Inside the Black Hole

Mail order and direct order (MO / TO) merchants, just like e-commerce organizations, accept payments in a card-not-present environment. The difference is that, while e-commerce services enable cardholders to enter their account details on the merchant’s website, MO / TO services allow the merchant to complete transactions by entering the cardholder’s account information their customer has provided over the phone or in the mail.

MO / TO merchants must validate the cardholder’s identity and the validity of the transaction, to the best of their ability, and here they have an advantage over their e-commerce counterparts. While e-commerce payments are processed, and must be verified, within seconds, MO / TO merchants have much more time to investigate the provided information. With that in mind, your fraud prevention procedures should include the following actions:

• Obtain an authorization. Avoid using a $1 authorization to verify if the account is in good standing.
• Obtain the card expiration date. Include the expiration date in your authorization request. An invalid or missing expiration date can be an indicator that the person does not have the actual card in hand.
• Obtain the card security code. Card security codes are the three-digit numbers found in the signature panels on the back of Visa (CVV2), MasterCard (CVC 2) and Discover (CID) cards and the four-digit numbers found above and slightly to the right of the account numbers of American Express (CID) cards. Card security codes were introduced as an additional tool to help ensure that the customer is in a physical possession of the card at the time of the transaction.
• Use the Address Verification Service (AVS). AVS verifies the validity of the billing address provided by your customer by comparing it to the one on file with the card issuer.
• Submit the authorization request with the billing address and security code. The authorization response will include the result codes for both.
• Perform transaction screening. Transactions should be screened, either internally or using third-party tools, for questionable transaction data or other potential warning signs indicating “out of pattern” orders. Transactions with suspicious characteristics should be reviewed for fraud.

When you identify a transaction with high-risk characteristics:

• Make a Code 10 call. Code 10 is a voice authorization request that alerts the card issuer to the suspicious activity. The issuer’s voice authorization center representative will ask you a series of questions to determine whether or not the transaction is fraudulent and provide instructions on how to proceed.
• Call your customer. Call your customer at the number they have provided and ask for additional information, e.g., bank name on the front of the card.
• Confirm the order with your customer. Send a confirmation note to your customer’s billing address, not to the shipping address.

Implementing these suggestions into your fraud prevention procedures will help substantially reduce fraud and the number of customer complaints that lead to chargebacks. It is important that, whenever you get to contact a customer for additional details, you are courteous and polite. Do not tell them that you are attempting to verify the validity of a transaction. If the customer refuses to provide additional information, simply state that this is a standard procedure that your business always takes for such types of transactions to protect cardholders from fraud. Always report suspicious activity to your processing bank.

Learn how to lower your card acceptance cost

Learn how to accept credit and debit cards at the lowest processing costs. The Payment Card Acceptance kit contains a video and an e-book:

• Video – Card Acceptance Best Practices for Lowest Processing Costs (18 min).
• E-Book – Payment Card Acceptance Guide (19 pages).

A face-to-face environment provides a much more secure way for accepting card payments than a non-face-to-face setting. As a result, brick-and-mortar businesses typically suffer from less fraud and chargebacks and pay lower transaction fees than e-commerce and direct marketing (MO / TO) merchants. Let’s take a look at the typical characteristics of a face-to-face transaction, what makes it safer and how to keep it that way.

Card-present transactions are those in which both the card and the cardholder are present at the time the payment is processed. Card-present merchants include grocery stores, department stores, fast-food restaurants, movie theaters, etc. Card acceptance settings where cardholders use unattended point-of-sale (POS) terminals, such as gas stations, are also defined as card-present transactions.

Visa and MasterCard require that merchants make all efforts to ensure that all card payments they accept are legitimate. This is in the merchant’s best interest as well, as fraud is costly, damages its reputation and, if unchecked, can lead to the suspension of the merchant account.

