Credit Card Processing Best Practices
Card-present transactions are those in which both the card and cardholder are present at the point
of sale. Merchants are required to take all reasonable steps to assure that the card, cardholder,
and transaction are legitimate.
Swiping the Card
Always swipe credit cards when they are present. The magnetic stripe on the back contains the
following information, which is sent electronically to the credit card issuer:
• Cardholder name
• Card account number
• Expiration date
• Sensitive authentication data
• Security information designed to detect counterfeit cards
Do not double swipe a customer’s card. Some merchants swipe the card once in the electronic
funds transfer terminal and then in the point of sale system. However, some cashiers might swipe
the card through another device, so it can be fraudulently duplicated (skimming). Cardholders
should not get in the habit of allowing merchants to double swipe their credit card.
Page 1 of 12
Verifying the Account Number
Most point-of-sale (POS) terminals allow merchants to verify the embossed account number on
the front of the card matches the account number in the magnetic stripe in one of the following
• Magnetic stripe number appears on terminal and cashier compares to card number,
• Last four digits of magnetic stripe number appears on receipt and cashier compares to last
four digits on card, or
• Cashier is prompted to enter the last four digits of the card number into the terminal and
the terminal compares it with the last four digits in magnetic stripe. “No Match” message
appears if they don’t match.
If the magnetic stripe does not match the card number on the front, make a Code 10 call.
When Cards Won’t Read When Swiped
Usually means one of three things:
• The terminal’s magnetic-stripe reader is not working properly,
• The card is not being swiped through the reader correctly, or
• The magnetic stripe on the card has been damaged or demagnetized.
Merchants should take the following steps:
• Check the terminal to make sure it is working and that you are swiping the card correctly.
• If the terminal is okay, check the card’s security features to make sure it is not counterfeit
(see Credit Card Security Features below).
• If the problem appears to be the magnetic stripe, follow merchant procedures, which may
□ Key-enter transaction data for authorization or
□ Call voice-authorization center
• For key-entered or voice-authorization transactions, make an imprint of the front of the
card, which protects the merchant from chargebacks by the credit card issuer if the
transaction turns out to be fraudulent. The imprint can be on the terminal sales receipt or
a separate manual sales receipt. Either way, it should be signed by the customer.
Page 2 of 12
Key-entered and voice-authorization transactions are associated with higher fraud and
chargeback rates because the Card Verification Value 2 (CVV2) and expiration date information
from the magnetic stripe are not available.
Minimizing Key-Entered Transactions
Pinpoint areas of high key-entry rates:
• Calculate the percentage of key-entered transactions once a month to pinpoint terminals
or sales associates with high rates (exclude key-entered telephone and mail order
transactions from the calculation below)
Key-entered transactions / Total transactions = % of key-entered transactions
• If the percentage of key-entered transactions is greater than 1%, investigate to find out
Frequent causes and solutions for key-entered transactions are listed below.
Verifying Credit Card Security Features during Transaction Processing
Sales staff should keep the card in their possession during transaction processing and check the
following items to verify the credit card is valid:
Front of Card
Page 3 of 12
• Check the account number for evenness and clarity. On valid cards, the numbers will be
even and straight. On altered cards, they may have fuzzy edges or you might see “ghost
images” of the original numbers.
• Check the “Good thru” or Valid thru” date. If the transaction date is after the “Good thru”
date, call the authorization center to verify the card is still valid.
o The small, printed four digit number should match the first four digits of the
embossed account number, which should begin with a “4.”
o The dove hologram should appear to “fly” when the card is tilted back and forth.
Beginning in January 2006, new Visa cards will have a dove hologram on the
o The interlocking globes hologram should appear to move when the card is tilted.
o The account number should start with a “5.”
Back of Card
• Verify the signature panel is signed and check for signs of tampering (e.g., correction
fluid, white tape, ghost images).
• Verify the card contains a three digit Card Verification Value (CVV2), which is used
primarily for card-not-present transactions.
• Verify the magnetic stripe is smooth and straight and does not show signs of tampering.
Page 4 of 12
Dealing with Unsigned Cards
If the signature panel is left blank...
• Request a signature. Ask the cardholder to sign the card and provide current government
identification, such as a driver's license or passport.
• Check the signature. Be sure that the cardholder signature on the transaction receipt
matches the one on the card and the additional identification.
• Complete the transaction. If the signatures appear reasonably the same and the
authorization request is approved, continue the transaction. If the cardholder refuses to
sign the card, do not accept the card.
If the card has a “See ID” in place of a signature…
• Request a signature. Ask the cardholder to sign the card and provide current government
identification, such as a driver's license or passport.
• Check the signature. Be sure that the signature on the card matches the one on the
transaction receipt and the additional identification.
If any of the security features are missing or looks altered, keep the card in your possession and
calmly make a Code 10 call to the authorization center.
Page 5 of 12
The authorization process allows the card issuer to approve or decline a transaction. The sales
associate will receive one of the following messages or one that is similarly worded.
Approved Card issuer approves the transaction. Approval indicates that funds
are available and the card has not been reported as lost or stolen,
but is not proof that the customer is the cardholder or the card is
the valid credit card.
