the restaurants were using payments terminals that were not PCI-DSS compliant.

Details: Atlanta-based Radian Systems and its distributor are accused of "poor business practices and faulty software" that led to customers' identities being stolen. The restaurants include Best Western, Mel's Diner, Sammy's Grill, Crawfish Town USA, Jone's Creek Cafe, Don's Seafood and Picante's Mexican Grill.

According to the charges, Radiant Systems' negligence and failure to either instruct or monitor Computer World's work led to payment systems being compromised, leaving customers vulnerable to identity theft and fraud.

The restaurants claim they then incurred hefty fines and had to reimburse fraud costs to the credit card companies and pay for re-issuance of credit cards to victimized individuals. They were also fined $5,000 by Visa and were required to have forensic audits conducted to determine the origins of the breach.

The suit seeks compensation to repay the penalties levied by the credit card companies and costs to track down and repair the POS system problems. (Visa and MasterCard do not levy fines against merchants but fine their acquirers, who then pass on the cost to the merchants involved).

Background: Businesses that accept credit cards for payments are contractually obligated to use equipment and software from PCI-DSS compliant vendors.

Charles Hoff, a hospitality lawyer and member of the Executive Committed of the Board of Directors of the Georgia Restaurant Association, is one of the attorneys advising the restaurants in the class action. He said that a special investigation by the U.S. Secret Service found that Computer World -- exclusive area distributor of Radiant Systems' "Aloha" POS software -- violated PCI-DSS provisions by:

  • Using a remote access system that did not have adequate security patches.
  • Using the same password for at least 200 operators.
  • Failing to remove prior sensitive customer credit data upon installation of Radiant POS systems.

The breach: According to news reports, the Secret Service discovered that a Romanian hacker breached the Radiant system using a common default password and installed keylogger software on all of the restaurant computers to capture the customer card data.

Visa charged the restaurants $5,000 each and ordered them to conducted a forensic audit to determine the source of the breach.

Radiant and Computer World were reportedly warned by Visa in 2007 that their software was non-compliant, but the restaurants allegedly didn't know this when they acquired the Aloha system.

Deception to boot? The restaurants also claim they were sold earlier model POS systems despite being told they were new. 

NOTE: Visa requires U.S. acquirers to maintain a Level 4 Merchant Compliance Program to mitigate risk within their small merchant population. Click here to learn more.


Back to Article List

Targeted by Data Thieves?

Protect Your System to Avoid the Malware Nightmare

Attached is an article reprint that was published in the Fall 2009 HOSPITALITY UPGRADE magazine. The author, Eduardo Perez, works for Visa Inc. and addresses recent trends in criminal attacks on data in motion using viral malware. The piece provides security practices that can help prevent intrusions and detect malware.
This piece is particularly timely because hotel franchises have recently been targets for data thieves. With many hotels and restaurants using a network POS model connected to a central back-end host, criminals have been exploiting the same vulnerabilities from chain to chain.

Read Article Now >>

Back to Article List

You are receiving this e-mail because you are a participant of ICBA Bancard or you registered to receive it. Note: When available, Web links are provided as a convenience. However, the location or accessibility of links may change during or after publication.

To change your e-mail address, please
go here. If you wish not to receive ICBA "Bancard E-News", please opt-out here. If you prefer not to receive any future e-mails from ICBA Bancard, please unsubscribe here. View our Privacy Policy.

Calendar & Events:

Fraud Training Calendar:

There is currently no fraud training scheduled. We are working on several informative Webinars and courses for the coming year. Please refer back to the ICBA Bancard Calendar for newly announced fraud training in January 2010.

Training Opportunity:

FraudAware, the leading provider of fraud awareness training has a limited number of slots for ICBA member banks to sign up for specially discounted live workshops or web-based (e-learning) bank anti-fraud training. For a free, no-obligation consultation call Peter Goldmann, Training Developer at 1 (800) 440-2261 or e-mail


ADCR Qualified Events


CyberSource Enterprise Payment Security 2.0 Document

Visa LiabilityWaiver Program

2010 Visa PIN Security Compliance Validation Training



Payment Application Data Security Standard

In 2008, the PCI Security Standards Council (PCI SSC) adopted Visa’s PABP and released the standard as the Payment Application Data Security Standard (PA-DSS). The PCI SSC is responsible for maintaining and updating the PA-DSS and all related documentation, Payment Application Qualified Security Assessor (PA-QSA) qualification and training, Reports of Validation (ROV) submissions and quality assurance as well as the listing of PA-DSS validated payment applications. The PA-DSS now replaces PABP for the purpose of Visa’s compliance program.

For more information on the PA-DSS, including program and validation requirements please visit the PCI SSC website. Click here for PCI SSC’s List of PA-DSS Validated Payment Applications.


Fraud Loss Protection Plan

This "Members only" program assists your bank in recouping losses that would otherwise be unrecoverable.

Coverage included for cards:
• Lost & Stolen
• Not Received Issued
• Counterfeit
• Skimmed Counterfeit
• Account Take Over
• Identity theft

More information

Confirm coverage

Online Fraud Claims Tool

Allows ICBA Bancard Fraud Loss Protection Plan participants to track status of reimbursement claims.

• Track claims from date of
   receipt to completion
• View processing comments
   entered by analysis
• View compensation amounts
   processed for your bank
• Examine or print claims
• Secure login access

View claims

Custom Portfolio Consultation:

As a dedicated resource to all community banks, ICBA Bancard offers risk, marketing and operational consultations at no cost to community banks.

Request a free consultation today

TCM Bank

This limited purpose credit card bank is designed to position community banks in the credit card business, promoting the bank's identity while limiting or eliminating the bank's exposure to risk and marketing costs.

More Info About TCM


PCI Security Standards
Merchant 911
Visa (CISP)
MasterCard Online
Fiserv EFT
Visa Online

Product Hightlight:


This technology makes use of Behavior-Metrics science that individually or concurrently authenticates that the correct people are accessing and/or receiving information in a secure and efficient environment.

More Info


Bancard Fraud Quarterly
Published by ICBA Bancard
© 2008 ICBA

Contact Editors of
Bancard Fraud Quarterly

1615 L Street NW
Suite 900
Washington, DC 20036
Ph: (202) 659-8111