Is my business protected against fraud related chargebacks?
If you have implemented Mastercard Secure Code and Verified by Visa (known as cardholder authentication) providing the process is carried out correctly, your business may be protected against fraud related chargebacks i.e. where the cardholder denies taking part. There are a number of restrictions and you can still receive chargebacks for other reasons, such as duplicated processing, goods not received and no authorisation.
Why do I sometimes have to call for an authorisation code?
Your terminal will normally provide you with an authorisation code. However, there will be occasions when the terminal will prompt you to make a voice authorisation call. This is known as a referral and has been requested by the card issuer. You should always act on this prompt and make the call.
The transaction was authorised, why have I now received a chargeback?
Even with a valid authorisation, transactions can occasionally be disputed by the cardholder or the card issuer. Chargebacks can be received for many reasons and each one has specific time-limits, rules and requirements that are set by Mastercard and Visa and influence the action we are able to take. For further information see our .
Why does authorisation not guarantee payment?
When a transaction is authorised, an authorisation code is given by the card issuer on the basis that there are sufficient funds in the cardholder’s account at the time of the request and the card has not been reported lost/stolen. Authorisation does not confirm the authenticity of the card and/or the presenter. The introduction of Chip and PIN gives comfort that the person entering the PIN should be the authorised cardholder and therefore limits your liability should the transaction be disputed. For mail and telephone order transactions, where the card and cardholder are not present, you are unable to take advantage of inbuilt security within the card, for example, chip or magnetic strip. You will be liable for the transaction if it is disputed by the authorised cardholder.
What should I do if I suspect a member of my staff has processed unauthorised refunds?
Refunds should always be made back to the card used for the original purchase, therefore a refund should generally be equal to or less than the purchase transaction it relates to. Firstly, satisfy yourself that the refunds cannot be matched to a corresponding purchase. If, after conducting an internal investigation, you identify a member of staff responsible, seek an explanation as there could be a legitimate reason. If, after speaking with your employee, you feel the matter merits Police involvement, or you are unable to identify the individual responsible but feel a fraud has been committed, you should consider reporting this to your local Police office. If you require further assistance, email us at Fraudrisk@worldpay.com where a member of the Fraud team may be able to provide guidance.
General fraud information
How can I minimise my exposure to fraud?
We recommend you:
- Always follow the prompts on your terminal
- Train your staff so they know what to look out for. Ensure that everyone taking card payments has read the customer operating instructions and understands the risks involved, especially if you accept transactions where the card and cardholder are not present (CNP). We also recommend you hold regular training sessions with all your staff to refresh their understanding.
- Follow your instinct. If something doesn’t feel right or the sale is ‘too good to be true’ then it probably is. Act on your instincts and do not proceed with the transaction. For additional information see our .
What should I do if I suspect a card is fraudulent, or being used fraudulently?
Do not proceed with the transaction or send out goods. Make a code 10 call to our authorisation centre, telephone 08457 600 500, take the second option, speak to an operator and mention you are making a code 10 call.
What is a 'Code 10' call?
A 'Code 10' call is an additional security check that is available should you become suspicious about a transaction. This can be done at any time, even if the transaction has been processed through the terminal and has been authorised. If you are suspicious about the card, the authenticity of the cardholder or something just doesn’t feel quite right, we recommend you make a 'Code 10' call to our authorisation centre on telephone no. 08457 600 500, select option two and speak to an operator. For further information see our .
Why should I keep the supervisor cards/access codes secure?
Refunding a transaction requires the use of the supervisor card/access code. Restricting access to this will reduce the likelihood of misuse. Unauthorised or fraudulent refunds will incur a financial loss to your business.
Why do I have to enter an access code/use supervisor’s card to process a refund?
When you make a refund on a card transaction, the amount of the refund is returned to the customer’s card account and a corresponding debit will be made to your nominated bank account. As a security procedure you can only process a refund by using the access code or supervisor’s card. Anyone who has access to the supervisor’s card/access code can make unauthorised refunds which will incur financial loss to your business; therefore the supervisor’s card/access code should always be kept secure to ensure no misuse takes place.
The customer wants to pay for goods using more than one card, can they do this?
No, this is known as a split transaction and against Mastercard and Visa card scheme rules. You should not allow two separate amounts on one card or two or more different cards to be used for one transaction. The general rule is one transaction, one payment.
Can I process transactions by manually keying the card details? (Known as Pan Key Entry (PKE) transactions)
Yes, but only in exceptional circumstances where the card and cardholder are present. Always follow the prompts on your terminal and never swipe the magnetic stripe of the card or PKE the card number into your terminal to avoid using the higher-level security features (such as Chip and PIN). If you are presented with a card that doesn’t have a chip and the terminal is unable to read the magnetic stripe, you can PKE the transaction into the terminal. Where the transaction is authorised you are then required to take a back-up imprint using your manual imprinter. Fully complete the voucher, including obtaining the cardholder’s signature. If you are handed a Chip card and your terminal indicates that neither the Chip nor magnetic stripe can be read, we recommend you ask for another method of payment and give the card back to the customer. For transactions where the card and customer are not present (CNP), you would PKE the card transaction details into the terminal by activating the ‘MOTO’ or mail-order button on your terminal first. You will then be prompted to enter additional security information, for example the Card Security Code (CSC) and the numerics in the cardholder billing address (known as Address Verification Service or AVS). This will help you evaluate the risk of fraud.
Why should I follow the prompts on the terminal screen?
The prompts are there to guide you and ensure you process transactions correctly. Following these prompts will help protect your business by minimising the risk of losses caused by fraud and reduce the likelihood of mistakes.
Do cards have any security features that I can check?
Yes, although cards can be produced with various designs, there are industry standard security features that are present and can be checked. If you are handed the card and have the opportunity to check the security features we recommend you do so and provided they are correct then you can accept the card for payment. For further information see our .
Why am I at greater risk when processing mail and telephone order (MOTO) transactions?
Card Not Present (CNP) transactions are considered high risk because you have no opportunity to physically check the card or meet the cardholder. Whilst the majority of transactions will be genuine this type of transaction is appealing to fraudsters whose main interest is obtaining goods that can be easily re-sold for cash. You should take extra care and consider the risks before you process CNP transactions because you will be financially liable if a transaction is confirmed as invalid or fraudulent.
If the transaction is Card Not Present (CNP) should I let the customer pick up the goods?
Be cautious of requests to pick up goods. All goods ordered by mail, telephone or internet should be delivered to the address given. If the customer later does insist on collecting the goods, they should produce the card. The original CNP transaction should then be refunded and a new ‘card present’ transaction processed. Be aware of requests for goods to be released to a third party, for example taxi drivers, messengers or friends/relatives of the cardholder, as these types of transactions are at higher risk of being associated with fraud.
Delivery to a third party address, what are the risks to my business?
This information applies to all transactions. Orders where the delivery address is different from the billing address may be legitimate (for example, when sending flowers or a birthday present) but we always recommend, where possible, you deliver to the cardholder’s billing address. Be wary of last minute changes to the delivery address and requests to send goods to hotels, guest houses or PO boxes as these are at higher risk of being associated with fraud. For mail and telephone order transactions: although there is no guarantee of payment, delivery to the cardholder’s billing address provides comfort that the genuine cardholder is receiving the goods. There is an increased risk to your business if the transaction is later confirmed as fraud as you may be held financially liable. For eCommerce transactions: if you have implemented Mastercard Secure Code and Verified by Visa (known as cardholder authentication), provided that the process is carried out correctly, your business will be protected against fraud related chargebacks, i.e. where the cardholder denies taking part. You can still receive chargebacks for other reasons, for example duplicate processing, goods not received and no authorisation.
What are AVS/CVC?
AVS (Address Verification Service) and CVC (Card Verification Code, also known as CVV, CSC or CVV2) are additional security checks available when processing transactions where the card and cardholder are not present. By following the prompts on your terminal you will be asked to key the unique three digit code on the back of the card (CVC) and the numerics from the cardholder’s billing address (AVS). This data is matched against details the card issuer holds in its database for the card. If the transaction is authorised you will receive a response at the bottom of your till receipt advising how much of the data matched. This will help you evaluate the potential risk of fraud and decide whether to continue with the transaction. It is important to understand that these checks are an additional security measure and can help you make an informed decision; they do not guarantee payment.
What should I look out for when I am completing an Address Verification Service (AVS) check?
When you process a mail or telephone order (MOTO) transaction, always activate the ‘MOTO’ or mail order button on your terminal. By following the prompts you will be asked to enter the Card Security Code (CSC) and the numerics in the cardholder billing address (known as Address Verification Service or AVS). Provided that the transaction is authorised you will receive a response at the bottom of your till receipt advising how much of the customer data matched against information held by the card issuer. It is important to always check the results as this will help you evaluate the potential risk of fraud and decide whether to continue with the transaction. It is your decision based on the results of these checks to accept or decline the transaction. Be aware that a transaction can still be authorised, even if the AVS details do not match. For further information see our .
Why is authorisation given if the Address Verification Service (AVS) check doesn't match?
The authorisation request is separate to the AVS check. If the card has not been reported lost or stolen and there are sufficient funds on the cardholder’s account to cover the transaction, authorisation may be given regardless of the result of the AVS check. The AVS confirms the numerics of the cardholder’s billing address (house/flat number and post code). You should always check the results, which will appear on the bottom of your till receipt. For further information see our .
Should I accept a CNP transaction if the Card Security Code (CSC) and Address Verification Service (AVS) checks do not match?
We pass the information entered to the card issuer for comparison with their records. The results of the comparison are then passed back to you. You can examine the results of these checks at the bottom of your till receipt. The results help you evaluate the potential risk of fraud. We recommend you do not proceed if both of these checks fail, however it is your decision, based on these results to accept or decline the transaction. You should be aware that there is an increased risk to your business if the transaction is later confirmed as fraudulent as you may be held financially liable. For further information see our Customer Operating Instructions.
In what order do I input the numerics in the customer's billing address when completing an AVS check?
The terminal will prompt you for the numerics in the postcode initially then for the other numerics in the billing address for example, house number or flat/street number. These details are passed to the card issuer for comparison against their records. The results of the comparison are then passed back to you. For further information see our .
Are there any additional checks I can make to reduce the risk of fraud when taking Card Not Present (CNP) transactions?
Apart from the Card Security Code (CSC) and Address Verification Service (AVS) checks, there are other checks you can consider making which may help to reduce the risk of fraud.
- Compare new shopper information to data you already hold i.e. has the same card or the same delivery address been used previously
- Keep records of previous fraud attempts or chargebacks and reject orders where there are matches to these records
- If possible, always try and obtain a landline number and use this to confirm the customer’s name and address by checking on public databases
- Check your records to see whether you have had a number of transactions in a short period of time from the same company, person or card number
For mail and telephone order transactions:
- Check new business customer details on an internet search engine
- Try to check new personal customer’s details using the internet. Don’t always rely on the number they have given you
- Does your phone have ‘caller ID’? Is the number for the customer the same as that already provided?
For eCommerce transactions:
- Monitor transactions and consider applying risk scoring and alerts to flag suspect activity that merits further checks. You may be able to design your own in-house system – or ask your PSP
- Look for patterns such as similarities between transactions and repeat use of the same shopper name, email address or IP address – and investigate anything suspicious
- Verify the shopper’s identity if you are suspicious. Test their contact details to see if they work – send an email and call the telephone number. You may also ask for copies of utility bills, card statements, passport or driving licence (with any sensitive details obscured)
- Establish a fraud policy setting out what should be done. If fraud is suspected, ensure that all members of your staff are trained to act
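
The CNP checks listed above (matches against earlier fraud records, repeat use of a card, email or IP address in a short period, delivery address differing from billing address, and AVS/CSC both failing) can be combined into a simple in-house score. The following is an added example, not Worldpay's or any PSP's own system; the field names, weights, time window, threshold and sample orders are all assumptions constructed for illustration, and cards are referenced by a token rather than the card number.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tuning values; the page does not prescribe any of these.
WINDOW = timedelta(hours=1)  # what counts as "a short period of time"
MAX_IN_WINDOW = 2            # earlier orders sharing a value before flagging
REVIEW_AT = 3                # score at which an order is held for manual checks

def score_orders(orders, known_bad):
    """Return {order_id: (score, reasons)}, processing orders in time order."""
    seen = defaultdict(list)  # (field, value) -> timestamps of earlier orders
    results = {}
    for o in sorted(orders, key=lambda o: o["time"]):
        hits = []
        for field, values in known_bad.items():  # earlier fraud/chargeback records
            if o[field] in values:
                hits.append((3, f"{field} matches earlier fraud record"))
        for field in ("card_token", "email", "ip"):  # repeat use in a short period
            recent = [t for t in seen[(field, o[field])] if o["time"] - t <= WINDOW]
            if len(recent) >= MAX_IN_WINDOW:
                hits.append((2, f"{field} used {len(recent) + 1} times within window"))
            seen[(field, o[field])].append(o["time"])
        if o["delivery"] != o["billing"]:
            hits.append((1, "delivery address differs from billing address"))
        if not (o["avs_match"] or o["csc_match"]):
            hits.append((3, "AVS and CSC checks both failed"))
        results[o["id"]] = (sum(p for p, _ in hits), [r for _, r in hits])
    return results

def needs_review(results):
    """Order ids whose score reaches the manual-review threshold."""
    return sorted(oid for oid, (score, _) in results.items() if score >= REVIEW_AT)

def _order(oid, minute, card, email, ip, billing, delivery, avs=True, csc=True):
    return dict(id=oid, time=datetime(2024, 1, 1, 12, minute), card_token=card,
                email=email, ip=ip, billing=billing, delivery=delivery,
                avs_match=avs, csc_match=csc)

# Constructed sample data (not real customers, addresses or IP addresses).
KNOWN_BAD = {"email": {"fraud@example.test"}, "delivery": {"12 HIGH ST|AB1 2CD"}}
SAMPLE = [
    _order("A1", 0, "tok1", "a@example.test", "198.51.100.7", "1 OAK RD|ZZ1 1ZZ", "1 OAK RD|ZZ1 1ZZ"),
    _order("A2", 5, "tok2", "b@example.test", "198.51.100.7", "2 ELM RD|ZZ2 2ZZ", "2 ELM RD|ZZ2 2ZZ"),
    _order("A3", 9, "tok3", "c@example.test", "198.51.100.7", "3 ASH RD|ZZ3 3ZZ", "9 INN LN|ZZ9 9ZZ"),
    _order("A4", 30, "tok4", "d@example.test", "203.0.113.9", "4 FIR RD|ZZ4 4ZZ", "4 FIR RD|ZZ4 4ZZ", avs=False, csc=False),
    _order("A5", 45, "tok5", "e@example.test", "192.0.2.4", "5 YEW RD|ZZ5 5ZZ", "12 HIGH ST|AB1 2CD"),
]

if __name__ == "__main__":
    for oid, (score, reasons) in score_orders(SAMPLE, KNOWN_BAD).items():
        print(oid, score, "; ".join(reasons) or "no flags")
```

A flagged order is a prompt for the further checks described above, not an automatic decline; the decision to accept or decline remains with the merchant.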
Mastercard secure code
How do I check that I have Mastercard Secure Code and Verified by Visa set up on my website before I go live?
This should be set up as standard by your Payment Service Provider (PSP) but you can check by contacting the customer services team of your PSP and ask them to verify this.
How does Mastercard Secure Code and Verified by Visa work?
Does Mastercard Secure Code/Verified by Visa (known as cardholder authentication) protect me from all chargebacks?
No, cardholder authentication will only protect you from certain fraud related chargebacks, i.e. when a cardholder denies they made the purchase. Chargebacks can still be received on authenticated transactions for other reasons, for example no authorisation, duplicate processing, goods not received and faulty goods.