Declined or Card Not Card issuer does not approve the transaction. Do not complete the
Accepted transaction. Return the card and ask the cardholder to call the card
issuer for more information on the status of the account.
Call, Call Center, or Card issuer needs more information before approving the sale.
Referrals Call your authorization center and follow whatever instructions
you are given. In most cases, the authorization agent will ask to
speak to the cardholder or will instruct you to check the
Pick Up Card issuer wants to recover the card. Do not complete the
transaction. Inform the cardholder that you have been instructed to
keep the card, and ask for an alternative form of payment. If you
feel uncomfortable, simply return the card to the cardholder.
No Match The embossed number on the front of the card does not match the
number encoded in the magnetic stripe. Swipe the card again and
re-key the last four digits at the prompt. If “No Match” appears
again, the card is probably counterfeit. If you can do so safely,
keep the card and make a Code 10 call.
When a transaction is approved, the POS terminal automatically prints a sales receipt. When a
negative or alert message is received, the response is delayed on the POS terminal, and no sales
receipt is printed. Whatever the message, you should continue to treat the customer courteously
so as not to arouse alarm or suspicion.
Zero-Percent Tip Authorization
Merchants should not add estimated tips to the transaction amount. Restaurants and other
merchants that normally receive tips should take the following steps:
• Instruct staff to authorize only for the check amount.
• Ensure your authorization system is setup for zero-percent authorization.
Restaurant authorizations are automatically valid for the transaction amount plus 20% to protect
merchants from chargeback liability for an incorrect or disputed transaction amount.
Page 6 of 12
Split Sales and Split-Tender Transactions
Split sales are prohibited. A merchant may not split the cost of a single transaction between two
or more sales receipts using a single cardholder account to avoid transaction limits.
Split-tender transactions are okay, if the merchant allows them. A customer may pay part of the
transaction with a credit card and the rest with cash or another credit card, if the merchant’s
policies allow it.
Signature and Identification
The sales associate should take the following steps to complete the transaction after receiving
authorization from the card issuer:
• Match the name and last four digits of the account number on the card to those printed on
• Match the signature on the back of the card to the signature on the receipt. The first initial
and spelling of the surname must match. Embossed name and signature do not need to be
• For suspicious or non-matching signatures, make a Code 10 call and ask for further
If the transaction is accepted with a non-matching signature and it turns out to be fraudulent,
your business may be liable, even if all other procedures were followed.
Though peculiar behavior does not automatically indicate criminal activity, merchants should be
aware of it and use common sense to determine whether to make a Code 10 call to report it.
Examples of suspicious behavior include:
• Purchasing large amounts of merchandise with seemingly no concern for size, style,
color, or price.
• Asking no questions or refusing free delivery on large items or high-dollar purchases.
• Trying to distract or rush sales associates during a transaction.
• Making purchases, leaving the store, and then returning to make more purchases.
• Making purchases either right when the store opens or just before it closes.
Page 7 of 12
Skimming is a fraud scam in which a cardholder’s account information is electronically copied,
or “skimmed,” off the card’s magnetic stripe, often in the process of an otherwise valid
transaction. The skimmed information is used to produce counterfeit payment cards that are, in
turn, used for fraudulent transactions.
Skimming often occurs in card-present environments, such as restaurants and service stations,
where transaction processing may occur out of sight of the cardholder. To skim a card, fraudsters
typically use a small portable device that may not be bigger than a pager. They swipe the card
through the device to copy the magnetic stripe.
To prevent skimming, you should be on the lookout for:
• Anyone operating an electronic device not normally used in your day-to-day business
• Anyone offering you money to record account information.
If you suspect skimming activity, notify the campus police immediately.
Code 10 Calls
You should make a Code 10 call to your voice authorization center whenever you are suspicious
about a card, cardholder, or transaction. To make a Code 10 call:
• Keep the card in your possession during the call.
• Call your voice authorization center, and say, “I have a Code 10 authorization request.”
• The call may first be routed to a representative at your merchant bank who may need to
ask you for some merchant or transaction details. You will then be transferred to the card
issuer and connected to a special operator who will ask you a series of questions that can
be answered with a simple yes or no.
• When connected to the special operator, answer all questions calmly and in a normal tone
of voice. Your answers will be used to determine whether the card is valid.
• Follow all operator instructions.
• If the operator tells you to pick up the card, do so only if recovery is possible by
reasonable and peaceful means.
If you don’t feel comfortable making a Code 10 call while the customer is present, do so after the
Page 8 of 12
In general, you should recover a card if you have reasonable grounds for believing the card is
being used fraudulently or is altered or counterfeit. The following situations are considered
reasonable grounds for recovery:
• Card security features are missing or irregular, or appear to have been tampered with.
• The account number on the magnetic stripe does not match the number embossed on the
front of the card.
• You receive a pick-up response when a card has been swiped for electronic authorization,
or you are instructed to recover the card during a Code 10 call.
Card Recovery Procedures
• Recover the card only if you can do so safely. Never take unnecessary risks.
• Tell the cardholder you have been instructed to keep the card, and that he or she may call
the card issuer for more information.
