How do card transactions work?
In this video, you will find out about:
- the card ecosystem and authorization flow;
- possible transaction types;
How to start accepting payment cards?
In this video, you will learn about:
- available card acceptance solutions;
- how to obtain the terminal and how to quickly set it up;
- where to get technical support.
Online card acceptance
In this video, you will get information about:
- what is online card acceptance;
- what are the benefits of online acceptance;
- how do online payments work;
- what are the requirements for online merchant;
- how can the risk be minimized in online environment.
What is chargeback?
In this video, you will get to know about the chargebacks – the process, timeframe, responsibilities, and solutions to avoid them.
What is card fraud?
This will explain the key things about fraud:
- what to do in case of suspected fraud;
- how to minimize it.
What does a merchant need to do to be compliant?
This video will explain:
- what are the main responsibilities of the merchant
- how to ensure compliance with rules of the international card organizations and the bank.
What is the PCI DSS?
With this video, you will understand:
- what is the Payment Card Industry Data Security Standard (PCI DSS);
- how card data can be stolen;
- what are the consequences of the merchant not following the PCI DSS rules;
- what can a merchant do to comply with the PCI DSS.
The Payment Card Industry Security Standards Council (PCI SSC) was established by the leading international card organisations Visa, Mastercard, Amex, Diners, Discover and JCB. The PCI SSC worked out the PCI DSS rules and documents to regulate and define card security principles and policies. The payment security guidance must be applied by all entities (including banks, merchants and payment processors) that store, process or transmit cardholder data. These rules set the technical and operational requirements for organisations accepting or processing payment transactions.
Please see the latest version of requirements and standards here
All merchants that store, process or transmit cardholder data must be PCI DSS compliant.
What are the card data and sensitive authentication data elements?
Card data and sensitive authentication data elements:
| Data Element | Storage Permitted | Render Stored Data Unreadable |
| --- | --- | --- |
| Cardholder Data | | |
| Primary Account Number (PAN) | Yes | Yes |
| Cardholder Name | Yes | No |
| Service Code | Yes | No |
| Expiration Date | Yes | No |
| Sensitive Authentication Data | | |
| Full Track Data | No | Prohibited |
| CVV2/CVC2 | No | Prohibited |
| PIN/PIN Block | No | Prohibited |
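As an added illustration (not code from this page or the bank), the table above applied to an authorization record in Python: sensitive authentication data is dropped, the PAN is rendered unreadable, and a stored record can be audited for anything that should not be there. The field names, the HMAC key and the last-four-plus-keyed-hash format are assumptions of this example.

```python
import hashlib, hmac, re

# Sensitive authentication data (SAD) from the table above: never kept after authorization.
SAD = {"full_track_data", "cvv2", "pin", "pin_block"}
HASH_KEY = b"demo-only-key"  # assumption: a real key lives in an HSM or secrets store

def luhn_ok(digits: str) -> bool:
    """Luhn check digit test, used to tell a real PAN from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def sanitize_for_storage(record: dict) -> dict:
    """Authorization record as it may be written to disk: SAD dropped, PAN replaced
    by its last four digits plus a keyed one-way hash (HMAC-SHA256, this example's choice)."""
    out = {}
    for field, value in record.items():
        if field in SAD:
            continue  # prohibited: not kept even in encrypted form
        if field == "pan":
            digits = re.sub(r"\D", "", value)
            if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
                raise ValueError("not a valid PAN")
            out["pan_last4"] = digits[-4:]
            out["pan_hmac"] = hmac.new(HASH_KEY, digits.encode(), hashlib.sha256).hexdigest()
        else:
            out[field] = value  # name, expiry, service code and order fields stay readable
    return out

def find_sad_leaks(stored: dict) -> list:
    """Audit a stored record: SAD fields, or a clear-text PAN hiding in any field."""
    leaks = []
    for field, value in stored.items():
        if field in SAD:
            leaks.append(field)
        elif field != "pan_hmac":  # the hash is a derived value, not a PAN
            runs = re.findall(r"\d{13,19}", re.sub(r"[ -]", "", str(value)))
            if any(luhn_ok(run) for run in runs):
                leaks.append(field)
    return leaks

# Constructed sample authorization message (well-known test PAN, not a real card).
AUTH_MESSAGE = {
    "order_id": "A-1001", "pan": "4111 1111 1111 1111", "cardholder_name": "J. Doe",
    "expiration_date": "12/27", "service_code": "201", "cvv2": "123",
    "full_track_data": "%B4111111111111111^DOE/J^2712201?",
}
```

Running find_sad_leaks over the raw message flags the PAN, CVV2 and track data; over the sanitized record it returns nothing.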
How to ensure compliance with PCI DSS requirements?
How to be sure that you are compliant with PCI DSS requirements?
The bank informs merchants once a year what action must be taken to comply with PCI DSS. The requirements are presented in the table below.
Merchants are categorised into four levels based on the annual number of card payment transactions for one card brand (i.e. Mastercard, VISA, Amex etc.). Level 1 to Level 3 merchants are required to report their compliance status, and Level 4 merchants are required to report the completed SAQ directly to their acquiring bank.
| Merchant level | Merchant transaction criteria | Required actions from merchants | Frequency |
| --- | --- | --- | --- |
| Level 1 | Merchants with 6 million or more annual transactions in total for Mastercard or VISA | External security audit by a Qualified Security Assessor (QSA) | once per year |
| | | Network scan conducted by an Approved Scanning Vendor (ASV) or Qualified Security Assessor (QSA) | once per quarter |
| Level 2 | Merchants with 1 to 6 million annual transactions in total for Mastercard or VISA | Assessment by a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA) | once per year |
| | | Network scan conducted by an Approved Scanning Vendor (ASV) or Qualified Security Assessor (QSA) | once per quarter |
| Level 3 | E-commerce merchants with 20 000 to 1 million annual transactions in total for Mastercard or VISA | Completing the annual self-assessment questionnaire (SAQ) required by the bank | once per year |
| | | Network scan conducted by an Approved Scanning Vendor (ASV) or Qualified Security Assessor (QSA) | once per quarter |
| Level 4 | All other merchants | Annual self-assessment (SAQ) at the merchant's discretion | Recommended once per quarter |
| | | Network scan conducted by an Approved Scanning Vendor (ASV) or Qualified Security Assessor (QSA) | Recommended once per year |
Keep in mind that you will need to perform:
- A security audit, carried out by a certified auditor acting as a Qualified Security Assessor (QSA) from one of the legal entities listed on the official PCI DSS website.
- Network scanning, carried out by a qualified network scanning vendor acting as an Approved Scanning Vendor (ASV) or a Qualified Security Assessor (QSA). An ASV can conduct the scanning procedure for physical and online merchants but has no right to perform annual audits.
- An internal audit, during which the questions of the SAQ (Self-Assessment Questionnaire) have to be answered. The content of the questionnaire depends on the technical solution used.
What are the requirements and objectives of PCI DSS?
PCI DSS requirements and goals
The 12 requirements and goals in the table below will help you understand which important actions must be performed to be compliant with the PCI DSS rules.
| Goals | PCI DSS Requirements |
| --- | --- |
| Build and maintain a secure network and systems | 1. Install and maintain a firewall configuration to protect cardholder data. |
| | 2. Do not use vendor-supplied defaults for system passwords and other security parameters. |
| Protect cardholder data | 3. Protect stored cardholder data. |
| | 4. Encrypt transmission of cardholder data across open, public networks. |
| Maintain a vulnerability management program | 5. Protect all systems against malware and regularly update anti-virus software or programs. |
| | 6. Develop and maintain secure systems and applications. |
| Implement strong access control measures | 7. Restrict access to cardholder data by business need-to-know. |
| | 8. Identify and authenticate access to system components. |
| | 9. Restrict physical access to cardholder data. |
| Regularly monitor and test networks | 10. Track and monitor all access to network resources and cardholder data. |
| | 11. Regularly test security systems and processes. |
| Maintain an information security policy | 12. Maintain a policy that addresses information security for all personnel. |
For more information please visit https://www.pcisecuritystandards.org/
Cardholders have the right to dispute any card transaction processed on a Mastercard or Visa card. Such disputes are resolved as chargebacks and are governed by a series of rules set forth by the international card organizations. In the chargeback process, the burden of proof lies with the merchant who is given the opportunity to provide supporting documentation to prove the legitimacy of the transaction. If the merchant is successful, the value of the transaction is credited back to their account. If the merchant is unsuccessful or does not respond in a timely fashion, they are held financially responsible for returning funds to the consumer who filed the complaint.
What are the most common Chargeback reasons?
Common reasons for chargebacks include:
- the cardholder did not perform the transaction (frequently an indication of fraud);
- cancelled recurring transaction;
- goods not as described;
- goods faulty or defective;
- failure to respond to voucher requests.
Chargebacks may also be made for other reasons, including goods or services not having been received.
How to avoid Chargebacks?
Tips on dealing with chargebacks:
- In order to prevent undelivered product claims it is highly recommended to use a delivery service that offers delivery confirmation.
- In order to prevent broken merchandise claims during shipping, always purchase shipping insurance if your items are fragile. Make sure you clearly document the timeframe in which such claims will be processed.
- There are two ways of handling claims concerning merchandise breakage not caused by shipping: have the customer contact the manufacturer directly if the item is under warranty or ask the customer to ship the item back to you. Make sure your returns policy is very clear about the timeframe and the returned merchandise authorisation process.
- If the customer claims they never ordered the product, make sure you have clear documentation of their order.
- Whenever possible, handle communication via e-mail, as that way you will have a precise record of all conversations.
- The requirement is to have terms and conditions clearly presented on the website where the online services are provided. The Consumer Protection Regulations set out the information that must be provided to customers prior to entering into an agreement. The regulations apply to anyone who supplies goods or services under a distance contract; you cannot opt out of them.
- The information must be provided in a clear and comprehensible manner appropriate to the means of distance communication used. The information you need to provide includes specific details of the goods or services in question, their price (including VAT and other taxes) and delivery charges, as well as the details of customers' cancellation rights. You also need to include the full contact details of your business.
- If the goods or services ordered by the customer are likely to be unavailable, you must inform them if you wish to provide substitute goods or services of equivalent quality and price.
Merchants face various risks when accepting card transactions. This information has been put together to help you understand the types of risk you face and the steps to take in order to reduce the risk of loss. One of the greatest risks to merchants is that of fraudulent transactions. If you are not careful, fraud could cost your business dearly. Some types of merchants - depending on the type of goods sold - are more vulnerable to fraudulent transactions than others. Merchants should be aware that they may be targeted.
It is essential to understand the term "authorisation" - what it does and does not mean.
What does “authorization” mean?
What authorisation does mean:
- The account number is valid
- The card has not been reported as lost or stolen (although it may still be lost, stolen or compromised, i.e. the card details may have been unduly obtained or copied, and the card owner may be unaware of this)
- There are sufficient funds available to cover the transaction
What does “authorization” not mean?
What authorisation does not mean:
- Authorisation does not confirm that the person providing the card number is the legitimate cardholder - the risk remains that the person providing the number has either stolen or unduly obtained the card
- There is also a risk of the purchaser having unduly obtained the card number without being in possession of the card
Although it is important to obtain authorisation for each transaction, this alone does not protect you against the risk of fraud or chargeback. These risks remain even if authorisation has been obtained.
Which products sold by e-shops are most exposed to the risk of fraud?
Due to their high value and suitability for resale, the following types of goods are frequently targeted by fraudsters:
- Electronics
- Household appliances
- Jewellery
- Computers
- Furniture
- Goods easily sold for cash
If you trade in any of these goods, be extremely careful before handing over/shipping items. Make sure you take all possible steps to confirm that the purchaser is the actual cardholder.
Examples of transactions that warrant extra precaution
The following are indications of potentially suspicious transactions. Often it is the existence of more than one indication that suggests a potentially fraudulent activity.
- First-time shopper - Criminals are always looking for new merchants to steal from
- Larger-than-normal orders - Because stolen cards and account numbers have use only for a limited time period, criminals need to maximise their purchases
- Orders that include several varieties of the same item - Having more than one of the same item increases the criminal's profits
- "Urgent" or "overnight" shipping - Criminals want their fraudulently obtained items as soon as possible for quick resale and are not concerned about extra delivery charges
- Shipping outside of the merchant's country - There are times when items purchased in fraudulent transactions are shipped to criminals outside of the home country
- Inconsistencies - Information in the order details such as a mismatch between the billing and shipping addresses, telephone area codes that do not match the postal code, e-mail addresses that do not look legitimate, and irregular times of day when orders are placed.
- Multiple transactions on one card during a short period of time - This could be an attempt to 'run a card' until the account is closed
- Shipping to a single address via transactions on multiple cards - This could involve an account number generated using special software or even a batch of stolen cards
- Multiple transactions on one card or a similar card with a single billing address, but multiple shipping addresses - This could represent an organised activity, rather than one individual at work
- For online transactions, multiple cards used from a single IP (Internet Protocol) address - More than one or two cards could indicate a fraudulent scheme
- Orders from Internet addresses that make use of free e-mail services - These e-mail services involve no billing relationships and often neither an audit trail nor verification that a legitimate cardholder has opened the account
How to minimize the possibility of fraudulent purchases and chargebacks in e-shops?
Merchants can minimise the possibility of fraudulent purchases and chargebacks from online transactions by taking certain precautions:
- request the name of the cardholder's bank - fraudsters who have unduly obtained account details will not have this information. If the purchaser hesitates in giving the name of their bank, caution should be exercised;
- request the purchaser to provide a faxed copy of their driver's licence;
- the risk of goods not being received should be evaluated if goods are forwarded to a post office box;
- obtain a signed receipt from the cardholder when the goods are delivered;
- in the case of orders for a large number of different goods, telephone the cardholder after the order is placed to confirm the order. Also, have the purchaser read back all details of the order. Frequently, where an order is fraudulent, the purchaser is unable to confirm these details, as they were ordering at random, with no record of what they ordered;
- be suspicious in cases where multiple cards are used for a single purchase;
- do not continue to attempt authorisation after receiving a decline;
- exercise extra caution in relation to overseas orders - large orders should in all cases be held back for shipping until the enquiries above are made into the legitimacy of the purchaser. Merchants should not ship goods until satisfied that the purchase is legitimate.
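The indicator checklist above and the advice to hold large orders until the purchaser has been checked, written as review logic in Python as an added example (not code from this page or the bank): each new order is scored against the indicators, with earlier orders supplying the cross-order checks (card velocity, cards per IP, cards per delivery address), and two or more indicators put the order on hold. The merchant country, free-mail domain list, order-size threshold, velocity window and order field names are assumptions of this example.

```python
from datetime import datetime, timedelta

# Assumptions for this example: merchant home country, its free e-mail domain
# list, what counts as a larger-than-normal order, and the velocity window.
MERCHANT_COUNTRY = "LV"
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com"}
LARGE_ORDER_AMOUNT = 500.0
VELOCITY_WINDOW = timedelta(hours=1)

def order_indicators(order: dict, history: list) -> list:
    """Checklist indicators that apply to `order`; `history` holds earlier orders."""
    same_card = [h for h in history if h["card"] == order["card"]
                 and abs(order["time"] - h["time"]) <= VELOCITY_WINDOW]
    cards_same_ip = {h["card"] for h in history if h["ip"] == order["ip"]} | {order["card"]}
    cards_same_dest = {h["card"] for h in history
                       if h["ship_addr"] == order["ship_addr"]} | {order["card"]}
    checks = [
        (order["email"] not in {h["email"] for h in history}, "first-time shopper"),
        (order["amount"] > LARGE_ORDER_AMOUNT, "larger-than-normal order"),
        (any(qty > 1 for qty in order["items"].values()), "several of the same item"),
        (order["shipping_speed"] == "overnight", "urgent shipping"),
        (order["ship_country"] != MERCHANT_COUNTRY, "shipping outside merchant's country"),
        (order["bill_addr"] != order["ship_addr"], "billing/shipping address mismatch"),
        (order["email"].rsplit("@", 1)[-1] in FREE_MAIL_DOMAINS, "free e-mail service"),
        (len(same_card) >= 2, "multiple transactions on one card in a short period"),
        (len(cards_same_ip) >= 3, "multiple cards from a single IP address"),
        (len(cards_same_dest) >= 2, "single shipping address via multiple cards"),
    ]
    return [label for hit, label in checks if hit]

def review_decision(order: dict, history: list) -> str:
    """One indicator alone is weak evidence; two or more: hold shipment and check."""
    return "hold for review" if len(order_indicators(order, history)) >= 2 else "ship"

# Constructed sample orders (no real customers, cards or addresses).
T0 = datetime(2024, 5, 1, 10, 0)
def make_order(email, card, ip, ship_addr, minutes, **overrides) -> dict:
    order = {"email": email, "card": card, "ip": ip, "ship_addr": ship_addr,
             "bill_addr": ship_addr, "ship_country": MERCHANT_COUNTRY,
             "amount": 80.0, "items": {"sku-1": 1}, "shipping_speed": "standard",
             "time": T0 + timedelta(minutes=minutes)}
    return {**order, **overrides}

HISTORY = [make_order("anna@example.lv", "card-A", "10.0.0.1", "Riga 1", 0),
           make_order("anna@example.lv", "card-A", "10.0.0.1", "Riga 1", 5)]
NEW_ORDER = make_order("x7q@gmail.com", "card-C", "10.0.0.9", "Berlin 5", 30,
                       ship_country="DE", amount=1200.0, shipping_speed="overnight",
                       items={"laptop": 3}, bill_addr="Riga 9")
```

NEW_ORDER trips seven indicators and is held; a repeat order from the known customer trips at most one and ships.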
By using the 3-D Secure authentication services, the merchant obtains chargeback protection (i.e. fraud liability shift) on a transaction in most events where a chargeback would normally be received on the basis of a claim that the customer did not actually participate in the transaction. These services provide customers, retailers and banks with greater security in online card payments.
Please contact us by calling 67 444 444 if you need a consultation or you wish to report a fraudulent situation. You can learn more about how to do your banking securely here.