The merchant's side

For merchants, a credit card transaction is often more secure than other forms of payment, such as cheques, because the issuing bank commits to pay the merchant the moment the transaction is authorized, regardless of whether the consumer defaults on their credit card payment (except for legitimate disputes, which are discussed below, and can result in charge backs to the merchant). In most cases, cards are even more secure than cash, because they discourage theft by the merchant's employees and reduce the amount of cash on the premises.

For each purchase, the bank charges the merchant a commission (discount fee) for this service and there may be a certain delay before the agreed payment is received by the merchant. The commission is often a percentage of the transaction amount, plus a fixed fee. In addition, a merchant may be penalized or have their ability to receive payment using that credit card restricted if there are too many cancellations or reversals of charges as a result of disputes. Some small merchants require credit purchases to have a minimum amount (usually between $5 and $10) to compensate for the transaction costs, though this is not always allowed by the credit card consortium. In countries like South Korea, it is illegal for merchants to charge extra to a customer using a credit card and is punishable by law.

In some countries, like the Nordic countries, banks guarantee payment on stolen cards only if an ID card is checked and the ID card number/civic registration number is written down on the receipt together with the signature. In these countries merchants therefore usually ask for ID. Non-Nordic citizens, who are unlikely to possess a Nordic ID card or driving license, will instead have to show their passport, and the passport number will be written down on the receipt, sometimes together with other information. Some shops use the card's PIN code for identification, and in that case showing an ID card is not necessary.

How credit cards work

A user is issued credit after an account has been approved by the credit provider, and is given a credit card, with which the user will be able to make purchases from merchants accepting that credit card up to a pre-established credit limit. Often a general bank issues the credit, but sometimes a captive bank created to issue a particular brand of credit card, such as Chase, Wells Fargo or Bank of America, issues the credit.

When a purchase is made, the credit card user agrees to pay the card issuer. The cardholder indicates their consent to pay, by signing a receipt with a record of the card details and indicating the amount to be paid or by entering a Personal identification number (PIN). Also, many merchants now accept verbal authorizations via telephone and electronic authorization using the Internet, known as a Card not present (CNP) transaction.

Electronic verification systems allow merchants to verify that the card is valid and the credit card customer has sufficient credit to cover the purchase in a few seconds, allowing the verification to happen at time of purchase. The verification is performed using a credit card payment terminal or Point of Sale (POS) system with a communications link to the merchant's acquiring bank. Data from the card is obtained from a magnetic stripe or chip on the card; the latter system is in the United Kingdom commonly known as Chip and PIN, but is more technically an EMV card.

Other variations of verification systems are used by eCommerce merchants to determine if the user's account is valid and able to accept the charge. These will typically involve the cardholder providing additional information, such as the security code printed on the back of the card, or the address of the cardholder.

Each month, the credit card user is sent a statement indicating the purchases undertaken with the card, any outstanding fees, and the total amount owed. After receiving the statement, the cardholder may dispute any charges that he or she thinks are incorrect (see Fair Credit Billing Act for details of the US regulations). Otherwise, the cardholder must pay a defined minimum proportion of the bill by a due date, or may choose to pay a higher amount up to the entire amount owed. The credit provider charges interest on the amount owed (typically at a much higher rate than most other forms of debt). Some financial institutions can arrange for automatic payments to be deducted from the user's bank accounts, thus avoiding late payment altogether as long as the cardholder has sufficient funds.

Credit card issuers usually waive interest charges if the balance is paid in full each month, but typically will charge full interest on the entire outstanding balance from the date of each purchase if the total balance is not paid.

For example, if a user had a $1,000 transaction and repaid it in full within this grace period, there would be no interest charged. If, however, even $1.00 of the total amount remained unpaid, interest would be charged on the $1,000 from the date of purchase until the payment is received. The precise manner in which interest is charged is usually detailed in a cardholder agreement which may be summarized on the back of the monthly statement. The general calculation formula most financial institutions use to determine the amount of interest to be charged is APR/100 x ADB/365 x number of days revolved. Take the Annual percentage rate (APR) and divide by 100 then multiply to the amount of the average daily balance (ADB) divided by 365 and then take this total and multiply by the total number of days the amount revolved before payment was made on the account. Financial institutions refer to interest charged back to the original time of the transaction and up to the time a payment was made, if not in full, as RRFC or residual retail finance charge. Thus after an amount has revolved and a payment has been made that the user of the card will still receive interest charges on their statement after paying the next statement in full (in fact the statement may only have a charge for interest that collected up until the date the full balance was paid...i.e. when the balance stopped revolving).^[1]

