Avoid credit card fraud—
take precautions, be alert

For years, thieves have been refining the techniques and technology needed to steal credit cards and data, make phony cards, alter existing cards or otherwise scam retailers into fraudulent charges.

If you accept credit cards, you must learn strategies to prevent thieves from making you their victim. The information below will help you and your employees spot credit card fraud.

The familiar diplomatic expression “trust but verify” also applies to credit card acceptance. Most customers will understand why you are being careful and will appreciate your concern for security.

Spotting fakes
The major credit card companies have designed their cards with security in mind, adding holograms, black-light sensitive areas and tamper-resistant signature panels.

But thieves know many ways to alter or counterfeit cards. If retailers do not make use of the cards’ security features, these features cannot serve their purpose.

Always ask customers to remove the card from their wallet. Hold onto it throughout the transaction. Note how the card feels, then take a closer look.

Do the magnetic strip, signature panel and hologram look and feel like those of other cards? Those who handle credit cards regularly can often spot altered or fake cards when they take the time to look and feel.

Follow the steps provided at the end of this article with every card transaction.

Although you can ask cardholders for identification, such as a driver license, to verify their identity, card issuers prohibit businesses from requiring additional identification to accept the transaction unless the signature panel says “Check ID.”

Swiping problems
When a card won’t swipe and the account number is entered by hand, the transaction is riskier, because the authorization system is not using the information encoded in the magnetic stripe. Usually, the problem is simply that the card has become demagnetized or the equipment needs cleaning.

The biggest concern, though, is that the card may be counterfeit (sometimes called “cloned”). A cloned card often has a magnetic stripe that doesn’t swipe.

Note that MasterCard now issues unembossed cards. They work exactly like other cards but are intended only for electronic use.

Unembossed cards should not be accepted if they will not swipe—without the embossed numbers you cannot make a manual imprint to prove that the card was present. Ask for another form of payment, or at least be aware that you are fully liable for the transaction in the case of a chargeback or fraud.

Since you cannot know why a card fails to swipe, it is best to treat all hand-keyed transactions with extra caution. Use the guide at the end of this article for transactions in which the card won’t swipe.

Card not present
Transactions in which the card is not present—mail, telephone or Internet orders—are the riskiest, because the card’s safety features aren’t available. Before doing significant transactions of this type, call MRA to discuss ways to minimize credit card fraud.

On a mail or phone order paid with a credit card, the retailer holds 100-percent liability for that charge. The retailer could lose both merchandise and payment.

If you encounter phone-order situations only occasionally, proceed with extreme caution. Smooth-talking “customers” have fooled many merchants into accepting a card number in what seemed at the time like a safe transaction that later turned out to be fraudulent.

To avoid falling victim to phone-order fraud, watch for the following red flags (some will apply better than others to your type of business):
• Does the customer order multiples of an item without asking any information about them?
• Does the customer try multiple credit card numbers for billing?
• Is the customer unwilling to provide a U.S. or Canadian telephone number and/or billing address associated with the account number?
• Is the customer impatient when you ask him or her to wait or hold while you run a verification process? Or does he or she provide a reason why the transaction cannot wait even a few minutes.

Security checks
For any card-not-present transaction (mail, phone or Internet), merchants should take advantage of two verification systems that improve the odds that an account number is valid: Address Verification (AVS) and the Card Security Code.

With both systems, the merchant enters information from the customer during the verification process to further verify that the account number is valid. Neither system is perfect, but they can identify stolen account numbers.

The Address Verification System (AVS) checks the billing address of the credit card provided by the customer with the address on file at the bank that issued the card.

AVS verifies the numeric portions of a cardholder’s billing address. For example, if the address is 101 Main Street, Highland, CA 92346, AVS will check 101 and 92346.

If the billing address provided by the customer and the card address on file do not match, you will receive a response code indicating this during transaction processing. You can then choose to either deny or proceed with the transaction.

AVS works with all major cards in the U.S., Canada and the United Kingdom.

The Card Security Code (CSC) goes by many names, including Card Verification Code (CVC2), CVV2, CID or simply the 3-digit Code. It is a 3-digit number (4 digits for American Express) printed on the card or signature strip, but not part of the embossed number and not encoded on the magnetic stripe.

As with AVS, merchants enter this code and receive a response code during transaction processing. Those who use this system should understand the response codes and have a policy for how to proceed with each.

It is illegal for merchants to retain or store this code in their records after the transaction is completed, because the number is intended as proof that the person presenting the account number is holding the card.

For more information on both of these security features, contact MRA or visit one of the following websites:
• usa.visa.com/merchants/ (click on “Fraud Control Basics”)
• www.mastercard.com/us/merchant/security/

When you suspect fraud
If you ever have a sales transaction where you suspect fraud, call your merchant processor’s voice authorization center and wait for an operator to explain that you have a “Code 10.” (Call 800.563.5981 if MRA is your processor.)

Also use a code word or phrase to inform store management that a fraudulent transaction is in progress and that police should be called. Some security experts recommend developing your own in-store code known only to employees and management.

Explain to the customer: “The bank won’t accept this as payment.” This response avoids calling the card fraudulent or the customer a suspect. It also focuses responsibility for card authorization on an outside authority.

Always think safety first. Confiscate the fake or stolen credit card if possible, but don’t endanger yourself or others in the process.

Don’t attempt to physically restrain or stop perpetrators from leaving the store. Note their physical appearance, including a clothing description, the kind of merchandise they attempted to purchase and the vehicle used to flee the scene.

Even if you suspect that a transaction was fraudulent after it has occurred and the customer has left or hung up, call your merchant processor during regular business hours to report it. By calling to report the fraud or potential fraud after the fact, you may help identify a card number as suspect, as well as learn more about avoiding fraud.

Debit cards
Because customers must enter a PIN number to use their debit card, debit transactions are less susceptible to fraud than credit card purchases. However, if you process debit cards in the same way as credit cards, without having customers enter a PIN number, your liability is the same as for credit card transactions.

If a customer’s debit card is refused, do not accept a check as an alternate method of payment, since the money comes from the same account and the check is likely to bounce.

Preventive measures
• Install black lights. Fluorescent-tube ultraviolet lights—installed in the checkout area, out of the customer’s view—are an inexpensive and easy way to verify the authenticity of credit cards. Driver licenses, currency and travelers’ checks also have ultraviolet-sensitive areas and can be tested with black lights.

• Reward employees: Employees must follow an extensive checklist of precautions to ensure that the credit card transaction is legitimate. Incentives that reward employees who stop a fraudulent transaction can motivate them to thoroughly check credentials.

Some stores offer their workers a reward equal to the averted chargeback costs or a percentage of the merchandise value.

• Inform customers. Tell them why you need to check the credit card and signature. As you deliver service with a smile, stress that careful attention to details protects their credit.