• Remain calm and courteous. If the cardholder behaves in a threatening manner, return the
• Following a successful recovery, call your merchant bank and ask for further instructions.
Card-not-present (CNP) transactions are those in which the card and cardholder are not present at
the point of sale, which may include orders placed by internet, phone, mail, or fax.
Take these steps to accept CNP payments (some only apply to Visa credit cards):
1. Obtain an authorization.
2. Verify the card’s legitimacy:
o Ask the customer for the card expiration date, and include it in your authorization
request. An invalid or missing expiration date might indicate that the customer does
not have the actual card in hand.
o Use fraud prevention tools such as Visa’s Address Verification Service (AVS), Card
Verification Value 2 (CVV2), and Verified by Visa (see below).
3. Look for general warning signs of fraud (listed below).
4. If you receive an authorization, but still suspect fraud:
o Ask for additional information during the transaction (e.g., request the financial
institution name on the front of the card).
o Contact the cardholder with any questions.
Page 9 of 12
o Confirm the order separately by sending a note via the customer's billing address
rather than the “ship to” address.
CNP fraud prevention tools (some only apply to Visa credit cards)
Address Allows card-not-present merchants to check a Visa cardholder’s billing
Verification address with the card issuer. The merchant includes an AVS request as part of
Service (AVS) the authorization and receives a result code indicating whether the address
given by the cardholder matches the address on file with the issuer.
Card Verification Is a three-digit number imprinted on the signature panel to help card-not-
Value 2 (CVV2) present merchants verify that the customer has a legitimate card in hand at the
time of the order? The merchant asks the customer for the CVV2 code and
then sends it to the card issuer as part of the authorization request. The card
issuer checks the CVV2 code to determine its validity, then sends a CVV2
result back to the merchant along with the authorization. CVV2 is required on
all Visa cards.
To protect CVV2 data from being compromised, merchants are prohibited
from keeping or storing CVV2 numbers once a transaction has been
Verified by Visa Enables e-commerce merchants validate a cardholder's ownership of an
(VbV) account in real-time during an online Visa card transaction. When the
cardholder clicks "buy" at the checkout of a participating merchant, the
merchant server recognizes the registered Visa card and the “Verified by
Visa” screen automatically appears on the cardholder’s desktop. The
cardholder enters a password to verify his or her identity and the Visa card.
The issuer then confirms the cardholder’s identity.
12 potential signs of CNP fraud
Keep your eyes open for the following fraud indicators. When more than one is true during a
card-not-present transaction, fraud might be involved. Follow up, just in case.
1. First-time shopper: Criminals are always looking for new victims.
2. Larger-than-normal orders: Because stolen cards or account numbers have a limited life
span, crooks need to maximize the size of their purchase.
3. Orders that include several of the same item: Having multiples of the same item increases
a criminal's profits.
4. Orders made up of “big-ticket” items: These items have maximum resale value and
therefore maximum profit potential.
Page 10 of 12
5. “Rush” or “overnight” shipping: Crooks want these fraudulently obtained items as soon
as possible for the quickest possible resale, and aren’t concerned about extra delivery
6. Shipping to an international address: A significant number of fraudulent transactions are
shipped to fraudulent cardholders outside of the U.S. Visa AVS can't validate non-U.S.,
except in Canada and the United Kingdom.
7. Transactions with similar account numbers: Particularly useful if the account numbers
used have been generated using software available on the Internet (e.g., CreditMaster).
8. Shipping to a single address, but transactions placed on multiple cards: Could involve an
account number generated using special software, or even a batch of stolen cards.
9. Multiple transactions on one card over a very short period of time: Could be an attempt to
"run a card" until the account is closed.
10. Multiple transactions on one card or a similar card with a single billing address, but
multiple shipping addresses: Could represent organized activity, rather than one
individual at work.
11. In online transactions, multiple cards used from a single IP (Internet Protocol) address:
More than one or two cards could definitely indicate a fraud scheme.
12. Orders from Internet addresses that make use of free e-mail services: These e-mail
services involve no billing relationships, and often neither an audit trail nor verification
that a legitimate cardholder has opened the account.
There are two potential frauds from reversals: (1) an insider pushing money from the
organization's account to a third party, and (2) an outsider who has successfully figured out how
to use an automated reversal process to "refund" money which is not owed, for example by using
Best practices to prevent fraud from reversals include:
• Reversals should always be performed by hand, signed off by two distinct employees,
and logged. This reduces the risk from internal and external fraud.
• Money is not negative. Force zero or positive numbers, and prevent negative numbers
from being entered by a customer online.
• There should be no code on your web site for reversals or charge backs.
• Don't ship or release goods to the customer until you have an authorization receipt from
the payment gateway.
• For high value items, consider making the reversal an over-the-phone or fax authority
only (not web only).
Page 11 of 12
• Keep track of customers who chargeback, and decide if they present excessive risk.
• Always ask for the customer's e-mail and phone number that the issuing credit card
institution has for the customer. This helps if other red flags pop up.
• Make it known on your website that you prosecute fraud to the fullest extent of the law
and all transactions are fully logged.
Page 12 of 12