By Joanna Seow
INCONSISTENT security standards across the electronic payment industry are a major reason for the prevalence of credit card fraud, a newly established industry body has warned.
The Secure Point-of-sale Vendor Alliance (SPVA) was set up in the United States last month in a bid to enhance the level of security for consumers and banks around the world.
It says fraud is a serious problem in the US and Malaysia. Ultimately, it hopes to roll out a higher and more consistent standard of security that will benefit consumers, banks and merchants. The body is made up of the industry's three biggest members - Ingenico, VeriFone and Hypercom - which together hold 85 per cent of global market share.
The SPVA's secretary and treasurer, Mr Paul Rasori, said in a telephone interview with The Straits Times that one of its key goals is to 'create more consistency in how individual vendors interpret the existing security guidelines'.
In recent years, several different types of security guidelines have been put in place by various standard-setting bodies. But given the differing standards which vary by country or card brand, vendors of point-of-sale (POS) equipment may not be consistent in adhering to all these standards. 'When there's no clarity there's the opportunity for people to interpret things in different ways and what winds up happening for the customer...is really a varying level of security,' he said.
Point-of-sale equipment comprises the hardware and software used for electronic transactions such as credit card readers. These are used by merchants, banks and credit card acquirers.
Criminals tend to use three main ways of getting the information they use to clone credit cards. Some put small bugging devices in the credit card machines that merchants use, or attack the IT infrastructure or database systems of large merchants and processors to steal the stored information. They also tap into the communication lines between the merchants and their banks. Stealing information in this way is made easier by the lack of data encryption on these lines.
The SPVA also hopes to ensure the encryption of payment data throughout the process and to create more awareness of credit card fraud risks.
Mr Rasori mentioned Malaysia and the US as two countries where credit card fraud is most widely reported.
'Primarily because we're still using magnetic stripes (in the US). There's a lot of focus in the US in terms of criminals trying to steal that magstripe information,' he added.
Magstripe cards have been used for more than 30 years and have little or no protection against card cloning. An online check indicated that reading devices that can show the information on magstripes are readily available.
Cloned cards are difficult to differentiate from authentic cards. Smart cards, or EMV cards, on the other hand, work on encrypted data which is more secure. They are designed with card authentication features, making it easier to tell real ones from fraudulent ones. The use of chips embedded in the cards also makes information more secure.
Mrs Lim Choy Yoke, an administration manager here, welcomes any move to make electronic payments safer. Her card details had been stolen before while she was overseas. 'Once when I was in Jakarta I was charged for expenses in Samarang although I was not even there. All I did was use my credit card in Jakarta.'
Another time, she was charged for a purchase in a part of Malaysia she had not visited. But the credit card company realised something was wrong, alerted her and stopped the stolen card details from being used further.
Although security standards exist for newer POS equipment, there is little regulation of older systems. One of the issues the SPVA will be lobbying the other standards bodies to look into is retiring these less secure devices.
'Part of the problem if you're a consumer is that the current standards-setting organisations typically require only the higher level of security on new systems that are purchased or deployed into the market and they rarely ever tell a merchant they have to take an existing system out,' Mr Rasori said.

This article was first published in The Straits Times.