Credit Card Fraud and Theft are referred to in N.J.S. 2C:21-6.

2C:21-6. Credit cards

a. Definitions. As used in this section:

(1) "Cardholder" means the person or organization named on the face of a credit card to whom or for whose benefit the credit card is issued by an issuer.

(2) "Credit card" means any tangible or intangible instrument or device issued with or without fee by an issuer that can be used, alone or in connection with another means of account access, in obtaining money, goods, services or anything else of value on credit, including credit cards, credit plates, account numbers, or any other means of account access.

(3) "Expired credit card" means a credit card which is no longer valid because the term shown either on it or on documentation provided to the cardholder by the issuer has elapsed.

(4) "Issuer" means the business organization or financial institution which issues a credit card or its duly authorized agent.

(5) "Receives" or "receiving" means acquiring possession or control or accepting a credit card as security for a loan.

(6) "Revoked credit card" means a credit card which is no longer valid because permission to use it has been suspended or terminated by the issuer.

b. False statements made in procuring issuance of credit card. A person who makes or causes to be made, either directly or indirectly, any false statement in writing, knowing it to be false and with intent that it be relied on, respecting his identity or that of any other person, firm or corporation, or his financial condition or that of any other person, firm or corporation, for the purpose of procuring the issuance of a credit card is guilty of a crime of the fourth degree.

c. Credit card theft.

(1) A person who takes or obtains a credit card from the person, possession, custody or control of another without the cardholder's consent or who, with knowledge that it has been so taken, receives the credit card with intent to use it or to sell it, or to transfer it to a person other than the issuer or the cardholder is guilty of a crime of the fourth degree. Taking a credit card without consent includes obtaining it by any conduct defined and prescribed in Chapter 20 of this title, Theft and Related Offenses.

A person who has in his possession or under his control (a) credit cards issued in the names of two or more other persons or, (b) two or more stolen credit cards is presumed to have violated this paragraph.

(2) A person who receives a credit card that he knows to have been lost, mislaid, or delivered under a mistake as to the identity or address of the cardholder, and who retains possession with intent to use it or to sell it or to transfer it to a person other than the issuer or the cardholder is guilty of a crime of the fourth degree.

(3) A person other than the issuer who sells a credit card or a person who buys a credit card from a person other than the issuer is guilty of a crime of the fourth degree.

(4) A person who, with intent to defraud the issuer, a person or organization providing money, goods, services or anything else of value, or any other person, obtains control over a credit card as security for debt is guilty of a crime of the fourth degree.

(5) A person who, with intent to defraud a purported issuer, a person or organization providing money, goods, services or anything else of value, or any other person, falsely makes or falsely embosses a purported credit card or utters such a credit card is guilty of a third degree offense. A person other than the purported issuer who possesses two or more credit cards which are falsely made or falsely embossed is presumed to have violated this paragraph. A person "falsely makes" a credit card when he makes or draws, in whole or in part, a device or instrument which purports to be the credit card of a named issuer but which is not such a credit card because the issuer did not authorize the making or drawing, or alters a credit card which was validly issued. A person "falsely embosses" a credit card when, without the authorization of the named issuer, he completes a credit card by adding any of the matter, other than the signature of the cardholder, which an issuer requires to appear on the credit card before it can be used by a cardholder.

(6) A person other than the cardholder or a person authorized by him who, with intent to defraud the issuer, or a person or organization providing money, goods, services or anything else of value, or any other person, signs a credit card, is guilty of a crime of the fourth degree. A person who possesses two or more credit cards which are so signed is presumed to have violated this paragraph.

d. Intent of cardholder to defraud; penalties; knowledge of revocation. A person, who, with intent to defraud the issuer, a person or organization providing money, goods, services or anything else of value, or any other person, (1) uses for the purpose of obtaining money, goods, services or anything else of value a credit card obtained or retained in violation of subsection c. of this section or a credit card which he knows is forged, expired or revoked, or (2) obtains money, goods, services or anything else of value by representing without the consent of the cardholder that he is the holder of a specified card or by representing that he is the holder of a card and such card has not in fact been issued, is guilty of a crime of the third degree. Knowledge of revocation shall be presumed to have been received by a cardholder four days after it has been mailed to him at the address set forth on the credit card or at his last known address by registered or certified mail, return receipt requested, and, if the address is more than 500 miles from the place of mailing, by air mail. If the address is located outside the United States, Puerto Rico, the Virgin Islands, the Canal Zone and Canada, notice shall be presumed to have been received 10 days after mailing by registered or certified mail.

e. Intent to defraud by person authorized to furnish money, goods, or services; penalties.

