Security in connection with card payments. Non-face-to-face transactions (e-commerce/mail and telephone order)

Transcription

1 Security in connection with card payments Non-face-to-face transactions (e-commerce/mail and telephone order)

2 Most people are honest luckily Every year, millions of transactions are carried out with payment cards and fortunately most of them go well. But in situations where the merchant and the customer do not meet, it can be tempting for a fraudster to use stolen card details to pay with. You cannot always be sure that the card belongs to the person using it, and it is not possible for Teller to verify the customer. Therefore, it is extremely important that you and your employees are alert when you receive card payments because you can do a lot to reduce the risk of fraud. You can avoid many situations of fraud by following the recommendations in this document. Make sure that your employees have been clearly informed of what can be done to reduce the risk of fraud, and what must be done if you suspect any attempts at fraud. How fraud happens Criminals may have stolen the card details (card number, expiry date and CVC/CVV) from a cardholder; the criminal may have seen the card or tricked the cardholder to disclose the information e.g. by or fraudulent websites using phishing. The criminals then use the card details to shop online. When cards are stolen, the card details can be used in ecommerce and for mail and telephone orders before the card is blocked. Which cards can you accept? You can accept the following cards in e-commerce and for mail and telephone orders: Dankort, including Visa/Dankort (merchants located in Denmark and transactions in DKK only) MasterCard Visa Visa Electron (if the issuer permits it) JCB American Express (merchants located in Denmark and transactions in DKK only) The following cards can also be used in e-commerce: edankort (merchants located in Denmark and transactions in DKK only) Maestro (in combination with MasterCard SecureCode). See the business procedures for more information. Your responsibility for non-face-to-face transactions You must use payment software which has been tested and approved by Teller. Your web site must as a minimum meet the requirements indicated in the general rules and business procedures with regard to information etc. The cardholder has the option to dispute the transaction if, for example, the product has not been delivered. Therefore, you must ensure you have documentation stating that the customer has received the product. If you are unable to provide such documentation, Teller may charge back the amount from your account. It is your responsibility to implement the security measures described in this document. The more monitoring parameters/security checks you use, the better your chances of avoiding fraud. What you should be aware of Check the customer s information Request a telephone number which you can compare with the delivery address. If a different delivery address is used, check that the tele phone number provided matches the payment address and not the delivery address. A c/o delivery address makes any follow-up more difficult. You should therefore always request additional information. Where there is insufficient information for an order, you should always contact the customer to obtain more details. Beware of orders from senders with a free address, as you cannot trace the sender. In this case ask for the customer s private address. Avoid all forms of customer anonymity. The more anonymity, the greater the risk of fraud! Use your common sense if it sounds all too good to be true, it often is. Reject the sale if you are in doubt. Pay attention to the customer s behaviour Is it a very large order? It is a very expensive item? Is the same product being ordered several times? Are the products being ordered at night? Has express delivery been ordered regardless of the cost? Is the same customer ordering many items within a relatively short time frame? Is the customer requesting that the payment be divided between several card numbers? (this is not allowed and often means that it is a case of fraud) Are the letters Æ, Ø and Å omitted from names/ delivery addresses in Denmark? 2

3 Check the IP address being used (if you cannot fi nd the IP address, contact your payment solution provider) You can check the geographical location of IP addresses on the internet (e.g. at When checking IP addresses you should consider the following: Does the geographical location of the IP address match that of the delivery address? Do the IP addresses used match? (For example, an increasing number of orders from diff erent customers with almost identical IP addresses) We recommend that you block IP addresses connected to fraud (contact your payment solution provider for more details on blocking IP addresses) Sales in Denmark What can you do yourself to minimise the risk of payment card fraud in Denmark? The delivery of products to countries abroad is not the only risk scenario you need to consider. It is also important that you check deliveries to Denmark that are suspected of being related to card fraud. In connection with fraud at a national level, it is not uncommon for individuals to be employed to receive and forward packages. In most of these cases the individuals do this in good faith and have no idea that they have been employed by a bogus firm with card fraud in mind. This is why the customers in such situations will also confirm that they want the product to be delivered. We therefore recommend that you contact the customer and ask them the following questions when you suspect card fraud in Denmark: Did the customer place the order themselves? Was the order in question made with the customer s own card? Does the customer have to forward the package? Has the customer been employed to receive/forward packages? Sales abroad Payment card fraud in e-commerce is a global issue. You should be particularly careful when sending goods to high-risk countries. There is no fixed definition of the term high-risk countries as fraud patterns change all the time. Therefore, you should check whether the orders seem realistic. For example, mobile phones sent from Denmark to Ghana or bicycles sent to Singapore do not really seem realistic! Rejected authorisations Where technically possible, you should have information on all authorisation requests, including those that have been rejected. The information contributes to your overall perception of the customers behaviour. An approved payment preceded by several declined authorisation requests is usually a sign of attempted fraud. Your payment solution can be set up to limit how many transactions/declined authorisation requests are permitted on an individual card number within a certain period. PCI DSS (Payment Card Industry Data Security Standard) You must ensure that your payment solution provider complies with the PCI Data Security Standard which was developed by the international card companies (Visa, MasterCard, American Express, JCB and Discover). Teller is naturally also part of this, which means that Dankort is also covered. The PCI-DSS focuses on complying with the six points below. Find out more at Have a secure network Protect card data Address vulnerabilities using fi xed procedures Implement strong access control Regularly monitor and test your network Maintain a security policy You must be able to produce evidence that you are fulfilling the requirements of the PCI DSS. MasterCard SecureCode, Verifi ed by Visa and J/Secure (3-D Secure) If you decide to apply the security standard developed by MasterCard, Visa and JCB when receiving payment cards in e-commerce (incl. Maestro), you must ensure that the payment solution you are using supports the standard. The advantage of using 3-D Secure is that in addition to providing the card number, expiry date and CVC/CVV, the cardholder must identify him/herself by using a password which he/she chooses. The card issuer automatically checks that the password and card match. When you comply with this security standard you will significantly reduce your fi nancial risks. It is important to note, however, that this does not exempt you from further checks of the customer and the order. 3

