American Express Card Security Features and Fraud Prevention Strategies
You work hard to protect the interests of your business and cardholder. Unfortunately, fraudulent card use can undermine your best efforts and millions of dollars are lost each year because of such fraud.
American Express offers a full suite of tools and programs that can help to mitigate the chances of fraud on American Express cards and reduce this cost to your business.
Some merchants may not be eligible to participate in the full suite of fraud tools and fraud liability shift programs offered. Additionally, American Express may suspend or terminate a merchant from using any fraud tool or participation in any fraud liability shift program and may suspend or terminate any fraud tool or fraud liability shift program at any time.
This article offers fraud mitigation tips for both card present and card not present transactions. Contact your Merchant Services Provider for information related to fraud mitigation tools and resources that may be available for your use.
Strategies for Deterring Fraud
Implementing multiple layers of fraud protection to help secure your business is recommended. These layers may include a combination of your point of sale procedures and controls as well as implementation of fraud mitigation tools.
Your first layer for mitigating fraud is to follow the card acceptance policies and procedures, as outlined previously here. Other fraud mitigation strategies that you choose to implement may include any combination of:
- Recognition of suspicious behaviors or circumstances that may signal fraudulent activity.
- Implementation of fraud mitigation tools that take advantage of American Express’ risk controls to identify fraudulent activity.
- Additional risk models or controls that you can develop internally or obtain externally from third parties.
American Express and your Merchant Services Provider work together to deploy tools that can help reduce the likelihood that fraudulent charges will be approved. The implementation and use of the strategies and tools detailed in this article, however, does not guarantee that:
- The person making the charge is the cardholder,
- The charge is in fact valid or bona fide,
- You will be paid for the charge or
- You will not be subject to a chargeback.
The following illustration compares data captured during a standard Card Not Present charge (left) with the amount of data that can be captured when fraud mitigation tools are implemented (right).
Card Acceptance Policies
A critical component in your overall fraud mitigation strategy is to follow your Merchant Services Provider’s operating instructions including American Express card acceptance procedures, as defined here. These procedures can also serve as your first line of defense against potential fraud. The additional layers of fraud mitigation mentioned previously can supplement this line of defense.
Card Security Features
In many cases, the physical appearance of the American Express card will offer the most obvious clues of fraudulent activity. American Express card security features are designed to help you assess whether a card is authentic or has been altered. Ensure that all of your personnel are familiar with American Express card security features, so they can identify potentially compromised Cards.
The picture to the left is just one example of an American Express card as a number of different cards are offered. These are some things you must look for:
- Pre-printed CID Numbers usually appear above the Card Number, on either the right or the left edge of the card.
- All American Express Card Numbers start with “37” or “34”. The Card Number appears embossed on the front of the card. Embossing must be clear and uniform in sizing and spacing. Some cards also have the Card Number printed on the back of the card in the signature panel. These numbers, plus the last four digits printed on the Charge Record, must all match.
- Do not accept a card outside the Valid Dates.
- Only the person whose name appears on an American Express card is entitled to use it. Cards are not transferable.
- Some cards contain a holographic image on the front or back of the plastic to determine authenticity. Not all American Express cards have a holographic image.
- Some cards have a chip on which data is stored and used to conduct a charge.
- The signature on the back of the card must match the cardholder’s signature on the Charge Record, and must be the same name that appears on the front of the card. The signature panel must not be taped over, mutilated, erased or painted over. Some cards also have a three-digit Card Security Code (CSC) number printed on the signature panel.
Compromised Card Security Features
In the example of an altered card to the left, the signature panel has been painted white under the signature. In addition, the Card Number has been erased from the back panel.
Do not accept a card if:
- Altered Magnetic Stripe:
- The Magnetic Stripe has been altered or destroyed.
- The Card Number on the front of the card does not match the number printed on the back (when present) or the last four digits printed on the Charge Record (or both).
- Altered Front of the Card:
- The Card Number or cardholder name on the front of the card appears out of line, crooked or unevenly spaced.
- The ink on the raised Card Number or cardholder name is smudged or messy.
- The Card Number or cardholder name is not printed in the same typeface as the American Express typeface.
- Altered Back of the Card:
- The Card Number printed on the back of the card (when present) is different from the Card Number on the front.
- The Card Number on the back of the card (when present) has been chipped off or covered up.
- The signature panel has been painted-out, erased or written over.
- Altered Appearance of the Card:
- There are “halos” of previous embossing or printing underneath the current Card Number and cardholder name.
- A portion of the surface looks dull compared with the rest of the card. Valid American Express cards have a high-gloss finish.
