FTC Attorney Discusses Regulatory Focus on Payment Processing Industry

The Federal Trade Commission consistently seeks to expand the scope of potential liability for deceptive advertising practices.  From substantial assistance liability under the FTC’s Telemarketing Sales Rule to theories of agency or vicarious liability, ad agencies, ad networks, lead buyers and aggregators, lead purchasers, merchants and payment processors are all potentially accountable for facilitating the actions or omissions of those that they do business with.

Consider the last of these, payment processors, and the FTC’s recent assault on the payment processing industry.  It amply illustrates third-party accountability theories of liability and the imposition of reasonable monitoring duties.

In January 2020, the FTC announced that an overseas payment processor and its former CEO settled allegations that they enabled a deceptive “free trial” offer scheme.  According to the complaint, the company, its principals and related entities marketed supposed “free trial” offers for personal care products and dietary supplements online, but instead billed consumers the full price of the products and enrolled them in negative option continuity plans without their consent.

To further the scheme, the defendants allegedly used dozens of shell companies and straw owners in the United States and the United Kingdom to obtain and maintain the merchant accounts needed to accept consumers’ credit and debit card payments, an illegal practice known as “credit card laundering.”

The FTC subsequently filed an amended complaint adding a Latvian financial institution and its former CEO to the case, alleging that they illegally maintained merchant accounts for the other defendants in the name of shell companies and enabled them to evade credit card chargeback monitoring programs.

In a press release, FTC attorney Andrew Smith, Director of the Bureau of Consumer Protection, stated that “[t]he FTC will continue to aggressively pursue payment processors that are complicit in illegal conduct, whether they operate at home or abroad.”

The FTC also recently announced that a payment processor for an alleged business coaching scheme settled charges that it ignored warning signs its client was operating an unlawful business coaching and investment scheme.  Here, according to the FTC’s complaint, the company for years processed payments for a purported scheme that charged consumers hundreds of millions of dollars for allegedly worthless business coaching products, and that the company ignored numerous signs that the business was allegedly fraudulent.

The red flags listed in the complaint include questions about whether the company was a domestic or international company, the nature of its business model, the company’s purported history of excessive chargebacks, and claims the company allegedly made in its marketing materials.

Notably, the complaint also alleged that the company failed to follow its own internal policies and failed to review its clients’ business practices in detail, which, according to the FTC, would have revealed numerous elements that should have eliminated the client under those policies.

According to the FTC, even after the company took on the client, the client’s processing data immediately raised red flags related to the quantity of charges it processed and the number of refunds and chargebacks associated with those charges.  When the client experienced excessive chargeback rates, instead of adequately investigating the causes of the chargebacks, the company responded by requiring the client to work closely with chargeback prevention companies, according to the FTC.  The FTC alleged that the company failed to monitor the products its client was selling and the claims it was making to sell those products.

Again, the Director of the FTC’s BCP conveyed that “[i]gnoring clear signs that your biggest customer is a bogus online business opportunity is no way to operate a payment processing business.”  “And, it’s a sure-fire way to get the attention of the FTC,” Smith stated.

Most recently, the FTC announced that a payment processor that allegedly helped perpetuate multiple scams has been banned under the terms of a settlement with the agency and the State of Ohio.  Here, the FTC alleged that the defendants used remotely created payment orders and remotely created checks to facilitate payments for unscrupulous merchants, allowing them to draw money from consumer victims’ bank accounts.

Reaffirming the FTC’s focus on the payment processing industry, FTC lawyer Andrew Smith stated that “[p]ayment processors who help scammers steal people’s money are a scourge on the financial system.”  “When we find fraud, we are committed to rooting out payment processors and other companies who actively facilitate and support these fraudulent schemes,” Smith stated.

The FTC is aggressively policing payment processors that bury their heads in the sand or go a step further and help cover up their clients’ wrongdoing.  Either course of conduct could land them in legal hot water.

The settlement terms of the matters above include permanent bans, hefty monetary judgments and the surrender of assets.


© 2020 Hinch Newman LLP

Mitigating Payment Fraud Risks

For businesses that thrive on person-to-person transactions, cash is quickly being replaced by cards, as well as tap-to-pay systems, mobile wallets and QR-based payment systems. These technologies will continue to dominate the market in the near future, but the long-term future of the payment card industry will likely be shaped by the impact of blockchain and artificial intelligence. These developments will eventually also affect risk management, marketing and financial planning, as they introduce serious risks, including fraud. Hence, it is imperative for risk management professionals to plan for these short- and long-term changes in the industry.

Strong risk monitoring requires proactively assessing threats and planning mitigation measures to minimize risk impact on the company or organization. To help mitigate payment fraud risks, businesses can take the following steps:

Train your Employees Regularly

The more regularly you train your employees, the more likely they are to spot suspicious behavior, no matter what payment technology the business uses. Repeated, regular training sessions are essential because employees tend to forget what they have learned over time. These training workshops should teach workers to never accept damaged cards from customers, to confirm customer identities, and to never enter a card number manually.

Use Contactless and EMV-Enabled Terminals

As payment technology changes, businesses must evaluate what options are safest and least prone to fraud. Currently, businesses should use EMV (short for Europay, Mastercard and Visa), which involves chips embedded into payment cards—a significant step in making transactions safer. The introduction and adoption of EMV-enabled secure terminals, particularly when using PIN and EMV security together, has helped merchants and customers prevent fraudulent transactions.

Contactless smartcards, such as chip and magnetic stripe cards with contactless capability, offer another secure way to process transactions. Most EMV terminals are also enabled for contactless payment. At such terminals, a fast and secure transaction is possible using Near Field Communication (NFC) or Radio-Frequency Identification (RFID) via smartcard or smartphone. If a merchant chooses to accept contactless payment without a PIN, they can cap the amount allowed on each contactless transaction to further minimize risk.

Beware Uncommon Transactions

Transactions that involve unusually large purchases could be a sign of potential fraud. Businesses should examine such transactions closely and confirm the identity of the customer. Similarly, if several purchases are made with a card in a short timeframe, it could indicate that the card was stolen and being used by someone other than the owner.

Maintain Online Security

As merchants and consumers shift to contactless and EMV-enabled point of sale terminals, risk has shifted towards online transactions. To mitigate this risk, it is important for online businesses to use the Address Verification Service (AVS), which verifies that the billing address supplied by the customer matches the one on file with the card issuer. Vendors should also ask for the Card Verification Value 2 (CVV2) to verify that the user has the card in hand when placing the order. Another important check is to limit the number of distinct cards that can be used for online transactions from a single IP address.

Prevent Employee Fraud

Employee fraud is always a major concern for risk management professionals.  Businesses should remember to keep an eye on credit card activity, particularly returns, as employee theft often shows up in fake discounts or returns. Companies should create alerts that set limits on returns at stores and notify management any time those limits are exceeded.
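The three monitoring steps above (flagging unusually large purchases and rapid repeat use of one card, capping the number of cards used from a single IP address, and alerting management when a store's returns exceed a limit) are all simple rules over a transaction feed. The following script is an added example, not code from the article or from RIMS; the transaction records, field names and thresholds are constructed for the demonstration and would be tuned to a real merchant's volumes.

```python
"""Rule-based payment fraud screening over a constructed transaction feed.

Added example (not from the original article). It implements the checks
the article describes: unusually large purchases, several sales on one card
inside a short window, too many distinct cards from one IP address, and
per-store return activity that should alert management. Field names and
thresholds are assumptions chosen for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feed. "card" values are masked tokens, not real PANs;
# IPs are from documentation ranges; returns carry the employee who keyed them.
SAMPLE_TRANSACTIONS = [
    {"id": 1,  "ts": "2020-03-01T10:00:00", "card": "tok_A", "ip": "203.0.113.5",  "store": "S1", "amount": 45.00,   "kind": "sale"},
    {"id": 2,  "ts": "2020-03-01T10:02:00", "card": "tok_A", "ip": "203.0.113.5",  "store": "S1", "amount": 60.00,   "kind": "sale"},
    {"id": 3,  "ts": "2020-03-01T10:03:30", "card": "tok_A", "ip": "203.0.113.5",  "store": "S1", "amount": 55.00,   "kind": "sale"},
    {"id": 4,  "ts": "2020-03-01T10:04:00", "card": "tok_A", "ip": "203.0.113.5",  "store": "S1", "amount": 50.00,   "kind": "sale"},
    {"id": 5,  "ts": "2020-03-01T11:00:00", "card": "tok_B", "ip": "198.51.100.7", "store": "S1", "amount": 4200.00, "kind": "sale"},
    {"id": 6,  "ts": "2020-03-01T12:00:00", "card": "tok_C", "ip": "198.51.100.9", "store": "S2", "amount": 30.00,   "kind": "sale"},
    {"id": 7,  "ts": "2020-03-01T12:05:00", "card": "tok_D", "ip": "198.51.100.9", "store": "S2", "amount": 32.00,   "kind": "sale"},
    {"id": 8,  "ts": "2020-03-01T12:07:00", "card": "tok_E", "ip": "198.51.100.9", "store": "S2", "amount": 31.00,   "kind": "sale"},
    {"id": 9,  "ts": "2020-03-01T12:09:00", "card": "tok_F", "ip": "198.51.100.9", "store": "S2", "amount": 29.00,   "kind": "sale"},
    {"id": 10, "ts": "2020-03-01T15:00:00", "card": "tok_G", "ip": None, "store": "S3", "amount": 120.00, "kind": "return", "employee": "emp-17"},
    {"id": 11, "ts": "2020-03-01T15:20:00", "card": "tok_H", "ip": None, "store": "S3", "amount": 95.00,  "kind": "return", "employee": "emp-17"},
    {"id": 12, "ts": "2020-03-01T15:40:00", "card": "tok_I", "ip": None, "store": "S3", "amount": 110.00, "kind": "return", "employee": "emp-17"},
]


def _parse_ts(value):
    return datetime.fromisoformat(value)


def large_purchases(txns, threshold=1000.0):
    """IDs of sales at or above `threshold`; these get manual review and ID confirmation."""
    return [t["id"] for t in txns if t["kind"] == "sale" and t["amount"] >= threshold]


def card_velocity(txns, max_txns=3, window=timedelta(minutes=10)):
    """Cards with more than `max_txns` sales inside any sliding `window` of time."""
    by_card = defaultdict(list)
    for t in txns:
        if t["kind"] == "sale":
            by_card[t["card"]].append(_parse_ts(t["ts"]))
    flagged = set()
    for card, stamps in by_card.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Slide the window start forward until it fits inside `window`.
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 > max_txns:
                flagged.add(card)
                break
    return flagged


def ip_card_limit(txns, max_cards=3):
    """IP addresses that have presented more than `max_cards` distinct cards."""
    cards_per_ip = defaultdict(set)
    for t in txns:
        if t["kind"] == "sale" and t.get("ip"):
            cards_per_ip[t["ip"]].add(t["card"])
    return {ip for ip, cards in cards_per_ip.items() if len(cards) > max_cards}


def return_alerts(txns, max_count=2, max_total=300.0):
    """Per-store return activity exceeding either limit; the employees involved are listed."""
    per_store = defaultdict(lambda: {"count": 0, "total": 0.0, "employees": set()})
    for t in txns:
        if t["kind"] == "return":
            s = per_store[t["store"]]
            s["count"] += 1
            s["total"] += t["amount"]
            s["employees"].add(t.get("employee", "unknown"))
    return {store: s for store, s in per_store.items()
            if s["count"] > max_count or s["total"] > max_total}


def run_checks(txns):
    """Run every rule and return a summary suitable for an alert feed."""
    return {
        "large_purchases": large_purchases(txns),
        "card_velocity": sorted(card_velocity(txns)),
        "ip_card_limit": sorted(ip_card_limit(txns)),
        "return_alerts": {k: v["count"] for k, v in return_alerts(txns).items()},
    }


if __name__ == "__main__":
    for name, hits in run_checks(SAMPLE_TRANSACTIONS).items():
        print(f"{name}: {hits}")
```

Run against the sample feed, the large-purchase rule flags transaction 5, the velocity rule flags card tok_A (four sales in four minutes), the IP rule flags 198.51.100.9 (four different cards), and the return rule flags store S3, where one employee keyed three returns totalling 325.00. Each rule is independent, so thresholds can be tuned per store or per channel without touching the others.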

Risk Management Magazine and Risk Management Monitor. Copyright 2020 Risk and Insurance Management Society, Inc. All rights reserved.

Bombas Settles with NYAG Over Credit Card Data Breach

Modern sock maker, Bombas, recently settled with New York over a credit card breach, agreeing to pay $65,000 in penalties.  According to the NYAG, malicious code was injected into Bombas’ Magento ecommerce platform in 2014.  The company addressed the issue over the course of 2014 and early 2015, and according to the NYAG, determined that bad actors had accessed customer information (names, addresses and credit card numbers) of almost 40,000 people. While the company notified the payment card companies at the time, it concluded that it did not need to notify impacted individuals because the payment card companies “did not require a formal PFI or otherwise pursue the matter beyond basic questions.”

In 2018, Bombas updated its cyber program, causing it to “revisit” the incident, deciding to notify impacted individuals and attorneys general. The NYAG concluded that the company had delayed in providing notice in violation of New York breach notification law, which requires notification “in the most expedient time necessary.” In addition to the $65,000 penalty, the company has agreed to modify how it might handle potential future breaches. This includes conducting prompt and thorough investigations, as well as training for employees on how to handle potential data breach matters.

Putting it into Practice

This settlement is a reminder to companies to ensure that they have appropriate measures in place to investigate potential breaches, and understand their notification obligations.

 

Copyright © 2019, Sheppard Mullin Richter & Hampton LLP.

Buyer Beware! Despite Tokenization, Mobile Payments are not Bulletproof

Virtual Card Present – A New Breed of Mobile Credit Card Fraud 

As credit card fraud rises, ensuring the security of mobile payments is important for merchants and consumers alike. To combat fraud, the next generation of mobile payment platforms employ tokenization to create more secure mobile payments systems. While tokenization may reduce the susceptibility to mobile payment fraud, it is not bulletproof, leaving room for a new breed of credit card fraud.

Tokenization is a process in which sensitive information, such as a credit card number, is replaced with a randomly generated unique token or symbol. Tokenization helps simplify a consumer’s purchasing experience by eliminating the need to enter and re-enter account numbers when shopping on mobile devices. Tokens benefit merchants too, by eliminating the need for them to store payment card account numbers. Merchants have decreased risk as they are not directly handling sensitive and regulated data. The result is overall increased transaction security and reduction in mobile payment fraud.

For example, Apple Pay uses tokenization to ensure all primary account numbers (PANs) are replaced with randomly generated IDs, or tokens, that are then used to authorize one-time transactions. Although Apple Pay users upload credit card information to their devices, neither Apple nor retailers ever have direct access to this sensitive financial data. The security of the iPhone’s tokenization is further bolstered by the use of a biometric fingerprint that is stored on an isolated chip, separate from the token.

Even with the use of tokenization, there remains a weak link in securing mobile payments: ensuring a mobile payment system provides its app to a legitimate user, rather than a fraudster. And criminals love a weak link.

While Apple Pay’s use of tokenization coupled with the biometric authentication provides strong security, hackers are committing a new type of fraud by exploiting this weakness in user authentication. To circumvent tokenization (and biometrics), hackers have been loading iPhones with stolen card-not-present data to create Apple Pay accounts. This essentially turns the stolen credit card data back into a “virtual” physical card – à la Apple Pay.

The responsibility for this new type of Virtual Card Present (VCP) rests with the card issuers, who have the burden of establishing that Apple Pay cardholders are legitimate customers with valid cards. Some banks have begun addressing the issue of user authentication by requiring customers to call to activate Apple Pay, ensuring their identities are verified.
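The tokenization described earlier and the issuer-side provisioning check described just above fit together in one small model: a token service that replaces the PAN with a random value, and a provisioning step that refuses to mint a token until the issuer has verified the cardholder. The following is an added example written for this page, not Apple's, any card network's or any issuer's implementation; the in-memory vault, the `issuer_verified` flag, the `device_id` and the test card number 4111111111111111 are assumptions chosen for the demonstration.

```python
"""Token vault sketch: PAN tokenization plus an issuer verification gate.

Added example, not a real token service provider's code. The vault is an
in-memory dict standing in for the provider's protected store; a real
deployment keeps PANs encrypted at rest inside a PCI-scoped system and
exposes tokenize/detokenize only to authorised callers. The `issuer_verified`
flag models the issuer's cardholder check (for example a call-to-activate
step) that must pass before a token is provisioned to a device.
"""
import secrets


def luhn_valid(pan: str) -> bool:
    """Return True if `pan` (digits only, 12+ digits) passes the Luhn check."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps random tokens to PANs; only the vault can reverse the mapping."""

    def __init__(self):
        self._pan_by_token = {}

    def provision(self, pan: str, device_id: str, issuer_verified: bool) -> dict:
        """Issue a device-specific token for `pan`.

        Tokenization alone does not prove the person holding the phone owns
        the card, so provisioning is refused unless the issuer has verified
        the cardholder. The caller receives only the token and last four digits.
        """
        if not issuer_verified:
            raise PermissionError("issuer has not verified the cardholder for this device")
        if not luhn_valid(pan):
            raise ValueError("invalid PAN")
        # Drawn from a CSPRNG: the token carries no information about the PAN.
        token = "tok_" + secrets.token_hex(16)
        while token in self._pan_by_token:
            token = "tok_" + secrets.token_hex(16)
        self._pan_by_token[token] = pan
        return {"token": token, "last4": pan[-4:], "device_id": device_id}

    def detokenize(self, token: str) -> str:
        """Vault-side only: resolve a token back to its PAN for authorization."""
        try:
            return self._pan_by_token[token]
        except KeyError:
            raise KeyError("unknown token") from None

    def authorize(self, token: str, amount_cents: int) -> dict:
        """Simulated authorization: the merchant sends a token, never a PAN."""
        pan = self.detokenize(token)
        return {"approved": amount_cents > 0, "pan_last4": pan[-4:], "amount_cents": amount_cents}


if __name__ == "__main__":
    vault = TokenVault()
    record = vault.provision("4111111111111111", "device-1", issuer_verified=True)
    print("merchant stores:", record)
    print("authorization:", vault.authorize(record["token"], 1999))
```

Two properties are worth checking: the token string reveals nothing about the PAN (it is random, not a hash or cipher of the card number), and a second provisioning of the same card to a different device yields a different token, so a compromised token cannot be replayed from another device. The `PermissionError` path is the point the article makes about VCP fraud: the weak link is who gets a token, not what the token protects.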

VCP fraud is sure to increase as additional entrants, such as Samsung and Loop Pay, enter the market with their own mobile payment systems. The largest Apple Pay competitor, CurrentC, backed by the Merchant Customer Exchange (MCX), a consortium of large retailers, is set to be launched later this year. While boasting “Security at Level” including passcode, paycode and cloud protection, how CurrentC intends to combat VCP fraud is yet to be seen.

As cybercriminals grow more sophisticated, mobile payment providers and issuers should react to VCP by focusing on developing innovative and strong user authentication solutions.

This article appeared in the October 2015 issue of The Metropolitan Corporate Counsel. The views and opinions expressed in this article are those of the author and do not necessarily reflect those of Sills Cummis & Gross P.C. Copyright ©2015 Sills Cummis & Gross P.C. All rights reserved