The credit card may simply serve as a form of revolving credit, or it may become a complicated financial instrument with multiple balance segments each at a different interest rate, possibly with a single umbrella credit limit, or with separate credit limits applicable to the various balance segments. Usually this compartmentalization is the result of special incentive offers from the issuing bank, either to encourage balance transfers from cards of other issuers, or to encourage more spending on the part of the customer. In the event that several interest rates apply to various balance segments, payment allocation is generally at the discretion of the issuing bank, and payments will therefore usually be allocated towards the lowest rate balances until paid in full before any money is paid towards higher rate balances. Interest rates can vary considerably from card to card, and the interest rate on a particular card may jump dramatically if the card user is late with a payment on that card or any other credit instrument, or even if the issuing bank decides to raise its revenue. As the rates and terms vary, services have been set up allowing users to calculate savings available by switching cards, which can be considerable if there is a large outstanding balance (see external links for some on-line services).

Because of intense competition in the credit card industry, credit providers often offer incentives such as frequent flyer points, gift certificates, or cash back (typically up to 1 percent based on total purchases) to try to attract customers to their program.

Low interest credit cards or even 0% interest credit cards are available. The only downside to consumers is that the period of low interest credit cards is limited to a fixed term, usually between 6 and 12 months after which a higher rate is charged. However, services are available which alert credit card holders when their low interest period is due to expire. Most such services charge a monthly or annual fee.

Carding

Carding is a term used for a process to verify the validity of stolen card data. The thief presents the card information on a website that has real-time transaction processing. If the card is processed successfully, the thief knows that the card is still good. The specific item purchased is immaterial, and the thief does not need to purchase an actual product; a Web site subscription or charitable donation would be sufficient. The purchase is usually for a small monetary amount, both to avoid using the card's credit limit, and also to avoid attracting the bank's attention. A website known to be susceptible to carding is known as a cardable website.

In the past, carders used computer programs called "generators" to produce a sequence of credit card numbers, and then test them to see which were valid accounts. Another variation would be to take false card numbers to a location that does not immediately process card numbers, such as a trade show or special event. However, this process is no longer viable due to widespread requirement by internet credit card processing systems for additional data such as the billing address, the 3 to 4 digit Card Security Code and/or the card's expiry date, as well as the more prevalent use of wireless card scanners that can process transactions right away.^[3] Nowadays, carding is more typically used to verify credit card data obtained directly from the victims by Skimming or Phishing.

A set of credit card details that has been verified in this way is known in fraud circles as a phish. A carder will typically sell data files of phish to other individuals who will carry out the actual fraud. Market price for a phish ranges from US$1.00 to US$50.00 depending on the type of card, freshness of the data and credit status of the victim.

Skimming

Skimming is the theft of credit card information used in an otherwise legitimate transaction. It is typically an "inside job" by a dishonest employee of a legitimate merchant, and can be as simple as photocopying of receipts. Common scenarios for skimming are restaurants or bars where the skimmer has possession of the victim's credit card out of their immediate view. The skimmer will typically use a small keypad to unobtrusively transcribe the 3 or 4 digit Card Security Code which is not present on the magnetic strip. Many instances of skimming have been reported where the perpetrator has put a device over the card slot of a public cash machine (Automated teller machine), which reads the magnetic strip as the user unknowingly passes their card through it. These devices are often used in conjunction with a pinhole camera to read the user's PIN at the same time.^[2]

Skimming is difficult for the typical card holder to detect, but given a large enough sample, it is fairly easy for the bank to detect. The bank collects a list of all the card holders who have complained about fraudulent transactions, and then uses data mining to discover relationships among the card holders and the merchants they use. For example, if many of the customers used one particular merchant, that merchant's terminals (devices used to authorize transactions) can be directly investigated. Sophisticated algorithms can also search for known patterns of fraud. Merchants must ensure the physical security of their terminals, and penalties for merchants can be severe in cases of compromise, ranging from large fines to complete exclusion from the merchant banking system, which can be a death blow to businesses such as restaurants which rely on credit card processing.

Account takeover

There are two types of fraud within the identity theft category, application fraud and account takeover.