(1) A person who is authorized by an issuer to furnish money, goods, services or anything else of value upon presentation of a credit card by the cardholder, or any agent or employees of such person, who, with intent to defraud the issuer or the cardholder, furnishes money, goods, services or anything else of value upon presentation of a credit card obtained or retained in violation of subsection c. of this section or a credit card which he knows is forged, expired or revoked violates this paragraph and is guilty of a crime of the third degree.

(2) A person who is authorized by an issuer to furnish money, goods, services or anything else of value upon presentation of a credit card by the cardholder, fails to furnish money, goods, services or anything else of value which he represents in writing to the issuer that he has furnished is guilty of a crime of the fourth degree.

f. Incomplete credit cards; intent to complete without consent. A person other than the cardholder possessing two or more incomplete credit cards, with intent to complete them without the consent of the issuer or a person possessing, with knowledge of its character, machinery, plates or any other contrivance designed to reproduce instruments purporting to be the credit cards of an issuer who has not consented to the preparation of such credit cards, is guilty of a crime of the third degree. A credit card is "incomplete" if part of the matter other than the signature of the cardholder, which an issuer requires to appear on the credit card, before it can be used by a cardholder, has not yet been stamped, embossed, imprinted or written on it.

g. Receiving anything of value knowing or believing that it was obtained in violation of subsection d. of N.J.S.2C:21-6. A person who receives money, goods, services or anything else of value obtained in violation of subsection d. of this section, knowing or believing that it was so obtained is guilty of a crime of the fourth degree. A person who obtains, at a discount price a ticket issued by an airline, railroad, steamship or other transportation company which was acquired in violation of subsection d. of this section without reasonable inquiry to ascertain that the person from whom it was obtained had a legal right to possess it shall be presumed to know that such ticket was acquired under circumstances constituting a violation of subsection d. of this section.

h. Fraudulent use of credit cards.

A person who knowingly uses any counterfeit, fictitious, altered, forged, lost, stolen or fraudulently obtained credit card to obtain money, goods or services, or anything else of value; or who, with unlawful or fraudulent intent, furnishes, acquires, or uses any actual or fictitious credit card, whether alone or together with names of credit cardholders, or other information pertaining to a credit card account in any form, is guilty of a crime of the third degree.

Credit card fraud is a wide-ranging term for theft and fraud committed using a credit card or any similar payment mechanism as a fraudulent source of funds in a transaction. The purpose may be to obtain goods without paying, or to obtain unauthorized funds from an account. Credit card fraud is also an adjunct to identity theft. According to the Federal Trade Commission, while identity theft had been holding steady for the last few years, it saw a 21 percent increase in 2008. However, credit card fraud, that crime which most people associate with ID theft, decreased as a percentage of all ID theft complaints for the sixth year in a row.

The cost of card fraud in 2006 were 7 cents per 100 dollars worth of transactions (7 basis points). Due to the high volume of transactions this translates to billions of dollars.

Origins

The fraud begins with either the theft of the physical card or the compromise of data associated with the account, including the card account number or other information that would routinely and necessarily be available to a merchant during a legitimate transaction. The compromise can occur by many common routes and can usually be conducted without tipping off the card holder, the merchant or the issuer, at least until the account is ultimately used for fraud. A simple example is that of a store clerk copying sales receipts for later use. The rapid growth of credit card use on the Internet has made database security lapses particularly costly; in some cases, millions of accounts have been compromised.

Stolen cards can be reported quickly by cardholders, but a compromised account can be hoarded by a thief for weeks or months before any fraudulent use, making it difficult to identify the source of the compromise. The cardholder may not discover fraudulent use until receiving a billing statement, which may be delivered infrequently.

Stolen cards

When a credit card is lost or stolen, it remains usable until the holder notifies the issuer that the card is lost. Most issuers have free 24-hour telephone numbers to encourage prompt reporting. Still, it is possible for a thief to make unauthorized purchases on a card until it is canceled. Without other security measures, a thief could potentially purchase thousands of dollars in merchandise or services before the cardholder or the card issuer realize that the card is in the wrong hands.

The only common security measure on all cards is a signature panel, but signatures are relatively easy to forge. Some merchants will demand to see a picture ID, such as a driver's license, to verify the identity of the purchaser, and some credit cards include the holder's picture on the card itself. However, the card holder has a right to refuse to show additional verification, and asking for such verification is usually a violation of the merchant's agreement with the credit card companies. Self-serve payment systems (gas stations, kiosks, etc.) are common targets for stolen cards, as there is no way to verify the card holder's identity.

A common countermeasure is to require the user to key in some identifying information, such as the user's ZIP or postal code. This method may deter casual theft of a card found alone, but if the card holder's wallet is stolen, it may be trivial for the thief to deduce the information by looking at other items in the wallet. For instance, a U.S. driver license commonly has the holder's home address and ZIP code printed on it. Visa Inc. offers merchants lower rates on transactions if the customer provides a zip code.

