every card. every time. · creditcards need to know whatto look for and whatactions to take if they...

MonerisS O L U T I O N S

™

> Every Card. Every Time.

Fraud Prevention ProgramReference Guide


Moneris Solutions | Fraud Prevention Reference Guide

Table of ContentsSuspicious customer behaviour 1Card security features 5Proper processing procedures 6Code 10 Procedures 16Mail/Telephone Order and Internet fraud 18Skimming 24


In this Reference Guide you willfind everything you need to help minimize credit card fraud.Fraud is an ongoing issue thathurts us all, and could have significant financial implicationsfor your company.

The most effective way to reducefraud is through employee educationand training. Store clerks whoaccept the customers’ debit andcredit cards need to know what tolook for and what actions to take ifthey are suspicious of fraud. Onceemployees are aware, they needconstant reinforcement of themessage and we hope our slogan“Every Card. Every Time.” is a usefulreminder. Like any good habit, staffbehaviour can easily slip back intosloppy card handling if the staffand store are busy.

This Guide covers the followingtopics in detail:

• Suspicious customer behaviour• Card security features• Proper processing procedures

• Code 10 Procedures• Mail/Telephone Order andInternet fraud

• Skimming

Please post the ongoing promotionmaterials in a lunch room or otherstaff area, the reminder card nearthe POS and place the tent card ina visible spot at checkout.

Once staff has been trained onproper processing procedures,management needs to encouragestaff to use common sense, and tofollow their instincts. While somefraud activity is quite sophisticateddue to today’s plastics technology,your front-line staff can make ahuge difference with somethingas simple as calling for a Code 10authorization.

It’s important that the messageabout fraud prevention tacticscomes from an employee’s direct supervisor. It needs to beengrained that being vigilantagainst credit card fraud is a“must do” element of the job.

Welcome to the Moneris Solutions Fraud Prevention Program.

1

L O S T O R S T O L E N C A R D S

Indiscriminate purchases

• The customer has randomly collected merchandise and mayappear nervous or in a hurry.

• The customer may make purchases just as the store is closing.

• The customer does not take the care usually associated withmaking a purchase.

• In a clothing store, the customermay have chosen merchandisewithout regard to size, colour,style or price. They may not havetried the items on.

• When purchasing expensive electronics, they may notask about technical specifications or warranties.

• For large items, they may takeimmediate delivery and notrequest assistance.

1Suspicious CustomerBehaviour

Be alert and observe your customers.

Detecting credit card fraud begins with keeping your eyes and ears open.

Bad cards can be broadly classified into two groups. The first category

is lost or stolen cards, where the card is legitimate, but the user is not the

authorized cardholder. The second is counterfeit cards, where the card is

illegally produced but looks and works like a legitimate card.

Our experience shows that the perpetrators of credit card fraud often display the following characteristics:

The card

• The customer may take the card from their pocket insteadof a wallet or purse.

• The customer may sign the sales draft in a deliberate orunnatural way.

• The signature on the card andthe draft may not match.

• The card may have a femalename but be used by a male,and vice versa.

• The customer may randomlycharge expensive items on anewly valid card.


2

C O U N T E R F E I T C A R D S

Confidence

• The customer will look the part of a customer who purchases expensive items.They will likely be well-dressedand self-confident.

• They are confident their purchases will be approvedgiven they are a part of the production of these high-quality cards.

• They may spend a lot of timebrowsing and very often pick upmerchandise the following day.

Come back for more

• The customer will frequentlyreturn with friends, who alsohave counterfeit cards, claimingthey find the merchandise andprices attractive.

Important note• Any of these characteristics can

be present in a legitimate transaction, just as the absenceof these characteristics does notguarantee a legitimate trans-action. Common sense is alwaysthe best guide.

• If you or your staff have anydoubts or suspicions, give yourself, not the customer, thebenefit of the doubt. Call for aCode 10 authorization (See page17) which is used when yoususpect a card transaction maybe fraudulent, or should be given a closer look.

