Security Vendor Pitching Card Data to Merchants

A security vendor has made a business out of selling merchants information about stolen payment card accounts — data that banks could often provide for free but generally are reluctant to share.

Steven Peisner, the president of Sell It Safe Inc., spends his days in online chat rooms and underground Web sites used by hackers, searching for stolen card data. Many criminals offer small batches of valid card numbers as free samples, hoping to attract buyers for larger lists of stolen accounts. Mr. Peisner packages these samples into a database that he sells to merchants, which use the data to head off fraudulent transactions.

Reissuing cards after a data breach can be expensive for issuers, which sometimes try to hold costs down by not reissuing cards on accounts they suspect have been compromised until they are actually misused.

But Mr. Peisner said that merchants dislike this strategy, because it means they may be accepting bad transactions on cards that banks already know are suspect. Services like his can give merchants the same information to work with that the banks have; in some cases, he said, his database has information that issuers have not yet received.

"Banks are going to have to take a look at companies like us," he said.

The cards in Sell It Safe's database are almost certain to be used for fraud, Mr. Peisner said. "What the hackers actually do in the chat rooms is they're basically showing their wares. They'll take 20 to 30 to 40 cards, and they'll post them to other hackers" as a sample of the larger set of cards they wish to sell. The other hackers "grab that data very quickly and start to make purchases with it" to verify that the accounts are valid.

Mr. Peisner grabs the data, too, he said, so his merchant customers can be prepared for the impending wave of fraud.

People Data, a unit of Zaba Inc. that operates an online directory, was an early Sell It Safe customer, using the service when it became available in 2004. Robert Zakari, Zaba's president, said a lot of the unit's customers were using fraudulent card accounts, and that the antifraud measures available through the card associations were not enough to solve the problem. (He tried both Verified by Visa and the card verification value 2 numbers that are printed on credit cards to prove that customers actually have possession of the cards.)

With Sell It Safe, Mr. Zakari said, he was able to cut his fraud rates by 40% to 50%. Though he said that figure was good, it was not high enough; eventually he changed his business model altogether and stopped charging people to use People Data's Web site. (Another Zaba site, Zabasearch.com, is supported by advertisers.)

"That tide that we were fighting was just getting larger and larger, and we didn't want to deal with that anymore," Mr. Zakari said.

However, Sell It Safe has tinkered with its service since 2004, he said, and if the current version were available then, it would have been able to stop even more fraud on People Data's site — enough that Zaba would not have been forced to change its model.

Mr. Zakari called Mr. Peisner an "online Zorro" coming to the aid of merchants. "I'm just glad somebody even cares about the merchants."

It is a sentiment echoed by even powerhouse merchants like eBay Inc. Meg Whitman, eBay's president and chief executive, made a similar point last month in a keynote address at a security conference hosted by Visa U.S.A. Inc.

"When data breaches occur, acquiring banks and issuing banks do not notify or share that information about exposed cards with alternative payment providers like eBay" or its PayPal Inc., she said. "Therefore, we are tremendously disadvantaged."

Merchants "end up paying for these charges that in fact could have been prevented in the first place," if the banks informed them that the accounts were at risk, she said.

Mary T. Monahan, an analyst and editor for Javelin Strategy and Research of Pleasanton, Calif., said that merchants and banks must work together to fight fraud, and that the relationship between the two is strained in part because costs are not spread equally.

"Reissuance is a huge cost to banks," Ms. Monahan said. "They're taking the major hit, not the merchant."

Keeping compromised cards active until fraud occurs keeps banks' costs in check but upsets merchants, she said, because they are burdened with at least one fraudulent transaction before the account is shut down.

Once fraud occurs on one of those compromised accounts, the issuer "will protect other merchants, but that first merchant is going to be the sacrificial lamb," Ms. Monahan said.

Merchants that must bear the brunt of those bad transactions want to be notified earlier in the process, she said. "It just makes sense. The merchants need to be protected too."

Javelin surveyed 1,200 holders of credit and debit cards in February and March and released its findings late last month.

In a report on that survey, Ms. Monahan wrote that 76% of consumers polled by Javelin said credit card companies and merchants share an equal responsibility for data security. Thirty-seven percent said that in the event of a breach, the company that experienced the breach should notify consumers, and 30% said notification should be up to the issuing banks.

Merchants typically do not block all transactions on suspect accounts, she said, because "the merchant doesn't want to lose a legitimate transaction, especially a large one." Instead, they use information about suspect accounts in the same way banks do: to know which accounts require extra scrutiny.

To address the problem, merchants are turning to vendors, Ms. Monahan said, because otherwise "there is no protection in place for that merchant when a data breach occurs, other than what that issuing bank puts in place."

She cautioned that if the financial services industry does not address merchants' concerns on its own, the matter may end up being settled by legislative action.

"Everybody has to work together," she said.

