• No results found

Guide to Safeguarding Card Transactions

Your secure, easy-to-use, always available, online resource for account information.

Introduction

It is important that your business minimises fraud risk, therefore; training and on-going education efforts are vital to ensure that your employees understand and continue to follow appropriate card acceptance and data security procedures for all transactions.

1. It is important to thoroughly check the card details presented to you to help guard against card fraud.

2. It is important that you only accept and process cards that have been authorised by the cardholder’s issuing bank.

If you fail to comply with any verbal or written instructions from your bank, your submission may be rejected and individual transactions may be charged back to your business. If your business is unfortunate and is targeted by fraudulent activity, your account may suffer a financial loss. Ultimately your agreement may be terminated if it is deemed that you did not comply with correct practice.

Remember, authorisation does not guarantee payment – it does not prove that the legitimate cardholder is presenting the card details. BE SAFE, BE VIGILANT!

Card Acceptance

There are two main categories of card acceptance:

• Card Present Transactions: Where the cardholder presents their card at the point of sale for payment.

You are required to take all reasonable steps in order to ensure that the card, the cardholder, and the transaction are legitimate. A Chip and PIN verified sale is the safest method of accepting payment in a card present environment. If the card is not Chip and PIN enabled then it is acceptable to swipe the card through the terminal and obtain a signature, making sure the signature on the back of the card matches that on the receipt. There is an option to fall back to signature on a Chip Card (if there is an issue with the chip), however; by bypassing Chip and PIN, you may open yourself up to chargeback liability, so this should be implemented sparingly and only in situations when you know the customer.

If a card is swiped, please ensure that the card number on the printed receipt matches the number on the card, which may be embossed.

• Card Not Present Transactions: Where the card or cardholder is not present when the transaction is being completed.

Card Not Present transactions represent the highest risk in payment processing; validation can be tricky and in all cases of chargebacks your business is 100% liable. The onus therefore is always on you/your staff to ensure that the transaction is genuine and the customers are who they claim to be.

There are two main types of card not present processing:

• Mail Order/Telephone Orders (MO/TO)

This is the riskiest area of card not present processing as there is virtually no way of 100% validating that the customers are who they claim to be.

The best way to explain the pitfalls of MO/TO is as follows: if a newly issued card has been intercepted in the post by a fraudster, they will have full Card Number & CVV2 number as well as the registered name and address. This information is sufficient to get past most security checks available. The sale appears genuine, but is fraudulent, and the genuine cardholder is entitled to their money back with your business footing the bill.

While we would still advocate completing AVS (UK only) and CVV2 checks as well as ensuring the items are being delivered to the cardholders registered address, the risk is significant and orders should be properly assessed before proceeding.

MO/TO transactions should be taken in the knowledge that the sale cannot be validated easily and that ultimately the liability lies with your business.

MO/TO Processing Tips

1. Be vigilant with orders, is there something strange about what the customer is asking for? Fraudsters are looking to maximise profit from a stolen card so are less likely to care about price or availability.

2. Question the contents of an order, does the quantity of items appear excessive for one person?

3. With international orders, question whether the product they are ordering may be available cheaper to the customer in the country they live. Customers always

• Ecommerce (Trading via the internet)

There is one major advantage to this method of card processing – fraud prevention tools that significantly reduce the risk in processing, namely Verified By Visa for Visa transactions and Secure Code for MasterCard

transactions, both of which can be purchased via your Internet Payment Service Provider (IPSP).

VBV/Secure Code require the customer to input their unique password (or random digits from the password in the case of Visa cards) in order to complete a sale. You/your staff receive information confirming the transaction is valid and proceed with the sale.

Once set up and used correctly VBV/Secure Code will provide liability cover against the vast majority of transactions attempted (though it should be noted that not all card types are covered).

IPSPs may also provide other tools (IP Address Checker/Fraud Scoring tools etc.) which will supplement VBV/Secure Code and reduce the potential fraud close to zero.

It is against scheme rules to take card details via e-mail or a shopping cart and process them through a physical terminal. This type of make-shift ecommerce processing is not PCI Compliant and can result in significant fines for your business if it is discovered doing so.

3. Ensure that the country of origin of the card is checked against the country of the billing/shipping address.

4. Ensure your website and servers are PCI Compliant at all times to avoid fines from the schemes, and if possible outsource the handling of card data to a fully PCI compliant IPSP. This gives you

Refunds

If you wish to make a refund:

• The card transaction refund must be completed using the same card as was used for the original sale.

• The refund should be equal to or less than the original sale.

• You must never make a refund to a card if the original sale was made by cash or cheque.

• You must never make a refund to a card where there has been no sale transaction.

You must never make a refund to your own, or a family member’s personal cards through your business facility. Failure to observe this could lead to your funds being withheld pending further investigation. You should sign the Terminal Sales Receipt and make a note of the exchange and/or return of any items.

Elavon actively monitors refunds which have no corresponding debit sale(s) and when necessary we reject refunds that contravene scheme rules. It could be a staff member refunding their own card without the business owner’s knowledge, or it might be a fraudster transferring funds from stolen cards. In light of these risks, Elavon operates a zero tolerance policy on refunds-no-sales, and repeat offences may result in the removal of the refund facility or termination of the account.

Further Notes on Safer Processing Force/Offline Sales

• From time to time you may receive a referral message on your terminal when attempting to process a transaction. While it may just be the issuing bank performing a random spot check on a customer’s card, it may also be a suggestion that the card does not have enough funds available to complete the sale. If you

take it upon yourself to use an invalid authorisation code, i.e. a code you made up and did not receive from the issuing bank, you are opening yourself up to chargebacks. The issuing bank is no longer required to

honour a sale (regardless if it is Chip and Pin verified) in this instance.

• It is essential that in these cases you call our authorisation line 0845 850 0197 (UK) or 1850 30 31 30 (IRL) where you can obtain a valid auth code from the issuing bank and therefore cover yourself from chargeback liability.

If you are unsure how to process a FORCE sale please contact our Customer Service Department who can organise training to guide you through the process.

Processing Outside Setup

• All new businesses are boarded under the understanding that the information supplied in the application form is an accurate representation of your business set up. Any variations between your application figures and actual processing will require a review to be completed by our Credit team. This may result in a change to your terms or in cases of increased risk it may result in termination of the account. It is also against terms and conditions to use your terminal to process transactions in a manner other than that approved by Elavon. For example, you cannot take payment for the sale of your family car through your terminal.

• Particularly, any change of your business purpose requires you to inform Elavon immediately.

• It is against terms and conditions to use your terminal as a personal banking facility; you cannot fund your business using your personal card through the terminal or pay yourself, or your staff, wages using the refund facility.

In any of the cases mentioned above Elavon reserves the right to reject any attempted transactions that are outside your set up parameters.

Third Party Processing

• If you are approached by another business to process transactions on their behalf, you are in breach of your Terms of Service with Elavon. If transactions are disputed; you, as Elavon’s customer will be held liable for these disputed amounts regardless of the agreement held with the other business, and your business could therefore suffer financial loss.

• If such an event occurs, there is normally a reason why they cannot avail of a terminal themselves, therefore in order to protect your business from potential financial loss and reputational damage decline the request – no matter how attractive.

• Processing transactions on behalf of others may carry large fines.

Related documents