Suspicious Customer Behaviour

3

“Detecting credit card fraud begins with

keeping your eyes and ears open.”

Topic

5

2Card Security Features

K N O W W H AT T O L O O K F O R

All credit cards are designed with special security elements to deter

counterfeiting and alteration. When you are presented with a card, look

for the following elements:

A L L C A R D S Verify the match of print andembossing

Do the pre-printed digits match thefirst four digits of the embossedaccount number?

EmbossingThe embossing should be clear anduniform in size and spacing.

HologramAre the four last numbers of thecard embossed in the hologram?

Valid DateDoes today’s date fit between theeffective and expiry dates? The cardis valid until the last day of themonth shown.

Compare account numbersIs the account number embossed on the card exactly the same asthe account number printed on thesales draft and displayed on the terminal (if equipment allows)?


6

1234VALIDFROM

GOODTHRU

1. A mismatch between the printedfour-digit number and the firstfour embossed numbers

2. Embossed characters that areenlarged or out of proportion tothe other characteristics on thesame line

3. Numbers or letters that are ill-defined or of varying typestyles

4. Inconsistent spacing or crookedembossed lines

5. A printed surface that ischipped or scratched

6. The absence of a three-dimensional hologram

7. The absence of a stylized V (VISA)and MC (MasterCard) on the card

8.Silver or gold paint used totouch up the hologram after re-embossing the accountnumber

Today’s technology can help fraud artists alter or counterfeit cards. Youcan outsmart them by looking for these signs:

S P O T T I N G A B A D C A R D ( F R O N T )

2 – 4

6

7

1

Card Security Features

7

E L E M E N T V I S A M A S T E R C A R D

Account Does it begin with a “4”? Does it begin with a “5”?Number Is it 16 digits?

Security All VISA cards show a All MasterCard cards have stylized “V”. Some cards a stylized “MC” embossedmay have one other on the line next to the letter prior to the V. valid date

Hologram Does a dove appear to Do the interlocking fly when the card is tilted globes showing three in light? continents move when

the card is tilted? Does the word “MasterCard”appear in the backgroundof the hologram?

NOT VALID UNLESS SIGNED

RE

LOGO HERE

O HERE LOGO HERE

ERE LOGO HERE L

OGO HERE

ERE LOGO HERE L

OGO HERE

ERE LOGO HERE L

OGO HERE

ERE LOGO HERE L

OGO HERE

ERE LOGO HERE L

OGO HERE

ERE LOGO HERE L

OGO HERE

ERE LOGO HERE L

OGO HERE

ERE LOGO HERE L

OGO HERE

ERE LOGO HERE L

OGO HERE

ERE LOGO HERE L

OGO HERE

ERE LOGO HERE L

OGO HERE

ERE LOGO HERE L

OGO

ERE LOGO HE

ERE

1234 5678 9101 1234 567


8

• The word “VOID” exposed by anerasure of the signature panel

• Damage to the word mark pattern on the signature panel,or no pattern at all

• Glued-on paper, white adhesivetape or paint covering the original signature panel

S P O T T I N G A B A D C A R D ( B A C K )

Card Security Features

9

A L L C A R D S ( B A C K ) Signature Panel

Is the account number (VISA) orthe last 4 digits of the accountnumber (MasterCard) printed inreverse italics on the signaturepanel? Is it followed by a 3-digitcard validation code?

Signature

Is signature panel signed? If it isnot signed, ask the cardholder tosign the card and compare thatsignature with one on a valid government-issued I.D.

Does the signature on the back ofthe card reasonably compare withthe signature on the sales draft?

“All credit cards are designed with special

security elements to deter counterfeiting

and alteration.”

E L E M E N T V I S A M A S T E R C A R D

Signature Is the word “VISA” Is the word “MasterCard”Panel repeated at an angle repeated at an angle

across signature panel? across signature panel?

