Security advice for accepting payments

  • Practical guidance on what to look out for and how to deal with suspected fraud
  • Tips on security checks for transactions whether cardholders are present or not
  • Advice on who to contact to verify a card or transaction
  • How to secure card data

Overview

Ways to prevent and deal with fraud

Card fraud is still a very real issue, and one which you, as a business that accepts card payments, need to be aware of. We're committed to providing our business clients with practical support and advice on reducing fraud, as well as services and initiatives to help protect you, including:
  • Cardholder Authentication, which gives you the ability to prove that the cardholder used their card at the time of the transaction. It helps prevent chargebacks where cards are used fraudulently, or where the cardholder denies using the card. This is something we offer through our PDQ terminals, and for payments taken online.
  • Card Security Code and Address Verification Services, which offer a fast, efficient and economical way to validate Visa, MasterCard and Maestro cardholders. The service works by electronically checking the security code (the last 3 numbers on the cardholder's signature strip), then checking the numerics of the address. The data check response helps you decide whether or not to proceed with the transaction.
Barclaycard also offers additional protection through Internet Authentication, a system that helps protect businesses from fraudulent payments and helps them trade online safely.
 

Useful tips

Protect your business from the effects of card fraud

It's important that all employees who accept card payments are aware of what to look out for to help detect fraudulent cards or users. So we've put together some tips to help.

Transactions when card and cardholder are present

  • When processing payments through your electronic terminal, always check that the card number that appears on your till receipt matches the number embossed on the front of the card.
  • If a card fails to swipe through or be recognised by your terminal, it may be a counterfeit card. It could also just be that the magnetic strip no longer works. You should try the card again, and try manually entering the details using the keypad. If it still doesn't work, or you're suspicious about the card or the person using it, call our authorisation department and say that you would like to make a 'Code 10' call. The operator will understand the situation and deal with it as delicately and swiftly as possible.
  • Where a transaction is manually keyed, you must also imprint and complete a sales voucher; this will prove the card was present at the time of the transaction. Full details of the transaction should be recorded on the voucher, which your customer will need to sign. The words "For Verification Only" should be written across the voucher. Your copy of the terminal receipt and the voucher should be stored together in case of further query. The voucher should not be banked, as your account will be credited via the terminal in the normal way.
  • Be aware of any distraction tactics that someone using a fraudulent card may use, such as trying to hurry the transaction or seeking to draw attention away from the transaction.
  • If the customer challenges you or queries why you need authorisation, explain that it's a procedure you're required to carry out on occasion by the banks. If the cardholder is genuine, they will understand this.
  • Remember that authorisation is not a guarantee of payment and doesn't prevent a card payment being charged back to you.


General transaction tips

Orders taken via mail, telephone and internet require extra vigilance as the cardholder is not present and these methods are more commonly used by fraudsters. They are also more likely to result in chargebacks. You're not obliged to take these orders under the terms of your Merchant Agreement.
  • Not all fraudulent transactions can be detected by your point of sale equipment. If a stolen card is used, the genuine cardholder may not be aware of its loss. If it hasn't been reported as stolen then the fraudulent transaction may be authorised.
  • It's against the terms of your Merchant Agreement to process transactions on behalf of someone else. Doing so could damage your business and put you at risk of chargebacks.
  • If you're approached by anyone about processing other business transactions through your merchant number then please contact us immediately.
  • Check the card number against any warning notices you may have received from us.
  • Do not volunteer or reveal any information, even if the caller claims to be from Barclaycard or any other part of the Barclays Group. Beware of calls asking for information about your business such as:
      • cards and card numbers
      • expiry dates
      • floor limits
      • transaction amounts
      • merchant number
      • terminal details or any other such request
  • Ask the caller for a telephone number, saying you will call them back with the information and then call us immediately, and we will investigate it.
  • Beware of people posing as engineers claiming they have come to remove your terminal for service or repair. This is a common tactic used by criminals who steal the terminals to access the information that's stored in them. Always ask for identification and never allow anyone to take your terminal unless you requested the visit.
  • Call us to verify whether an engineer has been sent by us before letting anyone have access to your terminal.

Preventing card fraud

Understanding card fraud and how to help prevent it

There are two main types of card fraud: identity fraud and stolen cards. With identity fraud the card itself is not stolen. Thieves assume the identity of cardholders using information from credit card receipts, email or phone scams. They then use this information fraudulently to pay for things, most commonly by phone, mail order or internet.

When a card is stolen, sometimes by intercepting the post when a new card is sent, the thief will use the card before the owner knows it's missing. Often, this is only discovered when the owner receives their monthly statement and sees transactions they didn't make. If we notice irregular spending patterns on a customer's account, we may also call the cardholder to verify that the transactions made were theirs.

If a cardholder reports their card stolen and disputes transactions made through your business, you may be unable to prevent some chargebacks. If you're suspicious about anything, call us to verify the authenticity of the card and for authorisation. You can also watch out for:

Bounced emails
If a purchase receipt email is returned before it gets to your customer, ask yourself why. Did they simply misspell the email address, or is it perhaps that it does not exist? Try to contact them again to verify, but don't dispatch the goods if you're unsure.

Billing address and postcode
Barclaycard provides a Card Security Code and Address Verification Service designed to help protect businesses taking mail, phone or online orders. Information obtained from the cardholder during the transaction is sent to the card issuer for electronic verification. The service works by checking the card 'security code', numbers in the cardholder's postcode, and up to the first five numbers of the cardholder's full statement address. You can use this service if you process transactions through your own or a third party supplied payment system.

Telephone number
Always ask for a contact telephone number. Check the STD code of the contact telephone number against the address given by the cardholder to see if they match.

Card details
Does it have a valid expiry date?

Use the Modulus 10 check
This is a digit algorithm that you incorporate into the payment page code of your website. It's called a Modulus 10 Check because the result of a mathematical equation applied to the card number must be divisible by 10 to be valid. This is not a completely foolproof check, and doesn't guarantee a card has been issued with this number, but it can highlight fake cards, so is worth doing.
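The expiry-date and Modulus 10 checks above can be combined into one pre-check that runs before the transaction is submitted. The following is an added example, not Barclaycard code: the function names are hypothetical, the accepted length of 12 to 19 digits is an assumption, and the card numbers in any test input should be constructed values.

```javascript
// Added example: Modulus 10 (Luhn) and expiry checks for a payment form.
// Hypothetical helper names; the 12-19 digit length range is an assumption.

function passesModulus10(input) {
  // Tolerate the spaces and dashes customers type; reject anything else.
  const digits = String(input).replace(/[\s-]/g, "");
  if (!/^\d{12,19}$/.test(digits)) return false;

  let sum = 0;
  let doubleIt = false; // the rightmost digit is taken as-is
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9; // same as adding the two digits of the product
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

function expiryIsValid(month, year, now = new Date()) {
  // month is 1-12 and year is four digits, as entered on the form
  if (!Number.isInteger(month) || !Number.isInteger(year)) return false;
  if (month < 1 || month > 12 || year < 2000) return false;
  // Date months are 0-based, so (year, month, 1) is the first day of the
  // month after expiry; the card is usable until that moment.
  return now < new Date(year, month, 1);
}

function precheckCard(number, month, year, now = new Date()) {
  // Returns a list of failed checks; an empty list means "well-formed",
  // not "issued" or "authorised".
  const problems = [];
  if (!passesModulus10(number)) problems.push("NUMBER");
  if (!expiryIsValid(month, year, now)) problems.push("EXPIRY");
  return problems;
}
```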

Check the order details
Use Volume & Value Verification to monitor the number and value of orders from individuals. The trend in fraud online is to place a small number of modest orders to test the water, then dramatically increase the volume and value of orders before the fraud is discovered. Would a customer really want three PCs or ten copies of the same book?
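One way to apply Volume & Value Verification to incoming orders is shown below as an added example, not Barclaycard code. The order record shape, the `cardToken` field (a stored reference rather than the card number itself), the reason codes and every threshold are assumptions to be tuned to your own trade; the sample orders are constructed.

```javascript
// Added example: Volume & Value Verification over an order history.
// Record shape, reason codes and all thresholds are assumptions.
const LIMITS = { windowHours: 24, maxOrders: 3, maxValue: 500, maxSameItemQty: 3, spikeFactor: 5 };

function reviewOrder(order, history, limits = LIMITS) {
  const reasons = [];
  const windowStart = order.time - limits.windowHours * 3600 * 1000;
  // Match on email OR card token so changing one detail does not reset the count.
  const prior = history.filter(h => h.time < order.time &&
    (h.email === order.email || h.cardToken === order.cardToken));
  const recent = prior.filter(h => h.time >= windowStart);

  // Volume and value inside the window, counting the new order itself.
  const count = recent.length + 1;
  const value = recent.reduce((sum, h) => sum + h.total, order.total);
  if (count > limits.maxOrders) reasons.push("VOLUME");
  if (value > limits.maxValue) reasons.push("VALUE");

  // "Test the water" pattern: modest earlier orders, then a far larger one.
  if (prior.length >= 2) {
    const average = prior.reduce((sum, h) => sum + h.total, 0) / prior.length;
    if (order.total >= average * limits.spikeFactor) reasons.push("SPIKE");
  }

  // Unusual quantity of one item (three PCs, ten copies of a book).
  if (order.items.some(line => line.qty >= limits.maxSameItemQty)) reasons.push("QUANTITY");

  return { hold: reasons.length > 0, reasons };
}

// Constructed sample data: two modest orders, then a large one days later.
const SAMPLE_HISTORY = [
  { time: Date.UTC(2024, 0, 1), email: "a@example.test", cardToken: "tok_1", total: 20,
    items: [{ sku: "BOOK-1", qty: 1 }] },
  { time: Date.UTC(2024, 0, 2), email: "a@example.test", cardToken: "tok_1", total: 25,
    items: [{ sku: "BOOK-2", qty: 1 }] },
];
const SAMPLE_ORDER = { time: Date.UTC(2024, 0, 5), email: "b@example.test", cardToken: "tok_1",
  total: 900, items: [{ sku: "PC-1", qty: 3 }] };
```

An order returned with `hold: true` is a candidate for manual review before dispatch, not an automatic decline.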

Keep a note of any losses or fraudulent transactions
Check this against any new orders you're unsure of. Have the customer's details, email address or card number been associated with a previous loss?

Arrange delivery through recorded or registered post
Or use a reputable carrier and, where possible, get proof of delivery. You may be asked for this information if the transaction is charged back to you.

Storing card information

Advice on secure storage of card data

Credit card details are valuable to fraudsters and are commonly sought either by accessing information systems to steal them, or manually obtaining them from receipts and statements.

If you decide to store payment card details on any of your business systems, it is your responsibility to ensure you have adequate security measures in place. Barclaycard offers the following guidance:

  • Restrict access to payment card data to only those staff who need access, and ensure that this type of information is not published internally or externally.
  • Ensure that employees who handle payment card data are aware of its importance and confidentiality.
  • Access to payment card related data could be audited and this information should be retained for a suitable period for additional security. When this period is up, you must dispose of it securely.
  • Ensure your data systems are secure from external sources via the relevant firewall protection and internally through passwords.
  • If you suspect a breach in security, from any source, report it to the card issuer as soon as possible.
  • Consider undertaking a formal security risk assessment for any system that holds or processes card payment data.
  • Ensure protection of this data falls within the terms of your own information security policies. If you do not maintain a formal policy, consider how the controls fit with BS7799, the British Standard for Information Security Management.

This list is for your guidance only. It's impossible for Barclaycard to provide an exhaustive list of security issues as these vary according to each business. Ultimately, it's your responsibility to ensure you have adequate security systems in place before you start storing card data, and that these procedures are reviewed on a regular basis.

For general enquiries

Call us on:

0844 811 6666

Monday to Friday 8am – 9pm
Saturday 8am – 7pm
Sunday 8am – 6pm

For Technical support:
Monday to Friday 8am – Midnight
Bank holidays 9am – 6pm

Or we can call you back at a time that suits you.