Credit Card Processing Best Practices
Transcript

  • 1. Credit Card Processing Best Practices

    Card-Present Transactions

    Card-present transactions are those in which both the card and cardholder are present at the point of sale. Merchants are required to take all reasonable steps to assure that the card, cardholder, and transaction are legitimate.

    Swiping the Card

    Always swipe credit cards when they are present. The magnetic stripe on the back contains the following information, which is sent electronically to the credit card issuer:
      • Cardholder name
      • Card account number
      • Expiration date
      • Sensitive authentication data
      • Security information designed to detect counterfeit cards

    Do not double swipe a customer’s card. Some merchants swipe the card once in the electronic funds transfer terminal and then in the point of sale system. However, some cashiers might swipe the card through another device, so it can be fraudulently duplicated (skimming). Cardholders should not get in the habit of allowing merchants to double swipe their credit card.
  • 2. Verifying the Account Number

    Most point-of-sale (POS) terminals allow merchants to verify that the embossed account number on the front of the card matches the account number in the magnetic stripe in one of the following ways:
      • Magnetic stripe number appears on terminal and cashier compares to card number,
      • Last four digits of magnetic stripe number appear on receipt and cashier compares to last four digits on card, or
      • Cashier is prompted to enter the last four digits of the card number into the terminal and the terminal compares it with the last four digits in magnetic stripe. “No Match” message appears if they don’t match.

    If the magnetic stripe does not match the card number on the front, make a Code 10 call.

    When Cards Won’t Read When Swiped

    This usually means one of three things:
      • The terminal’s magnetic-stripe reader is not working properly,
      • The card is not being swiped through the reader correctly, or
      • The magnetic stripe on the card has been damaged or demagnetized.

    Merchants should take the following steps:
      • Check the terminal to make sure it is working and that you are swiping the card correctly.
      • If the terminal is okay, check the card’s security features to make sure it is not counterfeit (see Credit Card Security Features below).
      • If the problem appears to be the magnetic stripe, follow merchant procedures, which may include:
        □ Key-enter transaction data for authorization or
        □ Call voice-authorization center
      • For key-entered or voice-authorization transactions, make an imprint of the front of the card, which protects the merchant from chargebacks by the credit card issuer if the transaction turns out to be fraudulent. The imprint can be on the terminal sales receipt or a separate manual sales receipt. Either way, it should be signed by the customer.
  • 3. Key-entered and voice-authorization transactions are associated with higher fraud and chargeback rates because the Card Verification Value 2 (CVV2) and expiration date information from the magnetic stripe are not available.

    Minimizing Key-Entered Transactions

    Pinpoint areas of high key-entry rates:
      • Calculate the percentage of key-entered transactions once a month to pinpoint terminals or sales associates with high rates (exclude key-entered telephone and mail order transactions from the calculation below):

        Key-entered transactions / Total transactions = % of key-entered transactions

      • If the percentage of key-entered transactions is greater than 1%, investigate to find out why. Frequent causes and solutions for key-entered transactions are listed below.

    Verifying Credit Card Security Features during Transaction Processing

    Sales staff should keep the card in their possession during transaction processing and check the following items to verify the credit card is valid:

    Front of Card
  • 4.
      • Check the account number for evenness and clarity. On valid cards, the numbers will be even and straight. On altered cards, they may have fuzzy edges or you might see “ghost images” of the original numbers.
      • Check the “Good thru” or “Valid thru” date. If the transaction date is after the “Good thru” date, call the authorization center to verify the card is still valid.
      • Visa
        o The small, printed four digit number should match the first four digits of the embossed account number, which should begin with a “4.”
        o The dove hologram should appear to “fly” when the card is tilted back and forth. Beginning in January 2006, new Visa cards will have a dove hologram on the back instead.
      • MasterCard
        o The interlocking globes hologram should appear to move when the card is tilted.
        o The account number should start with a “5.”

    Back of Card
      • Verify the signature panel is signed and check for signs of tampering (e.g., correction fluid, white tape, ghost images).
      • Verify the card contains a three digit Card Verification Value (CVV2), which is used primarily for card-not-present transactions.
      • Verify the magnetic stripe is smooth and straight and does not show signs of tampering.
  • 5. Dealing with Unsigned Cards

    If the signature panel is left blank...
      • Request a signature. Ask the cardholder to sign the card and provide current government identification, such as a driver's license or passport.
      • Check the signature. Be sure that the cardholder signature on the transaction receipt matches the one on the card and the additional identification.
      • Complete the transaction. If the signatures appear reasonably the same and the authorization request is approved, continue the transaction. If the cardholder refuses to sign the card, do not accept the card.

    If the card has a “See ID” in place of a signature…
      • Request a signature. Ask the cardholder to sign the card and provide current government identification, such as a driver's license or passport.
      • Check the signature. Be sure that the signature on the card matches the one on the transaction receipt and the additional identification.

    If any of the security features are missing or look altered, keep the card in your possession and calmly make a Code 10 call to the authorization center.
  • 6. Authorization

    The authorization process allows the card issuer to approve or decline a transaction. The sales associate will receive one of the following messages or one that is similarly worded.

    Response | Meaning
    Approved | Card issuer approves the transaction. Approval indicates that funds are available and the card has not been reported as lost or stolen, but is not proof that the customer is the cardholder or the card is the valid credit card.
    Declined or Card Not Accepted | Card issuer does not approve the transaction. Do not complete the transaction. Return the card and ask the cardholder to call the card issuer for more information on the status of the account.
    Call, Call Center, or Referrals | Card issuer needs more information before approving the sale. Call your authorization center and follow whatever instructions you are given. In most cases, the authorization agent will ask to speak to the cardholder or will instruct you to check the cardholder’s identification.
    Pick Up | Card issuer wants to recover the card. Do not complete the transaction. Inform the cardholder that you have been instructed to keep the card, and ask for an alternative form of payment. If you feel uncomfortable, simply return the card to the cardholder.
    No Match | The embossed number on the front of the card does not match the number encoded in the magnetic stripe. Swipe the card again and re-key the last four digits at the prompt. If “No Match” appears again, the card is probably counterfeit. If you can do so safely, keep the card and make a Code 10 call.

    When a transaction is approved, the POS terminal automatically prints a sales receipt. When a negative or alert message is received, the response is delayed on the POS terminal, and no sales receipt is printed. Whatever the message, you should continue to treat the customer courteously so as not to arouse alarm or suspicion.

    Zero-Percent Tip Authorization

    Merchants should not add estimated tips to the transaction amount. Restaurants and other merchants that normally receive tips should take the following steps:
      • Instruct staff to authorize only for the check amount.
      • Ensure your authorization system is set up for zero-percent authorization. Restaurant authorizations are automatically valid for the transaction amount plus 20% to protect merchants from chargeback liability for an incorrect or disputed transaction amount.
  • 7. Split Sales and Split-Tender Transactions

    Split sales are prohibited. A merchant may not split the cost of a single transaction between two or more sales receipts using a single cardholder account to avoid transaction limits.

    Split-tender transactions are okay, if the merchant allows them. A customer may pay part of the transaction with a credit card and the rest with cash or another credit card, if the merchant’s policies allow it.

    Signature and Identification

    The sales associate should take the following steps to complete the transaction after receiving authorization from the card issuer:
      • Match the name and last four digits of the account number on the card to those printed on the receipt.
      • Match the signature on the back of the card to the signature on the receipt. The first initial and spelling of the surname must match. Embossed name and signature do not need to be the same.
      • For suspicious or non-matching signatures, make a Code 10 call and ask for further instructions.

    If the transaction is accepted with a non-matching signature and it turns out to be fraudulent, your business may be liable, even if all other procedures were followed.

    Suspicious Behavior

    Though peculiar behavior does not automatically indicate criminal activity, merchants should be aware of it and use common sense to determine whether to make a Code 10 call to report it. Examples of suspicious behavior include:
      • Purchasing large amounts of merchandise with seemingly no concern for size, style, color, or price.
      • Asking no questions or refusing free delivery on large items or high-dollar purchases.
      • Trying to distract or rush sales associates during a transaction.
      • Making purchases, leaving the store, and then returning to make more purchases.
      • Making purchases either right when the store opens or just before it closes.
  • 8. Skimming

    Skimming is a fraud scam in which a cardholder’s account information is electronically copied, or “skimmed,” off the card’s magnetic stripe, often in the process of an otherwise valid transaction. The skimmed information is used to produce counterfeit payment cards that are, in turn, used for fraudulent transactions. Skimming often occurs in card-present environments, such as restaurants and service stations, where transaction processing may occur out of sight of the cardholder.

    To skim a card, fraudsters typically use a small portable device that may not be bigger than a pager. They swipe the card through the device to copy the magnetic stripe. To prevent skimming, you should be on the lookout for:
      • Anyone operating an electronic device not normally used in your day-to-day business activities.
      • Anyone offering you money to record account information.

    If you suspect skimming activity, notify the campus police immediately.

    Code 10 Calls

    You should make a Code 10 call to your voice authorization center whenever you are suspicious about a card, cardholder, or transaction. To make a Code 10 call:
      • Keep the card in your possession during the call.
      • Call your voice authorization center, and say, “I have a Code 10 authorization request.”
      • The call may first be routed to a representative at your merchant bank who may need to ask you for some merchant or transaction details. You will then be transferred to the card issuer and connected to a special operator who will ask you a series of questions that can be answered with a simple yes or no.
      • When connected to the special operator, answer all questions calmly and in a normal tone of voice. Your answers will be used to determine whether the card is valid.
      • Follow all operator instructions.
      • If the operator tells you to pick up the card, do so only if recovery is possible by reasonable and peaceful means.

    If you don’t feel comfortable making a Code 10 call while the customer is present, do so after the customer leaves.
  • 9. Recovered Cards

    In general, you should recover a card if you have reasonable grounds for believing the card is being used fraudulently or is altered or counterfeit. The following situations are considered reasonable grounds for recovery:
      • Card security features are missing or irregular, or appear to have been tampered with.
      • The account number on the magnetic stripe does not match the number embossed on the front of the card.
      • You receive a pick-up response when a card has been swiped for electronic authorization, or you are instructed to recover the card during a Code 10 call.

    Card Recovery Procedures
      • Recover the card only if you can do so safely. Never take unnecessary risks.
      • Tell the cardholder you have been instructed to keep the card, and that he or she may call the card issuer for more information.
      • Remain calm and courteous. If the cardholder behaves in a threatening manner, return the card immediately.
      • Following a successful recovery, call your merchant bank and ask for further instructions.

    Card-Not-Present Transactions

    Card-not-present (CNP) transactions are those in which the card and cardholder are not present at the point of sale, which may include orders placed by internet, phone, mail, or fax.

    Take these steps to accept CNP payments (some only apply to Visa credit cards):
      1. Obtain an authorization.
      2. Verify the card’s legitimacy:
        o Ask the customer for the card expiration date, and include it in your authorization request. An invalid or missing expiration date might indicate that the customer does not have the actual card in hand.
        o Use fraud prevention tools such as Visa’s Address Verification Service (AVS), Card Verification Value 2 (CVV2), and Verified by Visa (see below).
      3. Look for general warning signs of fraud (listed below).
      4. If you receive an authorization, but still suspect fraud:
        o Ask for additional information during the transaction (e.g., request the financial institution name on the front of the card).
        o Contact the cardholder with any questions.
  • 10.
        o Confirm the order separately by sending a note via the customer's billing address rather than the “ship to” address.

    CNP fraud prevention tools (some only apply to Visa credit cards)

    Tool | Description
    Address Verification Service (AVS) | Allows card-not-present merchants to check a Visa cardholder’s billing address with the card issuer. The merchant includes an AVS request as part of the authorization and receives a result code indicating whether the address given by the cardholder matches the address on file with the issuer.
    Card Verification Value 2 (CVV2) | A three-digit number imprinted on the signature panel to help card-not-present merchants verify that the customer has a legitimate card in hand at the time of the order. The merchant asks the customer for the CVV2 code and then sends it to the card issuer as part of the authorization request. The card issuer checks the CVV2 code to determine its validity, then sends a CVV2 result back to the merchant along with the authorization. CVV2 is required on all Visa cards. To protect CVV2 data from being compromised, merchants are prohibited from keeping or storing CVV2 numbers once a transaction has been completed.
    Verified by Visa (VbV) | Enables e-commerce merchants to validate a cardholder's ownership of an account in real-time during an online Visa card transaction. When the cardholder clicks "buy" at the checkout of a participating merchant, the merchant server recognizes the registered Visa card and the “Verified by Visa” screen automatically appears on the cardholder’s desktop. The cardholder enters a password to verify his or her identity and the Visa card. The issuer then confirms the cardholder’s identity.

    12 potential signs of CNP fraud

    Keep your eyes open for the following fraud indicators. When more than one is true during a card-not-present transaction, fraud might be involved. Follow up, just in case.
      1. First-time shopper: Criminals are always looking for new victims.
      2. Larger-than-normal orders: Because stolen cards or account numbers have a limited life span, crooks need to maximize the size of their purchase.
      3. Orders that include several of the same item: Having multiples of the same item increases a criminal's profits.
      4. Orders made up of “big-ticket” items: These items have maximum resale value and therefore maximum profit potential.
  • 11.
      5. “Rush” or “overnight” shipping: Crooks want these fraudulently obtained items as soon as possible for the quickest possible resale, and aren’t concerned about extra delivery charges.
      6. Shipping to an international address: A significant number of fraudulent transactions are shipped to fraudulent cardholders outside of the U.S. Visa AVS can't validate non-U.S. addresses, except in Canada and the United Kingdom.
      7. Transactions with similar account numbers: Particularly useful if the account numbers used have been generated using software available on the Internet (e.g., CreditMaster).
      8. Shipping to a single address, but transactions placed on multiple cards: Could involve an account number generated using special software, or even a batch of stolen cards.
      9. Multiple transactions on one card over a very short period of time: Could be an attempt to "run a card" until the account is closed.
      10. Multiple transactions on one card or a similar card with a single billing address, but multiple shipping addresses: Could represent organized activity, rather than one individual at work.
      11. In online transactions, multiple cards used from a single IP (Internet Protocol) address: More than one or two cards could definitely indicate a fraud scheme.
      12. Orders from Internet addresses that make use of free e-mail services: These e-mail services involve no billing relationships, and often neither an audit trail nor verification that a legitimate cardholder has opened the account.

    Reversals

    There are two potential frauds from reversals: (1) an insider pushing money from the organization's account to a third party, and (2) an outsider who has successfully figured out how to use an automated reversal process to "refund" money which is not owed, for example by using negative numbers.

    Best practices to prevent fraud from reversals include:
      • Reversals should always be performed by hand, signed off by two distinct employees, and logged. This reduces the risk from internal and external fraud.
      • Money is not negative. Force zero or positive numbers, and prevent negative numbers from being entered by a customer online.
      • There should be no code on your web site for reversals or charge backs.
      • Don't ship or release goods to the customer until you have an authorization receipt from the payment gateway.
      • For high value items, consider making the reversal an over-the-phone or fax authority only (not web only).
  • 12.
      • Keep track of customers who chargeback, and decide if they present excessive risk.
      • Always ask for the customer's e-mail and phone number that the issuing credit card institution has for the customer. This helps if other red flags pop up.
      • Make it known on your website that you prosecute fraud to the fullest extent of the law and all transactions are fully logged.
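
Several of the 12 CNP fraud indicators listed earlier (5, 8, 9, 11 and 12) can be checked mechanically against order records, together with the rule that more than one true indicator calls for follow-up. The following is an added example, not part of the original presentation; the field names, the thresholds and the free e-mail domain list are assumptions, and the sample orders are constructed.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Assumed thresholds: the list only says "more than one or two cards" per IP
# and "a very short period of time".
MAX_CARDS_PER_IP = 2
MAX_TXNS_PER_CARD = 2
WINDOW = timedelta(hours=1)
FREE_EMAIL_DOMAINS = {"freemail.example"}  # placeholder, maintain your own list

# "card" is a gateway token, so the screen never handles account numbers.
Order = namedtuple("Order", "id card ip ship_to email placed rush")

def _order(oid, card, ip, ship_to, email, hhmm, rush=False):
    placed = datetime.fromisoformat("2024-03-01T" + hhmm)
    return Order(oid, card, ip, ship_to, email, placed, rush)

# Constructed sample orders (documentation IP ranges and .example domains).
ORDERS = [
    _order("A1", "tok_a", "198.51.100.7", "12 Oak St", "pat@corp.example", "10:00"),
    _order("B1", "tok_b", "203.0.113.9", "9 Dock Rd", "x1@freemail.example", "11:00", True),
    _order("B2", "tok_c", "203.0.113.9", "9 Dock Rd", "x2@freemail.example", "11:05", True),
    _order("B3", "tok_d", "203.0.113.9", "9 Dock Rd", "x3@freemail.example", "11:09", True),
    _order("C1", "tok_e", "192.0.2.44", "3 Hill Ln", "sam@corp.example", "12:00"),
    _order("C2", "tok_e", "192.0.2.44", "3 Hill Ln", "sam@corp.example", "12:10"),
    _order("C3", "tok_e", "192.0.2.44", "3 Hill Ln", "sam@corp.example", "12:20"),
]

def screen(orders):
    """Map each order id to the numbers of the indicators it matches."""
    cards_by_ip, cards_by_ship = defaultdict(set), defaultdict(set)
    times_by_card = defaultdict(list)
    for o in orders:
        cards_by_ip[o.ip].add(o.card)
        cards_by_ship[o.ship_to].add(o.card)
        times_by_card[o.card].append(o.placed)
    result = {}
    for o in orders:
        found = []
        if o.rush:                                      # 5: rush shipping
            found.append(5)
        if len(cards_by_ship[o.ship_to]) > 1:           # 8: one address, many cards
            found.append(8)
        nearby = [t for t in times_by_card[o.card] if abs(t - o.placed) <= WINDOW]
        if len(nearby) > MAX_TXNS_PER_CARD:             # 9: many charges, short time
            found.append(9)
        if len(cards_by_ip[o.ip]) > MAX_CARDS_PER_IP:   # 11: one IP, many cards
            found.append(11)
        if o.email.rsplit("@", 1)[-1].lower() in FREE_EMAIL_DOMAINS:  # 12
            found.append(12)
        result[o.id] = found
    return result

def needs_follow_up(orders):
    """Follow up when more than one indicator is true for an order."""
    return sorted(oid for oid, found in screen(orders).items() if len(found) > 1)

if __name__ == "__main__":
    for oid, found in screen(ORDERS).items():
        print(oid, found)
    print("follow up:", needs_follow_up(ORDERS))
```

Shipping addresses are compared as exact strings here, so real data needs address normalisation before the indicator 8 check is meaningful.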
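
The reversal practices listed under Reversals (no negative amounts, sign-off by two distinct employees, logging) expressed as server-side amount validation plus a back-office check. This is an added example, not code from the original presentation; the function names, the accepted amount format and the rule that a reversal may not exceed the original charge are assumptions, and the reversal helper is meant for an internal tool rather than the web site.

```python
import re
from decimal import Decimal

# ASCII digits only: no sign, exponent, thousands separator or third decimal.
# (Assumed format: up to 7 whole digits and at most 2 decimal places.)
_AMOUNT = re.compile(r"[0-9]{1,7}(\.[0-9]{1,2})?")

def parse_amount(text):
    """Parse an entered amount; raise ValueError unless it is plainly >= 0."""
    if not isinstance(text, str) or not _AMOUNT.fullmatch(text.strip()):
        raise ValueError(f"rejected amount: {text!r}")
    # Decimal avoids float rounding on currency values.
    return Decimal(text.strip())

def is_valid_amount(text):
    """Boolean form of parse_amount for form validation."""
    try:
        parse_amount(text)
        return True
    except ValueError:
        return False

def record_reversal(original_charge, amount_text, signer_1, signer_2, log):
    """Back-office check for a manual reversal (hypothetical helper).

    Enforces: valid positive amount, not above the original charge (assumed
    rule), two distinct employees signing off, and a log entry.
    """
    amount = parse_amount(amount_text)
    if amount == 0 or amount > original_charge:
        raise ValueError("reversal must be above zero and not exceed the charge")
    if not signer_1 or not signer_2 or signer_1 == signer_2:
        raise PermissionError("two distinct employees must sign off")
    log.append({"amount": str(amount), "signed_by": (signer_1, signer_2)})
    return amount

# Constructed inputs: the first two are accepted, the rest are rejected.
SAMPLES = ["19.99", " 250 ", "-5.00", "+5", "1e3", "NaN", "0.001", "\u22125.00", ""]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), is_valid_amount(s))
    audit_log = []
    print(record_reversal(Decimal("50.00"), "20.00", "emp_17", "emp_42", audit_log))
    print(audit_log)
```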