R E M E M B E R T H E B A S I C SBy following proper processingprocedures, you reduce thechance of fraud:

• Look at the hologram, the four-digit printed bank identificationnumber, the unique embossedsymbol and the signature panel.

• Check the card expiration date.

• If you use a terminal to author-ize credit card transactions,swipe the card through it.Check the terminal’s display ofthe account number encoded in the card’s magnetic stripe andcompare it with the accountnumber embossed on the card.

• If you are satisfied that the cardis genuine, use your normalauthorization procedures torequest approval. Do not givethe card back to the customeruntil the authorization proce-dure is complete.

• Have the customer sign the draftin full view.

• Compare the signature on thecard with the signature on thedraft for similar handwriting.

A LWAY S S W I P E T H R O U G H A T E R M I N A L

• It’s faster and helps to preventfraud.

• Swipe card once and in onedirection only. Do not slide itback and forth.

• Compare account numbers.Do last four digits of accountnumber on sales draft matchlast four digits of embossedaccount number? If not, phonethe Moneris authorization centreat 1 866 802 2637 and followthe prompts for a Code 10authorization.

Topic

11

3Proper ProcessingProcedures

• If you receive a message of “Call” or“Call Centre”, call the authorizationnumber. If you suspect fraudulentactivity, or have any questionsregarding transaction approval, askfor a Code 10 authorization.

• If the authorization centre requeststhat you retain a customer’s card,do so only by reasonable andpeaceful means. Never put yourselfin danger.

When a card’s magnetic stripecan’t be read, it’s usually because:

• the magnetic stripe reader is broken or dirty

• the reader is obstructed,preventing a clean swipe

• the sales associate swiped the cardimproperly

• the card’s magnetic stripe is damaged

M A N U A L T R A N S A C T I O N S• The magnetic stripe is an active

component of the card’s securitythat makes manual processingappropriate only when a card’sstripe can’t be read.

• When a card’s stripe can’t be read, amanual sales draft must be completedthat includes all of the following:• Date• An imprint of the card• Details of the transaction• Dollar amount• Customer signature

Note:• Do not write “void” or “copy” on the

face of the manual salesdraft.

• The card number must then be manually keyed to obtain anauthorization.

On the POS terminal receipt you must:

• Print “PROOF COPY” on thesignature line

• Record the pre-printed referencenumber as it appears on themanual sales draft

Retain records:

Copies of both the manual salesdraft and the POS transactionreceipts are needed to fulfil anyretrieval request generated byMerchant Services. Failure to followthese procedures may result infinancial loss to your business.

• If a transaction is key-entered,always get a card imprint on thesales draft. In case the charge islater disputed, an imprint proves thecard was present, and helpsprotect you from chargebacks.

• For authorizations, each over-the-floor-limit credit card transactionmust be approved, and the subse-quent code must appear on thesales draft.

• If the ratio of key-entered transac-tions to total transactions isgreater than one percent for salesassociates or card readers, try todetermine the reason.It’s a good idea to monitor yourrate regularly.


12

Proper Processing Procedures

13

K E Y E N T R YKey-entered (as opposed tocard-swiped) transactions havesome real disadvantages:

• The most significant is theincreased risk of fraud or counterfeit.

• It can also lead to increasedcosts, as your merchant discountrate is calculated based on yourability to read and transmit themagnetic stripe data at POS.

• It is less efficient, as transactionstake longer to complete and areprone to errors.

• It may lead to lost sales becausethe authorization decline rates are higher for key-entered transactions, so the potential for lost sales is also higher.

S T E P S T O AV O I D K E Y- E N T R Y• Regularly check the magnetic

stripe reader at POS to be sure itis working properly.

• Clean readers periodically with the ReaderClean card that camewith your terminal. They canalso be purchased at most officesupply stores.

