Tuesday, January 10th, 2012

How to Authenticate Cardholders in 4 Quick Steps

Tags: best practices, card-present transactions, fraud prevention

Once you or your customer has swiped her card through your point-of-sale (POS) terminal, industry rules require you to ensure that she is an authorized user of the account. It is also of course in your own best interest to do so, as any unauthorized transaction will almost certainly end up being charged back to you.


The first step in the verification process is requesting an authorization approval from the card issuer, without which you should not complete the transaction. Obtaining one, however, does not guarantee that the transaction is legitimate. An authorization approval merely confirms that there are sufficient funds available and that the card has not been reported as lost or stolen. At this point you need to confirm that your customer is authorized to use the card. Here is how to do that.

4 Steps to Authenticating Cardholders


Once you’ve obtained an authorization approval, go through the following four steps:

  1. Make sure the card is genuine and has not been tampered with. Inspect the card’s security features for any signs that they may have been altered. Make sure that the account number is clear and all digits are uniform in size and spacing and appear on one line. We’ve written detailed, step-by-step articles on validating the cards of each major brand and you can read, for example, the one for MasterCard for guidance.
  2. Match the account number on the card to the one on the receipt. Your POS terminal should automatically print out a sales receipt, which will display only the last four digits of the account number. Make sure that they match the last four digits of the number on the card itself.
  3. Match the signature on the back of the card to the one on the receipt. Unless the transaction is PIN-based, the sales receipt will feature a signature line that your customer must sign (alternatively, the signature may be made on the terminal’s display). The first initial and spelling of the last name must match, but the name on the card and the signature do not need to be identical. Take a look at our detailed guide on verifying signatures for more information.
  4. Do not accept unsigned cards. Unsigned cards are considered invalid and should not be accepted. If your customer presents an unsigned card, the following procedures should be followed:
    • Request an ID. Ask your customer for some form of government-issued identification, e.g. a driver’s license or passport.
    • Obtain a signature. Ask your customer to sign the card and if she refuses, do not proceed with the transaction, but ask for another form of payment.
    • Compare the signature on the card to the one on the ID. Needless to say, they need to match. If they do not, or you have other reasons to believe that your customer is not the authorized user of the card, make a Code 10 call.


    Some cardholders have been led to believe that writing “See ID,” “Ask for ID” or something to that effect in the signature panel of their cards, rather than actually signing them, protects them against fraud. The reasoning behind it is that, having not seen the signature, the criminal would not be able to forge it. In reality, criminals rarely practice signatures, but count on the merchant not to look at the back of the card. In any case, such cards are considered invalid, and the above procedures for unsigned cards need to be followed.



The Takeaway


If you go through these verification steps every time you accept a card for payment, you will all but eliminate the possibility of processing unauthorized transactions. There is no excuse for not doing it. It takes seconds to go through the authentication process and you will get faster as you gain experience. The alternative is equivalent to accommodating fraud. And you will be paying for it.


Image credit: Modern Business Therorie.

Learn how to lower your card acceptance cost


Learn how to accept credit and debit cards at the lowest processing costs. The Payment Card Acceptance Kit contains a video and an e-book:


  • Video – Card Acceptance Best Practices for Lowest Processing Costs (18 min).
  • E-Book – Payment Card Acceptance Guide (19 pages).


Payment Card Acceptance Kit

Monday, January 9th, 2012

Should We All Ditch Our Credit Cards and Opt for Cash Instead?

Tags: fraud prevention

NYT’s James Warren grabs our attention from the very beginning of his piece on an identity theft case that resulted in the convictions and prison sentences of the perpetrators (the ring leader received quite a lengthy one). “You would ditch your credit cards and just carry cash if you knew the tale of” the criminals, he warns us.


Well, I did read the tale and it is indeed a scary one. The criminals stole credit card information from the “clientele books” of several high-end stores, which they then used to place orders on these retailers’ websites. The merchandise was then kept for personal use, sold or returned for cash or store credit, Warren tells us. Here I have to say that, if the report is correct, by issuing cash credit for returns of merchandise purchased with credit cards, the stores have been in clear violation of payment card industry rules. Credits should have been issued to the same cards that were used in the sales transactions.


So I did get scared by the story, but I also do love my credit cards. They give me cash-back, while relieving me of the necessity of having to carry cash and to fill my pockets with coins. So I’m quite reluctant to throw them away. Is there really nothing that can be done to protect ourselves against identity thieves? Well, there is actually quite a bit that we can do, as evidenced by the long list that follows. We really shouldn’t allow criminals to scare us into making decisions we wouldn’t make of our own free will.

14 Tips for Protecting Your Credit Card Information


1. Never share your personal information over the phone. You should also avoid, when possible, mailing out forms containing personal information, as they can be easily intercepted. Use SSL-secured websites instead.


2. Examine all of your credit card and other financial statements for any unusual activity. If you see an item that you don’t recognize, contact your bank for more information.


3. Shred your credit card statements before throwing them out. Better yet, sign up for online statements.


4. Carry no more than two credit cards. If you own more than two credit cards, there is no reason to carry all of them on your person at any given time. Most of us have one primary card and another one can be used as a back-up.


5. Never carry your social security card on your person. There is absolutely no reason for doing that.


6. Only share your SSN when required by law or when absolutely necessary. An example of necessary sharing of your SSN would be to prove your identity when calling your card issuer. However, you should never reveal it to someone who is calling you, whoever they claim to be.


7. Be creative with your personal identification numbers (PINs) and passwords. Do not make it easy for the criminals to guess them.


8. Do not carry your PINs and passwords on your person. You should memorize them instead.


9. Do not throw credit card and ATM receipts in a public trash container. At the very least, you should tear the receipt into pieces before throwing it away.


10. Keep an eye out for the new card you are expecting. Make a note to yourself about when the card you were approved for should arrive. If it is late, contact the issuer.


11. Do not use your card if you suspect that the merchant cannot be trusted to protect your information. It can be difficult to know how trustworthy a retailer is, but use your common sense. If it tells you to be careful, use cash.


12. Do not use your card on e-commerce websites that are not SSL-protected. You should never make an online payment unless the checkout pages are SSL-protected, i.e. the URL starts with “https,” not with just “http.”


13. Contact your card issuer immediately if your card is lost or stolen. If you don’t have their phone number saved in your phone, you will be able to quickly find it online. Even if you don’t have your card number available, the issuer’s representative will be able to locate it.


14. Do not give your personal information to anyone who asks for donations. Nor should you make a donation in response to a phone call. Instead, you should make your donations directly to organizations you know and trust. If unsure, check the non-profit’s Better Business Bureau profile.

The Takeaway


Now, I know that many more items can be added to this list, but the most important thing you should get out of it is the need to be vigilant when handling your cards. It is true that there is not much you can do to protect the credit card information that is stored in a retailer’s system. However, if you follow my advice, you will be able to quickly identify any unauthorized use of your card and alert your issuer. The transaction will be immediately reversed, you will be issued a new card, the old one will no longer be valid and that will be the end of it. You will not suffer any financial loss, nor will your credit history be damaged in any way.


So I, for one, refuse to be scared into ditching my credit cards and choose to keep using them and be rewarded for it.


Image credit: Affordable-Payday-Loan.info.


Wednesday, December 28th, 2011

How to Screen Fraudulent Small-Ticket E-Commerce Transactions

Tags: e-commerce, e-commerce best practices, e-commerce risk, fraud prevention

When it comes to fraud prevention, the size of your average sale amount is of huge importance. In effect, it sets a limit on the amount you can spend on verifying each transaction’s validity, which places small-ticket merchants at a disadvantage, while the opposite is true for their big-ticket counterparts. Not to mention that it is often physically impossible for merchants selling small-ticket items to scrutinize each transaction, even if it were financially justifiable.


On the other hand, the good news for small-ticket merchants is that they can absorb much more easily a number of fraudulent transactions that would be totally unacceptable (possibly ruinous) to a seller of large-ticket items. It is a numbers game for both merchant types and you need to know how to play it.

Why Fraud Is Hard to Combat


In theory, e-commerce merchants can prevent just about all fraudulent credit card transactions from being processed. Online shopping has been around long enough to have allowed for solid fraud prevention tools and best practices to be developed that could, if applied consistently, shut down the vast majority, if not all, of fraudulent transactions. And yet, fraud stubbornly persists and even thrives. Yes, criminals are hard at work at devising ever more sophisticated strategies of their own, but their ingenuity can take us only so far towards explaining why fraud is so hard to combat.


Part of the reason for the failure to eradicate fraud is that many merchants are either inexperienced or do not allocate enough resources for fraud prevention. But even well-funded e-commerce businesses that take the issue seriously and have equipped their well-trained fraud prevention staff with the latest tools find it hard to achieve a total victory over the criminals.


For a big-ticket merchant, anything less than a complete shutdown of fraud may well be unacceptable, but that is not the case for small-ticket ones. It’s a numbers game in both cases, but the lower your average sale’s amount is, the greater the number of fraudulent transactions you can live with. With that in mind, if you sell inexpensive merchandise, your goal should not be to eradicate, but to control fraud. Achieving total victory, even if it were possible, could turn out to be unaffordable.

How to Screen Small-Ticket Transactions


When devising your fraud screening procedures, you should account for the fact that it is not cost-effective to review each and every one of your transactions. Your system should identify and set aside for review only those transactions whose potential fraud loss exceeds the cost of a manual examination. In particular, consider the following factors:

  • Dollar amount of the sale. Set a lower limit on transactions for manual reviews.
  • Cardholder relationship. You would not want to review orders placed by returning customers.
  • AVS result. You should not be reviewing transactions for which you received a negative AVS result. These should be rejected.
  • Card security code. As with the AVS, you should put a stop to transactions for which the security code provided by the cardholder did not match the one on file with the issuer.
  • Cardholder authentication result. If it makes financial sense to participate in Verified by Visa and MasterCard SecureCode, these two services will be doing some of the screening for you.


Once you have applied these fraud screening procedures, you can proceed to manually review the transactions that have survived the culling process or, again if it makes financial sense, you can run them through a third party fraud scoring service to further narrow the field.
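The screening order described above can be written down as a small triage routine. This is an added example, not code from the original post: the field names, the rule that an authenticated cardholder skips manual review, and the review-cost and fraud-rate figures used to derive the dollar floor are all assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    REJECT = "reject"   # stop the transaction
    ACCEPT = "accept"   # process without manual review
    REVIEW = "review"   # queue for manual review or a scoring service


@dataclass(frozen=True)
class Order:
    order_id: str
    amount: float                # sale amount in dollars
    returning_customer: bool     # existing cardholder relationship
    avs_match: bool              # issuer confirmed the billing address
    cvv_match: bool              # security code matched the issuer's record
    authenticated: bool = False  # Verified by Visa / SecureCode succeeded


def review_floor(review_cost, fraud_rate):
    """Sale amount at which the expected loss (amount * fraud_rate) equals
    the cost of one manual review. Both inputs are assumed business figures."""
    if not 0 < fraud_rate <= 1:
        raise ValueError("fraud_rate must be in (0, 1]")
    return review_cost / fraud_rate


def screen(order, floor):
    """Return (Decision, reason). Hard failures are tested first, so a
    returning-customer flag can never rescue a failed AVS or security code."""
    if not order.avs_match:
        return Decision.REJECT, "negative AVS result"
    if not order.cvv_match:
        return Decision.REJECT, "card security code mismatch"
    if order.returning_customer:
        return Decision.ACCEPT, "returning customer"
    if order.authenticated:  # assumption: authentication replaces manual review
        return Decision.ACCEPT, "cardholder authenticated"
    if order.amount < floor:
        return Decision.ACCEPT, "below review floor"
    return Decision.REVIEW, "new customer at or above review floor"


def triage(orders, floor):
    """Group order ids by decision so only the REVIEW bucket reaches staff."""
    buckets = {d: [] for d in Decision}
    for order in orders:
        decision, _reason = screen(order, floor)
        buckets[decision].append(order.order_id)
    return buckets


# Constructed sample orders (not real data).
SAMPLE_ORDERS = [
    Order("A1", 12.99, False, True, True),
    Order("A2", 480.00, False, True, True),
    Order("A3", 480.00, False, False, True),
    Order("A4", 25.00, True, True, False),
    Order("A5", 900.00, True, True, True),
    Order("A6", 300.00, False, True, True, authenticated=True),
]

if __name__ == "__main__":
    floor = review_floor(review_cost=3.00, fraud_rate=0.02)
    for decision, ids in triage(SAMPLE_ORDERS, floor).items():
        print(f"{decision.value:>6}: {ids}")
```

Only order A2 lands in the review queue here; raising the assumed review cost or lowering the assumed fraud rate pushes the floor up and shrinks that queue further.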

The Takeaway


The victory over e-commerce fraud comes at a cost and the point of implementing fraud screening procedures is to ensure that we don’t spend more trying to prevent it than what makes sense. That means that we have to learn to live with risk and to accept fraud losses as a cost of doing business. Again, it is a numbers game and what counts is winning the war, not each individual battle. Moreover, if you process thousands of small-ticket transactions, individual losses don’t really matter all that much.


Image credit: Serglo.


Tuesday, October 11th, 2011

8 Risk Management Services to Help You Fight Fraud

Tags: fraud prevention, risk management, Visa

There is a wide range of risk management services that merchants and processors can choose from and build into their fraud prevention strategies. Some are free, while others are paid. Some can be used in any type of credit card acceptance setting, while others are specifically designed for card-not-present or face-to-face environments.


In this article I will review eight risk management services developed by Visa to help your business and payment processor detect and prevent fraud.

Fraud Detection Services


1. Falcon Fraud Manager – a customizable platform that performs fraud scoring to capture relationships and patterns and detect and stop potentially fraudulent activity. The primary system components are:

  • Falcon Debit – calculates a fraud score for each transaction based on individual cardholder and transaction data. If the score indicates a high probability of fraud, the transaction can be sent to a fraud analyst for review or be blocked. The fraud score can also be used for making real-time authorization decisions.
  • Falcon Expert – enables users to define rules to automate fraud prevention procedures by allowing the use of other relevant transaction information, in addition to the fraud score.


2. Flash fraud rules – provide a parameter-based set of rules to help identify and block suspect transactions falling into pre-determined risk categories. The following data fields can be used to block suspicious transactions:

  • Merchant country code.
  • Merchant category code.
  • Merchant ZIP code.
  • Acquiring network ID.
  • Personal account number (PAN) entry mode.
  • Transaction amount range.
  • CVV checked indicator.
  • CVV result.
  • BIN.
  • Prior Falcon score.
  • Visa Advanced Authorization Risk Score or Risk Condition Code.



Authorization Services


3. Authorization edit checks – can be set at the financial institution, card group, or individual cardholder level. Users can set limits separately for cash and point-of-sale (POS) activity, and timeframes can be set for single- or multiple-day periods. Authorization edit checks include:

  • Daily spending limits – monitor amount spent and cash back.
  • Velocity checks – monitor the frequency of card use.
  • Expiration date checks – verify whether the card is expired and check for an exact expiration date match.
  • Name match – limits the risk of counterfeit cards by comparing the Track 1 names on incoming authorizations to names on file.
  • PIN validation – matches entered PIN to the PIN on file (for ATM and select POS transactions).
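A sketch of how daily spending limits, velocity checks and expiration date checks combine on one authorization stream, with cash and POS activity tracked separately. This is an added example, not Visa's implementation: the class, the limit values, the opaque `card_ref` token and the rule that a card stays valid through its expiry month are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Limits:
    max_amount: float     # spending limit over the window, in dollars
    max_count: int        # velocity limit: card uses allowed over the window
    window_days: int = 1  # single- or multiple-day period


class EditChecker:
    def __init__(self, limits):
        self.limits = limits              # {"pos": Limits, "cash": Limits}
        self.history = defaultdict(list)  # (card_ref, kind) -> [(time, amount)]

    def check(self, card_ref, kind, amount, when, expiry_on_file, expiry_presented):
        """Return the names of the failed checks; an empty list means approve.
        card_ref is an opaque token, never the account number itself."""
        lim = self.limits[kind]
        cutoff = when - timedelta(days=lim.window_days)
        recent = [(t, a) for t, a in self.history[(card_ref, kind)] if t > cutoff]
        failures = []
        if expiry_presented != expiry_on_file:        # exact (year, month) match
            failures.append("expiry_mismatch")
        if (when.year, when.month) > expiry_on_file:  # assumed valid through expiry month
            failures.append("expired")
        if len(recent) + 1 > lim.max_count:
            failures.append("velocity")
        if sum(a for _, a in recent) + amount > lim.max_amount:
            failures.append("spending_limit")
        if not failures:
            recent.append((when, amount))             # only approvals count toward limits
        self.history[(card_ref, kind)] = recent       # also prunes entries outside the window
        return failures


def run_demo():
    """Replay a constructed authorization stream and return each result."""
    checker = EditChecker({"pos": Limits(500.0, 3), "cash": Limits(200.0, 2)})
    t0, exp = datetime(2012, 1, 10, 9, 0), (2012, 6)
    h, two_days = timedelta(hours=1), timedelta(days=2)
    stream = [
        ("pos", 100.0, t0, exp),
        ("pos", 150.0, t0 + h, exp),
        ("pos", 300.0, t0 + 2 * h, exp),               # would total 550 > 500
        ("pos", 50.0, t0 + 3 * h, exp),                # third approved use
        ("pos", 10.0, t0 + 4 * h, exp),                # fourth use inside one day
        ("cash", 100.0, t0 + 4 * h, exp),              # cash is tracked separately
        ("pos", 10.0, t0 + two_days, exp),             # window has rolled over
        ("pos", 10.0, t0 + two_days + h, (2012, 7)),   # wrong expiry presented
        ("pos", 10.0, datetime(2012, 7, 1, 9, 0), exp),  # card is now expired
    ]
    return [checker.check("card-A", k, a, w, exp, e) for k, a, w, e in stream]


if __name__ == "__main__":
    for i, result in enumerate(run_demo(), 1):
        print(i, result or "approve")
```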


4. Visa fraud protection services. The following programs verify additional information in the authorization message:

  • Cardholder Verification Value (CVV) – verifies a unique three-digit code on the magnetic stripe of all Visa cards to detect counterfeit cards.
  • Cardholder Verification Value 2 (CVV2) – validates a unique three-digit number, printed on the back side of the card, to limit fraudulent card-not-present transactions.
  • Dynamic Cardholder Verification Value (dCVV) – verifies a dynamic three-digit value provided by the chip on a contactless card to detect fraud.
  • Address Verification Service (AVS) – enables merchants to validate a cardholder’s billing address by matching it to the one on file with the issuer.


5. Verified by Visa (VbV) – used to authenticate a cardholder’s identity by asking them to enter a password during the authorization process of an online Visa transaction.


6. Visa Advanced Authorization – a risk evaluation system that provides risk information for all authorizations initiated with a U.S.-issued Visa card. Visa has developed fraud rules to stop activity based on pre-defined Visa Advanced Authorization scores. Risk information is provided in the form of:

  • Risk scores – indicate the probability that an authorization is fraudulent.
  • Risk condition codes – provide information for compromised accounts or ones associated with an account-generation scheme, as identified across the Visa payments system.


7. Stand-in processing – Visa authorizes transactions when the issuer’s host system is unavailable or when the issuer has chosen Visa to process certain transactions on their behalf.


8. Suspect activity reporting – helps identify excessive or abnormal cardholder activity levels. Reports can be configured to monitor transaction counts and dollar limits.

The Takeaway


Not all of the above services are designed to be implemented on a merchant level. Perhaps you don’t really need to be all that familiar with some of them. Yet, it doesn’t hurt to know what’s being done to fight fraud, especially if you are operating in a high-risk industry. Educating yourself on risk management is the surest way to improve your business’ fraud prevention capabilities.




Thursday, October 6th, 2011

7 Steps to Preventing MasterCard Fraud

Tags: fraud prevention, MasterCard

Fraud is generally a lesser concern for merchants accepting credit cards in a face-to-face setting than it is for their mail order, telephone order, and e-commerce counterparts. The presence of the card during a transaction allows merchants to physically inspect it and verify its validity. The same can and should be done to authenticate the cardholder when in doubt.


In this post I will offer a seven-step process for preventing fraud in face-to-face MasterCard transactions.

7 Steps to Preventing MasterCard Fraud


Every time a customer presents a MasterCard card for payment, you should go through the following checklist:

  1. Check the card number. All MasterCard account numbers are located on the front of the card and begin with the number “5.” If the account number is embossed (raised), the numbers should be clear and uniform in size and spacing and extend into the hologram (if placed on the face of the card). The last four digits of the account number on the face of the card should be identical with the four digits printed on the signature panel on the back of the card.
  2. Examine the hologram. The three-dimensional MasterCard hologram with interlocking globes should reflect light and appear to move when the card is rotated. It is typically located on the front of the card, either above or below the logo. However, on some new card designs, the hologram may be placed on the back of the card or integrated into the magnetic stripe.
  3. Compare signatures. The signature panel on the back of the card must be signed and the signature should match the one on the transaction receipt. Inspect the panel to ensure that it has not been erased or altered in any other way. If you see the word “Void” there, that is an indication that the signature panel has been tampered with.
  4. Inspect the magnetic stripe. The mag-stripe on the back of the card should appear smooth and straight, with no signs of tampering.
  5. Stay up-to-date on new card designs. Since 2009 MasterCard member banks have been issuing unembossed cards, in addition to embossed ones. Unembossed cards look and feel different – they have a flat surface, with no raised (embossed) numbers – so a manual imprint cannot be taken. You can only accept such cards with a point-of-sale (POS) terminal.
  6. Check the expiration date. You can only accept cards before the last day of their “valid through” date.
  7. Ensure that your customer is an authorized user of the card. If it appears that the signatures don’t match or your customer behaves in a suspicious or unusual manner, you should verify that he or she is an authorized user of the card, before completing the transaction.


If at any point you become suspicious either about the card or your customer, you should make a Code 10 call to your processor’s authorization center. You will then be transferred to the card’s issuer and instructed how to proceed with the transaction.

The Takeaway


Accepting cards face-to-face should be a safe and straightforward process. Going through the above checklist should take a trained person a few seconds, which is about the time it takes to receive a response to your authorization request. Do it every time and you will have no fraud-related issues to deal with.