- The card has a bumpy surface or is bent around the edges.
- You suspect any card security features have been compromised.
- The card appears physically altered in any way.
If you suspect card misuse, follow internal store policies and, if directed to do so, call your Merchant Services Provider and state that you have a Code 10. Never put yourself or your employees in unsafe situations, nor physically detain or harm the holder of the card.
Often, you can look closely at cards to determine if they are altered or counterfeit. As another layer in your internal fraud prevention program, educate yourself and all your personnel on how to identify a potentially altered card.
Recognizing Suspicious Activity
Diligently scrutinizing behaviors and circumstances can help prevent you from being victimized by fraud. As a prudent merchant, you must always be aware of circumstances that may indicate a fraudulent scheme or suspicious behaviors that may flag a fraudulent customer.
Suspicious Behavior
A suspicious situation may arise, causing you to question the authenticity of the card or the legitimacy of the person presenting it. Any single behavior may not be risky. However, when customers exhibit more than one of the following behaviors, your risk factor may increase:
- Larger-than-normal transaction dollar amounts,
- Orders containing many of the same items,
- Orders shipped to an address other than a billing address,
- Orders using anonymous / free email domains,
- Orders sent to postal codes or countries where you show a history of fraudulent claims,
- Orders of a “hot” product (i.e., highly desirable goods for resale),
- Customer is a first-time shopper,
- Customer is purchasing large quantities of high-priced goods without regard to color, size, product feature or price,
- Customer comes in just before closing time and purchases a large quantity of goods,
- Customer wants to rush or overnight the order,
- Customer has a previous history of Disputed Charges,
- Customer is rude or abusive toward you; wanting to rush or distract you,
- Customer frequents your establishment to make small purchases with cash, then returns to make additional purchases of expensive items with a card.
If you suspect card misuse, follow your internal store policies and immediately call your Merchant Services Provider with a Code 10. Never put yourself or your employees in unsafe situations, nor physically detain or harm the holder of the card.
Prepaid Card Security Features
You are responsible for following all American Express’ Prepaid Card acceptance procedures. Although there are a number of unique Prepaid Cards, all Prepaid Cards share similar features, except that:
- Prepaid Cards may or may not be embossed, and
- The following features may appear on the front or back of the card (or a combination of both):
- The American Express logo generally appears in the bottom right corner.
- The words PREPAID or INCENTIVE will generally be shown above the American Express logo.
- Cards pre-loaded with funds may show the dollar amount or the total points (reloadable Cards generally will not show a number).
- The CID Number will appear usually above the Card Number or above the logo.
- The Card Number appears on the card.
- The Valid Date or Expiration Date appears on the card.
- The recipient’s name or company name may appear on the card; otherwise a generic “Recipient” or “Traveler” may appear or this area might be blank.
Recognizing Suspicious Activity for Prepaid Cards
It is recommended that you follow the procedures in the preceding section “Recognizing Suspicious Activity”, in addition to being vigilant for the following suspicious behaviors related specifically to Prepaid Cards:
- Customer frequently makes purchases and then returns goods for cash. (To avoid being the victim of this scheme, you should follow your internal store procedures when you cannot issue a Credit on the Card used to make the original purchase.)
- Customer uses Prepaid Cards to purchase other Prepaid Cards.
- Customer uses large numbers of Prepaid Cards to make purchases.
Travelers Cheque and Gift Cheque Security Features
Even though American Express’ Travelers Cheques and Gift Cheques offer more convenience and security, counterfeit products circulate worldwide. You must verify all cheque products presented at your Establishment and contact the Travelers Cheque / Gift Cheque Customer Service with questions or suspicions.
One of the easiest and most effective tests to determine authenticity is the smudge test:
- Turn the cheque over (non-signature side).
- Locate the denomination on the right side of the cheque. Wipe a moistened finger across the denomination. The ink should not smudge.
- Wipe a moistened finger across the denomination on the left side of the cheque. The ink should smudge.
The following shows an example of a smudge test:
It is also recommended that you follow the procedures in the preceding section “Recognizing Suspicious Activity” to assist you in the mitigation of fraud.
As another layer of protection, there are a number of security features inherent in American Express’ Travelers Cheque and Gift Cheque products. Following are a few security features to help you recognize an authentic Cheque.
Fraud Mitigation Tools
Fraud mitigation tools are available for both Card Present and Card Not Present Transactions to help verify that a Charge is valid. These tools help you mitigate the risk of fraud at the point of sale, but are not a guarantee that:
- The person making the charge is the cardholder,
- The charge is in fact valid or bona fide,
- You will be paid for the charge or
- You will not be subject to a chargeback.
