Reducing Fraud
| Card Present Transactions | Card Not Present Transactions: Mail Order Telephone Order | Card Not Present Transactions: eCommerce |
|---|---|---|
| These are face-to-face transactions where your customer and their card are with you at the point of sale. | These are sales made by mail or over the telephone where the customer and their card are not with you at the point of sale. | These are sales over the Internet where the customer and their card are not with you at the point of sale. |
Card fraud is becoming increasingly sophisticated and, if you are not vigilant, can result in financial loss for your business. Your exposure to fraud will depend upon how aware you are of the risks and how carefully you and your staff handle card transactions. This section gives you some useful tips to help you reduce your risk of losing money through fraud.
Always remember
- Follow all the prompts on your terminal.
- Be alert and aware – for card present transactions, if you are suspicious about a card or the person presenting it, make a 'Code 10' call and follow the prompts.
- Be discreet when you are suspicious – don’t take risks with anyone’s safety.
- Keep the supervisor’s card/PIN code safe and secure – anyone who has access to this could make fraudulent refunds to a card. Unauthorised refunds will incur a financial loss for your business.
- Never allow a third party to authorise or process card transactions using your facility – this would breach your terms and conditions and may result in withdrawal of your facility. You will be liable for any fraud/chargebacks irrespective of the fact you have processed transactions on behalf of someone else.
- Keep your terminal in sight during a transaction and recover it from your customer as soon as they have entered the PIN.
Authorisation does not guarantee payment. It simply means that the card has not been reported lost or stolen and that there are sufficient funds available at the time of the transaction. Find out more about Authorisation.
Training your staff
Alert, well-trained staff members are your frontline defence against card fraud and can significantly reduce the risk of financial loss to your business.
If you or your staff allow fraud to take place through carelessness, you could lose money and we may even stop processing card payments for you.
Please make sure your staff read this guide carefully, and any other fraud prevention publications we send you.
Withholding payments
If we are suspicious about a transaction you have processed or we believe that a transaction could be fraudulent, we may hold back payment while we investigate. If appropriate we will use these funds to cover any chargebacks received. Upon concluding our investigations any remaining funds will be credited to your account if in our opinion there remains no contingent liability. There is no set time limit for investigations to be resolved, but we will provide updates to you upon request.
Card present transactions
These are face-to-face transactions where your customer and their card are with you at the point of sale. Find out more in Card Present Transactions.
Look out for fraud warning signs
Be aware of how customers normally behave when they are shopping. If you notice anything out of the ordinary, or something that just doesn’t feel right, it could be a sign of potential fraud, so act on your instincts and don’t go ahead if you are suspicious. Look out for...
- Random, careless or bulk purchases – Most customers ask questions and, for example, try on clothing, but a fraudster will just buy goods that can be easily re-sold.
- Rapid repeat visits – A customer who returns to buy more in a short period of time may be making the most of the fact that the card has been accepted already.
- Nervous or hurried customers – They may be worried about being caught.
- Cards signed in felt-tip pen – This can be used to disguise the original signature – remember all cards should be signed in ballpoint pen.
- Interruptions – A customer who tries to distract you during the transaction, and who seems fully conversant with how the authorisation process works, may be trying to prevent you from noticing something suspicious.
Take extra care when a signature is needed
Nearly all cards in the UK now use chip and PIN technology, but you may sometimes come across cards that need to be verified using a signature rather than a PIN. Knowing when these cards can be used and their security features will help you to identify genuine transactions and also to spot potential fraud. Take extra care when accepting these transactions because you could be financially liable if a transaction is confirmed as invalid or fraudulent.
In certain circumstances, you can accept:
- Chip and signature cards – You should only use a signature to verify a transaction in exceptional cases. The main ones are if the customer has a non-UK-issued card, or an impairment that means they need to sign. Your terminal will prompt you to ask for a signature. Never accept a signature just because the customer doesn’t know their PIN.
- Magnetic stripe and signature cards – These will mostly be non-UK-issued cards from countries that have not yet upgraded to chip and PIN.
Some basic fraud checks to use when a signature is required
If you do carry out a transaction using a signature as verification, you should take extra security precautions:
- Check the security features of the card. Find out more in our Card Recognition Guide.
- Check the cardholder’s signature matches that on the back of the card.
- If possible, check that the spelling on the card is the same as the signature – fraudsters sometimes don’t spell the name correctly.
- Check the title on the card matches the gender of the person presenting it.
- Check the signature strip for tampering – has another strip been placed over the top of the original one? If the word "void" appears on the strip, this could be an indication that the genuine signature has been removed and a substitute used.
- If you have an ultraviolet (UV) lamp, put the card under it and check the appropriate inbuilt security feature - find out more in our Card Recognition Guide.
- While the point-of-sale receipt is printing, check the last four digits of the card number on the receipt match those on the front of the card. If they don’t, make a 'Code 10' call.
Find out more in When a signature is needed.
If the Authorisation Centre asks you to retain the card
Explain politely that the card issuer has asked you to hold onto the card. Your own company policy will decide whether you detain the cardholder or call the Police. Never put yourself, your staff or the public at risk.
Even if the Authorisation Centre does not ask you to retain the card, you may decide that a card or a transaction is suspicious – for example, if you have identified it as counterfeit. Card thieves act fast, and will often try to use a card before the owner notices that it has gone.
There may be a reward for recovering a card that is being misused.
Preserving evidence
Cards used fraudulently are EVIDENCE.
Treat them with care and you will make it easier for the Police to catch and prosecute the thieves.
Please check that these instructions are in line with business policy. If you are responsible for company policy, you should consider incorporating this advice as far as possible into staff training. If staff come into contact with criminals, it is far better – and less stressful – if they are prepared for the possibility and have an agreed process to follow.
- Preserve the card:
  - Don't cut the card in half!
  - Handle it by the edges so as to preserve fingerprints. Cut off the bottom left-hand corner (as seen from the front).
  - Don't damage any other part of the card. Handle it as little as possible and place it in a plastic bag or envelope until you can give it to the Police.
- Keep the voucher or receipt:
  - Keep the best copy possible.
  - Don't pin or staple anything to it. Put it in the same envelope/bag as the card to give to the Police.
- Keep the video/CCTV:
  - If you have a video surveillance system, keep the tape and give it to the Police.
  - Keep a copy if you can.
- Note down a description of the presenter:
  - Write down the details immediately while they are fresh in your memory.
  - Think about the person's unique features such as their accent, scars, tattoos and body language rather than the clothes they are wearing.
Involving Police
If your company policy dictates and the Police are called, they may ask for the card. You should:
- Allow the Police Officer to take it.
- Take a note of the officer's name, number and station.
- Obtain the Crime Reference Number.
- Get a receipt and keep it safely as this may enable you to claim a reward.
- Tell the Authorisation Centre.
Rewards
Depending on the circumstances, there may be a £50 reward for cards you hold on to when asked by the Authorisation Centre.
Return these cards to:
Harrogate Cards Centre
Card Rewards Section
PO Box 700
Central House
Otley Road
HARROGATE
HG3 1XG
When you send the card, please also provide the following information:
- The name and address of your business
- Your Merchant Number and telephone contact details
- The date on which you kept the card
- The name on the card
- The card number (the 16- or 19-digit number across the centre of the card)
- Details of the person who should get any reward
If the Police take the card as evidence, include the Police Officer’s details in the above list plus the date reported and the Crime Reference Number. Keep a copy of these details.
A Cards Reward booklet SMS 3401 can be ordered direct from Streamline and explains the procedure for returning a retained card. Simply call the Streamline Helpdesk for a copy. Refer to Section 1 ‘How to contact Streamline’.
Find out more about fraudulent card not present transactions.
Card not present transactions
These are Mail Order Telephone Order (MOTO) transactions, or sales over the Internet – eCommerce transactions.
Something not right?
If you are suspicious of the card, cardholder or circumstances of the sale at any time we recommend you do not continue with the transaction or send out the goods. If you decide not to proceed once you have already processed the transaction, you will need to make a refund to the card. Find out about Refunds.
CNP transactions are considered high-risk because you have no opportunity to physically check the card or meet the cardholder. Although most CNP sales are genuine, this type of transaction is appealing to fraudsters who want to obtain goods to resell easily for cash. So take extra care and consider the risks before you process CNP payments, because you may be financially liable if a transaction is confirmed as invalid or fraudulent.
Look out for fraud warning signs (MOTO)
Here are some signs that a transaction is likely to be fraudulent. Get to know them and make sure that all members of your staff recognise them too. Sometimes the first sign of fraud can just be a general feeling that something isn’t quite right. If that happens, act on your instincts and don’t send out the goods until you’ve carried out further checks.
- Multiple or bulk orders – Watch out for customers buying lots of the same item – either in the same transaction or separately.
- First-time customers who place multiple orders – The risk of fraud is smaller when dealing with customers you know.
- High-value orders – Orders larger than normal may indicate fraud. High-value items such as jewellery or electrical goods are often targeted by fraudsters because they are easy to resell, so take extra care with this type of transaction.
- Hesitant customers – Customers who seem uncertain about personal information, such as their postcode or spelling of their street name, could well be using a false identity. Also watch out for customers being prompted when giving the requested information.
- Same name, different title – Could your customer be using the card of a family member?
- Sales that are too easy – Be suspicious if a customer is not interested in the price and/or detailed description of the goods, but is only interested in delivery times.
- Suspicious card combinations such as:
  - Transactions on several cards where the billing address matches but different/various shipping addresses
  - Multiple transactions on a single card over a very short period of time
  - Multiple cards beginning with the same first six digits offered immediately after the previous cards are declined
  - Customer offering multiple different cards one after another without hesitation when previous cards are declined
  - Orders shipped to a single address but purchased with various cards
- Requests for urgent delivery – This could be genuine, but rush orders are common in fraud scams that aim to obtain goods for quick resale before the card is reported stolen.
- Overseas shipping address – Be careful when shipping overseas, especially if you are dealing with a new customer or a very large order.
- Different shipping address – Orders where the shipping address is different from the billing address may be legitimate (for example, when sending flowers or a birthday present) but requests to send goods to hotels, guest houses or PO boxes are often associated with fraud.
- Duplicate shipping address – Has the shipping address been used previously for similar orders? Be cautious if you identify the same delivery address being used.
- Requests to send funds abroad – This is typically a request for a money transfer or other payment method to pay for couriers, interpreters or other similar services or requests. For example, a request to take a payment greater than the value of the goods/services being purchased, where the customer requests the surplus funds to be sent overseas or to another bank.
Authorisation does not guarantee payment. It simply means that the card has not been reported lost or stolen and that there are sufficient funds available at the time of the transaction. Find out more about Authorisation.
Look out for fraud warning signs (eCommerce)
Here are some signs that an eCommerce transaction is likely to be fraudulent. Get to know them and make sure that all members of your staff recognise them too. And remember that the first sign that something is wrong can just be a general feeling of unease. If that happens, act on your instincts and carry out further checks.
- A risk alert from the payment service or acquiring bank. This indicates that there is a cause for concern and that further checks are required before an order is fulfilled.
- Multiple transaction attempts using the same or similar shopper details, such as name, e-mail address or IP address across one
- Different shopper details with one element the same – such as ten transactions from the same IP address giving different shopper names and e-mail addresses.
- Multiple cards used by same shopper, especially where the card numbers are similar.
- Obvious ‘card testing’, where the last four or eight digits of cards in a series of attempted payments contain similar numbers, or the card numbers are cycled repeatedly in a rough pattern or sequence.
- Nonsensical shopper details, such as 'dgsgsgdf@dsgsd.com' as a shopper e-mail address or 'gdfgdfgfg' as a shopper name or billing address
- High-value transactions, especially where the amount is out of the ordinary for your usual daily processing amounts.
- Mismatching Card Security Code (CSC) or mismatching Address Verification Check (AVS). Consider rejecting orders that carry mismatches or carry out further checks.
- Mismatching combination of billing country, issuer country and IP country, especially where any one of these is from a high-risk area/country such as Nigeria, Ghana, Indonesia or Venezuela.
- A delivery country that’s out of the ordinary for your business and regarded as high-risk
- Use of 'freemail' e-mail addresses, such as Yahoo!, Hotmail, MSN, Gmail, Live or YMail. Although these e-mail services are completely legitimate, they are often associated with fraud attempts because they are easily available and relatively anonymous.
- An e-mail address that bears no relation to the shopper name.
- A request to hurry the order shortly after it has been placed.
- A request to send anything of the same value.
- Indiscriminate buying or unusually large orders that seem out of the ordinary.
- A request to change the delivery address, especially to a high-risk area/country (see above).
- Shoppers who give card numbers by e-mail and seem reckless with sensitive information. Sending full card numbers by unencrypted e-mail is not PCI-DSS-compliant.
- Shoppers who give a high number of card details or lots of different billing information.
- A request to conceal or alter payment details, or the way in which the payment is made, to make it look more legitimate.
- General inconsistency between the shopper’s name, e-mail address, or the way they communicate and the kind of goods or services being purchased.
How to combat eCommerce fraud
One of the best ways to combat fraud is to be alert and to check up on anything that seems suspicious. Here are a few other important ways to help reduce the exposure of your business to fraud.
- Make the most of industry tools like Cardholder Authentication, CSC and AVS checks.
- Screen transactions and consider applying risk scoring and alerts to flag suspect activity that merits further checks. You may be able to design your own in-house system – or ask your PSP.
- Compare new shopper information to data you already hold. Keep records of previous fraud attempts and chargebacks and reject orders where there are matches.
- Look for patterns such as similarities between transactions and repeat use of the same shopper name, e-mail address or IP address – and investigate anything suspicious.
- Verify the shopper’s identity if you are suspicious. Test their contact details to see if they work – send an e-mail and call the telephone number. You may also ask for copies of utility bills, card statements, passport or driving licence (with any sensitive details obscured).
- Establish a fraud policy setting out what should be done if fraud is suspected and ensure that all members of your staff are trained to act.
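As an added illustration of the in-house screening and risk scoring suggested above (this is not part of the original guide or any PSP's product), the sketch below scores a batch of orders against several of the warning signs listed on this page: CSC/AVS mismatch, mismatching billing/issuer/IP country, one IP address used with many shopper e-mail addresses, the same first six card digits reused after a decline, and a match against previous fraud records. The field names, weights and review threshold are assumptions chosen for the example.

```python
from collections import defaultdict, namedtuple

Order = namedtuple(
    "Order", "id ip email bin6 csc_ok avs_ok billing_cc issuer_cc ip_cc declined")

# Weights, threshold and field names are assumptions for illustration only.
WEIGHTS = {"csc_avs_mismatch": 30, "country_mismatch": 20, "shared_ip": 25,
           "bin_after_decline": 35, "known_bad": 50}
REVIEW_AT = 50

def screen(orders, known_bad_emails=frozenset(), ip_limit=3):
    """Score a time-ordered batch; return {order id: (score, sorted reasons)}."""
    emails_by_ip = defaultdict(set)           # whole-batch view of each IP
    for o in orders:
        emails_by_ip[o.ip].add(o.email.lower())
    declined_bins = defaultdict(set)          # IP -> first-six values declined so far
    results = {}
    for o in orders:
        reasons = set()
        if not (o.csc_ok and o.avs_ok):
            reasons.add("csc_avs_mismatch")
        if len({o.billing_cc, o.issuer_cc, o.ip_cc}) > 1:
            reasons.add("country_mismatch")
        if len(emails_by_ip[o.ip]) >= ip_limit:
            reasons.add("shared_ip")          # one IP, many shopper identities
        if o.bin6 in declined_bins[o.ip]:
            reasons.add("bin_after_decline")  # same first six digits after a decline
        if o.email.lower() in known_bad_emails:
            reasons.add("known_bad")          # matches a previous fraud/chargeback record
        if o.declined:
            declined_bins[o.ip].add(o.bin6)
        results[o.id] = (sum(WEIGHTS[r] for r in reasons), sorted(reasons))
    return results

def needs_review(results):
    """Order ids whose score reaches the manual-review threshold."""
    return sorted(oid for oid, (score, _) in results.items() if score >= REVIEW_AT)

# Constructed sample batch (documentation IP ranges, made-up card prefixes).
# Only the first six card digits are held, never a full card number.
SAMPLE = [
    Order("A1", "198.51.100.10", "jane@example.com", "400000", True, True, "GB", "GB", "GB", False),
    Order("B1", "203.0.113.7", "aa@example.net", "411111", False, True, "GB", "GB", "GB", True),
    Order("B2", "203.0.113.7", "bb@example.net", "411111", True, True, "GB", "GB", "GB", True),
    Order("B3", "203.0.113.7", "cc@example.net", "411111", True, True, "GB", "GB", "GB", False),
    Order("C1", "192.0.2.44", "old@example.org", "520000", True, True, "GB", "FR", "GB", False),
    Order("D1", "198.51.100.23", "sam@example.com", "400000", True, True, "GB", "GB", "US", False),
]
KNOWN_BAD = {"old@example.org"}               # constructed previous-fraud record

if __name__ == "__main__":
    for oid, (score, reasons) in screen(SAMPLE, KNOWN_BAD).items():
        print(oid, score, ", ".join(reasons) or "clean")
```

Orders at or above the threshold are held for the manual checks described in this section rather than rejected outright; a single weak signal such as D1's country mismatch stays below it.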
What else to consider
Establish authenticity of customer
It is advisable to establish the authenticity of a customer before delivery by obtaining residential address, telephone number, etc. – perhaps checking with data that is available publicly.
Search the Internet for imposters
We recommend that you regularly search the Internet for websites using similar names to your own. These may have been set up to impersonate your company illegally.
Use expert input
A number of companies, such as payment service providers (PSPs), provide services to help you to look out for potential fraudulent transactions. Fraud-screening measures include:
- Parameter-based technology to filter card transactions
- Third-party name- and address-checking techniques
- Methods of validating cardholder data
To find out more about how we can help, contact us or get in touch with your PSP.
Additional security
We recommend you take full advantage of the additional security checks available through your terminal (Card Security Code (CSC) and Address Verification Service (AVS)).
If we have supplied your terminal, it should prompt you for the information needed to make the additional checks – if you have any other terminal, you may need to speak to your supplier to find out how to take advantage of these.
These additional checks via your terminal cannot confirm cardholder names and therefore you should take additional steps to do so if you are in any way unsure about the transaction.
One option would be to request a landline number and check it via a directory enquiries service.
Delivery
There are also opportunities for fraud at the delivery stage. You should have your own policies when it comes to reducing this type of fraud, but here are a few recommendations that can help.
- Make sure that goods are always delivered to the billing address (preferably inside your customer’s premises) and to the person set out in the order.
- Obtain a signature from the cardholder as proof of delivery – this can be used as evidence in the event that a dispute subsequently arises.
- Don’t release goods to third parties such as friends or relatives of the cardholder, taxi drivers, messengers, etc.
- If using your own staff for delivery, consider using a mobile terminal to enable you to take the transaction as card present when the goods are delivered.
- If a cardholder changes their mind and wishes to collect the goods, they should attend your premises in person and produce their card. You must either cancel or refund any previously-completed CNP transaction and process a new card present transaction.