Sun | Dec 11, 2016

As fraud grows, privacy erodes

Published:Sunday | March 21, 2010 | 12:00 AM

Avia Collinder, Business Reporter

The Jamaica Public Service Company (JPS) allows a very narrow choice of credit cards for bill payments online - Visa and MasterCard.

But now, the utility company has gone a step further in the name of security, insisting that customers must register their cards - including the sensitive code unique to each user - on the JPS website to continue utilising the tele-payment service.

The growing sophistication of commerce has thrown up a new area of worry at the Consumer Affairs Commission (CAC), which says there is no designated body under the Electronic Transaction Act to police companies that collect sensitive client information electronically.

So, while the JPS is assuring the public that their credit-card details will be safe because of the firewalls it has thrown up around the data, the CAC says if its system - or any other merchant's - were to be breached, there is no entity that would hold the power provider to account.

"We are not sure who is doing monitoring to ensure they follow internal security rulesthat are intended to protect card owners," said CAC information systems manager Andrew Evelyn.

"There is no independent body which checks the security of these organisations. Supervision is not done generally."

The issue has been brought into sharp focus, with one of Jamaica's largest banks encouraging merchants to put in place systems to register customers who make electronic payments using credit cards.

The JPS implemented its system in October 2009 at the urging of Bank of Nova Scotia Jamaica (BNS). The bank, however, has not said whether others have followed suit.

Omar Ellis, product manager for the electronic commercial services, retail and electronic banking unit, tells Sunday Business that BNS recommends registration to its merchants as "a fraud-mitigation tool", and that the process does require disclosure of the card-verification value, or CVV number, as a secondary security layer, in addition to card number and expiry date.

Approximately 1.5 per cent of JPS customers, covering some 8,760 accounts, currently use electronic channels to pay their light bills, the utility company said.

Audrey Williams, communications officer at the JPS, said the company introduced registration because of high levels of fraud detected through the online payment system, whereby cloned or stolen cards were being used to pay multiple bills for some families.

Incidents of fraud in 2009 were found to have doubled that of 2008, the utility company said, but did not quantify the amount in dollar terms. The switch to registration was positioned as taking "steps to protect both the interests of its customers and the company".

Williams, who insists that the JPS asks for no more data than is absolutely required, says the information is encrypted and protected according to the Payment Card Industry Data Security Standard (PCIDSS) guidelines.

"Neither credit-card numbers nor CVV data are stored to facilitate registration," she said.

Instead, "Customers are recognised by a non-reversible 'hash' on card data, which is calculated each time they present the card for use to JPS."

Williams said the practice of credit-card registration is widespread and operates successfully in many countries.

Nascent electronics law

Jamaica, however, is operating under a nascent electronics law that has not been tested for consumer protection, though Andrew Evelyn, the CAC's information systems manager, says that under the new law, companies "are obliged to ensure that consumer data is encrypted".

Merchants are not independently monitored under the eletronics transactions law, which took effect April 2, 2007, but Evelyn says there may be other recourse for security breaches; that consumers are protected by the card issuers refund policy.

"If an unauthorised transaction occurs on the card, then the cardholder can make a claim on the bank. Usually, they get a refund," he said.

He adds: "JPS is a reputable organisation and as a service supplier of a major utility, they should ensure that the customers' data is kept secured."

National Commercial Bank (NCB) of Jamaica has its own security measures, but it does not seem to go as far as BNS. The two banks are the largest in Jamaica, together accounting for 70 per cent of a $583.5 billion industry valued by assets.

NCB has implemented its own registration process, but its added layer of security does not require disclosure of sensitive CVV data to merchants.

"NCB does not allow its merchants using interactive voice response or e-commerce platforms the option of storing this sensitive data," said Claudette Rodriguez, assistant general manager of the card services and e-channels unit.

Rodriguez said NCB prided itself on complying with the PCIDSS.

"These standards dictate that sensitive card-authentication data, such as the card security code, not be stored due to the risk of data theft by way of hacking or other methods," the card services manager said.

The bank claims its own hybrid registration process has reduced card fraud to zero.

The process requiresthe cardholder, having carried out preliminary registration set-up on a webpage, to contact his or her bank to obtain either a small transaction value or a code that is processed against his or her card at set-up.

Only when this value or code is inputted successfully on the merchant's website is the cardholder allowed to use the card to carry out the transaction.

avia.collinder@gleanerjm.com