Merchants are one of the four corners of the ‘four-corner’ model of the payment world (alongside cardholders, issuers and acquirers). In what follows, we explain some of the security mechanisms available to merchants to prevent unauthorized transactions and payment card fraud.
A merchant is defined as a vendor (“Acceptor”) of goods or services who accepts payment cards and delivers a product or service in exchange for a successful transaction.
In payment industry terminology, a merchant does not need to be a physical person. An unattended automated machine can also act as a merchant; automated teller machines (ATMs) are the most common example of such “robotic” merchants.
There are also automatic vending machines selling a wide range of goods (beverages, food, etc.), as well as self-checkouts. These are all valid examples of merchants.
A merchant usually assumes most of the risk in a transaction. The biggest threats are counterfeit cards, stolen cards, and someone impersonating a legitimate cardholder. In such cases, the merchant usually has to absorb the loss caused by the fraud.
Safety of the Merchant
The safety of the merchant is generally treated as the acquirer’s problem. However, the acquirer only provides a ‘base’ for the merchant’s security. It usually supplies the merchant with secure, tamper-resistant payment terminals, but mostly to protect the cardholder from skimming devices or other illegal devices that could be fraudulently installed on the merchant’s terminals.
A payment terminal is required to encrypt PINs, as per the PCI PIN requirements. Again, this is clearly focused on the cardholder’s safety. The burden PCI DSS places on merchants is likewise focused on the cardholder’s security and on preventing the theft of cardholder data; it has no direct impact on the merchant’s own safety.
The acquirer holds the funds owed to the merchant from its transactions for a ‘safety period’ (a form of escrow, often called a rolling reserve). That period varies by bank and country, but it is usually one to three months.
In case of fraud, or of a chargeback request triggered by fraud, the acquirer will immediately or almost immediately freeze the merchant’s funds or refund the cardholder’s account, because fraud is usually reported within the safety period. There is very little a merchant can do to prevent the acquirer from refunding the cardholder. It depends on the country, as some countries have specific legal frameworks aimed at protecting the merchant. That is why, in the payment industry, merchants are better protected when they implement controls themselves, even if doing so may cost them some customers.
As a result, merchants must often rely on their own resources to guarantee the safety and security of their payments.
Overview of the Merchant Protection Techniques in the Payment Industry
The best ‘weapons’ for merchants are systems that use various algorithms (often rule-based or heuristic) to estimate the likelihood that a transaction is fraudulent. Merchants have a strong ‘arsenal’ at their disposal:
- Geolocation of the cardholder (card-not-present) via various methods, e.g. comparing the location of the buyer’s IP address with the billing address
- AVS: Address Verification Service (card-not-present)
- Bayesian statistics for anti-fraud (card-not-present)
- Artificial intelligence / machine learning to detect fraud (card-not-present)
- Identity checks (card-present or card-not-present)
- Selfies (card-not-present)
- Manual verification with the bank (card-present)
- Paper signature (card-present)
- Control by a human operator who visually assesses the customer (card-present)
These techniques often add friction to the payment process and may slow down the merchant’s daily operations. They can also cause false declines, which can sometimes hurt the merchant more than the fraud itself.
Compared with cardholder protection, merchants cannot really rely on cryptography: all the cryptography a merchant is required to deploy is focused on protecting the cardholder. Merchants must instead resort to screening and investigative techniques, and to law enforcement, to protect themselves.
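The rule-based scoring described above, as an added example that is not code from the original article: a small scorer combines AVS results, IP/billing/BIN country checks, amount and per-card velocity into a score with approve/review/decline thresholds. All field names, point weights, thresholds and sample transactions are assumptions chosen for illustration. The second sample transaction shows the false-decline trade-off: a genuine cardholder travelling abroad lands in manual review rather than being declined outright.

```python
"""Toy rule-based fraud scorer for a card-not-present merchant. Added example,
not code from the original article. Field names, point weights, thresholds and
the sample traffic are all assumptions chosen for illustration."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Attempt:
    order_id: str
    card_ref: str         # acquirer token or truncated PAN, never the full PAN
    amount: float
    ip_country: str       # country geolocated from the buyer's IP address
    billing_country: str  # country of the billing address the buyer typed
    bin_country: str      # country of the issuing bank, derived from the BIN
    avs: str              # AVS result: "full", "partial", "none", "unavailable"
    ts: int               # seconds since epoch


# Points per signal. No single signal reaches DECLINE_AT on its own, so a card
# is never auto-declined on one failed check; it takes a combination.
AVS_POINTS = {"full": 0, "partial": 15, "none": 40, "unavailable": 10}
VELOCITY_WINDOW = 600  # seconds
VELOCITY_LIMIT = 3     # attempts per card inside the window before flagging
REVIEW_AT, DECLINE_AT = 40, 70


class RuleScorer:
    def __init__(self):
        self._recent = defaultdict(deque)  # card_ref -> timestamps of recent attempts

    def score(self, a: Attempt) -> tuple[int, list[str]]:
        pts, reasons = AVS_POINTS[a.avs], []
        if pts:
            reasons.append(f"avs={a.avs}")
        if a.ip_country != a.billing_country:
            pts += 25
            reasons.append("ip/billing country mismatch")
        if a.bin_country != a.billing_country:
            pts += 20
            reasons.append("bin/billing country mismatch")
        if a.amount >= 500:
            pts += 15
            reasons.append("high amount")
        # Velocity: forget attempts older than the window, then count this one.
        q = self._recent[a.card_ref]
        while q and a.ts - q[0] > VELOCITY_WINDOW:
            q.popleft()
        q.append(a.ts)
        if len(q) > VELOCITY_LIMIT:
            pts += 30
            reasons.append(f"{len(q)} attempts in {VELOCITY_WINDOW}s")
        return pts, reasons

    def decide(self, a: Attempt) -> tuple[str, int, list[str]]:
        pts, reasons = self.score(a)
        verdict = "decline" if pts >= DECLINE_AT else "review" if pts >= REVIEW_AT else "approve"
        return verdict, pts, reasons


# Constructed sample traffic, not real data.
SAMPLE = [
    # Domestic buyer, everything matches.
    Attempt("o1", "tok-A", 80.0, "FR", "FR", "FR", "full", 1000),
    # French cardholder ordering from a hotel in Spain; the street line of the
    # AVS check failed on formatting. Declining outright would be a false
    # decline, so the rules send it to manual review instead.
    Attempt("o2", "tok-B", 120.0, "ES", "FR", "FR", "partial", 1010),
    # Card testing: small amounts, AVS fails every time; the fourth attempt on
    # the same card inside ten minutes tips it from review into decline.
    Attempt("o3", "tok-C", 5.0, "FR", "FR", "FR", "none", 1020),
    Attempt("o4", "tok-C", 5.0, "FR", "FR", "FR", "none", 1030),
    Attempt("o5", "tok-C", 5.0, "FR", "FR", "FR", "none", 1040),
    Attempt("o6", "tok-C", 5.0, "FR", "FR", "FR", "none", 1050),
]


def run(attempts=SAMPLE) -> dict[str, str]:
    """Score a stream of attempts in order; return {order_id: verdict}."""
    scorer, verdicts = RuleScorer(), {}
    for a in attempts:
        verdict, pts, reasons = scorer.decide(a)
        verdicts[a.order_id] = verdict
        print(f"{a.order_id}: {verdict:8} {pts:3} pts  {'; '.join(reasons)}")
    return verdicts


if __name__ == "__main__":
    run()
```

The scorer must be stateful (the velocity rule needs the card's recent history), which is why a real deployment keeps that history in a shared store rather than in process memory; the thresholds are where the merchant trades fraud losses against false declines.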
Offline Authentication for Chip Cards Only
A merchant terminal can check a chip card without a connection to the payment network by using EMV offline data authentication. This is distinct from offline PIN, a cardholder verification method in which the chip checks the PIN: offline PIN verifies the person holding the card, while offline data authentication verifies that the card itself is genuine.
A typical payment terminal holds no special secret keys beyond those used for PIN encryption and for connecting to the payment network. The only way a merchant terminal can check by itself that a card is not counterfeit is offline data authentication as designed by EMVCo. EMV allows three offline authentication schemes:
- SDA - Static data authentication
- DDA - Dynamic data authentication
- CDA - Combined data authentication
In all three methods, the terminal first selects a card scheme (Certification Authority) public key from its own store, using the RID of the application on the card together with the CA public key index the card supplies. These keys are distributed by the card schemes, which also provide an optional revocation list mechanism for compromised keys or certificates. The card then presents an issuer public key certificate signed with that CA key, plus static card data signed by the issuer, both of which the terminal can validate (SDA). In DDA the card additionally carries its own key pair, certified by the issuer, and signs a terminal-supplied unpredictable number; in CDA that same ICC signature also covers the application cryptogram returned by the GENERATE AC command.
This gives the merchant some protection, and the methods can be used even when the transaction will go online anyway. Their security is uneven, however. SDA was broken long ago: its signature covers only static data, so a clone (‘yes card’) that replays the copied records passes SDA and simply answers ‘yes’ to any offline PIN. DDA is not considered very safe either, because it authenticates the card but does not bind that authentication to the transaction data signed in the cryptogram. At present, CDA remains the best EMV offline authentication method and offers merchants the most protection.
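The CA-key lookup, certificate chain and SDA/DDA checks above, as an added example that is neither EMV code nor code from the original article. It is deliberately simplified: textbook RSA over a SHA-1 digest stands in for the ISO/IEC 9796-2 signatures with message recovery that EMV actually uses, keys are 512-bit and generated in-process, a certificate is reduced to a signature over “identifier + serialised public key”, and the RID, CA index, issuer identifier and PAN are constructed values. What it preserves is the shape of the protocol: the terminal trusts only the scheme CA keys it holds, recovers the issuer key from the card’s certificate, and then either checks a static signature (SDA) or challenges the chip with an unpredictable number (DDA). A ‘yes card’ that copied every readable record passes SDA but fails DDA because it lacks the ICC private key. CDA is not modelled; it would make the chip sign the unpredictable number together with the cryptogram.

```python
"""Toy model of EMV offline data authentication (SDA and DDA). Added example, not
EMV code: textbook RSA over a SHA-1 digest stands in for EMV's ISO/IEC 9796-2
signatures with message recovery, keys are small and generated in-process, and a
certificate is reduced to a signature over "identifier + serialised public key"."""
import hashlib
import secrets

def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin with random bases; n is assumed odd and > 3 (see _prime)."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _prime(bits: int) -> int:
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, full bit length
        if _is_probable_prime(p):
            return p

def keygen(bits: int = 512):
    """Return ((n, e), (n, d)). EMV allows e = 3 or 65537; 65537 is used here."""
    e = 65537
    while True:
        p, q = _prime(bits // 2), _prime(bits // 2)
        if p != q and (p - 1) * (q - 1) % e:
            return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

_digest = lambda data: int.from_bytes(hashlib.sha1(data).digest(), "big")

def sign(priv, data: bytes) -> int:
    return pow(_digest(data), priv[1], priv[0])

def verify(pub, data: bytes, sig: int) -> bool:
    return 0 < sig < pub[0] and pow(sig, pub[1], pub[0]) == _digest(data)

def encode_pub(pub) -> bytes:
    return pub[0].to_bytes(64, "big") + pub[1].to_bytes(4, "big")

# Scheme CA public keys provisioned into the terminal, keyed by (RID, CA PK index).
# The RID below is an assumed value, not a registered application provider ID.
RID_TOY, CA_INDEX = bytes.fromhex("A000000099"), 0x01
_ca_pub, _ca_priv = keygen()
TERMINAL_CA_KEYS = {(RID_TOY, CA_INDEX): _ca_pub}

def issue_card(issuer_id: bytes, pan: bytes, dynamic: bool):
    """Personalise a card: its records for the terminal plus, for DDA, the ICC private key."""
    issuer_pub, issuer_priv = keygen()
    static = pan + bytes.fromhex("2512") + bytes.fromhex("1c00")  # PAN, expiry, AIP
    card = {
        "rid": RID_TOY, "ca_index": CA_INDEX, "issuer_id": issuer_id, "pan": pan,
        "issuer_pub": issuer_pub, "issuer_cert": sign(_ca_priv, issuer_id + encode_pub(issuer_pub)),
        "static": static, "ssad": sign(issuer_priv, static),  # SDA: Signed Static Application Data
    }
    icc_priv = None
    if dynamic:  # DDA card: own key pair, public half certified by the issuer
        icc_pub, icc_priv = keygen()
        card["icc_pub"], card["icc_cert"] = icc_pub, sign(issuer_priv, pan + encode_pub(icc_pub))
    return card, icc_priv

def _issuer_key(card):
    """Shared first step: pick the CA key by (RID, index) and verify the issuer certificate."""
    ca_pub = TERMINAL_CA_KEYS.get((card["rid"], card["ca_index"]))
    if ca_pub and verify(ca_pub, card["issuer_id"] + encode_pub(card["issuer_pub"]), card["issuer_cert"]):
        return card["issuer_pub"]
    return None  # unknown CA key or bad certificate: the card cannot be authenticated

def terminal_sda(card) -> bool:
    issuer_pub = _issuer_key(card)
    return issuer_pub is not None and verify(issuer_pub, card["static"], card["ssad"])

def terminal_dda(card, chip_sign) -> bool:
    """chip_sign(data) models the chip answering INTERNAL AUTHENTICATE."""
    issuer_pub = _issuer_key(card)
    if issuer_pub is None or "icc_cert" not in card:
        return False
    if not verify(issuer_pub, card["pan"] + encode_pub(card["icc_pub"]), card["icc_cert"]):
        return False
    un = secrets.token_bytes(4)  # terminal's unpredictable number, fresh each transaction
    return verify(card["icc_pub"], un, chip_sign(un))

def demo() -> dict:
    pan = bytes.fromhex("4000000000000002")  # constructed test PAN
    genuine, icc_priv = issue_card(b"BANK01", pan, dynamic=True)
    # "Yes card" clone: every readable record copied, but no ICC private key, so junk signatures.
    clone = dict(genuine)
    return {
        "genuine_sda": terminal_sda(genuine),
        "genuine_dda": terminal_dda(genuine, lambda d: sign(icc_priv, d)),
        "clone_sda": terminal_sda(clone),  # True: a static signature replays perfectly
        "clone_dda": terminal_dda(clone, lambda d: secrets.randbelow(clone["icc_pub"][0])),
    }
```

Running `demo()` returns `genuine_sda`, `genuine_dda` and `clone_sda` as `True` and `clone_dda` as `False`, which is the whole point of the move from SDA to DDA: a signature over static data can be copied along with the data, a signature over a fresh challenge cannot. A card personalised with `dynamic=False` fails `terminal_dda` outright, since it has no ICC certificate to offer.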
Most of the EMV flow actually runs between the chip on the cardholder’s card and the issuing bank, via the acquirer, which receives the financial messages from the terminal. The merchant’s terminal is often little more than a ‘relay’.
In the four-corner model, merchants must rely on themselves and on third-party services to protect their assets. There is no real cryptographic protection designed for them, except the offline authentication defined by EMVCo.