Automatic Merchant Fraud Protection With the Fast Charge Payment Gateway
In addition to the merchant-initiated protection mechanisms described in this section, several automatic features have been incorporated into the Merchant Fraud Protection module to block out customers exhibiting suspicious buying behaviors, including:
A feature to block a credit card that is submitted and declined twice within 24 hours using different expiration dates.
A feature to check City and State entries for validity against the zip code entered.
A feature to check area codes for validity against the zip code entered.
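One way to implement the first automatic rule above (two declines within 24 hours under different expiration dates), as an added example that is not the payment gateway's own code. The class and function names, the HMAC key and the sample attempts are constructed for illustration, and attempts are assumed to arrive in chronological order.

```python
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)
HMAC_KEY = b"constructed-demo-key"  # assumption: a per-deployment secret


def card_token(pan):
    """Keyed hash of the card number so the raw number is never stored."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return hmac.new(HMAC_KEY, digits.encode(), hashlib.sha256).hexdigest()


def normalize_expiry(expiry):
    """Turn 'MM/YY' (or 'M/YY') into a comparable (month, year) tuple."""
    month, year = expiry.strip().split("/")
    return int(month), int(year) % 100


class DeclineVelocityRule:
    """Hypothetical rule engine: block a card declined twice within the
    window when the two declines carried different expiration dates."""

    def __init__(self, window=WINDOW):
        self.window = window
        self.declines = defaultdict(list)  # token -> [(time, expiry), ...]
        self.blocked = set()

    def record(self, pan, expiry, declined, when):
        """Record one authorization result; return True if the card is blocked."""
        token = card_token(pan)
        if token in self.blocked:
            return True
        if not declined:
            return False
        # Keep only declines that still fall inside the 24-hour window.
        recent = [(t, e) for t, e in self.declines[token]
                  if when - t <= self.window]
        recent.append((when, normalize_expiry(expiry)))
        self.declines[token] = recent
        # Repeated declines with the SAME expiry (e.g. insufficient funds)
        # do not trip the rule; a changed expiry suggests guessing.
        if len({e for _, e in recent}) >= 2:
            self.blocked.add(token)
            return True
        return False


def run_sample():
    """Replay constructed attempts (well-known test card numbers)."""
    t0 = datetime(2012, 6, 1, 10, 0)
    attempts = [
        ("4111 1111 1111 1111", "05/14", True, t0),
        ("4111111111111111", "06/14", True, t0 + timedelta(minutes=5)),
        ("4111111111111111", "05/14", False, t0 + timedelta(minutes=9)),
        ("5555555555554444", "01/15", True, t0),
        ("5555555555554444", "1/15", True, t0 + timedelta(minutes=30)),
        ("4012888888881881", "03/13", True, t0),
        ("4012888888881881", "04/13", True, t0 + timedelta(hours=25)),
    ]
    rule = DeclineVelocityRule()
    return [rule.record(*a) for a in attempts]


if __name__ == "__main__":
    print(run_sample())
```

Only the first card is blocked: the second card repeats the same expiration date, and the third card's declines are more than 24 hours apart.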
SSL Technology
Secure Sockets Layer (SSL) technology, developed by Netscape Communications Corporation, is the industry-standard method for protecting web communications.
The SSL security protocol provides data encryption, server authentication, message integrity, and optional client authentication for a TCP/IP connection. Because SSL is built into all major browsers and web servers, simply installing a digital certificate turns on their SSL capabilities.
SSL comes in two strengths, 40-bit and 128-bit, which refer to the length of the “session key” generated by every encrypted transaction. The longer the key, the more difficult it is to break the encryption code.
Most browsers support 40-bit SSL sessions, and the latest browsers, including Netscape Communicator 4.0, enable users to encrypt transactions in 128-bit sessions – trillions of times stronger than 40-bit sessions.
The Address Verification Service (AVS) is a system designed by credit card and bankcard processors to aid in the detection of suspicious credit card transaction activity. AVS matches billing address information provided by the cardholder with the cardholder’s billing address on file at the credit card issuing bank. The processing network then sends an AVS response code indicating the results of the match to the payment gateway. The AVS response code can be found in the payment gateway transaction response as well as on the Transaction Detail page. Based on your AVS rejection settings, the transaction is accepted or rejected. Transactions that are rejected will display a transaction status of Declined (AVS Mismatch) on the Transaction Detail page.
The following chart explains all the different response codes a processing bank may return:
When Square Inc. launched its mobile card reader in 2009, VeriFone Systems Inc. was on its heels with PayWare Mobile. Now the terminal maker’s ready to roll out another rival to Square with a product it calls Sail.
Whereas VeriFone designed PayWare Mobile for use off the shelf, it designed Sail for small businesses with technical savvy. It plans to offer Sail with open-source software that developers can adapt to work with merchants’ inventory software.
Merchants also may use Sail as is, just like VeriFone’s earlier product. Square similarly designed its product for merchant use right out of the box.
Developers will be able to register with San Jose, Calif.-based VeriFone to receive programming interface tools. By the end of the year, Sail will work with several different advertising platforms and smartphone apps.
“Square did a great job in showing everyone there is a micromerchant market,” says Greg Cohen, senior vice president and general manager with the SMB Commerce group at VeriFone. “But Square only works with Square [software]; … ours is open to develop other applications on top of it, or inside our application.”
Other payment companies, such as PayPal and the major card brands, offer developers toolkits to better integrate their payment products.
VeriFone is “playing catch-up baseball in a market that is now crowded by Square, PayPal” and others, says Brian Riley, a senior research director in the bank cards practice at CEB TowerGroup. “It’s a play that they have to make, and they are definitely making it late in the game.”
Since Square’s launch, VeriFone has criticized the rival product. Its most blatant broadside was a website it made dedicated to the idea that Square’s reader could be adapted to work as a skimming device. Square endured the attack and reportedly has worked to improve its device’s security.
Sail is the first product to come out of VeriFone’s roughly five-month-old SMB Commerce group. Cohen joined VeriFone about six weeks ago.
VeriFone has a better shot at success with Sail than with PayWare Mobile, says Rick Oglesby, a senior analyst at Aite Group.
“Their previous strategy was to work with traditional merchant acquirers who weren’t focused at targeting micromerchants, so there was a bit of a mismatch between the product and the channel,” he says. “This is a step forward because they are now matching their products and their channels.”
Most chargeback situations arise at the point of transaction – at the time the transaction is completed – and most can be prevented with a little training. Point-of-sale staff (and in some cases, order-takers for card-not-present transactions) may find these tips helpful in avoiding potential chargebacks.
Declined Authorization – Do not complete a transaction if the authorization request was declined. Do not repeat the authorization request after receiving a decline.
Referrals – In response to an authorization request you may receive a “Call” message. Call your authorization center and tell them you received a “Call” message. Be prepared to answer questions. The operator may ask to speak with the cardholder. If approved, write the authorization code on the sales receipt. If declined, ask the cardholder for another Visa card.
Card Imprint for Card-Present Transactions – If you have a point-of-sale terminal with a magnetic-stripe reader, swipe the card through the reader for every face-to-face transaction. If the terminal isn’t working or a card’s magnetic stripe cannot be read, key-enter the account information and make an imprint of the embossed information onto the sales receipt using a manual imprinter. Even if the transaction is authorized and the cardholder signs the receipt, if the receipt does not have an imprint of the embossed account number and expiration date, the transaction may be charged back to you for “no imprint” if the cardholder later denies participating in the transaction.
Cardholder Signature – The cardholder’s signature on card-present transactions is required. Failure to obtain the cardholder’s signature could result in a chargeback for “no signature” if the cardholder denies authorizing or participating in the transaction.
Digitized Cardholder Signature – Some Visa cards have a digitized cardholder signature on the front of the card for easier viewing; however, these cards also have a signature panel on the back of the card. Sales staff must always compare the customer’s signature on the sales receipt with the hand-written signature in the signature panel on the card.
Legibility – Ensure that the transaction information on the sales receipt is complete, accurate, and legible before completing the transaction. An illegible receipt, or a receipt which produces an illegible copy, may be returned because it cannot be processed properly. The growing use of electronic scanning devices for the electronic transmission of copies of sales receipts makes it imperative that the item being scanned be very legible.
Change Point-of-Sale Printer Cartridge – Change the point-of-sale printer cartridge routinely; faded, barely visible ink on sales receipts is the #1 cause of illegible receipt copies.
Change Point-of-Sale Printer Paper – Change the point-of-sale printer paper when the colored streak first appears. The colored streak down the center or the edges of printer paper indicates the end of the paper roll and diminishes the legibility of transaction information.
Keep White Copy of Sales Receipt – Keep the white copy of the sales receipt – give customers the colored copy. Colored paper does not copy as clearly as white paper and often results in illegible copies.
Carbonless Paper Sales Receipts – Handle carbonless paper and carbon / silver-back sales receipt paper carefully. Silver-back paper appears black when copied. Any pressure on carbonless and carbon-back paper during handling and storage causes black blotches, making copies illegible.
One Imprint per Transaction – Make only one imprint of the card for each transaction. Making more than one imprint can lead to duplicate deposits and increase the chance for a chargeback. If you need to redo a sales receipt because of an error, write “VOID” across the incorrect sales receipt, inform the cardholder, and tear up the incorrect sales receipt in view of the customer.
One Entry for Each Transaction – Ensure that transactions are entered into point-of-sale terminals only once – and deposited only once. Entering the same transaction into a terminal more than once, or depositing both the merchant copy and the bank copy of the sales receipt with your merchant bank, or depositing the same transaction with more than one merchant bank can all result in “duplicate transaction” chargebacks.
Duplicate Sales Receipts and Voiding Incorrect Sales Receipts – Ensure that incorrect sales receipts are voided and that transactions are processed only once.
Disclosing Refund/Return/Service Cancellation Policy – If your establishment has policies regarding merchandise returns, refunds, or service cancellation, disclose these policies to the cardholder at the time of the transaction. Your policy should be pre-printed on your sales receipts; if not, write or stamp your refund/return policy information on the sales receipt near the customer signature before the customer signs (be sure the policy shows clearly on all copies of the sales receipt). Failure to disclose such policies at the time of the transaction will be to your disadvantage should the customer return the merchandise.
Depositing Sales Receipts – It is always to your advantage to deposit transactions promptly. Deposit sales receipts with your merchant bank as quickly as possible, preferably within one to five days of the transaction date – do not hold on to them. Failure to deposit in a timely manner can result in chargebacks for “late presentment.”
Timely Deposit of Credit Transactions – Deposit credit receipts with your merchant bank as quickly as possible, preferably the same day as the credit transaction is generated. Failure to process credits in a timely manner can result in chargebacks for “credit not issued.”
Responding to Copy Requests – If your establishment stores sales receipts, always respond to a request for a copy of a sales receipt in a timely manner. Send a legible copy of the requested receipt or receipt substitute to your merchant bank. Failure to respond, or failure to respond within the specified time frame, almost always leads to a chargeback for “non-fulfillment of a copy request” for which generally there is no remedy.
Microfilming Sales Receipts – If your establishment microfilms sales receipts, make copies from the microfilm at the same size as the original receipt – reduced images result in blurred and illegible copies and could result in “illegible copy” chargebacks.
Company Logo Position on Sales Receipts – Owners or their marketing staff should position the company’s logo or marketing messages on sales receipts away from transaction information – your company name, logo or marketing message printed across the face of sales receipts can make copies illegible and cause you to receive “illegible copy” chargebacks.
Requests for Cancellation of Recurring Transactions – If a customer requests cancellation of a transaction which is billed periodically (monthly, quarterly, annually), always respond to the request and cancel the transaction immediately or as specified by the customer. As a customer service, advise the customer in writing that the service, subscription, or membership has been cancelled and state the effective date of the cancellation. Failure to respond to customer cancellation requests almost always leads to chargebacks.
Customer Service – Keeping customers informed on the status of their transactions is key to good customer service and to your profitability.
– Delayed Delivery – If the merchandise or service to be provided to the cardholder will be delayed, advise the cardholder in writing of the delay and the new expected delivery or service date. Not only is this good customer service, but it also may help avoid a chargeback for “merchandise not received” or “service not performed.”
– Item Out of Stock – If the merchandise ordered by the cardholder is out of stock and delivery will be delayed or this item is no longer available, advise the cardholder in writing and offer the cardholder the option of purchasing a similar item or canceling the transaction. Do not substitute another item unless the customer agrees to accept it. By giving the customer notice and the option to cancel, you may help avoid a customer dispute regarding the merchandise and a possible chargeback for “merchandise not as described,” or “merchandise never received.”
Ship Merchandise Before Depositing Transaction – Don’t deposit transactions with your merchant bank until you have shipped the related merchandise. If customers see a transaction on their monthly Visa statement before they receive the merchandise, it could lead to a preventable chargeback for “merchandise never received.”
Recognizable Merchant Name – It is very important that your customers are able to recognize transactions made at your establishment on their monthly Visa statements. When cardholders don’t recognize transactions, they typically call their card issuer to question or dispute the item. The card issuer may then request a copy of the transaction to aid the customer in identifying it. Sometimes these questions lead to chargebacks. To ensure that your establishment’s name is recognizable to your customers, consider taking the following steps:
– Ask your merchant bank to show you how your name appears in the settlement record (this is the way your name will be passed through the processing system to the card issuer for posting to the cardholder’s Visa statement). If it is incorrect or potentially misleading to customers, ask your merchant bank to correct it.
– Verify that the name your merchant bank shows for you is the same as the name you show on the receipts you give your customers. (Generally, the name used for settlement should be the name you use for your business signage.)
– Double check your establishment name by purchasing an item in each of your outlets on your Visa card and check the merchant name and location on your monthly Visa statement – will your customers recognize transactions made at your establishment?
Penn Station Inc. has confirmed that 43 of its 235 U.S. restaurants may have been affected by a payments breach that exposed credit and debit details.
In a June 1 statement and list of frequently asked questions posted on Penn Station’s corporate website, the restaurant chain identifies franchise locations in Illinois, Indiana, Kentucky, West Virginia, Michigan, Missouri, Ohio, Pennsylvania and Tennessee that may have been affected by the attack.
Details about the breach are vague; exactly how the card details were exposed is unclear.
Penn Station President Craig Dunaway says Penn Station learned of the breach after a customer called to report that his card had been compromised shortly after dining at one of Penn Station’s franchised locations. From there, Dunaway says Penn Station contacted its processor, Heartland Payment Systems.
“We’ve been working with Heartland to address the issue,” Dunaway says. “The key is to work with the Secret Service and get down to the bottom of what happened.”
Dunaway says he does not know the nature of the breach, and could not say if the card compromises resulted from tampered-with POS devices or a network hack.
But industry experts suggest the breach is likely linked to either a processing hack or a point-of-sale scheme similar to the one discovered by the Michaels crafts store chain in May 2011.
Penn Station suspects the compromise dates back to March, based on a preliminary investigation, according to its FAQ posting. Debit and credit cards used during March and April may have been exposed.
“Upon learning of the possibility of unauthorized access to credit and debit card information, all of the individual owners of the Penn Station restaurants changed the method for processing credit and debit card transactions,” the FAQ states.
The investigation is ongoing, and Penn Station says it expects to update its list of affected locations if more are identified.
Penn Station says only account holder names and card numbers were breached. Whether PINs or card verification codes were part of that information has not been clarified.
What Type of Scheme?
Experts can only speculate, but Gartner analyst Avivah Litan says the scenario sounds like a POS-device swapping scheme – a scam that involves fraudsters physically swapping or trading a merchant’s POS device and/or PIN pad with a device manipulated to skim card and PIN details.
“It sounds a lot like Michaels,” Litan says. “Maybe they only hit 20 percent of the locations because Penn Station caught it early.”
John Buzzard, who monitors card fraud for FICO’s Card Alert Service, also says the breach sounds like a POS-device attack of some sort, but he says it’s too early to determine how those devices might have been targeted.
“It’s possible that a simple default admin password was never changed for the POS system at the affected locations,” he says.
Jason Malo, a research director at CEB TowerGroup who covers security and fraud, says the breach seems localized, and organized. “I don’t think it’s not a network breach,” he says. “By listing the stores that were affected, there’s a point-of-sale aspect to it, and that automatically makes you think there’s something that happened with the devices.”
Because only some locations in certain geographic markets were hit, Malo says the breach likely involved an organized effort coordinated among numerous players.
But Aite analyst Julie McNelley believes the compromise is more likely linked to a network hack, referencing Penn Station’s note about updating its payments processing procedures.
“This just further highlights how vulnerable merchants are and highlights the importance of upgrading to more current data security standards, such as tokenization and end-to-end encryption,” she says.
The Point of Compromise
Most breaches at merchant locations are reported by card-issuing banks to Visa and MasterCard, Litan says. After a number of fraud reports come in to the card brands, they trace the fraud back to identify the point of compromise.
But Litan says fraudsters have learned to expand their windows of compromise by only using cards from one or two card issuers at a time. “When only one or two banks report fraud, it takes longer for Visa and MasterCard to link the fraud to a larger compromise,” she says.
The Penn Station breach appears to have been detected relatively quickly. In the Michaels case, the exposure was traced back to December 2010, more than five months before the breach was discovered. In all, 90 individual PIN pads at stores in 20 states were identified as being sources of the Michaels breach.