Visa Acquirer Risk Management Guide


Visa Acquirer Risk Management Guide
Tools and Best Practices for Acquirer Loss Prevention
February 2003

CONFIDENTIAL Visa Acquirer Risk Management Guide

Table of Contents

About This Guide

Chapter 1 Acquirer Strategy and Organization
- Building a Strategic Framework
- Visa Center Organizational Structure
- Organizational Roles and Responsibilities
- Staff Training
- Third-Party Relationships

Chapter 2 Merchant Underwriting
- Portfolio Development
- Making the Most of Your Merchant Application
- Merchant Site Inspections
- Merchant Approval Policies and Processes

Chapter 3 Merchant Contracting and Setup
- Developing Merchant Agreements
- Mandatory Agreement Provisions
- Optional Agreement Provisions
- Agreement Requirements for Chip Migration
- New Merchant Start-Up and Preparation

Chapter 4 Merchant Card Acceptance and Fraud Prevention
- Basic Visa Principles for All Merchants
- Card-Present Transaction Procedures
- Chip Acceptance Procedural Differences
- Using Visa Electron Cards in the Card-Present Environment
- Card-Not-Present Transaction Procedures
- Merchant Education
- Supporting Merchant Code 10 Efforts

Chapter 5 Merchant Fraud and How to Recognize It
- Merchant Fraud Defined
- Bust-Out Merchants
- Laundering
- Telemarketing Fraud
- Credit and Cash Advance Schemes
- Skimming
- Account Testing
- Understanding Key-Entered Fraud
- Managing Inactive Merchant Accounts

Chapter 6 Merchant Activity Monitoring and Follow-Up
- New Merchant Monitoring
- Ongoing Merchant Monitoring
- Periodic Merchant Reviews
- Identifying and Following Up on Suspicious Activity

Chapter 7 Account Information Security
- What is the Visa Account Information Security Program?
- Acquirer Account Information Security Responsibilities
- Implementing Information Security Standards
- Acquirer Resources

Chapter 8 Personal Identification Number (PIN) Security
- About Visa PIN Security Compliance
- PIN Security (From the Attacker's Point of View)
- PIN Security Program Overview

Chapter 9 Merchant Fraud Investigation
- Elements of a Careful Investigation
- Visa Fraud Investigations Performance Standards
- Examining the Merchant Profile
- Analyzing Transaction Data and Exception Items
- Data Security
- When a Scam is Confirmed
- When a Merchant Agreement is Terminated
- Merchant Communication During and After an Investigation

Chapter 10 Visa Risk Control Programs
- Risk Identification Service (RIS)
- Acquirer Monitoring Program (AMP)
- Global Merchant Chargeback Monitoring Program
- Visa Fraud Reporting System (FRS)

Chapter 11 Management Information
- Tracking Performance
- Fundamental Risk Reports

Chapter 12 E-Commerce Merchant Fraud Management
- Understanding E-Commerce Risk Exposures
- E-Commerce Transactions Defined
- Merchant Marketing and Sales
- Merchant Underwriting
- New Merchant Setup
- Regional E-Commerce Registration Programs
- Merchant Portfolio Risk Management
- Merchant Operations
- Merchant Monitoring
- Terminated Internet Merchant File (Asia-Pacific Region Only)
- Merchant Procedures
- A Closer Look at Verified by Visa (3-D Secure)

Acquirer Best Practices Checklist

Glossary

Appendix A
- Sample Merchant Application
- Sample Site Inspection Form

Appendix B
- Sample Merchant Training Program

Appendix C
- Sample Merchant Letters

Appendix D
- Visa Acquirer Risk Management Guide Evaluation


About This Guide

Introduction

Globally, credit and debit card fraud are billion-dollar problems affecting banks, merchants, and individual consumers, all of whom feel the fraudster's pinch in increased operating expenses and higher prices for goods and services. Chargebacks alone cost Acquirers and merchants hundreds of millions of dollars each year. A single undetected scam can result in losses of hundreds of thousands, or even millions, of dollars.

Equally important, the continually changing nature of the bankcard fraud environment means today's Acquirers are faced with a landscape of growing risks, where the need for acute awareness and vigilance is constant.

Current evidence also suggests that fraudsters' scams have grown more sophisticated and harder to detect. Fraud schemes that used to involve individuals or local gangs are now being run by national or international crime organizations that specialize in what is called merchant or, more commonly, entrepreneurial fraud. These fraud rings have the resources to set up seemingly legitimate retail storefronts or purchase established businesses and then obtain merchant accounts for the sole purpose of skimming account numbers from valid cards or running laundered or other fraudulent transactions. They have also shown themselves capable of stealing account data at almost any point in the authorization or settlement process, from a merchant's point-of-sale (POS) terminal to an Issuer's or Acquirer's host system or third-party processor.

The message for Acquirers is clear and unmistakable. The unpredictability of fraud leaves each organization vulnerable, and consequently, loss reduction awareness must be incorporated into every aspect of merchant relationships and daily business operations. Fraud prevention must be a central concern in portfolio development policies, profitability analysis, underwriting standards and procedures, Merchant Agreements, and ongoing merchant education and monitoring programs.

Similarly, an organizational commitment to consistent and rigorous implementation of loss reduction policies must be instituted, and communicated to all personnel, from management on down.

Guide Purpose

The Visa Acquirer Risk Management Guide is intended to provide acquiring Members with up-to-date information and resources for improving portfolio profitability by reducing and preventing fraud losses. The guide combines plain-language versions of Acquirer and merchant standards from the Visa International Operating Regulations with vital information on current fraud scams and how to recognize them. Best practices from Acquirers with successful fraud prevention policies and systems are also included, along with descriptions of Visa's loss reduction programs and other resources currently available.

The information contained in the Visa Acquirer Risk Management Guide should be useful to all employees, new and experienced, involved in an Acquirer's merchant operations, such as underwriters, portfolio managers, fraud and credit risk investigators, credit analysts, and internal auditors. The guide can also be used as a tool to support merchant communication and education efforts.

What's Inside

The Visa Acquirer Risk Management Guide has been divided into twelve chapters, each with a different main focus. You can work through this guide in its entirety, or move directly to any of the topics listed here.

Chapter 1: Acquirer Strategy and Organization provides an overview of the primary components of an Acquirer's strategic business plan. It also covers the different organizational functions and positions at a Visa Merchant Operations Center, with an emphasis on staff training.

Chapter 2: Merchant Underwriting contains detailed guidelines for evaluating and approving new merchant accounts and establishing clear, realistic portfolio development policies to minimize risk and losses.

Chapter 3: Merchant Contracting and Setup reviews mandatory and optional merchant agreement provisions. It also describes key considerations for setting up new merchants to accept Visa cards and properly process transactions.

Chapter 4: Merchant Card Acceptance and Fraud Prevention contains Visa's recommended card acceptance procedures for merchants. Requirements for checking card security features and the cardholder's signature are outlined, as well as what to do if a fraudulent card or transaction is suspected. Information on merchant education materials is also included, plus a description of Code 10 call and card recovery actions.

Chapter 5: Merchant Fraud and How to Recognize It provides an overview of current merchant fraud scenarios and how to recognize them. The information here on new scams and emerging fraud trends, such as skimming and bust-out merchants, may be of particular interest to Acquirer risk analysts and investigators.

Chapter 6: Merchant Activity Monitoring and Follow-Up focuses on regular, ongoing monitoring of merchant deposit and authorization activity. The chapter includes a list of key reports and routine monitoring actions that can help an Acquirer spot any unusual or sudden change in normal deposit activity.

Chapter 7: Account Information Security offers background information about the Visa International Account Information Security program and outlines guidelines for implementing organizational policies and procedures to maximize information security and minimize risk.

Chapter 8: Personal Identification Number (PIN) Security discusses the need for vigilant PIN security efforts in the payment industry and provides a brief overview of the Visa PIN Security Program.

Chapter 9: Merchant Fraud Investigation contains helpful standards and practices for initiating and conducting a successful merchant fraud investigation.

Chapter 10: Visa Risk Control Programs looks at the risk control standards and programs developed by Visa to help Acquirers reduce fraud losses.

Chapter 11: Management Information reviews the types of reports needed to help evaluate overall business performance and identify early warnings of possible risk exposure.

Chapter 12: E-Commerce Merchant Fraud Management offers industry-specific practices for Acquirers on how to establish and manage e-commerce programs.

At the end of this guide, you will find:
- An Acquirer Best Practices Checklist that summarizes the key actions and decisions covered in Chapters 1 through 12.
- A Glossary that defines key terms most commonly used in the payment card industry.
- Appendices that include the supplemental tools, forms, and materials that are referenced throughout this guide.

Guide Usage and Customization

The Visa Acquirer Risk Management Guide has been designed to be user-friendly and adaptable. The individual sections can be reproduced or modified for use as training materials or desk references. To help you in this effort, all of the information contained in this guide is available online or electronically on CD-ROM. Contact your Regional Risk Representative or Visa Account Executive for online access or for a CD.


Chapter 1 Acquirer Strategy and Organization

WHAT'S COVERED
- Building a Strategic Framework
- Visa Center Organizational Structure
- Organizational Roles and Responsibilities
- Staff Training
- Third-Party Relationships

Many risk management issues associated with the acquiring side of the payment card industry are, for the most part, preventable when a strategic business approach is in place. A sound, comprehensive plan sets forth specific goals and objectives by which profitability, growth, operational efficiencies, service levels, and most importantly, risk reduction can be measured. But even the best-laid plans can fall short without the proper resources. To be effective, an acquiring institution's business strategies must have a strong organizational structure to support them.

This chapter reviews the major components of an Acquirer's strategic business plan with an emphasis on key risk management considerations. It also includes suggestions for building and maintaining a risk-responsible Visa Center.

Building a Strategic Framework

Developing a Strategic Business Plan

The effects of fraudulent activity must be accounted for in the Acquirer's strategic business plan and functional costs.

All acquiring institutions should have a documented, approved strategic plan, one that focuses on the future direction of the organization and establishes specific business goals and objectives to be met over a defined period of time. Acquirers will gain the greatest benefit from developing a plan that addresses the following areas:
- Effect of competition on strategy
- Impact on other banking relationships
- Management information
- Market segments
- Excluded or unacceptable merchant types
- Monitoring performance against strategy
- Pricing
- Products
- Profitability
- Relationship with branch network (if applicable)
- Risk management parameters and guidelines
- Service levels
- Technology at point of sale
- Third-party relationships
- Volume of growth
- Merchant portfolio credit risk

Key Acquiring Success Factors

The secret to acquiring high quality and profitable merchant business is to ensure that all key factors concerning the prospective merchant are fully understood and analyzed. These factors, which determine whether the merchant will deliver profits and benefits to the Acquirer, include the following:

- Merchant service charge. Merchants pay for their ability to accept bankcards through a fee. The charge rate varies depending on transaction volume, average transaction amount, type of merchant, processing methods and costs, the interchange fee for which the merchant qualifies, and Acquirer profitability.

- Interchange rate. The interchange fee, which passes from Acquirer to Issuer on purchase transactions, provides a balance designed to both promote card issuance and usage, as well as maximize merchant acceptance opportunities. Interchange rates are set based on the merchant category, authorization and processing methods used, whether or not additional information is provided in the transaction record, and the type of card used at the point of sale.

- Credit and fraud risk. Fraudulent merchant activity prevention is a critical function because Acquirers are responsible for all the transactions accepted by their merchants. Merchant fraud includes knowingly accepting counterfeit or stolen cards, laundering sales transaction receipts, and fraudulent use of valid cards or cardholder data. Merchant business profiles can range significantly from high-volume, Card-Present transactions that carry low risk to merchants who supply specialized products having high-ticket values, but a low volume of sales.

- Operational cost to service the merchant. Merchant servicing costs vary from Acquirer to Acquirer based on the organization's business strategy, overall relationship with the merchant base, and service quality objectives. For example, the business strategy of targeting specific merchant types or segments (i.e., small, local merchants, or a specialized new merchant segment) can drive operating costs up. Higher merchant service fee income, however, generally offsets the higher costs. In looking at another example, quality service through extended customer support hours, quick phone and letter inquiry responses, and branch support may elevate costs. On the other hand, cost savings produced through cutbacks in service can result in higher merchant attrition. This ultimately has adverse effects on not only costs, but on profitability as well.

Visa Center Organizational Structure

Setting Up a Risk-Responsible Merchant Operation

Successful merchant operations management requires the right people in the right positions throughout the organization. Defining the key organizational roles and responsibilities is an essential part of the process. All too often, the people responsible for security and risk management are not correctly positioned in the organization. Many organizations don't even have a dedicated risk management group.

While it is not the intention of this guide to show how a Visa Merchant Operations Center should be structured, the following diagram is offered as an example of a risk-responsible organization.

[Figure: example organization chart of a risk-responsible Visa Merchant Operations Center. Box labels: Visa Center Manager; Account Setup; Authorizations; Settlement; System Ops; Merchant Approval; Fraud Management; Collections & Investigations.]

In the ideal Merchant Operation Center structure, the group that is responsible for approving and monitoring merchants (Risk Management) is a peer of the group that signs up new merchants (Sales and Marketing) and the groups responsible for day-to-day operations (Operations and Information Systems). This helps keep the monitoring process objective and makes it easier for departments to take decisive action when a merchant fails to comply with Visa standards.

In setting up a risk-responsible merchant operation structure, an acquiring institution should consider these practices:
- Make sure ongoing management of the Acquirer program is clearly assigned to individuals or organizational units.
- Separate sales operations and risk management functions to ensure built-in checks and balances.
- Place sales, operations, and risk management at the same level, making them peers, to provide an independent risk assessment environment.
- Ensure that the risk management group is responsible for reviewing new merchants and monitoring all merchants in the Member's portfolio for signs of financial difficulty and possible fraud.
- Set up a Risk Management Committee (RMC) to discuss and agree upon specific risk issues and sign off on the overall business strategy. The RMC is typically chaired by Risk Management and includes representatives from Fraud Management.

Organizational Roles and Responsibilities

There are a number of different positions found in the Visa Merchant Operations Center. Some of the more common ones are listed and described on the following pages. As you review the charts, please note that the titles may differ among Acquirers, but the functions and responsibilities are fairly standard. The charts have been included to help you evaluate how your organization is staffed to meet Visa Center operational requirements.

Title: Visa Center Manager
Function: Ensures an efficient, effective, and profitable Visa card operation.
Duties: Supervise and monitor the work of the managers in all operating areas. Conduct meetings, set policies within assigned limits, delegate responsibilities, and recommend changes in operating procedures. Answer correspondence and inquiries from important customers. Attend card and other industry meetings to keep current on developments, legislation affecting the card industry. Submit reports to bank management and Visa regarding the activities and statistics of the Visa card operation. Hire and review performance of managers. Make recommendations for promotion, termination, and salary increases. Develop, review, and ensure adherence to center budget.

Title: Credit Manager
Function: Coordinates all activities related to credit granting through the issuance of Visa merchant accounts.
Duties: Ensure that the Credit Department is properly staffed with personnel capable of assuming the authority, responsibility, and duties required to make credit decisions. Includes advising and training supervisors, ensuring compliance with all legislation affecting credit granting, coordinating work flow and schedules, recommending placement of new employees, general personnel administration, and making recommendations for salary adjustments, transfers, promotions and terminations. Conduct meetings with employees to educate them in proper methods and procedures and discuss changes in policies and procedures. Maintain control of credit standards to ensure the quality of credit extended; recommend and implement changes in systems and procedures. Approve or decline applications within assigned guidelines referred by supervisors and applications from corporations and partnerships for business cards. Prepare informative reports for the Center Manager and senior management. Attend various credit organization meetings, meetings with branch personnel, the Center Manager, and senior management.

Title: Customer Service Manager
Function: Supervises customer service staff to ensure the efficient, prompt, and courteous handling of merchant inquiries.
Duties: Coordinate work received by customer service personnel daily. Delegate authority, responsibilities, and duties to supervisors and personnel. Recommend and implement new systems and procedures, as needed. Assist personnel in resolving difficult customer service problems. Telephone and correspond with customers regarding inquiries or problems. Hire and review performance of personnel. Make recommendations for promotion, termination, and salary increases. Monitor work of customer service staff to ensure that customer contact is efficient and courteous and that customer's goodwill is maintained. Evaluate the pending workload and see that problems are resolved within legal time frames. Prepare reports for Center Manager and senior management on problems and inquiries handled.

Title: Marketing Manager
Function: Develops and implements programs for the acquisition of new merchants.
Duties: Establish marketing policies. Approve advertising and promotional campaigns. Visit branches, sponsored Members, and major merchants to promote Visa card business. Attend sales meetings and conventions. Participate in charitable and civic activities to promote goodwill for the Visa merchant program and the bank. Supervise preparation of statistical reports for the information and evaluation of the Center Manager and senior management.

Title: Risk Management and Security Manager
Function: Supervises activities in the operations areas of the center.
Duties: Establish procedures, prepare reports for management, maintain safeguards, and administer personnel policies. Improve awareness of risk within the bankcard center. Manage bankcard and branch staff training on fraud awareness. Set guidelines for merchant approval and terminal placement policies. Manage production of and communicate risk and fraud information to senior management on a regular basis.

Title: Operations Manager
Function: Supervises activities in the operations areas of the center. Establishes procedures, prepares reports for management, maintains safeguards, and administers personnel policies.
Duties: Develop procedures for effective operations. Set up operating schedules and coordinate workflow through the center. Maintain accounting records, compile reports. Train, counsel, and inform staff members on policies, goals, practices, and procedures through individual meetings, staff meetings, and training programs. Supervise personnel and delegate work assignments. Hire employees, recommend promotions, transfers, terminations, and salary adjustments.

Title: Merchant Risk Detection Manager
Function: Oversees merchant deposit monitoring and risk detection team.
Duties: Identify potential fraud and credit losses. Manage fraud and risk reduction initiatives. Develop systems to monitor merchant deposits and authorization activity. Manage operational follow-up of cases identified by risk detection team. Implement actions to reduce fraud in merchants.

Title: Accounting Supervisor
Function: Supervises employees engaged in servicing and maintaining Visa merchant accounts.
Duties: Report to operations manager, supervise employees involved in data entry, tabulating, accounting. Organize and coordinate workflow, delegate work assignments, hire employees, recommend promotions, transfers, terminations, and salary adjustments. Train and instruct employees in procedures and use of equipment. Recommend procedural and equipment changes. Supervise balancing, reporting, aging of general ledger accounts, process sales transaction receipts and remittances. Answer mail and telephone inquiries from merchants and bank regarding servicing or operating problems. Coordinate computer use.

Title: Authorization Supervisor
Function: Supervises activities of authorizers engaged in approving or declining authorization requests from merchants for transactions over floor limits, and from branches for cash advances. Approves or declines over-line or problem transactions referred by authorizers. Refers cases to investigators. Ensures after-hours merchant authorization monitoring and staff training in Code 10 procedures.
Duties: Assign employee duties and arrange work schedules. Answer employee questions regarding problems encountered, resolve operating problems, and instruct and train employees in correct procedures. Approve or decline authorization requests from merchants and branches when transaction brings balance over line, for transactions when customer is using an expired card or is purchasing without a card, and for other questionable transactions. Discuss large transactions with cardholder or merchant to obtain further purchase or credit information and, if necessary, verify employment and credit references before calling merchant back to give authorization decision. Recommend the increase or decrease of credit lines, if warranted. Discuss reasons for declination of authorization with cardholder or branch and recommend corrective action. Answer correspondence regarding declination transactions. Make recommendations regarding employee requirements, salary adjustments, transfers, promotions, and terminations.

Title: Authorizer
Function: Approves or declines telephone requests from Visa merchants for sales transactions in excess of floor limits.
Duties: Approve or decline authorization requests based on established guidelines. For manual systems, maintain records of authorizations given, including account number, name of cardholder, card expiration date, amount of transaction, confirmation of identity of cardholder, merchant name, merchant type, and type of merchandise purchased. For cash advances authorized, the name of the Member or branch and the officer's name is recorded. Give authorization numbers to merchants, branches, or other Members. Refer over-line or questionable requests to Authorization Supervisor for further review and decision. Discuss reasons for declination of authorizations with customer or branch and recommend corrective action to clear account status. Receive telephone calls regarding lost, stolen, or destroyed cards and refer pertinent information to appropriate areas (Security Department) for action.

Title: Credit Analyst
Function: Reviews and analyzes applications for new Visa merchant accounts to approve or decline applications.
Duties: Review applications received in accordance with required procedures and regulations. Call branch officers to discuss application if branch has recommended or rejected it and the reason is not clear. Evaluate credit information obtained by credit investigator, considering such factors as merchant's length and type of business, outstanding obligations, ability to pay, and payment record provided by references. Approve or decline applications for assignment of account numbers, issuance of equipment, and customer notification. Forward approved applications for assignment of account numbers, issuance of equipment, and customer notification. Note reasons for rejection on declined applications and have letter of declination typed and sent to applicant. Handle telephone inquiries and correspondence regarding credit policies and decisions.

Title: Customer Service Representative
Function: Answers merchant inquiries and resolves complaints.
Duties: Communicate with merchants by telephone and/or letters to answer questions and resolve problems. Analyze problems, make decisions, and implement adjustments to merchant accounts. Refer difficult or complex problems to customer service manager for assistance and/or decision. Maintain records of problems and inquiries handled. Suggest means of improving service based upon customer inquiries and complaints.

Title: Investigator
Function: Performs investigative functions as necessary to gather data for law enforcement or attorneys to prosecute cases of merchant fraud.
Duties: Review transaction and merchant data to determine if there is evidence to prosecute. Work with law enforcement, card associations and other sources to gather information about suspected fraud cases. Testify in court (if necessary) regarding fraudulent bankcard merchants. Coordinate with other bank staff to gain information about suspect accounts.

Title: Merchant Sales Representative
Function: Promotes and sells Visa to qualified merchants.
Duties: Call upon prospective merchants to demonstrate how Visa acceptance can increase sales. Explain merchant discount, floor limits, depository arrangements, and service. Sign new merchants, complete sales agreements, and set up deposit accounts. Refer merchants to other officers or departments for additional finance services.

Title: Merchant Service Representative
Function: Provides service to existing Visa merchants and serves as a liaison between merchants and the Member.
Duties: Visit assigned merchants regularly. Provide supplies, advertising, and point-of-sale material. Answer questions and assist in solving problems concerning discounts, customer disputes, and procedures. Keep the merchant informed of new, revised, or expanded services. Maintain merchant records.

Title: Customer Service Research Clerk
Function: Obtains customer files and other information required by customer service personnel to answer merchant inquiries.
Duties: Retrieve customer files, copies of sales transaction receipts, statements, etc., for customer service representatives. Prepare input for requested adjustments to merchant's accounts.

Title: Investigation Clerk
Function: Provides back-office investigative support.
Duties: Receive/prioritize cases identified by merchant deposit monitoring clerks. Conduct an in-depth desktop analysis of suspect merchants. Freeze funds. Provide support to external field investigations. Prepare documentation for court. Coordinate follow-up of cases and termination. Complete Visa RIS questionnaires and coordinate initiatives to reduce point-of-sale fraud.

Title: Merchant Activity Monitoring Clerk
Function: Provides back-office examination of suspicious merchant deposit activity.
Duties: Examine merchants identified by monitoring systems. Conduct initial screening of merchant deposits and authorizations. Contact branches and card Issuers regarding suspect activity.

Title: Data Security Manager
Function: Ensures systems, controls, and procedures are properly in place to protect cardholder and account information and prevent compromise.
Duties: Set up policies and controls to protect internal systems. Review the design and implementation of connections with external connections and networks. Conduct regular monitoring of sensitive internal systems and networks. Consult with internal Information Technology staff to ensure systems are configured and maintained securely. Provide subject matter expertise to Merchant Monitoring Activity Clerk and Merchant Service Representative to support secure operations at merchant locations.

Staff Training

Acquirers can implement all the controls they need to prevent fraud and minimize risk, but most of these measures really don't mean much without proper staff training. The majority of employees who expose an organization to risk usually do so through error and lack of knowledge. To be truly effective, Visa Merchant Operations Center staff should:
- Have a thorough understanding of merchant fraud risk and security issues.
- Know the Visa card chargeback rules and regulations.
- Be well versed in your organization's risk management policies and procedures.

As a risk containment measure, Visa Merchant Operations Center staff training can be carried out in a number of ways:
- For new staff members. Formal training in risk management and fraud prevention should be incorporated as part of their orientation to the organization and work group.
- For existing staff members. Educational materials can be produced and distributed on an as-needed or refresher basis. Materials can include graphically illustrated instructional posters, monthly newsletters, brochures, and videos.

When developing risk management training programs, consideration should be given to the specific needs of Visa Merchant Operations Center staff members. Generally, it is not enough to give internal staff the same kind of training presented to merchants. The Center staff members need to have a greater understanding of the Acquirer's best practices in order to effectively spot and handle fraudulent activity.

Third-Party Relationships

Under the Visa International Operating Regulations, Acquirers are responsible for ensuring that third-party agents abide by specific operating rules.

As Acquirers become increasingly focused on strategic planning, competitive market positioning, pricing, and payment processing technologies, they are putting more emphasis on credit and fraud controls. In addition, some are making use of third-party agents for a range of services, including account solicitation, transaction processing, and customer support. For acquiring Members, this may result in new opportunities for increased profitability. It also, however, adds another level of exposure to fraud. Close monitoring of third parties and their bankcard-related activities is essential to ensure that the cardholder information they process is properly protected throughout the lifecycle.

For Acquirers, third-party agent controls may include the following actions:
- Document procedures that require a written contract between the Acquirer and the agent. The contract should define Acquirer Program responsibilities, requirements, and standards.
- Develop agent activity procedures to ensure that third-party controls are in place to adequately protect the Acquirer from excessive risk and loss.
- Build in and conduct periodic reviews of third-party activities based on agent type and level of exposure.

Chapter 2 Merchant Underwriting

WHAT'S COVERED
- Portfolio Development
- Making the Most of Your Merchant Application
- Merchant Site Inspections
- Merchant Approval Policies and Processes

By signing a merchant, an Acquirer is agreeing to underwrite that merchant's bankcard transactions. In other words, the Acquirer is granting an unsecured, unlimited line of credit to the business and its owners. Thus, the task of determining whether or not the merchant is a good risk, primarily through the application review and approval process, is crucial.

This chapter contains requirements and best practices for defining portfolio development policies, conducting a merchant application review, inspecting merchant locations, and making final application approval or decline decisions. It walks through the actions needed to conduct a thorough, efficient evaluation of all merchants, and in doing so spot any signs of potential risk before an agreement is signed.

Portfolio Development

Critical Issues that Affect Portfolio Profitability

Effective underwriting begins with carefully defined portfolio development policies that specify the markets, merchant categories, and levels of risk an Acquirer is, and is not, willing to accept when approving new accounts. An Acquirer policy should also spell out minimum financial and credit requirements for new merchants, as well as the level of management approval that will be needed for specific kinds of businesses.

Acquirers that use agents or nonmember agents for account solicitation are also responsible for ensuring that these entities comply with all of Visa's merchant underwriting requirements. However rigorous or trustworthy an agent's or nonmember agent's investigation, final review of merchant applications and the decision to approve or decline a new account must be made by Acquirers themselves.

When establishing or reviewing portfolio development policies, Acquirers should take into account a range of critical issues that may affect portfolio profitability, including:
- Current portfolio size and sales volumes.
- Geographic location relative to the Acquirer's location.
- Short- and long-term financial goals.
- Level of risk an Acquirer is willing to accept in their portfolio.
- Human and systems resources.

Merchant Diversification

Merchant diversification helps acquiring institutions build more profitable portfolios by ensuring a sufficient percentage of Card-Present merchants to balance the higher risks often associated with Card-Not-Present merchants. Acquirers are free to determine the specific types of companies they wish to sign; however, Visa strongly recommends that a new Acquirer portfolio contain at least 50 percent Card-Present merchants.

Understanding the Types of Risks

Underwriting policies for specific markets or categories of merchants depend on the level of risk they represent to an Acquirer. In general, there are two kinds of risk exposure:

Fraud risk is usually associated with certain kinds of merchandise and/or the nature of the business activity of the merchant. Merchants are often considered a high risk for fraud losses because of the type of merchandise they offer. Such merchants can include travel agents, jewelry stores, and computer outlets. Other merchants with higher risk business activity include telemarketing businesses, escort services, catalog sales, massage parlors, audio-text and videotext businesses, door-to-door sales organizations, and businesses that sell goods at flea markets, swap meets, and street markets.

Core fraud risks include the following:
- Prepayment. This is a payment made now for something to be delivered in the future. This includes deposits (often made for holidays or possibly for furniture) or full payments for such things as airline tickets, theater reservations, or sporting events. If the final goods or services aren't provided, then full chargeback rights are available.
- Guarantees. By providing a guarantee, the merchant can advise that goods purchased today will still work for weeks, months, or years into the future. Depending on how this guarantee is presented in the contract, this can radically increase a merchant/Acquirer liability.

- Ongoing services. Similar in effect to a guarantee, these transactions are usually in payment of a service which continues for a significant period of time. Examples would include golf or health club memberships and even a timeshare where risk can continue for a large number of years.
- Card-Not-Present transactions. Currently, the most obvious high-risk transaction is one that occurs in the Card-Not-Present environment, where in return for a merchant being allowed to transact by mail, phone or Internet, chargebacks generally exist for all transactions where fraud occurs or when goods and services are not delivered. Both these risks are significant because Card-Not-Present merchants may be targeted by fraudsters if they are not taking action to mitigate their risks. Also, in the event that the Card-Not-Present merchant fails, there is a high probability that any orders taken by the failed merchant within the last month will not have been fulfilled.
- Chip-based infrastructure compliance. Many Visa regions are moving from a magnetic stripe to a chip-based infrastructure and are imposing liability shifts for transactions which continue to be taken using magnetic stripe, key entry, or paper. Acquirers operating in a chip-based region must be aware of the liabilities that occur as a result of such transactions.

A list of High-risk Merchants should be communicated within the Acquirer's sales plan as a guide to help sales staff to avoid High-risk Merchants or recommend further evaluation before signing.

Business failure risk is determined by looking at the merchant's sales volume and the time frame for the delivery of goods or services. The greater the sales volume and the longer the time between credit transactions and product/service delivery, the greater the risk. For example, when a local restaurant closes its doors, an Acquirer will have minimal exposure to chargebacks for undelivered goods and services. On the other hand, exposure could be considerable for an airline or travel agent, where business failure could leave an Acquirer liable for millions of dollars in future reservations. This type of risk can be the greatest area of loss to the Acquirer.

When it comes to business failure risk, Acquirers should also pay particular attention to the issue of prepayment, especially in situations where prepayment options are not obvious at first glance (e.g., insurance, goods with service contracts attached, low-value phone cards, sporting event tickets, etc.).

Visa Transactions and the Law

By submitting transactions into interchange, an Acquirer warrants that no applicable laws have been violated. Visa urges that Acquirers understand the following:
- Lottery ticket sales. Acquirers must adhere to country, regional, and/or local laws prohibiting the sale of lottery tickets by mail, telephone, or electronic commerce.
- Internet gambling. The issue of gambling over the Internet is not clear in some markets. However, Acquirers are advised that complaints from Visa Members, cardholders, and law enforcement about this type of activity are increasing.
- Child pornography. Acquirers must ensure that Visa payment products are not accepted for purchase or trade in child pornography by any merchant. Any violations of this provision should be reported to Visa for proper investigation. Audits are routinely conducted to ensure Acquirers are in complete compliance. Acquirers found in violation of this provision are penalized in accordance with the Visa International Operating Regulations.

Making the Most of Your Merchant Application

The Merchant Application: An Essential Tool

The most important way Acquirers can control fraud-related losses and the possibility of merchant business failure is to thoroughly evaluate prospective merchant business. Before entering into a formal relationship with a prospective merchant, an Acquirer must verify the merchant's credit qualifications and assess its potential risk for fraud, high chargeback rates, or business failure.

This is why the merchant application is such a critical part of the merchant approval process. It is an essential tool that can be used to obtain detailed information about all aspects of a merchant's business. In fact, it is probably the most extensive contact that an Acquirer has with a merchant client and is the best opportunity to obtain pertinent information.

Key Merchant Details

As part of the initial merchant review, the merchant application should gather all relevant information on the business background, business operations, location, and principals who are running the business. To obtain these details, the merchant application form should request the following:

Merchant Business Background
- Merchant history. Obtain the merchant's authorization to research its background, including credit, banking, financial history, and how long the merchant has been in business. New businesses frequently fail within the first few years of operation.
- Doing-Business-As (DBA) or trade name. Compare the merchant's doing-business-as name to its legal name. Some merchants may conduct their daily business activities under one name and apply for legal registration under a different name. If the names are different, it is important to know both names.
- Legal form of business. Inquire about the legal form of the merchant's business. For example, is the merchant a corporation, partnership, or sole proprietorship?
- Business license, registration numbers. Obtain and verify the merchant's business license number or any other license or registration numbers that may be required to own and/or operate a business. Perform a search with the appropriate business bureaus to verify that the merchant owns or operates a legitimate business.
- Credit history. Ask whether the merchant or its principals have previously filed for bankruptcy, or have been registered as having any other credit difficulties now or in the past. If so, find out when. This may provide a good indication of the financial stability of the merchant.
- Prior merchant agreement. Ask if the merchant has had a prior merchant relationship with acquiring banks. If yes, request bankcard statements for several months' activity. If another Acquirer previously terminated the merchant, the reason for termination should be noted on the merchant's application.
- Other businesses. Ask the merchant to supply information for any other businesses it currently owns or operates, or has owned in the past.
- Business references. Ask the merchant for other business references that can support its financial responsibility. For example, invoices or billing statements from suppliers and customers can provide evidence of the merchant's ability to meet financial payments.

Under the Visa International Operating Regulations, all Acquirers must evaluate a potential merchant's financial condition.

A list of high-risk merchants should be communicated within the Acquirer's sales plan as a guide to help sales staff avoid High-risk Merchants or recommend further evaluation before signing.

Merchant Business Operations
- Operating statistics. Ask the merchant for the following operating statistics to gain knowledge of the merchant's expected business revenue:
  - Projected total sales volume
  - Projected credit and debit volume
  - Projected chargeback volume
  - Percentage of sales by mail order, telephone order, or Internet
  - Period between the purchase and actual delivery of goods
  - Guarantees and ongoing services (copies of consumer contracts may be required)
- Cards honored. Determine what other (if any) bank or travel and entertainment cards the merchant honors and the name of the acquiring institution(s).
- Billing terms. Ask the merchant for its billing terms. For example, does the merchant allow its customers to pay for purchases in monthly installments?
- Credit and return policies. Ask the merchant for details of its credit and return policy procedures to ensure the merchant is properly handling exchanges and credits. It is important for the Acquirer to obtain a copy of the merchant's standard contract.
- Inventory. Determine whether the merchant owns or finances its inventory.
- Contracts. Determine if the merchant has any significant contractual relationships, such as a manufacturer's agent or exclusive supplier that may impact the merchant's ability to meet its financial obligations if a contract is canceled.

Acquirers must conduct a physical site inspection of all new merchant and Card-Not-Present merchant locations to obtain a detailed description of the business.

Merchant Business Location
- Type of location. Determine the type of location of the merchant, such as storefront, indoor shopping mall, or office. Is the merchant location suitable for the type of merchant? Is the merchant location in a geographic area that has demonstrated excessive levels of fraudulent activity?
- Own/lease. Ask whether the merchant owns or leases the location. If the merchant owns the location, ask the merchant for the name and address of the mortgage holder. If the merchant leases the location, ask the merchant for the name and address of the landlord.
- Time at location. Ask the merchant how long the business has operated at the present location.

Merchant Principal(s) Information
- Principal name, address, identification number. Ask the merchant for the name, address, Social Security Number or similar identification number, and telephone number of each principal involved in the business.
- Ownership information. Obtain the percentage of ownership held by each principal. Also find out how long each of the current principals has owned the business.
- Percentage of time. Ask the merchant for the percentage of time spent at the business by each principal.

Special Application Considerations for Card-Not-Present Merchants

For information about specific Internet merchant application considerations, see Chapter 12: E-Commerce Merchant Fraud Management.

Merchants whose business involves Card-Not-Present sales (mail order/telephone order (MO/TO) and Internet businesses) can present special risks for Acquirers. If a cardholder denies ordering or receiving the merchandise, and the chargeback amount cannot be covered by the merchant's account, an Acquirer could end up liable for the losses. To reduce exposure, extra precautions should be taken when investigating and signing Card-Not-Present businesses. These include:
- Applications. Application forms for Card-Not-Present merchants should request detailed business plans, samples of merchandise, and copies of all relevant marketing materials, including catalogs, brochures, telemarketing scripts, and print and broadcast advertisements.
- Chargeback risks. Application information should be carefully evaluated to determine potential risk for chargebacks.
- Low cost, high price. Acquirers should beware of any merchant selling services, or a product with a low manufacturing cost, but a high price. A thorough review is also recommended for any merchant using selling methods associated with high chargeback rates, specifically sales pitches involving gifts, cash prizes, sweepstakes, installment payments, and multi-level marketing.
- Principals. All business principals should undergo a thorough background check. Personal credit reports should be scrutinized, and addresses verified. If appropriate, a criminal background check should also be performed.

A sample Merchant Application has been included in Appendix A of this guide.

Merchant Site Inspections

Why Conduct a Thorough Merchant Site Inspection?

Acquirers must visit a prospective merchant's physical location to verify first-hand the legitimacy of the business and its ability to generate projected sales volumes. A thorough site inspection can also give Acquirers a chance to see if there is anything suspicious about a merchant or its operation.

The Visa International Operating Regulations contain specific provisions for conducting merchant site inspections.

Visa International Operating Regulations outline the criteria for determining a remote Card-Not-Present merchant outlet. For further clarification of the conditions that define an Internet, telephone, or mail order merchant location, refer to the current Merchant Outlet rules.

Aspects of a Good Inspection

Acquirers should always conduct the site inspection during normal business hours. A rigorous site inspection covers all relevant aspects of a merchant's business operations, including:
- Location. Is the merchant's location consistent with its business plan and projected sales volume? For example, if a retail outlet depends mostly on walk-in business, is it located in an area with good foot traffic?
- Premises and physical layout. Are the merchant's signage and sales fixtures consistent with an established legitimate business?
- Business documentation. Does the merchant have all necessary licenses, permits, and other legal documents related to the business?
- Inventory. Do the quality and quantity of current inventory support projected figures for average ticket prices and sales volume?
- Employees. Are staffing levels sufficient to support projected sales? Do employees seem knowledgeable about the merchant's goods and services and customer service policies?
- Return policy. Does the merchant have a return policy? Is it clearly disclosed on the cardholder's transaction receipt and in close proximity to the cardholder's signature?
- Data security. Are transaction records or other confidential customer information kept on the premises; and if so, are they stored in a secure area? Is access to this information limited to authorized personnel? What steps have been taken to ensure the security of computer and phone lines, and electronic customer data? How long is confidential customer information retained?

It is recommended that a photograph of the interior and exterior of the business be taken during the site inspection and filed with the merchant application and agreement upon completion of the application approval process.

Site Inspection Considerations for Card-Not-Present Merchants

Site inspections of Card-Not-Present merchants should include warehouse, as well as office facilities. Shipping, billing, and return policies should be carefully reviewed, and Acquirers should ensure that no customer is billed before merchandise is shipped. It is also recommended that Acquirers shop prospective merchants by having one of their own employees place and then return an order. If shipment and delivery are handled by a fulfillment house or other third-party agent, complete information on this firm should be requested and a site inspection performed.

All investigations of new Card-Not-Present merchants must be well documented, and complete records kept on file at the Acquirer's place of business for a minimum of two years following the termination of the company's merchant agreement.

Signs of Suspicious Activity

For information about Internet merchant Website inspection criteria, see Chapter 12: E-Commerce Merchant Fraud Management.

Experience has shown that merchant facilities can be set up for the express purpose of laundering sales transaction receipts or key-entered transactions where there is no intent to supply goods to customers. In these situations, the merchant facility is purely a front to import illegal transactions into the Acquirer's processing and generate fraudulent credits.

During a site inspection, suspicions may be aroused when the:
- Merchant claims to have been trading for some time, but there is little or no stock to be sold. This could indicate financial difficulties or potential fraud.
- Trading address is determined to be a private residence rather than being in a recognized business area. This could indicate that the business is of ill repute or lacks financial substance.
- Principals appear to lack a clear understanding of the business.

A sample Site Inspection Form is contained in Appendix A of this guide.

Merchant Approval Policies and Processes

The Acquirer's decision to sign a merchant is based on a favorable outcome in each of the merchant review actions described so far in this chapter.

Guidelines for Merchant Approvals

For information about Internet merchant Website inspection criteria, see Chapter 12: E-Commerce Merchant Fraud Management.

For further information about conducting periodic reviews of a merchant's financial status and business operations, see Chapter 6: Merchant Activity Monitoring and Follow-Up.

As mentioned earlier, certain factors such as length of time in business, type of business, or previous business history add more risk to signing an otherwise acceptable merchant. To reduce risk exposure, Acquirers should establish guidelines for reviewing and approving merchant applications. Key considerations include the following:
- Setting levels of authority for approval based on the merchant's projected sales volume. For example, the application for a merchant with US$1 million projected sales would require approval by a high-level executive of the institution.
- Accepting ONLY complete applications. All required documentation must be enclosed.
- Developing a policy for:
  - Approval sign-off. For example, requiring approval by two high-level officers of the institution for merchant applications from High-risk Merchant types, or implementing some other appropriate signature requirement guideline.
  - Approval of previously declined merchant applications. For example, in order to approve an application which has been previously declined, the signature of two high-level officers of the institution would be required, rather than the individual signature which is usually required.
  - Declining merchant types that are not acceptable. This might include, for example, massage parlors, casinos.
  - Approval of merchants offering prepaid goods or services.
- Increasing monitoring and liability for Card-Not-Present transactions. At a minimum, consider daily authorization and settlement monitoring, delayed funds access and reserve requirements.
- Evaluating terminal placement. Consideration should be given to risky Merchant Category Codes (MCCs), geographic locations, high-ticket values, and volume.

Merchant Approval Processes

The merchant approval process varies from Acquirer to Acquirer. It typically depends on the level of risk the organization is willing to accept, its existing financial position, and future merchant program goals. The following diagrams have been included to help illustrate a basic merchant approval process and a process for higher-risk merchants.

Basic Merchant Approval Process

1. Receive and log completed new merchant application and information file.
2. Perform credit evaluation including bank references, personal credit history, suppliers.
3. Check against negative file (where present).
4. Check National Merchant Alert Service (NMAS) or similar database.
5. Conduct merchant site visit.
6. Approve or decline.

If approved:
- Notify Merchant Sales of approval. Send merchant notification letters.
- Complete Merchant Agreement.
- Set up merchant files and make appropriate financial arrangements for crediting deposit funds.

If declined:
- Notify Merchant Sales of decision and reason. Send merchant notification letters. File materials.
- Update internal merchant negative file.

Approval Process for High-Risk Merchants

1. Receive and log completed new merchant application and information file.
2. Perform credit evaluation including bank references, personal credit history, suppliers.
3. Check against negative file (where present).
4. Review financial statement of merchant and owners. Require update of financial statement on an annual basis.
5. Contact previous processing bank to determine chargeback levels, and performance of merchant.
6. Obtain samples of goods/product merchant is selling.
7. Contact local community organizations to determine if merchant has received excessive number of customer complaints.
8. Determine level of settlement risk when signing merchants that provide future services (i.e., goods or services that must be pre-paid by cardholder).
9. Conduct merchant site visit.
10. Approve or decline.

If approved:
- Notify Merchant Sales of approval. Send merchant notification letters.
- Complete Merchant Agreement.
- Set up merchant files and make appropriate financial arrangements for crediting deposit funds.

If declined:
- Notify Merchant Sales of decision and reason. Send merchant notification letters. File materials.
- Update internal merchant negative file.


Chapter 3 Merchant Contracting and Setup

WHAT'S COVERED
- Developing Merchant Agreements
- Mandatory Agreement Provisions
- Optional Agreement Provisions
- Agreement Requirements for Chip Migration
- New Merchant Start-up and Preparation

Upon acceptance of a new merchant account, an Acquirer and merchant must sign an agreement specifying the terms and conditions under which Visa transactions will be processed. This agreement is the contract between the Acquirer and the merchant that specifies pricing, procedures, and rules of the acquiring service provided.

Visa International Operating Regulations define certain mandatory provisions that must be included in all Merchant Agreements. In addition, Visa offers recommendations for optional provisions that can help Acquirers reduce fraud exposure and associated losses. Once a Merchant Agreement has been signed, the business must be properly set up with the proper equipment for card acceptance.

This chapter outlines Visa requirements and recommendations for developing Merchant Agreements. It also offers a few practical suggestions on how to ensure transaction data security and reduced fraud exposure through proper merchant setup.

Developing Merchant Agreements

The Visa International Operating Regulations state that an Acquirer must have a signed Merchant Agreement for each merchant account, and that all Merchant Agreements must be kept on file at the Acquirer's place of business.

The Merchant Agreement is a legal document that binds the merchant to operate under the rules and regulations established by Visa and the Acquirer. This agreement should be thorough enough to protect the Acquirer from improper card processing and include certain minimum provisions contained in the Visa International Operating Regulations. Acquirers, however, may determine, and as appropriate vary, the appearance of the agreement form, as well as the wording of these contracts.

An Acquirer's Merchant Agreement should be designed from a risk perspective to:
- Reduce the institution's exposure to fraud and business failure losses to the greatest extent allowable by law.
- Reflect a thorough understanding of an individual merchant's business type, level of risk, and projected sales and chargeback rates.
- The agreement must make clear the circumstances under which the Acquirer has the right of termination. These can include changes in turnover, changes in ownership, or any activity that (in the Acquirer's opinion) might indicate increased risk of credit/fraud loss. The agreement should specify for both sides a maximum of 30 days' notice of termination, but indicate the Acquirer's right to terminate in the event of breach of contract.
- Confirm the right to seize funds.
- Ensure the safe and sound operation of merchant activities.
- Include provisions that add protection against fraud and credit losses beyond the minimum requirements stated in the Visa International Operating Regulations.
- Outline all regulatory issues.

Mandatory Agreement Provisions

A Merchant Agreement must include some form of the following provisions. For a full list of mandatory provisions, see the Visa International Operating Regulations.

Area: Data Security
Provisions:
- Merchants shall not disclose cardholder account information to third parties, except when needed to complete a transaction or when required by law.
- Merchants must store all material containing account numbers, including sales transaction receipts, credit vouchers, vehicle leasing agreements, and carbons, in a secure area accessible only to selected personnel.
- The business's disposal procedures must also ensure security; materials containing account information must be made unreadable before they are discarded.
- The merchant must not retain or store Card Verification Value 2 (CVV2) data subsequent to the authorization of a transaction.

Area: Financial Responsibility
Provisions:
- The merchant's liability for chargebacks, credits, fees, and fines should be clearly stated.
- The merchant is liable to the bank for any losses that arise from the merchant's failure to comply with the Merchant Agreement.
- The merchant will be liable for any sales transaction receipt charged back to the Acquirer because:
  - The transaction was not performed in accordance with the Merchant Agreement.
  - Goods or services were purchased with an altered card.
- Chargebacks will be directly debited from the merchant's account, and the merchant may be required to maintain account reserves to cover these payments. Reserve amounts may be based on a percentage of sales to be determined by the Acquirer.

Area: Split Sales Transaction Receipts
Provisions:
- Split sales transaction receipts are not allowed. Specifically, merchants may not use two or more sales transaction receipts for a single transaction to avoid or circumvent authorization limits.

Area: Laundering of Sales Transaction Receipts
Provisions:
- Laundering of sales transaction receipts is specifically prohibited by the Visa International Operating Regulations. Violation of this provision may result in automatic termination of the Merchant Agreement. To ensure new merchants understand the anti-laundering provisions of your agreement, you should review this section with them and have them initial it. (See Laundering in Chapter 5 of this guide.)

Area: Minimum or Maximum
Provisions: Merchants are not allowed to set minimum or maximum transaction amounts as a condition of honoring Visa cards.

Area: Surcharges
Provisions: Merchants may not impose surcharges on transactions, unless local law expressly requires that a merchant be permitted to impose a surcharge.

Area: Visa Marks
Provisions: The Visa logo or mark may only be used on a merchant's promotional materials to indicate that Visa cards are accepted as payment for the business's goods and services. The logo and mark may not be used, either directly or indirectly, to imply that Visa endorses a merchant's goods or services; nor may a merchant refer to Visa when stating eligibility requirements for purchasing its products, services, or memberships.

Area: Credit Vouchers
Provisions: Credit vouchers may not be submitted for noncredit transactions. Specifically, merchants may not accept money from a cardholder and then prepare and deposit a credit voucher for the purpose of crediting the cardholder's account.

Area: Previous Transactions
Provisions: Cardholder payments for previous Visa transactions are prohibited.

Area: Cash Disbursements
Provisions: Cash disbursements to cardholders are prohibited except if made by the following categories of merchants:
- Lodging merchants participating in Visa Hotel Services, or cruise line merchants. These merchants may make cash disbursements to Visa Gold cardholders under the specific circumstances defined in the Visa International Operating Regulations.
- Merchants who sell travelers cheques or foreign currency. Disbursements made by these merchants are limited to the value of cheques, travel money, or currency sold in a single transaction, plus any applicable commissions.
Under no circumstances may the transaction represent collection of a dishonored cheque.

Area: Scrip
Provisions: Merchants may not accept Visa cards for the purchase of scrip.

Area: Authorization Requirements
Provisions: Merchants must obtain authorization:
- For transaction amounts above the specified maximum floor limits required by the Acquirer, or
- In the event of a chip transaction when so requested by the card, if the terminal is chip-capable.

Area: Uncertain Cardholder Identification
Provisions: If cardholder identification or the card's validity is uncertain, the merchant must contact its Acquirer for instructions. If the Acquirer asks the merchant to recover the card, the merchant must comply according to established procedures.

Optional Agreement Provisions

Visa does not purport to provide legal advice to its acquiring Members. While the optional provisions listed here are intended as only a partial checklist of terms that an Acquirer should consider including in a Merchant Agreement, Acquirers are encouraged to seek legal advice with respect to their specific business and legal circumstances.

While not required by the Visa International Operating Regulations, the following provisions can help Acquirers reduce their exposure to fraud and credit risk losses. In all cases, local law should be observed.

Area: Termination of Agreement
Provisions: The Acquirer reserves the right to terminate the Merchant Agreement for any reason at any time.

Area: Right-to-Hold Funds
Provisions: Payment of funds to the merchant is provisional. The Acquirer has the right to freeze or hold deposits whenever fraudulent activity is suspected.

Area: Change in Ownership
Provisions: Merchants must notify the Acquirer of any changes in ownership, such as limited partnership agreements, or any other changes in business practices or sales method, including expected changes in average draft or deposit amount. Specifically, a merchant must notify the Acquirer (and agree in writing) before adding and performing mail order, telephone order, or Internet sales activity and/or making changes to the products or services being sold.

Area: Secured Interest
Provisions: The merchant must grant the Acquirer a secured interest in all its assets. This means the Acquirer will be recognized as a legal creditor in case the merchant declares bankruptcy.

Area: Use of Personal Accounts
Provisions: Merchants may not use their own merchant accounts for personal Visa card transactions. For example, merchants cannot use their personal Visa cards to purchase goods and services from their own business.

Agreement Requirements for Chip Migration

An existing Merchant Agreement may need to be updated to reflect the migration to chip processing. It is important to review changes to the merchant relationship relative to chip processing and then update the Merchant Agreement to include the following:
- Terminal costs and installation, as well as any pricing changes
- Support for additional data for authorization and clearing messages
- Receipt of new information on reports
- Cost and competitive factors
- Merchant expectations for conversion to chip card acceptance, including chargeback liability review
- Procedural changes to card acceptance processes
- Acceptance of Visa Electron cards at online-capable terminals for both chip-initiated and magnetic-stripe transactions
- Acceptance of Visa Horizon cards at online PIN-capable terminals, if appropriate

In updating the Merchant Agreement, be sure to obtain legal advice on regulatory and business requirements and have your institution's legal counsel review the revised agreement.

New Merchant Start-Up and Preparation

The setting up of a new merchant account should be viewed as an opportunity to establish strong fraud prevention practices with the businesses you have just signed.

Card-Present Merchant Setup

CVV (Card Verification Value) is a unique three-digit code on the chip and magnetic stripe of all valid cards. The CVV is based on the account number, expiration date, and service code. It is calculated by applying an algorithm (a mathematical formula) to the encoded account information. The CVV is verified online at the time a transaction is authorized. It is used to detect a counterfeit card in cases where a chip or magnetic stripe has been encoded or re-encoded with valid account information from other sources (e.g., a discarded transaction receipt, or illegally obtained merchant record).

Point-of-sale (POS) devices have become a major tool and point of vulnerability in many fraud scams, so Acquirers should pay close attention to the kinds of terminals (hardware and software) a business will be using. The following guidelines are recommended to ensure terminal and transaction data security, as well as reduce overall fraud exposure:
- Make sure all POS devices are fully Card Verification Value (CVV) and chip-capable. Wherever possible, ensure terminals:
  - Read/transmit full chip or magnetic-stripe Track 1 or 2 data, but do not display the full track data (i.e., CVV) at any point.
  - Prompt the user to enter the last four digits of the embossed account number ("read and compare"). This is an effective deterrent to counterfeiting.
- If the cardholder name is displayed on the terminal or the POS receipt, train the merchant to verify it against the name on the card. This is another effective deterrent to counterfeiting.
- Review data security issues and requirements with the merchant.
- Instruct merchants to limit access to transaction data and payment system software to authorized personnel. Payment systems may be particularly vulnerable in situations where a vendor or independent contractor can dial in or otherwise gain access to transaction-processing software from an off-site location.
- Educate merchant on bankcard security features, card acceptance, key-entered transaction, Code 10 call, and card recovery procedures.
- Equip merchants with reference materials to aid with card acceptance and fraud prevention.
- Conduct terminal/authorization testing prior to your merchant launch.
- Ensure control of supervisor cards and make sure they are always kept in a secure environment.
- Ensure data quality, including merchant name, location, and Merchant Category Code (MCC).

Card-Not-Present Merchant Setup

For information on how to set up a new Internet merchant, see Chapter 12: E-Commerce Merchant Fraud Management.

When setting up new Card-Not-Present merchants, apply these guidelines to ensure effective data security and avoid fraud/chargeback losses:
- Establish a clear merchant description for cardholder statements to help facilitate easier merchant name recognition.
- Add a suffix to the MCC to indicate the transaction type, such as Card-Present, mail order/telephone order (MO/TO), or Internet.
- Review cardholder data security issues and requirements with the merchant.

Card Verification Value 2 (CVV2) is a 3-digit number imprinted on the signature panel of Visa cards that helps Card-Not-Present merchants validate that the customer has a genuine card in his or her possession and that the card account is legitimate.

- Educate the merchant about the risk exposure and liability associated with accepting Visa cards in the Card-Not-Present environment.
- Offer Address Verification Service (AVS), Card Verification Value 2 (CVV2), and Verified by Visa support.
- Offer solutions to enable merchant to block high-risk transactions for review.
- Ensure merchants are aware of fraud detection, screening, and monitoring tools.
- Clarify and support dynamic currency conversion/multi-currency support activities.
- Ensure data quality, including merchant names, location, and MCC.
- Ensure merchant name, telephone number, or URL address appears on the cardholder statement.

Visa's Address Verification Service (AVS) is an automated fraud prevention system that allows Card-Not-Present merchants to check a cardholder's billing address as part of the electronic authorization process.

Verified by Visa lets Internet merchants validate a cardholder's ownership of an account in real time during an online Visa card transaction.

Chapter 4 Merchant Card Acceptance and Fraud Prevention

WHAT'S COVERED
- Basic Visa Principles for All Merchants
- Card-Present Transaction Procedures
- Chip Acceptance Procedural Differences
- Using Visa Electron Cards in the Card-Present Environment
- Card-Not-Present Transaction Procedures
- Merchant Education
- Supporting Merchant Code 10 Efforts

To increase profitability and reduce fraud losses, Acquirers must ensure that proper card acceptance procedures are being followed by all merchants in their daily business. Collectively, these procedures, outlined in the Visa International Operating Regulations, serve as a critical tool for loss reduction at the point of sale.

Routine fraud prevention practices, like checking card security features or a cardholder's signature, can lead to tangible benefits for merchants and Acquirers. Chargeback rates can be minimized, even in cases where fraudulent or other unauthorized transactions do occur.

All Acquirers are responsible for providing merchants and their employees with appropriate card acceptance and fraud prevention education. This chapter is intended to help you in this effort. It covers basic information and procedures for Card-Present and Card-Not-Present merchants and can be customized for use in merchant communication materials and training sessions.

Basic Visa Principles for All Merchants

Visa operating rules and basic principles promote consumer confidence in the Visa mark by providing cardholders with a familiar and consistently high standard of service. Customers know what to expect whenever they present their Visa card to a merchant, and acceptance of the card is guaranteed without special requirements or other limits.

Visa operating rules apply to all merchants and appointed agents who accept Visa cards. In following these principles, all parties are ensured optimum protection and enhanced customer satisfaction. Basic principles that apply to all merchants include the following.

Merchants must:
- Honor all Visa cards. All valid Visa cards must be accepted when properly presented as payment for transactions.
- Include tax in the total transaction amount. Any tax that the merchant is required to collect should be included in the total transaction amount. Taxes must never be collected separately in cash.

Merchants are NOT allowed to:
- Impose minimum or maximum dollar amounts as a condition of honoring the card. Merchants must honor a valid Visa card, regardless of the charge amount, unless different market legal regulations apply. Refer to your Regional Risk Representative or Visa Account Executive for further assistance in the area, if needed.
- Impose any surcharge on the Visa transaction (unless local law expressly allows it). Visa transactions should always be treated like any other form of payment.
- Use the Visa card/account number to collect other debts or dishonored checks.

Card-Present Transaction Procedures

Whenever a Visa card is present at the time of a transaction, merchants are required to take all reasonable steps to ensure that the card, cardholder, and transaction are legitimate. Basic card acceptance and fraud control for Card-Present transactions include the following actions:

Merchants should keep the card in their possession until they have checked the cardholder's signature and the transaction is complete.

➊ Check the Visa card security features to make sure the card is valid and has not been visibly altered in any way.
➋ Obtain an authorization for transactions over the floor limit. In most Card-Present transactions, a request for authorization is submitted by inserting a chip card into a reader, or swiping the card's magnetic stripe through a point-of-sale (POS) terminal. Preference must be given to the chip before attempting to swipe the stripe. If a card cannot be read or swiped, key-enter the account number into the POS terminal and get a card imprint.
➌ Compare card information (i.e., account number or cardholder name) to the POS terminal or sales transaction receipt.
➍ Check the cardholder's signature on the imprinted sales transaction receipt against the signature on the card.
➎ Be on the lookout for suspicious behaviors.
➏ If you receive an authorization approval, but still suspect fraud, make a Code 10 call.

These actions are explained in more detail on the following pages.

Visa Card Security Features

Every Visa card contains a set of unique design elements and security features developed by Visa to help merchants verify a card's legitimacy. A visual check of these features should be the first step in all Card-Present transactions. Any sign that a card design element or security feature is not genuine or has been tampered with may mean that the merchant has been given a counterfeit or invalid card.

Merchant Procedure: Examining the Visa Card

On the Front of the Card
- Compare the printed and embossed numbers. A four-digit number is printed below the first four digits of the embossed account number on all valid cards. These numbers should be identical, and both should begin with a 4. If the numbers are not identical or the printed number is missing, the card is not valid and should not be accepted.
- Place card under an ultraviolet light to see ultraviolet dove. It will be visible on the face of the card.
- Look at the dove design hologram. It should appear three-dimensional, and the dove should seem to fly when the card is tilted back and forth. If the dove looks flat or doesn't move, the card may be counterfeit.
- Check the Visa acceptance mark. It should have micro-printing around the border. The fine print is barely readable without magnification.
- Check the embossed account number for evenness and clarity. Look closely at the embossed account number for any signs that the card has been flattened and re-embossed. On valid cards, the numbers will be crisp and even; on altered cards, they may have fuzzy edges, or you may be able to see ghost images of the original numbers. The last grouping of numbers is embossed into the hologram. Pay special attention to that area, where ghost images are easiest to spot.
- Look at the flying V. The flying V is a stylized, embossed V located to the right of the Good Thru date on all valid cards. If this character is missing or is not a flying V, the card should not be accepted.
- Check the Good Thru or Expires End date. Make sure the date of the transaction is no later than the date on the card. If the transaction date is after the Good Thru date, the card has expired. In such instances, an authorization request can be called in to your authorization center, or you can ask the customer for a Visa card that is currently valid.

On the Back of the Card
- Look at the signature panel. An altered signature panel is one of the most common signs of a fraudulent card, and the easiest to spot. On valid cards, the panel contains a pattern of the repeated word "Visa" printed at an angle in blue-and-gold lettering on a white background. Possible indicators that a card has been altered include:
  - Signs of scratching or erasure, and the word "Void."
  - White tape or white-out.
  - Ghost images or other evidence that a criminal has written over or tampered with the original signature.
- The account number and a three-digit code, the Card Verification Value 2 (CVV2), may also be indent-printed on the signature panel in reverse italics.

Processing Authorizations Above the Floor Limit

Manual transaction data requirements may differ for various transaction types including hotels and manual cash disbursements. For further details, Acquirers should refer to the Visa International Operating Regulations.

How a merchant proceeds with an authorization depends on the point-of-sale equipment available and the built-in security features of the Visa card being used to purchase the goods or services.

Electronic authorization using chip or magnetic stripe. For merchants with card readers, preference must be given to the processing of a chip before attempting to swipe the magnetic stripe. Electronic authorization occurs in seconds, and the printed sales transaction receipt generated by the terminal will contain an authorization code for the transaction.

Voice Authorization. For authorization requests made by telephone to the voice authorization center, the merchant must make a manual imprint of the card and write the authorization approval code on the sales transaction receipt. Other data relating to the transaction must be handwritten onto the sales transaction receipt, including the legend "Retain This Copy for Statement verification." Data requirements include:
- Embossed card data.
- Merchant name.
- Merchant city and country (and state/province, if applicable).
- Transaction amount indicated in transaction currency.
- Identification of transaction currency.
- Transaction date.
- Description of goods or services (optional).
- Space for cardholder signature.
- Authorization code, if applicable.
- Transaction type (purchase).

When a Card Won't Read or Swipe

Visa policies state that chip cards must be read as chip at all times unless the card, chip reader, or terminal is malfunctioning. In the event that a chip cannot be read, the merchant should fall back to swiping the card's magnetic stripe to complete the authorization.

In some instances, the terminal will not be able to read the magnetic stripe in order to perform an authorization. When this occurs, it usually means one of two things: either the terminal is not working, or the magnetic stripe on the card has been damaged. Card damage can happen accidentally, but it may also be a sign that the card is counterfeit or has been altered.

When a card won't swipe, merchants should first check the terminal to make sure it is working properly. If the terminal is okay and the problem appears to be with the magnetic stripe, the merchant should follow proper procedures for key-entered transactions and check the card security features and match signatures (as outlined here).

Merchant Procedure: Handling Key-Entered Transactions

If you must key-enter a Visa card transaction:
- Match the embossed account number on the front of the card to the number indent-printed on the back.
- Check the card's Good Thru or Expires End date to be sure the card hasn't expired. If the card has a "valid from" date, be sure the card isn't being used before it is valid.
- Get a manual imprint of the card.
- Ask the customer to sign the imprinted sales transaction receipt.
- Compare the signature on the card with the signature on the sales transaction receipt to be sure they match. Do not accept an unsigned card.

The Card Recovery Bulletin (CRB) is an international printed list of lost/stolen, counterfeit, and other cards that Issuers have listed for pickup. The Card Recovery Bulletin is only printed in countries outside the United States.

Processing Authorizations Below the Floor Limit

For below-floor-limit transactions, the merchant has the option to:
- Seek authorization (unless a chip card is involved), or
- Not seek the authorization, but compare the card number to the current Card Recovery Bulletin (CRB).

If the merchant is presented with a card that is listed on the CRB, the merchant must:
- Not complete the transaction.
- Hold the card by reasonable, peaceful means (if safe to do so).
- Call their authorization center, state that the card number is on the bulletin, give the account number, and ask for instructions.

If the card number is not on the bulletin and the transaction amount is below the merchant floor limit, it is not mandatory for the merchant to obtain an authorization (except for chip-initiated transactions that cannot be completed via the chip). The merchant may proceed with the transaction.

Responding to Authorization Messages

An authorization is an indication that the account funds are available and a card has not been reported lost or stolen. It is a process in which the card Issuer approves or declines a transaction. An authorization is not proof that the true cardholder or a legitimate card is involved.

Most sales are authorized quickly. There are times, however, when a merchant may receive an authorization message indicating a potential problem with a card or cardholder. Negative or alert messages include the following:
- Decline. The transaction has been refused by the Issuer (e.g., the credit limit on the account has been exceeded).
- Call or Call Center Referral. The Issuer needs more information before approving the sale.
- Pickup. The Issuer wants to recover the card.

Whenever a negative or alert message is received, the response is displayed on the POS terminal. A sales transaction receipt, however, is never printed.

Merchant Procedure: Responding to Authorization Messages

Check the authorization message and take appropriate action. Whatever the message, continue to treat the customer courteously so as not to arouse alarm or suspicion.

Response: Decline
Action(s): Do not complete the transaction. Return the card to the cardholder and instruct him or her to call the card Issuer if there are any questions about the status of the account.

Response: Call or Call Center (Referral)
Action(s): Retain the card and goods while you call your authorization center and follow whatever instructions you are given. In most cases, an authorization agent will ask to speak directly to the customer or will instruct you to check the cardholder's identification.

Response: Pick Up
Action(s): Do not complete the transaction. Inform the customer you have been instructed to retain the card, and ask for an alternative form of payment. If it is safe to do so, retain the card. You may be eligible for a reward if you retain the card when requested to do so.

Comparing Card and Terminal/Receipt Information

Most POS terminals also allow merchants to verify that the cardholder account number embossed on the front of the card is the same as the account number encoded on the card's chip or magnetic stripe. How the merchant checks these numbers will depend on their POS terminal. In some cases, the number will be displayed on the terminal or printed on the sales transaction receipt; in others, the terminal may be programmed to check this information electronically. In such instances, the merchant will be prompted to enter the last four digits of the embossed account number, which will then be matched against the last four digits of the account number encoded on the chip or magnetic stripe.

Merchant Procedure: Matching Numbers and Name
- Match the last four numbers embossed on the card to the last four numbers displayed on the terminal or receipt.
- If the cardholder name is printed on the receipt, match the embossed name on the Visa card to the name printed on the receipt.
- If the numbers and/or names do not match, make a Code 10 call.
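
The electronic "read and compare" check described above, sketched as an added example; it is not part of the Visa guide and is not any terminal vendor's code. It assumes the standard ISO/IEC 7813 Track 2 layout; the function names, outcome labels, constructed sample track, and the 2000-based century for the expiry year are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from datetime import date

# Track 2 layout (ISO/IEC 7813):
#   ; PAN = YYMM expiry, 3-digit service code, discretionary data ?
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?"
)

# Constructed sample: a widely published test account number, not a real card.
SAMPLE_TRACK2 = ";4111111111111111=30121010000000987?"


@dataclass(frozen=True)
class CardRead:
    pan: str            # held for the authorization request only, never displayed
    expiry_year: int
    expiry_month: int
    service_code: str
    # The discretionary data (where the CVV travels) is deliberately not kept.


def luhn_ok(pan: str) -> bool:
    """Check-digit test; a failure here is treated as a bad read."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(raw: str):
    """Return a CardRead, or None if the stripe data is malformed."""
    m = TRACK2_RE.match(raw.strip())
    if not m:
        return None
    yy, mm = int(m["exp"][:2]), int(m["exp"][2:])
    if not 1 <= mm <= 12 or not luhn_ok(m["pan"]):
        return None
    # Assumption: two-digit expiry years are in the 2000s.
    return CardRead(m["pan"], 2000 + yy, mm, m["svc"])


def mask_pan(pan: str) -> str:
    """Only the last four digits are ever shown on screen or receipt."""
    return "*" * (len(pan) - 4) + pan[-4:]


def is_expired(card: CardRead, txn_date: date) -> bool:
    # A card is good through the last day of its expiry month.
    return (txn_date.year, txn_date.month) > (card.expiry_year, card.expiry_month)


def read_and_compare(raw_track2: str, keyed_last4: str, txn_date: date) -> dict:
    """Compare the clerk-keyed embossed digits with the encoded account number.

    Outcomes (hypothetical labels):
      UNREADABLE - follow the key-entered transaction procedure
      REENTER    - the clerk did not key exactly four digits
      CODE_10    - embossed and encoded numbers differ
      EXPIRED    - transaction date is after the Good Thru month
      PROCEED    - checks passed; continue to authorization
    The masked number is returned only on PROCEED, so the terminal never
    reveals the encoded digits before the clerk has keyed the embossed ones.
    """
    card = parse_track2(raw_track2)
    if card is None:
        return {"outcome": "UNREADABLE", "display": ""}
    if not re.fullmatch(r"\d{4}", keyed_last4):
        return {"outcome": "REENTER", "display": ""}
    if keyed_last4 != card.pan[-4:]:
        return {"outcome": "CODE_10", "display": ""}
    if is_expired(card, txn_date):
        return {"outcome": "EXPIRED", "display": ""}
    return {"outcome": "PROCEED", "display": mask_pan(card.pan)}


if __name__ == "__main__":
    today = date(2024, 5, 1)
    print(read_and_compare(SAMPLE_TRACK2, "1111", today))   # embossed matches stripe
    print(read_and_compare(SAMPLE_TRACK2, "1234", today))   # re-encoded stripe
```

A stripe re-encoded with another account's data fails the comparison because the keyed digits come from the embossing, which the counterfeiter did not change.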

Obtaining and Comparing Signatures

The final step in the card acceptance process is to ensure the customer signs the sales transaction receipt and to compare that signature with the signature on the back of the card. The customer should be within the merchant's full view when signing the receipt, and the merchant should check the two signatures closely for any obvious inconsistencies in spelling or handwriting.

If the signatures on the receipt and card do not match, the transaction should not be completed. If the transaction is accepted and it turns out to be fraudulent, the merchant may be liable for the chargeback, even if an authorization was received for the sale.

Merchant Procedure: Handling Signature Mismatch

If the signature on the sales transaction receipt and Visa card do not match:
- Ask for additional identification (e.g., driver's license, passport, etc.) and compare signatures.
- If the signatures do not match, make a Code 10 call.

Handling Unsigned Cards

Some cardholders believe that it is safer to carry an unsigned card, or instead write "See ID" in place of a signature. Nothing can be further from the truth.

Merchant Procedure: Handling Unsigned Cards

If no signature:
- Check the cardholder's ID. Ask the cardholder for some form of official government identification, such as a driver's license or passport. Where permissible by law, the ID serial number and expiration date should be written on the sales transaction receipt before you complete the transaction.
- Ask the customer to sign the card. The card should be signed within your full view, and the signature checked against the customer's signature on the ID. A refusal to sign means the card is still invalid and cannot be accepted. Ask the customer for another signed Visa card.
- Compare the signature on the card to the signature on the ID.

Note: The words "Not Valid Without Signature" appear above, below, or beside the signature panel on all Visa cards.

If "See ID" in signature panel:
- Politely explain that "See ID" is not a valid substitute for a signature.
- Ask the cardholder to sign the card (over the "See ID") in your presence.

Looking for Warning Signs of Fraud

In addition to following all standard card acceptance procedures, merchants should always:
- Be on the lookout for any customer behavior that may appear suspicious or out of the ordinary.
- Be made fully aware that peculiar customer behavior should not be taken as automatic proof of criminal activity.
- Use common sense and appropriate caution when evaluating any customer behavior or other irregular situation that may occur during a transaction.

Merchant Procedure: Looking for Suspicious Behaviors at the Point-of-Sale

Watch out for customers who:
- Purchase a lot of merchandise without regard to size, style, color, or price.
- Ask no questions on major purchases.
- Try to distract or rush you during the sale.
- Make purchases, leave the store, and return to make more purchases.
- Make large purchases right at opening or at the last minute when the store is closing.
- Refuse free delivery for large items.

If you see signs that make you suspicious:
- Hold on to the customer's card if you think you can do so safely.
- Call your voice authorization center and request a Code 10 authorization using a normal tone of voice. An operator will tell you what to do.

Merchant Procedure: Looking for Suspicious Behaviors at Service Stations

At the counter, watch out for customers who:
- Buy more than $50 worth of items at service station convenience store.
- Buy large amounts of beer and cigarettes.
- Buy tires and do not need them mounted.
- Attempt to bribe a cashier.
- Ask for cash back with a credit card.

At the pump, watch out for customers who:
- Activate multiple pumps.
- Buy gas several times a day.
- Fill multiple cars on the same pump.
- Fill large containers.
- Test cards.
- Loiter at the pumps.

What Card-Present Merchants Should Do If Suspicious

Sometimes a merchant will not feel comfortable making a Code 10 call while the cardholder is around, or the merchant may become suspicious of a cardholder after he or she has already left the store. Emphasize to merchants that they can still make a Code 10 call after a cardholder leaves. A Code 10 alert, even after a cardholder is gone, may still help stop fraudulent card use at another location, or perhaps during another visit to the store.

Merchant education materials and training should emphasize the importance of personal discretion and safety when deciding whether or not to attempt a card pickup.

There may be times during the transaction authorization process when a merchant is suspicious of a card or a cardholder. In these kinds of situations, the merchant needs to make a Code 10 authorization request call to let the card Issuer know there is suspicious activity without alerting the customer. During a Code 10 call, the merchant receives instructions on what, if any, action to take. In this case, the merchant actually speaks with the card Issuer's special operator.

Merchant Procedure: Making a Code 10 (When Card is Present)

If you receive an electronic authorization, but still suspect fraud:
- Keep the card in hand to quickly respond to questions.
- Call your voice authorization center. The call will first be received by your merchant bank who may need to ask you for some merchant and/or transaction details. You will then be transferred to the card Issuer and immediately connected to a special operator. A series of yes/no questions will be asked to determine whether you are suspicious of the card or cardholder.
- When connected to the special operator, answer all questions calmly and in a normal tone of voice.
- Follow all operator instructions.
- If the operator asks you to retain the card, comply with this request only if it is safe to do so.

Recovering Visa Cards

When reviewing card acceptance procedures, Acquirers should pay special attention to how and under what circumstances a card should be recovered. No matter how certain a merchant may be that a card is fraudulent, recovery should only be attempted if it can be done by reasonable and peaceful means. The following procedures apply to the recovery of all Visa credit, debit, and Electron cards, and should also be used for cards inadvertently left at a merchant location.

Merchant Procedure: Handling Visa Card Recovery

If you receive a pick-up response or are instructed to recover the card during a Code 10 call:
- Comply if you can do so safely; never take unnecessary risks.
- Tell the cardholder you have been instructed to keep the card and that he or she may call the Issuer for more information.
- Remain calm and courteous.
- If the cardholder becomes threatening, return the card immediately.

After a card has been recovered:
- Notify your merchant bank that you have recovered a card and ask for further instructions.
- Cut the card horizontally, being careful not to damage the dove hologram, the embossed account number, or magnetic stripe.
- Send the card pieces directly to your merchant bank.

Acquirer Actions After Card Recovery

Once a recovered card has been received, the Acquirer must:
- Notify the Issuer of the recovery situation.
- Mail the card to the Issuer's security contact within five calendar days.
- Complete a Recovered Card Advice and send it with the card, along with any other pertinent information about the recovery.

Acquirers are also allowed to charge Issuers a $15 handling fee for each returned card.

Acquirer Reward Payment Requirements

Cash awards are available to merchants and their employees for recovering counterfeit or other fraudulent cards. Using the guidelines below, an Acquirer must ensure that the minimum reward is paid to the merchant or teller/disbursing Member that made the recovery.

Rewards for Recovered Cards

Paid To                     Amount
Merchant                    US$25-$150
Teller/Disbursing Member    US$0-$150

The Acquirer does not need to pay a reward for Visa cards or Visa Electron Cards that are:
- Expired.
- Recovered at an ATM or Cardholder-Activated Terminal.
- Inadvertently left at a Merchant Outlet.

If an Acquirer pays rewards for the recovery of Visa Cards or Visa Electron Cards as specified above, it may collect the reward amount from the Issuer.

Handling Cash Disbursements

Generally, cash disbursements by merchants are prohibited by the Visa International Operating Regulations. Financial institutions (e.g., bank branches) may disburse cash, and lodging or cruise line merchants may make cash disbursements to Visa Gold, Platinum, and Signature cardholders. For these transactions, merchants must ask for an official government ID, and where permitted by law, also write the ID serial number and expiration date on the sales transaction receipt. The printed four-digit number from the front of the card must also be recorded.

Chip Acceptance Procedural Differences

Merchant Conversion Training

Acquirers offering chip access to Visa credit and debit products can help minimize problems and any areas of confusion during the merchant conversion by ensuring proper training. Because chip cards introduce new functionality at the point-of-sale, merchants must be trained in chip-capable terminal operation and on the basic procedural differences between chip card and magnetic-stripe acceptance.

To help ease cardholder transition to chip, Acquirers should evaluate the need to make a cardholder pamphlet available to merchants.

The following information should be included as part of the merchant training plan:
- Chip cards are inserted into the chip reader and remain inserted for the duration of the transaction. This differs from the magnetic-stripe method where the merchant swipes the card and immediately removes it, all in a single motion.
- The chip card must remain in the terminal during the transaction and should not be removed until the transaction has been completed. Early removal of the chip card from the reader will terminate the transaction.
- As terminal messages vary, you need to clearly identify the message supported by your terminals that will signal when a transaction is finished. Merchants, or where appropriate, their customers, should be instructed to remove the card from the terminal only after seeing this message.
- Merchants need to educate cardholders about chip-acceptance procedures in environments where customers insert their own cards in the chip reader.
- With the introduction of multiple applications on a single card, cardholders may be prompted to select which application should be used for a given transaction (if supported by the terminal). Merchants need to be aware of this new activity and be trained on how to explain the application selection process to their customers.
They should also learn to guide their customers in pressing the appropriate button or buttons to select the application or account they want to use. In addition, at unattended devices, such as ATMs or Cardholder-Activated Terminals, the terminal should have instructional prompts and signage to support cardholders through each phase of the transaction.

Cardholder Application Selection

The cardholder application selection process is typically dependent on Issuer requirements specified in the chip. The card and terminal will either automatically agree on the preferred application to be used or the chip card may request that the cardholder select or confirm the use of a given application. When requested by the card and made available by the terminal, the cardholder should be allowed to select their preference.

Merchants need to be aware that application selection will not occur on every transaction. It will only take place when the card and terminal support more than one application in common. For example, when both the card and terminal support Visa Credit and Visa Cash, the cardholder will be asked to select one of these applications for the transaction.

Cardholder Verification

Merchants and cardholders typically understand the methods of verifying a transaction in attended environments through cardholder signature or Personal Identification Number (PIN) entry. In unattended environments, the cardholder is also familiar with not having to sign and whether or not to enter a PIN.

In the chip environment, merchants and cardholders will rely on the chip-reading terminal and the chip card to agree on which Cardholder Verification Method (CVM) is required to complete the transaction. Merchants must not be able to preempt the option that will be selected. The terminal/card interactive-decision process and final selection is based on a mixture of elements that are specific to that particular transaction, such as amount, domestic or international transaction, offline or online authorized, other transaction parameters, whether the issuer's CVM preference can be met, and the other CVM options available.

Some countries may require offline PIN verification and a cardholder signature for domestic card transactions over a certain amount. Please contact your Regional Risk Representative or Visa Account Executive to understand your market requirements.

CVM Options

- Signature. Visa card programs bearing a chip are required to carry a magnetic stripe and a signature panel on the card. Signature still remains the international default for cardholder verification and is also the default for many domestic card transactions. Requirements for checking signature-verified transactions in the chip environment remain the same as they are today in the magnetic-stripe environment.
- PIN. The convenience and additional security of PIN entry to verify cardholder identity will become more prevalent for both domestic and international Visa card transactions. Where PIN pads are deployed, training should include these points:
  - The card and terminal interaction will determine the appropriate cardholder verification method and whether to prompt for a PIN.
  - Because the card determines whether PIN entry is required on each transaction, lack of a terminal PIN prompt should not be considered an error.
  - The terminal will prompt for PIN when the chip card requires a PIN. The merchant should not request PIN entry from the cardholder, unless the terminal issues this prompt.
  - Where a cardholder is required to enter a PIN, the secrecy of the PIN entry must be maintained.
  - When a transaction is PIN-based, Visa's best practice is to not print a signature line on the receipt. Merchants need to be aware that they should not request a signature from the cardholder when a signature line is not present on the receipt.
- No Cardholder Verification Required. A chip card Issuer has the ability to specify that a transaction may be completed subject to other processing checks without the need for the cardholder to provide a signature or enter a PIN. "No CVM required" is a valid cardholder verification option where both the terminal and card agree on this as the CVM option. This option would typically be used in unattended terminal environments. An Issuer, however, may select this option in the event that fast processing of offline-authorized transactions is required. However, even when a card indicates "No CVM Required" for a particular type of terminal, the terminal may choose to default to the cardholder verification method as specified for a magnetic-stripe transaction to protect the transaction liability (e.g., signature at a POS or online PIN at an ATM).

Offline versus Online Authorized Transactions

In merchant locations where terminals with both offline and online authorization capability are deployed, merchants must be trained to understand that some transactions will be processed offline, while some will require online authorization. They should not view these differences as errors or treat the transactions or customers differently. Merchants, however, should be aware that offline transactions may be faster than online transactions.

Fallback Transactions

Fallback requirements are governed by the Visa International Operating Regulations relating to the Visa and Visa Electron programs. For international and most domestic transactions, fallback on Visa Electron cards beyond the magnetic stripe is not permitted and may not be possible (the full account number may not be printed on the face of the card). Please contact your Regional Risk Representative or Visa Account Executive for market-specific information or recommendations.

Certain regions or countries do not allow fallback to key entry due to counterfeit risk. You may wish to consider whether particular merchants should be permitted to key enter transactions in a face-to-face environment where the magnetic stripe could not be read. Please contact your Regional Risk Representative or Visa Account Executive for regional or market-specific rules.

The term "fallback" is defined as the acceptance of chip cards via magnetic-stripe processing, key entry, or paper, at chip-capable terminals. This occurs in situations where a normal chip transaction cannot be completed at a chip-capable terminal. Visa policies state that chip cards must be read as chip cards at all times unless the card, chip reader, or terminal is malfunctioning. This means that chip cards may only be accepted via the magnetic stripe when the chip cannot be read. An Acquirer may have more stringent policies than this for their domestic transactions based on market decisions related to fallback.
For example, some markets may not allow fallback under any circumstances.

In the event that a chip card or chip reader is not functioning and the magnetic stripe of the card is read in the magnetic-stripe reader of the terminal, the terminal will read the service code from the magnetic stripe and prompt the merchant to read the card as a chip card. It is essential that merchants be trained on the activities they should perform and the sequence of events they should follow when they are processing fallback transactions. Typically, the sales staff member will be given a number of chances to read the card as chip before the terminal prompts for fallback to be performed using the magnetic stripe, if permitted. If the magnetic-stripe functionality of the card or terminal is also not working, the merchant may then fall back to key-entered or paper-based transactions. Depending on the fallback procedures in place, an Acquirer may need to restate its market's procedures on fallback related to key-entered and paper-based transactions.

Merchants must understand that a declined chip transaction is not a candidate for fallback. A declined chip transaction cannot be reinitiated using the magnetic stripe or any other means. Current procedures should then be followed for declines and failures, such as asking the customer for another form of payment.

Other Transactions

Suspicious transactions, reversals, and voids must be completed in the same way they are performed today, but via the chip subject to individual Acquirer requirements. Other card security features may need checking at the point of transaction, as appropriate.

Using Visa Electron Cards in the Card-Present Environment

Visa Member financial institutions issue Visa Electron in Africa, Asia, the Caribbean, Europe, the Middle East, and South America. Neither U.S. nor Canadian financial institutions issue Visa Electron, but Visa Electron cards are accepted at electronic merchants and ATMs in the U.S. and Canada.

Visa Electron was launched in the 1980s as a consumer debit product for use at electronic merchants. Today, it is issued in different parts of the world as a consumer debit, credit, or prepaid card, with or without chip, although it is usually issued as a debit product. The Visa Electron card can be used for payment at more than 12 million electronic merchants around the world, on the Internet, and for cash withdrawals at more than 600,000 ATMs.

The Visa Electron card's security features and acceptance procedures, however, are slightly different than the Visa flag card, as described below.
- The Visa Electron card is often unembossed, and the account number is laser-engraved or indent-printed.
- To deter key entry, the Issuer may print only the first 4 digits of the BIN and the last 4 digits of the account number, instead of the entire 16-digit account number.
- The cardholder name and expiration date may not be displayed if the card was instantly issued at a bank branch.
- The dove hologram and ultraviolet dove are optional.
- The words "Electronic Use Only" must be printed on the front of the card.
- The signature panel may be on the front or back of the card.

Electronic authorization is required for all Visa Electron transactions. This means the merchant must be able to perform the authorization by running the card through a POS terminal. Key-entered authorizations are not allowed. If the card is damaged or cannot be read by the terminal, the card should not be used. Key-entered authorizations are also not allowed for mail order and telephone orders involving Visa Electron, unless otherwise directed by the region.

Merchant Procedure: Examining the Visa Electron Card

- Unlike other Visa cards, almost all Visa Electron cards feel flat; account information is laser-engraved or indent-printed, not embossed.
- On some cards, only the last four digits of the cardholder's account number will appear on the front of the card; most cards will display the entire account number.
- The Visa Electron acceptance mark is prominently displayed, usually on the front of the card.
- If the first four digits of the account number are present, they should match the number printed below it.
- Every Visa Electron card has a signature panel, either on the front or the back. Always compare the signature on the panel to the signature on the sales draft.

Card-Not-Present Transaction Procedures

MO/TO and Internet merchants should also be encouraged to develop in-house fraud control policies and provide appropriate training to their employees. Because Card-Not-Present merchants are at greater risk for stolen account number schemes, they need to be diligent in their fraud control efforts.

CVV2 can help merchants differentiate between good customers and fraudsters who operate anonymously. It allows them to make a more informed decision before completing a non-face-to-face transaction.

The growth of the mail order/telephone order (MO/TO) and Internet markets means an increasing number of merchants are now processing transactions in situations where the card and cardholder are not present and fraud may be especially difficult to detect. Card acceptance procedures for these transactions will of necessity be different, but must still allow merchants to verify, to the greatest extent possible, the cardholder's identity and the validity of the transaction.

Basic card acceptance and fraud control for Card-Not-Present transactions include the following actions:

➊ Ask the customer for the card expiration date and include it in your authorization request. An invalid or missing expiration date can be an indicator that the person on the other end does not have the actual card in hand.

➋ Ask for Card Verification Value 2 (CVV2) as part of the authorization request to confirm that the customer has a genuine Visa card in hand.

➌ If available, use the Visa Address Verification Service (AVS) to verify the cardholder's billing address.

➍ Be on the lookout for suspicious orders. Has the customer used your services in the past? Is the billing and delivery address the same? If not, is there a justifiable reason? Is the delivery address a known pick-up address for stolen goods? Will delivered goods be signed for by someone in the household and not be given to someone outside the delivery address?
➎ If you suspect fraud, ask for additional information and verify the order. Validate telephone numbers with addresses and check lists related to previous chargeback problems, etc.

These actions are explained in more detail on the following pages.

Asking for the Card Expiration Date

When possible, Card-Not-Present merchants should ask customers for the card expiration, or "Good Thru," date. Including the date in your authorization request helps to verify that the card and transaction are legitimate. A MO/TO or Internet order containing an invalid or missing expiration date can be an indicator that the person on the other end does not have the actual card in hand.

Asking for CVV2

CVV2 is an important security feature for Card-Not-Present merchants. Located on the back of all Visa cards, the CVV2 consists of the last three digits printed on the signature panel.

[Figure: signature panel showing the 16-digit or 4-digit account number followed by the three-digit CVV2 (XXX).]

In the Card-Not-Present sales environment, CVV2 is an excellent tool for verifying that the customer has a legitimate Visa card in hand at the time of the order.

Merchant Procedure: Processing CVV2

- Ask the customer for the account number and expiration date on the front of the card.
- Instruct the customer to turn the card over and read or enter the last three numbers printed in the signature panel on back of the card.
- Submit the CVV2 information with other transaction data (card expiration date and account number) for electronic authorization. The card Issuer checks the CVV2 code to determine its validity, then sends a CVV2 result (generally "Match" or "No Match") back along with the authorization decision.
- After receiving the authorization response, evaluate the CVV2 result code and take appropriate action.

If the Result is: M (Match)
Then: Complete the transaction (taking into account all transaction characteristics and any questionable data).

If the Result is: N (No Match)
Then: View the "No Match" as a sign of potential fraud and take it into account along with the authorization response, as well as any other questionable data. Potentially hold the order for further verification.

To prevent CVV2 from being compromised, NEVER keep or store a Visa card's CVV2 code once a transaction has been completed. Such action is prohibited and could result in fines.

Using AVS

AVS is an effective risk management tool for Card-Not-Present merchants. It increases authorization effectiveness by allowing an Issuer to verify the billing address of a customer presenting a Visa card for payment. The merchant submits the address with the transaction authorization request and receives a result code indicating whether the address given by the cardholder matches exactly, partially, or not at all with the address in the Issuer's file. A partial or no-match response may indicate fraud risk.

Merchant Procedure: Verifying with AVS

- Ask the customer for the billing address as it appears on the monthly statement.
- Submit the required alpha/numeric portions of the address with the authorization request. The Issuer will return an AVS result with the authorization response.
- Research all AVS partial matches. A partial match indicates that the compared billing addresses have the same zip code or the same numeric values in the street address, but not both.
- Evaluate an AVS "no match" carefully. An AVS "no match" is typically a strong indicator of fraud. However, a "no match" may be legitimate if a customer has recently moved and not given an updated address to the Issuer:
  - Call the customer to verify that the given telephone number belongs to the individual who placed the order, the address given is the correct billing address, and whether the cardholder has recently moved.
  - Contact the Issuer to determine whether the name, address, and telephone number given by the customer match the corresponding elements for the cardholder in the Issuer's file.
  - Use directory assistance or Internet search tools to contact the individual at the billing address and confirm that he or she initiated the transaction.

Looking Out for Suspicious Orders

Card-Not-Present merchants should put into place in-house policies and procedures for handling irregular or suspicious transactions (e.g., unusually large orders). Sales staff should be trained to recognize suspicious orders and given clear instructions on the steps to take to verify these transactions.

Experience suggests that there are certain characteristics that can be tip-offs to possible fraud. Each of these characteristics by itself is very seldom cause for alarm; rather, it is when several of these factors characterize a purchase that there may be grounds to suspect a fraud scheme.
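The CVV2 and AVS procedures above can be tied together in order-handling code. The following is an added example, not part of the Visa guide: `avs_compare` is a simplified simulation of the Issuer-side comparison as the guide describes it (zip code and street numerics), and the result strings, field names, action names and the choice to keep only the last four account digits are assumptions made for illustration.

```python
import re

# Constructed sample order as captured at checkout (all values are made up).
SAMPLE_ORDER = {
    "order_id": "T-1001",
    "account": "4000001234567890",
    "expiry": "04/05",
    "cvv2": "123",
    "street": "742 Maple St Apt 3",
    "zip": "94105-1234",
}


def digits(text):
    """Numeric runs in an address line, e.g. '742 Maple St Apt 3' -> ['742', '3']."""
    return re.findall(r"\d+", text)


def zip5(text):
    """First five digits of a US-style zip code (assumption: ZIP+4 is ignored)."""
    return "".join(digits(text))[:5]


def avs_compare(given_street, given_zip, file_street, file_zip):
    """Return 'match', 'partial' (zip or street numerics agree, not both) or 'no_match'."""
    street_ok = bool(digits(given_street)) and digits(given_street) == digits(file_street)
    zip_ok = zip5(given_zip) != "" and zip5(given_zip) == zip5(file_zip)
    if street_ok and zip_ok:
        return "match"
    return "partial" if (street_ok or zip_ok) else "no_match"


def disposition(approved, cvv2_result, avs_result):
    """Combine the authorization decision with the CVV2 (M/N) and AVS results."""
    if not approved:
        return "decline"
    if cvv2_result == "N" or avs_result == "no_match":
        return "hold_for_verification"   # potential fraud: verify before shipping
    if avs_result == "partial":
        return "research"                # every partial match gets looked at
    return "complete"


def order_record(order, approved, cvv2_result, avs_result):
    """Record kept after authorization: result codes only, never the CVV2 itself."""
    return {
        "order_id": order["order_id"],
        "account_last4": order["account"][-4:],   # assumption: last four digits only
        "approved": approved,
        "cvv2_result": cvv2_result,
        "avs_result": avs_result,
        "action": disposition(approved, cvv2_result, avs_result),
    }


if __name__ == "__main__":
    avs = avs_compare(SAMPLE_ORDER["street"], SAMPLE_ORDER["zip"],
                      "742 Maple Street #3", "94105")
    print(order_record(SAMPLE_ORDER, True, "M", avs))
```

The stored record carries the CVV2 result code so a later review can see why an order was held, while the three-digit value itself is discarded once authorization is complete.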

Telephone Order Merchant Procedure: Looking for Suspicious Behaviors

Be on the lookout for any of the following signs of suspicious customer behavior:
- Hesitation. Beware of customers who hesitate or seem uncertain when giving you personal information, such as a zip code, the spelling of a street, or family name. This is often a sign that the person is using a false identity.
- Rush orders. Urgent requests for quick or overnight delivery (the customer who needs it "yesterday") should be another red flag for possible fraud. While often perfectly valid, rush orders are one of the common characteristics of "hit and run" fraud schemes aimed at obtaining merchandise for quick resale.
- Random orders. Watch out also for customers who don't seem to care if a particular item is out of stock ("You don't have it in red? What colors do you have?") or who order haphazardly ("I'll take one of everything!"). Again, orders of this kind may be intended for resale rather than personal use.
- Suspicious shipping address. Scrutinize and flag any order with a ship-to address that is different from the billing address on the cardholder's account. Requests to ship merchandise to post office boxes or an office address are often associated with fraud. In addition, merchants should keep lists of zip codes where high fraud rates are common and verify any order that has a ship-to address in these areas. If your business does not typically service foreign customers, use caution when shipping to international addresses, particularly if you are dealing with a new customer or a very large order. Also be on the lookout for orders with requests for delivery outside your own market, unless this is typical for the type of goods being sold.
- Multiple cards. Pay attention to order situations in which the customer wants to pay with multiple cards. More than one or two cards may well indicate a fraud scheme.

Keep in mind: none of these by itself means you're being scammed, but several of them together might.
Check everything.

Internet Merchant Procedure: Looking for Suspicious Behaviors

Be alert for transactions with several of these characteristics:
- First-time shopper. Criminals usually hit a merchant once, and don't go back a second or third time.
- Larger-than-normal orders. (This requires knowledge of what a "normal-sized" order is.) Because they may be using stolen cards or bogus account numbers that have a limited life span, criminals need to maximize the size of their purchase.
- Orders consisting of several of the same item. As these items are intended for resale, having more of them increases the criminal's profits.
- Orders made up of big-ticket items. These items have maximum resale value and therefore, maximum profit potential.
- Orders shipped rush or overnight. Perpetrators want these fraudulently obtained items in their hands as soon as possible for the quickest possible resale, and aren't concerned about extra delivery charges.
- Orders from Internet addresses making use of free services. For these services, there's no billing relationship and often no audit trail or verification that a legitimate cardholder has opened the account.
- Orders shipped to an international address.

Telephone order employees who request additional information to verify orders must do so in a conversational tone so as not to arouse the customer's suspicions. If the customer balks or asks why the information is needed, simply say that you are trying to protect cardholders from the high cost of fraud.

Develop/maintain customer database or account history files to track buying patterns. Compare/evaluate individual sales for signs of possible fraud:
- Transactions on similar account numbers.
- Orders shipped to a single address, but made on multiple cards. These could also be characteristic of a scheme based on CreditMaster-generated account numbers or a batch of stolen cards.
- Multiple transactions on one card over a very short period of time. This could be an attempt to run a card until the account is closed.
- Multiple transactions on one card or similar cards with a single billing address, but multiple shipping addresses. This could represent some organized activity, rather than one individual at work.
- Multiple cards used from a single IP (Internet Protocol) address. More than one or two cards may well indicate a fraud scheme.

Keep in mind: none of these by itself means you're being scammed, but several of them together might. Check everything.

Order Verification Procedures

If a merchant staff member becomes suspicious about a Card-Not-Present order, they should first try to verify the transaction by obtaining additional customer information. The following steps may help to verify Card-Not-Present transactions:
- Ask the customer for the name of the issuing bank shown on the card or for the printed 4-digit number on the face of the card.

- Check the customer's personal information. Request day and evening telephone numbers and verify them through directory assistance or by calling the customer directly. If possible, you should also compare the billing and ship-to address on the order with the address you used for mailing the customer any catalogs or other marketing materials.
- Separately confirm the order with the customer. Send a note to the customer via his/her billing address, rather than the "ship to" address.

What Card-Not-Present Merchants Should Do If They are Suspicious

Card-Not-Present merchant staff members who suspect fraud should contact their merchant bank as soon as possible.
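The account-history comparisons listed in the Internet merchant procedure (similar account numbers, many cards behind one ship-to or IP address, rapid reuse of one card, one billing address with many ship-to addresses) can be run over an order log. The sketch below is an added example, not code from the Visa guide; the sample orders are constructed, and the field names, thresholds and signal names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FIELDS = ("id", "card", "ip", "bill", "ship", "ts")

# Constructed sample orders: account numbers, IPs and addresses are made up.
ORDERS = [
    ("o1", "4000001111110001", "198.51.100.7", "5 Oak Rd", "5 Oak Rd", "2003-02-03 09:00"),
    ("o2", "4000002222220456", "203.0.113.9", "8 Pine Ave", "PO Box 77", "2003-02-03 09:05"),
    ("o3", "4000002222220457", "203.0.113.9", "3 Lake Dr", "PO Box 77", "2003-02-03 09:07"),
    ("o4", "4000002222220458", "203.0.113.9", "9 Hill St", "PO Box 77", "2003-02-03 09:09"),
    ("o5", "4000003333330002", "192.0.2.44", "1 Bay Ct", "1 Bay Ct", "2003-02-03 11:00"),
    ("o6", "4000003333330002", "192.0.2.44", "1 Bay Ct", "22 Dock Ln", "2003-02-03 11:10"),
    ("o7", "4000003333330002", "192.0.2.44", "1 Bay Ct", "40 Mill Rd", "2003-02-03 11:20"),
    ("o8", "4000001111110009", "198.51.100.80", "14 Fern Way", "14 Fern Way", "2003-02-04 15:30"),
]


def load(rows):
    """Turn the sample tuples into dicts with parsed timestamps."""
    orders = [dict(zip(FIELDS, row)) for row in rows]
    for order in orders:
        order["ts"] = datetime.strptime(order["ts"], "%Y-%m-%d %H:%M")
    return orders


def group_by(orders, key_func):
    """Lists of orders that share the same key (address, IP, card, ...)."""
    groups = defaultdict(list)
    for order in orders:
        groups[key_func(order)].append(order)
    return groups.values()


def find_signals(orders, max_cards=2, max_ship_to=2, burst=3,
                 window=timedelta(hours=1), prefix_len=12):
    """Return {order id: set of signal names} from the account-history checks."""
    signals = defaultdict(set)

    def mark(group, name):
        for order in group:
            signals[order["id"]].add(name)

    def cards(group):
        return {order["card"] for order in group}

    # More than "one or two" cards behind one ship-to address or one IP address.
    for group in group_by(orders, lambda o: o["ship"]):
        if len(cards(group)) > max_cards:
            mark(group, "many_cards_one_ship_to")
    for group in group_by(orders, lambda o: o["ip"]):
        if len(cards(group)) > max_cards:
            mark(group, "many_cards_one_ip")

    # Different account numbers that share a long leading run of digits.
    for group in group_by(orders, lambda o: o["card"][:prefix_len]):
        if len(cards(group)) > 1:
            mark(group, "similar_account_numbers")

    # One billing address fanning out to several ship-to addresses.
    for group in group_by(orders, lambda o: o["bill"]):
        if len({o["ship"] for o in group}) > max_ship_to:
            mark(group, "one_billing_many_ship_to")

    # `burst` or more transactions on one card inside `window`.
    for group in group_by(orders, lambda o: o["card"]):
        group = sorted(group, key=lambda o: o["ts"])
        for i in range(len(group) - burst + 1):
            run = group[i:i + burst]
            if run[-1]["ts"] - run[0]["ts"] <= window:
                mark(run, "card_velocity")

    return signals


def review_queue(orders, min_signals=2):
    """Order ids showing several signals together; one signal alone is not enough."""
    signals = find_signals(orders)
    return sorted(oid for oid, names in signals.items() if len(names) >= min_signals)


if __name__ == "__main__":
    for oid in review_queue(load(ORDERS)):
        print(oid)
```

Orders o1 and o8 share a similar account number but show nothing else, so they stay out of the review queue, which mirrors the guide's point that a single characteristic is seldom cause for alarm.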

Merchant Education

Merchants are important partners in minimizing fraud risk. As such, merchant training and ongoing education efforts are vital to ensure that merchant employees understand and continue to follow appropriate card acceptance and data security procedures for all transactions. With this in mind, Acquirers should:
- Provide card acceptance, fraud prevention and data security training as soon as a new merchant account is opened.
- Ensure that merchants conduct periodic training refresher courses for all sales staff. Fraud awareness sessions should be especially encouraged prior to any seasonal highs in a merchant's business, when sales volumes and fraud risks are likely to increase.

As part of merchant training and on-the-job support, Acquirers should provide merchant employees with quick reference aids and other materials covering key steps and decisions.

A hard copy merchant training program has been included in Appendix B of this guide. The program materials, which consist of PowerPoint slides and presenter's notes, are available online or electronically on CD-ROM.

Supporting Merchant Code 10 Efforts

Internal and Merchant Staff Setup

It is up to the Acquirer to make sure that Code 10 call procedures are clearly defined and communicated to internal staff members and merchants. Best practices in this area include the following:
- Develop and provide quick reference aids and other educational materials for merchants such as:
  - POS stickers that provide contact telephone numbers.
  - Merchant procedures for making Code 10 calls.
- Provide up-to-date educational material to authorization center staff who handle Code 10 calls to make sure they are familiar with the latest card security features, changes in policy, etc.
- Consider implementing a speed dial service to make the Code 10 (and referral) call process more efficient, particularly for overseas transactions.

Code 10 Call Processing

In the event of a Code 10 call being received, the Acquirer should:
- If possible, find out why the merchant is suspicious of the transaction by obtaining these details:
  - Cardholder name and account number
  - Purchase amount
  - Card expiration date
  - Merchant name
  - Merchant location/address
  - Sales associate name
- Remind the merchant to tell the cardholder (if it is safe for them to do so) that a routine security check is being undertaken which should only take a few moments.
- Attempt to contact the Issuer electronically or by phone to pass on the Code 10 information.
- Try to wait for the Issuer to reply, if at all possible.
- Follow the Issuer's special operator instructions or transfer the call to the Issuer.

Code 10 Process in Brief

CARDHOLDER: The cardholder uses a bankcard to make a purchase.

MERCHANT: A merchant receives electronic authorization approval, but suspects that the customer is attempting bankcard fraud. The merchant makes a Code 10 authorization request call.

ACQUIRER: The Acquirer receives the Code 10 call and collects the merchant transaction information. The Acquirer then contacts the Issuer and passes the information electronically or verbally.
ISSUER: The Issuer takes the Code 10 call, then asks the merchant a series of questions to assess the situation and determine how to proceed.


Chapter 5 Merchant Fraud and How to Recognize It

WHAT'S COVERED
- Merchant Fraud Defined
- Bust-Out Merchants
- Laundering
- Telemarketing Fraud
- Credit and Cash Advance Schemes
- Skimming
- Account Testing
- Understanding Key-Entered Fraud
- Managing Inactive Merchant Accounts

To protect profitability and reduce fraud losses in today's fast-changing and unpredictable merchant environment, Acquirers must be able to identify and investigate potentially risky business at the earliest possible moment. Where a single scam can mean losses of hundreds of thousands or even millions of dollars, close monitoring coupled with up-to-date information on the most recent fraud schemes is essential.

This chapter describes the most current schemes and scams involving merchant locations. It offers an insider's view of the telltale signs that can help Acquirers spot merchant fraud activity. Guidelines for investigating potential fraud at a merchant location are also discussed, as well as recommendations for ways to reduce losses when a scam is confirmed or strongly suspected.

Merchant Fraud Defined

The Situation Today

In the past few years, bankcard fraud globally has undergone a gradual, very significant transformation for Acquirers. Systems to detect cardholder fraud (the types of fraud that primarily affect Issuers) have become more effective and harder for criminals to circumvent. As a result, fraud involving merchant locations, with and without a merchant's knowledge or active participation, has become more prevalent, and the scams and perpetrators committing them are more sophisticated and elusive. Old-fashioned laundering schemes targeting smaller retail merchant outlets still occur, but they are being steadily overshadowed by hi-tech scams run by international crime organizations who often work in cooperation. Underestimating the ingenuity or capabilities of these modern-day bandits is a risk few Acquirers can afford to take.

While certain scams may be associated with a specific sales environment, whether Card-Present, mail order/telephone order (MO/TO), or Internet, current evidence suggests that criminals can and will quickly exploit any market where merchants or Acquirers seem vulnerable.

Types of Merchant Fraud

Here is a snapshot of the most common types of merchant fraud that Acquirers are currently encountering. Each of these merchant fraud classifications is explained in more detail on the following pages.
- Bust-out Merchants. A criminal opens what appears to be a legitimate merchant account with an Acquirer, and after a brief period of seemingly normal sales activity, suddenly processes a large volume of fraudulent transactions using fake or stolen account information. The merchant receives payment and then disappears. A bust-out merchant is just as likely to be found operating online as out of a traditional storefront location.
- Laundering. A business with a valid Merchant Agreement with an Acquirer deposits transactions for a company without a merchant account.
The unsigned business offers the valid merchant a percentage of the sales amount (from 1 percent to 20 percent) to process the unsigned company s transactions. Usually these transactions are fraudulent and involve stolen account information. The unsigned business abruptly disappears, leaving the legitimate business to contend with chargebacks it may not be able to cover. Telemarketing Fraud. Criminals make mail or telephone solicitations to either obtain valid cardholder account information or to charge unauthorized sales to a valid account. Credit Advance Schemes. Merchants or collusive employees deposit apparently legitimate transactions often charged to friends or family members accounts, and then issue one or more credits to their personal Visa accounts. The credits zero out the deposits, making such scams more difficult to detect. Cash Advance Schemes. Merchants process a transaction against their own bankcard account, then remove an equal amount in cash from the register. This cash advance appears to be a legitimate transaction. In most cases, the merchant intends to re-deposit the cash and issue a credit to the account later when cash is available. 66 CONFIDENTIAL Visa Acquirer Risk Management Guide

- Skimming. This is the act of stealing critical data contained on the magnetic stripe of all credit, debit, and ATM cards. Using various new techniques, criminals capture the information from a valid card, and then use it to encode either counterfeit, lost, or stolen cards. (Any card that has a magnetic stripe can be re-encoded with new information obtained by skimming.)
- Account Testing. Criminals make a small purchase or submit an authorization request on a stolen, skimmed, or computer-generated account number to verify that the number can be used for fraudulent or other unauthorized purposes. It often involves a merchant's collusive employees.

Bust-Out Merchants

What is a Bust-Out Scam?

In a bust-out merchant scam, a criminal opens what appears to be a legitimate merchant account with an Acquirer. Following a brief period of seemingly normal sales activity, the business then processes a large volume of fraudulent transactions, receives payment, and closes down, or simply disappears. These scams are often extremely sophisticated and complex, involving stolen identities, false storefronts, and fraudulent applications submitted to several Acquirers at the same time.

How a Bust-Out Works

A Typical Scenario

In a typical scam, criminals open a storefront, sales office, or Website, and submit applications to several different Acquirers in a one- to two-week period. The fraudulent applications present the merchant as a newly-formed business with small to moderate sales and, conveniently, no financial or credit history. To ensure credit bureau reports on business principals also look legitimate, the criminals use the names of creditworthy accomplices or stolen credit information from valid cardholders or other unsuspecting individuals.

Once an agreement is signed, the merchant account deposits will correspond with anticipated sales volumes for a few weeks, or even months. This is then followed by a sudden spike of large deposits of fraudulent transactions. The criminals then empty the account, leaving the Acquirer liable for chargebacks on the transactions. They typically disappear, usually moving on and repeating the scam with other Acquirers.

A Spoof Shop Scam

A variation on the bust-out merchant scam, a spoof shop is a fraudulent merchant location set up for the sole purpose of stealing or replicating account information from legitimate cardholders. A spoof shop may or may not have a valid Merchant Agreement, but it will act as if it does. Merchandise or services will be sold to customers and in some cases, card transactions may be put through for authorization, but few or no transactions will be entered for settlement. Spoof shops are frequently associated with skimming and account testing scams.

A typical spoof location might be a small storefront selling T-shirts or souvenirs, or a Web page which is set up to mimic or capture business intended for a legitimate site. A criminal might put up a Web page for a fake Internet server using a name similar to, but slightly different from, a known business and then steal account information from consumers who mistakenly sign up for the service, thinking it's the legitimate business. Account numbers obtained in this way can then be turned over to bust-out merchants or other criminals who may use them in laundering, telemarketing, or other merchant fraud scams.

Laundering

What is Laundering?

The term laundering refers to any situation where a business that has a valid Merchant Agreement with an Acquirer deposits transactions for a company without a merchant account. These scams are used to process fraudulent or other high-risk transactions through a legitimate business location and are often targeted at small, less sophisticated merchants who may be truly unaware of the financial and legal exposure they are facing. The unsigned merchant may be a fraudulent business fronting for a criminal organization, or a company which, for a variety of reasons, may be unable or unwilling to get a valid agreement, for example, a high-risk telemarketer operating on the edge of legality.

Businesses caught in laundering scams may lose their Merchant Agreements and face prosecution under federal and state laws.

How Laundering Works

A laundering scam begins when the legitimate merchant is approached by the merchant without an agreement or by a so-called broker representing the unsigned company. The legitimate merchant is then presented with what appears to be a lucrative and tempting business proposition. In return for processing the unsigned company's transactions, the signed merchant will receive a percentage of the deposited sales. The amount offered may be anywhere from 1 percent to 20 percent, or more.

The signed merchant then begins processing transactions for the unsigned business by key-entering the sales on a POS terminal. In many cases, the laundered transactions will be counterfeit or unauthorized, using account numbers that have been illegally obtained through data theft from an account number-generating software program.

In a typical scam, deposit activity continues for several weeks and then stops abruptly. The unsigned merchant disappears, usually moving on to victimize yet another legitimate merchant, while the signed business is left to contend with a growing stack of chargebacks it may not be able to cover. Laundering schemes are associated with chargeback rates as high as 60 percent to 100 percent, and an inability to pay can easily force legitimate merchants out of business.

Telemarketing Fraud

What is Telemarketing Fraud?

Internet telemarketing fraud is a classic scam in which mail, telephone, or order solicitations are used for fraudulent purposes either to obtain valid cardholder information for fraudulent transactions, or to charge unauthorized sales to a valid account. The businesses involved in these schemes may be run by outright criminals, or the perpetrators may simply be unethical merchants who are pushing the limits of legality.

How Telemarketing Scams Work

Recent evidence indicates that fraudulent telemarketing is tapering off in the United States, but on the rise in overseas markets. Predictably, scams are surfacing in regions where Acquirers and cardholders are less sophisticated and knowledgeable about bankcard fraud, or where laws are inadequate or not well enforced.

There are many different kinds of telemarketing scams related to bankcard fraud. Some of the more common scams include the following:

- Phony Contests or Too Good To Be True Product Offers. In a typical scam, consumers receive mail, phone calls, or messages announcing that they have won a vacation to Hawaii, Acapulco, or some other exotic location. In other cases, vitamins, water purifiers, or travel packages are sold at fantastic discounts. There is, however, always a catch. The contest or product is available for a limited time only, and another small purchase or handling fee, which must be paid by credit card, is required immediately. Using high-pressure sales tactics or trickery, the telemarketers persuade consumers to give them their Visa account numbers and other personal information. The cardholder is then billed for merchandise which is never delivered or turns out to be shoddy and substandard.
- Lottery Ticket Sales. Generally these scams target the elderly, and often the telemarketers don't even purchase lottery tickets with the money they collect.
- Internet Gaming. As mentioned in Chapter 1, laws governing Internet gaming differ from country to country. Nevertheless, Visa has received many complaints from merchants, cardholders, and law enforcement regarding this type of activity.
- Credit Card Protection. While many firms offering credit card protection are legitimate, there are criminals who will contact and misrepresent themselves to cardholders as employees of Visa or a Visa Member. The perpetrators use deceptive practices to get cardholders to buy a protection package and often make it difficult to cancel the sale.
- Pyramid Schemes. These plans purport to offer products or even Visa cards in exchange for a membership fee and participation in a multilevel-marketing plan. The new member must recruit others to the plan; often no products exchange hands, however, and the Acquirer is left with chargebacks once consumers discover they have been defrauded.
- Advance Fee Schemes. Here, a consumer is asked to pay an up-front fee in exchange for a service or information. It may be that:
  - It is illegal to collect a fee for that particular service or information.
  - The information or service is readily available elsewhere at no or little cost.
  - The merchant has no intention of providing the information or service offered.
  One of the most common scenarios involves the Internet offering of a Visa card or merchant processing account when in fact all the buyer will receive is a list of banks that will issue such accounts to high-risk customers.

Handling Telemarketing Fraud Dispute

When the transaction is disputed with the cardholder's issuing bank, the result is usually a chargeback to the Acquirer. Chargeback categories associated with these scams include Unauthorized Transaction Exceeds Floor Limit, Mail/Telephone Order Unauthorized Purchaser, Non-Receipt of Merchandise, and Merchandise Not As Described. Of course, by the time the Acquirer receives the chargebacks, the fraudulent telemarketers may have emptied their account and disappeared. The valid account numbers they obtained will turn up weeks or months later in other fraud scams.

Credit and Cash Advance Schemes

What is a Credit or Cash Advance Scheme?

Credit or cash advance schemes involve improper use of personal bankcards to obtain money from merchants' Direct Deposit Accounts (DDAs) for personal use or to provide temporary cash flow. These schemes can be perpetrated with or without the merchant's (or an employee's) direct involvement.

A cash advance scheme may be the first sign of a merchant at risk for bankruptcy or other financial difficulties. In such cases, the cash advance might be used to cover the perpetrator's payroll or other business and personal expenses.

Schemes With Direct Merchant Involvement

- Cash Advance Scheme. A merchant will process a transaction against his or her own bankcard account, removing an equal amount in cash from the register. The cash advance appears to be a legitimate transaction, and the merchant or owner generally intends to re-deposit the cash and issue a credit to the account later, when the cash is available.
- Credit Scheme. A merchant or employee deposits credits to his or her own bankcard account, often in amounts that would not raise suspicion. Credit schemes are often the work of employees who are simply out to embezzle funds from the business by issuing credits to themselves without entering corresponding sales.

Merchants are prohibited from issuing a credit to any account number unless they have first deposited a legitimate transaction against that account.

Credit Schemes Without Merchant Involvement

The latest fraud attack on Acquirers involves scams where the perpetrator uses a legitimate merchant's account information to issue the credits. The perpetrator then uses the credits to make large purchases or cash advances or, in the case of debit cards, closes his or her checking account once the credits are posted and the funds are withdrawn. In both cases, the Acquirer is left with potential liability for the fraud.

Three methods are being used to effect this fraud scheme:

- The perpetrator takes over a merchant account by either obtaining a new or additional terminal through misrepresentation to the Acquirer, or convincing the Acquirer to reprogram a phantom terminal over the telephone. The individual then uses the terminal to deposit credits into his or her own, or a co-conspirator's, personal Visa account, along with enough fraudulent transactions using other account numbers to offset the credit amount. This ensures against deposit spikes appearing in the Acquirer's monitoring system.
- The perpetrator clones or emulates a legitimate merchant by surreptitiously obtaining the merchant and terminal ID numbers, then deposits credits to his or her personal account.
- The perpetrator breaks into the merchant's place of business and either steals the POS terminal, or the previous day's transaction receipts from the register drawer.

How to Protect Merchant Accounts From Credit Schemes Without Their Involvement

To safeguard merchant accounts from credit scheme fraud exposure, the following actions are recommended:

- Verify any requested change to a merchant account with the known business owner or an authorized merchant manager.
- Generate a call to the known business owner(s) to confirm the requests for terminal service, e.g., adding, replacing, or reprogramming terminals.
- Conduct a site inspection when there is a merchant address change or the addition of new locations.
- Conduct a new credit review and a call to the known business owner(s) when there are changes to the merchant's Direct Deposit Account. In addition to fraud, these changes can signal an ownership change, bankruptcy, or other credit-related issue.

In today's financial services environment, where payments are made by wire, an unauthorized change to a merchant Direct Deposit Account is an easy way to quickly and thoroughly defraud a legitimate merchant.

When confirming merchant ownership, make sure the information gathered includes the current business tax ID, as well as the current financial institution name and account number of the Direct Deposit Account. All changes should be confirmed in writing on an original document that includes a signature from the person currently authorized to sign for any change request.
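The rule stated above, that a credit may only follow a legitimate sale on the same account, can be checked per account even when offsetting sales keep the net deposit flat. The Python below is an added example, not part of the Visa guide; the entry layout, the merchant ID and the account tokens are assumptions, and the sample entries are constructed.

```python
from collections import defaultdict


def unmatched_credits(entries):
    """Flag credits that have no matching earlier sale.

    entries: (merchant_id, account_token, kind, cents) tuples in deposit
    order, where kind is "sale" or "credit". Returns a list of
    (merchant_id, account_token, cents, reason) for every credit that has
    no earlier sale on the same account at the same merchant, or that is
    larger than the sales on that account not yet credited back.
    """
    open_sales = defaultdict(int)  # (merchant, account) -> uncredited sale cents
    findings = []
    for merchant, account, kind, cents in entries:
        key = (merchant, account)
        if kind == "sale":
            open_sales[key] += cents
        elif kind == "credit":
            if open_sales[key] == 0:
                findings.append((merchant, account, cents, "no prior sale"))
            elif cents > open_sales[key]:
                findings.append((merchant, account, cents, "exceeds prior sales"))
            open_sales[key] = max(0, open_sales[key] - cents)
        else:
            raise ValueError(f"unknown entry kind: {kind!r}")
    return findings


def net_deposit(entries, merchant):
    """Sales minus credits for one merchant, the figure a spike monitor sees."""
    return sum(c if k == "sale" else -c
               for m, _, k, c in entries if m == merchant)


# Constructed sample: tokens stand in for account numbers, amounts are in cents.
SAMPLE = [
    ("M-1", "tok-a", "sale", 12000),
    ("M-1", "tok-b", "sale", 8000),
    ("M-1", "tok-a", "credit", 12000),   # ordinary refund of an earlier sale
    ("M-1", "tok-c", "sale", 35000),     # offsetting sales on other accounts
    ("M-1", "tok-d", "sale", 20000),
    ("M-1", "tok-z", "credit", 50000),   # credit to an account never charged
    ("M-1", "tok-b", "credit", 9500),    # credit larger than the sale it follows
]

if __name__ == "__main__":
    print("net deposit (cents):", net_deposit(SAMPLE, "M-1"))
    for finding in unmatched_credits(SAMPLE):
        print(finding)
```

The net deposit for the sample stays small and positive, so a volume-only monitor sees nothing unusual, while the per-account check reports both irregular credits.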

Skimming

To circumvent the Card Verification Value (CVV) protection, criminals have migrated to skimming counterfeit. Through new, easy-to-use technology, criminals are now capturing full Track 1 and 2 data contained on the magnetic stripe of a legitimate card, and using it to either encode a counterfeit card or re-encode a lost or stolen card. When an electronic authorization attempt is made with the encoded or re-encoded card, it can result in an Issuer approval of a fraudulent transaction.

Different Skimming Scenarios

Merchant outlets considered high-risk for skimming are those businesses where the card is temporarily out of the cardholder's sight, such as restaurants and gas stations.

As both criminals and transaction-processing systems become more sophisticated, the opportunities for gaining access to valuable account information have multiplied. Skimming scenarios now range from spoof shops (false storefronts set up for the express purpose of obtaining valid magnetic-stripe data) to telephone taps aimed at capturing account information during authorization or terminal downloads. Any point from a merchant's POS terminal to an Acquirer's or Issuer's host system may be vulnerable, and a valid card need not even be present.

While the details of individual scams may vary, skimming scenarios generally fall into three basic categories (differentiated by where track data is stolen or copied):

- At a Merchant Location. The most common skimming scenario involves track data compromised at a merchant location where the owner or a collusive employee skims full track data during a legitimate transaction. Data theft occurs either at the time a legitimate card is swiped for authorization (a laptop or other electronic device is linked to the point-of-sale terminal to capture magnetic-stripe information) or just after, with a second swipe of the card through a separate, palm-size, stand-alone device. Full track data obtained in this way can then be downloaded and re-encoded on a counterfeit or stolen card.
- While Transmitting Data From One Organization to Another. In this scenario, track data is compromised after it leaves a merchant location and is passing between the various entities associated with the authorization process, including:
  - A merchant's host system.
  - An Issuer's or Acquirer's host system.
  - An Issuer's or Acquirer's third-party processor.
  Account information is obtained by tapping into telephone lines or by capturing satellite transmissions from the airwaves. Collusive employees at these locations may, but need not, be involved, and management personnel may be entirely unaware of any breach of security.
- When in Storage. Other potential points of compromise for skimming include anywhere account information is stored either on a short- or long-term basis. This includes POS terminals, personal computers, and mainframes. As in the other skimming scenarios, criminals hack into these data storage systems to retrieve and copy valid account data.

This information is subsequently encoded on counterfeit cards or re-encoded on stolen cards. Potential points of compromise in these scams include the following:

- Cardholder-Activated Terminals (CATs) or other POS devices prior to downloading
- Merchant host systems
- Issuer or Acquirer host systems
- Issuer or Acquirer third-party systems
- Backup systems for any of the above

The very nature of skimming can make this type of counterfeit fraud especially hard to identify. Authorization records for valid and skimmed counterfeit transactions can be indistinguishable, and neither Issuers nor Acquirers may know what to look for. As in the previous scenario, collusive merchants and employees may, but need not, be involved.

Identifying Skimmed Counterfeit Transactions

From the Issuer perspective. Issuers are usually the first to detect the signs of suspicious activity associated with skimming, but Acquirers should also be familiar with the basic characteristics of potentially skimmed transactions. A transaction should be considered potentially skimmed if all of the following conditions exist:

- Authorization data includes a POS Entry Mode Code 90.
- The CVV in the authorization message matches the code on file with the Issuer.
- The cardholder is in possession of all valid cards and can verify that the suspect transaction was not made by him- or herself, or by anyone else with access to valid cards, such as a family member or friend.

From the Acquirer perspective. On the acquiring side, it is important to investigate Common Purchase Points (CPPs). These are the merchant locations (or other sites) where data has been stolen or replicated through skimming. Visa Fraud Control coordinates the identification of CPPs and advises Acquirers accordingly. When notified of an identified CPP, it is the Acquirer's responsibility to:

- Conduct a thorough investigation of the alleged skimming activity at the identified CPP merchant.
- Summarize the investigation and findings.
- Report results to Visa.

Account Testing

What is Account Testing?

Account testing is an increasingly common and widespread scam used by criminals to check the validity of lost, stolen, counterfeit, or other illegally obtained account numbers. A criminal simply makes a small purchase or submits an authorization request on a number they wish to test. If the transaction is authorized, the account number will then be used for additional, larger fraud transactions.

How Does Account Testing Work?

Like skimming, account testing often occurs at merchant locations, but may not involve a business's principals or collusive employees. In a common scenario, a criminal will test a stolen or counterfeit card on an Internet site to determine whether the account is blocked and, in the case of counterfeit, whether the Issuer checks expiration dates in the authorization process. Then, to determine whether the CVV is checked, he/she will use a re-encoded card to buy a few dollars' worth of gas at a cardholder-activated pump.

In other cases, lists of account numbers may be run through a bust-out merchant or spoof site. In these schemes, the accounts being tested will be submitted for authorization only; few, if any, completed transactions will be processed from the site.

Criminals may also test accounts by gaining access to a merchant's transaction-processing system in other ways, for example, by getting a business's merchant account number and the phone number for its authorization center. This information is often posted near POS terminals and is relatively easy to copy down, or it may be provided by a collusive employee. Fake transactions can then be called into the authorization center from a public pay phone, stolen cell phone, or any other hard-to-trace location.

At many authorization centers today, calls are answered by automated voice-response units, which makes early detection and prevention of these scams even more difficult. The lack of human interface means less chance for authorization agents to speak directly with customers and identify account testing or other potentially suspicious calls.

CreditMaster: Fraud You Can Download

CreditMaster is a computer program used by criminals, or renegade computer hackers, to generate lists of valid or potentially valid bankcard account numbers for fraudulent use. The program first appeared in the mid-1990s, and since that time, similar account number-generating software has become widely available and easy to download from the Internet.

In general, these programs work by running a single, currently valid account number through a mathematical formula called a check-digit algorithm. The result is a list of valid or potentially valid numbers that could belong to legitimate cardholders. The lists are then sold or provided to bust-out merchants or other perpetrators who test the numbers and use them for fraudulent transactions.

At this time, CreditMaster and other account number-generating software are not, in and of themselves, illegal; neither is the act of generating account numbers. Perpetrators can only be arrested and charged with a crime if the account numbers generated by these programs have been used in counterfeit or other fraudulent transactions.

Understanding Key-Entered Fraud

Key-entered transactions are prohibited in some markets due to the high fraud losses associated with this method of payment processing.

Key-entered fraud, a method for processing fraudulent or unauthorized transactions, is a frequently used component of many merchant fraud scenarios, such as bust-out schemes, laundering, or telemarketing fraud. In these scams:

- Cards are not present. The merchant or perpetrator may be working off a list of counterfeit or fraudulently obtained account numbers.
- Transactions are key-entered by using the manual override function, which is a standard feature on all POS terminals.
- The merchant then deposits the transactions normally, and payment is generally received within 48 hours.

Key-entry is not, in and of itself, a sign of potential fraud; however, Acquirers do need to be aware of how current transaction-processing technology can be exploited by criminals and collusive merchants. In boiler room scams, multiple terminals are located in a single room or small office, allowing criminals to key-enter and receive payment for hundreds or even thousands of fraudulent transactions in a very short time, often without immediate detection. Working on rows of terminals, criminals can process a large volume of transactions one day, receive payment and empty their account the next, and then disappear before an Acquirer is even able to review daily Exception reports for signs of suspicious activity.

Managing Inactive Merchant Accounts

Maintaining an inactive merchant account on file can result in unnecessary operating costs, but of greater concern is the fact that it can represent potentially significant exposure to fraud. If an account has been inactive for two to three months, it could simply mean the merchant is seasonal, went out of business, or signed with another Acquirer; nevertheless, keeping the account open creates expense to the Acquirer. On the other hand, an inactive account can signal one of two fraud schemes:

- A bust-out scam, where a fraudulent merchant signs with several Acquirers simultaneously, moving from one to the next as the scam is perpetrated or detected.
- The fraudulent diversion of the merchant's deposits to a bogus merchant account with another Acquirer. In this scheme, an individual claiming to represent the Acquirer tells the merchant that he or she needs to replace or reprogram the POS terminals. The funds are then routed to an account that individual has set up elsewhere, and neither the merchant nor the legitimate Acquirer sees the deposit.

Acquirers should have exception monitoring in place to flag inactive accounts, and follow up on all such exceptions with the known business owner (as described in the next chapter).

Chapter 6 Merchant Activity Monitoring and Follow-Up

WHAT'S COVERED
- New Merchant Monitoring
- Ongoing Merchant Monitoring
- Periodic Merchant Reviews
- Identifying and Following Up on Suspicious Activity

Merchant activity monitoring is an essential part of managing merchant portfolios. Daily monitoring of a merchant's deposit and authorization activity can help an acquiring institution recognize any unusual or sudden change in normal merchant deposit activity levels. Acquirers should also conduct periodic reviews of merchant accounts to re-evaluate financial status and business operations.

As merchant fraud scenarios, and the losses they can cause, seem to multiply, Acquirers must expand their monitoring efforts to identify these scams at the earliest possible moment. This chapter recommends monitoring reports and practices to help Acquirers identify merchant fraud and keep losses to a minimum.

New Merchant Monitoring

However thoroughly an Acquirer may investigate prospective merchants, the first few months after signing a new account should be a time of heightened vigilance. Acquirers need to be on the lookout for any evidence of suspicious activity associated with bust-out or other merchant fraud scams, or any activity that is out of line with the merchant application and may indicate higher risks.

Criminals who set up merchant facilities will often make normal deposits for a month or two before there is a sudden spike in the deposit of a large number of counterfeit or laundered transactions, which result in a large number of chargebacks.

To ensure careful monitoring of new merchants, a daily review of all transactions from new merchant locations is recommended for a two- to three-month period. During this time, any variations or deviations in sales activity should be flagged and promptly investigated. Suspicious activity may include any of the following:

- Deposit Variations. Check for any variations in deposit amount, frequency, or type. Has a merchant suddenly changed from weekly to daily deposits? In the case of manual deposits, are they being made at a branch office where the merchant normally doesn't do business? Are paper drafts handwritten or imprinted with another merchant's name (a sign of possible laundering)? Do the deposit totals and average transaction size coincide with projections on the merchant's application?
- Large Deposits. Unusually large bankcard deposits should be treated the same as any large deposit to a checking or savings account; that is, they should be reviewed by bank personnel, and funds held when appropriate. Acquirers should pay particular attention to deposits containing large, even-monetary amounts or excessive credits, which may indicate that a merchant is making cash advances or other improper payments. Similarly, look for multiple drafts with the same account number on them or any sudden increase or decrease in a merchant's average ticket amount.
- Suspicious Authorization Activity. Like deposits, authorization records should be monitored for any signs of fraudulent activity. For example, is a merchant submitting a large number of authorization requests during non-business hours? Is the authorization decline rate unusually high? Look for discrepancies between the number of authorizations and transactions, specifically a high number of authorizations with few or no corresponding transactions. Acquirers should also scrutinize any sales where the transaction has been approved only after a merchant has made repeated authorization requests for declining dollar amounts. Attempts to circumvent authorization limits may indicate split sales or other improper transaction processing.

All other significant aspects of the merchant's business should be monitored as well. Acquirers should look for sudden changes in ownership, location, phone number, product line, or selling methods. Other signs of suspicious activity may include requests for new accounts or for additional sales equipment such as terminals, imprinting machines, or sales transaction receipts at new or additional locations.
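The authorization checks listed under Suspicious Authorization Activity can be run over a new merchant's daily records. The Python below is an added example, not part of the Visa guide; the record layout, merchant IDs, account tokens, business hours and every numeric threshold are assumptions (the guide gives no numeric limits for these checks), and the sample records are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Assumed thresholds for this example; tune them to the portfolio.
MAX_DECLINE_RATE = 0.30      # share of authorization requests declined
MAX_OFF_HOURS_SHARE = 0.50   # share of requests outside business hours
MIN_SETTLE_RATIO = 0.50      # settled transactions per approved authorization
MIN_DECLINES_IN_RUN = 2      # "repeated" requests before the approval
BUSINESS_HOURS = range(8, 20)  # 08:00 to 19:59, merchant local time


@dataclass(frozen=True)
class Auth:
    merchant: str
    account: str        # tokenised account reference, never a card number
    when: datetime
    amount: float
    approved: bool


def declining_amount_retries(auths):
    """Return (merchant, account, amounts) where an approval came only after
    repeated declines at strictly decreasing amounts on the same account."""
    by_key = defaultdict(list)
    for a in sorted(auths, key=lambda a: a.when):
        by_key[(a.merchant, a.account)].append(a)
    hits = []
    for (merchant, account), seq in by_key.items():
        run = []  # amounts of consecutive declines, each lower than the last
        for a in seq:
            if not a.approved:
                if run and a.amount >= run[-1]:
                    run = []          # amount did not drop: start a new run
                run.append(a.amount)
            else:
                if len(run) >= MIN_DECLINES_IN_RUN and a.amount < run[-1]:
                    hits.append((merchant, account, run + [a.amount]))
                run = []
    return hits


def review_merchant(merchant, auths, settled_count):
    """Return the list of authorization warning signs for one merchant."""
    mine = [a for a in auths if a.merchant == merchant]
    if not mine:
        return []
    approved = sum(a.approved for a in mine)
    declined = len(mine) - approved
    off_hours = sum(a.when.hour not in BUSINESS_HOURS for a in mine)
    flags = []
    if declined / len(mine) > MAX_DECLINE_RATE:
        flags.append("high decline rate")
    if off_hours / len(mine) > MAX_OFF_HOURS_SHARE:
        flags.append("off-hours authorizations")
    if approved and settled_count / approved < MIN_SETTLE_RATIO:
        flags.append("authorizations without settlement")
    if declining_amount_retries(mine):
        flags.append("declining-amount retries")
    return flags


def _t(hour, minute=0):
    return datetime(2003, 2, 3, hour, minute)  # constructed date


# Constructed records for three hypothetical merchants.
SAMPLE_AUTHS = (
    # M-TEST: ten one-dollar requests at 02:00 on ten accounts, none settled.
    [Auth("M-TEST", f"tok-{i}", _t(2, i), 1.00, i % 5 not in (0, 1))
     for i in range(10)]
    # M-SPLIT: one account approved only after two declines at higher amounts.
    + [Auth("M-SPLIT", "tok-x", _t(11, 0), 900.00, False),
       Auth("M-SPLIT", "tok-x", _t(11, 2), 600.00, False),
       Auth("M-SPLIT", "tok-x", _t(11, 4), 400.00, True)]
    + [Auth("M-SPLIT", f"tok-s{i}", _t(14, i), 35.00, True) for i in range(5)]
    # M-OK: ordinary daytime sales, all settled.
    + [Auth("M-OK", f"tok-k{i}", _t(10, i), 20.00, True) for i in range(4)]
)
SAMPLE_SETTLED = {"M-TEST": 0, "M-SPLIT": 6, "M-OK": 4}

if __name__ == "__main__":
    for merchant, settled in SAMPLE_SETTLED.items():
        print(merchant, review_merchant(merchant, SAMPLE_AUTHS, settled))
```

A flag is a prompt for the follow-up the guide describes, not a finding of fraud; a merchant with legitimately late opening hours would trip the off-hours check until BUSINESS_HOURS is set for it.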

Ongoing Merchant Monitoring

Merchant monitoring should be used as part of a regular, ongoing program to identify potentially fraudulent activities.

Most Acquirers have their own monitoring programs in place to regularly monitor merchant activity. To enhance these programs, Visa established the Merchant Deposit Monitoring Standards to help Acquirers set up a warning system to detect fraudulent activity at an early stage. The minimum requirements of this program are described in the Visa International Operating Regulations.

Experience has shown that an effective merchant monitoring program needs to go beyond the minimum requirements outlined in the Visa International Operating Regulations. The following charts provide an overview of a recommended set of reports and data review actions that make up a comprehensive merchant activity monitoring program. Keep in mind these reports are likely to be manually intensive and probably ineffective for all but the smallest Acquirers. There are, however, a number of vendors who can provide sophisticated merchant monitoring solutions. It is also possible for Acquirers to develop their own effective in-house solutions.

It is up to the Acquirer to assess its ongoing merchant monitoring needs and determine the reporting capabilities that will work given the institution's size and level of sophistication. Acquirers must also be realistic when it comes to the types of reports that will actually be reviewed and used by staff members.

Deposit Report Monitoring

Normal Weekly Activity Reporting (Required)

Acquirers must gather on a weekly basis each merchant's:

- Gross sales volume.
- Average transaction amount.
- Number of transaction receipts.
- Average elapsed time between the transaction date of the sales transaction receipt and the endorsement date (date a transaction receipt is prepared for clearing through interchange).
- Number of chargebacks.

Normal Daily Activity Reporting (Required for High-Risk Telemarketing Merchants)

Acquirer must gather on a daily basis each merchant's:

- Gross sales volume.
- Average transaction amount.*
- Number of transaction receipts.
- Average elapsed time between the transaction date of the sales transaction receipt and the endorsement date (date a transaction receipt is prepared for clearing through interchange).
- Number of chargebacks.

* An average transaction amount is usually the single most obvious predictor of a significant change in merchant activity. While not necessarily an indicator of risk, a radical change is a sign that something has happened and should be explored.

Exception Reporting (Required)
Acquirers must compare merchant activity to the Normal Weekly Activity established for each merchant at least once a week and generate reports for merchants who meet the following criteria.
- Weekly gross sales volume equals or exceeds US$5,000 and/or any of the following exceeds 150 percent of the Normal Weekly Activity:
  - Number of transaction receipts deposited.
  - Gross sales volume.
  - Average transaction amount.
  - Number of chargebacks.
- Average elapsed time between the transaction date and the endorsement date for a transaction (counting each as one day respectively) exceeds 15 calendar days.

Chargebacks (Required)
Acquirers should monitor for the following chargebacks:
- High percentage of chargebacks month-to-date
- Total number by merchant type
- Dollar volume by merchant type, compared to merchant's sales volumes
- Types of chargebacks

Credit/Returns (Recommended)
Acquirers should monitor the following credit return information:
- Total daily credit return amount
- Daily credit return-to-debit ratio

Deposit Monitoring
Acquirers should monitor the following deposit information:
- Daily deposit amount over maximum limit (defined by average daily volume for merchant)
- First deposit in six months or more
- Total turnover changes for paper merchants (chip-liability shift)
- Total turnover changes for magnetic-stripe merchants (chip-liability shift)

Draft Retrievals
Acquirers should monitor the following draft retrieval information:
- Number of copy/original requests by merchant
- Variations in weekly total by merchant
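The Exception Reporting criteria above, applied to one week of constructed data (an added example, not part of the Visa guide). It assumes each listed criterion is reported on its own, that elapsed time counts both the transaction date and the endorsement date, and that a zero baseline is flagged on any activity; the record layout and merchant IDs are hypothetical.

```python
from dataclasses import dataclass
from datetime import date

VOLUME_FLOOR_USD = 5000   # weekly gross sales "equals or exceeds US$5,000"
BASELINE_RATIO = 1.50     # "exceeds 150 percent of the Normal Weekly Activity"
MAX_ELAPSED_DAYS = 15     # elapsed time "exceeds 15 calendar days"
RATIO_METRICS = ("receipt_count", "gross_sales", "avg_amount", "chargebacks")


@dataclass
class Receipt:                      # hypothetical record layout
    transaction_date: date
    endorsement_date: date
    amount: float


@dataclass
class WeeklyActivity:               # the five figures gathered per merchant
    gross_sales: float
    receipt_count: int
    avg_amount: float
    avg_elapsed_days: float
    chargebacks: int


def elapsed_days(r):
    # Assumption: the transaction date and the endorsement date each count as a day.
    return (r.endorsement_date - r.transaction_date).days + 1


def summarize(receipts, chargebacks):
    """Reduce one week of receipts to the figures the guide asks for."""
    count = len(receipts)
    gross = sum(r.amount for r in receipts)
    return WeeklyActivity(
        gross_sales=gross,
        receipt_count=count,
        avg_amount=gross / count if count else 0.0,
        avg_elapsed_days=sum(elapsed_days(r) for r in receipts) / count if count else 0.0,
        chargebacks=chargebacks,
    )


def exception_reasons(current, normal):
    """Return the criteria this week's activity meets, in a fixed order."""
    reasons = []
    if current.gross_sales >= VOLUME_FLOOR_USD:
        reasons.append("gross_sales>=5000")
    for name in RATIO_METRICS:
        cur, base = getattr(current, name), getattr(normal, name)
        if base == 0:
            # No baseline (new or dormant merchant): a ratio is undefined,
            # so any activity at all is surfaced for review.
            if cur > 0:
                reasons.append(f"{name}:no_baseline")
        elif cur > BASELINE_RATIO * base:
            reasons.append(f"{name}>150%")
    if current.avg_elapsed_days > MAX_ELAPSED_DAYS:
        reasons.append("elapsed>15d")
    return reasons


def exception_report(merchants):
    """merchants: {merchant_id: (current_week, normal_week)} -> flagged merchants only."""
    report = {}
    for merchant_id, (current, normal) in merchants.items():
        reasons = exception_reasons(current, normal)
        if reasons:
            report[merchant_id] = reasons
    return report


def sample_week():
    """Constructed data for three hypothetical merchants."""
    feb3, feb4 = date(2003, 2, 3), date(2003, 2, 4)
    jan6, jan24 = date(2003, 1, 6), date(2003, 1, 24)
    return {
        # Ticket size quadruples and volume passes the US$5,000 floor.
        "M-1001": (summarize([Receipt(feb3, feb4, 200.0)] * 30, 1),
                   WeeklyActivity(2000.0, 40, 50.0, 2.0, 1)),
        # Old receipts deposited late, first chargebacks on a zero baseline.
        "M-1002": (summarize([Receipt(jan6, jan24, 50.0)] * 20, 2),
                   WeeklyActivity(1000.0, 20, 50.0, 2.0, 0)),
        # Steady merchant: nothing to report.
        "M-1003": (summarize([Receipt(feb3, feb4, 50.0)] * 40, 1),
                   WeeklyActivity(2000.0, 40, 50.0, 2.0, 1)),
    }


if __name__ == "__main__":
    for merchant_id, reasons in exception_report(sample_week()).items():
        print(merchant_id, reasons)
```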

Sales Transaction Receipts
Acquirers should monitor the following sales transaction receipt information:
- Average ticket amount (ATA) over maximum limit (defined by average daily volume for merchant)
- High percentage of tickets below the floor limit or ATA
- Excessive key-entered transactions for a POS merchant
- Non-electronic Data Capture items from a merchant who has Electronic Data Capture terminals
- Multiple sales transaction receipts with the same amount
- Multiple transactions on the same card
- Chip cards falling back
- Excessive non-domestic transactions/authorizations
- Heavy proportion of transactions on single BIN
- Sequential Card Numbers (if they can be spotted)

Authorization Report Monitoring

Exception Reporting
Acquirers should monitor for the following authorization activities:
- Daily authorized amount over the maximum limit (defined by average daily volume for merchant)
- Multiple authorizations for the same cardholder account number
- Total daily authorized count over the maximum limit
- Declined daily authorization percentage over the maximum limit
- Daily approval percentage over the maximum limit
- Descending amounts for the same cardholder account number
- Daily transactions that are manually or key-entered on an Electronic Data Capture terminal

Periodic Merchant Reviews

In addition to routine daily or weekly transaction monitoring, Acquirers should conduct periodic reviews of a merchant's financial status and business operations. The number and timing of these reviews should be based on the merchant type and market practices. Reviews should, however, be conducted annually for a merchant who runs an intrinsic credit or fraud risk.

Again, any sudden or unexpected change in sales volumes, merchandise, or profitability could be a sign of financial instability or potential fraud. Acquirers should also be on the lookout for any change in a merchant's ownership, business principals, bank accounts, or sales method or market. For example, a legitimate merchant might unknowingly sell a business to a criminal, who will then request a new or different Direct Deposit Account as part of a bust-out merchant scheme. Similarly, a sudden change from Card-Present to Card-Not-Present sales could be the first indication of a telemarketing scam.

In this area, Acquirers should consider applying the following practices:
- Re-evaluate the merchant's financial condition, such as notable changes in the merchant's sales volume, products, operations, or business practices.
- Conduct another on-site inspection to confirm that the merchant is complying with the provisions of the Merchant Agreement and the Visa International Operating Regulations.
- Verify that the merchant's financial statements and references are current.
- Look for and address immediately problems such as:
  - Imminent merchant failure.
  - Own card usage.
  - Change of goods sold or laundering.
  - Refund fraud.
  - Supplier/fulfillment problems.

Identifying and Following Up on Suspicious Activity

Recognizing the Signs of Suspicious Merchant Activity

In many, if not most cases, merchant fraud will result in a sudden, dramatic change in sales activity. To catch these unexpected shifts and fluctuations, Exception reports must be monitored daily and, if possible, before any payments for the day's transactions are deposited in a merchant's account. In addition, all transactions from new merchant locations should be reviewed on a daily basis for a one- to three-month period.

Signs of suspicious activity may include any of the following:
- An unusual or unexpected increase in the number or dollar amount of transactions. Likewise, a sudden re-activation of a previously inactive account.
- A dramatic shift, up or down, in the average transaction size.
- A high or disproportionate amount of key-entered sales.
- A large number of high or even-dollar transactions, especially if they are key-entered.
- A sudden drop or stop in sales deposits.
- Discrepancies between a merchant's authorization and transaction activity, specifically a high volume of authorizations with few or no corresponding transactions. This may be a sign of skimming or account testing.
- Account numbers in a numerical sequence or within the same BIN. Acquirers should also track deposits over periods of a few days or weeks to check for transactions or authorizations with account numbers in a single BIN. A string of account numbers may be the first sign of fraud associated with CreditMaster or other account number-generating software.
- An unusual proportion of declined transactions. This could be another indication of account testing.
- Authorization or transaction activity that takes place after hours, when the business should be closed. After-hours sales are associated with several types of fraud, including bust-out merchants and account testing.
- Excessive credits, or discrepancies between sales and credits. Acquirers should check transaction records for any discrepancies between the number and dollar amount of sales and credits, often the first sign of a merchant credit scam. For example, a business might issue a credit without a corresponding sale, or it could deposit several small- or medium-sized sales and then issue a single large credit to the merchant's personal account.
- Transactions charged against a merchant's personal account.
- At service stations with Cardholder-Activated Terminals (CATs), monitor for a sudden reduction in the proportion of transactions that occur at the pumps. Service stations are often a common purchase point in skimming scenarios in which criminals disable the CATs, forcing the customers to take their cards into the kiosk. While the customers pump gas, their cards are skimmed.
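Several of the authorization-side signs listed above, expressed as checks over one day of a merchant's authorization records (an added example with constructed data, not part of the Visa guide). The record layout, the thresholds `min_attempts` and `min_run`, the business hours, and the account numbers are assumptions made for illustration; sequence detection ignores the final check digit.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class Auth:               # hypothetical authorization record
    pan: str              # cardholder account number
    amount: float
    approved: bool
    ts: datetime


def descending_retries(auths, min_attempts=3):
    """Accounts approved only after repeated requests for declining amounts."""
    by_pan = defaultdict(list)
    for a in sorted(auths, key=lambda a: a.ts):
        by_pan[a.pan].append(a)
    hits = []
    for pan, seq in by_pan.items():
        if len(seq) < min_attempts or not seq[-1].approved:
            continue
        declined_first = all(not a.approved for a in seq[:-1])
        falling = all(x.amount > y.amount for x, y in zip(seq, seq[1:]))
        if declined_first and falling:
            hits.append(pan)
    return hits


def sequential_runs(auths, min_run=4):
    """Runs of consecutive account numbers as (first, last, length) tuples."""
    bodies = sorted({int(a.pan[:-1]) for a in auths})   # drop the check digit
    runs, start, prev = [], None, None
    for n in bodies:
        if prev is not None and n == prev + 1:
            prev = n
            continue
        if start is not None and prev - start + 1 >= min_run:
            runs.append((start, prev, prev - start + 1))
        start = prev = n
    if start is not None and prev - start + 1 >= min_run:
        runs.append((start, prev, prev - start + 1))
    return runs


def review(auths, deposited_pans, opens, closes):
    """Summarize one merchant-day; deposited_pans are accounts seen in deposits."""
    total = len(auths)
    approved = {a.pan for a in auths if a.approved}
    bins = Counter(a.pan[:6] for a in auths)             # BIN = first six digits
    top_bin, top_n = bins.most_common(1)[0] if bins else (None, 0)
    return {
        "decline_rate": sum(not a.approved for a in auths) / total if total else 0.0,
        "approved_without_deposit": len(approved - set(deposited_pans)),
        "after_hours": sum(1 for a in auths if not opens <= a.ts.time() < closes),
        "top_bin": top_bin,
        "top_bin_share": top_n / total if total else 0.0,
        "descending_retries": descending_retries(auths),
        "sequential_runs": sequential_runs(auths),
    }


def sample_day():
    """Constructed records; the account numbers are made up, not real cards."""
    day = lambda h, m: datetime(2003, 2, 10, h, m)
    auths = [
        # Five consecutive account numbers tried at 02:00 for US$1.00 each.
        Auth(f"400000123456780{i}0"[:15] + "0", 1.00, i >= 3, day(2, i))
        for i in range(5)
    ]
    auths = [Auth(f"40000012345678{i}0", 1.00, i >= 3, day(2, i)) for i in range(5)]
    auths += [
        # Same account retried for falling amounts until one is approved.
        Auth("4999990000000010", 900.00, False, day(10, 0)),
        Auth("4999990000000010", 600.00, False, day(10, 1)),
        Auth("4999990000000010", 300.00, True, day(10, 2)),
        # Ordinary sale.
        Auth("4888880000000020", 45.00, True, day(14, 0)),
    ]
    deposited = {"4999990000000010", "4888880000000020"}
    return auths, deposited


if __name__ == "__main__":
    records, deposits = sample_day()
    for key, value in review(records, deposits, time(9, 0), time(18, 0)).items():
        print(f"{key}: {value}")
```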

Investigating Suspect Merchant Activities

Acquirers should establish and document procedures for investigating suspect activity, including provisions such as:
- Requesting transaction documentation from the merchant.
- Validating the transaction with the Issuer.
- Holding settlement funds until the merchant explains the reasons for the activity.
- Contacting the merchant's branch bank if the merchant is involved in fraudulent activity.
- Visiting the merchant's site, if necessary, to perform an investigation.
- Escalating cases to senior bank management if fraud is more than a specific value or involves High-risk Merchants.
- Notifying the merchant underwriting or approval departments of the suspicious activity.
- Performing ongoing monitoring and investigations of identified merchants.

Chapter 7 Account Information Security

WHAT'S COVERED
- What is the Visa Account Information Security Program?
- Acquirer Account Information Security Responsibilities
- Implementing Information Security Standards
- Acquirer Resources

When customers offer their bankcard number to a merchant (at the point-of-sale, on the telephone, through the mail, or on the Internet), they want assurance that their account number and personal information are being properly guarded. To minimize the threats and risks to which account and transaction information is exposed, Visa International has developed a comprehensive set of Account Information Security requirements that must be implemented by Visa Members, merchants, and their agents. These requirements represent the minimum standards acceptable for participation in the Visa payment infrastructure. Once in place, these controls provide a well-armed defense against unauthorized modification, disclosure, or destruction of account and transaction information, whether intentional or accidental.

This chapter introduces the Visa International Account Information Security requirements for Acquirers, merchants, and their agents.

What is the Visa Account Information Security Program?

Information Security: Who, What, and Why

Cardholders expect merchants to safeguard any personal or financial information given during the course of a transaction. Keeping that trust is essential to fraud prevention and good customer service. Acquirers, merchants, and their agents have always been accountable for putting into place effective controls to protect account and transaction information. Because maintaining the confidentiality, integrity, availability, and authenticity of this information has always been the highest priority of the payment industry, these assets must be protected from unauthorized modification, disclosure, and destruction.

- For Visa. It means identifying the requirements and tools that encourage Members, merchants, and their agents to establish appropriate cardholder and transaction information security and privacy controls and measures.
- For Acquirers, merchants, and their agents. Data security should be a key component of all policies and practices related to the acceptance and processing of transactions.
- For Visa cardholders. It is a matter of selecting and doing business with a reliable, reputable entity. They want assurance that their account information is being guarded and that their personal data is safe.

The Visa International Account Information Security program provides Acquirers, merchants, and their agents with requirements for handling, storing, and protecting Visa account and transaction data. Properly implemented, these requirements help Visa Members, merchants, and agents protect their valuable information assets, while at the same time meeting their obligations to the Visa payment infrastructure.

Potential Costs and Risk Exposure

Without proper information security controls, threats to account and transaction information can expose an organization to several different types of risk.
- Financial Exposure. Direct theft, destruction, or other loss of assets.
- Reputation Exposure. The loss of brand equity, customer relationships, or competitive position in the market due to weakened trust and customer relationships resulting from an enterprise's vulnerability to threats.
- Regulatory and/or Legislative Exposure. Loss, or loss potential based on unresolved or unmitigated exposures, may result in an enterprise being penalized, depending on local laws. Many countries and regional jurisdictions have introduced legislation dictating how organizations must protect sensitive information.

Acquirer Account Information Security Responsibilities

All Visa Acquirers are required to:
- Monitor their agents and merchants to ensure that they maintain appropriate security requirements and procedures to prevent unauthorized disclosure of account and transaction information, according to regional implementation requirements.
- Annually inspect or revalidate corrective plans for organizations classified as high-risk (until they are no longer considered as such).
- Perform regular Account Information Security self-audits. The corporate officer responsible for the Member's auditing function is, upon request from Visa, required to provide attestation certifying that the Member has conducted the self-audit and is in compliance with Visa requirements. This includes proper enforcement of its agents' and merchants' compliance with applicable Visa requirements.
- Provide in their certification to Visa a list of all agents and merchants that are not in compliance with Visa Account Information Security requirements and their respective status. The listing should also include a summary of corrective actions taken or planned for any agent or merchant that is not in compliance. The Member accepts complete liability for all of its agents and merchants.
- Protect and indemnify Visa and its Members from all liability that may arise through or by the actions or omission of any of its agents or merchants.

Members may also choose to have monitoring and inspections performed by Visa-qualified Security Assessors.

For access to regional implementation plans, please refer to

Implementing Information Security Standards

To effectively secure Visa account and transaction information, Acquirer, merchant, and agent organizations should develop and implement an account and transaction information security policy that:
- Contains a statement that the organization understands that account and transaction information requires protection, regardless of the form or media in which it is held.
- Identifies risks and specifies the implementation of controls to provide reasonable assurance that account and transaction information is protected.
- Defines information security responsibilities for each position (e.g., manager, employee, and contractor).
- Establishes one or more officers responsible for the information security program.
- Designates individuals who will be responsible for protecting information assets and specifying appropriate levels of security.
- Includes an awareness or education program to ensure that employees and contractors are aware of their information security responsibilities.
- Provides for resolving and reporting information security incidents.
- Addresses exceptions or deviations from the Guide to Visa Account Information Security Standards.
- Encourages coordination with appropriate parties, such as audit and regulatory compliance officers.
- Establishes responsibility to measure compliance with, and soundness of, the security program.
- Includes options for reviewing and updating the program when encountering new threats and technology.
- Requires Members to certify that all agents and merchants meet the Visa Account Information Security Standards.

Acquirer Resources

To assist acquiring Members, merchants, and agents in achieving full compliance with Visa account and transaction information requirements, Visa International has developed two key resources:
- The Guide to Visa Account Information Security Standards is a comprehensive tool that provides a detailed overview of specific Visa security requirements related to the handling and storage of Visa account and transaction information. Acquirer adherence to these security requirements helps ensure a safe environment in which to do business, as well as smoother transaction processing. Ultimately, that means more revenue, fewer headaches, and a better bottom line.
- The Account Information Security Best Practices Guide covers other security practices that many organizations have found to be effective in protecting confidential information.

These Visa resources can be downloaded by accessing
Regional site links are also available for region-specific implementation information.


Chapter 8 Personal Identification Number (PIN) Security

WHAT'S COVERED
- About Visa PIN Security Compliance
- PIN Security (from the Attacker's Point of View)
- PIN Security Program Overview

Since the early 1980s, the financial services industry has used the Data Encryption Algorithm (DEA) to protect the confidentiality of cardholder Personal Identification Numbers (PINs). When the Data Encryption Standard (DES) was originally adopted, it seemed infeasible that any individual could successfully determine the value of a PIN given the time, hardware/software, systems, and financial resources required to carry out a key exhaustion attack. Over the years, however, advances in computer technology and other threats have opened new doors to cardholder PIN exposure and abuse.

This chapter offers a general overview of the security measures needed in order to protect cardholder PINs and prevent the possibility of compromise in the acquiring environment.

About Visa PIN Security Compliance

The security of PINs assigned to Visa-branded products such as Visa, Electron, Plus, and Interlink has always been of great importance to Visa and its Members. Technical staff from Visa have worked with many Member banks to formulate the standards under which PINs and cryptographic keys are managed and processed by participants in the worldwide payment system.

Visa's efforts, however, have extended well beyond the development of standards and regulations. Since the mid-1990s, Visa has had a comprehensive PIN Security Compliance program in place. The program includes:
- Publication of documents such as the Consolidated PIN Security Standards Requirements and the forthcoming Payment Card Industry PIN Security manuals.
- An annual compliance reporting requirement for entities involved in the acceptance or processing of interchange PINs.
- On-site PIN Security Field Review to verify compliance.

Visa places tremendous importance on PIN security. It is considered to be a matter of collective security, rather than an area for competition. As such, everyone involved in the payment industry is encouraged to share information and knowledge freely and openly.

PIN Security (From the Attacker's Point of View)

Sophisticated adversaries with increasingly powerful tools are attacking the Visa payment system every day. No matter how complex and robust the defense systems, given enough time, money, and most importantly, incentive, these defenses can be defeated by a determined attacker. Defense, by its very nature, consists of the processes of forecasting what the enemy will do and setting barriers and/or traps to frustrate his efforts.

So, what constitutes an attractive target? Ideally, the attacker is looking for the maximum score for the minimum degree of effort and risk. The perfect target would have some or all of the following attributes:
- Production keys used in the test environment, allowing the technical support staff to attack the key structure.
- PINs not protected by a secure PIN block, allowing dictionary attacks.
- Cryptographic keys would be non-random, non-unique and never change.
- Hardcopy keys that are in the clear or in cleartext halves.
- Few, if any, documented procedures.
- No audit trails or logs maintained.

Every one of these weaknesses that is corrected reduces the size of the window of opportunity for an attacker. Correct all of them and a rational attacker will likely decide that the potential reward is far too small for the effort and risk involved.

PIN Security Program Overview

Visa PIN Security Requirements

Visa requires its Members to complete a PIN Security Self-Audit before commencing operations and in subsequent years. While filling out this document, an internal auditor usually identifies some areas of non-compliance. For each of these, an Exception report must be completed and filed with Visa. All entities that accept or process PIN-based transactions for Visa-branded products are subject to these requirements.

Following the receipt of the Member's self-audit documents, Visa may call to arrange the schedule for a PIN Security Field Review and site inspection. This PIN Security Field Review usually requires the best part of two days to complete. During the review, the information that was submitted on the Self-Audit Questionnaire and Exception forms is verified and a determination is made as to whether the entity is in compliance with each of the PIN security control objectives examined.

Documented PIN Security Policies and Procedures

To ensure the security and integrity of PIN-processing equipment that is placed into service, initialized, deployed, utilized, and decommissioned, Acquirers must develop the following policies.

Area: Policies
Administrative: Key Custodian Selection; Equipment Selection; External Service Provider Selection
Key Management: Key Creation; Key/Key Component Transmittal; Key/Key Component Receipt; Key Loading; Key Storage; Key Destruction; Key Replacement
Equipment-Related: ATM/HSM/PIN Pad Receipt and Commissioning/Decommissioning; Equipment Theft; Periodic Equipment Inspection
Operating: Key Substitution; Key Compromise

For each of the policies listed here, as well as any additional policies, one or more procedures need to be in place. These procedures should be clearly communicated and instruct personnel to deal with specific situations and/or issues. As far as possible, these procedures should be self-documenting. For example, a script that lists the steps necessary to install an ATM could also contain spaces for the person who performed the install to initial after the completion of each step. For those procedures where self-documentation is not practical, external logs or audit trails are required in order to verify that the procedures have been followed.


Chapter 9 Merchant Fraud Investigation

WHAT'S COVERED
- Elements of a Careful Investigation
- Visa Fraud Investigation Performance Standards
- Examining the Merchant Profile
- Analyzing Transaction Data and Exception Items
- Data Security
- When a Scam Is Confirmed
- When a Merchant Agreement Is Terminated
- Merchant Communication During and After an Investigation

When signs of potential merchant fraud are discovered, or a scam is confirmed, Acquirers should initiate a prompt and rigorous investigation. The primary purpose of an investigation is to develop sufficient evidence and information to stop fraudulent activity and recover losses. Evidence and information collected during the course of an investigation should be carefully documented to provide legal counsel and law enforcement authorities with sufficient data to arrest and prosecute.

A successful fraud investigation requires a planned, systematic search for facts and other supporting evidence. This chapter includes guidelines on how to obtain all relevant information about a potential or confirmed merchant scam.

Elements of a Careful Investigation

A thorough merchant fraud investigation should accomplish three goals and help determine:
- How the fraud was committed.
- Who was involved.
- What can be done to minimize losses and prevent similar risks in the future.

Each fraud investigation should follow four basic steps:

➊ Analysis. Review available documentation, such as the lost/stolen card report, cardholder affidavit, and sales transaction receipts.

➋ Planning. Design a plan to facilitate the acquisition of information and evidence that will support an arrest and subsequent conviction and/or recovery of funds.

➌ Fact-Finding. Collect information and evidence according to plan. Fact-finding usually involves telephone and field interviews with witnesses and, where possible, verification and corroboration of evidence.

➍ Resolution. Following the collection of evidence, determine what action will be necessary to resolve the case. Resolution may be achieved by:
- Turning over available evidence to law enforcement personnel. Cooperative efforts with local law enforcement may result in the arrest and prosecution of suspected fraud perpetrators, as well as restitution.
- Seeking resolution. Where evidence is not sufficient for criminal prosecution, efforts to obtain financial resolution from suspected perpetrators may be successful and should be pursued.
- Closing the case due to lack of sufficient evidence to prosecute.

During a merchant fraud investigation, it may be necessary to involve the Issuer if a subpoena is sought, since the Issuer is typically the injured party.

Where possible, Acquirer investigators should contact the merchant directly and request all available information about the fraud. Most merchants will be cooperative and truly surprised that fraud has been discovered at their business location. If a merchant seems reluctant or refuses to answer your questions, an Acquirer may want to seek assistance from local law enforcement or, in extreme cases, go to court for a subpoena.

A careful investigation may, but need not, include an on-site inspection. In fact, most investigations can be based on information derived from an Acquirer's routine merchant monitoring and transaction records, such as regularly updated merchant profiles, authorization records, Exception reports, and chargeback monitoring.

Visa Fraud Investigations Performance Standards

Visa may take appropriate actions to ensure that a Member complies with these performance standards and the Visa International Operating Regulations. Such actions may include, but not be limited to, assigning appropriate resources to bring the Member into compliance at the Member's expense.

Compliance with the following standards can help ensure timely and effective fraud investigations. Specifically, Acquirers and/or assigned risk management personnel should do the following:
- Establish a 24-hour contact telephone, fax, or telex number to support investigative inquiries from other Visa Members, law enforcement, or criminal justice personnel. During off-hours, contact can be accomplished through the use of pagers for on-call fraud control personnel.
- Provide a substantive response to all investigative inquiries from other Members or law enforcement within 72 hours of receiving the initial request. When requested, document all inquiries and responses.
- Notify the designated Visa Fraud Control contact if another Member fails to comply with investigative support performance requirements.
- Ensure access to cardholder and merchant transaction data for at least the prior six months' activity.
- Maintain documented investigative procedures governing all phases of a fraud investigation.
- Maintain all documentation relating to each investigation initiated by or on behalf of the fraud control department or other personnel. Documentation should be kept for at least three years following the last update to the respective case file.

Examining the Merchant Profile

Acquirers should maintain and review merchant profiles to detect irregularities that could point to a problem. Regularly updated merchant profiles contain a wealth of information about a business's operations and its relationship with the Acquirer, such as:
- Account history. This includes basic information on how long the account has been open, the business's track record, and any previous incidents of fraud, excessive chargebacks, or other suspicious activity.
- Business type. Look for any signs of risk: a high-risk business category, location, or sales method. For example, a shift from Card-Present to Card-Not-Present selling may be the first sign of telemarketing fraud.
- Terminal type. Find out the type of POS devices and software the merchant uses, and the account information these terminals read and display. Make an inventory of the number of terminals, their locations, and their serial numbers. This information may be vital when investigating a counterfeit skimming scam or any other merchant fraud where account data theft occurs.
- Transaction-processing procedures and infrastructure. Look for other potential points of compromise in a merchant's transaction-processing system. Are cards ever out of customers' sight during transactions? How many other systems or entities are involved in transaction processing (the merchant's host system, a third-party processor, Acquirer systems, etc.)? Who has access to account data at the different locations involved in transaction processing?
- Number of terminals and employees. A merchant's size can be a key element in how fraud is committed and concealed. Fraud often occurs after a business opens a new location, expands its workforce, or takes on a new partner. Similarly, criminals may attempt to conceal a scam (for example, laundering) by processing transactions through different terminals or different locations in a large business.
- Average sales volumes. Tracking changes in a merchant's gross sales volume, average ticket amount, and number of transactions can help an Acquirer determine the dimensions of a scam: when it began, the type of fraud involved, and potential losses.

Analyzing Transaction Data and Exception Items

Looking at Records

Authorization and sales records for fraudulent transactions should be closely scrutinized for common characteristics. Additional details may also be obtained by having the merchant review these records. Acquirer investigators should look for:
- Time of Transaction. Did the fraud occur during or outside of regular business hours? What shift? Who was working?
- Department and Terminal ID. This information can help you pinpoint a potentially collusive employee, or faulty card acceptance procedures in a particular area.
- Entry Mode. Was the card swiped, or was the transaction key-entered?
- Other Characteristics. Any potential similarities on authorization and sales records may help you document the basic details of a scam and identify the perpetrators. Check sales amounts, types of merchandise purchased, and the account numbers used.

Exception Items and Signs of Fraud

A sudden, dramatic rise in the number of chargebacks or Requests for Copy is often the first sign of a laundering or telemarketing scam, or a change in the way a merchant is doing business. When reviewing chargeback records, staff investigators should always be on the lookout for chargeback codes that indicate customer disputes, such as Non-Receipt of Merchandise, Merchandise Not As Described, and Defective Merchandise.

Data Security

A comprehensive merchant fraud investigation should also include an examination of a business's data security practices. Since most counterfeit schemes will, at some point, involve the theft of valid account information, the investigation should also:

- Involve an examination of a business's data security practices.
- Document what account information is stored, where, how, and who has access to it.
- Determine if any merchant employees have recently brought a laptop computer to work. Laptops are often used in skimming or other scams where data theft occurs.

When a Scam is Confirmed

Minimizing Fraud Losses

If a fraud scam is confirmed or seriously suspected, Acquirers should consult with their legal counsel about how to minimize losses. Loss reduction strategies may include any or all of the following actions:

- Freeze the merchant's Direct Deposit Account or other accounts.
- Immediately terminate the business's Merchant Agreement.
- File a civil suit to recover losses, and, if appropriate, freeze other assets of the business or its principals.
- Alert local and federal law enforcement agencies about the scam, and cooperate in their efforts to prosecute the perpetrators.
- Notify the National Merchant Alert Service (NMAS), if applicable in your market.

Acquirers should also contact the Issuers of any account numbers stolen, copied, or used for fraudulent transactions in a confirmed scam. This will allow the Issuers to conduct their own investigations, and monitor or close the accounts if necessary.

In cases where a merchant is truly unaware that a scam has occurred, or where collusive employees were involved, Acquirers should work with the business to develop a comprehensive fraud prevention plan. Additional training should be provided if necessary. Employees should be aware of proper card acceptance procedures, card security features, and what to do if suspicious about a card or a transaction. In addition, Acquirers should ensure terminals and equipment are set for optimum data security.

When a Merchant Agreement is Terminated

Whether a Merchant Agreement is terminated for simple business reasons, fraud, or credit risk issues, there are steps that should be taken to protect the organization and the payment system from losses:

- If owned by the Acquirer, remove POS terminals from the merchant location.
- To preclude the processing of further transactions, suspend settlement to the merchant's account. Authorization processing should be blocked as well.
- If a processor is used for authorizations or settlement, notify the processor and request that the merchant account be blocked to prevent account testing and any further deposits.
- Add merchant name to the Terminated Merchant File (TMF) when the merchant account has been closed for cause.

Attention to these details will preclude time spent investigating account testing and prevent fraud in the long run.

Merchant Communication During and After an Investigation

Merchant fraud investigation efforts can be reinforced through written communications that alert the merchant to any deviations from standard operating procedures, or to any actions taken by the Acquirer in response to merchant investigation findings. Acquirer investigators should use merchant letters as part of a regular program to advise the business of:

- Actions they can take to reduce losses due to fraud. Advices are also used to notify merchants of upcoming changes in policies or procedures.
- Some anomaly noted or action taken regarding the handling of a transaction.
- Improper or excessive fraudulent activity has been noted and that corrective action needs to be taken immediately.
- A cancelled membership.

Merchant letters provide a record of merchant notification.

For sample letters advising the merchant of suspicious activity or termination, refer to Appendix C of the guide.


Chapter 10
Visa Risk Control Programs

WHAT'S COVERED

- Risk Identification Service (RIS)
- Acquirer Monitoring Program (AMP)
- Global Merchant Chargeback Monitoring Program
- Visa Fraud Reporting System (FRS)

The ingenuity of today's criminals means that even the most conscientious and careful Acquirer may at times miss crucial evidence of a scam and suffer the resulting losses. To fight fraud more effectively, system-wide support is needed. In response, Visa has implemented a range of services and programs aimed at helping Acquirers identify risky transactions. This chapter provides an overview of Visa International's services and programs developed specifically for Acquirers.

Risk Identification Service (RIS)

The Risk Identification Service (RIS) is a monitoring program that:

- Helps Acquirers to identify concentrations of fraud and suspect activity at merchant locations and to take appropriate action to reduce losses.
- Provides Acquirers and merchants with education and technical support to improve business practices and minimize fraud exposure.

How RIS Works

RIS is intended primarily as a safety net, to supplement Acquirers' deposit monitoring and merchant education efforts. The program compiles data from Issuers on fraud, chargebacks, and other suspect activity, and then uses this information to identify merchant locations where risk-related activities equal or exceed parameters set by Visa.

RIS defines suspect activity as any transaction charged against an account that has already been blocked or terminated by the Issuer. Fraud activity comprises all fraudulent transactions reported via the Fraud Reporting System (FRS).

RIS monitoring is ongoing and automatic; Acquirers do not have to enroll. The program generates an Identification Report when unacceptable levels of fraud or suspect activity are found at a merchant location. Reports are sent to Acquirers by mail or fax, and remedial action may be required, depending on the kind and number of reports received.

Identification Reports

RIS issues four types of identification reports. Each report is associated with increasingly severe fraud risk and strong response to prevent future losses. The four types of identification reports (listed in order of fraud risk severity) are:

- Advices.
- Notifications.
- Alerts.
- Warnings.

Remedial action is mandatory for RIS Notifications, Alerts, and Warnings.

For more information about the Risk Identification Service, contact your Regional Risk Representative or Visa Account Executive.

Acquirer Monitoring Program (AMP)

The Acquirer Monitoring Program (AMP) identifies Acquirers whose merchants contribute a disproportionate amount of fraud to the system. The program's goal is to reduce fraud and the cost of fraud to Visa Members.

Each month, the AMP identifies and notifies Acquirers of merchants with excessive fraud activity. Reports on merchants over program thresholds are sent to Acquirers. Acquirers are then required to take remedial action. Failure to bring fraud rates below program thresholds within specific time frames could result in fines.

To support Acquirers that receive notifications, Visa staff provide fraud transaction detail and then monitor remedial actions and the impact of these actions. Acquirers that have initiated an action plan immediately after receiving a notification have seen encouraging results, with their overall average fraud rate dropping fifteen percent.

For more information about the Acquirer Monitoring Program, contact your Regional Risk Representative or Visa Account Executive.

Global Merchant Chargeback Monitoring Program

The Global Merchant Chargeback Monitoring Program measures international chargebacks relative to international sales. The program defines a critical level of monthly chargeback activity. If a merchant's activity rises above this level, Visa has determined that the merchant is causing undue damage to the Visa payment system both economically and in terms of goodwill. The Acquirer is then assessed a significant fee per chargeback.

The Global Merchant Chargeback Monitoring Program has been implemented since September 1999 to reduce the number of excessive international chargebacks and compensate Issuers for chargeback handling costs.

Each month the ratio of a merchant's international chargebacks is compared to their international sales. A merchant must have a minimum of 100 chargebacks to be eligible for the program. If the merchant's ratio of international chargebacks to international sales in any month exceeds 2.5 percent, a fee of US$100 will be applied per chargeback in the month. All fees are assessed to the Acquirer of the violating merchant.

For more information about the Global Merchant Chargeback Monitoring Program, contact your Regional Risk Representative or Visa Account Executive.
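An Acquirer can apply the thresholds stated above to its own monthly totals to see which merchants carry a fee and which are close to one. The following Python example is added here and is not part of the Visa guide; it assumes the ratio is measured by transaction count (the guide does not say whether count or amount is used), and the merchant IDs, totals and function names are constructed.

```python
MIN_CHARGEBACKS = 100            # eligibility floor stated in the guide
RATIO_NUM, RATIO_DEN = 25, 1000  # 2.5 percent, kept as integers so the
                                 # "exceeds" boundary is exact
FEE_PER_CHARGEBACK_USD = 100     # fee stated in the guide

# Constructed monthly totals per merchant:
# (merchant ID, month, international sales count, international chargebacks)
MONTHLY_TOTALS = [
    ("M-3003", "2003-01", 50000, 400),   # large merchant, low ratio
    ("M-1001", "2003-01", 10000, 260),   # over both thresholds
    ("M-2002", "2003-01", 2000, 80),     # high ratio, under 100 chargebacks
    ("M-1001", "2003-02", 10000, 250),   # exactly 2.5 percent
]


def assess(sales, chargebacks):
    """Apply the program rule to one merchant-month.

    Returns (fee_usd, headroom): the fee assessed to the Acquirer, and the
    number of further chargebacks the merchant could take at this sales
    level before a fee would apply (0 when a fee already applies).
    """
    if sales <= 0:
        # Assumption: the guide does not cover a month without sales.
        raise ValueError("ratio is undefined without international sales")
    eligible = chargebacks >= MIN_CHARGEBACKS
    # Strictly greater than 2.5 percent, as the guide says "exceeds".
    over_ratio = chargebacks * RATIO_DEN > RATIO_NUM * sales
    if eligible and over_ratio:
        return chargebacks * FEE_PER_CHARGEBACK_USD, 0
    # Smallest chargeback count that meets the floor AND exceeds the ratio.
    trigger = max(MIN_CHARGEBACKS, RATIO_NUM * sales // RATIO_DEN + 1)
    return 0, trigger - chargebacks - 1


def monthly_report(rows):
    """Return (merchant, month, ratio_pct, fee_usd, headroom) rows.

    Fee-bearing merchants come first, then those closest to the trigger.
    """
    report = []
    for merchant, month, sales, chargebacks in rows:
        fee, headroom = assess(sales, chargebacks)
        ratio_pct = round(100 * chargebacks / sales, 2)
        report.append((merchant, month, ratio_pct, fee, headroom))
    return sorted(report, key=lambda r: (-r[3], r[4]))


if __name__ == "__main__":
    for merchant, month, ratio_pct, fee, headroom in monthly_report(MONTHLY_TOTALS):
        print(f"{merchant} {month}: {ratio_pct}% fee=US${fee} headroom={headroom}")
```

The constructed rows show why both conditions matter: a 4 percent ratio with 80 chargebacks carries no fee, and a merchant at exactly 2.5 percent is one chargeback away from one.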

Visa Fraud Reporting System (FRS)

In the field of risk management, the importance of timely and accurate information gathering can never be underestimated. Being able to pinpoint sources of risk and develop effective ways to reduce it are often essential keys to successful fraud prevention. This is why Visa has made fraud reporting a continuing priority in Member education efforts.

The Visa Fraud Reporting System (FRS) has been designed specifically to help Members report, track, and analyze fraud activity. The system operates in this manner:

➊ Visa-issuing Members use VisaNet to report their fraudulent transactions to Visa.
➋ The FRS consolidates the information and uses it to generate various status and performance reports, which are then sent to issuing and acquiring Visa Members.
➌ The reports enable all Visa Members to track their organization's fraud activity, analyze risk potential, and take specific action.

Reports Available to Acquirers

The following reports are available to all acquiring Members.

Acquirers may request customized analysis of fraud activity that is tailored to meet their risk management needs. For example, reports can be designed to pinpoint specific sources of risk by geographic area (city, state, or country), merchant, or Fraud Type.

Title: Bi-Weekly Acquirer Merchant Activity Report
ID #: FRDBMC51
Description: Provides a detailed listing of all Issuer-reported confirmed fraud transactions occurring on the Acquirer's merchant base. A separate report is produced for each BIN used by an Acquirer. This report should be used in conjunction with the Risk Identification Service (RIS) reports. If a merchant's fraud activity is higher than average, the merchant's procedures should be reviewed. Continued high-fraud activity can result in RIS-related chargebacks.

Title: Bi-Weekly Acquirer Merchant Summary
ID #: FRDBMS52
Description: Provides a summary of all Issuer-reported confirmed fraud transactions for the Acquirer's merchant base. A separate report is produced for each BIN used by an Acquirer. The report summarizes the fraud transaction amounts (expressed in the Acquirer's currency) and fraud transaction counts on the Acquirer's merchant base by Fraud Type and for each of the top 15 Merchant Category Codes.

Title: Quarterly Acquirer Merchant Summary
ID #: FRDQMS53
Description: Provides a summary of all Issuer-reported confirmed fraud transactions for the Acquirer's merchant base. A separate report is produced for each BIN used by an Acquirer. This report summarizes the fraud transaction amounts (expressed in the Acquirer's currency) and fraud transaction counts on the Acquirer's merchant base by Fraud Type and for each of the top 15 Merchant Category Codes.

Visa FRS can help Acquirers identify sources of high-risk transactions and develop merchant fraud control systems and programs tailored to meet their specific needs. For more information about the Visa FRS, refer to the Visa Fraud Reporting System User Guide and/or contact your Regional Risk Representative or Visa Account Executive.

Chapter 11
Management Information

WHAT'S COVERED

- Tracking Performance
- Fundamental Risk Reports

Acquirers need ongoing information to run a profitable merchant program. Key performance indicators can help management pinpoint early warnings of possible risk exposure. This chapter includes a listing of the different types of risk reports that can be used to track the Acquirer organization's overall business performance and merchant fraud prevention effectiveness.

Tracking Performance

In order to properly control the acquiring business and identify the early warning of such issues as fraud losses, poor profitability, or interchange margins, management needs information to track and measure key performance indicators. Communication between the Merchant Operations Center functional areas, as well as to senior management, is absolutely fundamental in running a profitable acquiring business because it allows managers to:

- Make informed decisions.
- Focus on the risk issues that affect the whole acquiring business.
- Commit to necessary resources to address issues.

To track the overall performance of the acquiring business:

- Produce key operational indicators on a regular basis showing data such as:
  - Exposure to High-risk Merchants and industries.
  - Number of merchant leads by source.
  - Merchant approval rate.
  - Merchant service charge income.
  - Terminal income.
  - Interchange expenditure.
  - Number of merchant exceptions.
  - Profit or loss by merchant sector.
  - Specific provisions raised against merchant losses.
  - New fraud cases.
  - Number of terminations.
  - Merchant attrition rate by reason.
- Use chargeback reporting as a leading indicator for fraud control and investigations activity.
- Incorporate this information in your merchant acquisition strategy (e.g., consider chargeback rate and investigations caseload by merchant type to determine low- and High-risk Merchant types).
- Use this information to help set policies regarding marketing and authorizations.

Fundamental Risk Reports

Keeping in mind that there is no limit to how Acquirer performance data can be sorted and reported, management should at minimum receive the following fundamental risk reports on a monthly basis.

Reports:

- Key Operational and Leading Indicators
- Acquired Risk
- Merchant Inactivity

Data Elements:

- Request-for-Copy transactions by merchant type
- Request-for-Copy transactions by merchant
- Chargeback volume by merchant type
- Chargeback volume by merchant
- Fraud-related chargebacks by merchant
  - Alteration of amount
  - Declined authorization
  - Fraudulent multiple transactions
  - Magnetic-stripe counterfeit transaction
  - Missing imprint
  - Non-matching account number
  - Risk Identification Service (RIS)
  - Split sale
  - Unauthorized signature
- Consumer-disputed chargebacks by merchant
  - Defective merchandise
  - Not as described
  - Services not rendered
- Fraud-to-sales rate by merchant type
- Fraud-to-sales rate by merchant
- Fraud by type (for example, card not received, counterfeit)
- Fraud above versus below floor limit
- Investigations by merchant type
- Investigations by merchant
- Development of trend analysis on acquired fraud data to manage point-of-sale fraud
- Merchants inactive for 3 months or more


Chapter 12
E-Commerce Merchant Fraud Management

WHAT'S COVERED

- Understanding E-Commerce Risk Exposures
- E-Commerce Transactions Defined
- Merchant Marketing and Sales
- Merchant Underwriting
- New Merchant Setup
- Regional E-Commerce Registration Programs
- Merchant Portfolio Risk Management
- Merchant Operations
- Merchant Monitoring
- Terminated Internet Merchant File (Asia-Pacific Region Only)
- Merchant Procedures
- A Closer Look at Verified by Visa (3-D Secure)

For years, Acquirers have been differentiating the risks associated with the Card-Present and Card-Not-Present merchant environments. Member and Visa business practices have been adapted to accommodate and compensate for the different levels of risk according to transaction type. Until recently, Card-Not-Present transactions meant mail and telephone orders (MO/TO). With the emergence of e-commerce, many cases have been treated like any other Card-Not-Present event, when in fact there are distinct characteristics of this payment channel that demand Internet merchant evaluation and management. This chapter focuses on the specific operational standards, practices, and requirements that Acquirers should apply to control fraud in the virtual world.

Understanding E-Commerce Risk Exposures

Given the unique exposures presented by the e-commerce payment channel, Acquirers must develop a specific strategy to ensure their Internet merchant portfolio is one that reflects the organization's tolerance for risk and meets profitability expectations. To minimize the potential for accepting a fraudulent transaction, or one that is later denied by the cardholder, Acquirers should consider all of the key issues that must be addressed in order to successfully adapt to the e-commerce environment.

New Opportunities, New Fraud Exposures

E-Commerce is surrounded by circumstances that create a new set of fraud exposures for payment card systems.

- Global audience. The Internet allows merchants to offer products and services internationally. While this opens the door to legitimate buyers worldwide, it also offers global opportunities to criminals who are intent on taking advantage of security weaknesses in a merchant system.
- Powerful, cheap tools and reduced time needed to complete transactions. There is a relatively low start-up investment for Internet merchants. Most businesses can open their virtual storefront quickly. If a merchant does not take the time upfront to adequately protect its systems, serious security and fraud exposure damage can also occur very quickly.
- Constant availability. Internet merchants are available for business 365 days a year, 24 hours a day. This accessibility heightens their vulnerability to fraud and denial-of-service attacks.
- No centralized standards or legal authority. Because the Internet is global and there is no central authority that dictates security or operational standards, Acquirers and merchants must be extremely careful in their business dealings. High-risk Merchants intending to commit fraud tend to target Acquirers in countries with criminal justice systems that do not have the legislation to convict credit card crimes, or a police force that does not give priority to these types of financial crimes. Merchants are more likely to see fraudulent transactions originating from countries without these protections and with weak extradition treaties. Even for countries with seemingly mature payment card legislation, the Internet adds a complex element when determining jurisdiction.
- Critical information is more vulnerable to compromise. Interception of account data is simpler during an e-commerce transaction compared to mail or telephone orders. Computer technology makes it possible for criminals to collect massive quantities of credit card numbers and other account information in a quick, automated fashion. This technology can also inflict viruses upon merchant systems.
- Hackers intrigued by the challenges of new technology. For many hackers, the challenge of infiltrating new technology is one of the chief motivators for their malicious actions. Once a weakness is identified, it is often quickly exposed to others worldwide through Internet communications channels. Merchant system developers must proactively work to implement site security and data protection.

Visa has developed a global authentication solution known as Verified by Visa that provides Issuers with the ability to validate cardholders during an online purchase. Cardholder authentication reduces the likelihood of fraudulent usage, benefiting all participants in the online payment process.

- Personal information provided might be false. In many parts of the world, it is difficult to verify whether the information provided by the customer is valid, particularly if the merchant and customer are in different countries. Customers are reluctant to provide accurate information because they:
  - Do not trust that their information will be responsibly stored and/or used.
  - Do not want to be contacted.
  - Wish to mislead the merchant for fraudulent reasons.
- Weak identification mechanisms. The Internet offers its users an anonymous platform where it is difficult to trace messages back to their original source. This in turn makes fraud investigation extremely difficult. The ability to launch anonymous Internet attacks encourages the use of automated techniques with a low probability of tracking success. The expected payoff associated with such attacks is attractive because the downside risk to the attacker is very low.
- Selling virtual goods. Where digital content is being delivered to the buyer, the transaction occurs very quickly. If the buyer is using a fraudulent identification or payment method, it may not be detected until after the transaction is completed and the buyer is untraceable. Digital content sites (particularly adult Websites) can also become the target of criminals who want to test whether the account number(s) they have in their possession are valid.
- Merchant ability to cross borders quickly. As with traditional payment channels, Acquirers must always guard against High-risk Merchants that initiate the relationship for the purpose of committing fraud. This is especially important with Internet merchants because such businesses can be easily established in new locations practically overnight. In some cases, this is done simply by moving a Website server. This typically occurs when a merchant is terminated for excessive fraud behavior in one market and is then immediately picked up in another, less experienced market that does not adequately assess the risk or background of its merchants. Acquirers that sign new merchants without a thorough application review process and effective screening control can suffer losses.
- Cardholder fraud and disputes. The ability of a cardholder to successfully dispute an Internet transaction is dependent upon the Issuer's investigation process and the merchant's ability to provide supporting documentation for the transaction. Typical cardholder fraud and dispute risks associated with e-commerce transactions are outlined below.

Area: Fraud
Risk Possibilities:
- Customer uses a stolen card or account number to fraudulently purchase goods or services online.
- Family member uses a bankcard to order goods or services online, but has not been authorized to do so.
- Customer falsely claims that he or she did not receive a shipment.
- Hackers find their way into an Internet merchant's payment processing system and then issue credits to hacker card account numbers.

Area: Customer Disputes
Risk Possibilities:
- Goods or services are not as described on the Website.
- Customer is billed before goods or services are shipped or delivered.
- Confusion and disagreement between customer and merchant over return and refund.
- Customer is billed twice for the same order and/or billed for an incorrect amount.
- Customer doesn't recognize the merchant name on his statement because merchant uses a service provider to handle billing.

E-Commerce Transactions Defined

A transaction is considered e-commerce when the buyer and seller exchange payment information remotely (not face-to-face) over an electronic data network. An electronic data network connects the computing devices of buyers and sellers. Examples include the following:

- Internet
- Industry intranets
- Mobile phone networks
- Cable TV networks for set-top boxes
- Open or closed networks
- Private or public networks
- Public phone networks used for modem-to-modem connections
- Leased lines

The next two pages illustrate the types of transactions that are considered e-commerce in the Visa payment system.

What's An E-Commerce Transaction?

Payment is submitted over the Internet, but the merchant-acquirer data transfer is not over the Internet. A cardholder enters his/her card data into a merchant Website order form. After receiving the order, the merchant obtains authorization and settlement by entering the data into a dial-up point-of-sale terminal or some other batch/leased-line process, perhaps even creating a paper ticket.

Authorization is obtained over the Internet and a signature is received at delivery. A cardholder shops online and sends their payment data over the Internet. The merchant uses this data to obtain an authorization and delivers the goods. At the time of delivery, the cardholder is asked to sign a payment card receipt. Since the cardholder sent their payment data over the Internet, this is an e-commerce transaction. In addition, the merchant may have obtained proof that the cardholder participated in the transaction and that the goods were delivered and accepted.

Payment data is sent by e-mail. A cardholder sends an order request and the card data to the merchant in an e-mail message via the Internet. The merchant receives the data, and then obtains authorization and settlement by entering the data into a dial-up point-of-sale terminal, PC, or some other batch/leased-line process, perhaps even creating a paper ticket. This is an e-commerce transaction because the cardholder initiated the transaction by entering card data and transmitting it to the merchant over the Internet. How the merchant obtains authorization and effects settlement is not relevant to the definition.

Cardholder shops on the Internet and pays by mobile phone with card reader. A consumer browses a catalog on the Internet (or from a menu appearing on the mobile phone), orders an item, and selects to be invoiced on their mobile phone immediately. The mobile phone rings, the consumer enters their payment data using a chip card and submits the transaction without talking to a human over the telephone. This is an e-commerce transaction. Regardless of how the consumer browsed the catalog, the payment information was transmitted remotely over the electronic data network that connects the mobile phone to the merchant's computer.

Cardholder uses cable TV shopping mall with set-top box for payment data entry. A consumer initiates a transaction with a merchant featured as part of a cable network's shopping mall that is attached to a cable operator. Though the consumer is using a special device and the TV network, as opposed to the Internet or any open network, this is an e-commerce transaction. (The cable network is considered a closed network.) This applies in cases where the cardholder used a keyboard to type their account information and to the case of a chip-card reader available to the cardholder.

General Motors (GM) buys tires from Michelin over an automobile industry extranet. A GM purchasing agent is browsing from a menu of Michelin tires and submits Visa Commercial card data over a closed, private Extranet. In this case, there is a pre-existing relationship between GM and Michelin. This is an e-commerce transaction. The car industry and others have used Electronic Data Interchange (EDI) and now extranets (and the Internet) to conduct business-to-business commerce. The fact that the electronic data network is private and this is business-to-business is not relevant to the definition.

What's Not?

Payment is not submitted over the Internet, but the merchant-acquirer data transfer is over the Internet. A cardholder browses a catalog on the Internet and then makes a telephone call to place an order. This is a telephone order transaction because the cardholder initiated the transaction via telephone.

Cardholder shops on the Internet and pays by phone. A cardholder accesses a merchant's Website to obtain product information, but does not transmit an order form over the Internet. Instead, the cardholder sends the order and card data to the merchant via fax (or telephone conversation or mail). This is a traditional mail or telephone transaction because the cardholder did not transmit the information over the Internet.

Cardholder shops on the Internet and faxes payment details from the PC. A cardholder's personal computer has the capability to initiate a fax. After browsing a catalog on the Internet, the cardholder uses this capability to initiate a transaction by sending a fax to the merchant. This is a mail or telephone transaction, rather than e-commerce. Although a Cardholder Access Device was used to initiate the transaction, the order was not conducted over the Internet.

Local, no-contact transfer of payment data. The cardholder uses a pass or transponder to automatically pay their tolls at a tollbooth. Each time the pass or transponder passes a toll-booth, the toll is authorized and settled to the cardholder's account. The transaction seems to be conducted using a Cardholder Access Device. This scenario also plays out with the Mobil SpeedPass transponder, as well as several different varieties of ski resorts that use passes or transponders for their lift ticket systems. This is not an e-commerce transaction. The transponder is simply a wireless way for a payment mechanism to communicate with a point-of-sale (POS) terminal.

Merchant Marketing and Sales

Effective merchant acquisition includes clearly-defined marketing strategies to:

- Attract current merchants to the e-commerce program.
- Create alliances with Internet gateway vendors, Internet Payment Service Providers (IPSPs) and Commerce Service Providers (CSPs) offering secure merchant solutions and merchant referrals.
- Build a sales force to spur program growth and ensure signing policies that help direct this sales force.

The practices discussed here address many of the risk controls an Acquirer needs to have in place when implementing an e-commerce marketing strategy and maintaining third-party alliances.

Merchant Marketing Strategies

An Acquirer should have a documented strategic plan that addresses the future of its e-commerce business. If Internet merchants are already accepted or are a desired market segment, the marketing strategy should specifically address goals and objectives in acquiring this group. Suggested best practices include the following:

- Target existing merchants that are potential and appropriate e-commerce program candidates. Unlike new merchants, current merchants already have an established track record. This makes it easier to evaluate their applications and minimize risk exposure. By targeting those already in the merchant base who are most likely to respond and be approved, an Acquirer can increase its marketing effectiveness and keep costs down.
- Carefully evaluate the security capabilities of all potential third-party vendors that may handle cardholder account information. This should be done to prevent card numbers from being revealed while in transit and while stored. Acquirers should conduct rigorous and well-documented due diligence inspections to ensure that transaction security standards are in place.
- Establish alliances with Internet gateway vendors that offer secure transaction processing. If an Acquirer elects to partner with third-party agents, the Acquirer is liable for the action of those agents. Acquirers can reduce this risk exposure by partnering only with Internet gateway vendors that provide appropriate levels of transaction and data security. This approach also reinforces the importance of transaction security to the merchant community.

Merchant Signing Policies

As with mail and telephone orders, the Acquirer and merchant assume the majority of the risk in accepting e-commerce transactions. While most traditional products and services are available through the Internet, new types of unproven technologies and virtual products arrive on the Internet daily. Acquirers must manage the risks associated with the existing Internet merchant base, as well as the emerging merchant types, by carefully choosing what type of Internet merchant profile they will support. To help manage the risks, Acquirers must maintain formal merchant signing policies that specify the following conditions:

High-risk Internet Merchants warrant risk controls such as delayed funding, more frequent and stringent merchant monitoring, and collateral. There may be substantial risk in signing Internet Service Providers (ISPs) that accept credit card payments for lifetime Internet access. Acquirers and merchants remain at risk for a chargeback 180 days from the date services were expected. For lifetime services, this could mean chargebacks well beyond the typical 180-day chargeback limitation. Cancelled Recurring Services is another potential chargeback risk. The cardholder need only claim that they cancelled the service for the Issuer to successfully charge back the transaction.

- Define "accept" or "do not accept" policies for Internet merchants. Such policies could consider whether to exclude certain industries and High-risk Merchants from a program because of high volumes of customer disputes or greater probability of fraudulent transactions (e.g., merchants that offer adult content, gambling and lottery merchants, merchants that delay the delivery of goods or services, particularly subscription and travel-related services, merchants that offer digital content, such as software, which is fulfilled via the Internet at the time of purchase). The implementation of a solid "accept" or "do not accept" policy can help support an Acquirer's business strategy and optimize their portfolio.
- Authenticate the merchant applicant by requiring application data. This allows an acquiring institution to:
  - Verify the merchant's IP address (a numbering system that uniquely identifies a computer on the Internet).
  - Test the validity of the merchant's e-mail addresses.
  - Identify and explore the links on the merchant's Website.
- Establish separate standards for High-risk Merchants. Acquirers can lower risk of high chargeback rates and fraud exposures by developing more stringent underwriting criteria for high-risk Internet merchants (e.g., merchants selling travel packages, subscription services, or digital content). In some regions, high-risk Internet merchants are required to provide additional collateral.
- Require Internet merchants to secure cardholder data. This includes stating transaction encryption requirements and other security measures that will prevent merchants from storing unprotected cardholder data on the merchant server or Internet Payment Service Provider (IPSP).
- Sign only IPSPs with monthly billing practices in place. Many Acquirers feel IPSPs represent one of the highest-risk Internet merchant categories. This is primarily due to an industry history of business failures, high chargeback rates due to signing practices, and the nature of the product or services for future delivery. An Acquirer that signs with an IPSP to provide merchant acquisition, authorization, payment processing, or monitoring functions for sponsored merchants must ensure that the IPSP:
  - Performs all functions in accordance with the Visa International Operating Regulations.
  - Includes the Merchant Agreement requirements in its sponsored merchant contracts.

Merchant Sales Strategies

Given the extensive strategies, policies and procedures being created for the e-commerce marketplace, it makes sense to craft a dedicated sales strategy to support the effort. This can be done by:

- Establishing a dedicated e-commerce sales force. This can be accomplished by effectively training sales staff to adhere to the organization's signing policies and generate lower-risk merchant applications.
- Establishing and certifying merchant referral relationships with CSPs. These are third-party vendors that supply services to a merchant to support its ability to accept business. For example, a CSP may supply a packaged solution for accepting online Visa card transactions, risk management services, or distribution control services.

- Considering incentives and disincentives for signing good and poor accounts, respectively. This action can promote the acquisition of high-quality merchants and account longevity. It can also lead to higher profitability and lower risk exposure for an acquiring institution.

Merchant Underwriting

Visa has special underwriting requirements for Internet Payment Service Providers (IPSPs). See the Visa International Operating Regulations for more information.

To effectively manage fraud during the Internet merchant underwriting process, an Acquirer must develop appropriate merchant application requirements, underwriting and credit review procedures, and approval criteria. This process is especially important for the Internet merchant portfolio because of the additional risks assumed by the Acquirer. For the three primary reasons listed below, underwriting procedures for an Internet merchant portfolio must be carefully and deliberately managed to maximize the Acquirer's profitability, while minimizing risk to the entire Visa membership.

The merchant is open-for-business 24-hours a day, 365 days a year. Transactions can occur quickly and simultaneously. During this time, the merchant is also open and vulnerable to fraud and denial-of-service attacks. If a merchant has not adequately invested in protecting its systems (i.e., cardholder account information database), an extensive account compromise or other serious damage can occur quickly. In many parts of the world, it is difficult to verify the accuracy of cardholder data or the origination of an Internet message. This weakness creates an exposure that criminals can exploit to commit fraud. In many countries, local laws make it difficult to complete a detailed enough background search to adequately assess the risk of a potential merchant. The nature of many Internet businesses makes it easy for merchants to change their country of residence overnight by relocating their Website server. Merchants terminated in one market for excessive fraud behavior can exploit this and quickly move to a less experienced market that does not adequately assess the risks or backgrounds of its Internet merchants. Once a Member is known to have relaxed merchant underwriting and monitoring procedures, it becomes a location targeted for high-risk or criminally-minded merchants.

Merchant Application Requirements

In addition to merchant application requirements outlined in Chapter 2 of this guide, the following actions should be incorporated into an Acquirer's Internet merchant application procedures.

- Require a separate application for all merchants establishing an e-commerce presence. Whether the applicant is an existing merchant that wants to add a Website, or a new merchant that wants to join the program, the Acquirer must use a separate application or addendum for e-commerce services. For example, this practice can help facilitate the special risk assessment actions related to Card-Not-Present volume. It can also allow for merchant business name and site content verification, as well as ensure that the correct business name is displayed on cardholder statements. In addition, a separate application form provides an easier way to track and report e-commerce application volume. Transactions can be flagged and tracked by acceptance mode.
- Collect and verify additional application data and financial documents for Internet merchants. Risk exposure can be lowered by taking a few extra steps during the application process to obtain additional information from questionable merchants. Required data might include:

  - Universal Resource Locator (URL), also known as the Website address, and Internet Protocol (IP) server address for the merchant Website. By collecting this information, an Acquirer is able to confirm that the merchant is actually conducting the business as described on its application.
  - Contact details for the Website hosting service. This information can be used to contact the hosting service and verify that the merchant maintains a legitimate business.
  - E-mail addresses and phone numbers for merchant customer service. Acquirers can verify that a merchant's e-mail address is valid by sending a message to that address. An alert should be triggered if the message is returned as undeliverable or bounced. In addition, the Acquirer should check the merchant's customer service for its quality response and timeliness, as this will decrease customer disputes and chargebacks.
  - Descriptions of any links on the merchant's Website to other sites to which they may or may not be affiliated. This should raise a flag if the linkages do not make sense or represent merchant types that you do not sign.

Approval Criteria

- Establish specific approval criteria for low-risk merchants and High-risk Merchants. By using more stringent criteria for High-risk Merchants, an Acquirer can factor into its approval decisions any risks associated with the merchant's products or way of doing business. These criteria can also help ensure that the merchant has the financial capability to handle returns and chargebacks.
- Clearly designate merchant approval responsibilities and authorities based upon risk. Requiring higher levels of authority based on a calculated risk-exposure amount is an excellent risk management practice. In addition, authority policies should be documented to ensure compliance.
- Establish merchant approval signature requirements. Internal signature requirements should be consistent with the approval authority policies, and clearly documented to ensure compliance.
- Establish formal rejection override policies and procedures. This ensures that employees do not approve a previously declined merchant unless a legitimate override authority is exercised, new information has been obtained to warrant approval, or additional risk control measures are being used.
- Maintain a database of all declined merchant applications. Acquirers should compare all applications against this database to help quickly identify applicants that they have previously declined.

Underwriting Process and Credit Review

Proper financial checks, using credit reports, income tax returns, and other lawfully available information, must be performed on all potential merchants. To comply with this requirement, consider the practices outlined below:

- Use "accept" or "do not accept" criteria to determine whether a merchant applicant is eligible for the e-commerce program. This quick check helps ensure that the merchant's products and marketing methods comply with an organization's signing policies.

In the Asia-Pacific Region, Acquirers must check the merchant against the Terminated Internet Merchant File for information on whether the merchant has been terminated previously within the region.

- Establish separate application verification processes: one for low-risk merchants and a more stringent process for High-risk Merchants. This can protect the organization from potential losses by:
  - Requiring High-risk Merchants to provide additional references.
  - Verifying these references carefully.
  - Performing a more detailed evaluation of business financials and physical site inspections.
- Use automated tools and government agency databases to verify business owner application name. Automated tools can help confirm the merchant's business name, address, and telephone number, and validate that the business is operating in the location indicated on the application.
- Use consumer credit bureau reports, application data, and business bureau reports to evaluate applicants. Valuable background information on larger-scale merchants can be obtained by requesting credit bureau reports.
- Use Internet merchant rating services, like TRUSTe, CNET, and Bizrate.com, to obtain additional information about existing Internet merchants.
- Review the merchant Website to ensure it complies with minimum requirements. This can help avoid unnecessary operational expenses and risk exposure after the merchant is established in the program. See Merchant Procedures on page 150 for Website requirements.
- Inspect the merchant's physical business and fulfillment sites as specified in Chapter 2 of this guide.
- Copy and retain the merchant Website source code for periodic reviews. By retaining prints or saving the merchant's original Website content for its primary pages (e.g., the original HTML code), an Acquirer can periodically make comparisons between it and the current Website. This offers an easy way to identify significant changes in the merchant's business, such as changes in the types of products being sold or key affiliations or links to other Websites.
- Assess risk exposure quantitatively and determine potential Acquirer liability. The Acquirer is liable for consumer refunds if the merchant ceases operations. Such assessments typically use actual or projected sales volume, estimated shipping delays, and refund and chargeback rates.
- Define policies and standards for collecting and holding reserves on High-risk Internet Merchants. To substantially reduce financial exposure, maintain merchant reserves that are outside the merchant's control. If the merchant ceases business, the reserve amounts should be sufficient to cover any future chargebacks.
- Develop a Merchant Agreement clause that states that the Acquirer can hold the merchant reserves, even if the merchant declares bankruptcy.
- If working with an IPSP, establish procedures to ensure that terminated merchants are not signed as sponsored merchants.

New Merchant Setup

Many new Internet merchants do not learn about their risk exposure and liability until they receive their first chargeback. By encouraging authentication and educating merchants during the set-up process, an Acquirer can help avoid merchant confusion and promote efficient and secure merchant operations.

An Acquirer must provide the appropriate POS condition code Electronic Commerce Indicator (ECI) for all e-commerce transactions in both authorization and clearing records. The ECI value indicates the level of security used in the transaction and makes it easy for an organization to track and manage e-commerce sales volume and chargebacks.

When setting up new Internet merchants, the following actions can be taken to pave the way for operational efficiency and effective risk controls:

- Educate the merchant about the risk exposure and liability associated with accepting payment cards via the Internet.
- Review cardholder data security issues and requirements with the merchant. Include a review of data security issues and requirements that will increase risk awareness on the part of the merchant, particularly for those that do not thoroughly review the agreement.
- Document that the merchant has received the training, understands the issues, and accepts liability. Consider implementing a self-audit process in which the merchant certifies and signs documentation to show compliance with secure data storage requirements.
- Assign a clear merchant description to avoid cardholder disputes. This will help avoid consumer confusion by ensuring that the merchant's doing-business-as name matches the merchant description that will be printed on cardholder statements.
- Ensure that the Merchant Category Code (MCC) reflects the merchant's principal line of business, rather than placing all Internet merchants into a designated e-commerce MCC. Use the MCC to reveal the type of business being transacted and the Electronic Commerce Indicator (ECI) to indicate that a transaction was conducted on the Internet. The merchant will need to indicate the ECI and the Cardholder Authentication Verification Value (CAVV) for Verified by Visa transactions in order to qualify for chargeback protection against fraudulent transactions.
- Do not place Internet merchants in the high-risk telemarketing MCCs unless they meet the definition for High-risk Telemarketing Merchants as defined in the Visa International or Regional Operating Regulations.
- Add a suffix to the MCC to indicate the transaction method or product delivery (e.g., card present, mail, or telephone order, Internet, etc.) for internal tracking purposes.
- In addition to the ECI, identify online gambling merchants using these mandatory data elements:
  - Betting MCC. This MCC is applicable to any type of transaction that facilitates online gambling activities including, but not limited to, the purchase of virtual gaming chips or the funding of an account held by the merchant to be subsequently used by the cardholder for gambling. The use of MCC 7995 is required for all online gambling transactions, even if gambling is not the merchant's primary business activity. If necessary, the merchant can be assigned more than one MCC to accommodate its non-gambling activities.
  - Quasi-Cash or Online Gambling Transaction indicator. Formerly known as the Quasi-Cash Indicator, this flag must be used in authorization and clearing messages.
- Encourage gaming merchants to adopt online gaming industry best business practices and codes of conduct.

Regional E-Commerce Registration Programs

In some Visa regions, Acquirers with e-commerce programs (or their Internet merchants) must register with Visa to ensure regulation compliance and allow for monitoring of High-risk Merchants to help reduce dispute and fraud activity. The following is a summary of regulations in place for applicable regions.

Region: Asia-Pacific (AP), effective November 15, 2000

Regulations: An Acquirer must register with Visa International and qualify under either one of the following conditions before entering into the e-commerce business.

- The Member has a Visa Member risk rating of A or B, and must either:
  - Have a minimum Tier 1 capital of US$250 million, or
  - Post collateral equivalent to 10 percent of the difference between the Member's Tier 1 capital and US$250 million.
- The Member has a Visa Member Risk rating of C, and must post collateral of US$25 million, in addition to any other required risk control measures.

AP Region management may waive the above capital requirements in return for the imposition of risk control measures on the acquiring program (to be determined by management on a case-by-case basis).

Region: European Union (EU), effective October 1, 2000

Regulations: All Acquirers processing e-commerce transactions (including traditional merchants who also handle e-commerce transactions) must comply with the Visa Internet Acquiring Program requirements. An Acquirer must complete and submit a Visa Internet Acquirer Self-Certification Form to Visa for approval prior to entering into agreements with Internet merchants. Acquirers must use this form to self-certify that they are meeting the requirements fully specified in the E-Commerce Acquiring Member Guide, including the following:

- Compliance to the Visa International Operating Regulations for e-commerce transactions (including zero-floor limit, correct use of the Electronic Commerce Indicator, etc.).
- Acknowledgment of responsibility for all agencies and processors used by the Acquirer.
- Wide communication of best practices for e-commerce within the bank and to merchants.
- Provision of additional information on the Operating Certificate, including number of Internet merchants acquired and their sales volume.

Region: Central Europe, Middle East, and Africa (CEMEA)

Regulations: Acquiring Members must demonstrate compliance with the following criteria if they wish to contract with Internet merchants:

The first set of criteria is a pre-condition for e-commerce acquiring:

- Members must be physical Acquirers before they can sign with Internet merchants. This is to ensure that Members have the appropriate acquiring risk experience before dealing with e-commerce, which is typically the higher-risk end of the acquiring business.
- Members must conform with all Visa acquiring risk management policies, as defined in the Visa International Operating Regulations (Chapter 2) and the CEMEA Regional Operating Regulations (Chapter 2).
- Members must comply with the existing minimum Acquirer Merchant Monitoring Standards (CEMEA Regional Operating Regulations, Section 2.5). This is important so that Members can minimize potential financial losses by identifying problem situations in a timely manner. Compliance can be demonstrated either by running a risk monitoring system that is known to comply with these standards, or by sending to Visa samples of the monitoring reports used to comply with these standards.
- Members must provide a letter to Visa, signed by the President, Chief Executive Officer, or Chairman, or endorsed by the bank's Credit Committee, where appropriate, confirming their understanding of the risks related to e-commerce acquiring and agreeing to operate within Visa's e-commerce acquiring standards. Sample wording for this letter will be provided by Visa. Due to the potential size of the financial risk involved, it is important for Visa to know that the risks are understood at the highest levels within the bank.

The second set of criteria contains additional and ongoing requirements:

- Acquirers and merchants must comply with the relevant conditions in the Account Information Security Standards documentation, in order to safeguard the security of cardholder account information.
- Acquirers must send the appropriate Electronic Commerce Indicator value in all authorization and clearing messages for e-commerce transactions to permit Issuers to make informed authorization decisions.
- Acquirers who wish to contract with merchant aggregators must:
  - Obtain from the aggregator on a regular basis details of all sub-merchants for whom they process.
  - Ensure the aggregator identifies each sub-merchant separately in the Merchant Name field of the transaction record, so that the Acquirer can perform meaningful merchant monitoring.
  - Have the right contractually to terminate any sub-merchant for good cause.

  Without such controls in place, aggregators can mask the performance of individual merchants who generate high levels of disputes by consolidating the data.
- Acquirers must provide any reporting on e-commerce transactions that Visa may request.

Region: LAC Member Letter 12/01, effective April 30, 2001

Regulations: Before an Acquirer affiliates a High-risk Merchant the following requirements must be met:

- Maintain an above standard institutional risk rating (better than "C").
- Maintain at least US$25 million in Tier 1 capital. If Tier 1 capital is not reported, then tangible shareholder's equity will be used.
- Submit to Visa International ("Visa"), a letter signed by the Member's Chief Executive Officer (i) acknowledging the business activity of High-risk Merchant acquiring and the high level of chargebacks and credits which require adequate reserves, and (ii) providing assurances of timely payment of all chargebacks, penalties, and other administration fees that accompany this activity.
- Maintain monthly volume of acquiring of High-risk Merchants below a maximum 50% of Tier 1 capital.
- Implement the most recent E-Commerce Risk Management, Best Practices as published by Visa and confirmed in quarterly field audits performed by Visa at the Member's expense.

Acquirers must receive written approval prior to processing High-risk Merchant transactions.

Region: LAC Regional Operating Regulations Section 2.8, effective September 1, 1999

Regulations: Acquirers contracting with High-risk Merchants as defined in the LAC Regional Operating Regulations must do all of the following:

- Register the High-risk Merchant with Visa using the High-Risk Merchant Registration (LA-2) Form. In addition to the LA-2, provide the documentation listed below:
  - Merchant Business Plan
  - Merchant's Incorporation Documents
  - Certification of Good Standing
  - Certification or License to Operate in home country
  - Merchant's most recent quarterly statements
  - Acquirer's Contract with the merchant
  - Evidence of Compliance with Account Information Security program

  The LAC Region Office will approve or decline a High-risk Merchant registration, and may require additional collateral from the Acquirer.

- Have an exclusive BIN and Clearing Account for the acquisition of regional High-risk Merchants.

A regional database of all registered merchants is maintained for monitoring purposes; periodic monitoring of merchant activity, including volume for sales, credits, and chargebacks, is performed.

Required Fees:

- A one-time registration fee of US$5,000 per merchant.
- A US$0.35 administrative fee per sales transaction.
- An annual monitoring fee of US$1,000 per merchant.

Penalties due to non-compliance:

In the event of non-compliance to section 2.8 of the Regional Operating Regulations, a penalty of US$10,000 will be assessed. Non-compliance includes, but is not limited to:

- Failing to include transaction indicators such as the E-Commerce Indicator, the proper Merchant Category Code, the Internet gambling indicators, or the Quasi-Cash Indicator.
- Failing to comply with different Internet Website requirements established by Visa International.

In the event of non-compliance of section 2.8.A, a penalty of US$100,000 will be assessed.

- Failing to receive registration approval of a High-risk Merchant prior to processing merchant transactions.

An Internet merchant, such as an Online Gambling or Adult Entertainment business designated as a High-risk Merchant, must comply with the following security measures:

- Use at least secure socket layer (SSL) encryption to process all transactions.
- Recommend the use of digital wallets with a Cardholder Certificate on its Website.
- Use Visa approved authentication technologies.

Merchant Portfolio Risk Management

Portfolio Reviews

Acquirers should periodically review their merchant portfolio and evaluate any significant changes that have occurred in the merchant's business operations or product offerings. An organization can prepare for this effort by determining how and when merchants will be selected for review and the depth of these periodic evaluations.

Selecting Accounts for Periodic Merchant Review

Shopper programs can:

- Provide assurance that a merchant's products are of reasonable quality and will not result in excessive chargebacks.
- Let an Acquirer test the adequacy of merchant refund practices.
- Help an Acquirer provide feedback to the merchant on the entire shopping and return process, and help them identify areas for improvement.

Establish risk-based criteria to select merchants for review and determine the frequency of these reviews. Risk-based criteria are typically a combination of merchant volume, projected credits and chargebacks, and merchant credit-worthiness. Assign a scoring system to each criterion based on risk, then measure the merchant's performance against what is defined as acceptable. This is known as developing risk-weighted criteria. After evaluating a merchant against all criteria, add all of the individual scores together for a relative risk exposure calculation that can be used in identifying potential problems and scheduling periodic reviews accordingly.

To prioritize merchants for review:

- Develop systematic methods to compare the merchant's original Website content to current content to determine whether the merchant has changed the product being offered or is doing business as agreed. An automated check can quickly identify merchants with enough changes made to their site to warrant a more detailed review to determine whether the merchant is still operating under the terms of its contract with your institution. Develop automated, intelligent comparison routines to find significant changes in business name or products.
- Use merchant shopper programs, particularly in the first three months after signing. These types of programs use anonymous individuals who shop with merchants to evaluate customer service and validate whether the merchant offers the products it has claimed to the Acquirer that it sells. The shopper then reports his or her findings back to the Acquirer. Both Bizrate.com and CNET are merchant shopper programs that the merchant can enlist to question actual consumers about their shopping experience directly after they complete a transaction. These services also conduct a follow-up with the consumer after a period of time to ensure the products were received as expected. Data from this relationship may be useful for determining whether a merchant should be reviewed more closely.
- Understand your merchants' transaction behavior. Target inactive merchants for review on a monthly basis, and take action accordingly to reduce fraud exposure. In some cases, inactive merchants are fronts for criminals in need of a merchant account to deposit fraudulent transactions.
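The automated Website comparison described above, which relies on the retained original Website source recommended in the underwriting practices, can be sketched as follows. This is an added example and not part of the Visa guide; the function names, the 0.60 overlap threshold, and the sample pages and host names are assumptions constructed for illustration.

```python
"""Added example: compare a retained merchant Website snapshot with the live page.

All names, thresholds and sample pages are assumptions made for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed threshold: word overlap below this ratio counts as a major content change.
SIMILARITY_FLOOR = 0.60


class PageProfile(HTMLParser):
    """Collects the title, visible words and link hosts of one HTML page."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.title = ""
        self.words = set()
        self.link_hosts = set()
        self._skip_depth = 0       # > 0 while inside <script> or <style>
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1
        elif tag == "title":
            self._in_title = True
        elif tag == "a":
            host = urlparse(dict(attrs).get("href") or "").hostname
            if host:               # relative links carry no host
                self.link_hosts.add(host.lower())

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip_depth = max(0, self._skip_depth - 1)
        elif tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._skip_depth:
            return                 # ignore code and stylesheets, keep visible text
        if self._in_title:
            self.title += data
        self.words.update(re.findall(r"[a-z0-9]+", data.lower()))


def profile(html):
    parser = PageProfile()
    parser.feed(html)
    parser.close()
    return parser


def is_same_site(host, merchant_host):
    return host == merchant_host or host.endswith("." + merchant_host)


def compare_snapshots(baseline_html, current_html, merchant_host):
    """Return a change report; needs_review is True when any rule fires."""
    old, new = profile(baseline_html), profile(current_html)
    union = old.words | new.words
    similarity = len(old.words & new.words) / len(union) if union else 1.0
    new_hosts = sorted(h for h in new.link_hosts - old.link_hosts
                       if not is_same_site(h, merchant_host))
    old_title, new_title = old.title.strip(), new.title.strip()

    reasons = []
    if old_title != new_title:     # possible change of business name
        reasons.append(f"title changed: {old_title!r} -> {new_title!r}")
    if new_hosts:                  # new affiliations or links to other Websites
        reasons.append("new external links: " + ", ".join(new_hosts))
    if similarity < SIMILARITY_FLOOR:   # products or services described differently
        reasons.append(f"word overlap {similarity:.2f} below {SIMILARITY_FLOOR:.2f}")
    return {"similarity": round(similarity, 2), "title_changed": old_title != new_title,
            "new_external_hosts": new_hosts, "needs_review": bool(reasons),
            "reasons": reasons}


# Constructed sample pages: the snapshot retained at signing, a cosmetic edit,
# and a page whose business has changed.
BASELINE_HTML = """<html><head><title>Green Thumb Garden Tools</title>
<style>p{color:red}</style></head><body><h1>Green Thumb Garden Tools</h1>
<p>Hand trowels, pruning shears and watering cans shipped within five days.</p>
<a href="/returns">Returns policy</a>
<a href="https://www.gardenshop.example/catalog">Catalog</a></body></html>"""

MINOR_EDIT_HTML = BASELINE_HTML.replace("pruning shears and", "pruning shears, rakes and")

CHANGED_HTML = """<html><head><title>Lucky Spin Online Casino</title></head>
<body><h1>Lucky Spin Online Casino</h1>
<p>Buy virtual gaming chips instantly and fund your player account.</p>
<a href="https://pay.partner-casino.example/deposit">Deposit</a>
<script>var tools = "garden";</script></body></html>"""

if __name__ == "__main__":
    for label, page in (("minor edit", MINOR_EDIT_HTML), ("changed", CHANGED_HTML)):
        print(label, compare_snapshots(BASELINE_HTML, page, "gardenshop.example"))
```

Word overlap is a coarse signal chosen to keep the sketch short; a merchant flagged by it still needs the manual review the guide describes.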

Periodic Merchant Review

A reliable indicator of data encryption is the presence of a closed lock or complete key symbol on the screen during the purchasing process, or the addition of an "s" to the "http:" web address. Microsoft Internet Explorer uses the lock symbol and Netscape Communicator uses the key symbol.

Periodic merchant review practices range from conducting a full underwriting review for new or High-risk Merchants to performing only a cursory review (e.g., Website verification and chargeback or credit rate check) for established merchants with a good performance history. In this area, practices typically include the following:

- Review the adequacy of the merchant's collateral on a regular basis. Maintain collateral for at least six months after the merchant is terminated.
- Review the merchant's Website to identify changes in products, delivery methods, or return policies, and check the site to ensure proper functionality. If business or product changes have occurred, the risk exposures associated with the merchant may have changed as well.
- Assess merchant compliance with data security and encryption requirements. Both the Acquirer and the merchant are subject to a Visa audit to ensure compliance with security requirements. Establish a system where the merchant certifies that they are in compliance with the requirements.
- Conduct periodic testing against the merchant Website to test its security. Software is commercially available for this purpose. Purchasing an item via a shopper program is the simplest approach to identify merchants that are not encrypting cardholder transaction data in transmission.
- Assess compliance with secure data storage requirements. Both the Acquirer and the merchant are subject to a Visa audit to ensure compliance with security requirements. Consider implementing a self-audit process in which the merchant certifies that it is in compliance with secure data storage requirements.

Merchant Operations

There are a number of ways to mitigate risk and keep operating expenses low when providing Internet merchants with processing, customer service, and technical support. Recommended practices include the following:

Merchant Processing

Several regional Visa Risk Management offices have developed merchant education materials for e-commerce. Contact your Regional Risk Representative or Visa Account Executive to inquire about materials applicable to your region.

The settlement process is a critical area for managing risk. E-Commerce can generate large sales volume, as well as large chargeback and fraud volumes for High-risk Merchants. Settlement policies and procedures will determine who will carry resulting losses (the merchant or the Acquirer) and thus significantly impact an acquiring organization's ability to make a profit on their Internet merchant portfolio.

- Use internal system designations for Internet merchants to track and report e-commerce portfolio sales, chargebacks, and losses. In addition to using the ECI to identify e-commerce transactions, some Acquirers use internal codes to identify Internet merchants and facilitate management reporting.
- Partner with Internet gateway vendors that have security measures in place for processing authorizations and capturing transactions. This enables an Acquirer to offer secure transaction options to its merchants while decreasing risk exposure to account information compromise.

Merchant Customer Service and Technical Support

- Use secure e-mail to communicate with and deliver statements to merchants. This service is typically available to all merchants in the portfolio, and not limited to Internet merchants.
- Use secure e-mail to send chargeback information to merchants. This presents a secure, cost-saving tool for merchants, as well as Acquirers.
- Give merchants secure, password-protected Internet access to transaction, statement, and processing information. This service can reduce customer service expense and provide benefit to your merchants.
- Include fraud awareness information in monthly merchant statements. Monthly paper statements provide a low-cost means of distributing fraud awareness materials.
- Post merchant fraud awareness information on the Acquirer Website or create links to other sites that provide this information. This is another cost-effective way to alert your merchants about ongoing fraud issues and solutions. Acquirers should be careful not to disclose sensitive information that could be exploited by criminals.

Settlement

- Delay merchant funds availability to allow sufficient time to review transactions and deposits. Based on the market climate, an Acquirer should establish a funding delay that allows enough time to ensure that transaction activity is legitimate before funds are made available. For High-risk Merchants, longer delays should be used to allow time for additional scrutiny.
- Establish a maximum monthly and daily funding limit for each merchant account and hold funds for review when either limit is exceeded. This protects your organization from potential losses without affecting merchant acceptance of transactions.
- Withhold individual transactions or entire deposits from outgoing interchange, if fraud is deemed certain or highly likely. This reduces risk exposure and helps to avoid the expense associated with processing cardholder disputes and chargebacks.

Merchant Monitoring

The ongoing success of an Acquirer's risk management effort depends greatly on the types of controls established for e-commerce transactions and the types of methods used to monitor Internet merchant activity. With this point in mind, Acquirers should consider the following actions:

Merchant Transaction Controls

- Establish automated velocity controls over high-risk transactions and deposits. Depending on needs and resources, elect to use any of these options:
  - Set an authorization limit for monthly volume or single transaction amount to avoid the risk of large-scale fraud. This approach protects both the Acquirer and the merchant, but may have an adverse impact on the merchant's business and generate negative merchant reaction. For best results, clearly communicate the authorization velocity controls to the merchant at the time of signing. Then, monitor authorization activity. If the merchant comes close to the limit, conduct a review to determine whether a limit increase is warranted.
  - Prevent high-risk transactions or batches of settlement activity from entering interchange until they have been reviewed. This second option offers protection from the risk of chargeback and losses, but, unlike authorization controls, would not protect an innocent merchant from accepting fraudulent transactions.
  - Withhold funding from suspect batches. This third option also offers protection from risk exposure, but would not prevent future chargebacks since these transactions will have been submitted into interchange.
- Automatically suspend large credit transactions that do not have a preceding debit transaction. In some cases, merchants try to reduce discount fees or commit fraud by submitting credit transactions to their own or an accomplice's account. In this fraud scenario, the merchant submits a large credit batch without sufficient funds in its account to cover the credit.
- Automatically suspend large forced transactions. A transaction is forced if it is submitted with no matching authorization. While this type of transaction is rare in the e-Commerce environment, it warrants careful review since it subjects both the Acquirer and merchant to chargeback risk.

Merchant Activity Monitoring

Merchant activity monitoring is essential to a well-managed acquiring program. The practices outlined here can help identify out-of-pattern and suspicious activity that must typically be acted upon immediately.

- Develop effective criteria for monitoring and reporting suspicious activity. In addition to standard merchant monitoring parameters, the following criteria should be applied:
  - Unusual authorization activity. To mitigate risk, look for descending authorization amounts or excessively high decline or referral rates.

  - Unusual activity on other payment products. While Discover, American Express, Diners Club, and other card products do not necessarily expose an acquiring institution to risk, unusual activity on these card products could indicate the likelihood of future merchant fraud on the Acquirer's Visa or MasterCard products.
  - Reduction in sales credits. This can be a sign of cash flow problems or business failure for the merchant, leading to excessive chargebacks for your institution.
  - Increases in draft retrieval requests. Growing draft retrieval request rates can be indicative of fraud and provide an early warning of future chargebacks.
  - International transactions from countries with a high fraud experience. High rates of international activity may subject merchants to risk. When such activity is detected, contact the merchant to ensure they understand the risk exposure and have appropriate fraud screening tools in place.
  - Tighter exception parameters for new merchants. This will result in a greater number of reviews for these new accounts and is a prudent risk management practice for the first three to six months of a merchant relationship.
  - Credit transaction activity of gambling merchants. Acquirers must ensure that online gambling merchants do not use the credit function (Transaction Code 06) to pay cardholders' winnings; they must be paid by alternate mechanisms, such as wire transfers. Rules for credit transactions to correct merchant error or reimburse the cardholder for a canceled transaction remain unchanged.
- Monitor the chargeback-to-sales ratios of all merchants. This helps identify any merchant that receives more than 100 chargebacks per month and exceeds a chargeback-to-transaction volume ratio of three percent. It also validates compliance with Visa requirements and confirms the existence of risk control procedures. Chargeback-to-sales ratios can be monitored by conducting:
  - Physical inspection of the merchant premises to ascertain the existence of adequate risk control procedures.
  - Audit of the merchant Website, if applicable.
  For information about the Global Merchant Chargeback Monitoring Program, see Chapter 10, Visa Risk Control Programs.
- Follow up on merchants reaching chargeback-to-transaction volumes. This enables the Acquirer to identify and minimize high-risk behavior to reduce losses suffered by the Visa membership and prevent the merchant from entering into the Global Merchant Chargeback Monitoring Program.
- Utilize online exception report queues that consolidate multiple alerts for a single merchant into one exception listing.
- Develop a scoring system to prioritize merchant alerts for review. Merchant exception reporting systems typically prioritize accounts based on gross deposit amount. Another effective approach is to create a scoring system that considers the multiple alerts received by a merchant in prioritizing the accounts for review.
- Implement automated controls to ensure merchant alerts are properly worked. Sophisticated merchant monitoring systems can distinguish between queues that have been reviewed and queues that have not. This capability helps ensure that no merchant alert is overlooked.
- Establish an ongoing closed loop feedback process to assess the effectiveness of suspect activity reports. This practice can help refine review criteria, prioritize exception reviews, and develop weighting factors for scoring systems.
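The monitoring criteria above, consolidated into one scored exception listing per merchant, as an added Python example that is not part of the guide. Only the chargeback limits (more than 100 per month and a ratio above three percent) come from the text; the record layout, the other thresholds, the weights and the sample activity are assumptions constructed for illustration.

```python
from collections import defaultdict

# The chargeback limits are the guide's figures. Every other threshold and
# all weights are assumptions chosen for this illustration.
CB_COUNT_LIMIT = 100        # chargebacks per month
CB_RATIO_LIMIT = 0.03       # chargebacks / sales transactions
LARGE_AMOUNT = 1000.00      # assumed size of a "large" credit or forced sale
DECLINE_RATE_LIMIT = 0.30   # assumed
MIN_AUTHS = 10              # assumed minimum sample before judging decline rate
DESCENDING_RUN = 3          # assumed count of falling authorization amounts
NEW_MERCHANT_SCALE = 0.5    # assumed tightening for new merchants
WEIGHTS = {"chargebacks": 40, "credit_without_sale": 30, "forced_sale": 20,
           "descending_auths": 15, "decline_rate": 10}

def txn(kind, amount, account, approved=True, auth_code=None):
    """Build one activity record; kind is auth, sale, credit or chargeback."""
    return {"kind": kind, "amount": amount, "account": account,
            "approved": approved, "auth_code": auth_code}

def longest_descending_run(amounts):
    """Length of the longest strictly falling run of consecutive amounts."""
    best = run = 1 if amounts else 0
    for prev, cur in zip(amounts, amounts[1:]):
        run = run + 1 if cur < prev else 1
        best = max(best, run)
    return best

def merchant_alerts(txns, is_new=False):
    """Alert names raised by one merchant's time-ordered month of activity."""
    scale = NEW_MERCHANT_SCALE if is_new else 1.0
    alerts = set()
    sales = [t for t in txns if t["kind"] == "sale"]
    auths = [t for t in txns if t["kind"] == "auth"]
    chargebacks = sum(1 for t in txns if t["kind"] == "chargeback")

    # Both conditions must hold: count above the limit and ratio above it.
    if sales and chargebacks > CB_COUNT_LIMIT * scale \
            and chargebacks / len(sales) > CB_RATIO_LIMIT * scale:
        alerts.add("chargebacks")

    approved_codes = {t["auth_code"] for t in auths if t["approved"]}
    accounts_with_sale = set()
    for t in txns:
        large = t["amount"] >= LARGE_AMOUNT * scale
        if t["kind"] == "sale":
            # Forced: submitted with no matching approved authorization.
            if large and t["auth_code"] not in approved_codes:
                alerts.add("forced_sale")
            accounts_with_sale.add(t["account"])
        elif t["kind"] == "credit" and large \
                and t["account"] not in accounts_with_sale:
            # Credit with no preceding debit on the same account.
            alerts.add("credit_without_sale")

    if len(auths) >= MIN_AUTHS:
        declined = sum(1 for t in auths if not t["approved"])
        if declined / len(auths) > DECLINE_RATE_LIMIT * scale:
            alerts.add("decline_rate")

    by_account = defaultdict(list)
    for t in auths:
        by_account[t["account"]].append(t["amount"])
    if any(longest_descending_run(a) >= DESCENDING_RUN
           for a in by_account.values()):
        alerts.add("descending_auths")
    return alerts

def exception_queue(activity, new_merchants=()):
    """One consolidated listing per merchant, highest combined score first."""
    queue = []
    for merchant, txns in activity.items():
        alerts = merchant_alerts(txns, merchant in new_merchants)
        if alerts:
            score = sum(WEIGHTS[a] for a in alerts)
            queue.append((merchant, score, sorted(alerts)))
    return sorted(queue, key=lambda row: (-row[1], row[0]))

# Constructed sample month of activity (not real data).
SAMPLE = {
    # 4,000 authorized sales and 130 chargebacks: 3.25 percent
    "M-100": [t for i in range(4000) for t in (
        txn("auth", 25.0, f"a{i}", auth_code=f"A{i}"),
        txn("sale", 25.0, f"a{i}", auth_code=f"A{i}"))]
    + [txn("chargeback", 25.0, f"a{i}") for i in range(130)],
    # large credit to an account that never purchased, plus a forced sale
    "M-200": [txn("auth", 40.0, "b1", auth_code="B1"),
              txn("sale", 40.0, "b1", auth_code="B1"),
              txn("credit", 5000.0, "b9"), txn("sale", 2500.0, "b2")],
    # falling authorization amounts on one account
    "M-300": [txn("auth", 900.0, "c1", approved=False),
              txn("auth", 500.0, "c1", approved=False),
              txn("auth", 200.0, "c1", auth_code="C1"),
              txn("sale", 200.0, "c1", auth_code="C1")],
    # ordinary activity
    "M-400": [txn("auth", 60.0, "d1", auth_code="D1"),
              txn("sale", 60.0, "d1", auth_code="D1")],
}

if __name__ == "__main__":
    for row in exception_queue(SAMPLE):
        print(row)
```

With these weights M-200 is listed ahead of M-100 even though M-100 has far larger gross deposits, which is the difference between scoring on combined alerts and ranking on deposit amount alone.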

Managing Merchants that Support Face-to-Face and E-Commerce Transactions

See the Regional E-Commerce Registration Programs section starting on page 133 of this guide to determine if your region requires registration into an e-commerce monitoring program.

In many cases, a merchant may conduct business in both Card-Present and Card-Not-Present environments. A merchant may begin its business through a traditional physical storefront and then further expand its business through the Internet. Visa Members have indicated that their inability to identify e-commerce transactions under these circumstances is a major problem. The following practices are recommended to identify a merchant's changing business model and manage increased risk accordingly:

- Ensure that the Merchant Agreement clearly states that the merchant must notify the Acquirer if it changes the way it does business or the products that it sells. There are, however, disincentives for merchants to share this information since it can have an impact on discount rates, chargeback rights, the use of the ECI and possibly require registration in a regional Visa High-risk Merchant program. Thus, Acquirers need incentives or penalties in place for non-compliance with this requirement. Merchants should be continually reminded of their responsibility in this area. A periodic review of merchants will also help to identify merchants not in compliance with this requirement.
- Monitor merchant Card-Present versus Card-Not-Present transaction volume over time to identify significant changes in business patterns. Processing channels are likely to change gradually, thus the practice of comparing Card-Present versus Card-Not-Present transaction volume against the previous week, month, and year aids in the identification of emerging transaction trends. Results of this monitoring should factor into the criteria for determining periodic merchant reviews.
Merchant Support for Fraud Monitoring

An institution's risk exposure can be significantly reduced by ensuring that Internet merchants have the tools they need to monitor fraud and are fully aware of how these tools work. Practices in this area include the following:

- Offer solutions that enable a merchant to effectively monitor high-risk transactions. For example, merchants should be able to review transactions prior to submitting them to the Acquirer, especially under these circumstances:
  - Internet Protocol (IP) address has been associated with fraud.
  - Cardholder account number has been associated with fraud.
  - Transaction request originates from countries with excessive fraud experience.
- Ensure that merchants have the tools in place to monitor fraud. Since there is no face-to-face contact in an e-commerce transaction, merchants may face a higher risk of fraud, especially if they offer digital products that are fulfilled through the Internet at the time of purchase. To offer effective merchant support in this area:
  - Develop or partner with a third-party vendor to provide fraud-screening tools for merchants.
  - Help merchants define their fraud monitoring criteria. It is important to develop criteria that can control risk without negatively affecting the merchant's profitability. Be sure that criteria are not so restrictive that the merchant loses more in sales revenue than it gains in fraud prevention.

  - Participate in Visa Address Verification Service (AVS) and require Internet merchants to use it. AVS is an automated fraud prevention program that allows Card-Not-Present merchants to check a cardholder's billing address as part of the electronic authorization process.
  - Develop systems to support Card Verification Value 2 (CVV2) and work with the Internet merchant to implement this fraud detection tool. CVV2 is a 3-digit value that is printed on the back of a Visa card. It provides a cryptographic check of the information embossed on a card, and assures the merchant, Acquirer, and Issuer that the card is valid.
  - Participate in the Verified by Visa service and make it available to all Internet merchants.

Suspect Activity Investigation

Suspect activity investigation policies help prepare an Acquirer to handle exceptions and manage their associated risks as effectively as possible.

Visa International Operating Regulations require that a loss of account information must be reported to Visa and that a reasonable investigation must be conducted.

When suspicious activity is detected, an Acquirer must be ready to investigate and resolve the matter in an efficient and timely manner.

- Establish sound policies for investigating suspect activity.
  - Define the exception criteria that must be reviewed.
  - Designate specific responsibilities and authority levels for reviewing cases and taking action to resolve them.
  - Establish strict timelines to ensure timely resolution.
- Develop an effective investigation and resolution process. To mitigate risk, this process should enable an Acquirer to:
  - Record suspect activity in a merchant history database and review previous exception conditions.
  - Develop appropriate investigative steps, such as contacting Issuers to verify the transactions in question.
  - Partner with Issuers to handle calls related to questionable transactions.
  - Pre-define steps to bring rapid closure to investigations.
  - Establish the internal and external notifications that will be necessary to document the completion of an investigation.

Loss Control

In addition to having a sound Merchant Agreement, an Acquirer needs to ensure that merchant termination policies and procedures are in place by taking these recommended actions:

- Establish pre-defined authorities to suspend merchant processing and hold funds, as well as formal internal responsibilities, policies, and procedures for terminating merchants. This formal approach will minimize indecision in terminating merchants.
- Develop an effective and timely merchant termination process that protects the acquiring institution's interests.
- Ensure that credits cannot be submitted during workout or probationary periods without prior review. Credits are of particular concern during situations where the merchant may try to reduce reserve amounts by submitting credit transactions to personal accounts.

- Debit the merchant Direct Deposit Account via automated clearinghouse (ACH) transfers to obtain required funds in cases where the institution lacks adequate merchant reserves to cover the risk exposure. A good practice is to enter a series of smaller debits, rather than the full amount required in a single ACH debit, to increase the likelihood that some portion of the required funds would be obtained.
- Establish a post-mortem analysis to evaluate causes of loss and determine whether the loss could have been prevented. Provide feedback to the entire merchant operations staff for performance assessment and improvement action(s).

Terminated Internet Merchant File (Asia-Pacific Region Only)

All Internet Merchant Agreements must provide the Acquirer the right to disclose information related to the merchant relationship to third-party agents.

To enable Acquirers to check if any Internet merchant has been previously terminated for poor card acceptance practices, a Terminated Internet Merchant File (TIMF) has been established in Asia-Pacific. Under the program, an Acquirer must do the following:

- Terminate an Internet merchant for poor card acceptance practices and list that merchant in the TIMF.
- Before signing an Internet merchant, inquire against the TIMF to determine if there is a match. If there is a match, investigate to ensure that the merchant is not the same as the one listed.
- List in the TIMF, within one business day, an Internet merchant that has been terminated for poor card acceptance practices. This includes:
  - Depositing counterfeit transactions.
  - Depositing transactions disputed by cardholders.
  - Having an excessive number of chargebacks due to the merchant's business practices (excessive is defined as being higher than a 5 percent ratio of international chargebacks to international transactions).
  - Having been identified through audit, investigation, or reporting systems such as the Risk Identification Service (RIS), as being involved in fraudulent or counterfeit activity.
- When listing a merchant on the TIMF, include these merchant details:
  - Merchant Name
  - Merchant Trading Name/DBA
  - Merchant Street Address
  - Merchant City
  - Merchant Country
  - Merchant Telephone Number
  - Principal/Owner Name
  - Principal/Owner National ID
  - Manager/Key Employee Name
  - Manager/Key Employee National ID
  - Business Registration Number
  - Bank Account Number
  - Listing Reason
  - Uniform Resource Locator (URL)

TIMF Fees and Fines

The fee for making TIMF inquiries is presented below. An Acquirer signing an Internet merchant with a match on the TIMF shall be assessed the applicable fine if the merchant is subsequently identified by the Global Merchant Chargeback Monitoring Program.

Task | US$
Listing terminated Internet Merchant | Free
Inquiry against TIMF | $25 fee
Failure to list a terminated Internet Merchant on the TIMF, or to inquire against the TIMF before signing an Internet Merchant | $25,000 fine

All local laws supersede a Member's required use of the TIMF.

Merchant Procedures

Clear Website explanations promote benefits for Visa cardholders, merchants, and acquiring Members alike.

It is essential that Acquirers communicate to Internet merchants the fraud control procedures specific to their payment channel. The following information should be shared during the initial setup process and in ongoing merchant training.

Website Requirements

Acquirers should establish minimum Internet merchant site content requirements for Visa card payments. This can help ensure a satisfactory shopping experience for consumers, as well as minimize cardholder copy requests, disputes, and chargebacks. Website content must include:

- Complete description of goods or services. For example, if selling electrical goods, the merchant must state voltage requirements, which vary around the world.
- Customer service contact information, including address or telephone number. Since communication with a merchant is not always possible using the merchant Website, merchants must display a customer service contact telephone number or address. Cardholders can, therefore, contact the merchant to ask questions about their transaction.
- Return, refund, and cancellation policy. This policy must be clearly posted to inform cardholders of their rights and responsibilities (e.g., if the merchant has a limited or no refund policy, this must be communicated to cardholders before the purchase decision is made to prevent misunderstandings and disputes).
- Delivery policy. Not all merchants are able to support the delivery of goods worldwide and may instead restrict sales to within their own country or to a limited number of countries, based on delivery experience or import and export regulations. Because merchants may sustain a loss when shipped goods fail to arrive, they are entitled to establish their own policies regarding the delivery of goods. However, when a merchant does have restrictions or other special conditions in place, those special conditions must be clearly stated on its Website.
- Country of merchant domicile. Acquirers should check with their representative and with local laws to determine how a merchant location is legally defined.
- Export restrictions (if known).
- Transaction currency or currencies. Since the Internet merchant's customer base is worldwide, it is important that the cardholder be made aware of the transaction currency before proceeding with a purchase. The currency should be clearly stated, including the country name when the name of the unit of currency is not unique. For example, a dollar can be an Australian dollar, a New Zealand dollar, a Hong Kong dollar, a U.S. dollar, or one of many more. The Acquirer must enter transactions into VisaNet for clearing and settlement in the exact amount and in the exact transaction currency authorized by the cardholder. Therefore, neither the merchant nor the Acquirer can convert the agreed transaction amount into a different currency. Merchants can display equivalents of the transaction amount in different currencies, but they must clearly indicate that the equivalents listed are for information only.

Additional items that ideally should be included on a merchant's Website include:

- Privacy statements.
- Identifiers that easily match the Website to the "doing business as" name.
- Statements that address when credit cards are charged. A best practice is to wait until the merchandise has been shipped or service completed before billing the cardholder.
- Commitments to process orders promptly and send an e-mail confirmation and order summary within one business day of the initial order. Provide up-to-date stock information if item is back-ordered.
- Commitment to respond to all customer service e-mails and phone calls within two business days.
- A statement explaining the security controls in place to protect customers.
- A statement encouraging cardholders to retain a copy of the transaction record.

In addition to these requirements, an online gambling Website must:

- Advise cardholders of their responsibility to know if their national or local laws prohibit gambling on the Internet.
- Include a complete description of rules of play, cancellation policies, and pay-out policies.
- Include a statement recommending that cardholders retain a copy of transaction records.
- Indicate that online gambling is for adults only and use best efforts to restrict participation by minors. This can include using commercial self-rating software to designate the site as inappropriate for minors.
- Display an identifier that consists of the 8-digit Visa-assigned Acquirer Business Identification number (BID) combined with a merchant identification number.
  Example: XXXXXXXX/YYYYYYYYY*
  Acquirer BID = X and Merchant Identification = Y
  * There are no restrictions on the number of digits that may be used for the merchant identification.

All Acquirers are responsible for ensuring that Internet merchants and their agents maintain appropriate security standards as specified in the Visa International Account Information Security program.
Acquirer Information Security

Internet merchants:

- Frequently store cardholder information in a database for the purpose of facilitating future Visa transactions.
- Have members of the general public accessing their computer systems.
- May be accessed by someone where jurisdictional challenges and the costs of enforcing criminal and civil penalties may make prosecution or other legal action unfeasible.

Given their unique business environment, Internet merchants must place a high priority on protecting cardholder account information to ensure that they are not providing criminals with an easy access portal to customer data. Common security issues overlooked by Internet merchants that can compromise the payment card system are listed below.

The Visa International Account Information Security Program defines the standards and requirements for handling and storing Visa cardholder and account data. For more information, see Chapter 7, Account Information Security.

- Exposures in firewalls, operating system, networks, and standard applications
- Incomplete knowledge of all entry points to the network from the outside world
- Unidentified machines or applications in the network
- Unnecessary open ports in firewalls
- The existence of unnecessary data sharing on file systems
- The use of weak default setups when installing applications that lead to known default user IDs and passwords being valid
- No protection from interception of internal and external network traffic
- No recognition of the security risks posed by employees (up to 70 percent of security breaches are internal)
- No change management or tracking of altered Web page content or system configurations
- No recognition of the weakness of various authentication methods such as USERID or passwords for strong security
- No post-implementation reviews following environment changes such as new applications and machines installed
- Machines in the network that are not running the latest versions of software
- Incomplete credential cleanup, default user IDs and mishandled credentials
- Insufficient identification requirements for someone to change INTERNIC records (effectively meaning that someone could remove an entire Internet presence with one telephone call)
- The existence of unnecessary services and applications on machines requiring high levels of security

Transaction Receipt Requirements

An Internet merchant must provide the cardholder with a transaction receipt. Acquirers, however, need to be aware of the following unique data requirements for transaction receipts and copy fulfillments for e-commerce transactions:

- Concealed cardholder account number. For e-commerce transactions, the cardholder account number must not appear on the transaction receipt.
- Unique identification number. To assist in dispute resolution between the cardholder and merchant, the merchant must assign a unique identification number to the transaction and display it clearly on the transaction receipt.
- Website address. The merchant must always include its Website address.

In addition to these requirements, it is suggested that the transaction receipt include wording to indicate that the cardholder should print or save the receipt for his records.

The table below summarizes the data requirements for e-commerce transaction receipts.

Field Code | Description
Unique Transaction Identifier | To minimize the potential for fraud, particularly if a non-secure transaction occurs, the merchant must not return the account number to the customer, but instead assign a number that uniquely identifies the transaction in question.
Purchaser Name | No change to existing rules.
Transaction Date | No change to existing rules.
Transaction Amount | No change to existing rules.
Transaction Currency | No change to existing rules.
Authorization Code | No change to existing rules.
Merchant Name | No change to existing rules.
Merchant Online Address | Replaces location. The purpose is to enable the cardholder to recognize and contact the merchant if there are any queries.
Description of Goods and Services | No change to existing rules.
Return and Refund Policy, if Restricted | No change to existing rules.
Transaction (Purchase or Credit) | No change to existing rules.

The Internet merchant can choose to send a separate message to the cardholder containing this required information, or, as with mail and telephone order transactions, send a physical receipt in the mail, or both. To minimize cardholder inquiries, merchants are encouraged to send an online acknowledgment of the transaction in addition to the transaction receipt.
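An added example, not part of the guide, of a pre-send check for the receipt requirements above: required fields present and no cardholder account number anywhere in the receipt. The dictionary keys are hypothetical names for the table's rows and the sample receipts are constructed; 4111 1111 1111 1111 is a widely used test number, not a real account.

```python
import re

# Hypothetical keys, one per row of the receipt table.
REQUIRED = ["unique_transaction_identifier", "purchaser_name",
            "transaction_date", "transaction_amount", "transaction_currency",
            "authorization_code", "merchant_name", "merchant_online_address",
            "description_of_goods", "transaction_type"]
CONDITIONAL = "return_refund_policy"   # required only if the policy is restricted

# 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn check used to separate card numbers from other digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0


def contains_account_number(value):
    """True if the value holds a Luhn-valid 13 to 19 digit number."""
    for match in PAN_CANDIDATE.finditer(str(value)):
        if luhn_valid(re.sub(r"\D", "", match.group())):
            return True
    return False


def check_receipt(receipt, refund_restricted=False):
    """Return a list of problems; an empty list means the receipt passes."""
    problems = []
    needed = REQUIRED + ([CONDITIONAL] if refund_restricted else [])
    for name in needed:
        value = receipt.get(name)
        if value is None or not str(value).strip():
            problems.append(f"missing: {name}")
    for name, value in receipt.items():
        if contains_account_number(value):
            problems.append(f"account number in: {name}")
    return problems


# Constructed sample receipts.
GOOD = {
    "unique_transaction_identifier": "ORD-7F3K-9Q2M",
    "purchaser_name": "A. Cardholder",
    "transaction_date": "2003-02-14",
    "transaction_amount": "49.95",
    "transaction_currency": "Australian dollar",
    "authorization_code": "012345",
    "merchant_name": "Example Electrical Goods",
    "merchant_online_address": "www.example.com",
    "description_of_goods": "Travel adaptor, 240 V",
    "transaction_type": "Purchase",
}
# Same receipt, but the account number is reused as the identifier and the
# Website address is blank.
BAD = dict(GOOD, unique_transaction_identifier="4111 1111 1111 1111",
           merchant_online_address="")

if __name__ == "__main__":
    print(check_receipt(GOOD))
    print(check_receipt(BAD))
```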

Recurring Payments

Existing requirements in the Visa International Operating Regulations for a recurring-services merchant have been modified to enable an Internet merchant to accept an electronic record (such as e-mail) with cardholder permission to periodically charge for recurring services. This record can be retained for the duration of the services. A copy of the record can be provided to the Issuer upon request.

The phrase "recurring transaction," the frequency of debits, and the period for which debits are agreed to must be included on the transaction receipt.

To address some of the more common causes of cardholder and Issuer complaints related to recurring payments, an Internet merchant should take the following actions:

- Make sure that the first transaction in a series of recurring transactions contains the appropriate ECI values in the transaction data; subsequent transactions should be processed as recurring transactions as specified in the Visa International Operating Regulations and VisaNet manuals.
- If offering an online sign-up for recurring services, provide easy online cancellation procedures to the cardholder. Such procedures must be as simple and as accessible as those of the original sign-up process.
- Request only a Visa account number as payment for goods or services. The merchant must not request or use the account number for age verification or any purpose other than payment.

A Closer Look at Verified by Visa (3-D Secure)

Background

Verified by Visa is a global service and is being implemented worldwide by Visa Members and merchants. It is a new online system designed to make Internet purchase transactions safer by authenticating a cardholder's identity at the time of purchase. The service software installed at the merchant's site activates the cardholder interface during the authentication process.

How Verified by Visa Works

Verified by Visa enables Issuers to validate the identity of their registered Visa cardholders during online payment transactions.

➊ At a participating merchant site, the Visa cardholder clicks "buy" at the checkout. Software installed on the merchant server recognizes registered Visa cards, initiating the next steps.
➋ A Verified by Visa window appears. The cardholder is prompted to enter the password he or she created when registering for the service.
➌ The Issuer validates the cardholder's identity and sends a response to the merchant to proceed with the payment authorization.
➍ When the identity verification is complete, the Verified by Visa window disappears and the consumer is returned to the merchant purchase confirmation screen.

Verified by Visa is the brand name used to communicate the online authentication service to consumers.

The Three-Domain (3-D) Secure Authenticated Payment Program is the technology platform for Verified by Visa. The 3-D Secure technical specifications and protocol use Secure Sockets Layer (SSL) encryption that is currently supported by the majority of online merchants. The 3-D Secure framework divides the authentication process according to the participants involved:

- Issuer Domain: Issuer and cardholder
- Acquirer Domain: Acquirer and Internet merchant
- Interoperability Domain: Visa-operated systems that connect the Issuer and Acquirer domains

In 2001, Visa International Operating Regulations were implemented to support the Visa 3-D Secure Authenticated Payment Program. The program, based on the Visa 3-D Secure protocol, provides Acquirers with protection against unauthorized usage chargebacks when:

- An Issuer authenticates a cardholder's identity through a password the cardholder provides when making an online purchase.

159 An Internet merchant, under certain conditions, attempts a 3-D Secure Authentication, but the Issuer or cardholder is not participating in the service (effective April 1, 2003). This change shifts responsibility for the transaction from the Acquirer to the Issuer when the merchant submits proof that it authenticated, or attempted to authenticate, the cardholder during the purchase. General Rules To participate in offering 3-D Secure services to cardholders and/or merchants, Visa Acquirers and Issuers must complete the service registration process for 3-D Secure. This ensures that information regarding participating Member BINs can be loaded into the 3-D Secure Visa Directory Server. Verified by Visa must only be completed in conjunction with a Visa card purchase transaction. Acquirer Operating Requirements Effective April 1, 2003, an Acquirer is required to: Notify its electronic commerce merchants of the availability of the Visa 3-D Secure Program (Verified by Visa). Ensure that its participating Internet merchants comply with all Visa International Operating Regulations pertaining to 3-D Secure, and that the substance of these requirements is included in the Merchant Agreement. Include in an authorization request the valid Cardholder Authentication Verification Value (CAVV), when supplied by the Issuer or by Visa, as a condition of using a 5 (Secure Electronic Commerce Transaction) or 6 (merchant attempted 3-D Secure authentication) in the Electronic Commerce Indicator (ECI) field of the authorization and clearing records. Ensure that their participating merchants and any third-party processing entities that process 3-D Secure transactions comply with 3-D Secure operating requirements and the Visa International Account Information Security program. Issuer Operating Requirements Effective April 1, 2003, an Issuer is required to: Respond to a 3-D Secure Authentication Request with a 3-D Secure Authentication Confirmation or Attempt Response and a CAVV. 
- Validate the CAVV during authorization.
- Provide Visa with its CAVV keys for stand-in processing.

In addition to retaining authentication records, an Issuer must:

- Retain a log of attempted authentications when generated by the Issuer Access Control Server.
- Provide the log to Visa upon request during the arbitration or compliance process.

It is important to note that an Issuer must also provide proof of an authentication attempt by sending a CAVV to the merchant, regardless of whether or not the cardholder is participating.

- If the Issuer does not support authentication attempts, then Visa will provide Attempt Responses that include a CAVV, and subsequently validate the CAVV at authorization.
- If the Issuer does not implement support for authentication attempts, then a one-time fee of US$100 per BIN will be assessed, in addition to a fee of US$0.023 per Attempt Response.
- If the Issuer does support authentications, then a fee of US$0.003 will be assessed for each transaction that an Issuer Access Control Server forwards to the Authentication History Server (a central log maintained by Visa of all 3-D Secure authentication and authentication attempt records).

Transaction Types Excluded from Chargeback Liability Shift

Effective April 1, 2003, the Visa International Operating Regulations exclude the following types of transactions from the chargeback liability shift related to 3-D Secure attempted authentications:

- Commercial card
- Anonymous prepaid card
- Transactions conducted in new channels (e.g., mobile phone or other access device that does not use a standard HTML browser to process a 3-D Secure Authentication Request)
- Transactions by merchants identified through the Global Merchant Chargeback Monitoring Program for the period of time the merchant remains on the monitoring program report, plus three additional months

If an Acquirer attempts to authenticate any of these noted transaction types, and the Issuer or cardholder is not participating in 3-D Secure, the Issuer will retain chargeback rights for disputed unauthorized transactions.
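The ECI/CAVV requirement and the liability-shift exclusions above can be checked before an authorization is submitted. The following is an added example, not part of the guide or of any Visa specification: the record fields, status names and the exclusive end of the "plus three additional months" window are assumptions, and the CAVV is only checked for presence because validating it is the Issuer's (or Visa's) task.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

ATTEMPTS_EFFECTIVE = date(2003, 4, 1)      # effective date stated in the guide
ECI_AUTHENTICATED, ECI_ATTEMPTED = "5", "6"


@dataclass
class AuthRequest:
    """Hypothetical pre-submission view of an e-commerce authorization."""
    txn_date: date
    eci: str
    cavv: Optional[str] = None             # value returned by the Issuer or Visa
    commercial_card: bool = False
    anonymous_prepaid: bool = False
    standard_html_browser: bool = True     # False for "new channel" devices
    monitoring_listed_on: Optional[date] = None    # chargeback monitoring report
    monitoring_removed_on: Optional[date] = None   # None while still listed


def add_months(d: date, months: int) -> date:
    """Calendar-month addition, clamping to the last day of short months."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def on_monitoring_exclusion(req: AuthRequest) -> bool:
    """Listed period plus three additional months (end date exclusive: assumed)."""
    if req.monitoring_listed_on is None or req.txn_date < req.monitoring_listed_on:
        return False
    if req.monitoring_removed_on is None:
        return True
    return req.txn_date < add_months(req.monitoring_removed_on, 3)


def assess(req: AuthRequest) -> Tuple[str, List[str]]:
    """Return (status, reasons) for one request."""
    if req.eci not in (ECI_AUTHENTICATED, ECI_ATTEMPTED):
        return "no_3ds_claim", []
    if not req.cavv:
        # ECI 5 or 6 may only be used when the CAVV is included.
        return "reject", ["ECI %s used without a CAVV" % req.eci]
    if req.eci == ECI_AUTHENTICATED:
        return "liability_shift", []
    reasons = []
    if req.txn_date < ATTEMPTS_EFFECTIVE:
        reasons.append("attempt predates April 1, 2003")
    if req.commercial_card:
        reasons.append("commercial card")
    if req.anonymous_prepaid:
        reasons.append("anonymous prepaid card")
    if not req.standard_html_browser:
        reasons.append("new channel (no standard HTML browser)")
    if on_monitoring_exclusion(req):
        reasons.append("merchant on chargeback monitoring report or within 3 months")
    return ("issuer_retains_chargeback" if reasons else "liability_shift"), reasons


if __name__ == "__main__":
    # Constructed sample requests; the CAVV strings are placeholders.
    batch = [
        AuthRequest(date(2003, 5, 1), "5", "CONSTRUCTED-CAVV"),
        AuthRequest(date(2003, 5, 1), "6"),
        AuthRequest(date(2003, 5, 1), "6", "CONSTRUCTED-CAVV", commercial_card=True),
    ]
    for r in batch:
        print(r.eci, *assess(r))
```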

Acquirer Best Practices Checklist

Acquirer Strategy and Organization

Acquirer Business Plan and Organizational Structure

o Develop a strategic business plan that addresses merchant portfolio risks and the effects of fraudulent activity on the Acquirer organization.
o Make sure ongoing Acquirer program management is clearly assigned to individuals or organizational units.
o Separate sales operations and risk management functions to ensure built-in checks and balances. Place sales, operations, and risk management at the same organizational level to provide an independent risk assessment environment.
o Ensure that the risk management group is responsible for reviewing new merchants and monitoring all merchants for signs of financial difficulty and possible fraud.
o Set up a Risk Management Committee (RMC) to discuss and agree upon specific risk issues and sign off on the overall business strategy.

Staff Training

o Train new and existing staff members on merchant fraud risk and security issues, chargeback regulations, and risk management policies and procedures.

Third-Party Relationships

o Require a written contract between the Acquirer and the third-party agent.
o Make sure all third-party agent contracts define Acquirer program responsibilities, requirements, and standards.
o Develop procedures that ensure third-party controls and adequate protection from excessive risk and loss.
o Conduct periodic third-party activity reviews based on agent type and level of exposure.

Merchant Underwriting

Portfolio Development

o Define portfolio development policies that:
    o Specify the markets, merchant categories, and levels of risk the Acquirer organization is, and is not, willing to accept when approving new accounts.
    o Spell out minimum financial and credit requirements for new merchants, as well as the level of management approval needed for specific kinds of businesses.
    o Take into account a range of critical issues that may affect portfolio profitability.
o Ensure agents or non-member agents comply with all Visa merchant underwriting requirements.
o Understand and adhere to laws and operating regulations related to lottery ticket sales, Internet gambling, and child pornography.

Merchant Application

o Use the merchant application to gather relevant information on the merchant's business background, operations, location, and principals.
o As part of the application process, request detailed business plans, samples of merchandise, and copies of all relevant marketing materials.
o Carefully evaluate application information to determine potential risk for chargebacks.
o Ensure that all business principals undergo a thorough background check.

Site Inspections

o Conduct a rigorous site inspection that covers all aspects of the merchant's business operations, including:
    o Location.
    o Premises and physical layout.
    o Business documentation.
    o Inventory.
    o Employees.
    o Return policy.
    o Data security.

o Make sure Card-Not-Present merchant site inspections include a:
    o Warehouse and office facility visit.
    o Shipping, billing, and return policy review.
    o Shop of prospective merchant business.
    o Fulfillment house or third-party agent evaluation.
o Document all new Card-Not-Present merchant investigations and keep records on file for a minimum of two years.

Merchant Approval

o Set levels of authority for approval based on the merchant's projected sales volume.
o Accept only complete applications.
o Develop a policy for approval sign-off, approval of previously declined merchant applications, and declining unacceptable merchant types.
o Increase monitoring and liability for Card-Not-Present transactions.
o Evaluate point-of-sale (POS) terminal placement for risky Merchant Category Codes (MCCs).

Merchant Contracting and Setup

Merchant Agreement

o Create a Merchant Agreement that:
    o Reduces the institution's exposure to fraud and credit risk losses to the greatest extent allowable by law.
    o Reflects a thorough understanding of an individual merchant's business type, level of risk, and projected sales and chargeback rates.
    o Ensures the safe and sound operation of merchant activities.
    o Confirms the right to seize funds.
    o Outlines all regulatory issues.
o Include Merchant Agreement provisions that help protect against fraud losses beyond the minimum requirements stated in the Visa International Operating Regulations.
o If migrating to chip processing, update existing Merchant Agreements to include the following:
    o Terminal costs and installation, as well as any pricing changes.
    o Support for additional data for authorization and clearing messages.
    o Receipt of new information on reports.

    o Cost and competitive factors.
    o Merchant expectations for conversion to chip-card acceptance, including chargeback liability review.
    o Procedural changes to card acceptance processes.
    o Acceptance of Visa Electron cards at online-capable terminals for both chip-initiated and magnetic-stripe transactions.
    o Acceptance of Visa Horizon cards at online PIN-capable terminals, if appropriate.

Card-Present Merchant Setup

o Make sure all POS devices are fully Card Verification Value (CVV) and chip-capable.
o Wherever possible, ensure terminals:
    o Read and transmit full-chip or magnetic-stripe Track 1 or 2 data, but not display the full-track data at any point.
    o Prompt the user to enter the last four digits of the embossed account number ("read and compare").
o Review data security issues and requirements with the merchant.
o Equip merchants with reference materials to aid with card acceptance and fraud prevention.
o Conduct terminal and authorization testing prior to the merchant launch.
o Ensure data quality, including merchant name, location, and Merchant Category Code (MCC).
o Educate merchant on bankcard security features, card acceptance, key-entered transaction Code 10 call, and card recovery procedures.
o Ensure control of supervisor cards and make sure they are always kept in a secure environment.

Card-Not-Present Merchant Setup

o Establish a clear merchant description for cardholder statements to help facilitate easier merchant name recognition.
o Add a suffix to the MCC to indicate the transaction type, such as Card-Present, mail order or telephone order (MO/TO), or Internet.
o Review cardholder data security issues and requirements with the merchant.
o Educate the merchant about the risk exposure and liability associated with accepting Visa cards in the Card-Not-Present environment.

o Offer Address Verification Service (AVS), Card Verification Value 2 (CVV2), and Verified by Visa support.
o Offer solutions to enable merchant to block high-risk transactions for review.
o Ensure merchants are aware of fraud-detection, screening, and monitoring tools.
o Clarify and support dynamic currency conversion and multicurrency support activities.
o Ensure data quality, including merchant names, location, and MCC.
o Ensure merchant name, telephone number, or URL address appears on the cardholder statement.

Card Acceptance Procedures and Merchant Education

o Require that merchants follow basic Visa card acceptance procedures and take all reasonable steps to ensure card, cardholder, and transaction are legitimate.
o Ensure that merchants conduct periodic training refresher courses for all sales staff.

Card Recovery and Code 10 Support

o Take appropriate action as soon as a recovered card is received from a merchant.
o Notify the Issuer of the recovery situation.
o Mail the card to the Issuer's security contact within five calendar days.
o Complete a Recovered Card Advice and send it with the card, along with any other pertinent information about the recovery.
o Follow Visa guidelines to ensure the minimum reward is paid to the merchant or disbursing Member that made a card recovery.
o Develop and provide Code 10 educational materials and aids to merchants and authorization center staff.
o Consider implementing a speed-dial service to make the Code 10 (and referral) call process more efficient, particularly for overseas transactions.

Merchant Activity Monitoring

New Merchant Monitoring

o Conduct a daily review of all transactions from new merchant locations for a two- to three-month period.
o When monitoring a new merchant, flag and promptly investigate any variations or deviations in sales activity, including:
    o Deposit variations.
    o Large deposits.
    o Suspicious authorization activity.
o Monitor other significant aspects of a new merchant's business, such as sudden changes in ownership, location, telephone number, product line, or selling methods.

Ongoing Merchant Monitoring

o Use a regular, ongoing merchant monitoring program to identify potentially fraudulent activities.
o Implement ongoing merchant monitoring standards that go beyond the minimum requirements established for Visa's Merchant Deposit Monitoring program.
o Set up a warning system to detect fraudulent merchant activity at an early stage.

Periodic Merchant Review

o Re-evaluate the merchant's financial condition, such as notable changes in the merchant's sales volume, products, operations, or business practices.
o Conduct another on-site inspection to confirm merchant compliance with the Merchant Agreement and the Visa International Operating Regulations.
o Verify that the merchant's financial statements and references are current.

Suspect Merchant Activity Investigation

o Request transaction documentation from the merchant.
o Validate the transaction with the Issuer.
o Hold settlement funds until the merchant explains the reasons for the activity.
o Contact the merchant's branch bank, if the merchant is involved in fraudulent activity.
o Visit the merchant's site, if necessary, to perform an investigation.

o Escalate cases to senior bank management if fraud exceeds a specific value or involves High-risk Merchants.
o Notify the merchant underwriting or approval department of the suspicious activity.
o Perform ongoing monitoring and investigations of identified suspect merchants.

Account Information Security

o Ensure that merchants and their agents maintain appropriate security standards as specified in the Visa International Account Information Security program.

Personal Identification Number (PIN) Security

o If accepting or processing PIN-based transactions for Visa-branded products, complete Visa's initial and annual PIN Security Self-Audit as required.

Merchant Fraud Investigation

Merchant Data Collection and Review

o Contact the merchant directly and request all available information about the fraud.
o Maintain and review merchant profiles to detect irregularities that could point to a problem.
o Conduct a site inspection, if necessary.
o Conduct an examination of a business's data security practices.
o Closely examine authorization and sales records for fraudulent transactions.

Fraud Confirmation and Loss Reduction

o If a fraud scam is confirmed or seriously suspected, consider any or all of the following actions:
    o Freeze the merchant's Direct Deposit Account or other accounts.
    o Immediately terminate the business's Merchant Agreement.
    o File a civil suit to recover losses, and, if appropriate, freeze other assets of the business or its principals.
    o Alert local and federal law enforcement agencies about the scam, and cooperate in their efforts to prosecute the perpetrators.
    o Contact the Issuers of any account numbers stolen, copied, or used for fraudulent transactions in a confirmed scam.

o In cases where a merchant is truly unaware that a scam has occurred, or where collusive employees were involved:
    o Work with the business to develop a comprehensive fraud prevention plan.
    o Ensure POS terminals and equipment are set for optimum data security.

Merchant Agreement Termination

o If the Acquirer organization owns the POS terminals, remove them from the merchant location.
o To avoid processing further transactions, suspend settlement to the merchant's account and block authorization processing.
o If a processor is used for authorizations or settlement, notify the processor and request that the merchant account be blocked to prevent account testing and any further deposits.
o Add merchant name to Terminated Merchant File (TMF) when the merchant account has been closed for cause.

Management Information

o Produce key operational indicator reports on a regular basis to show:
    o Exposure to High-risk Merchants and industries.
    o Number of merchant leads by source.
    o Merchant approval rate.
    o Merchant service-charge income.
    o Terminal income.
    o Interchange expenditure.
    o Number of merchant exceptions.
    o Profit or loss by merchant sector.
    o Specific provisions raised against merchant losses.
    o New fraud cases.
    o Number of terminations.
    o Merchant attrition rate by reason.
o Use chargeback reporting as a leading indicator for fraud control and investigations activity.
o Incorporate this information in your merchant acquisition strategy.
o Use this information to help set policies regarding marketing and authorizations.

E-Commerce Merchant Fraud Management

Merchant Marketing Strategies

o Target existing merchants that are potential and appropriate e-commerce program candidates.
o Evaluate the security capabilities of all potential third-party vendors that may handle cardholder account data.
o Establish alliances with Internet gateway vendors that offer secure transaction processing.

Merchant Sales Strategies

o Train your e-commerce sales staff to adhere to the Acquirer organization's signing policies and generate lower-risk merchant applications.
o Establish and certify merchant referral relationships with Commerce Service Providers (CSPs).
o Consider incentives and disincentives for signing good and poor accounts, respectively.

Merchant Application Requirements

o Require a separate application for all merchants establishing an e-commerce presence.
o Collect and verify additional application data and financial documents for Internet merchants:
    o Universal Resource Locator (URL), also known as the Website address (i.e., and Internet Protocol (IP) server address for the merchant Website.
    o Contact details for the Website hosting service.
    o addresses and telephone numbers for merchant customer service.
    o Descriptions of any links on the merchant's Website to other sites to which they may, or may not be affiliated.

Credit Review

o Use "accept" and "do not accept" criteria to determine whether a merchant applicant is eligible for the e-commerce program.
o Establish separate application verification processes: one for low-risk merchants and a more stringent process for High-risk Merchants.
o Use automated tools and government agency databases to verify business owner application name.
o Use consumer credit bureau reports, application data, and business bureau reports to evaluate applicants.

o Use Internet merchant rating services, like TRUSTe ( CNET ( and Bizrate.com ( to obtain additional information about existing Internet merchants.
o Review the merchant Website to ensure it complies with minimum content requirements for Visa card payments.
o Inspect the merchant's physical business and fulfillment sites.
o Copy and retain the merchant Website source code for periodic reviews.
o Assess risk exposure quantitatively and determine potential Acquirer liability.
o Define policies and standards for collecting and holding reserves on high-risk Internet merchants.
o If working with an Internet Payment Service Provider (IPSP), establish procedures to ensure that terminated merchants are not approved for sponsorship.

Approval Criteria

o Establish specific approval criteria for low-risk merchants and High-risk Merchants.
o Clearly designate merchant approval responsibilities and authorities based upon risk.
o Establish merchant approval signature requirements.
o Establish formal rejection override policies and procedures.
o Maintain a database of all declined merchant applications.

New Merchant Setup

o Educate the merchant about the risk exposure and liability associated with accepting payment cards via the Internet.
o Review e-commerce data security issues and requirements with the merchant.
o Assign a clear merchant description to avoid cardholder disputes.
o Ensure that the Merchant Category Code (MCC) reflects the merchant's principal line of business, rather than placing all Internet merchants into a designated e-commerce MCC.
o In addition to the ECI, identify online gambling merchants using the mandatory data elements.

Merchant Portfolio Risk Management

o Select and prioritize accounts for periodic merchant review.
o Conduct periodic merchant reviews:
    o Evaluate the adequacy of the merchant's collateral on a regular basis.
    o Check the merchant's Website to identify changes in products, delivery methods, or return policies, and to ensure proper functionality.
    o Assess merchant compliance with data security and encryption requirements.

Merchant Operations

o Use internal system designations for Internet merchants to track and report e-commerce portfolio sales, chargebacks, and losses.
o Use secure to communicate with and deliver statements to merchants.
o Use secure to send chargeback information to merchants.
o Give merchants secure, password-protected Internet access to transaction, statement, and processing information.
o Include fraud awareness information in monthly merchant statements.
o Post merchant fraud awareness information on your organization's Website or create links to other sites that provide this information.

Merchant Monitoring

o Delay merchant funds availability to allow sufficient time to review transactions and deposits.
o Establish a maximum monthly and daily funding limit for each merchant account and hold funds for review when either limit is exceeded.
o Withhold individual transactions or entire deposits from outgoing interchange, if fraud is deemed certain or highly likely.
o Establish automated velocity controls over high-risk transactions and deposits. Depending on needs and resources, elect to use any of these options:
    o Set an authorization limit for monthly volume or single transaction amount to avoid the risk of large-scale fraud.
    o Prevent high-risk transactions or batches of settlement activity from entering interchange until they have been reviewed.
    o Withhold funding from suspect batches.
    o Automatically suspend large credit transactions that do not have a preceding debit transaction.

    o Automatically suspend large forced transactions.
o Develop and apply effective criteria for monitoring and reporting suspicious activity, including the following:
    o Unusual authorization activity.
    o Unusual activity on other payment products.
    o Reduction in sales credits.
    o Increases in draft retrieval requests.
    o International transactions from countries with a high-fraud experience.
    o Tighter exception parameters for new merchants.
    o Credit transaction activity of gaming merchants.
o Monitor the chargeback-to-sales ratios of all Internet merchants.
o Enable a thorough follow-up on merchants reaching chargeback-to-transaction volumes:
    o Utilize online Exception-report queues that consolidate multiple alerts for a single merchant into one exception listing.
    o Develop a scoring system to prioritize merchant alerts for review.
    o Implement automated controls to ensure merchant alerts are worked accordingly.
    o Establish an ongoing closed loop feedback process to assess the effectiveness of suspect activity reports.

Merchant Fraud Monitoring Support

o Offer solutions that enable an Internet merchant to effectively monitor high-risk transactions.
o Ensure that Internet merchants have the tools in place to monitor fraud:
    o Develop or partner with third-party vendors to provide fraud-screening tools for merchants.
    o Help merchants define their fraud-monitoring criteria.
o Participate in Visa Address Verification Service (AVS) and require Internet merchants to use it.
o Develop systems to support Card Verification Value 2 (CVV2), and work with the Internet merchant to implement this fraud detection tool.
o Participate in the Verified by Visa service and make it available to all Internet merchants.
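The funding limits, velocity controls and consolidated, scored exception queue described in the Merchant Monitoring items above can be prototyped as follows. This is an added example, not part of the guide: the record layout, every threshold, the rule weights and the hold score are assumptions, and the transactions are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Txn:
    merchant: str
    day: date
    card: str             # tokenised card reference, never a full account number
    kind: str             # "sale", "credit" or "chargeback"
    amount: float
    forced: bool = False  # forced transaction


# All thresholds and weights are assumptions chosen for the sample data.
DAILY_LIMIT = 5_000.00
MONTHLY_LIMIT = 60_000.00
LARGE_CREDIT = 500.00
LARGE_FORCED = 1_000.00
MAX_CB_RATIO = 0.02       # chargebacks per sale, by count
HOLD_SCORE = 8            # at or above this, hold funds pending review
WEIGHTS = {"daily_limit": 3, "monthly_limit": 3, "orphan_credit": 5,
           "large_forced": 4, "chargeback_ratio": 4}


def detect(txns):
    """Return {merchant: set of (rule, detail)} for every rule that fires."""
    alerts = defaultdict(set)
    daily, monthly = defaultdict(float), defaultdict(float)
    debited = set()                       # (merchant, card) pairs with a prior sale
    counts = defaultdict(lambda: {"sale": 0, "chargeback": 0})
    for t in sorted(txns, key=lambda t: t.day):   # stable: keeps same-day order
        m = t.merchant
        if t.kind == "sale":
            counts[m]["sale"] += 1
            debited.add((m, t.card))
            daily[(m, t.day)] += t.amount
            monthly[(m, t.day.year, t.day.month)] += t.amount
            if daily[(m, t.day)] > DAILY_LIMIT:
                alerts[m].add(("daily_limit", t.day.isoformat()))
            if monthly[(m, t.day.year, t.day.month)] > MONTHLY_LIMIT:
                alerts[m].add(("monthly_limit", f"{t.day:%Y-%m}"))
            if t.forced and t.amount >= LARGE_FORCED:
                alerts[m].add(("large_forced", t.card))
        elif t.kind == "credit":
            # Large credit with no preceding debit on the same card.
            if t.amount >= LARGE_CREDIT and (m, t.card) not in debited:
                alerts[m].add(("orphan_credit", t.card))
        elif t.kind == "chargeback":
            counts[m]["chargeback"] += 1
    for m, c in counts.items():
        if c["sale"] and c["chargeback"] / c["sale"] > MAX_CB_RATIO:
            alerts[m].add(("chargeback_ratio", f"{c['chargeback']}/{c['sale']}"))
    return alerts


def exception_queue(txns):
    """One consolidated listing per merchant, highest score first."""
    queue = []
    for m, found in detect(txns).items():
        score = sum(WEIGHTS[rule] for rule, _ in found)
        queue.append({"merchant": m, "score": score, "alerts": sorted(found),
                      "hold_funds": score >= HOLD_SCORE})
    return sorted(queue, key=lambda e: (-e["score"], e["merchant"]))


# Constructed sample: M-100 is quiet, M-200 shows a sudden spike with an
# unmatched credit and a forced sale, M-300 has a high chargeback ratio.
SAMPLE = [
    Txn("M-100", date(2003, 3, 3), "tokA", "sale", 120.00),
    Txn("M-100", date(2003, 3, 4), "tokB", "sale", 80.00),
    Txn("M-200", date(2003, 3, 3), "tokC", "sale", 300.00),
    Txn("M-200", date(2003, 3, 10), "tokD", "sale", 2600.00),
    Txn("M-200", date(2003, 3, 10), "tokE", "sale", 2900.00),
    Txn("M-200", date(2003, 3, 10), "tokZ", "credit", 900.00),
    Txn("M-200", date(2003, 3, 11), "tokF", "sale", 1500.00, forced=True),
] + [Txn("M-300", date(2003, 3, 5), f"tok{i}", "sale", 50.00) for i in range(10)] + [
    Txn("M-300", date(2003, 3, 6), "tok0", "credit", 600.00),
    Txn("M-300", date(2003, 3, 20), "tok3", "chargeback", 50.00),
]

if __name__ == "__main__":
    for entry in exception_queue(SAMPLE):
        print(entry)
```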

Suspect Activity Investigation

o Establish sound policies for investigating suspect Internet merchant activity.
o Record suspect activity in a merchant history database and review previous exception conditions.
o Develop appropriate investigative steps, such as contacting Issuers to verify the transactions in question.
o Partner with Issuers to handle calls related to questionable transactions.
o Pre-define steps to bring rapid closure to investigations.
o Establish the internal and external notifications necessary to document the completion of an investigation.

Loss Control

o Establish pre-defined authorities to suspend merchant processing and hold funds, as well as formal internal responsibilities, policies, and procedures for terminating merchants.
o Develop an effective and timely merchant termination process that protects the acquiring institution's interests.
o Ensure that credits cannot be submitted during workout or probationary periods without prior review.
o Debit the merchant Direct Deposit Account via automated clearinghouse (ACH) transfers to obtain required funds in cases where the institution lacks adequate merchant reserves to cover the risk exposure.
o Establish a post-mortem analysis to evaluate causes of loss and determine whether the loss could have been prevented.

Internet Merchant Procedures

Website Requirements:

o Establish and communicate minimum Internet merchant site content requirements for Visa card payments:
    o Complete description of goods or services.
    o Customer service contact information, including address or telephone number.
    o Return, refund, and cancellation policy.
    o Delivery policy.
    o Country of merchant domicile.
    o Export restrictions (if known).
    o Transaction currency or currencies.

o Communicate to Internet merchants additional items that ideally should be included on their Website.
o Ensure that all online gambling Websites:
    o Advise cardholders of their responsibility to know if their national or local laws prohibit gambling on the Internet.
    o Include a complete description of rules of play, cancellation policies, and pay-out policies.
    o Include a statement recommending that cardholders retain a copy of transaction records.
    o Indicate that online gambling is for adults only and use best efforts to restrict participation by minors.

Transaction Receipts

o Ensure that Internet merchants meet unique requirements for transaction receipt data and copy fulfillments.
o Recommend that Internet merchants print transaction receipts that suggest that the cardholder print or save the receipt for his or her records.
o Encourage Internet merchants to send an online acknowledgment of the transaction, in addition to the transaction receipt.

Glossary

A

Account Information Security
A Visa International program that provides Acquirers, merchants, and their agents with requirements for handling, storing, and protecting Visa account and transaction data.

Account Testing
A fraud scam used by criminals to verify whether an account number is currently valid. To test an account, the perpetrators make a small purchase on it (for example, a few dollars' worth of gas), or they will submit an authorization request but not a sales transaction receipt. If the account is valid, it will then be used for additional, larger fraudulent transactions.

Acquirer Identifier
A three-letter tag or label consisting of the letters "ACQ" used to identify financial institutions as Acquirers for credit bureau listings. For example, an Acquirer with the name "First National Bank" would be listed as "Frst Natl Bnk-ACQ." The use of Acquirer identifiers is recommended by Visa to help acquiring institutions spot potential fraud scams involving multiple applications.

Acquirer Monitoring Program (AMP)
A Visa fraud reduction program that provides monthly monitoring of Acquirer fraud rates and notifies Acquirers when excessive fraud activity occurs. Reports are sent to Acquirers that exceed program thresholds, and remedial action is required. Failure to bring fraud rates below program thresholds within specific time frames results in fines.

Address Verification Service (AVS)
An automated fraud prevention system tool designed to reduce the risk of Card-Not-Present transactions. AVS helps minimize the risk of accepting fraudulent transactions by facilitating verification of the cardholder's billing address with the Issuer. Verification results help the merchant determine whether to accept a particular transaction or to take further follow-up action.
Agent
Any contractor, including third-party processors and servicers, or Independent Contractors, whether a Member or non-member, engaged by a Member to provide services or act on its behalf in connection with the Visa payment services.

Authenticate
To verify the identity of an Internet user, computer, or person. For example, some merchants will use advanced security systems to authenticate the consumer before accepting an online order.

Authorization
The process by which bankcard transactions are approved by Issuers. Authorizations occur at the point of sale before a transaction is completed. With POS and other electronic transaction-processing devices, authorization is automatic. Telephone authorizations are also available from authorization centers.

Authorization Center
A facility established by a Member, either in-house or through a third-party processor, to respond to merchants' or other Members' requests for authorizations for transactions or cash advances. Authorization centers also respond to referral and Code 10 calls.

Automated Voice-Response Units
A computerized phone system used by voice authorization centers to respond to merchant phone calls requesting a transaction authorization. Authorization occurs without the caller speaking to an authorization agent, making it more difficult to identify potentially suspicious calls or transactions.

B

Bank Identification Number (BIN)
The Bank Identification Number (BIN) is a unique 6-digit number Visa assigns to Members for identification purposes. BINs always begin with a 4 and are the first 6 digits in bankcard account numbers.

BASE II
The VisaNet system that provides clearing and settlement services to Members.

Boiler Room
A single room or small office used by criminals to enter fraudulent transactions on multiple POS terminals or similar transaction-processing devices. Boiler rooms are most frequently associated with telemarketing and account testing scams.

Broker
An individual who finds merchants with valid Merchant Agreements to launder sales transaction receipts for merchants without valid agreements. The broker receives a percentage of the value of the laundered drafts and may also seek out fraudulent telemarketers or other fraud perpetrators with sales transaction receipts to be laundered.

Business Principal
See "Principal."

Bust-Out Merchant
A seemingly legitimate merchant, who opens a valid account with an Acquirer and after a brief period of normal sales activity, deposits a large number or high-dollar amount of fraudulent transactions. Once payment for the transactions is received, the merchant empties its Direct Deposit Account and disappears. Bust-out merchants often make applications to several Acquirers at the same time.

C

Card Acceptance Procedures
The procedures a merchant or merchant employee must follow at the point of sale to ensure a card and cardholder are valid. Both Card-Present and Card-Not-Present merchants are required to take all reasonable means to ensure the validity of the transactions they process.
Card Authentication Verification Value (CAVV)
A unique value transmitted by an Issuer in response to an authorization request from a 3-D Secure merchant.

Card Expiration Date
See "Good Thru Date."

Card-Not-Present
A merchant, market, or sales environment where transactions occur without a valid Visa card being present. Card-Not-Present is used to refer to mail order/telephone order merchants and sales environments, as well as the Internet.

Card-Present
A merchant, market, or sales environment where a transaction can be completed only if both a valid Visa card and cardholder are present and the sale is processed by an individual representing the merchant or Acquirer. Card-Present transactions include face-to-face retail sales and cash disbursements.

Card Security Features
The alphanumeric, pictorial, and other design elements that appear on the front and back of all bankcards. These features must be checked by merchants for all Card-Present sales to ensure the card is valid. The exact physical dimensions and placement of the card security features are specified by the Visa International Operating Regulations and are difficult to copy exactly.

Card Verification Value (CVV)
A unique three-digit code included on the magnetic stripe of all valid Visa cards. The CVV is checked during the authorization process for Card-Present sales to ensure that the card is valid. When setting up a new merchant account, an Acquirer should ensure that the point-of-sale (POS) terminals used by the business are CVV-capable.

Card Verification Value 2 (CVV2)
A unique three-digit code that appears on the signature panel of all Visa bankcards and is used to confirm the validity of the card during Card-Not-Present sales. Card-Not-Present merchants ask customers for the code as part of the order-taking process and submit it for verification with other authorization information.

Cardholder-Activated Terminal (CAT)
A point-of-sale terminal that can only be activated when a cardholder swipes a bankcard through it. CATs are commonly found in gas pumps and have been used by criminals for account testing scams.

Cardholder Verification Method (CVM)
Instructions encoded within a chip that define how the authenticity of a cardholder's identity is to be verified.

Cash Disbursement
A bankcard transaction involving the payment of cash or travelers cheques to a cardholder. In general, only financial institution branches are allowed to make cash disbursements.

Chargeback
A transaction returned by an Issuer to an Acquirer. A sudden increase in a merchant's chargeback rate is often the first sign of fraud or other high-risk sales activity.

Check-Digit Algorithm
A mathematical formula used to create and verify the validity of Visa bankcard account numbers. These formulas can also be used by criminals to create counterfeit account numbers, for example, by running a valid number through an account number-generating computer program such as CreditMaster.

Code 10 Call
The telephone call merchants make to their authorization centers when they have reason to believe that a card or transaction is not valid, but do not wish to alert the customer of their suspicions. The merchant dials the center and requests a Code 10 authorization. In most cases, the call is then referred to the account Issuer for special handling.

Collusive Merchant
A merchant who conspires to perpetrate credit card fraud. Often, no merchandise is exchanged, and the fraud proceeds are shared with accomplices.

Commerce Server
Web software that runs some of the main functions of an online storefront such as product display, online ordering, and inventory management. The software works in conjunction with online payment systems to process payments.

Commerce Service Providers
Third-party vendors that supply services to a merchant to support its ability to accept electronic commerce transactions. For example, a Commerce Service Provider may supply a packaged solution for accepting credit card transactions on the Internet, risk management services, or distribution control services.

Common Purchase Point (CPP)
The merchant location or other site at which data theft or replication occurs in a skimming scam.

Credit Scheme
A fraud scam involving the improper use of bankcard credits to transfer money from a merchant's Direct Deposit Account to their personal Visa card account.

Credit Voucher
A transaction receipt for a refund or price adjustment to be credited to a cardholder's account. Credit vouchers can only be issued to an account for transactions previously charged to that account.
Improper use of credit vouchers by merchants is a violation of the Visa International Operating Regulations and can result in the termination of the Merchant Agreement.

CreditMaster
A computer program used by criminals to generate lists of potentially valid bankcard account numbers for fraudulent use. CreditMaster is the most well-known of several account number-generating programs that can now be downloaded from the Internet. These programs are not illegal; however, criminals can be arrested for using computer-generated account numbers in counterfeit or other fraud scams.

D

DBA
A DBA (Doing Business As) is a merchant's legal business name as differentiated from the names of a company's principals or other entity that owns or manages the business. If a merchant's DBA is different from the principal's or business name on a merchant application, both should be submitted to a credit bureau and matched during the application review process.

Data Encryption Standard (DES)
A commonly used standard method for encrypting and decrypting data. Encryption is necessary because valuable and sensitive information is often sent from one computer to another via a network that technically can be accessed by anybody. It provides a degree of security should the information fall into the wrong hands. DES was developed by the U.S. National Institute of Standards & Technology.

Digital Certificate
An electronic document used to authenticate the participants in a Secure Electronic Transaction Specification-compliant transaction.

Digital Signature
A digital code that can be attached to an electronically transmitted message that uniquely identifies the sender. Like a written signature, the purpose of a digital signature is to guarantee that the individual sending the message really is who he or she claims to be. Digital signatures are especially important for electronic commerce and are a key component of most authentication schemes. To be effective, digital signatures must be unforgeable. There are a number of different encryption techniques to guarantee this level of security.

Digital Wallet
Encryption software that works like a physical wallet during electronic commerce transactions. A wallet can hold a user's payment information, a digital certificate to identify the user, and shipping information to speed transactions. Most wallets reside on the user's PC, but recent versions, called thin wallets, are placed on the credit card Issuer's server. Netscape and Microsoft now support wallet technology on their browsers.

Direct Deposit Account (DDA)
A business bank account that a merchant establishes with an Acquirer for the deposit of payments for bankcard transactions. Prospective merchants should open a Direct Deposit Account with an Acquirer before or at the time a Merchant Agreement is signed.

Draft
See Sales Transaction Receipt.

Dove Hologram
A three-dimensional hologram of a dove in flight that appears on all valid Visa cards. When the card is tilted back and forth, the dove should seem to fly. The dove hologram is one of the card security features that should be checked by merchants to ensure a Card-Present transaction is valid.

E

Electronic Commerce Indicator (ECI)
A transaction data field used by Internet merchants and Acquirers to differentiate Internet merchants from other merchant types. Use of the ECI in authorization and settlement messages helps Internet merchants meet Visa processing requirements, and enables Internet transactions to be distinguished from other transaction types. Visa requires all Internet merchants to use the ECI.

Embossed Number
The 16-digit account number that appears in raised print on the front of all valid Visa cards. The embossed number is one of the card security features that should be checked by merchants to ensure that a Card-Present transaction is valid.

Encryption
The translation of data into a secret code. Encryption is the most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. Unencrypted data is called plain text; encrypted data is referred to as cipher text. There are two main types of encryption: asymmetric encryption (also called public-key encryption) and symmetric encryption.

Even-Monetary Transaction
A bankcard transaction for an even-dollar amount, for example, $10.00 rather than $ A large number of even-dollar transactions deposited by a single merchant may be the first sign of a fraud scam.

Exception Report
Reports on unusual or suspicious sales activity, such as a sudden change in the number or average dollar amount of transactions, generated by an Acquirer's host system or third-party processor. Visa strongly recommends that Acquirers monitor all merchant deposits and review exception reports daily.

F G

Face-to-Face
See Card-Present.

Flying V
A stylized, embossed V located to the right of the Good Thru Date on all valid Visa cards. The flying V is one of the card security features that should be checked by merchants to ensure that a Card-Present transaction is valid.

Full-Track Data
A cardholder's complete account information, including CVV, encoded in one or two tracks on the magnetic stripe on the back of a valid bankcard. Acquirers should ensure that merchants' POS terminals are set up so that full-track data can be read but not displayed during authorization and transaction processing.

Global Merchant Chargeback Monitoring Program
A loss reduction program intended to reduce the number of excessive International chargebacks and compensate Issuers for chargeback handling costs.

Good Thru Date
The date after which a bankcard is no longer valid, embossed on the front of all valid Visa cards.

H I

Hacker
A person who deliberately logs on to other computers by circumventing the log-on security system. This is sometimes done to steal valuable information or to cause irreparable damage.

High-Risk Merchant
A merchant location where ongoing or unacceptably high levels of fraud have resulted in a Risk Identification Service (RIS) High-risk designation. High-risk Merchants are subject to special chargeback rules until fraud activity is reduced to acceptable levels for three consecutive months.

High-Risk Telemarketing Merchant
A merchant whose business includes telemarketing activity that presents a financial or goodwill risk to Visa and its Members. Businesses designated by Visa as High-risk Telemarketing Merchants include direct marketing travel-related arrangement services, inbound teleservices, and outbound telemarketing firms. Before signing a business of this type, Acquirers must submit a High-risk Telemarketing Merchant Registration and Certification Form to Visa.

Identification Report
An element of the Risk Identification Service (RIS); a report triggered by excessive fraud or suspect activity at a merchant location and sent to the merchant's Acquirer, who may then be required to take remedial action to help the merchant reduce fraud losses. RIS issues four types of identification reports: Advices, Notifications, Alerts, and Warnings. The remedial action an Acquirer takes will depend on the type and number of alerts received in a six-month period.

Internet Gateway Vendors
Third-party vendor that supplies a computer network to the merchant that forwards transaction activity to the Acquirer.

Internet Payment Service Provider (IPSP)
An online entity that contracts with an Acquirer to provide payment-related services to sponsored merchants. The IPSP interfaces with the Acquirer on behalf of its sponsored merchants, and must ensure that its sponsored merchants are contractually obligated to operate according to Visa requirements. IPSPs are responsible for the actions of their sponsored merchants, and bear ultimate liability for their actions. An IPSP is only permitted to sign sponsored merchants.

Internet Protocol (IP) Address
A unique number that is used to represent every single computer in a network. All the computers on the Internet have a unique IP address, which is used to route messages to the correct destination within the Internet's worldwide web of computers and other related devices. The format of the IP Address is 4 sets of numbers separated by dots (e.g., ).

J K L

Key-Entered Fraud
The use of key-entered transactions for depositing fraudulent sales transaction receipts. Key-entered fraud often occurs in bust-out scams, laundering, and telemarketing schemes.

Key-Entered Transaction
A bankcard transaction that is entered on the alphanumeric keys of a POS device by using the terminal's manual override feature. Key-entering is used for Card-Not-Present sales and for Card-Present sales where the terminal cannot read a card's magnetic stripe.

Laundering
Any situation where a business with a valid Merchant Agreement deposits transactions for a company without an agreement. Whether or not the transactions processed are actually fraudulent, laundering is a federal offense and a violation of the Visa International Operating Regulations. It can result in a business losing its merchant agreement and being liable for criminal prosecution.

M

Magnetic Stripe (Magstripe)
A strip of magnetic tape on the back of all bankcards that is read when a card is swiped through a POS terminal. The stripe is encoded with identifying account information as specified in the Visa International Operating Regulations. On a valid card, the account number on the magnetic stripe matches the embossed number on the front of the card.

Mail Order/Telephone Order (MO/TO)
A merchant, market, or sales environment where mail or telephone sales are the primary or a major source of income. Such transactions are frequently charged to customers' bankcard accounts.

Member
An organization that is a Member of Visa and which issues cards and/or signs merchants.

Merchant Account Identification Number
A unique number assigned to merchants by their bank.

Merchant Agreement
The contract between a merchant and an Acquirer permitting the merchant to accept Visa cards for payment of goods and services, and requiring that the merchant abide by certain rules governing the acceptance and processing of Visa transactions.

Merchant Profile
A report compiled and periodically updated by Acquirers on each of their merchants, which is used to evaluate ongoing risk exposure and to investigate suspected instances of fraud. The merchant profile should contain basic information on a company, including its current financial health, number of employees, and type of POS terminal used, and should document its account history, previous incidents of fraud, and any recent changes in ownership, sales methodology, and transaction volumes.

Multiple Applications
The practice, used by criminals in bust-out merchant and other fraud scams, of submitting applications for merchant accounts to several Acquirers at the same time.

N O

National Merchant Alert Service (NMAS)
A database of merchants whose contracts have been terminated.

Non-Face-to-Face
See Card-Not-Present.

Non-Member Agent
A non-member agent is an organization or individual that is not a Member, has no direct connection to VisaNet, and provides Members with bankcard-related support services, such as:
- Merchant solicitation, sales, or services.
- Cardholder solicitation services.
- Point-of-transaction Terminal installation and service.
- Transaction receipt date capture and transmission.

P

Payment Gateway
A system that provides e-commerce services to merchants for the authorization and clearing of Secure Electronic Transaction Specification-compliant transactions.

Phone Scam
A fraud scam in which criminals call a legitimate business and pose as bank or law enforcement personnel to trick the merchant into giving them valid account information over the telephone. Typically, merchants are told that the system went down and cardholders' names and account numbers are needed to reprocess transactions, or the information is needed to verify account numbers found during a fraud investigation or arrest.

Pick-Up Response
An authorization response instructing a Card-Present merchant to refuse a transaction and recover the card.
In all circumstances, card recovery should only be attempted if it can be done by reasonable and peaceful means.

Point of Sale (POS)
The physical location at which a bankcard transaction takes place.

Point-of-Sale Terminal (POS Terminal)
The electronic device used for authorizing and processing bankcard transactions at the point of sale.

Potentially Skimmed Transaction
A counterfeit fraud transaction in which skimming is suspected as the source of the counterfeit account number. A potentially skimmed transaction can be identified by three characteristics: a POS Entry Mode Code 90, a verified CVV, and confirmation that the legitimate cardholder is still in possession of the valid card.

Principal
The individual or individuals who hold legal ownership and who manage and are financially responsible for a business with a merchant account with an Acquirer. When underwriting a new account, Acquirers should conduct a thorough financial investigation of the business principals.

Printed Number
A four-digit number that is printed either above or below the first four digits of the embossed number on all valid Visa cards. The printed number should begin with a 4 and be the same as the first four digits of the embossed number. The printed number is one of the card security features that should be checked by merchants to ensure that a Card-Present transaction is valid.

R

Referral Messages
A "Call" or "Call Center" response to a merchant's or Member's request for an authorization. A referral message indicates that the Issuer needs more information about the transaction or cardholder before an approval can be issued.

Risk Identification Service (RIS)
A Visa loss control program for Acquirers that compiles fraud data and identifies merchant locations where fraud or other risk-related activity exceeds parameters set by Visa. Acquirers receive identification reports on merchants with excessive fraud activity and are required to take remedial action to help the merchant reduce losses.

S

Sales Transaction Receipt
A paper or electronic record of a bankcard transaction, which a merchant submits to an Acquirer for processing and payment.
In most cases, paper drafts are now generated by a merchant's POS terminal. When a merchant fills out a draft manually, it must include an imprint of the front of the card.

Scrip
Paper currency or a token issued for temporary use.

Secure Sockets Layer (SSL)
A mechanism developed by Netscape Communications to allow secure bankcard transactions on the Internet.

Security Module
A physically and logically secure computer that performs cryptographic processes.

Signature Panel
The panel for cardholders' signatures on the back of all valid Visa cards. Valid panels are white with a blue, or blue and gold, pattern of the repeated word "Visa" printed at an angle and may also contain the account number and a three-digit code, the Card Verification Value 2, printed in reverse italics. The words "Not Valid Without Signature" or "authorized signature" also appear below or to the side of the panel on most Visa cards. The signature panel is one of the card security features that should be checked by merchants to ensure that a Card-Present transaction is valid.

Site Inspection
A thorough, physical investigation of a prospective merchant's primary business location or locations. A site inspection is required prior to signing a new merchant, and if an Acquirer uses an ISO for account solicitation, the inspection should be conducted by an independent third-party agent. Site inspections are required for third-party agents as part of the Agent Registration Program and may also be appropriate when merchant fraud is strongly suspected or confirmed at a business location.

Skimmed Counterfeit Fraud
See Skimming.

Skimming
The replication of account information encoded on the magnetic stripe of a valid card and its subsequent use for fraudulent transactions in which a valid authorization occurs. Full-track data is captured from a valid card and then re-encoded on a counterfeit card. The term skimming is also used to refer to any situation in which electronically transmitted or stored account data is replicated, and then re-encoded on counterfeit cards or used in some other way for fraudulent transactions.

Spike
A sudden, dramatic increase in a merchant's daily sales activity (usually an unexpected jump in the number or dollar amount of transactions), which is often the first sign of a potential fraud scam. A spike will occur over a very brief period of time, 2 or 3 days or a week, after which the merchant will empty its Direct Deposit Account and disappear. Spikes are associated with a number of merchant fraud scams, including bust-out merchants, laundering, and telemarketing fraud.

Split Sale
The preparation of two or more sales transaction receipts for the purchase of a single item charged to a cardholder's single account, in order to avoid authorization limits. Split sales are a violation of the Visa International Operating Regulations.

Sponsored Merchant
An online seller that contracts with an Internet Payment Service Provider (IPSP). The IPSP performs some or all of the sponsored merchant's payment-related operations on its behalf. The sponsored merchant must meet all card acceptance requirements in the Visa International Operating Regulations, with the single exception that it may have a contract with an IPSP, rather than an Acquirer.

Spoof Shops
A fraudulent merchant location such as a storefront or Website set up for the sole purpose of stealing or replicating account information from legitimate cardholders. A spoof shop may or may not have a valid Merchant Agreement, but will act as if it does; merchandise or services are sold to customers, but few or no transactions are entered for settlement. Spoof shops are most often associated with skimming and account testing scams.

T

Telemarketing Fraud
A type of fraud in which false or inflated offers of merchandise or services, such as vacations, vitamins, or luggage, are sold over the telephone by high-pressure salespeople promising fabulous prizes. In many cases, the true goal of the scam is to get individuals to give out their bankcard account numbers, which are then used for fraudulent transactions.

Third-Party Processor
A non-member organization that performs transaction authorization and processing, account record keeping, and other day-to-day business and administrative functions for Issuers and Acquirers.

Third-Party Servicer
A non-member organization or individual who provides back-office services such as transaction processing, data capture, or response processing for merchant or cardholder solicitations. Third-party servicers are not connected to the VisaNet system and must be registered with the Visa Agent Registration Program.

Track Data
See Full-Track Data.

Transaction
The act between a cardholder and merchant or cardholder and financial institution which results in the sale of goods or services.

Transaction Draft
See Sales Transaction Receipt.

Transaction Monitoring
Regular review of a merchant's transaction records by an Acquirer to check for any sudden changes in sales activity. A pattern of unusual or suspicious transactions discovered by rigorous daily monitoring is often the first sign of a fraud scam.

U V

Unauthorized Use
A fraudulent Card-Not-Present transaction charged to a bankcard account number by a perpetrator posing as a valid cardholder. In most cases, the account numbers used in these scams are valid, but have been illegally obtained by the perpetrators.

Unsigned Card
A seemingly valid Visa card that has not been duly signed by the legitimate cardholder. Merchants cannot accept an unsigned card until the cardholder has signed it, and the signature has been checked against valid government identification, such as a driver's license or passport.

Unusual Activity
Any sales activity that exceeds 150 percent of a merchant's Normal Weekly Activity parameters, or an elapsed time of over 15 days between a transaction's deposit and processing dates. Acquirers must process merchant deposits so that an Exception report is generated whenever unusual activity occurs.

Verified by Visa
Validates a cardholder's ownership of an account in real time during an online Visa card transaction. When the cardholder clicks "buy" at the checkout of a participating merchant, the merchant server recognizes the registered Visa card and the Verified by Visa screen automatically appears on the cardholder's desktop. The cardholder enters a password to verify his or her identity and the Visa card. The Issuer then confirms the cardholder's identity.

Visa Electron Card
A Visa International debit card that is currently accepted, but not issued, in the United States and can only be used for Card-Present transactions. Electron cards have slightly different security features than other Visa cards: the front of the card contains an Electron rather than dove hologram, and the 16-digit account number is printed, not embossed.

Visa Mark
A Visa logo or other corporate symbol used to identify or market Visa products and services.

VisaNet
The systems and services, including BASE II, through which Visa delivers authorization and transaction processing services to its Members.

VisaNet Access Point (VAP)
Visa equipment and software used to access the VisaNet system.

Voice Authorization
An authorization obtained by telephoning an authorization center.
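
The following is an added example, not part of the Visa guide: a small exception-report check built from the glossary's Unusual Activity and Even-Monetary Transaction entries. The 150 percent and 15-day figures come from the glossary; the record layout, the shape of the baseline, the 50 percent even-dollar threshold, and all sample data are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

# Thresholds from the glossary's "Unusual Activity" entry.
ACTIVITY_RATIO = Decimal("1.5")  # activity exceeding 150 percent of normal
MAX_LAG_DAYS = 15                # over 15 days between deposit and processing
# Assumption: the guide gives no figure for "a large number" of even-dollar sales.
EVEN_DOLLAR_SHARE = Decimal("0.5")


@dataclass(frozen=True)
class Txn:
    """One deposited transaction (hypothetical record layout)."""
    txn_id: str
    amount: Decimal
    deposit_date: date
    processing_date: date


@dataclass(frozen=True)
class Baseline:
    """Normal Weekly Activity parameters for one merchant (assumed shape)."""
    weekly_count: int
    weekly_amount: Decimal


def exception_report(baseline, week_txns):
    """Return (rule, detail) findings for one merchant's week of deposits."""
    findings = []
    count = len(week_txns)
    total = sum((t.amount for t in week_txns), Decimal("0"))

    # "Exceeds 150 percent" is read as strictly greater than 1.5 x normal.
    if count > baseline.weekly_count * ACTIVITY_RATIO:
        findings.append(("UNUSUAL_COUNT",
                         f"{count} txns vs normal {baseline.weekly_count}"))
    if total > baseline.weekly_amount * ACTIVITY_RATIO:
        findings.append(("UNUSUAL_AMOUNT",
                         f"{total} vs normal {baseline.weekly_amount}"))

    # Lag is measured in either direction, since the glossary does not say
    # which of the two dates comes first.
    for t in week_txns:
        lag = abs((t.processing_date - t.deposit_date).days)
        if lag > MAX_LAG_DAYS:
            findings.append(("LATE_PROCESSING", f"{t.txn_id}: {lag} days"))

    # Share of even-dollar amounts such as 10.00.
    if count:
        even = sum(1 for t in week_txns
                   if t.amount == t.amount.to_integral_value())
        if Decimal(even) / count > EVEN_DOLLAR_SHARE:
            findings.append(("EVEN_DOLLAR", f"{even} of {count} even-dollar"))
    return findings


# Constructed sample data: a merchant that normally deposits 40 sales
# totalling 2000.00 per week suddenly deposits 62, almost all even-dollar.
SAMPLE_BASELINE = Baseline(weekly_count=40, weekly_amount=Decimal("2000.00"))
SAMPLE_WEEK = [
    Txn(f"T{i:03d}", Decimal("50.00"), date(2003, 2, 3), date(2003, 2, 4))
    for i in range(61)
] + [Txn("T-LATE", Decimal("19.99"), date(2003, 2, 3), date(2003, 2, 23))]

if __name__ == "__main__":
    for rule, detail in exception_report(SAMPLE_BASELINE, SAMPLE_WEEK):
        print(rule, detail)
```
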


Appendix A
Sample Merchant Application
Sample Site Inspection Form

Visit your regional Visa OnLine Global Fraud Information Service to download soft copies.

Sample Merchant Application

MERCHANT BANK CARD SERVICES APPLICATION SAMPLE
PART I PARTIES AND SERVICES

ACQUIRER USE ONLY
MERCHANT # HIERARCHY ACQUIRER CODE MCC BATCH # ACCOUNT TYPE DATE INPUT BY VENDOR TYPE DATE PHONE SALES REPRESENTATIVE

MERCHANT INFORMATION
NAME OF CORPORATION OR PARTNERSHIP MAILING/BILLING ADDRESS MERCHANT DOING BUSINESS AS NAME LOCATION ADDRESS CITY, STATE, ZIP CITY, STATE, ZIP TELEPHONE # FAX # TELEPHONE # PRIMARY MERCHANT CONTACT YEARS IN BUSINESS HOW LONG AT THIS LOCATION TAX ID # # OF LOCATIONS
TYPE OF BUSINESS RETAIL RESTAURANT CONVENIENCE STORE MAIL ORDER INTERNET ORDER WHOLESALE LODGING CONVENIENCE STORE WITH GAS TELEPHONE ORDER OTHER
IF MAIL/TELEPHONE ORDER, WHAT PERCENTAGE % IF INTERNET ORDER, WHAT PERCENTAGE %
DESCRIBE THE MERCHANDISE SOLD OR SERVICE PROVIDED
CHECK METHOD OF ADVERTISING AND INCLUDE ANY MATERIALS YELLOW PAGES AD CATALOG DIRECT MAIL-LETTER/BROCHURE NEWSPAPER/MAGAZINE ADVERTISEMENT TELEPHONE/TELEMARKETING REFERRAL TELEVISION/RADIO
TYPE OF OWNERSHIP SOLE OWNERSHIP PARTNERSHIP JOINT VENTURE CORPORATION OTHER
EQUIPMENT TYPE: LEASE PURCHASE REPROGRAM COMMENT:

OWNERS OR OFFICERS
(1) NAME TITLE: SOCIAL SECURITY #: RESIDENCE ADDRESS CITY STATE FORMER ADDRESS CITY STATE DRIVER'S LICENSE # STATE HOME TELEPHONE
(2) NAME TITLE SOCIAL SECURITY # RESIDENCE ADDRESS CITY STATE FORMER ADDRESS CITY STATE DRIVER'S LICENSE # STATE: HOME TELEPHONE:
(PLEASE ATTACH LIST OF ADDITIONAL OFFICERS)

Notice: The information furnished herein by Visa U.S.A. is CONFIDENTIAL and PROPRIETARY and is distributed to Visa Members for their exclusive use in operating their Visa-sponsored programs, and shall not be duplicated, published, or disclosed in whole or in part, without the written permission of Visa U.S.A.

CREDIT INFORMATION
ANNUAL BANK CARD VOLUME $ AVERAGE TICKET $

MAIL, TELEPHONE, INTERNET ORDER SALES
(Complete if any portion of your sales are generated through mail/telephone/internet order.)
PERCENT OF ANNUAL VISA GENERATED THROUGH MAIL ORDER % TELEPHONE ORDER % POS TOTAL=100%
NUMBER OF DAYS TO PREPARE SHIPMENT FOR DELIVERY TO CUSTOMERS FROM DATE OF ORDER
PERCENT OF CUSTOMER ORDERS DELIVERED IN 0-7 DAYS % 8-14 DAYS % DAYS % MORE THAN 30 DAYS% =100%
VISA SALES ARE DEPOSITED (CHECK ONE) AT DATE OF SHIPMENT OTHER
NAME OF FULFILLMENT HOUSE DELIVERY TIME FRAME STREET ADDRESS CITY STATE ZIP
NAME OF SHIPPING SERVICE USED DELIVERY TIME FRAME STREET ADDRESS CITY STATE ZIP
HOW DO YOU ADVERTISE FOR YOUR MAIL/TELEPHONE ORDER SALES? (CHECK AS APPROPRIATE) CATALOG DIRECT MAIL-LETTER/BROCHURE TELEVISION & RADIO TELEPHONE/TELEMARKETING NEWSPAPER/MAGAZINE (SPECIFY NAMES)
NOTE: CURRENT COPIES OF THE ABOVE MATERIAL SHOULD BE ATTACHED.
IS AN INCENTIVE OFFERED TO PURCHASE THE SERVICE OR PRODUCT? YES NO TYPE OF INCENTIVE:

SALES DEPOSIT POLICY
ARE CONSUMERS REQUIRED TO PROVIDE A DEPOSIT? YES NO
IF YES, PERCENT REQUIRED %
IF YES, NUMBER OF WEEKS UNTIL COMPLETE DELIVERY OF PRODUCT/SERVICE:

REFUND POLICY
DO YOU HAVE A REFUND POLICY FOR YOUR VISA SALES? YES NO
CHECK THE APPLICABLE REFUND POLICY CASH EXCHANGE STORE CREDIT VISA CREDIT
IF A VISA CREDIT, WITHIN HOW MANY DAYS DO YOU DEPOSIT CREDIT TRANSACTIONS?
0-3 DAYS 4-7 DAYS 8-14 DAYS OVER 14 DAYS

BUSINESS CREDIT REFERENCES
(1) NAME PHONE ( ) ADDRESS CONTACT CITY/STATE/ZIP ACCOUNT NUMBER
(2) NAME PHONE ( ) ADDRESS CONTACT CITY/STATE/ZIP ACCOUNT NUMBER
(3) NAME PHONE ( ) ADDRESS CONTACT CITY/STATE/ZIP ACCOUNT NUMBER

IF MERCHANT HAS PREVIOUSLY ACCEPTED BANK CARDS, THE LAST 3 MONTHS MERCHANT STATEMENTS MUST BE PROVIDED
CURRENT PROCESSING BANK, IF APPLICABLE
BANK OR PROCESSOR NAME PHONE ( ) CITY/STATE/ZIP CONTACT
REASON FOR CHANGING BANK OR PROCESSOR MERCHANT ACCOUNT #
NAME OF MERCHANT'S PRINCIPAL BANK ACCOUNT # LENGTH OF TIME AT PRINCIPAL BANK PHONE ( ) CONTACT
HAVE ANY OF THE PRINCIPALS FILED FOR BANKRUPTCY? YES NO IF YES, NAME CHAPTER FILED DATE COUNTY/STATE
HAVE PRINCIPALS EVER MANAGED OR OWNED ANOTHER BUSINESS THAT ACCEPTED BANK CARDS? YES NO IF YES, PROVIDE BUSINESS NAME CITY/STATE

Sample Site Inspection Form

3RD PARTY SITE INSPECTION FORM SAMPLE

CLIENT: CONTACT: ADDRESS:

MERCHANT SITE INFORMATION
BUSINESS: MERCHANT: ADDRESS: PHONE: PHONE:
OWN LEASE LANDLORD PHONE:
NUMBER OF EMPLOYEES: PERSON INTERVIEWED:

LOCATION
SQUARE FOOTAGE:
SHOPPING MALL:
STRIP MALL:
OFFICE BUILDING:
PRIVATE HOME:
OTHER:
TYPE OF BUSINESS:
OTHER BUSINESSES AT THIS LOCATION:

BUSINESS HOURS
SUNDAY: TO
MONDAY: TO
TUESDAY: TO
WEDNESDAY: TO
THURSDAY: TO
FRIDAY: TO
SATURDAY: TO

RELATED BUSINESS LOCATIONS: YES NO
IF YES, AND MORE THAN ONE ADDITIONAL LOCATIONS, PLEASE LIST ON PAGE 2 OF THIS DOCUMENT.
SPECIAL INSTRUCTIONS:
BUSINESS NAME: ADDRESS: CITY: STATE, ZIP:

YES NO
IS INVENTORY CONSISTENT WITH TYPE OF BUSINESS?
IS INVENTORY SUFFICIENT FOR TYPE OF BUSINESS?
CURRENTLY OPERATING (IF NOT, EXPLAIN IN COMMENTS)
APPEARS LEGITIMATE?
BANK CARD DECALS VISIBLE
ANY SPECIAL PHONE SYSTEM REQUIRED FOR TERMINAL
ARE GOODS AND SERVICES DELIVERED AT THE TIME OF SALE?
IS BUSINESS OPEN AND OPERATING?
IF YES, LENGTH OF TIME OPEN?
IF NO, ESTIMATED OPEN DATE?
ANY MAIL, TELEPHONE, OR INTERNET ORDER SALES ACTIVITY?
IF YES, WHAT PERCENTAGE IS MAIL AND TELEPHONE? %
IF YES, WHAT PERCENTAGE IS INTERNET? %
PLEASE LIST ADDITIONAL RELATED BUSINESS LOCATIONS:
DATE: DATE:

3RD PARTY SITE INSPECTION FORM SAMPLE

BUSINESS NAME: ADDRESS: CITY: STATE, ZIP: COMMENTS:
BUSINESS NAME: ADDRESS: CITY: STATE, ZIP: COMMENTS:
BUSINESS NAME: ADDRESS: CITY: STATE, ZIP: COMMENTS:
BUSINESS NAME: ADDRESS: CITY: STATE, ZIP: COMMENTS:

COMMENTS:
ONE INTERIOR AND ONE EXTERIOR PHOTO WAS TAKEN AND SENT TO CLIENT LISTED ABOVE (DATE):
I VERIFY ALL THE ABOVE INFORMATION TO BE FACTUAL:
REP'S NAME REP'S SIGNATURE DATE COMPLETED

Appendix B
Sample Merchant Training Program PowerPoint slides and Presentation Notes

Visit your regional Visa OnLine Global Fraud Information Service to download soft copies.

Slide 1 Introduction to Merchant Fraud Awareness Seminar

Good morning/afternoon, and welcome to [name of your institution]'s Merchant Fraud Awareness Workshop. My name is ________. [Provide a brief description of your roles and responsibilities at your institution.] We appreciate the time you've taken from your busy schedules to join us. Today we're going to show you how to avoid becoming victims of credit card fraud. With fraud losses increasing, we need to step up our fraud reduction efforts. The truth is, you are our most valuable resource in doing so.

Slide 2 Agenda

The training you will receive today is short, simple, and to the point. Over the next 30 minutes we're going to:
- Give you an idea of the size of the fraud problem, and how much of the fraud can actually be prevented by you, the merchants, at the point of sale.
- We'll review the proper card acceptance procedures to follow in each and every transaction, focusing on card security features that will help you spot and prevent fraud; it only takes a few seconds.
- We'll also talk about what to do if you are suspicious or uncomfortable at any point during a transaction.
- Finally, we'll provide educational materials you can share with your staff or coworkers.

Please feel free to ask any questions along the way.

Slide 3
Fraud Losses in 2002

Worldwide fraud losses in 2002 for Visa only were $1.62 billion (US$). This number doesn't even take into account fraud losses on the other credit cards. If you include MasterCard, AMEX and Discover losses, the number is in the billions. So you can see it's a big problem.

On average, one-third of all fraud losses are absorbed by merchants through the chargeback process. When you add the back-office expenses linked with fraud, such as copy requests and the handling of chargebacks, it is easy to see that the cost of fraud to your store is significant, much more than you would think.

Slide 4
Fraud Losses by Type

When we analyze retail losses by type of fraud, we see that 34% comes from lost and stolen cards, and 32% from counterfeit cards. Both these types of fraud can be prevented at the point of sale.

- Fraud from lost and stolen cards can be prevented most of the time simply by comparing signatures. I'm sure everyone can tell us of a time when their card was swiped and immediately returned to them.
- And counterfeit card fraud can be prevented by checking card security features.

The bottom line? You have the opportunity to prevent up to 66% of fraud right at the point of sale. It's really a matter of putting your fraud-fighting resources to good use.

Speaker's Note: The "other" category includes fraudulent applications, account takeover, cards stolen from the mail, mail order/telephone order, and Internet fraud.

Slide 5
Fraud Fighting Resources

We have two very sound fraud-fighting resources: Technology and People.

From a technology perspective, authorization terminals have proven to be very effective in obtaining authorizations quickly and easily. But as helpful as the terminals have been in preventing fraud, there are limitations to their benefits. A terminal can tell you whether a cardholder has the balance available to make a purchase, and whether their account has been blocked by the Issuer.

A terminal cannot tell you:

- Whether the card security features are irregular or missing.
- Whether the signatures match.
- And terminals won't ever notice a customer acting suspicious.

That's where you come in. The problem is, we've come to rely more on technology than on people to fight fraud. Criminals know this. In fact, they're taking advantage of our reliance on these terminals.

The reality is, you are the first line of defense against fraud. You can stop fraud on cards that are not yet blocked in the authorization system. Everyone who accepts cards from customers can make a tremendous difference in fighting fraud by following proper acceptance procedures and examining card security features.

By taking four simple steps in each and every transaction, you can help reduce fraud. Let's discuss those steps one by one.

Slide 6
Card Acceptance Procedures
Step 1: Hold the Card

Step 1 is to hold the card. When your customer hands you a Visa card, it's important that you hold the card throughout the entire transaction. Do not automatically return the card to the customer after you insert or swipe it; you'll need it for steps 2, 3, and 4.

Slide 7
Step 2: Review Security Features

Step 2 is to review the card's security features. Every card has several built-in security features. Let's review them one at a time.

Slide 8
Step 2: Review Security Features
Four-digit printed number

First, match the numbers. All Visa cards have a printed four-digit number below the embossed account number. This number should exactly match the card's first four embossed numbers. Also, all Visa cards should begin with a 4.

If the printed number is missing or does not match the first four embossed numbers, do not complete the transaction. You're going to make what's known as a CODE 10 call, which we'll talk about in a moment.

Speaker's Note: MasterCards begin with a 5. American Express Cards begin with a 3. Discover Cards begin with a

Slide 9
Step 2: Review Security Features
Embossing

Next, look carefully at the card's embossing. All embossed numbers and letters should be clear and evenly spaced. If they're crooked, or appear to have been flattened and re-embossed, the card may be fraudulent.

Also, make sure the last group of embossed numbers extends into the hologram. If the card has been tampered with, it's usually easiest to spot here.

Slide 10
Step 2: Review Security Features
Security character

Next, look for an embossed security character, to the right of the expiration date. Visa's security character is a stylized V, called a "flying V" because it's italicized. Many counterfeit cards don't have a security character, or it appears in a different font. The Flying V is different from a typewriter V.

If the security character is missing or not italicized, you should make a CODE 10 call.

Slide 11
Step 2: Review Security Features
Hologram

Next, check out the hologram. Visa's hologram is an image of a dove that appears three-dimensional when tilted back and forth. If the hologram looks one-dimensional or non-photographic, it may be a fake foil sticker. To find out, run your fingernail across the edges of the hologram. If it catches, like the edge of a sticker would, the hologram may be fraudulent.

Except for the embossed characters, credit cards are smooth. You should not be able to peel off the pre-printed numbers or the hologram.

Slide 12
Step 2: Review Security Features
Signature panel

Flip the card over to review the final security feature: the signature panel. The signature panels should always have the word "Visa" repeated at an angle in blue and gold lettering. Some Visa cards, but not all, will also have the account number indent-printed on the panel, followed by a three-digit code.

First, check for tampering.

- Check for white tape or whiteout applied over the signature panel. The signature panel should appear smooth and you shouldn't be able to peel it away.
- Check for writing over another name with a felt-tip pen.

With Visa cards, any attempt to erase a signature will cause damage to the panel and the word "void" will appear.

Slide 13
Step 2: Review Security Features
Make sure the card is signed

Last and perhaps most important, make sure the card is signed. Remember, a Visa card is not valid unless it is signed by the cardholder. Unfortunately there are some cardholders who think an unsigned card, or one with "check ID" written in the signature panel, is more secure. This is not true; it just allows the thieves to sign their own name or use a fake ID with any signature.

If an unsigned card is presented to you:

- Advise the customer that the card must be signed.
- Have the customer sign the card in your presence and provide a current, valid government ID that has been signed (such as a passport or driver's license).
- Compare the signature on the ID to that on the card.

If the customer refuses to sign the card, do not complete the transaction. If it turns out to be fraudulent, your store could be liable for it.

Slide 14
Step 2: Review Security Features
Visa Electron Difference

Before we move on to Step 3, let's take a quick look at the Visa Electron card features. Visa Electron is issued in different parts of the world as a consumer debit, credit, or prepaid card, with or without chip, although it is usually issued as a debit product. The Visa Electron card can be used for payment at more than 12 million electronic merchants around the world, on the Internet, and for cash withdrawals at more than 600,000 ATMs.

As you can see here, however, the Visa Electron card's security features and acceptance procedures are slightly different than the Visa flag card.

- The Visa Electron card is almost always unembossed, and the account number is laser-engraved or indent-printed.
- The cardholder name and expiration date may not be displayed if the card was instantly issued at a bank branch.
- The dove hologram and ultraviolet dove are optional.
- The words "Electronic Use Only" must be printed on the front of the card.
- The signature panel may be on the front or back.

That's it for Step 2. Now let's talk about Step 3.

Slide 15
Step 3: Obtain Authorization

Step 3 is to obtain authorization. To obtain an authorization for a transaction over the floor limit, all you need to do is insert the chip card into a reader or just swipe the card through your POS terminal.

Some terminals will prompt you to key in the last four digits of the Visa account number. This is an additional security check to confirm that the embossed number on the front of the card matches the encoded account number on the chip or magnetic stripe. If these numbers do not match, you'll get a "no match" response and the terminal will not proceed with the authorization request. You should make a CODE 10 call.

If your terminal does not have this automatic read-and-compare feature, proceed with the printing of the sales draft. Then compare the last four digits of the account number printed on the sales draft to the last four embossed numbers on the card itself, before you give the customer the draft to sign. If the customer name prints on the draft you should also compare it to the embossed name. If the numbers do not match, you should make a CODE 10 call.

If the transaction is declined, do not attempt to get authorization for a smaller dollar amount. Return the card to the customer and ask for another card.

Speaker's Note: Preference must be given to the processing of a chip card before attempting to swipe the magnetic stripe.

Slide 16
Step 3: Obtain Authorization
Key-entered transactions

Let's talk for a moment about key-entered transactions. Every once in a while, a terminal can't read a card because the chip or the magnetic stripe isn't functioning. In this situation, you need to key-enter the card's account number into the terminal to obtain authorization.

One of the easiest ways criminals can avoid counterfeits being detected by the terminal is by simply disabling the chip or magnetic stripe. If a card's chip or magnetic stripe cannot be read by your terminal:

- Pay special attention to the card security features we discussed earlier.
- Imprint the card on a sales draft using a standard printer, as evidence that a card was present for the transaction.

Just because you have to key-enter a card number doesn't necessarily mean that a crook is attempting to use a fraudulent card. It could mean that a legitimate customer accidentally de-magnetized the stripe, or your terminal may in fact not be functioning and may be in need of repair or cleaning. If there are too many key-entered transactions, be sure to let your manager know; he or she should check the terminal to ensure it is operating correctly.

Speaker's Note: Electron card transactions must be authorized electronically. Key-entered authorizations are not allowed.
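The terminal-side read-and-compare check from Slide 15, with the unreadable-stripe fallback and the Electron restriction from Slide 16, as an added example that is not part of the Visa guide. It assumes the terminal exposes the stripe as an ISO/IEC 7813 Track 2 string and handles Visa-branded cards only; the function name, the outcome names and the sample track data (built on a widely published test number) are hypothetical.

```python
import re
from enum import Enum

# ISO/IEC 7813 Track 2: start sentinel ';', account number, '=',
# expiry (YYMM), service code, discretionary data, end sentinel '?'.
TRACK2 = re.compile(r";([0-9]{12,19})=([0-9]{4})([0-9]{3})([0-9]*)\?")
LAST4 = re.compile(r"[0-9]{4}")

# Constructed sample, not a real card.
SAMPLE_TRACK2 = ";4111111111111111=30121010000000000?"


class Outcome(Enum):
    PROCEED = "send the authorization request"
    NO_MATCH = "do not authorize; make a CODE 10 call"
    KEY_ENTER = "key-enter the number and imprint the card"
    ELECTRONIC_ONLY = "Electron cannot be key-entered; ask for another card"


def read_and_compare(track2, keyed_last4, electron=False):
    """Compare the clerk-keyed last four digits with the encoded number.

    Returns (Outcome, reason). The reason never includes the account
    number, so it can be written to a terminal log as-is.
    """
    keyed = keyed_last4.strip()
    if not LAST4.fullmatch(keyed):
        raise ValueError("keyed value must be exactly four digits")

    match = TRACK2.fullmatch(track2.strip()) if track2 else None
    if match is None:
        # Stripe missing, damaged or deliberately disabled: nothing to
        # compare against, so the security-feature review carries the check.
        if electron:
            return Outcome.ELECTRONIC_ONLY, "stripe unreadable on Electron card"
        return Outcome.KEY_ENTER, "stripe unreadable"

    encoded = match.group(1)
    if not encoded.startswith("4"):
        # The guide states that all Visa account numbers begin with 4.
        return Outcome.NO_MATCH, "encoded number does not begin with 4"
    if encoded[-4:] != keyed:
        # Embossed digits and encoded digits disagree: the typical sign of
        # a re-encoded stripe on an otherwise genuine-looking card.
        return Outcome.NO_MATCH, "keyed last four differ from encoded number"
    return Outcome.PROCEED, "keyed last four match encoded number"


if __name__ == "__main__":
    for keyed in ("1111", "4242"):
        outcome, reason = read_and_compare(SAMPLE_TRACK2, keyed)
        print(keyed, outcome.name, "-", reason)
    print(read_and_compare(";41111?", "1111")[0].name)
    print(read_and_compare("", "1111", electron=True)[0].name)
```
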

Slide 17
Step 4: Compare Signatures

Step 4 is compare signatures. Have the cardholder sign the draft, and then compare the signature on the back of the card to the signature on the draft.

If you have any questions about the validity of the signatures:

- Continue to hold the card and ask the customer to sign again.
- If you are still not satisfied, ask for identification or make a CODE 10 call.

Who can tell me what to do if the card presented is not signed?

Speaker's Note: See Speaker's Notes for Slide 13.

Now let's talk about CODE 10.

Slide 18
Code 10

So what if something doesn't feel right? You think you have an altered card or a tampered signature panel, for example. Remember, a terminal can't detect a problem with one of the security features, nor can it detect whether the cardholder is acting suspicious. Trust your instincts. If you're suspicious of the card or customer, follow these procedures carefully:

- If you can, immediately and confidentially inform your manager of the situation without letting go of the card.
- Then call the authorization center and, in a normal tone of voice, ask for a Code 10 authorization. By doing so, you put the center on alert without letting the customer know you are suspicious.
- If you are able to speak freely, tell the operator what you are suspicious about. Otherwise, the operator will ask you a series of "yes" or "no" questions about the transaction, so be sure to have the card and sales draft in your hand. You should also know your merchant number.

When placing a CODE 10 call, always remember your safety comes first. If you're asked to pick up the card and you feel you may be in danger, just decline the transaction and return the card to the customer.

If you are unable to make a CODE 10 call at the time of the transaction, do so as soon after the transaction as possible. The important part is that you make the card issuer aware of the situation. The issuer can investigate and block the account from further use if need be.

Speaker's Note: About 50 percent of Code 10 calls result in approvals. The other 50 percent are determined by the Issuer to be fraudulent, so half the time, you are stopping fraud.

Slide 19
Summary of Acceptance Procedures

Let's recap the four steps:

1. Hold the card throughout the transaction. You cannot complete the rest of the steps if you return the card too soon.
2. Check the card's security features.
   - Printed number: Do the four printed numbers match the first four embossed numbers?
   - Embossing: Is the embossing clear and straight? (Or, is Electron printing clear and straight?)
   - Security character: Does the card have the stylized "flying V" to the right of the expiration date?
   - The Hologram: Is the hologram legitimate? (Or, is the Electron symbol legitimate?)
   - Signature Panel: Has the signature panel been tampered with? Is the word VISA repeated at an angle? (Or, is the Electron pattern in panel?)
3. Obtain Authorization.
4. Compare Signatures. (Remember, you must still be holding the card in order to compare signatures!)

If you're suspicious, make a CODE 10 call.

Any questions?

Slide 20
What's wrong with this card?

The signature panel is blank; the word "Visa" should appear in the signature panel at an angle.

Slide 21
What's wrong with this card?

There is no Flying V.

Slide 22
What's wrong with this card?

The last four digits of the account number are not in the hologram.

Slide 23
What's wrong with this card?

Pre-printed and embossed numbers do not match.

Slide 24
A Winning Combination

To sum up what we've discussed today:

- We've established that fraud is a multi-billion dollar problem.
- We've pointed out that 66% of fraud can be prevented at the point of sale, and it takes a winning combination of technology and people to do it.

With your help, criminals will stop getting away with fraud, and that's a win-win situation.

We appreciate your concern and your time. We hope today's session has been helpful. Any questions?

Speaker's Notes: You can anticipate a number of questions from merchants attending your workshop.

Appendix C
Sample Merchant Letters

- Notification: Manually-Keyed Transaction
- Warning: Fraudulent Sales Transaction Draft
- Warning: Fraudulent Sales Deposit
- Cancellation of Merchant Agreement

Visit your regional Visa OnLine Global Fraud Information Service to download soft copies.

Notification: Manually-Keyed Transaction

Date
Business Name
Street Address
City, State/Province
Postal Code

RE:

Dear Manager/Owner,

To ensure payment for all transactions, please adhere to the procedure outlined below to manually-key transactions on your point-of-sale (POS) terminal:

1. Swipe all Visa card transactions through your POS terminal.
2. If the Visa card fails to swipe and the transaction must be keyed manually, get an imprint of the Visa card and attach it to the signed POS terminal receipt.
3. Mark VOID across the sales draft. This will assure your customers that they will not be double billed.
4. When you receive a draft retrieval request, make sure to provide copies of both the imprinted sales draft and the POS draft with the signature.

Any future cardholder dispute that arises from a manually-keyed transaction that is not supported by an imprinted sales draft will result in a debit posting to your current account.

Should you require an imprinter, do not hesitate to call our Merchant Operation Support Unit. They will arrange for one to be sent to you.

If you have any questions or concerns, please call ____.

Yours truly,

Warning: Fraudulent Sales Transaction Draft

Date
Business Name
Street Address
City, State/Province
Postal Code

RE: VISA
Amount $
Date of Trans: / /

Dear ____:

A recent investigation has revealed that fraudulent Visa sales draft(s) have been deposited by your business totaling $____.

Since this situation is of mutual concern, we feel we must take necessary corrective action. While it is our commitment to work with you to resolve this matter, you should be aware that suspension or cancellation of your Visa Merchant Agreement may result if this activity continues.

There are some proactive measures that you can initiate to prevent future problems and we would welcome discussing them with you at your earliest convenience. Please contact me at ____ for more information on what you can do to prevent fraud.

Yours truly,

Warning: Fraudulent Sales Deposit

Date
Business Name
Street Address
City, State/Province
Postal Code

RE: Merchant

Dear ____:

Through our merchant monitoring reports, we have determined that you are depositing sales drafts drawn on your own credit card. We enclose the supporting documentation.

This practice is in violation of our Merchant Member Agreement and must stop immediately. You should be aware that suspension or cancellation of your Visa merchant membership may result if this practice continues.

Please feel free to contact me if you require any further information.

Yours truly,

Cancellation of Merchant Agreement

Date
Business Name
Street Address
City, State/Province
Postal Code

RE: VISA

Attention: Manager

Dear Sir/Madam:

This is to advise you that your Merchant Visa privileges have been cancelled under the terms of our Merchant Membership Agreement as of ____.

We are holding funds in the amount of $____ to cover any incoming chargebacks and merchant fees. Once we are assured that all financial obligations have been met, we will release the remaining funds to you.

Yours truly,

Appendix D
Visa Acquirer Risk Management Guide Evaluation

We hope this guide has provided you with the tools and information you need in the area of Acquirer risk management and loss prevention. Visa is seeking your input regarding your experience in using this guide. First-hand feedback helps us evaluate our Member education efforts and identify areas of improvement and opportunity.

Please fill out the evaluation form and fax to: Visa Acquirer Risk Management Guide Evaluation (650)

For each chapter, mark Agree or Disagree under "Content Clearly Presented" and under "Information of Value":

- Acquirer Strategy and Organization
- Merchant Underwriting
- Merchant Contracting and Setup
- Merchant Card Acceptance and Fraud Prevention
- Merchant Fraud and How to Recognize It
- Merchant Activity Monitoring and Follow-Up
- Account Information Security
- Personal Identification Number (PIN) Security
- Merchant Fraud Investigation
- Visa Risk Control Programs
- Management Information
- E-Commerce Merchant Fraud Management

Are there topics you would like to see added to this guide? Please explain.

What overall suggestions do you have to improve the guide?

Do you have any final comments?



More information

Visa services for the car rental industry Front desk procedures guide for car rental merchants. November 2008

Visa services for the car rental industry Front desk procedures guide for car rental merchants. November 2008 Visa services for the car rental industry Front desk procedures guide for car rental merchants November 2008 Table of contents Chapter 1: About this guide 3 Chapter 2: Accepting all Visa cards 4 Chapter

More information

Agent Registration. Program Guide. (For use in Asia Pacific, Central Europe, Middle East, Africa)

Agent Registration. Program Guide. (For use in Asia Pacific, Central Europe, Middle East, Africa) Agent Registration Program Guide (For use in Asia Pacific, Central Europe, Middle East, Africa) Version 1 April 2014 Contents 1 INTRODUCTION... 3 1.1 ABOUT THIS GUIDE... 3 1.2 WHO NEEDS TO BE REGISTERED?...

More information

New Account Reference Guide

New Account Reference Guide New Account Reference Guide Welcome to BBVA Compass Merchant Services Thank you for choosing BBVA Compass as your Merchant Services provider. BBVA Compass is dedicated to providing your business with the

More information

Cost-management strategies. Your guide to accepting card payments cost-effectively

Cost-management strategies. Your guide to accepting card payments cost-effectively Cost-management strategies Your guide to accepting card payments cost-effectively Table of Contents Guidance from Wells Fargo Merchant Services...3 The secret to better interchange rates...4 Why interchange

More information

Payment Card Acceptance Administrative Policy

Payment Card Acceptance Administrative Policy Administrative Procedure Approved By: Brandon Gilliland, Associate Vice President for Finance & Controller Effective Date: October 1, 2014 History: Approval Date: September 25, 2014 Revisions: Type: Administrative

More information

Actorcard Prepaid Visa Card Terms & Conditions

Actorcard Prepaid Visa Card Terms & Conditions Actorcard Prepaid Visa Card Terms & Conditions These Terms & Conditions apply to your Actorcard prepaid Visa debit card. Please read them carefully. In these Terms & Conditions: "Account" means the prepaid

More information

Credit Card Processing Glossary

Credit Card Processing Glossary Address Verification: A service provided through which the merchant verifies the Cardholder s address. Primarily used by Mail/Telephone order merchants. Not a guarantee that a transaction is valid. Agreement:

More information

Reloadable Visa Debit Card. These are your Reloadable Visa Debit Card Terms and Conditions.

Reloadable Visa Debit Card. These are your Reloadable Visa Debit Card Terms and Conditions. Reloadable Visa Debit Card These are your Reloadable Visa Debit Card Terms and Conditions. "Agreement" means these Visa Prepaid Card Terms and Conditions."We" "us" and "our" refer to Del Norte Credit Union.

More information

Acceptance to Minimize Fraud

Acceptance to Minimize Fraud Best Practices for Credit Card Acceptance to Minimize Fraud By implementing best practices in credit card processing, you decrease the likelihood of fraudulent transactions and chargebacks. In general,

More information

Glossary ACH Acquirer Assessments: AVS Authorization Back End: Backbilling Basis Point Batch

Glossary ACH Acquirer Assessments: AVS Authorization Back End: Backbilling Basis Point Batch Glossary ACH: Automated Clearing House; an electronic payment network most commonly associated with payroll direct deposit, recurring payments, and is the network most commonly used to settle merchant

More information

Visa Debit Card Agreement and Disclosures

Visa Debit Card Agreement and Disclosures www.starone.org Visa Debit Card Agreement and Disclosures 1. Definition of Parties 2. Agreement Acceptance 3. Sign Your Card 4. Account Access 5. Electronic Check Transactions 6. Illegal or Unlawful Transactions

More information

Samford University Purchasing Card (PCARD) Program Policy and Procedures May 1, 2016

Samford University Purchasing Card (PCARD) Program Policy and Procedures May 1, 2016 Samford University Purchasing Card (PCARD) Program Policy and Procedures May 1, 2016 1 Table of Contents I. Overview A. Introduction..3 B. Definitions.... 3 II. Card Issuance A. Cardholder Eligibility...4

More information

EMV EMV TABLE OF CONTENTS

EMV EMV TABLE OF CONTENTS 2 TABLE OF CONTENTS Intro... 2 Are You Ready?... 3 What Is?... 4 Why?... 5 What Does Mean To Your Business?... 6 Checklist... 8 3 U.S. Merchants 60% are expected to convert to -enabled devices by 2015.

More information

THE EVERGREEN STATE COLLEGE

THE EVERGREEN STATE COLLEGE The Evergreen State College Procurement Card Guide JP Morgan Chase VISA THE EVERGREEN STATE COLLEGE PROCUREMENT CARD HANDBOOK For Cardholders & Authorized Users Card Custodians Approving Officials Rev

More information

Visa Merchant Best Practice Guide for Cardholder Not Present Transactions

Visa Merchant Best Practice Guide for Cardholder Not Present Transactions Visa Merchant Best Practice Guide for Cardholder Not Present Transactions Table of Contents Section 1 About This Guide 03 Section 2 Merchant Procedures 05 Section 3 Authorisation 07 Authorisation Procedures

More information

Merchant Procedure Guide

Merchant Procedure Guide Merchant Procedure Guide Customer Service Phone 800-939-9942 Fax 707-578-7088 After Hours Help Desk 800-228-0210 Voice Authorization / Call Center 800-228-1122 Security/ Dispute Department Phone -- 800-385-6212

More information

Company-wide Credit Card Policy

Company-wide Credit Card Policy Company-wide Credit Card Policy Department: Corporate Finance Policy Number: CW-FIN-001-2008-11 Subject: Corporate Credit Cards Effective Date: 11/05/2008 Document Owner: Drew Hurt Title: Corporate Credit

More information

DEBIT CARD & ELECTRONIC FUNDS TRANSFER DISCLOSURE

DEBIT CARD & ELECTRONIC FUNDS TRANSFER DISCLOSURE DEBIT CARD & ELECTRONIC FUNDS TRANSFER DISCLOSURE The purpose of this Disclosure Statement is to make you aware of your rights and responsibilities when using our Debit Card and Electronic Funds Transfer

More information

Merchant Card Processing Best Practices

Merchant Card Processing Best Practices Merchant Card Processing Best Practices Background: The major credit card companies (VISA, MasterCard, Discover, and American Express) have published a uniform set of data security standards that ALL merchants

More information

Financial Services Regulatory Commission Antigua and Barbuda Division of Gaming Customer Due Diligence Guidelines for

Financial Services Regulatory Commission Antigua and Barbuda Division of Gaming Customer Due Diligence Guidelines for Division of Gaming Customer Due Diligence Guidelines for Interactive Gaming & Interactive Wagering Companies November 2005 Customer Due Diligence for Interactive Gaming & Interactive Wagering Companies

More information

Visa Credit Card Cardmember Agreement

Visa Credit Card Cardmember Agreement Visa Credit Card Cardmember Agreement In this Agreement the words You, Your and Yourself mean each and all of those who apply for the card or who sign this Agreement. Card means the Visa Credit Card and

More information

ELECTRONIC FUNDS TRANSFER AGREEMENT and DISCLOSURE - REG E

ELECTRONIC FUNDS TRANSFER AGREEMENT and DISCLOSURE - REG E First Source Federal Credit Union 4451 Commercial Drive New Hartford, NY 13413 (315) 735-8571 (800) 735-8571 ELECTRONIC FUNDS TRANSFER AGREEMENT and DISCLOSURE - REG E This Electronic Funds Transfer Agreement

More information

Updates on Credit Card Surcharging and Acceptance. Matt Fluegge, Ron Clifford, Scott Blakeley, Brad Boe June 14, 2016 9:00 am Session Number 25042

Updates on Credit Card Surcharging and Acceptance. Matt Fluegge, Ron Clifford, Scott Blakeley, Brad Boe June 14, 2016 9:00 am Session Number 25042 Updates on Credit Card Surcharging and Acceptance Matt Fluegge, Ron Clifford, Scott Blakeley, Brad Boe June 14, 2016 9:00 am Session Number 25042 Updates on Credit Card Surcharging and Acceptance June

More information

2015 Submission Requirements / Merchant Application

2015 Submission Requirements / Merchant Application 2015 Submission Requirements / Merchant Application Support Department: [email protected] Emai:Support@pdlmerchantsol utions.com 2015 CARD SUBMISSION REQUIREMENTS: Executed PDL Merchant

More information

Merchant Payment Card Processing Guidelines

Merchant Payment Card Processing Guidelines Merchant Payment Card Processing Guidelines The following is intended to provide guidance that departments or units can use to help develop specific procedures for their department or unit. If you have

More information

April 12, 2004. To: Verified by Visa Merchants Verified by Visa Acquirers Verified by Visa Merchant Service Providers

April 12, 2004. To: Verified by Visa Merchants Verified by Visa Acquirers Verified by Visa Merchant Service Providers April 12, 2004 To: Verified by Visa Merchants Verified by Visa Acquirers Verified by Visa Merchant Service Providers The year 2003 was an active one for the Verified by Visa program, and 2004 promises

More information

Chargeback Reason Code List - U.S.

Chargeback Reason Code List - U.S. AL Airline Transaction Dispute AP Automatic Payment AW Altered Amount CA Cash Advance Dispute CD Credit Posted as Card Sale CR Cancelled Reservation This chargeback occurs because of a dispute on an Airline

More information

Online Payment Processing Definitions From Credit Research Foundation (http://www.crfonline.org/)

Online Payment Processing Definitions From Credit Research Foundation (http://www.crfonline.org/) Online Payment Processing Definitions From Credit Research Foundation (http://www.crfonline.org/) The following glossary represents definitions for commonly-used terms in online payment processing. Address

More information

credit card Conditions of Use

credit card Conditions of Use VISA credit card Conditions of Use EFFECTIVE FROM 20 MARCH 2013 a refreshing attitude to banking QUEENSLAND COUNTRY CREDIT UNION VISA CREDIT CARD 1 Contents 1. Introduction 3 2. Additional Cards 3 3. Application

More information

Visa E-Commerce Merchant Guide to Risk Management. Tools and Best Practices for Building a Secure Internet Business

Visa E-Commerce Merchant Guide to Risk Management. Tools and Best Practices for Building a Secure Internet Business Visa E-Commerce Merchant Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business Table of Contents About This Guide...1 Section 1: Understanding the Basics...3 What Every

More information

USDA: Handling Fraud and Disputes. Deanna Hanson CPS Fraud Support Analyst

USDA: Handling Fraud and Disputes. Deanna Hanson CPS Fraud Support Analyst USDA: Handling Fraud and Disputes Deanna Hanson CPS Fraud Support Analyst Agenda What is fraud? Fraud trends Fraud case lifecycle Fraud and dispute process Tips to prevent fraud 2 Fraud Overview and Trends

More information

Retrieval & Chargeback Best Practices

Retrieval & Chargeback Best Practices Retrieval & Chargeback Best Practices A Merchant User s Guide to Help Manage Disputes Version Three November, 2010 www.firstdata.com THIS PAGE INTENTIONALLY LEFT BLANK. Developed by: First Data Payment

More information

Dartmouth College Merchant Credit Card Policy for Managers and Supervisors

Dartmouth College Merchant Credit Card Policy for Managers and Supervisors Dartmouth College Merchant Credit Card Policy for Managers and Supervisors Mission Statement Dartmouth College requires all departments that process, store or transmit credit card data remain in compliance

More information

Purchasing Card Program

Purchasing Card Program Purchasing Card Program User Guidelines University of North Alabama Procurement Department Created: March 2008 / Updated 7/16/2015 University of North Alabama Purchasing Card Program 1 Table of Contents

More information

Clark Brands Payment Methods Manual. First Data Locations

Clark Brands Payment Methods Manual. First Data Locations Clark Brands Payment Methods Manual First Data Locations Table of Contents Introduction... 3 Valid Card Types... 3 Authorization Numbers, Merchant ID Numbers and Request for Copy Fax Numbers... 4 Other

More information

Arlington Community Federal Credit Union P.O. Box 40070 Arlington, VA 22204-7070 (703) 526-0200

Arlington Community Federal Credit Union P.O. Box 40070 Arlington, VA 22204-7070 (703) 526-0200 Arlington Community Federal Credit Union P.O. Box 40070 Arlington, VA 22204-7070 (703) 526-0200 ELECTRONIC FUNDS TRANSFER AGREEMENT and DISCLOSURE - REG E This Electronic Funds Transfer Agreement and Disclosure

More information

MERCHANT SERVICES, LEASING AND OPERATING AGREEMENT. ( Blackboard ). In this Agreement, the words; BbOne Card means a stored-value account

MERCHANT SERVICES, LEASING AND OPERATING AGREEMENT. ( Blackboard ). In this Agreement, the words; BbOne Card means a stored-value account MERCHANT SERVICES, LEASING AND OPERATING AGREEMENT This Agreement is between the Business set forth on the first page ( Business ) and Blackboard Inc., having offices at 650 Massachusetts Ave, N.W., 6th

More information

How To Control Credit Card And Debit Card Payments In Wisconsin

How To Control Credit Card And Debit Card Payments In Wisconsin BACKGROUND State of Wisconsin agencies accepted more than 6 million credit/debit card payments annually through the following payment channels: Point of Sale (State agency location) Point of Sale (Retail-agent

More information

HELPcard Merchant Operating Guide (Rev. Date 12/01/2013)

HELPcard Merchant Operating Guide (Rev. Date 12/01/2013) HELPcard Merchant Operating Guide (Rev. Date 12/01/2013) 1. Definitions. Capitalized terms used in this Merchant Operating Guide have the meanings assigned to them by the HELPcard Merchant Agreement between

More information

Purchasing Card Policy and Procedure Manual

Purchasing Card Policy and Procedure Manual Policy and Procedure Manual Table of contents 1. Introduction 3 2. Reason for Policies and Procedures...3 3. Who Needs to Know the Policies and procedures.3 4. Definitions..3 5. Contact Information...4

More information

BinBase.com REPORT: credit card fraud

BinBase.com REPORT: credit card fraud BinBase.com REPORT: credit card fraud Whether you are a security specialist, an e-commerce web developer, or an online merchant, a knowledge of how credit card fraud works and what you can do to prevent

More information

Online Payment Processing What You Need to Know. PayPal Business Guide

Online Payment Processing What You Need to Know. PayPal Business Guide Online Payment Processing What You Need to Know PayPal Business Guide PayPal Business Guide Online Payment Processing 2006 PayPal, Inc. All rights reserved. PayPal, Payflow, and the PayPal logo are registered

More information

ELECTRONIC FUNDS TRANSFER SERVICES PROVIDED

ELECTRONIC FUNDS TRANSFER SERVICES PROVIDED 411 McMurray Road Bethel Park, PA 15102 Phone: (412) 409-2265 ELECTRONIC FUNDS TRANSFERS-REGULATION E YOUR RIGHTS AND RESPONSIBILITIES For purposes of this disclosure the terms "we", "us" and "our" refer

More information

Table of Contents. 2 TouchSuite Welcome Kit

Table of Contents. 2 TouchSuite Welcome Kit Welcome Kit Table of Contents Important Account Information... Welcome to TouchSuite Merchant Services... Help Desk Card Enclosed... Your Merchant ID (MID)... 3 3 3 3 Customer Support Numbers... 4 Card

More information

POLICY & PROCEDURE DOCUMENT NUMBER: 3.3101. DIVISION: Finance & Administration. TITLE: Policy & Procedures for Credit Card Merchants

POLICY & PROCEDURE DOCUMENT NUMBER: 3.3101. DIVISION: Finance & Administration. TITLE: Policy & Procedures for Credit Card Merchants POLICY & PROCEDURE DOCUMENT NUMBER: 3.3101 DIVISION: Finance & Administration TITLE: Policy & Procedures for Credit Card Merchants DATE: October 24, 2011 Authorized by: K. Ann Mead, VP for Finance & Administration

More information

Understanding and Preventing Chargebacks and Retrievals

Understanding and Preventing Chargebacks and Retrievals Understanding and Preventing Chargebacks and Retrievals Table of Contents Introduction... 2 The Purpose of This Guide.... 2 Retrieval Requests.. 3 What Is a Retrieval Request?... 3 Life Cycle of a Retrieval

More information

Card Acceptance Best Practices Playing it Safe at the Point of Sale

Card Acceptance Best Practices Playing it Safe at the Point of Sale White Paper Card Acceptance Best Practices Playing it Safe at the Point of Sale Fraudulent activity costs U.S. businesses billions. And that is just lost revenue. When you consider the associated damage

More information

Payment Processor Relationships Revised Guidance

Payment Processor Relationships Revised Guidance Federal Deposit Insurance Corporation 550 17th Street NW, Washington, D.C. 20429-9990 Payment Processor Relationships Revised Guidance Financial Institution Letter FIL-3-2012 January 31, 2012 Summary:

More information

About Your Gift Card

About Your Gift Card About Your Gift Card Valley National Bank Visa Gift Card Terms and Conditions This Agreement sets forth the Terms and Conditions (collectively, the Terms ) applicable to the Valley National Bank Visa Gift

More information

PURCHASE CARD POLICIES AND PROCEDURES MANUAL

PURCHASE CARD POLICIES AND PROCEDURES MANUAL PURCHASE CARD POLICIES AND PROCEDURES MANUAL Effective July 1, 2010 Alma College Purchase Card Policies and Procedures Manual 1.0 INTRODUCTION Alma College has established a Purchase Card (PCARD) Program

More information

PROTECT YOUR BUSINESS FROM LOSSES WHILE ACCEPTING CREDIT CARDS

PROTECT YOUR BUSINESS FROM LOSSES WHILE ACCEPTING CREDIT CARDS PROTECT YOUR BUSINESS FROM LOSSES WHILE ACCEPTING CREDIT CARDS TABLE OF CONTENTS Introduction...1 Preventing Fraud in a Card-Present Environment...2 How to Reduce Chargebacks in a Card-Present Environment...4

More information

FIRST FINANCIAL BANK, N.A. DEBIT CARD AGREEMENT EFFECTIVE AUGUST 1, 2013 ATM/VISA CHECK CARD TERMS AND CONDITIONS

FIRST FINANCIAL BANK, N.A. DEBIT CARD AGREEMENT EFFECTIVE AUGUST 1, 2013 ATM/VISA CHECK CARD TERMS AND CONDITIONS DEBIT CARD AGREEMENT EFFECTIVE AUGUST 1, 2013 IMPORTANT INFORMATION ABOUT PROCEDURES FOR OPENING A NEW ACCOUNT The USA PATRIOT Act has paved the way for financial institutions to help fight the funding

More information

CREDIT CARD PROCESSING POLICY AND PROCEDURES

CREDIT CARD PROCESSING POLICY AND PROCEDURES CREDIT CARD PROCESSING POLICY AND PROCEDURES Note: For purposes of this document, debit cards are treated the same as credit cards. Any reference to credit cards includes credit and debit card transactions.

More information

Sample Financial institution Risk Management Policy 2011

Sample Financial institution Risk Management Policy 2011 Sample Financial institution Risk Management Policy 2011 1 Contents Risk Management Program...2 Internal Control and Risk Management Diagram... 2 General Control Environment... 2 Specific Internal Control

More information

Credit Cards CARD TRANSACTIONS AND YOU. Credit Cards. A consumer education programme by:

Credit Cards CARD TRANSACTIONS AND YOU. Credit Cards. A consumer education programme by: Credit Cards CARD TRANSACTIONS AND YOU Credit Cards A consumer education programme by: CONTENTS 1 Introduction 2 What is a credit card and how it works Applying for a credit card 3 Application process

More information

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures 1. Introduction 1.1. Purpose and Background 1.2. Central Coordinator Contact 1.3. Payment Card Industry Data Security Standards (PCI-DSS) High Level Overview 2. PCI-DSS Guidelines - Division of Responsibilities

More information