Cards
Web Site Offers Merchants an Education on Fraud
Friday, March 22, 2002 By W.A. Lee
Dan Clements is not a card executive, a merchant, or a banker, but he
says he is helping organizations such as Visa U.S.A. Inc., MasterCard
International, and the Federal Bureau of Investigation to control the
menace of hackers.
Mr. Clements is the president of CardCops.com, a three-year-old
“merchant resource site” in Malibu, Calif., that has become the vehicle
for his antifraud crusade.
The quest began when ADS360.com, the Internet advertising agency he
started in 1997, discovered that certain Web sites were generating
“false clicks” on banner ads to reap higher fees from advertisers who
paid a per-click fee. (His partner in CardCops, Mike Brown, still runs
ADS360.)
Not satisfied merely to detect the trick, Mr. Clements said that he
wanted to meet the “clever Webmaster” who had designed the scam. He did,
and the encounter inspired Mr. Clements to establish an “amnesty
program” to allow hackers with a conscience (known as “white hats”) to
divulge their secrets anonymously.
Some hackers actually “want to help e-commerce,” he said. “They’re
usually smart young people with good IT jobs who just like to rattle the
door at night to see if someone’s left the key in” the lock.
Through CardCops, Mr. Clements has persuaded white hats to send him
evidence of break-ins and has exposed vulnerabilities even in systems
that appear very secure. CardCops displays the evidence in its “Fraud
Museum.”
The archive of hackers’ tools and accomplishments — most of which
look to the layman like lists of code — includes programs designed to
decode CVV2s (the numbers printed on the signature panels of credit
cards for extra authentication); a screen shot of an illegal entry into
PayPal Inc.’s secure server; and records of fraudulent transactions made
through the payment processor Authorizenet.com, which last month had to
temporarily suspend merchants’ ability to issue credits.
The archive is meant to help a merchant “see that his secure server
could be hacked into,” Mr. Clements said. “When you tell him that, he
doesn’t believe you. When you show him, it’s a different world.”
The site’s subscribers pay $29.95 for the first month of membership
and $9.95 a month thereafter. The list of subscribers includes Bank of
America Corp., Wachovia Merchant Services, and Walt Disney Co., as well
as many law enforcement agencies, Mr. Clements said.
CardCops also licenses its logo to other Web sites for $99 a year.
Retailers post it on their sites to deter hackers, he said. So far 1,200
sites have licensed the logo, including Amazon.com and buy.com.
Mr. Clements said most merchants don’t do anything to prevent online
fraud until it is too late. “Quite frankly, the merchant just wants to
sell widgets. They don’t know anything about online fraud until they get
a case of it.”
Both Visa and MasterCard use information gathered by CardCops to
develop their merchant protocols, and merchants can use the Web site’s
security guidelines to fulfill the requirements for Visa’s Cardholder
Information Security Program, he said. Visa published those requirements
in September 2000 and mandated compliance on Jan. 1, 2002.
“Merchants won’t take control of their own fates,” Mr. Clements said.
“What we have suggested many times to Visa and MasterCard is to make the
merchant go through Fraud 101 and comply with site requirements.”
As for Verified by Visa — a program in which cardholders register
personal identification numbers with their issuer and enter them when
they shop online — he said that at least “in theory the design looks
great.” However, the key to getting merchants to adopt the program is
“letting them off the hook” for fraudulent transactions, he said.
Retailers currently absorb the cost of fraud in card-not-present
transactions. Visa has said it plans to change its liability rules by
next year to allow Internet merchants that implement Verified by Visa to
avoid liability for unauthorized charges.