Application fraud occurs when criminals use stolen or fake documents to open an account in someone else's name. Criminals may try to steal documents such as utility bills and bank statements to build up useful personal information. Alternatively, they may create counterfeit documents.

Account take-over involves a criminal trying to take over another person's account, first by gathering information about the intended victim, then contacting their bank or credit issuer - masquerading as the genuine cardholder - asking for mail to be redirected to a new address. The criminal then reports the card lost and asks for a replacement to be sent. The replacement card is then used fraudulently.

Mail/Internet order fraud

The mail and the Internet are major routes for fraud against merchants who sell and ship products, as well Internet merchants who provide online services. The industry term for catalog order and similar transactions is "Card Not Present" (CNP), meaning that the card is not physically available for the merchant to inspect. The merchant must rely on the holder (or someone purporting to be the holder) to present the information on the card by indirect means, whether by mail, telephone or over the Internet when the cardholder is not present at the point of sale.

It is difficult for a merchant to verify that the actual card holder is indeed authorizing the purchase. Shipping companies can guarantee delivery to a location, but they are not required to check identification and they are usually are not involved in processing payments for the merchandise. A common preventive measure for merchants is to allow shipment only to an address approved by the cardholder, and merchant banking systems offer simple methods of verifying this information.

Additionally, smaller transactions generally undergo less scrutiny, and are less likely to be investigated by either the bank or the merchant, since the cost of research and prosecution usually far outweighs the loss due to fraud. CNP merchants must take extra precaution against fraud exposure and associated losses, and they pay higher rates to merchant banks for the privilege of accepting cards. Anonymous scam artists bet on the fact that many fraud prevention features do not apply in this environment.

Merchant associations have developed some prevention measures, such as single use card numbers, but these have not met with much success. Customers expect to be able to use their credit card without any hassles, and have little incentive to pursue additional security due to laws limiting customer liability in the event of fraud. Merchants can implement these prevention measures but risk losing business if the customer chooses not to use the measures.

Stolen cards

When a card is lost or stolen, it remains usable until the holder notifies the bank that the card is lost; most banks have toll-free telephone numbers with 24-hour support to encourage prompt reporting. Still, it is possible for a thief to make unauthorized purchases on that card up until the card is cancelled. In the absence of other security measures, a thief could potentially purchase thousands of dollars in merchandise or services before the card holder or the bank realize that the card is in the wrong hands.

In the US, federal law limits the liability of card holders to $50 in the event of theft, regardless of the amount charged on the card; in practice, many banks will waive even this small payment and simply remove the fraudulent charges from the customer's account if the customer signs an affidavit confirming that the charges are indeed fraudulent. Other countries generally have similar laws aimed at protecting consumers from physical theft of the card.

The only common security measure on all cards is a signature panel, but signatures are relatively easy to forge. Many merchants will demand to see a picture ID, such as a driver's license, to verify the identity of the purchaser, and some credit cards include the holder's picture on the card itself. Self-serve payment systems (gas stations, kiosks, etc.) are common targets for stolen cards, as there is no way to verify the card holder's identity. A common countermeasure is to require the user to key in some identifying information, such as the user's ZIP or postal code. This method may deter casual theft of a card found alone, but if the card holder's wallet is stolen, it may be trivial for the thief to deduce the information by looking at other items in the wallet. For instance, a US driver license commonly has the holder's home address and ZIP code printed on it.

Banks have a number of countermeasures at the network level, including sophisticated real-time analysis that can estimate the probability of fraud based on a number of factors. For example, a large transaction occurring a great distance from the card holder's home might be flagged as suspicious. The merchant may be instructed to call the bank for verification, to decline the transaction, or even to hold the card and refuse to return it to the customer.

Citibank Credit Card

With your Citibank credit card comes a host of benefits & services that only the world's largest financial institution can provide Exclusive shopping, cafe and clubbing privileges in Malaysia Adventure travel vacations customised to your budget and lifestyle Enjoy discounts from our merchant partners in Singapore Shop online without worry with your free Virtual Card Account Rewards Program allows annual fee waiver and gift voucher redemption with Citibank Clear Card partners. Points do not expire Professional courses at 0% interest flexipayment MIM: 0% up to 6 months KDU:0% up to 9 months

What You Need

Minimum income of RM 18,000 per annum Copy of graduate certificate Copy of latest payslip or appointment letter Copy of IC