• Position readers to facilitate a full card swipe, with anyobstructions removed.

• Do not allow staff to place itemsnear readers that could soil ordamage these devices, particularlyfood and beverages.

• Do not place readers near any equipment that deactivatesmagnetic anti-theft devicesattached to merchandise.

T E A C H S A L E S A S S O C I AT E ST H E P R O P E R WAY T O S W I P EA C A R D :

• Before swiping, make sure thestripe is facing the reader.

• Always swipe the card once inthe direct of the arrow shown onthe reader.

• Never swipe a card back andforth or at an angle, as it maycause the reader to misread thestripe.

H E L P C U S T O M E R S “ P R O T E C TYO U R P I N ”Interac has developed a campaignto raise cardholder awareness andtrigger their behaviour aroundPIN protection at point of use.

W H AT YO U C A N D O T OR E D U C E P I N T H E F TEnsure the terminal is installed sothat your customers can easilyshield the PINpad while enteringtheir Personal IdentificationNumber.

Allow your customers to hold the PINpad until they receive the final approval/decline responsemessage.

Always give your customers a copy of the transaction record and return their banking (debit)cards to them.


14

Proper Processing Procedures

15

If the terminal is not working,please check the following beforecontacting Moneris:

Are the electrical and telephoneconnections in place?

Does the terminal have recordingpaper?

Are the telephone lines working?

C O N S I D E R A D D I N G AC O U N T E R F E I T A N D F R A U DD E T E C T I O N D E V I C E T O YO U RF R A U D P R E V E N T I O N M I XAdditional security products may also help prevent credit cardfraud. All major credit cards con-tain security features that areinvisible to the eye under normallighting conditions, but easy tospot when held under the speciallight of fraud detection equip-ment. SecuriSource, a manufac-turer of security products, offersthe ID-2000 Counterfeit Detectordesigned to cut losses. The device works for US and Canadian currency, all major creditcards, and all cheques and gift

certificates encoded with special security features. Its visible presence will act as a deterrentagainst counterfeit and fraud,and is most effective when keptat every point of purchase wherecredit and cash transactions are made.

Check out their websitewww.securisource.com, or call 1-800-866-5166 for details. Moneris Solutions has negotiateda preferred pricing arrangementfor Moneris Merchants withSecuriSource.

PROTECTI NG YOU R BUSI N ESSEven when proper procedures are followed and a card is swiped,and a matching signature isobtained on the sales draft,there is no guarantee that it is a legitimate transaction. If thereis any suspicion of fraud, initiatea Code 10 authorization.

In most cases, transactions arelegitimate, but you should knowwhat to do in the event of aCode 10:

• Call the Moneris authorizationcentre at 1 866 802 2637 andfollow the prompts for a Code 10.

• Identify the call as a Code 10.

• Hold the card in your hand during the authorizationprocess. Stay calm and remaincasual and courteous with the customer.

• Your call may be transferred.Please do not hang up.

• you will be asked a series of yesor no questions to verify theauthenticity of the card.

• Follow the instructions givento you over the telephone.

• Do not try and apprehend ordetain the cardholder.

• A reward may be paid for thereturn of a lost, stolen or counterfeit card.

If for any reason you become suspicious of a transaction orcardholder, call the Moneris authorization department.Code 10 procedures have beendeveloped for your protection.

Trust your instincts and alwayserr on the side of caution.

17

Code 10 is a universal code that allows merchants to alert an

authorization centre of a suspected fraudulent transaction without

alarming the individual who is presenting the card.

4Code 10 Procedures

I F YO U S U S P E C T F R A U DIf you are suspicious of a transaction, ask the customerfor additional information:

• day and evening telephonenumbers, which can be verifiedthrough Directory Assistance orwww.canada411.ca

• additional information such as the bank name on frontof card

• separately, confirm the order by sending a note via the cus-tomer’s billing address, ratherthan the “ship to” address.

