Archive for the ‘fraud protection’ Category

Is it ever ok to copy front and back of credit card?

Thursday, April 18th, 2013

No, not if the goal is to defend against future disputes. Merchants can never store the security code on paper or electronically. It’s a violation of both the merchant card acceptance and PCI Compliance* rules. The penalties can be especially stiff, even reaching over one million dollars in fines and jail time, for merchants in industries covered by special identity theft rules. For example, automotive dealers and health care providers also collect sensitive personal data, which increases their regulatory obligations to protect consumers from identity theft.

First Data, a leading credit card processor, has this language in their PCI Rapid Comply 2013 questionnaire: “Do you make sure that you NEVER, EVER store the card-validation code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions after authorization (even if encrypted)?”

If it’s never OK, how can card not present merchants protect against fraud and disputes?

  1. Increase capabilities to accept card present transactions. For example, a local business might add mobile card readers for delivery personnel to swipe credit cards.
  2. Require remote buyers to print the sales receipt, sign and send back. A signed sales receipt containing the authorization code and correct authorization language enhances the trail of evidence.
  3. Same as above, except for commercial accounts, require that the cardholder forward the email receipt with their electronic signature from a company email address.
  4. Require cardholders to specifically approve any 3rd party delivery address or personnel. Maintain all email communication records related to the sales process.
  5. Switch to self-serve payments such as an online pay page or electronic bill presentment and payment, both of which create opportunities for trails of electronic evidence. Use a third party provider to reduce PCI Compliance burden.
  6. Use a third party service to electronically store sensitive payment information in a ‘vault’ for recurring customers. Ensure that no one can access the full card or ACH information.
  7. Have a set of policies that can be remotely managed, monitored and enforced. This is critical in a multi-location environment.

* PCI Compliance: short for Payment Card Industry Data Security Standards, or PCI DSS. All merchants are subject to PCI Compliance and the requirements vary by a number of factors including how payments are accepted and business size.
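As an added example (not code from this post or from CenPOS), the following Python shows the two sides of the storage rule above: what a card-not-present merchant may keep after authorization (a masked card number, a vault token, and the name, expiry and statement address needed as evidence) and a scanner that flags card numbers and security codes that have leaked into notes, logs or exports. The vault token is assumed to come from a third-party provider; the order, the log lines and the card number are constructed for the example (the number is a standard test value, not a real card).

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed sample of what a card-not-present order form captures before
# authorization. The PAN is a well-known test number, not a real card.
CAPTURED_ORDER = {
    "name": "Jane Example",
    "pan": "4111111111111111",
    "expiry": "12/2015",
    "cvv": "123",
    "statement_address": "123 Main St, Anytown, FL 33060",
    "amount": "42.00",
}

# Constructed log lines; the second line shows what a PAN/CVV leak into a
# free-text notes field looks like.
LOG_LINES = [
    "2013-04-18 10:02:11 order=1001 token=tok_ab12 pan=411111******1111 status=approved",
    "2013-04-18 10:05:43 order=1002 note='customer gave cvv 123 over phone, pan 4111 1111 1111 1111'",
    "2013-04-18 10:07:00 order=1003 token=tok_cd34 amount=42.00",
]


def luhn_ok(digits: str) -> bool:
    """Luhn check: screens out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the most PCI DSS permits to display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def sanitize_for_storage(order: Dict[str, str], token: str) -> Dict[str, str]:
    """Build the record that may be kept after authorization.

    The CVV is dropped entirely (never stored, even encrypted), the PAN is
    replaced by its masked form plus the vault token, and the evidence fields
    the card-absent guidelines ask for (name, expiry, statement address) stay.
    `token` is assumed to come from a PCI-compliant vault provider.
    """
    return {
        "name": order["name"],
        "pan_masked": mask_pan(order["pan"]),
        "token": token,
        "expiry": order["expiry"],
        "statement_address": order["statement_address"],
        "amount": order["amount"],
    }


# 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# A 3- or 4-digit value sitting next to a CVV-like label.
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid|security code)\b\W{0,5}(\d{3,4})\b", re.IGNORECASE)


def find_prohibited_data(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Scan text (logs, notes, exported records) for data that must not be stored.

    Returns (line index, kind, masked value). PAN candidates must pass Luhn so
    that timestamps and order numbers are not reported; the value returned is
    masked so the scanner's own output does not become a second leak.
    """
    findings = []
    for i, line in enumerate(lines):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings.append((i, "pan", mask_pan(digits)))
        for m in CVV_RE.finditer(line):
            findings.append((i, "cvv", "*" * len(m.group(1))))
    return findings


if __name__ == "__main__":
    stored = sanitize_for_storage(CAPTURED_ORDER, token="tok_example")
    print(json.dumps(stored, indent=2))
    for idx, kind, value in find_prohibited_data(LOG_LINES):
        print(f"line {idx}: prohibited {kind} data found ({value})")
```

Run the scanner over exported records or application logs on a schedule; a non-empty result is the signal that a form, notes field or log statement is capturing what the questionnaire above says must never be kept.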

About the author: Christine specializes in providing innovative card not present payment processing solutions for manufacturers, wholesale distributors and new car dealers to improve PCI Compliance and streamline the payment experience for both merchants and customers. It’s fast, easy to use, and requires no capital investment to implement. For CenPOS sales call Christine at 954-942-0483 or click here for more information.

Credit card authorization form template

Thursday, February 21st, 2013

Most merchants have printable authorization forms that don’t comply with the basic requirements to protect against disputes or don’t comply with Payment Card Industry Data Security Standards (PCI Compliance) guidelines.
Download this Credit card authorization form template and modify as you wish.

USE AND DISTRIBUTION

This form contains language suitable for businesses where all of these elements apply:

  • business to business
  • card not present – phone, fax, email, or other order (not ecommerce)
  • repeat customers with sales of variable amounts; need to bill customers on an occasional or regular basis for varying purchases
  • sensitive card data is stored via a PCI compliant solution that replaces card data with a ‘token’; the token is then used to charge the card

Card Acceptance Guidelines for Visa Merchants (2012) PDF download from Visa.com

You won’t find a “fax authorization form” in the guidelines, however, there is much information about receipt requirements.

Do you want to empower your customers to pay 24/7 via a secure pay online page? Would you like to reduce scope for PCI Compliance?

Would you like to eliminate fax authorization forms that expose card data? Contact Christine Speedy at 954-942-0483.

Are we allowed to ask donors to provide their CVV number in a mailing?

Friday, November 18th, 2011

This is a great question. Should non-profits have a CVV field on their mail order donor response cards? Reading the 2011 Visa Card Acceptance Guidelines for Visa Merchants, it’s still open to interpretation as to whether to ask for CVV on mailings. Here are the official excerpts:

General Card-Absent Transaction Procedures

Pg 46 “Always ensure that, at a minimum, you collect the following details from your customer:

  • The card account number
  • The name as it appears on the card
  • The card expiration date as it appears on the card
  • The cardholder’s statement address”

Pg 46 “If you are taking an order through the mail or via a fax:

  • Obtain a signature on the order form.
  • Always retain a copy of the written order.
  • Get proof of delivery”

Pg 48 “A cardholder’s CVV2 may never be stored as a part of order information or customer data. The storage of CVV2 is strictly prohibited subsequent to authorization.”

“An initial, or set-up, recurring transaction should be processed the same as any MO/TO or Internet transaction. If set up by mail or telephone, you should submit both AVS* and CVV2** queries with the authorization.

The sales receipt for an initial recurring transaction must include the following information:

  • The phrase “recurring transaction”.
  • The frequency of the charges.
  • The period of time the cardholder has agreed to for the charges.”

[Image: CVV authorize indicator table]

* In certain markets, CVV2 is required to be present for all card-absent transactions.
** In some markets, if the transaction is approved but the CVV2 response is a no match, the merchant is protected against fraud chargebacks.

In summary, the merchant can leave the CVV off the response card and reduce the risk of storing prohibited data, but should then use the correct indicator for authorizations: “You have chosen not to submit CVV2.”

If the merchant has a history of mail order fraud, then the merchant may want to collect the CVV2 using a lockbox service to reduce risk. If the merchant is retaining response cards, then the response card should be designed so that the CVV can easily be detached after the initial authorization and securely shredded. If the response card is scanned, the fields with sensitive data must not be scanned.

Please note PCI DSS compliance rules always take precedence over individual card network rules.

See also, new 2011 card absent receipt requirements.

 

CenPOS update leverages new CVV rule for magnetic stripe failures

Tuesday, November 1st, 2011

CenPOS, a fast-growing payment processing technology, released a new feature for merchants to enable the automatic collection of CVV at the point of sale for key entered transactions including a failed magnetic stripe read. The update supports the new Visa rule for card present transactions.

Effective October 15, 2011, merchants that prompt for and validate the Card Verification Value 2 (CVV) on any Visa CPS Key entry transaction (not to be confused with CPS Card-not-present) will no longer be required to take an imprint of the card to prove that the consumer was present at the time of the transaction. More importantly, merchants that implement this new procedure will no longer be liable for charge-back reason code 81 (Fraud Card-Present Environment).

 

The CenPOS privilege in the Virtual Terminal can be dynamically enabled or disabled by the merchant administrator. When enabled, the Virtual Terminal will automatically prompt for the CVV on any and ALL manually entered transactions. If in a retail environment with an attached signature capture terminal, the customer will still be prompted for their signature as usual.

[Image: CVV prompt for key entered face to face]

About CenPOS
“Creating efficiencies through payment innovation”

Founded in 2009, Miami-based CenPOS is a payment technology provider. CenPOS is committed to providing its customers and partners with innovative solutions for today’s rapidly evolving consumer payment choices.

CenPOS is an intelligent payment-processing network that streamlines the payment experience for businesses and consumers by using state-of-the-art technology to replace inefficient, outdated payment systems. The network reflects the core values that drive the experienced and innovative CenPOS team: Simplicity, Scalability, Security and a holistic approach to payment processing strategies.

CenPOS provides solutions to a range of organizations including but not limited to retail, card not present merchants, automotive dealers, professional services and academic institutions; special programs are also available for non-profits.

Christine Speedy direct (954) 942-0483

New Card Acceptance Process for Magnetic-Stripe Failures at the Point of Sale

Tuesday, November 1st, 2011

Currently, when the magnetic stripe fails during a face-to-face transaction, the merchant key-enters the account number and must manually imprint the card to prove the card was present during the transaction, for protection against fraud chargebacks. Effective for new transactions processed on or after October 15, 2011, merchants may include Card Verification Value 2 (CVV2) in the authorization request for Visa U.S. Domestic key entered face-to-face transactions when the magnetic stripe cannot be read by the terminal.
In order to qualify for chargeback protection against reason code 81 “Fraud-Card Present” the transaction must meet the following criteria:

  • Authorization Approval
  • U.S. Domestic Transaction
  • Card Present with magnetic stripe failure only
  • Transaction was key entered
  • CVV2 was included in the authorization request
  • Signature obtained on the sales draft and retrieval request properly fulfilled

The following transaction types are excluded from the chargeback protection:

  • Quasi Cash
  • Cash Back
  • Manual Cash Disbursement
  • Betting, including lottery tickets
  • Casino Gaming Chips
  • Off-Track Betting and Wagers at a Race Track
  • Visa International transactions

Merchants processing these excluded transaction types must continue to obtain an imprint of the card when the magnetic stripe cannot be read by the terminal for protection against fraud chargebacks.

How can a merchant perform a Zero Dollar Authorization on a credit card to validate if it’s good?

Wednesday, September 21st, 2011

Have you ever needed to check if a credit or debit card is valid, but you don’t want to authorize or charge yet? We’ve added a new feature for our CenPOS Virtual Terminal called Positive Card. CenPOS will go out to the networks with a zero authorization amount to validate the card with the issuer prior to the card being stored.

REVIEW OF ENCRYPTED PAYMENT STORAGE OPTIONS NOW AVAILABLE:
Positive Card: validates the card. The merchant sees whether the CVV, address and zip code pass the fraud check and decides whether the answers are acceptable before storing. Why would you accept a card if it doesn’t pass everything? Only Canada and the UK participate in AVS check; if you know your customer, you may wish to allow the card anyway. This feature allows you to enter a card, then make an educated decision as to whether you want to store it for recurring billing.
Repeat Sale: offered for check/ACH and credit/debit. Process a transaction and it creates a new token to use for future sales transactions. CVV is not allowed per PCI Compliance. Later, check the Token box, enter the Token ID, amount and invoice #. That’s it.
Recurring Payments Module: offered for check/ACH and credit/debit. Set up client contracts and store multiple cards, payors, and payment methods for a single account. Regardless of where a token was issued (resale, recurring, positive, etc.), the token is the same for all.
Securely store any payment type for variable amount token billing or fixed recurring billing.

FAQ:
How do I get this feature? Administrators log in to the Virtual Terminal and turn it on for each user who should have access. (This also applies to the other options.)
Will this also validate checks? No. It resides in credit/debit only. If you have a need, let us know.
Are there fees? Yes. As of 6/14/11, MasterCard charges $.03 for this service, effective with their announcement to support zero auth address verification (AVS), card verification code 2 (CVC 2) validation, or both. Expect similar fees on all networks now or in the future. Standard CenPOS per transaction fees apply.
Can we use tokens for the EBPP/ E-invoice service? Not yet, but it’s in development. Currently customers will click the email and enter payment information for each invoice.

The tools are in place for you to eliminate faxed authorization forms that expose payment data and reduce PCI Compliance scope. If you need help using the features or with delivering the token approval form to your clients for signature, please do not hesitate to call.

 

Visa Announces U.S. Participation in Global Point-of-Sale Counterfeit Liability Shift

Tuesday, August 9th, 2011

Visa is announcing plans to accelerate the migration to contact chip and contactless EMV chip technology in the U.S. The adoption of dual-interface chip technology will help prepare the U.S. payment infrastructure for the arrival of Near Field Communication (NFC)-based mobile payments by building the necessary infrastructure to accept and process chip transactions.

Not only will chip technology accelerate mobile innovations, it is also expected to enhance payment security through the use of dynamic authentication. Chip technology greatly reduces a criminal’s ability to use stolen payment card data by introducing dynamic values for each transaction. Even if payment card data is compromised, a counterfeit card would be unusable at the point of sale (POS) without the presence of the card’s unique elements. By eliminating static authentication, we reduce the value of stolen cardholder data, benefiting all stakeholders.

Visa’s plan includes merchant incentives to upgrade to EMV chip-enabled terminals, requirements for acquirer processors to support chip acceptance and the introduction of U.S. liability shift policies.

Specifically, Visa will waive Payment Card Industry Data Security Standard (PCI DSS) compliance validation requirements to encourage merchant investment in contact and contactless chip payment terminals. Visa will also require acquirer processors to ensure that their systems support dynamic data acceptance (i.e., chip) and will institute a domestic and cross-border counterfeit liability shift.

Visa’s Counterfeit Liability Shift Policies

Visa intends to institute a liability shift in the U.S. for domestic and cross-border counterfeit transactions effective 1 October 2015. Visa’s global POS counterfeit liability shift policies are designed to encourage EMV chip card issuance and acceptance in participating geographical regions, effectively creating a more secure environment for transactions within and between each participating Visa region. Note: The liability shift encourages chip transactions because any chip-on-chip transaction (i.e., a chip card read by a chip terminal) provides dynamic authentication data, which helps to better protect all parties.

With this type of liability shift, the party that is the cause of a chip-on-chip transaction not occurring (i.e., either the issuer or the merchant’s acquirer) will be financially liable for any resulting card-present counterfeit fraud losses. When a transaction occurs using chip technology, any liability for counterfeit fraud, though unlikely, would follow current Visa Operating Regulations.

The policy assigns liability for counterfeit fraud to the party that has not made the investment in EMV chip cards (issuers) or terminals (merchants’ acquirers). The policy encourages wider deployment of EMV cards and terminals.

EMV chip implementation is accelerating globally. Today, excluding the U.S., 44 percent of all cards are EMV chip cards, and 74 percent of all terminals are EMV chip-capable, with 62 percent of cross-border transactions conducted with a chip card at a chip terminal.

U.S. Participation Introduced in Global Counterfeit Liability Shift Policy

Visa plans that effective 1 October 2015, the U.S. will be included in the Global POS Liability Shift Policy, which will apply to all issuers and merchants’ acquirers in the U.S., with the exception of transactions at Automated Fuel Dispensers (AFDs). Transactions made at AFDs will be excluded from the liability shift for a period of two (2) years due to the challenges faced by the petroleum industry in upgrading terminals to accept EMV chip cards. Similarly, effective 1 October 2017, transactions made at AFD terminals will be included in the Global POS Liability Shift Policy.

Note: This liability shift policy change excludes counterfeit fraud at U.S. ATMs. Visa will continue to evaluate the potential for an expansion to include ATMs.

Preparing for Payment Technology Evolution

As the U.S. point-of-sale payment infrastructure continues to evolve from the static magnetic stripe to intelligent devices such as EMV chip cards and Near Field Communication (NFC) mobile phones, this liability shift policy change will help ensure that the acceptance infrastructure is ready. It will also allow acquirers, merchants and issuers to invest in new technology to ensure that cardholders can continue to make secure and frictionless transactions across all channels.

Fraud Risks and methods to identify and prevent credit card fraud

Thursday, May 5th, 2011

Results from the 2010 LexisNexis True Cost of Fraud study show that 20% of merchant fraud losses are attributed to friendly fraud, 42% to lost or stolen merchandise, 18% to identity fraud, and 20% to fraudulent requests for a return/refund. Friendly fraud occurs when a consumer purchases an item online and receives the product but claims not to have received it, requesting a refund or chargeback from the merchant or delivery of a duplicate item.

Prevention holds the greatest impact in minimizing fraud losses.

Fraud Loss by Company Size, Product Type, Channel and Industry, 2010

Company size                       Small Company (avg <$1M revenues)   Medium Company (avg $5M revenues)   Large Company (avg >$50M revenues)
Average annual fraud amount ($)    $2,145                              $104,000                            $6,767,000

For the complete study, get it free by registering at the LexisNexis web site: 2010 LexisNexis True Cost of Fraud.

Comments:

Friendly fraud: A small business owner was able to successfully defend against a consumer claim that the box was delivered empty by showing FedEx records of the package weight. The difficulty with this going forward is that new rules have a 180 day chargeback period. Make sure your shipping company keeps those records for as long as you need them.

Identity fraud: Unless there is an issue of verifying ownership, such as when a customer is picking up a car left for repair, merchants cannot ask for a driver’s license or other identification for a standard transaction. However, there are many other ways to prevent this type of crime. In the brick and mortar world, a mandatory check of the last 4 digits is a simple and effective way to block cloned credit cards. Due to the global nature of our society, requiring the zip code would frequently result in too many declines. However, you can add additional filters with our payment processing platform, which sits in front of your existing processor. Essentially it is your fraud protection dashboard, where you control in real time the level of risk you’re willing to accept, either by blocking specific transactions entirely or by sending automated email alerts to managers who can then assess the situation. This works very similarly for online transactions.
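As an added example (not CenPOS code and not any product’s actual rule set), the following Python shows the kind of centrally managed policy the identity-fraud comment and the “policies that can be remotely managed, monitored and enforced” item describe: each rule is data, each rule either blocks the sale or only raises a manager alert, and a block always wins. It goes a little beyond the comment by also covering the key-entered-without-CVV2 case from the magnetic-stripe-failure posts above. The last-4 rule is the cloned-card check mentioned here: the account number read from the stripe must end in the digits printed on the face of the card. The rule names, thresholds and sample transactions are constructed for the example (the card number is a standard test value).

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Transaction:
    pan: str                       # account number read from the magnetic stripe (or keyed)
    entry_mode: str                # "swipe" or "keyed"
    amount: float
    keyed_last4: Optional[str]     # last four digits the clerk types from the face of the card
    avs_zip_match: Optional[bool]  # None when AVS was not requested or is not supported
    cvv2_result: Optional[str]     # "M" (match), "N" (no match), None when CVV2 was not sent


@dataclass
class Rule:
    name: str
    action: str                    # "block" stops the sale; "alert" lets it through and notifies a manager
    condition: Callable[[Transaction], bool]


def last4_mismatch(t: Transaction) -> bool:
    """Cloned-card check: the stripe PAN must end with the digits printed on the card."""
    return t.keyed_last4 is not None and t.keyed_last4 != t.pan[-4:]


# Hypothetical policy set; names and thresholds are constructed for this example.
# Zip mismatch is an alert rather than a block, for the reason given in the comment
# above: many legitimate foreign cards will not match.
POLICY: List[Rule] = [
    Rule("last4-mismatch", "block", last4_mismatch),
    Rule("cvv2-no-match", "block", lambda t: t.cvv2_result == "N"),
    Rule("keyed-without-cvv2", "alert",
         lambda t: t.entry_mode == "keyed" and t.cvv2_result is None),
    Rule("zip-mismatch", "alert", lambda t: t.avs_zip_match is False),
    Rule("high-amount", "alert", lambda t: t.amount >= 1000.0),
]


def evaluate(t: Transaction, policy: List[Rule] = POLICY) -> Tuple[str, List[str]]:
    """Return ("block" | "alert" | "allow", names of the rules that fired). Any block wins."""
    fired = [r for r in policy if r.condition(t)]
    if any(r.action == "block" for r in fired):
        decision = "block"
    elif fired:
        decision = "alert"
    else:
        decision = "allow"
    return decision, [r.name for r in fired]


def alert_message(t: Transaction, fired: List[str]) -> str:
    """Text a manager would receive; it carries only the last four digits, never the full PAN."""
    return (f"Review sale of ${t.amount:.2f} on card ending {t.pan[-4:]} "
            f"({t.entry_mode}): {', '.join(fired)}")


# Constructed sample transactions using a standard test PAN.
CLEAN_SWIPE = Transaction("4111111111111111", "swipe", 40.00, "1111", True, None)
CLONED_CARD = Transaction("4111111111111111", "swipe", 40.00, "9999", True, None)
KEYED_LARGE = Transaction("4111111111111111", "keyed", 1500.00, None, None, None)

if __name__ == "__main__":
    for t in (CLEAN_SWIPE, CLONED_CARD, KEYED_LARGE):
        decision, fired = evaluate(t)
        print(decision, fired)
        if decision == "alert":
            print("  ", alert_message(t, fired))
```

Because the policy is a list of rules rather than code scattered through the terminal software, one administrator can change it for every location at once, and the "alert" tier lets a manager review a borderline sale without declining a good customer.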