In Europe, most cards are equipped with an EMV chip which requires a 4 digit PIN to be entered in to the merchants terminal before payment will be authorised.

Requiring a customer's ZIP code is illegal in California where the state's 1971 law prohibits merchants from requesting or requiring a card-holder's "personal identification information" as a condition of accepting the card for payment. The California Supreme Court has ruled that the ZIP code qualifies as personal identification information because it is part of the cardholder's address. Companies face fines of $250–1000 for each violation. Requiring a "personal identification number" (PIN) may also be a violation.

Card issuers have several countermeasures, including sophisticated software that can, before a transaction is authorized, estimate the probability of fraud. For example, a large transaction occurring a great distance from the cardholder's home might seem suspicious. The merchant may be instructed to call the card issuer for verification, or to decline the transaction, or even to hold the card and refuse to return it to the customer. The customer must contact the issuer and prove who they are to get their card back (if it is not fraud and they are actually buying a product).

Compromised accounts

Card account information is stored in a number of formats. Account numbers are often embossed or imprinted on the card, and a magnetic stripe on the back contains the data in machine readable format. Fields can vary, but the most common include:

• Name of card holder
• Account number
• Expiration date
• Verification/CVV code

Card not present transaction

The mail and the Internet are major routes for fraud against merchants who sell and ship products, and affects legitimate mail-order and Internet merchants. If the card is not physically present (called CNP, card not present) the merchant must rely on the holder (or someone purporting to be so) presenting the information indirectly, whether by mail, telephone or over the Internet. While there are safeguards to this,it is still more risky than presenting in person, and indeed card issuers tend to charge a greater transaction rate for CNP, because of the greater risk.

It is difficult for a merchant to verify that the actual cardholder is indeed authorising the purchase. Shipping companies can guarantee delivery to a location, but they are not required to check identification and they are usually not involved in processing payments for the merchandise. A common recent preventive measure for merchants is to allow shipment only to an address approved by the cardholder, and merchant banking systems offer simple methods of verifying this information. Before this and similar countermeasures were introduced, mail order carding was rampant as early as 1992. A carder would obtain the credit card information for a local resident and then intercept delivery of the illegitimately purchased merchandise at the shipping address, often by staking out the porch of the residence.

Small transactions generally undergo less scrutiny, and are less likely to be investigated by either the card issuer or the merchant. CNP merchants must take extra precaution against fraud exposure and associated losses, and they pay higher rates for the privilege of accepting cards. Fraudsters bet on the fact that many fraud prevention features are not used for small transactions.

Merchant associations have developed some prevention measures, such as single use card numbers, but these have not met with much success. Customers expect to be able to use their credit card without any hassles, and have little incentive to pursue additional security due to laws limiting customer liability in the event of fraud. Merchants can implement these prevention measures but risk losing business if the customer chooses not to use the measures.

Identity theft

Identity theft can be divided into two broad categories: Application fraud and account takeover.

Application fraud

Application fraud happens when a criminal uses stolen or fake documents to open an account in someone else's name. Criminals may try to steal documents such as utility bills and bank statements to build up useful personal information. Or they may create counterfeit documents.

Account takeover

Account takeover happens when a criminal tries to take over another person's account, first by gathering information about the intended victim, and then contacting their card issuer while impersonating the genuine cardholder, and asking for mail to be redirected to a new address. The criminal then reports the card lost and asks for a replacement to be sent.

Some merchants added a new practice to protect their consumers and their own reputation, where they ask the buyer to send a photocopy of the physical card and statement to ensure the legitimate usage of a card.

Skimming

Skimming is the theft of credit card information used in an otherwise legitimate transaction. It is typically an "inside job" by a dishonest employee of a legitimate merchant. The thief can procure a victim’s credit card number using basic methods such as photocopying receipts or more advanced methods such as using a small electronic device (skimmer) to swipe and store hundreds of victims’ credit card numbers. Common scenarios for skimming are restaurants or bars where the skimmer has possession of the victim's credit card out of their immediate view. The thief may also use a small keypad to unobtrusively transcribe the 3 or 4 digit Card Security Code which is not present on the magnetic strip. Call centers are another area where skimming can easily occur.

Instances of skimming have been reported where the perpetrator has put a device over the card slot of an ATM (automated teller machine), which reads the magnetic strip as the user unknowingly passes their card through it. These devices are often used in conjunction with a miniature camera (inconspicuously attached to the ATM) to read the user's PIN at the same time. This method is being used very frequently in many parts of the world, including South America, e.g. in Argentina and Europe, e.g. in the Netherlands. Another technique used is a keypad overlay that matches up with the buttons of the legitimate keypad below it and presses them when operated, but records or transmits the keylog of the PIN entered by wireless. The device or group of devices illicitly installed on an ATM are also colloquially known as a "skimmer". Recently-made ATMs now often run a picture of what the slot and keypad are supposed to look like as a background, so that consumers can identify foreign devices attached.

