Security is everyone’s business: retail credit card processing

A brief security note for customers using one of our retail solutions.

Do not store passwords and login information on your desk or in any unlocked area.

What if the machine does not recognize the magnetic strip?  If the machine says “re-swipe”, then

  • Check to make sure terminal is swiping properly (test any card by swiping without charging)
  • Try swiping at a different rate of speed.
  • Check for valid card security features (hologram etc, imprinted security code etc)
  • If the card appears to be OK, and you have permission to key enter, enter the transaction information and then have the customer sign the printed receipt as usual.
  • Verify the signature and card data on the receipt match the actual card.

Note: if the 4 digits do not match- it is ALWAYS a fraudulent card.

If suspicious, hold onto the card and call your Voice Auth phone number. “I have a code 10 authorization request”. Cash rewards up to $1000 are available to merchants and employees for recovered cards, including $100 from Visa for a last 4 digit mismatch, if this procedure is followed.

Do not store card data outside the system for any reason. Use the Repeat Sale button if you need to securely store card data to re-bill at a later date. The encrypted card data is stored on PCI Compliant servers, never at the merchant location, and you can charge the account again with the token that will be issued.

How can a merchant block cloned credit cards?

What can a merchant do to prevent losses resulting from the booming black market of identity theft rings buying and selling personal credit card information? The retail card present and ecommerce or MOTO transactions require different preventative measures to block cloned cards.

In the retail environment, the top method is for the cashier to re-enter the last 4 digits. This is a check to make sure the magnetic strip data matches the imprint on the front of the card. Scammers don’t make thousands of unique cards each with matching customer data. They typically are programming the magnetic strip data only.

A skilled con artist may try to get a cashier to key enter the transaction with some story about a problem with the mag strip, before the cashier even swipes the card. Don’t be fooled. Cashiers should never take the customers word for it. They should always swipe first. If the strip is bad, the machine will prompt to re-swipe. This is a critical decision point! If the strip really is bad, what preventative measures do you have in place to protect your company?

  • This is a key entered face to face transaction. The signed receipt must be presented to prevent a future chargeback. Can you find them when you need them?
  • Do you allow all cashiers to key enter any transactions? How would you know if someone key entered a $5000 transaction? Are you comfortable with that?

In the card not present environment, the top method is to verify CVV also known as the security code. Cloned cards do not have matching security codes because that is not data they can obtain. Address verification may be required to prevent chargeback’s. MOTO and ecommerce requirements do have some variances.

Do you want an alert if a transaction over a certain dollar amount, say $500, is key entered? Do you want to check for address, but only require it for transactions over a certain amount? With our universal hosted payment processing solution, there are hundreds of ways for merchants to manage risk parameters, including setting automated alerts.

A critical difference in our system for retailers is LOGICAL INTELLIGENCE. If the cashier has been given privileges to key enter transactions, then the system will automatically switch from prompting for the last 4 digits to prompting for the zip code. The merchant can control the maximum amount the cashier is allowed to key enter, and whether they want email alerts sent to management. If signature capture terminals are in place, the customer is prompted for the signature, which can be readily retrieved in the event of a chargeback dispute. (Note- all these parameters are controlled by the merchant. For example, if you don’t want to prompt for the last 4 digits, you don’t have to.)

Want to find out more? Read the CenPOS overview and request information.

Visa new web site for credit card security fraud protection

Visa Marks National Cyber Security Awareness Month with Launch of New Website to Help Consumers Fight Payment Card Fraud

San Francisco, October 4, 2010

Visa Inc. (NYSE: V) marks National Cyber Security Awareness Month with the launch of a new website to help cardholders and small businesses protect payment card account information, avoid payment card scams and resolve unauthorized use of their cards.

Visa is providing cardholders tips with practical know-how for protecting account information, avoiding payment card scams, and resolving unauthorized card use. Visa’s new website, at www.visasecuritysense.com, is available in English and Spanish. Visa also joins the National Cyber Security Alliance’s “Stop. Think. Connect.” campaign to educate consumers about protecting themselves and their personal information online.

“While cardholders using Visa debit and credit cards are protected by Visa’s zero liability policy(1) , many consumers believe that security is a shared responsibility and want to take an active role in managing and protecting their Visa accounts,” said Jennifer Fischer, head of U.S. Payment System Risk, Visa Inc. “Visa’s site is intended to empower cardholders with information to prevent fraud, avoid deceptive marketing practices and learn about important protections and resources available to them.”

A study by Javelin Strategy & Research found more than half of consumers view the responsibility for protecting financial accounts from fraud as shared between themselves and their financial institution(2).

Consumer Tips on How to Stay Safe Online

While the vast majority of Internet shopping purchases go through safely, consumers face hazards ranging from spyware to deceptive marketing practices. Consumers can learn basic tips about navigating the internet safely by visiting the National Cyber Security Alliance’s website at http://www.staysafeonline.org. When it comes to protecting financial information online, Visa offers a few additional tips. More information is available at http://www.visasecuritysense.com.

* Keep current with anti-virus and anti-spyware software, download only from trusted sites, and don’t click pop-up windows or suspicious links in emails, even from people you know. These can all be tricks to install spyware and steal financial information.
* When using a website’s checkout, look for the safety symbols such as the padlock icon in the browser’s status bar and “s” after “http” in the URL, or the words “Secure Sockets Layer (SSL).” These are signs that the merchant is using a secure page for transmitting personal information.
* Activate Verified by Visa to add an extra layer of password protection during online checkout.
* Remember that Visa never calls or writes cardholders for personal account information.
* Do not provide sensitive information unless you initiated the communication. Report requests for personal information to your card issuer by calling the number on the back of your card
* Be wary of “free trial” offers. Take time to read and understand all terms and conditions. Pay particular attention to any pre-checked boxes before you submit your payment card information for an order. Failing to un-check the boxes may bind you to terms and conditions you’re not interested in.
* Finally, monitor card statements or account activity regularly and report any suspicious or unauthorized charges to the financial institution that issued the card. When fraud does occur, Visa cardholders are protected from unauthorized purchases with a “zero liability” policy.

In addition to educational resources for consumers, Visa makes its transaction alerts and notification service available through participating financial institutions. Alerts are sent on behalf of issuers to cardholders directly from Visa’s global processing network, typically within seconds of a transaction occurring. Alerts are triggered when the transaction meets certain criteria the account holder has selected and are delivered directly to the account holder via email or SMS text message. Visa’s transaction alerts let consumers monitor their accounts for unusual activity and take immediate action if they believe a potentially fraudulent transaction is taking place.

“Criminals can be quite resourceful in their attempts to steal cardholder information, but equipped with the right information and tools, consumers can be very effective in preventing fraud,” Fischer concluded.”

For more information, visit www.visasecuritysense.com.

(1)Visa’s Zero Liability policy covers U.S.-issued cards only and does not apply to ATM transactions, PIN transactions not processed by Visa, or certain commercial card transactions. Cardholder must notify issuer promptly of any unauthorized use. Consult issuer for additional details or click here
(2)Javelin Strategy & Research, Gen Y Security Backlash, “Figure 2: Primary Responsibility for Security – by Generation,” April 2009.