Topic

19

5Mail/Telephone Order andInternet Fraud

Many of the safeguards against fraud in traditional retail environments

do not work in situations where the card is not present, including

mail/telephone orders (MOTO), and the world of e-commerce. These

transactions do not require face-to-face contact or an actual

card in hand, so there is more anonymity.

All MOTO and Internet merchants must authorize their transactions.

If funds are available and a card has not been reported lost or stolen,

the transaction will most likely be approved by the issuing bank. For

merchants, it is important to remember that an authorization is

not proof that the true cardholder is making a purchase or that a

legitimate card is involved. An authorization only means that credit

is available and that the card is not currently blocked. To detect fraud,

authorizations must be augmented with the right combination

of tools and controls.

M O T O F R A U DMerchants are open for chargebacks with this type ofprocessing. Any disputes will bereturned, regardless of whatwas verified or investigated. The only exception is the Verified byVISA program.

V E R I F I E D B Y V I S AMerchants must register and beapproved for Verified by VISA.The objective of this program isto guarantee the transaction asa legitimate one for the merchantby transferring liability to theissuing bank, and thereforeminimizing chargebacks.

This password verificationprocess allows the cardholders’identities to be confirmed inreal-time during checkout by the cardholder’s financial institution. It is meant to closelyreplicate a “card present”environment, which can help to reduce the risk of fraud.

Verified by VISA is initiated whenthe cardholder proceeds to yourcheckout page and clicks “buy”.The program creates a windowfor the cardholder to enter their password. The cardholder’sfinancial institution can thenauthenticate the cardholder andsend you the response needed toproceed with paymentauthorization.


20

I N T E R N E T F R A U D – W H AT T OWATC H O U T F O R :

• Internet merchants should neveraccept orders via email, even if your site is secure, because thecard data is exposed from thecardholder’s end.

• First time shoppers – criminalsare always looking for new victims.

• Larger-than-normal purchases –because stolen cards or accountnumbers have a limited lifespan, thieves need to maximizethe size of their purchases.

• Orders consisting of several ofthe same item – having multi-ples of the same item increasesthe criminal’s profits.

• Orders placed using numerouscredit cards – transaction is splitbetween several cards.

• Orders placed on cards issued bya country different than thecountry the goods are shippedto (e.g. orders on Australian

cards and goods shipped toBulgaria).

• Orders made up of “big-ticket”items – these items have maximum resale value andtherefore maximum profitpotential.

• Orders shipped “rush” or“overnight” – thieves who wantto quickly resell items aren’tconcerned about extra deliverycharges.

• Orders from Internet addressmaking use of free e-mail services.For these services, there’s nobilling relationship and often no audit trail or verification that the legitimate cardholderhas opened the account.

• Orders shipped to an inter-national address – a significantnumber of fraudulent trans-actions are shipped to fraudulentcardholders outside NorthAmerica.

Mail/Telephone Order and Internet Fraud

21

“Many of the safeguards against fraud

in traditional retail environments do not

work in the world of e-commerce.”


22

H O W T O S TAY “ C Y B E R S A F E ”• Develop and maintain a customer

database or account history filesto track buying patterns andcompare individual sales forsigns of possible fraud.

• Establish and enforce appro-priate controls on the employeeswho have access to the customerdatabase and account numbers.

WATC H F O R :• Transactions on account numbers

that seem to follow a pattern.

• Orders shipped to a singleaddress but made on multiplecards – these could also be characteristic of an accountnumber generated using specialsoftware available on theInternet, or a batch of stolencard numbers.

• Multiple transactions on onecard over a very short period of time – this could be anattempt to “run” a card until the account is closed.

• Multiple transactions on onecard or similar cards with a single billing address, butmultiple shipping addresses –this could represent organizedactivity, rather than one individual at work.

• Multiple cards used from a single IP (Internet Protocol)address – more than one or two cards could well indicate a fraud scheme.