Skimming is difficult for the typical cardholder to detect, but given a large enough sample, it is fairly easy for the card issuer to detect. The issuer collects a list of all the cardholders who have complained about fraudulent transactions, and then uses data mining to discover relationships among them and the merchants they use. For example, if many of the cardholders use a particular merchant, that merchant can be directly investigated. Sophisticated algorithms can also search for patterns of fraud. Merchants must ensure the physical security of their terminals, and penalties for merchants can be severe if they are compromised, ranging from large fines by the issuer to complete exclusion from the system, which can be a death blow to businesses such as restaurants where credit card transactions are the norm.

Carding

Carding is a term used for a process to verify the validity of stolen card data. The thief presents the card information on a website that has real-time transaction processing. If the card is processed successfully, the thief knows that the card is still good. The specific item purchased is immaterial, and the thief does not need to purchase an actual product; a Web site subscription or charitable donation would be sufficient. The purchase is usually for a small monetary amount, both to avoid using the card's credit limit, and also to avoid attracting the card issuer's attention. A website known to be susceptible to carding is known as a cardable website.

In the past, carders used computer programs called "generators" to produce a sequence of credit card numbers, and then test them to see which were valid accounts. Another variation would be to take false card numbers to a location that does not immediately process card numbers, such as a trade show or special event. However, this process is no longer viable due to widespread requirement by Internet credit card processing systems for additional data such as the billing address, the 3 to 4 digit Card Security Code and/or the card's expiration date, as well as the more prevalent use of wireless card scanners that can process transactions right away. Nowadays, carding is more typically used to verify credit card data obtained directly from the victims by skimming or phishing.

A set of credit card details that has been verified in this way is known in fraud circles as a phish. A carder will typically sell data files of the phish to other individuals who will carry out the actual fraud. Market price for a phish ranges from US$1.00 to US$50.00 depending on the type of card, freshness of the data and credit status of the victim.

BIN attack

Credit cards are produced in BIN ranges. Where an issuer does not use random generation of the card number, it is possible for an attacker to obtain one good card number and generate valid card numbers by changing the last four numbers using a generator. The expiry date of these cards would most likely be the same as the good card.

Fraudulent Charge-Back schemes

There is a class of email spam (usually sent to commercial / corporate email addresses) where the spammer makes an offer to purchase goods (usually not specifically identified) from a vendor. In the email, the spammer makes it clear that they intend to pay for the goods using a credit card. The spammer provides the shipping address for the goods, and requests a product and price-list from the vendor in the initial email. It has been speculated that this is some form of charge-back scheme, whereby the spammer is using a valid credit card but intends to request a charge-back to reverse the charge while at the same time retaining the goods that were shipped to them.

Profits, losses and punishment

United States

Cardholder liability

In the US, federal law limits the liability of card holders to $50 in the event of theft of the actual credit card, regardless of the amount charged on the card, if reported within 60 days of receiving the statement. In practice many issuers will waive this small payment and simply remove the fraudulent charges from the customer's account if the customer signs an affidavit confirming that the charges are indeed fraudulent. If the physical card is not lost or stolen, but rather just the credit card account number itself is stolen, then Federal Law guarantees card holders have zero liability to the credit card issuer.

Merchants

The merchants and the financial institutions bear the loss. The merchant loses the value of any goods or services sold, and any associated fees. If the financial institution does not have a chargeback right then the financial institution bears the loss and the merchant does not suffer at all. These losses incline merchants to be cautious and often they ban legitimate transactions and lose potential revenues. Online merchants can choose to apply for additional services that credit card companies offer, such as Verified by Visa and MasterCard SecureCode. However, these are fiddly for consumers so there is a trade-off of making a sale easy and making it secure.

The liability for the fraud is determined by the details of the transaction. If the merchant retrieved all the necessary pieces of information and followed all of the rules and regulations the financial institution would bear the liability for the fraud. If the merchant did not get all of the necessary information they would be required to return the funds to the financial institution. This is all determined through the credit card processory.

High-risk industries such as online shops anticipate losses and spread them over the prices that are paid by honest buyers. The FBI's Financial Report to the Public in 2007 estimated such losses to be $52.6 billion that are borne by 9.91 million US consumers. Recently several attempts have been made to amend the legislation to protect cardholders and merchants from fraud, but credit card companies are heavily resistant to such initiatives.