4 Remember that although you are using 3-D Secure you must be able to provide documentation for the transaction stating that the customer has received the product. Contact your payment service provider if your payment solution does not support 3-D Secure. CVC/CVV When you accept a payment card in e-commerce or for mail or telephone orders, the CVC/CVV must be included in the transaction. This means that when making a card payment in e-commerce, the cardholder must provide the payment card s CVC/CVV in addition to the card number and expiry date. The CVC/CVV is three digits, usually the last three in a sequence printed on the back of the payment card (however, four digits on the front of American Express cards). Remember it is not permitted to store or otherwise save the CVC/CVV number once the payment transaction has been completed. It is your responsibility to ensure that this does not happen. With mail and telephone orders you must, for instance, ensure that the CVC/CVV is destroyed or deleted once the payment transaction is complete. Merchant risk related to non-face-to-face transactions When conducting non-face-to-face transactions, you bear the risk of card fraud. In other words, if the actual cardholder solemnly declares that he/she did not carry out the transaction, the whole amount including a dispute fee (find out more in general rules and price list) will be charged back from your merchant account. Therefore you must always take the security measures described here in order to reduce your risk of loss. It is not enough to get an authorisation on the card. However, the use of 3-D Secure significantly reduces your risk of disputes due card fraud in e-commerce. You bear the risk if the product is damaged, stolen, etc. before it is delivered to the customer, regardless of whether you or a diff erent company is in charge of the freight. The product must not be left in a garage, delivered to the neighbours, etc., unless this has been agreed with the customer. The general rule is that the customer has 14 days right of return, and he/she can refuse to receive or pick up the ordered product. You must then refund the customer immediately and no later than 30 days after receipt of the returned product. Just like in face-to-face transactions, there is a limited payment guarantee for Dankort and Visa/Dankort transactions. For more information, see General Rules for Dankort, clause 5. The payment guarantee does not apply in the case of third party fraud. Additionally, a payment guarantee has been defined for edankort, see below. Authorisation of international payment cards For cards covered by the merchant agreement for international cards, an approval response to an authorisation request means that the card is valid and that it will be reserved for the amount stated in the authorisation request. In order to avoid problems for the cardholder, if for instance you cannot deliver the product, it is very important that you ensure you do not authorise and reserve the same amount several times. An authorisation code does not mean the correct cardholder is using the card. Therefore you must always take the security measures we have described in this document. If you are unable to deliver the products ordered by the card holder within seven days of the order, or if you doubt you will be able to deliver, you must not send an authorisation request to Teller for the whole order amount. You can choose to send an authorisation request of e.g. DKK 1.00 to make sure that the card has not been blocked. You can then authorise when you are ready to deliver the product. You can also divide the delivery into several part deliveries. This means you must simply send an authorisation request for the relevant amount with each part delivery. If you have already requested an authorisation and received an approval response but are unable to deliver anyway, or the customer cancels his/her order, you must cancel the authorisation immediately. This also applies if you are using MasterCard SecureCode, Verifi ed by Visa and J/Secure. You must then keep the authentication response until you are ready to carry out authorisation. The requirements set by Teller for payment service providers/payment gateways fulfill the functions described above. However, it is your responsibility that your provider handles your transactions correctly. 4

5 Status check for Dankort When you receive payments with Dankort, you must ensure that the system performs a status check of the card, including card number, expiry date and CVC/CVV number. Naturally, if you receive a decline response, you must not complete the transaction. An approval response means that the card has not been blocked, however, you must still take the security measures we have described in this document. Remember that CVC/CVV must never be stored and that you must delete CVC/CVV numbers received with a cardholder s order once the card payment has been controlled. With late deliveries, part deliveries and subscriptions, CVC/ CVV will only be sent with the first status check. For more information, see the Dankort Business Procedures. Status check for edankort When the customer is using edankort, the customer and payment transaction will be approved in the cardholder s online banking system. This means you will not risk any disputes about third party fraud and that you have a payment guarantee of DKK 4,000 for an edankort transaction. With edankort you have 31 calendar days to deliver the product and forward a payment transaction to Teller. Remember that you must be able to provide documentation of the order, stating that the customer has received the product. 5

6 TEL Bohemian.dk Teller A/S Lautrupbjerg 10 P.O 500, DK-2750 Ballerup Customer Service Telefax CVR-nr