Prevent theft with Visa tips on merchant security at the point of sale

Increasingly, criminals with sophisticated tools are actively targeting vulnerable merchant point-of-sale (POS) terminals to steal payment card data and PINs for counterfeit fraud purposes. Criminal gangs worldwide are illegally accessing active POS terminals and modifying them by inserting an undetectable electronic “bug” that captures cardholder data and PINs during normal transaction processing.

Visa has released an excellent bulletin all brick and mortar merchants should read.

Point-of-Sale Terminal Tampering Is a Crime . . . and You Can Stop It (pdf download)


Can I block prepaid American Express Cards?

A merchant asked if we can block prepaid American Express cards for card-not-present transactions. The logic is that customers are using regular credit cards for single purchase transactions, but using a prepaid card for recurring billing transactions. This is a huge problem for membership clubs, infomercial companies, and any time a customer makes multiple payments for an item or service whose benefits they receive up front.

For service companies, it’s often months before they realize they can no longer charge the customer’s card. For infomercials, the product goes out, but the merchant only has one payment. Both are getting ripped off by customers who don’t complete payments per their agreement because the prepaid card has no money left on it.

We’re not aware of any service provider who can support prepaid Amex card blocking AT THIS WRITING, because American Express will not release the BIN number details needed to do this effectively. There are ways to minimize prepaid card issues, though. Using a scrubbing service or a hosted payment processing platform, merchants have choices for accepting and blocking specific payment types. Unlike post-sale solutions, we kill the sale immediately, forcing the customer to choose another card. Merchants can block the majority of other prepaid cards with this service.

For those seeking to buy a list of prepaid card BIN numbers, no, we do not offer that and never will.

IP blocking to mitigate merchant risk

IP Blocking Overview

IP Blocking allows you to block individual IP addresses or a range of addresses. If you have this feature, you’ll generally see it in your admin under Risk or Fraud Prevention Tools. Otherwise you may need to purchase a 3rd party antifraud package. Choices will vary depending on the software and platform you are using. Generally your merchant gateway will have adequate tools available to you.

Look at the IP address for your suspect orders, and then do a DNS lookup. Merchants can then use the information to decide whether to add the IP address to the IP Block list. While blocking an IP range can save time when you wish to block a network associated with a high-risk country or organization, there is also a greater potential for blocking legitimate buyers if you make a mistake.

  • IP Blocking should be used as a tool to help minimize carding—the scripting of orders through a merchant store typically to validate credit card information.
  • IP addresses can be spoofed: fraudsters go through an anonymous proxy or falsify their IP address, so blocking an IP may not block that particular fraudster.
  • IP addresses can be assigned dynamically, so blocking a fraudulent order from one person may in turn block other, possibly legitimate, orders in the future from buyers assigned that particular IP address.

Merchants must use their judgment and business experience in using IP Blocking to balance the risks of fraudulent orders (cost of goods, cost of chargebacks, other fees) against the risk of potentially lost legitimate orders.

In addition to the problem caused by dynamic IP addresses, merchants should also exercise caution in blocking IP addresses for the following reasons:

  • Certain networks, such as company networks, may group outbound requests into only a few IP addresses. If you block an IP address based on an order from one possible fraudster on such a network, you may block legitimate buyers on the same network.
  • Orders may originate from shared computers such as those found in libraries or Internet cafes. If you block an IP address based on a potentially fraudulent order placed by a fraudster, you would then be blocking any potential future orders from legitimate buyers using computers with the same IP address.
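One way to weigh a candidate block entry before adding it, as an added example that is not from the original post or from any gateway's product: replay past orders against the entry and count how many suspect and how many good orders it would have stopped. The order history, the outcome labels and the function names (`parse_entry`, `is_blocked`, `impact`) are assumptions made for illustration.

```python
import ipaddress

# Constructed order history: (order_id, source_ip, outcome). The addresses come
# from the RFC 5737 documentation ranges; they are not real buyers.
ORDERS = [
    ("1001", "203.0.113.7", "chargeback"),
    ("1002", "203.0.113.7", "chargeback"),
    ("1003", "203.0.113.45", "ok"),
    ("1004", "203.0.113.200", "ok"),
    ("1005", "198.51.100.9", "chargeback"),
    ("1006", "198.51.100.9", "declined"),
    ("1007", "192.0.2.14", "ok"),
]
BAD_OUTCOMES = {"chargeback", "declined"}  # assumed labels for suspect orders


def parse_entry(entry):
    """Accept one address ('203.0.113.7') or a CIDR range ('203.0.113.0/24')."""
    return ipaddress.ip_network(entry, strict=False)


def is_blocked(ip, block_list):
    """True if the buyer's IP falls inside any entry on the block list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in block_list)


def impact(entry, orders=ORDERS):
    """Replay past orders against a candidate entry before adding it."""
    net = parse_entry(entry)
    hits = [o for _, ip, o in orders if ipaddress.ip_address(ip) in net]
    bad = sum(1 for o in hits if o in BAD_OUTCOMES)
    return {
        "entry": str(net),
        "addresses_covered": net.num_addresses,
        "suspect_orders_blocked": bad,
        "good_orders_blocked": len(hits) - bad,
    }


if __name__ == "__main__":
    for candidate in ("203.0.113.7", "203.0.113.0/24", "198.51.100.9"):
        print(impact(candidate))
```

On this sample, blocking the single address stops both chargebacks and no good orders, while widening to the /24 stops the same two chargebacks at the cost of two legitimate orders.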

Here is a free site that quickly generates lists of IP addresses to block by country.

Note: I make no warranty as to the reliability of the link above.