Costados Merchant Information Costados Merchant Information Costados Merchant Information

Costados KnowledgeBase: Basic Transaction Guidelines

Reduce the risk of encountering a counterfeit or fradulent card by being alert at the point of sale. If you know that a card is invalid, don't accept it. These simple steps can help you prevent fraud:

Step 1: Inspect the Card

When you first obtain the credit card, be sure to inspect the front of the card. Make sure the Visa account number begins with a "4," (Mastercard begins with a "5") and that the first four digits match the first four digits of the embossed account number. If so, proceed to Step 2.

If not, call the voice authorization center and request a Code 10, a procedure for suspect cards. During a Code 10 call, keep the card in your hand and follow the operator's instructions. If the operator instructs you to keep the card, do so only if you can do so by peaceful means. (If not, return the card to the customer immediately.) Cut recovered cards in half lengthwise without cutting through the magnetic stripe, the account number, or the hologram. Notify your merchant bank that the card has been recovered and ask for further instructions.

Step 2: Swipe Properly

By taking the following simple steps, you can help ensure that your terminal is in good working order and that the cards are being properly read.

How to swipe a card properly:

  • Look at the card. Hold it so the magnetic stripe (the black stripe on the back of the card) faces the reader.
  • Always swipe the card in the direction of the arrow(s) shown on the reader.
  • Never swipe a card in both directions. Swiping a card back and forth can prevent the reader from reading the stripe properly.
  • Never swipe a card through a reader at an angle. The card should be held steady and the swipe should be made straight through the reader.

Swipe the card only once, in one direction, through the terminal. The last four digits of the account number shown on the terminal or sales draft should match the last four digits of the embossed account number. If they do, go to Step 3. If they don't, make a Code 10 call as explained above.

After you swipe the card, you may get a "Call" message, which means you should call your voice authorization center. Tell the operator you are responding to a "Call" message and follow the instructions.

Step 3: Check the Signature

Check the back of the credit card while the customer is signing the sales draft. On a Visa card, the panel should have the repeated word "Visa" printed at an angle in blue, or blue and yellow, letters on a white background. Also, verify that the signature on the back of the card matches the signature on the sales draft. If the panel on the card seems suspicious, and/or the signatures do not match, make a Code 10 call.

Step 4: Check ID

If the signature panel is not signed, ask the customer to sign the receipt, then ask to see a government ID such as a driver's license or passport. When the customer signs, compare the signatures of the receipt and the ID.

If the signatures match, give the card back to the customer. You've completed the transaction successfully.

If the customer refuses to sign the card/receipt or the signatures between the card and sales draft do not match, make a Code 10 call.

Step 5: File the Sales Drafts

After you've completed the transaction, be sure to file your sales slips. Follow these additional procedures for added security:

  • Store Level:
    Sales drafts stored at an individual store location should be organized into daily, weekly, and monthly packets. You should ensure that a draft is re-filed in its original location once a copy is made. Most sales draft requests are delivered and managed via e-mail, a spreadsheet database, or fax.
  • Closeout Reports:
    After closing the business, management should review and match sales drafts to the register records to identify any missing documentation. If a document is absent, you should attempt to find it. If you cannot locate it, that may be an indication that something is wrong.
  • Audits:
    You should randomly compare sales drafts to the register records to ensure they match. This approach is a good way to identify problems associated with a specific register or sales associate. You can change the register ribbon or paper to ensure the legibility of all sales drafts. You can also address any needed training issues with your sales associates.

Guidelines for Card-Not-Present Transactions (Mail/Telephone Orders):

Ask for the card expiration date. The Visa/Mastercard Operating Regulations state that where possible, card-not-present merchants should ask customers for the card expiration, or Good Thru date. Including the date in your authorization request helps to verify that the card and transaction are legitimate. A Mail Order, Telephone Order, or Internet Order containing an invalid or missing expiration date may indicate counterfeit or other unauthorized use.

Ask for the CVC2/CVV2 number to confirm the cardholder has a genuine Mastercard/Visa. The Card Verification Code (CVC2) / Card Verification Value Service (CVV2) is a three-digit security number printed on the back of a Mastercard/Visa to help validate two things:

  1. The customer has a genuine credit card in their possession.
  2. The card account is legitimate.

Train employees to recognize suspicious orders and customer behaviour. Being able to recognize suspicious orders may be particularly important for merchants involved in mail or telephone sales, and employees should be given clear instructions on the steps to verify these transactions.

What to do if you are suspicious:

  • If you are suspicious about an order, try to verify the transaction by asking the customer for additional information. These requests should be made in a conversational tone so as not to arouse the customer's suspicions. If the customer balks or asks why the information is needed, simply say that you are trying to protect cardholders from potential fraud.

  • Ask for a Code 10 authorization. A separate phone call to the authorization center asking for a Code 10 authorization lets the center know you have concerns about a transaction. Ask for the name of the financial institution on the front of the card. Separately confirm the order with the customer. Send a note to the card billing address, rather than the "ship to" address.

Fraud Detection in a Card-Not-Present Sales Environment:

To enhance profitability in the competitive e-commerce market, your business needs a secure payment infrastructure that can handle the unique risks of card-not-present sales. There is no face-to-face contact with customers, no physical payment card to inspect for security features, and no physical signature on a sales draft to check against the card signature.

Fradulent transactions lead to lost revenue, and also to higher operational costs for your business. Furthermore, if fraud is excessive, it can affect your merchant discount rates and potentially even your ability to accept payment cards. The point is, if you do not manage fraud it will impact your profitability.

CVV2/CVC2: A New Three-Digit Value

An important new security feature for card-not-present transactions now appears on the back of most Visa and Mastercards. This new feature is a three-digit value which provides a cryptographic check of the information embossed on the card.

The CVV2/CVC2 three-digit value is printed on the signature panel on the back of Visa/Mastercards immediately following the Visa/Mastercard card account number. CVV2/CVC2 is printed only on the back of these cards, it is not contained in the magnetic stripe information, nor does it appear on sales receipts.

Fewer Chargebacks means more money for your business:

Everyone in direct marketing and e-commerce wants to see chargebacks reduced. Using the CVV2/CVC2 value can help minimize the risk of unknowingly accepting a counterfeit card or being a victim of fraud.

For transactions conducted over the Internet, you may ask cardholders for their CVV2/CVC2 online. Your website might include these elements, for example:

  • Including the CVV2/CVC2 in Authorization Requests.
  • Merchants using a CVV2/CVC2 can expect to receive a "match" or "no match" response for the card in question.
  • Authorization requests should include at least:
  1. The account number
  2. The expiration date
  3. The CVV2/CVC2 value
  4. The transaction dollar amount