Mail/Telephone Order and Internet Fraud

23

WHAT TO DO I F YOU R CREDITCARD DATA IS COMPROMISEDE-commerce merchants need to be vigilant at all times againstfraud. Hackers and thieves arealways looking for holes in secu-rity systems, and opportunitiesto steal valuable information.We know you’re doing every-thing you can to stay “cyber-safe”, but if you think you havebeen compromised:

Act fast

• Contain damage and limit yourexposure

• Preserve your logs and electronicevidence

• Do not access the compromised system

Investigate

• Within 24 hours, record all actionstaken to identify the securitybreach and possible loss ofaccount information

• Be on high alert and monitor allsystems that hold account infor-mation.

Contact MonerisCall Moneris at 1-866-319-7450and we will work with you to:

• distribute compromised accountnumbers

• identify the security vulnerabilities

• take corrective action to minimize future risk

It’s important that you contactus, because our expert staff willknow how to identify the issueand help resolve it. We can alsohelp to minimize the impact thatan incident might have on yourcustomers, business reputationand bottom line. We all have a vested interest in protecting the goodwill of our mutual customers.

G E T T I N G T H E M A G N E T I CS T R I P E I N F O R M AT I O N

• There is increasingly sophisticatedtechnology available today thatemployees use to skim magneticstripe information from creditand debit cards through either atampered or dummy terminal.

B E A L E R T• There are now very portable

skimming devices that capturecard track data running throughthe host line for authorizations.

• These devices have the capacityto run for days at a time withtheir larger storage capacity.

• Check under the counter, a convenient hiding spot for skimming devices and activity.

Topic

25

6Skimming

Skimming is the transfer of electronic data from one magnetic stripe to

another for fraudulent purposes, using card readers. Service stations

and restaurants are often the target of skimming, with staff working

alone for long periods of time, often at night or on the weekends.

F O R D E B I T C A R D S

In addition to the magneticstripe information, skimmersalso need to obtain the cardholder’s PIN number.

This is typically done in the following ways:

• “PIN surfing”– either theemployee or an accomplice will“surf” at the moment thecustomer is keying in their PIN

• A more sophisticated way is the use of a mini-camera lens,placed either in a hole in theceiling or on a shelf above thecounter and the PINpad. Withthis equipment, the PINpad hasto remain in a fixed position onthe counter in order for the lensto capture the numbers beingkeyed in.

P R E V E N T I O N

• Most often, a skimming employeeworks alone on the weekends orat night. Random visits to thestore by a manager or lessee willhelp to reduce fraudulent activity.

• In the case of mini cameras,managers and lessees shouldcheck for suspicious holes in theceiling and/or walls.


26

“Service stations and restaurants are often the

target of skimming, with staff working alone

for long periods of time, often at night or

on the weekends.”

E M P L O Y E E H I R I N G A N DA C C O U N TA B I L I T Y

To prevent employees from getting the chance to skim, it’simportant to do due diligencewith hiring and supervisingemployees.

New hires

• Full identity of potentialemployees, including name,date of birth and Social InsuranceNumber (SIN) should be provided.Ask to see government-issuedphoto identification.

• There have been numerouscases where a service station jobseeker’s primary purpose is toskim for a criminal group.

Ensuring accountability

• Meticulously updated schedulesshould be kept for a minimumof 12 months to enable investi-gators to determine employeeswho were on duty at the time ofthe skimming operation, whenlegitimate transactions tookplace. Note that skimming hasbeen reported more than 6months after the customer usedtheir cards at a suspect POS.

•A significant deterrent to skimming activity is to mandate employees to sign or write their employee number on each legitimatetransaction draft.

• Offering a reward to employeeswho report suspected skimmingactivity or who are approachedby skimming groups is alsoanother effective deterrent.

Skimming

27

every card. every time. · creditcards need to know whatto look for and whatactions to take if they...

Documents