For optimal use of the tools, it is critical that:
- You comply with the applicable sections of the Technical Specifications and
- You provide high quality data in the authorization request.
American Express offers strategies and tools for preventing fraud. For more information about what you and your business can do, review the tools listed below and contact your Merchant Services Provider to determine what tools are supported.
Card Not Present Fraud Tools
Card Identification (CID) Verification Tool | Automated Name and Address Verification | Email Verification | Billing Phone Number Verification | Enhanced Authorization | Charge Verification | |
Description | 1. You request the four-digit CID number printed on the card from the cardholder and send it with the authorization request to the Issuer.
2. Issuer compares the CID number provided with that on file for the card and, based on the comparison, returns a match code to you. |
1. You request name and address information from the cardholder at the point of sale, and provide this information electronically during authorization, through your POS terminal. 2. Issuer compares the name and address information you provided with cardholder’s billing records and provides a response code indicating full, partial, or no match. | 1. You request email address from the customer at the point of sale, and provide this information electronically during an authorization.
2. Issuer compares the email address you provided with email addresses on file at American Express and returns a match result. |
1. You request billing phone number from the customer at the point of sale, and provide this information electronically during an Authorization.
2. Issuer compares the phone number you provided with cardholder billing phone number and returns a match result. |
Provides additional data elements in Authorization requests describing the transaction and enabling a more informed Authorization decision. | 1. You may call your Merchant Services Provider for additional verification when an approved order is over $200 and you suspect fraud.
2. Issuer will attempt to contact the cardholder to validate the transaction. |
Purpose | Helps to ensure that the person placing the order actually has the card in his or her possession and is not using a stolen Card Number. | Helps Issuer evaluate cardholder identity by comparing information provided by the cardholder at the point of sale with cardholder billing information not available on the card. | Email Address Verification helps evaluate cardholder identity by comparing information provided by the customer during the check-out process with cardholder information not available on the card. | Billing Phone Number Verification helps evaluate cardholder identity by comparing information provided by the customer during the check-out process with cardholder information not available on the card. | 1. Helps mitigate fraud before a transaction is authorized by analyzing key data elements submitted with authorization requests.
2. Data elements include shipping address, transaction origin, and airline ticket details. |
1. Enables you to obtain additional verification on orders you suspect may be fraudulent.
2. Facilitates sales of goods / services by verifying the transaction directly with the cardholder. |
How to Implement | Contact your Merchant Services Provider | Contact your Merchant Services Provider | Contact your Merchant Services Provider | Contact your Merchant Services Provider | Contact your Merchant Services Provider | Contact your Merchant Services Provider |
Card Present Fraud Tools
Card
Identification (CID) Verification Tool |
Track 1 | Chip | Terminal ID | Code 10 | |
Description | 1. You request the four-digit CID number printed on the card from the cardholder and send it with the authorization request to the Issuer.
2. Issuer compares the CID number provided with that on file for the card and, based on the comparison, returns a match code to you.
|
1. POS terminal captures data encoded in the Track 1 of the Magnetic Stripe and sends it to the Issuer with the Authorization request.
2. Issuer compares information in track to information on file and sends approval decision. |
Chip technology uses an embedded microchip to encrypt card information, making it more difficult for unauthorized users to copy or access the data. Data can only be accessed when the Card is inserted into a chip-enabled terminal. | Captures a numeric identifier uniquely assigned to each POS device and sends it to the issuer with each authorization request. | A special phrase you use to indicate to your Merchant Services Provider that you have suspicions concerning the cardholder, the card, the CID, and / or the circumstances of the sale. |
Purpose | Helps to ensure that the person making the purchase is not using an altered or duplicated card. | Can signal tampering and alteration of the Card’s Magnetic Stripe. | Provides enhanced protection against fraud from lost, stolen, and counterfeit cards. | Helps detect high risk patterns of a particular POS device. | Enables your Merchant Services Provider to speak with an American Express Authorizer on a card present transaction they assess as high risk. |
How to Implement | Contact your Merchant Services Provider | Contact your Merchant Services Provider | Contact your Merchant Services Provider | Contact your Merchant Services Provider | If you suspect card misuse, follow your internal store policies, and, if directed to do so, call your Merchant Services Provider with a Code 10 Authorization Request. Only pick up a Card if directed to do so by your Merchant Services Provider or the Issuer. Never put yourself or your employees in unsafe situations. |
And here are the fraud tools again for those of you who cannot clearly view the tables:
Image source: Wikimedia.