Security in connection with card payments. Non-face-to-face transactions (e-commerce/mail and telephone order)

Most people are honest, luckily

Every year, millions of transactions are carried out with payment cards and fortunately most of them go well. But in situations where the merchant and the customer do not meet, it can be tempting for a fraudster to use stolen card details to pay with. You cannot always be sure that the card belongs to the person using it, and it is not possible for PBS to verify the customer. Therefore, it is extremely important that you and your employees are alert when you receive card payments, because you can do a lot to reduce the risk of fraud. You can avoid many situations of fraud by following the recommendations in this document. Make sure that your employees have been clearly informed of what can be done to reduce the risk of fraud, and what must be done if you suspect any attempts at fraud.

How fraud happens

Criminals may have stolen the card details (card number, expiry date and CVC/CVV) from a cardholder; the criminal may have seen the card or tricked the cardholder into disclosing the information, e.g. by e-mail or fraudulent websites using phishing. The criminals then use the card details to shop online. When cards are stolen, the card details can be used in e-commerce and for mail and telephone orders before the card is blocked.

Which cards can you accept?

You can accept the following cards in e-commerce and for mail and telephone orders:
- Dankort, including Visa/Dankort (merchants located in Denmark and transactions in DKK only)
- MasterCard
- Visa
- Visa Electron (if the issuer permits it)
- JCB
- American Express (merchants located in Denmark and transactions in DKK only)

The following cards can also be used in e-commerce:
- edankort (merchants located in Denmark and transactions in DKK only)
- Maestro (in combination with MasterCard SecureCode)

See the business procedures for more information.

Your responsibility for non-face-to-face transactions

You must use payment software which has been tested and approved by PBS. Your web site must as a minimum meet the requirements indicated in the general rules and business procedures with regard to information etc. The cardholder has the option to dispute the transaction if, for example, the product has not been delivered. Therefore, you must ensure you have documentation stating that the customer has received the product. If you are unable to provide such documentation, PBS may charge back the amount from your account. It is your responsibility to implement the security measures described in this document. The more monitoring parameters/security checks you use, the better your chances of avoiding fraud.

What you should be aware of

Check the customer's information

Request a telephone number which you can compare with the delivery address. If a different delivery address is used, check that the telephone number provided matches the payment address and not the delivery address. A c/o delivery address makes any follow-up more difficult. You should therefore always request additional information. Where there is insufficient information for an order, you should always contact the customer to obtain more details.

Beware of orders from senders with a free e-mail address, as you cannot trace the sender. In this case ask for the customer's private e-mail address. Avoid all forms of customer anonymity. The more anonymity, the greater the risk of fraud! Use your common sense: if it sounds all too good to be true, it often is. Reject the sale if you are in doubt.

Sales abroad

Payment card fraud in e-commerce is a global issue. You should be particularly careful when sending goods to high-risk countries. There is no fixed definition of the term high-risk countries, as fraud patterns change all the time. Therefore, you should check whether the orders seem realistic. For example, mobile phones sent from Denmark to Ghana or bicycles sent to Singapore do not really seem realistic!

Pay attention to the customer's behaviour

- Is it a very large order?
- Is it a very expensive item?
- Is the same product being ordered several times?
- Are the products being ordered at night?
- Has express delivery been ordered regardless of the cost?
- Is the same customer ordering many items within a relatively short time frame?
- Is the customer requesting that the payment be divided between several card numbers? (This is not allowed and often means that it is a case of fraud.)

Rejected authorisations

Where technically possible, you should have information on all authorisation requests, including those that have been rejected. The information contributes to your overall perception of the customers' behaviour. An approved payment preceded by several declined authorisation requests is usually a sign of attempted fraud. Your payment solution can be set up to limit how many transactions/declined authorisation requests are permitted on an individual card number within a certain period.

Check the IP address being used

If you cannot find the IP address, contact your payment solution provider. You can check the geographical location of IP addresses on the internet (e.g. at www.db.ripe.net/whois). When checking IP addresses you should consider the following:
- Does the geographical location of the IP address match that of the delivery address?
- Do the IP addresses used match? (For example, an increasing number of orders from different customers with almost identical IP addresses.)

We recommend that you block IP addresses connected to fraud (contact your payment solution provider for more details on blocking IP addresses).

PCI DSS (Payment Card Industry Data Security Standard)

You must ensure that your payment solution provider complies with the PCI Data Security Standard, which was developed by the international card companies (Visa, MasterCard, American Express, JCB and Discover). PBS is naturally also part of this, which means that Dankort is also covered. The PCI DSS focuses on complying with the six points below. Find out more at www.pbs.dk
- Have a secure network
- Protect card data
- Address vulnerabilities using fixed procedures
- Implement strong access control
- Regularly monitor and test your network
- Maintain a security policy

You must be able to produce evidence that you are fulfilling the requirements of the PCI DSS.
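The checks described above (customer information, sales abroad, customer behaviour, rejected authorisations and IP address) can be combined into one screening step in the merchant's own order system, so that an order is held for manual review before goods are dispatched. The following Python is an added example written for this page; it is not PBS code or any payment solution provider's API. The thresholds, the free e-mail domain list, the sample orders and the IP addresses (taken from documentation ranges) are constructed for illustration, and the order schema is a hypothetical one.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime
from typing import List

# Constructed reference data and thresholds for illustration only; a merchant would
# maintain its own lists and tune the limits to its own order history.
FREE_MAIL_DOMAINS = {"hotmail.com", "gmail.com", "yahoo.com"}
LARGE_ORDER_DKK = 5000.0
MAX_DECLINES_BEFORE_APPROVAL = 2   # more declined auths than this before an approval
MAX_ORDERS_PER_CARD_24H = 3        # velocity limit per card number
NIGHT_ENDS_HOUR = 6                # orders placed before 06:00 count as night orders


@dataclass
class Order:
    """The fields the guide asks a merchant to collect and compare (hypothetical schema)."""
    order_id: str
    amount_dkk: float
    email: str
    phone_country: str        # country the given telephone number belongs to
    billing_country: str      # country of the payment (cardholder) address
    delivery_country: str
    delivery_address: str
    ip: str
    ip_country: str           # from a WHOIS/geolocation lookup of the order IP
    placed_at: datetime
    express_delivery: bool
    card_numbers_requested: int          # cards the customer wants the payment split across
    declined_auths_before_approval: int  # declines seen on this card before the approval
    orders_same_card_24h: int            # earlier orders on the same card in the last 24 h


@dataclass
class Screening:
    order_id: str
    flags: List[str] = field(default_factory=list)

    @property
    def manual_review(self) -> bool:
        # Splitting across cards or a run of declines is enough on its own; otherwise
        # require two independent warning signs before holding the order.
        hard = {"split_payment", "declined_auths"}
        return bool(hard & set(self.flags)) or len(self.flags) >= 2


def orders_from_same_subnet(ip: str, recent_ips: List[str], prefix: int = 24) -> int:
    """Count recent orders whose IP falls in the same /24 as this order's IP."""
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return sum(1 for other in recent_ips if ipaddress.ip_address(other) in net)


def screen_order(order: Order, recent_ips: List[str]) -> Screening:
    """Apply the guide's checks and collect every warning sign that fires."""
    s = Screening(order.order_id)
    domain = order.email.rsplit("@", 1)[-1].lower()
    if domain in FREE_MAIL_DOMAINS:
        s.flags.append("free_email")                  # sender cannot be traced
    if "c/o" in order.delivery_address.lower():
        s.flags.append("co_address")                  # follow-up is harder
    if (order.delivery_country != order.billing_country
            and order.phone_country != order.billing_country):
        s.flags.append("phone_not_matching_billing")  # phone should match the payment address
    if order.ip_country != order.delivery_country:
        s.flags.append("ip_delivery_mismatch")
    if order.amount_dkk >= LARGE_ORDER_DKK:
        s.flags.append("large_order")
    if order.placed_at.hour < NIGHT_ENDS_HOUR:
        s.flags.append("night_order")
    if order.express_delivery and order.amount_dkk >= LARGE_ORDER_DKK:
        s.flags.append("express_high_value")
    if order.card_numbers_requested > 1:
        s.flags.append("split_payment")               # not allowed; usually fraud
    if order.declined_auths_before_approval > MAX_DECLINES_BEFORE_APPROVAL:
        s.flags.append("declined_auths")              # approval after several declines
    if order.orders_same_card_24h >= MAX_ORDERS_PER_CARD_24H:
        s.flags.append("velocity")
    if orders_from_same_subnet(order.ip, recent_ips) >= 3:
        s.flags.append("clustered_ips")               # many "customers", near-identical IPs
    return s


# Constructed sample data: a routine domestic order and the guide's own "mobile phone
# to Ghana" pattern. IP addresses are from documentation ranges.
RECENT_IPS = ["203.0.113.10", "203.0.113.20", "203.0.113.30", "198.51.100.5"]

ROUTINE_ORDER = Order("A-1001", 450.0, "anne@example.dk", "DK", "DK", "DK",
                      "Norregade 12, Copenhagen", "192.0.2.44", "DK",
                      datetime(2024, 3, 4, 14, 15), False, 1, 0, 0)

SUSPECT_ORDER = Order("A-1002", 8000.0, "buyer@hotmail.com", "GH", "DK", "GH",
                      "c/o Mensah, Accra", "203.0.113.77", "GH",
                      datetime(2024, 3, 4, 2, 30), True, 2, 3, 1)

if __name__ == "__main__":
    for o in (ROUTINE_ORDER, SUSPECT_ORDER):
        result = screen_order(o, RECENT_IPS)
        print(o.order_id, "review" if result.manual_review else "ok", result.flags)
```

The flags are deliberately kept separate from the decision so that the merchant can see which of the guide's checks fired and adjust the thresholds; only the split-payment and declined-authorisation signs are treated as sufficient on their own, matching the guide's wording that these usually indicate fraud.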

MasterCard SecureCode, Verified by Visa and J/Secure (3-D Secure)

If you decide to apply the security standard developed by MasterCard, Visa and JCB when receiving payment cards in e-commerce (incl. Maestro), you must ensure that the payment solution you are using supports the standard.

Remember it is not permitted to store or otherwise save the CVC/CVV number once the payment transaction has been completed. It is your responsibility to ensure that this does not happen. With mail and telephone orders you must, for instance, ensure that the CVC/CVV is destroyed or deleted once the payment transaction is complete.

The advantage of using 3-D Secure is that in addition to providing the card number, expiry date and CVC/CVV, the cardholder must identify him/herself by using a password which he/she chooses. The card issuer automatically checks that the password and card match. When you comply with this security standard you will significantly reduce your financial risks. It is important to note, however, that this does not exempt you from further checks of the customer and the order. Remember that although you are using 3-D Secure you must be able to provide documentation for the transaction stating that the customer has received the product. Contact your payment service provider if your payment solution does not support 3-D Secure.

Merchant risk related to non-face-to-face transactions

When conducting non-face-to-face transactions, you bear the risk of card fraud. In other words, if the actual cardholder solemnly declares that he/she did not carry out the transaction, the whole amount including a dispute fee (find out more in the general rules and price list) will be charged back from your merchant account. Therefore you must always take the security measures described here in order to reduce your risk of loss. It is not enough to get an authorisation on the card. However, the use of 3-D Secure significantly reduces your risk of disputes due to card fraud in e-commerce.

You bear the risk if the product is damaged, stolen, etc. before it is delivered to the customer, regardless of whether you or a different company is in charge of the freight. The product must not be left in a garage, delivered to the neighbours, etc., unless this has been agreed with the customer.

CVC/CVV

When you accept a payment card in e-commerce or for mail or telephone orders, the CVC/CVV must be included in the transaction. This means that when making a card payment in e-commerce, the cardholder must provide the payment card's CVC/CVV in addition to the card number and expiry date. The CVC/CVV is three digits, usually the last three in a sequence printed on the back of the payment card (however, four digits on the front of American Express cards).

The general rule is that the customer has a 14-day right of return, and he/she can refuse to receive or pick up the ordered product. You must then refund the customer immediately and no later than 30 days after receipt of the returned product. Just like in face-to-face transactions, there is a limited payment guarantee for Dankort and Visa/Dankort transactions. For more information, see General Rules for Dankort, clause 5. The payment guarantee does not apply in the case of third party fraud. Additionally, a payment guarantee has been defined for edankort, see below.

Authorisation of international payment cards

For cards covered by the merchant agreement for international cards, an approval response to an authorisation request means that the card is valid and that it will be reserved for the amount stated in the authorisation request. In order to avoid problems for the cardholder, if for instance you cannot deliver the product, it is very important that you ensure you do not authorise and reserve the same amount several times. An authorisation code does not mean the correct cardholder is using the card. Therefore you must always take the security measures we have described in this document.

If you are unable to deliver the products ordered by the cardholder within seven days of the order, or if you doubt you will be able to deliver, you must not send an authorisation request to PBS International for the whole order amount. You can choose to send an authorisation request of e.g. DKK 1.00 to make sure that the card has not been blocked. You can then authorise when you are ready to deliver the product. You can also divide the delivery into several part deliveries. This means you must simply send an authorisation request for the relevant amount with each part delivery. If you have already requested an authorisation and received an approval response but are unable to deliver anyway, or the customer cancels his/her order, you must cancel the authorisation immediately.

This also applies if you are using MasterCard SecureCode, Verified by Visa and J/Secure. You must then keep the authentication response until you are ready to carry out authorisation. The requirements set by PBS for payment service providers/payment gateways fulfil the functions described above. However, it is your responsibility that your provider handles your transactions correctly.

Status check for Dankort

When you receive payments with Dankort, you must ensure that the system performs a status check of the card, including card number, expiry date and CVC/CVV number. Naturally, if you receive a decline response, you must not complete the transaction. An approval response means that the card has not been blocked; however, you must still take the security measures we have described in this document. Remember that CVC/CVV must never be stored and that you must delete CVC/CVV numbers received with a cardholder's order once the card payment has been checked. With late deliveries, part deliveries and subscriptions, CVC/CVV will only be sent with the first status check. For more information, see the Dankort Business Procedures, chapter 4.

Status check for edankort

When the customer is using edankort, the customer and payment transaction will be approved in the cardholder's online banking system. This means you will not risk any disputes about third party fraud and that you have a payment guarantee of DKK 4,000 for an edankort transaction. With edankort you have 31 calendar days to deliver the product and forward a payment transaction to PBS. Remember that you must be able to provide documentation of the order, stating that the customer has received the product.
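The authorisation rules above (reserve the full amount only when delivery is possible within seven days, otherwise a DKK 1.00 request to confirm the card is not blocked; one authorisation per part delivery; immediate cancellation when delivery fails or the customer cancels; CVC/CVV sent only with the first status check and never retained) can be modelled as an order lifecycle in the merchant's system. The following Python is an added example for this page, not PBS's or any payment service provider's API: FakeGateway, its authorisation codes, the blocked test card number and the order amounts are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

VERIFICATION_AMOUNT_DKK = 1.00   # low-value request that only checks the card is not blocked
DELIVERY_WINDOW_DAYS = 7         # reserve the full amount only if delivery is possible within this


@dataclass
class CardOnFile:
    """What the merchant may hold between part deliveries: there is no CVC/CVV field at all.
    The PAN itself is in scope for PCI DSS; many merchants keep only a PSP token here."""
    pan: str
    expiry: str


@dataclass
class Shipment:
    amount_dkk: float
    auth_code: str


@dataclass
class OrderRecord:
    order_id: str
    total_dkk: float
    shipments: List[Shipment] = field(default_factory=list)
    verification_code: Optional[str] = None   # the DKK 1.00 reservation, if one was made

    @property
    def delivered_dkk(self) -> float:
        return sum(s.amount_dkk for s in self.shipments)


class FakeGateway:
    """Stand-in for the payment service provider (constructed; not PBS's or any PSP's API)."""
    BLOCKED_PANS = {"4000000000000002"}   # constructed test value standing in for a blocked card

    def __init__(self) -> None:
        self.reservations: Dict[str, float] = {}
        self._next = 1

    def authorise(self, pan: str, expiry: str, amount: float,
                  cvc: Optional[str] = None) -> Optional[str]:
        """Return an authorisation code, or None for a decline. The CVC travels only
        on the first request for an order; later part-delivery requests omit it."""
        if pan in self.BLOCKED_PANS:
            return None
        code = f"AUTH{self._next:04d}"
        self._next += 1
        self.reservations[code] = amount
        return code

    def cancel(self, code: str) -> None:
        self.reservations.pop(code, None)


def place_order(gw: FakeGateway, order_id: str, total: float, pan: str, expiry: str,
                cvc: str, deliverable_in_days: int) -> Optional[OrderRecord]:
    """First status check for the order: the only call that carries the CVC/CVV.
    Reserve the full amount only if delivery is possible within seven days; otherwise
    reserve DKK 1.00 just to confirm the card is not blocked. The CVC is never stored."""
    rec = OrderRecord(order_id, total)
    if deliverable_in_days <= DELIVERY_WINDOW_DAYS:
        code = gw.authorise(pan, expiry, total, cvc=cvc)
        if code is None:
            return None                      # decline: do not complete the transaction
        rec.shipments.append(Shipment(total, code))
    else:
        code = gw.authorise(pan, expiry, VERIFICATION_AMOUNT_DKK, cvc=cvc)
        if code is None:
            return None
        rec.verification_code = code
    return rec


def ship_part(gw: FakeGateway, rec: OrderRecord, card: CardOnFile, amount: float) -> bool:
    """Authorise the amount of one part delivery when it is ready to go. The DKK 1.00
    verification reservation is released with the first real authorisation."""
    if rec.delivered_dkk + amount > rec.total_dkk:
        raise ValueError("part deliveries would exceed the order total")
    code = gw.authorise(card.pan, card.expiry, amount)   # no CVC held, none sent
    if code is None:
        return False
    rec.shipments.append(Shipment(amount, code))
    if rec.verification_code:
        gw.cancel(rec.verification_code)
        rec.verification_code = None
    return True


def cancel_order(gw: FakeGateway, rec: OrderRecord) -> None:
    """Customer cancels, or delivery turns out to be impossible, before anything has been
    dispatched: release every reservation immediately."""
    for s in rec.shipments:
        gw.cancel(s.auth_code)
    if rec.verification_code:
        gw.cancel(rec.verification_code)
        rec.verification_code = None
    rec.shipments.clear()
```

Two design points follow directly from the guide: the order record and the card-on-file type have no place to put a CVC/CVV, so a later part-delivery authorisation cannot accidentally reuse one, and the reservation for a given delivery is requested exactly once, with the DKK 1.00 check released as soon as a real amount is reserved, so the cardholder is never tied up for the same amount twice.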

PBS, Lautrupbjerg 10, P.O.500, DK-2750 Ballerup, Denmark, Tel. +45 44 89 24 80, Fax +45 44 89 23 23, www.pbs.dk/kontakt PBS A/S / CVR-nr.: 20 01 61 75 / PBS marketing Graphics Department / (12.09) / (815) / ZCA010