All card-present transactions are executed at a POS terminal. Whether you are experienced at the job or are new to it, if you follow a few simple card acceptance procedures, you will be sure to do it right every time a card is presented by a customer. A typical face-to-face card acceptance procedure goes through the following stages:

1. Swipe the card. The first step in the payment acceptance process is swiping the card. Once the card is swiped, you should take it in your possession for the remainder of the transaction.
2. Authorization. Authorizations are required before completing a card-present transaction in the following instances:
   • The transaction amount exceeds your floor limit or the floor limit applicable to the transaction.
   • The card is expired or not yet valid.
   • The card is not signed.
   • You wish to delay presenting the transaction record.
   • The transaction receipt cannot be imprinted although the card is present.
   • The terminal is unable to read the magnetic stripe or the chip (if one is present) on the card.
   • The account number is listed on the Electronic Warning Bulletin or on the regional Warning Notice. If an account is listed in on the Electronic Warning Bulletin or regional Warning Notice, you must call your processor’s voice authorization center. You may be instructed to retain the card, which you should only do if it is safe to do so.
   • The transaction is a recurring payment installment and a previous authorization request was declined by the card issuer.
   • You are suspicious of the transaction for any reason. If the card or the cardholder looks suspicious, you must contact your processor’s voice authorization center and make a Code 10 call.

   
   Listed in the table below are the possible responses to your authorization request and advice on how to proceed when you receive the response:
   
   

   Response	Explanation
   Approved	Issuer approves the transaction. This is the most common response – about 95% of all authorization requests are approved.
   Declined or Card Not Accepted	Issuer does not approve the transaction. The transaction should not be completed. Return the card and instruct the cardholder to call the Issuer for more information on the status of the account.
   Call, Call Center, or Referrals	Issuer needs more information before approving the sale. Most of these transactions are approved, but you should call your authorization center and follow whatever instructions you are given. In most cases, an authorization agent will ask to speak directly with the cardholder or will instruct you to check the cardholder’s identification.
   Pick Up	Issuer wants to recover the card. Do not complete the transaction. Inform the customer that you have been instructed to keep the card, and ask for an alternative form of payment. If you feel uncomfortable, simply return the card to the cardholder.
   No Match	The embossed account number on the front of the card does not match the account number encoded on the magnetic stripe. Swipe the card again and re-key the last four digits at the prompt. If a “No Match” response appears again, it means the card is counterfeit. If it can be done safely, keep the card in your possession, and make a Code 10 call.

   
   

3. Examine the card. While waiting for the authorization result, check the card’s security features to make sure it is authentic. Make sure that the card account, the expiration date and the card security code not been altered or tampered with and that the back of the card is signed.
4. Customer signature. If the transaction is authorized, you should obtain the cardholder’s signature on the printed sales receipt. If the signature is missing, you may lose re-presentment rights if the transaction is charged back.
5. Compare signatures. Compare the signature provided by the customer to the one on the back of the card and make sure they match. Also compare the account name and number printed on the receipt to the ones on the card.
6. Return the card and receipt to your customer. If you are satisfied that the transaction is legitimate, return the receipt and the card to the cardholder, along with the purchased merchandise to complete the transaction.
7. Make a Code 10 call. If you believe that a fraudulent activity is taking place, make a Code 10 call to your processor’s authorization center for instructions on how to proceed.

Accept card payments quickly and safely

Accept credit and debit card payments at the lowest processing costs. You will get:

• Free merchant account set-up.
• No fixed monthly fees.
• 24 / 7 customer support.

Merchants are responsible for ensuring the validity of each payment card that is presented for payment. Visa and MasterCard require that, for all card transactions, except for mail orders, telephone orders, non-face-to-face unique transactions, e-commerce transactions, and pre-authorized orders, the card must be presented to the merchant.

If you follow a few simple card acceptance procedures every time a card is presented to you, you will greatly minimize the probability of fraud:

• Swipe the card and request transaction authorization. Hold the card through the entire transaction. Do not complete the transaction unless you obtain authorization from the card issuer.
• Verify the account number. Most point-of-sale (POS) terminals today allow merchants to verify that the card number that is printed on the face of the card matches the account number that is encoded on the card’s magnetic stripe. The verification procedure varies by terminal type. In some cases, the magnetic stripe number is displayed on the terminal or printed on the sales receipt, while in others the terminal may be programmed to check the numbers electronically. In the latter case, you will be prompted to enter the last four digits of the embossed account number, which will then be compared to the last four digits of the magnetic stripe number. Similarly, if the account number is printed on the receipt, only the last four digits will be visible. If the numbers don’t match, you will receive a “No Match” message. In such instances, you should make a Code 10 call.
• Check the card’s expiration date on the face of the card. You should only accept a card that is not expired or you should request an alternative payment method from the customer.
• Check the Electronic Warning Bulletin or International Warning Notices. If the account number is listed, do not complete the transaction without obtaining an authorization from the issuer.
• Compare the four-digit truncated account number imprinted in the signature panel on the back of the card with the last four digits of the account number on the face of the card. These numbers should match. A non-match is a strong indicator of fraud and the card should not be accepted.
• If a photograph of the cardholder is present on the card, compare the photograph on the card with the person presenting the card.
• Check that the card is signed. The card is not valid unless it is signed. See below for procedures regarding unsigned cards.
• For unique transactions processed in a card-present environment, request personal identification of the cardholder in the form of an unexpired, official government document. Unique transactions include transactions at Cardholder-Activated Terminals (CATs), which are usually unattended terminals that accept credit and debit cards. These terminals are frequently installed at rail stations, gas stations, toll roads, parking garages, and other card locations. However, for unique transactions processed in a card-present setting, such as In-Flight Commerce (IFC) terminals, you should compare the signature on the personal identification with the signature on the card. If the signatures do not match, you should make a Code 10 call.

If the card is not signed, the merchant must complete the following steps:

• Obtain an authorization from the card issuer.
• Ask the cardholder to provide identification.
• Require the cardholder to sign the card.

The merchant must not complete the transaction if the cardholder refuses to sign the card.

If any of the card security features is missing or it looks as if it has been altered, you should keep the card in your possession and make a Code 10 call to your voice authorization center. You may be instructed to retain the card or simply to return it to your customer and decline the transaction.

Accept card payments quickly and safely

Accept credit and debit card payments at the lowest processing costs. You will get:

• Free merchant account set-up.
• No fixed monthly fees.
• 24 / 7 customer support.

Both Visa and MasterCard offer merchants, accepting payments in a face-to-face environment, an additional procedure for verifying the validity of a suspicious transaction and even have the same name for it, which is quite unusual – Code 10. Code 10 is an authorization request that alerts the card issuer to the suspicious activity – without alerting the customer. Merchants are encouraged to make a Code 10 call to their processor’s authorization center whenever they suspect that a customer is attempting to commit a fraud at the point of sale. There are two general causes for suspicion:

• The card looks as if it has been altered in some way. Merchants operating in a card-present setting are responsible for ensuring that the card used for payment is a genuine card. The card’s security features should be examined to ensure that they have not been tampered with. Representatives at the point of sale (POS) should be adequately trained to be able to perform such examinations.
• The customer is behaving in a suspicious manner. If the customer is attempting to rush you into completing the transaction or otherwise acting in an unusual manner, this may be a sufficient reason to make a Code 10 call. It is important to remember, however, that there may be a perfectly legitimate reason for the customer’s behavior.

If you believe that there is enough evidence to suspect that fraudulent activity may be taking place, you should make a “Code 10″ call and request a voice authorization for the transaction at issue from your payment processor. You will be transferred to the card issuer’s special operator who will provide instructions on any necessary action.

Processing a “Code 10″ transaction authorization is fairly straightforward. It is important that you remain calm when calling your processor’s voice authorization center and follow these simple steps:

• Keep the card in your possession and dial your processor’s voice authorization center.
• Calmly state to the representative who picks up the call “I have a Code 10 authorization request.” At this point you may be asked for some transaction details and then the call will be routed to the card issuer.
• Answer the card issuer operator’s questions with a simple yes or no. The card issuer’s representative will then determine whether or not the transaction is fraudulent and provide instructions on how to proceed.
• Follow the card issuer representative’s instructions.
• If the operator asks you to retain the card, you should only do it if it is safe to do so. Otherwise the transaction should be completed and further action should be taken after the customer leaves the store. You should never confront or try to apprehend the customer.

In cases when a suspicious transaction is completed, placing a Code 10 call after the customer has left the store is very important. Even though fraud may already have been committed, making the call at that time will prevent the same fraud from taking place elsewhere or even in the same store in the future.

Learn how to minimize chargebacks and fraud

Learn how to minimize chargebacks and reduce your processing costs. The Chargeback Management kit contains a video and an e-book:

• E-Book – Chargeback Manual (40 pages).
• Video – Card Acceptance Best Practices for Lowest Processing Costs (18 min).