Security in connection with card payments
Non-face-to-face transactions (e-commerce/mail and telephone order)
Most people are honest, luckily

Every year, millions of transactions are carried out with payment cards, and fortunately most of them go well. But in situations where the merchant and the customer do not meet, it can be tempting for a fraudster to pay with stolen card details. You cannot always be sure that the card belongs to the person using it, and it is not possible for Teller to verify the customer. It is therefore extremely important that you and your employees are alert when you receive card payments, because you can do a lot to reduce the risk of fraud.

You can avoid many cases of fraud by following the recommendations in this document. Make sure that your employees have been clearly informed of what can be done to reduce the risk of fraud, and what must be done if you suspect an attempt at fraud.

How fraud happens

Criminals may have stolen the card details (card number, expiry date and CVC/CVV) from a cardholder: the criminal may have seen the card, or tricked the cardholder into disclosing the details, e.g. by e-mail or through a fraudulent website (phishing). The criminals then use the card details to shop online. When cards are stolen, the card details can be used in e-commerce and for mail and telephone orders before the card is blocked.

Which cards can you accept?

You can accept the following cards in e-commerce and for mail and telephone orders:
- Dankort, including Visa/Dankort (merchants located in Denmark and transactions in DKK only)
- MasterCard
- Visa
- Visa Electron (if the issuer permits it)
- JCB
- American Express (merchants located in Denmark and transactions in DKK only)

The following cards can also be used in e-commerce:
- edankort (merchants located in Denmark and transactions in DKK only)
- Maestro (in combination with MasterCard SecureCode)

See the business procedures for more information.

Your responsibility for non-face-to-face transactions

You must use payment software which has been tested and approved by Teller.
Your website must, as a minimum, meet the requirements on information etc. set out in the general rules and business procedures.

The cardholder has the option to dispute the transaction if, for example, the product has not been delivered. You must therefore ensure that you have documentation showing that the customer has received the product. If you are unable to provide such documentation, Teller may charge the amount back from your account.

It is your responsibility to implement the security measures described in this document. The more monitoring parameters/security checks you use, the better your chances of avoiding fraud.

What you should be aware of

Check the customer's information

Request a telephone number which you can compare with the delivery address. If a different delivery address is used, check that the telephone number provided matches the payment address and not the delivery address.

A c/o delivery address makes any follow-up more difficult. You should therefore always request additional information. Where there is insufficient information for an order, you should always contact the customer to obtain more details.

Beware of orders from senders with a free e-mail address, as you cannot trace the sender. In this case, ask for the customer's private e-mail address.

Avoid all forms of customer anonymity. The more anonymity, the greater the risk of fraud! Use your common sense: if it sounds too good to be true, it often is. Reject the sale if you are in doubt.

Pay attention to the customer's behaviour

- Is it a very large order?
- Is it a very expensive item?
- Is the same product being ordered several times?
- Are the products being ordered at night?
- Has express delivery been ordered regardless of the cost?
- Is the same customer ordering many items within a relatively short time frame?
- Is the customer requesting that the payment be divided between several card numbers? (This is not allowed and often indicates fraud.)
- Are the letters Æ, Ø and Å omitted from names/delivery addresses in Denmark?
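The customer-information and behaviour checks above, together with the IP-location comparison described in the next section, can be applied automatically before an order is accepted. The Python example below is added here as an illustration and is not Teller's software or any payment solution provider's product. The order fields, the free-mail domain list (FREE_MAIL_DOMAINS), the IP-to-country table (IP_COUNTRY_TABLE, which stands in for a whois/geolocation lookup), the night-time window, the large-order threshold and the "reject at three flags" rule in decide() are all assumptions; the two sample orders are constructed.

```python
"""Rule-based screening of a card-not-present order.

Added example, not Teller's software: it turns the warning signs listed above
(customer information, ordering behaviour and the IP location check) into
flags on an order record. The free-mail domain list, the IP-to-country table,
the night-time window and the 'reject at three flags' rule are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed: webmail domains whose senders cannot be traced.
FREE_MAIL_DOMAINS = {"gmail.com", "hotmail.com", "yahoo.com", "outlook.com"}

# Constructed stand-in for a whois/geolocation lookup; documentation ranges only.
IP_COUNTRY_TABLE = {
    ip_network("192.0.2.0/24"): "DK",
    ip_network("198.51.100.0/24"): "GH",
}

DANISH_LETTERS = set("æøå")
TRANSLITERATIONS = ("ae", "oe", "aa")   # ASCII substitutes that replace æ, ø, å


@dataclass
class Order:
    amount_dkk: float
    items: list                 # (sku, quantity) pairs
    customer_name: str
    email: str
    phone_country: str          # country the telephone number belongs to
    billing_country: str        # country of the payment (cardholder) address
    delivery_country: str
    delivery_address: str
    express: bool
    card_count: int             # card numbers the buyer wants to split payment across
    client_ip: str
    placed_at: datetime


def ip_country(ip: str):
    """Country of the client IP according to the constructed table; None if unknown."""
    addr = ip_address(ip)
    for net, country in IP_COUNTRY_TABLE.items():
        if addr in net:
            return country
    return None


def screen_order(order: Order, large_order_dkk: float = 10_000.0) -> list:
    """Return the warning signs the order triggers (empty list = nothing seen)."""
    flags = []
    if order.card_count > 1:
        flags.append("split_payment")              # not allowed, usually fraud
    if order.amount_dkk >= large_order_dkk:
        flags.append("large_order")
    if any(qty > 1 for _sku, qty in order.items):
        flags.append("repeat_item")
    if order.placed_at.hour < 6:                   # assumed night window 00:00-05:59
        flags.append("night_order")
    if order.express:
        flags.append("express_delivery")
    if order.email.rsplit("@", 1)[-1].lower() in FREE_MAIL_DOMAINS:
        flags.append("free_mail")
    if "c/o" in order.delivery_address.lower():
        flags.append("co_address")
    if order.phone_country != order.billing_country:
        flags.append("phone_not_billing")          # phone must match the payment address
    text = (order.customer_name + " " + order.delivery_address).lower()
    if (order.delivery_country == "DK" and not (set(text) & DANISH_LETTERS)
            and any(t in text for t in TRANSLITERATIONS)):
        flags.append("danish_letters_omitted")
    country = ip_country(order.client_ip)
    if country is None:
        flags.append("ip_unknown")
    elif country != order.delivery_country:
        flags.append("ip_country_mismatch")
    return flags


def decide(flags: list) -> str:
    """Split payment is rejected outright; otherwise escalate with the number of flags."""
    if "split_payment" in flags or len(flags) >= 3:
        return "reject"
    return "review" if flags else "accept"


# Constructed sample orders (documentation IP ranges, fictitious names).
LEGIT_ORDER = Order(899.0, [("BOOK-1", 1)], "Søren Møller", "soren@example.dk",
                    "DK", "DK", "DK", "Nørregade 4, 8000 Aarhus", False, 1,
                    "192.0.2.10", datetime(2012, 1, 10, 14, 30))
SUSPICIOUS_ORDER = Order(14_999.0, [("PHONE-X", 3)], "Soeren Moeller",
                         "soeren.moeller@gmail.com", "GH", "DK", "DK",
                         "c/o Noerregade 4, 8000 Aarhus", True, 1,
                         "198.51.100.7", datetime(2012, 1, 10, 3, 12))

if __name__ == "__main__":
    for o in (LEGIT_ORDER, SUSPICIOUS_ORDER):
        f = screen_order(o)
        print(o.customer_name, decide(f), f)
```

A "review" outcome is the point at which you contact the customer, as recommended above; the flags are evidence to weigh, not a verdict, and a real deployment would tune the thresholds against its own order history.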
Check the IP address being used

If you cannot find the IP address, contact your payment solution provider. You can check the geographical location of an IP address on the internet (e.g. at www.db.ripe.net/whois). When checking IP addresses you should consider the following:
- Does the geographical location of the IP address match that of the delivery address?
- Do the IP addresses used match? (For example, an increasing number of orders from different customers with almost identical IP addresses.)

Bear in mind that an IP address only shows where the connection enters the internet; a fraudster abroad can use a proxy to appear local, so treat a matching location as supporting evidence rather than proof.

We recommend that you block IP addresses connected to fraud (contact your payment solution provider for more details on blocking IP addresses).

Sales in Denmark

What can you do yourself to minimise the risk of payment card fraud in Denmark? The delivery of products to countries abroad is not the only risk scenario you need to consider. It is also important that you check deliveries within Denmark that you suspect are related to card fraud.

In connection with domestic fraud, it is not uncommon for individuals to be employed to receive and forward packages. In most of these cases the individuals act in good faith and have no idea that they have been employed by a bogus firm set up with card fraud in mind. This is why the customers in such situations will also confirm that they want the product delivered. We therefore recommend that you contact the customer and ask the following questions when you suspect card fraud in Denmark:
- Did the customer place the order themselves?
- Was the order made with the customer's own card?
- Does the customer have to forward the package?
- Has the customer been employed to receive/forward packages?

Sales abroad

Payment card fraud in e-commerce is a global issue. You should be particularly careful when sending goods to high-risk countries. There is no fixed definition of the term "high-risk countries", as fraud patterns change all the time. Therefore, you should check whether the orders seem realistic.
For example, mobile phones sent from Denmark to Ghana or bicycles sent to Singapore do not seem realistic!

Rejected authorisations

Where technically possible, you should have information on all authorisation requests, including those that have been rejected. This information contributes to your overall picture of the customer's behaviour. An approved payment preceded by several declined authorisation requests is usually a sign of attempted fraud. Your payment solution can be set up to limit how many transactions/declined authorisation requests are permitted on an individual card number within a certain period.

PCI DSS (Payment Card Industry Data Security Standard)

You must ensure that your payment solution provider complies with the PCI Data Security Standard, which was developed by the international card companies (Visa, MasterCard, American Express, JCB and Discover). Teller is naturally also part of this, which means that Dankort is also covered. The PCI DSS focuses on compliance with the six points below. Find out more at www.teller.com/pcidss.
- Have a secure network
- Protect card data
- Address vulnerabilities using fixed procedures
- Implement strong access control
- Regularly monitor and test your network
- Maintain a security policy

You must be able to produce evidence that you are fulfilling the requirements of the PCI DSS.

MasterCard SecureCode, Verified by Visa and J/Secure (3-D Secure)

If you decide to apply the security standard developed by MasterCard, Visa and JCB when accepting payment cards in e-commerce (incl. Maestro), you must ensure that the payment solution you are using supports the standard. The advantage of using 3-D Secure is that, in addition to providing the card number, expiry date and CVC/CVV, the cardholder must identify him/herself with a password that he/she has chosen. The card issuer automatically checks that the password and card match. When you comply with this security standard you significantly reduce your financial risk. It is important to note, however, that this does not exempt you from further checks of the customer and the order.
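Two of the checks above work on the merchant's own history rather than on a single order: the comparison of IP addresses across orders ("Check the IP address being used") and the detection of an approval preceded by several declines, with a limit on attempts per card ("Rejected authorisations"). The Python example below is added here to show both over a constructed authorisation log; it is not Teller's or a payment gateway's code. The event fields, the one-hour and 24-hour windows, the attempt limit, the /24 grouping of "almost identical" addresses and the card tokens are assumptions, and cards are identified by a provider token rather than the card number.

```python
"""Pattern checks over the merchant's own authorisation history.

Added example (not Teller's or a PSP's code) for two checks in the text: the
IP-address comparison under "Check the IP address", and "Rejected
authorisations". The event log is constructed; window sizes, attempt limit
and the /24 grouping are assumptions. Cards are identified by a PSP token,
never by the PAN itself.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_network


@dataclass
class AuthEvent:
    at: datetime
    card_token: str
    customer_id: str
    ip: str
    approved: bool


def suspicious_approvals(events, window=timedelta(hours=1), max_declines=2):
    """Approvals preceded by more than max_declines declines on the same card within window."""
    by_card = defaultdict(list)
    for e in sorted(events, key=lambda e: e.at):
        by_card[e.card_token].append(e)
    hits = []
    for token, evs in by_card.items():
        for i, e in enumerate(evs):
            if not e.approved:
                continue
            declines = sum(1 for p in evs[:i] if not p.approved and e.at - p.at <= window)
            if declines > max_declines:
                hits.append((token, e.at, declines))
    return hits


def attempt_allowed(events, card_token, now, window=timedelta(hours=24), max_attempts=3):
    """Per-card limit: refuse a new request once max_attempts have been made within window."""
    recent = [e for e in events if e.card_token == card_token and now - e.at <= window]
    return len(recent) < max_attempts


def ip_clusters(events, prefix_len=24, min_customers=3):
    """Groups of distinct customers ordering from almost identical IPs (same /prefix_len block)."""
    customers = defaultdict(set)
    for e in events:
        block = ip_network(f"{e.ip}/{prefix_len}", strict=False)
        customers[str(block)].add(e.customer_id)
    return {block: sorted(c) for block, c in customers.items() if len(c) >= min_customers}


T0 = datetime(2012, 1, 10, 9, 0)
SAMPLE_EVENTS = [  # constructed log; documentation IP ranges
    AuthEvent(T0, "tok-A", "cust-1", "192.0.2.10", False),
    AuthEvent(T0 + timedelta(minutes=2), "tok-A", "cust-1", "192.0.2.10", False),
    AuthEvent(T0 + timedelta(minutes=4), "tok-A", "cust-1", "192.0.2.10", False),
    AuthEvent(T0 + timedelta(minutes=6), "tok-A", "cust-1", "192.0.2.10", True),
    AuthEvent(T0 + timedelta(minutes=30), "tok-B", "cust-2", "198.51.100.5", True),
    AuthEvent(T0 + timedelta(minutes=35), "tok-C", "cust-3", "198.51.100.9", True),
    AuthEvent(T0 + timedelta(minutes=40), "tok-D", "cust-4", "198.51.100.77", True),
    AuthEvent(T0 + timedelta(hours=3), "tok-E", "cust-5", "203.0.113.8", True),
]

if __name__ == "__main__":
    print(suspicious_approvals(SAMPLE_EVENTS))
    print(ip_clusters(SAMPLE_EVENTS))
    print(attempt_allowed(SAMPLE_EVENTS, "tok-A", T0 + timedelta(minutes=7)))
```

On the constructed log, the approval on tok-A after three declines in six minutes is reported, a fourth attempt on that card within the day is refused by attempt_allowed, and the three different customers ordering from the 198.51.100.0/24 block are grouped for manual review. The declined requests themselves must come from the payment solution, which is why the text asks you to keep them where technically possible.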
Remember that even though you are using 3-D Secure, you must be able to provide documentation for the transaction showing that the customer has received the product. Contact your payment service provider if your payment solution does not support 3-D Secure.

CVC/CVV

When you accept a payment card in e-commerce or for mail or telephone orders, the CVC/CVV must be included in the transaction. This means that when making a card payment in e-commerce, the cardholder must provide the payment card's CVC/CVV in addition to the card number and expiry date. The CVC/CVV is three digits, usually the last three in a sequence printed on the back of the payment card (American Express cards have four digits on the front).

Remember that it is not permitted to store or otherwise save the CVC/CVV once the payment transaction has been completed. It is your responsibility to ensure that this does not happen. With mail and telephone orders you must, for instance, ensure that the CVC/CVV is destroyed or deleted once the payment transaction is complete.

Merchant risk related to non-face-to-face transactions

When conducting non-face-to-face transactions, you bear the risk of card fraud. In other words, if the actual cardholder solemnly declares that he/she did not carry out the transaction, the whole amount, including a dispute fee (see the general rules and price list), will be charged back from your merchant account. You must therefore always take the security measures described here in order to reduce your risk of loss. It is not enough to obtain an authorisation on the card. However, the use of 3-D Secure significantly reduces your risk of disputes due to card fraud in e-commerce.

You bear the risk if the product is damaged, stolen, etc. before it is delivered to the customer, regardless of whether you or a different company is in charge of the freight. The product must not be left in a garage, delivered to the neighbours, etc., unless this has been agreed with the customer.
The general rule is that the customer has a 14-day right of return, and he/she can refuse to receive or pick up the ordered product. You must then refund the customer immediately and no later than 30 days after receipt of the returned product.

Just as in face-to-face transactions, there is a limited payment guarantee for Dankort and Visa/Dankort transactions. For more information, see General Rules for Dankort, clause 5. The payment guarantee does not apply in the case of third-party fraud. Additionally, a payment guarantee has been defined for edankort, see below.

Authorisation of international payment cards

For cards covered by the merchant agreement for international cards, an approval response to an authorisation request means that the card is valid and that the amount stated in the authorisation request will be reserved on it. To avoid problems for the cardholder if, for instance, you cannot deliver the product, it is very important that you do not authorise and reserve the same amount several times. An authorisation code does not mean that the correct cardholder is using the card. You must therefore always take the security measures described in this document.

If you are unable to deliver the products ordered by the cardholder within seven days of the order, or if you doubt that you will be able to deliver, you must not send an authorisation request to Teller for the whole order amount. You can instead send an authorisation request for e.g. DKK 1.00 to make sure that the card has not been blocked, and then authorise the full amount when you are ready to deliver the product. You can also divide the delivery into several part deliveries; in that case you simply send an authorisation request for the relevant amount with each part delivery. If you have already requested an authorisation and received an approval response but are unable to deliver anyway, or the customer cancels his/her order, you must cancel the authorisation immediately.
This also applies if you are using MasterCard SecureCode, Verified by Visa and J/Secure. In that case you must keep the authentication response until you are ready to carry out the authorisation. The requirements set by Teller for payment service providers/payment gateways cover the functions described above. However, it is your responsibility to ensure that your provider handles your transactions correctly.
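The authorisation rules above (never reserve the same amount twice, a DKK 1.00 check instead of a full authorisation when delivery is more than seven days away, one authorisation per part delivery, immediate cancellation when the order cannot be fulfilled) form a small state machine on the merchant side. The Python example below is added here to show that state machine; it is not Teller's code and not any gateway's API. FakeAcquirer stands in for the real acquirer/payment gateway and every method on it (authorise, cancel, capture) is an assumption of the example; MerchantPayments, the order identifiers, dates and amounts are likewise constructed.

```python
"""Authorisation lifecycle for a non-face-to-face order.

Added example, not Teller's or any PSP's code, illustrating the rules under
"Authorisation of international payment cards" and the Dankort status-check
note that the CVC/CVV accompanies only the first request. FakeAcquirer is a
stand-in for the real acquirer/gateway interface and every method on it is
an assumption; amounts are in DKK.
"""
import itertools
from dataclasses import dataclass
from datetime import date, timedelta
from decimal import Decimal

VERIFICATION_AMOUNT = Decimal("1.00")   # request that only confirms the card is not blocked
MAX_AUTH_LEAD_DAYS = 7                  # full amount only if delivery happens within this many days


@dataclass
class Authorisation:
    auth_id: str
    order_id: str
    amount: Decimal
    open: bool = True                   # True while the amount is still reserved on the card


class FakeAcquirer:
    """Assumed acquirer interface: authorise reserves, cancel releases, capture settles."""

    def __init__(self):
        self._ids = itertools.count(1)
        self.reserved = Decimal("0")    # total currently reserved on cardholders' cards
        self.auths = {}

    def authorise(self, order_id, amount, cvc=None):
        auth = Authorisation(f"auth-{next(self._ids)}", order_id, Decimal(amount))
        self.auths[auth.auth_id] = auth
        self.reserved += auth.amount
        return auth

    def cancel(self, auth_id):
        auth = self.auths[auth_id]
        if auth.open:
            auth.open = False
            self.reserved -= auth.amount

    def capture(self, auth_id):
        auth = self.auths[auth_id]
        assert auth.open, "cannot capture a cancelled or settled authorisation"
        auth.open = False
        self.reserved -= auth.amount
        return auth.amount


class MerchantPayments:
    def __init__(self, acquirer):
        self.acq = acquirer
        self.open_by_order = {}         # order_id -> the single open Authorisation

    def authorise_for_order(self, order_id, total, today, ready_on, cvc):
        """Full authorisation only if deliverable within MAX_AUTH_LEAD_DAYS, else DKK 1.00."""
        if order_id in self.open_by_order:
            raise ValueError("order already has an open authorisation; never reserve twice")
        deliverable = ready_on - today <= timedelta(days=MAX_AUTH_LEAD_DAYS)
        amount = Decimal(total) if deliverable else VERIFICATION_AMOUNT
        auth = self.acq.authorise(order_id, amount, cvc=cvc)   # CVC goes with the first request only
        self.open_by_order[order_id] = auth
        return auth

    def ship(self, order_id, amount):
        """Settle exactly the amount shipped now; works for full or part deliveries."""
        amount = Decimal(amount)
        open_auth = self.open_by_order.pop(order_id, None)
        if open_auth is not None and open_auth.amount == amount:
            return self.acq.capture(open_auth.auth_id)
        if open_auth is not None:
            self.acq.cancel(open_auth.auth_id)       # release the DKK 1.00 (or mismatched) reservation
        auth = self.acq.authorise(order_id, amount)  # no CVC: it was deleted after the first request
        return self.acq.capture(auth.auth_id)

    def cancel_order(self, order_id):
        """Customer cancelled or delivery impossible: release the reservation immediately."""
        auth = self.open_by_order.pop(order_id, None)
        if auth is not None:
            self.acq.cancel(auth.auth_id)


TODAY = date(2012, 1, 10)

if __name__ == "__main__":
    acq = FakeAcquirer()
    m = MerchantPayments(acq)
    m.authorise_for_order("o2", "3200.00", TODAY, TODAY + timedelta(days=21), cvc="456")
    print("reserved after backorder:", acq.reserved)          # 1.00
    print("captured for part 1:", m.ship("o2", "1200.00"))    # 1200.00
    print("reserved after part 1:", acq.reserved)             # 0.00
```

The acquirer's reserved total is the cardholder's point of view: with this flow it never exceeds what is about to be shipped, a second authorisation for an order that already has one is refused, and a cancelled order leaves nothing reserved. If your gateway supports partial capture, the cancel-and-reauthorise step in ship() can be replaced by capturing part of the existing authorisation; that is a gateway feature, not something the text requires.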
Status check for Dankort

When you receive payments with Dankort, you must ensure that the system performs a status check of the card, including card number, expiry date and CVC/CVV. Naturally, if you receive a decline response, you must not complete the transaction. An approval response means that the card has not been blocked; however, you must still take the security measures described in this document. Remember that the CVC/CVV must never be stored, and that you must delete CVC/CVV numbers received with a cardholder's order once the card payment has been checked. With late deliveries, part deliveries and subscriptions, the CVC/CVV is sent only with the first status check. For more information, see the Dankort Business Procedures.

Status check for edankort

When the customer is using edankort, the customer and the payment transaction are approved in the cardholder's online banking system. This means you do not risk any disputes about third-party fraud and that you have a payment guarantee of DKK 4,000 for an edankort transaction. With edankort you have 31 calendar days to deliver the product and forward the payment transaction to Teller. Remember that you must be able to provide documentation of the order showing that the customer has received the product.
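The CVC/CVV rule stated twice above (in the CVC/CVV section and in the Dankort status check) is easiest to enforce at the point where payment data is written to a database or log. The Python example below is added here as an illustration and is not Teller's code or any payment solution's: the security code lives only on the in-flight request object, is cleared once the status check or authorisation has been made, and the record that may be stored carries no CVC and only a masked card number. The CardPayment fields, the field-name pattern in CVC_FIELD, the persist() boundary and the sample card data are all constructed for the example.

```python
"""Keeping the CVC/CVV out of storage.

Added example (not Teller's code) for the CVC/CVV rules and the Dankort
status-check note: the security code lives on the in-flight request only,
is cleared once the status check/authorisation has been made, and the
record that reaches the database or log carries no CVC and only a masked
card number (first six and last four digits). The sample card data is
constructed.
"""
import json
import re
from dataclasses import dataclass, asdict
from typing import Optional


@dataclass
class CardPayment:
    pan: str
    expiry: str                 # MM/YY
    cvc: Optional[str]          # only while the status check/authorisation is in flight
    amount_dkk: str
    order_id: str


def mask_pan(pan: str) -> str:
    """First six and last four digits kept, the rest replaced; never store the full PAN."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def for_storage(payment: CardPayment) -> dict:
    """The only form of the payment that may be written to the order database or a log."""
    record = asdict(payment)
    del record["cvc"]
    record["pan"] = mask_pan(payment.pan)
    return record


# Field names under which a security code tends to leak into serialised records (assumed list).
CVC_FIELD = re.compile(r'"(cvc|cvv|cvc2|cvv2|cid|security_code)"\s*:\s*"?\d{3,4}', re.IGNORECASE)


def contains_cvc(serialised: str) -> bool:
    """Guard at the logging/persistence boundary: True if a CVC-like field is present."""
    return CVC_FIELD.search(serialised) is not None


def after_status_check(payment: CardPayment) -> CardPayment:
    """Once the status check/authorisation is done the CVC is deleted; later part
    deliveries or subscription charges are sent without it."""
    payment.cvc = None
    return payment


def persist(payment: CardPayment, sink: list) -> str:
    """Serialise the storable record and refuse it if a CVC somehow slipped through."""
    line = json.dumps(for_storage(payment))
    if contains_cvc(line):
        raise ValueError("refusing to store a record containing a CVC/CVV")
    sink.append(line)
    return line


SAMPLE_PAYMENT = CardPayment(pan="4571 1234 5678 9012", expiry="12/14", cvc="123",
                             amount_dkk="899.00", order_id="o1")   # constructed

if __name__ == "__main__":
    store = []
    print(persist(SAMPLE_PAYMENT, store))
    print(contains_cvc(json.dumps(asdict(SAMPLE_PAYMENT))))   # the raw object would be refused
```

Routing every write through for_storage() is what makes the rule checkable: the stored record has no field in which a CVC could survive, and contains_cvc() catches the common mistake of logging the raw request object. The same masked form is what you can show in order screens and e-mails without storing the full card number.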
TEL049 01.12 Bohemian.dk
Teller A/S, Lautrupbjerg 10, P.O. 500, DK-2750 Ballerup
Customer Service: +45 44 89 24 80
Telefax: +45 44 86 09 30
CVR no.: 27226086
www.teller.com/dk