Security advice for accepting payments
- Practical guidance on what to look out for and how to deal with suspected fraud
- Tips on security checks for transactions whether cardholders are present or not
- Advice on who to contact to verify a card or transaction
- How to secure card data
Ways to prevent and deal with fraud
- Cardholder Authentication gives you the ability to prove that the cardholder used their card at the time of the transaction. It helps prevent chargebacks where cards are used fraudulently or where the cardholder denies using the card. This is something we offer through our PDQ terminals and for payments taken online.
- Card Security Code and Address Verification Services offer a fast, efficient and economical way to validate Visa, MasterCard and Maestro cardholders. The service works by electronically checking the security code (the last 3 numbers on the cardholder's signature strip), then checking the numerics of the address. The data check response helps you decide whether or not to proceed with the transaction.
Protect your business from the effects of card fraud
Transactions when card and cardholder are present
- When processing payments through your electronic terminal, always check that the card number that appears on your till receipt matches the number embossed on the front of the card.
- If a card fails to swipe through or be recognised by your terminal, it may be a counterfeit card. It could also just be that the magnetic strip no longer works. You should try the card again, and try manually entering the details using the keypad. If it still doesn't work, or you're suspicious about the card or the person using it, call our authorisation department and say that you would like to make a 'Code 10' call. The operator will understand the situation and deal with it as delicately and swiftly as possible.
- Where a transaction is manually keyed, you must also imprint and complete a sales voucher; this will prove the card was present at the time of the transaction. Full details of the transaction should be recorded on the voucher, which your customer will need to sign. The words "For Verification Only" should be written across the voucher. Your copy of the terminal receipt and the voucher should be stored together in case of further query. The voucher should not be banked, as your account will be credited via the terminal in the normal way.
- Be aware of any distraction tactics that someone using a fraudulent card may use, such as trying to hurry the transaction or seeking to draw attention away from the transaction.
- If the customer challenges you or queries why you need authorisation, explain that it's a procedure you're required to carry out on occasion by the banks. If the cardholder is genuine, they will understand this.
- Remember that authorisation is not a guarantee of payment and doesn't prevent a card payment being charged back to you.
General transaction tips
- Not all fraudulent transactions can be detected by your point of sale equipment. If a stolen card is used, the genuine cardholder may not be aware of its loss. If it hasn't been reported as stolen then the fraudulent transaction may be authorised.
- It's against the terms of your Merchant Agreement to process transactions on behalf of someone else. Doing so could damage your business and put you at risk of chargebacks.
- If you're approached by anyone about processing other business transactions through your merchant number then please contact us immediately.
- Check the card number against any warning notices you may have received from us. Do not volunteer or reveal any information, even if the caller claims to be from Barclaycard or any other part of the Barclays Group. Beware of calls asking for information about your business such as:
- cards and card numbers
- expiry dates
- floor limits
- transaction amounts
- merchant number
- terminal details or any other such request
- Ask the caller for a telephone number, saying you will call them back with the information and then call us immediately, and we will investigate it.
- Beware of people posing as engineers claiming they have come to remove your terminal for service or repair. This is a common tactic used by criminals who steal the terminals to access the information that's stored in them. Always ask for identification and never allow anyone to take your terminal unless you requested the visit.
- Call us to verify whether an engineer has been sent by us before letting anyone have access to your terminal.
Preventing card fraud
Understanding card fraud and how to help prevent it
There are two main types of card fraud: identity fraud and stolen cards. With identity fraud the card itself is not stolen. Thieves assume the identity of cardholders using information from credit card receipts, email or phone scams. They then use this information fraudulently to pay for things, most commonly by phone, mail order or internet.
When a card is stolen, sometimes by intercepting the post when a new card is sent, the thief will use the card before the owner knows it's missing. Often, this is only discovered when the owner receives their monthly statement and sees transactions they didn't make. If we notice irregular spending patterns on a customer's account, we may also call the cardholder to verify that the transactions made were theirs.
If a cardholder reports their card stolen and disputes transactions made through your business, you may be unable to prevent some chargebacks. If you're suspicious about anything, call us to verify the authenticity of the card and for authorisation. You can also watch out for:
- Bounced emails
- Billing address and postcode
- Use the Modulus 10 check
- Check the order details
- Keep a note of any losses or fraudulent transactions
- Arrange delivery through recorded or registered post
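The Modulus 10 check named in the list above, together with the "numerics of the address" that the Address Verification Service compares, can be run on an order before it is sent for authorisation. This is an added example, not Barclaycard's code; the function names are hypothetical, the sample order is constructed, and taking the address digits in the order they appear is an assumption about how the numerics are formed.

```python
import re


def luhn_valid(card_number: str) -> bool:
    """Return True if the card number passes the Modulus 10 (Luhn) check."""
    digits = re.sub(r"[ -]", "", card_number)  # allow "4111 1111 ..." or dashes
    # Anything other than 12 to 19 digits is rejected before doing arithmetic.
    if not re.fullmatch(r"\d{12,19}", digits):
        return False
    total = 0
    # Work from the rightmost digit; double every second digit and,
    # if the result is two digits, add them together (same as subtracting 9).
    for position, char in enumerate(reversed(digits)):
        value = int(char)
        if position % 2 == 1:
            value *= 2
            if value > 9:
                value -= 9
        total += value
    return total % 10 == 0


def address_numerics(text: str) -> str:
    """Digits of an address line or postcode, in the order they appear
    (assumed form of the 'numerics' an address check compares)."""
    return "".join(re.findall(r"\d", text))


def precheck(card_number: str, address: str, postcode: str) -> dict:
    """Checks a merchant can run locally before requesting authorisation."""
    return {
        "luhn_ok": luhn_valid(card_number),
        "address_numerics": address_numerics(address),
        "postcode_numerics": address_numerics(postcode),
    }


if __name__ == "__main__":
    # Constructed sample order; the card number is a well-known test value.
    print(precheck("4111 1111 1111 1111", "Flat 2, 14 High Street", "AB1 2CD"))
    # A single mistyped digit is caught by the check.
    print(luhn_valid("4111 1111 1111 1112"))
```

A pass only shows the number is well formed: it catches mistyped or made-up numbers, but a stolen card's number passes, so authorisation and the other checks still apply.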
Storing card information
Advice on secure storage of card data
Credit card details are valuable to fraudsters and are commonly sought either by accessing information systems to steal them, or manually obtaining them from receipts and statements.
If you decide to store payment card details on any of your business systems, it is your responsibility to ensure you have adequate security measures in place. Barclaycard offers the following guidance:
- Restrict access to payment card data to only those staff who need access, and ensure that this type of information is not published internally or externally.
- Ensure that employees who handle payment card data are aware of its importance and confidentiality.
- Access to payment card related data could be audited and this information should be retained for a suitable period for additional security. When this period is up, you must dispose of it securely.
- Ensure your data systems are secure from external sources via the relevant firewall protection and internally through passwords.
- If you suspect a breach in security, from any source, report it to the card issuer as soon as possible.
- Consider undertaking a formal security risk assessment for any system that holds or processes card payment data.
- Ensure protection of this data falls within the terms of your own information security policies. If you do not maintain a formal policy consider how the controls fit with BS7799, the British Standard for Information Security Management.
This list is for your guidance only. It's impossible for Barclaycard to provide an exhaustive list of security issues as these vary according to each business. Ultimately, it's your responsibility to ensure you have adequate security systems in place before you start storing card data, and that these procedures are reviewed on a regular basis.