Tuesday, June 5, 2012

Face-to-Face Card Payment Acceptance

Card-present transactions (also called face-to-face transactions) occur when both the card and the cardholder are present throughout the payment processing. Face-to-face payment processing settings reduce the risk of fraudulent transactions. The cardholder has the card in his physical possession and the payment information is read from the card's magnetic stripe as it is swiped through the terminal. The merchant has a responsibility to make sure that the transaction is legitimate and should physically examine the card and compare the cardholder's signature on the back panel to the one the customer provided on the sales receipt. Because of the lower processing risk, associated with card-present transactions, Visa and MasterCard have set lower interchange rates for them. The processing rate, at which a transaction is processed, is the sum of the interchange fees for this particular card type and the processing cost incurred by the acquiring bank. Besides processing rates there are other fees and charges that merchants pay for using their processing accounts. Following is a breakdown of card-present merchant account processing rates and fees and our suggestions as per what they should be.
  • Discount rate. Discount rate is a percentage of the transaction amount. You should pay no more than 1.69% for credit cards and 1.40% for debit cards. These are the rates for consumer cards which are the most widely used. Various business-to-businesses, commercial, rewards and other types of cards typically get charged at a higher interchange rate (the base processing rates set by Visa and MasterCard). You need to ask your merchant services provider what pricing structure they are using. The best choice for you will most likely be the interchange-plus pricing which will ensure that the payment processing costs they add to the interchange fees are the same for all types of cards and you will not get overcharged.
  • Transaction fee. Transaction fee is a fixed dollar amount that you pay for each transaction. You should not accept anything higher than $0.20 (it will most likely be the same for debit and credit cards).
  • Set up fee. You should not be paying any set up or application fees, even if your merchant account provider attempts to convince you otherwise!
  • Monthly maintenance fee. Every merchant account provider will charge you such a monthly fee, although they might have different names for it. You should not be paying more than $10.
  • Support fee. Another monthly fee that you should not agree on paying.
In order to accept cards, you will need a payment processing terminal and your merchant account provider will provide you one and configure it to work with their system. You can purchase the terminal from a third-party vendor as well. You should carefully review the whole merchant processing agreement for charges that may make it more expensive than it seems. All agreements will include provisions for chargebacks, bounced checks, representations, etc.

Card-Present Transactions Processing without using a Terminal

Often in card-present processing environments merchants will find themselves unable to read the card's account information with the use of their terminal or they may not be able to obtain an authorization for the transaction. The issue may be caused by one of three things:
  • The terminal's magnetic stripe reader is not working properly.
  • The card is not being swiped through the reader correctly.
  • The card's magnetic stripe has been damaged or demagnetized. Be advised that damage to the card may happen by accident, but it may also be a sign that the card is counterfeit or has been altered.
When the terminal is not reading the card's information, the terminal operator should:
  • Check the terminal to make sure that it is working properly and that the cardholder is swiping the card correctly.
  • If the terminal proves to be in order, the point-of-sale staff should examine the card to make certain that it has not been tampered with and it is valid.
  • If the examination of the card discovers that the problem is caused by the magnetic stripe, the point-of-sale person should follow store procedures. One option would be to override the swiping procedure and to key-enter the transaction data or a call to the merchant services provider's authorization center may be required.
  • For both key-entered and voice authorized transactions the merchant should take a manual imprint of the front of the card to prove that the card was present. The imprint should be made on the sales receipt or on a separate sales receipt signed by the customer. The card imprint protects the merchant from chargebacks if a case of a fraud.
Although keyed card payment processing transactions are fully acceptable, the merchant should keep in mind that they are associated with higher levels of fraud and chargebacks. A significant disadvantage proves to be the fact that certain security features, such as expiration date and Card Security Codes, are unavailable.

Card-Present Processing

Processing card transactions in a card-present environment offers the advantage of having the card available for inspection and the cardholder is present so he or she can be asked to provide additional information, if needed. To benefit from this advantage and to ensure that transactions are processed the right way, merchants need to follow a few simple procedures at the point of sale. Incorporating these suggestions into your card payment processing practices will significantly lower the levels of fraudulent transactions at your establishment. Consequently, customer disputes and chargeback levels will also decrease and your payment processing costs will be the lowest possible.
  • Swiping the card. The first step in the card payment acceptance process is the swiping the card. Place the card's magnetic stripe against the card reader and hold it through the entire transaction. This procedure can be performed, and usually is, by the cardholder.
  • Checking the card's security features. While waiting for the authorization response, check the card's security features to make certain it is authentic. Make sure that the card account and verification numbers have not been tampered with and that the back of the card is signed.
  • Obtaining your customer's signature on the sales receipt. If the authorization response is positive, you should obtain the cardholder's signature on the sales receipt. Without a signed receipt you may lose your representation rights in the case of a chargeback.
  • Comparing the information on the sales receipt to the one on the card. Once you have obtained your customer's signature, compare it to the one on the back of the card. Also, compare the name and account number on the card to the ones printed on the receipt. If everything checks out, return the card to your customer and provide him with the bottom copy of the receipt. You will want to keep the top, white copy of the receipt because it produces better quality copies, in case you need one later.
  • If you suspect a fraud, make a "Code 10" call. If a security feature is missing or it appears as if it has been tampered with, or if the signature that your customer provided on the sales receipt does not much the one on the back of the card, make a "Code 10" call to your authorization center for instructions on how to proceed. You may be asked to decline the transaction and keep the card. You should only keep the card if it is safe to do so. Otherwise, complete the transaction and alert the card issuer after the customer leaves the store.

Card-Present Fraud Signs

There are signs of suspicious behavior that unauthorized card users may display at the point of sale and, if your personnel have received the proper training, they should be able to identify them and act according to your organization's procedures. Identifying fraud before it actually takes place helps to avoid chargebacks against which you have no remedy. Following is a list of suspicious signs at the point of sale that you should look out for:
  • Purchasing large quantities without much attention to details. If a customer is purchasing a sizable amount of merchandise, without much care for size, color, or even price, that might be an indication for fraud.
  • Ignoring free delivery options. If your customer asks no questions or completely ignores a free delivery option, in favor of a quicker but paid one, this could be a warning sign.
  • Rushing the cashier into a quicker processing of the payment. Although your customer may really be in a hurry, such behavior may be intended to force the point-of-sale person to circumvent fraud prevention measures.
  • Making multiple purchases within a short period of time. If a customer completes a purchase, leaves the store and then comes right back in, he or she might be doing it because they believe that making multiple fraudulent transactions, each for a lesser amount, would not attract much scrutiny.
  • Shopping either right after the store opens or before it closes. A fraudster might be shopping early in the morning or late in the evening, in the hope that the point-of-sale personnel will not be as attentive as during other stretches of the day.
Be advised that, although suspicious, a certain behavior might be perfectly well justified and explained in another, completely legitimate way. By themselves, none of the above examples constitutes a proof of a fraudulent activity. You should always use your observations of customer behavior in the context of the particular setting. Different establishments attract different types of customers and what is considered a normal customer behavior at one place might be interpreted as completely irregular at another.

Once the point-of-sale person has accumulated enough observations to conclude that a fraudulent activity is probably taking place, you should contact your merchant bank's authorization center and make a "Code 10" request. You should keep the card in your possession, but only if it is safe to do so. If you feel threatened or uncomfortable, complete the transaction and make the call to your merchant account bank's center right after the customer leaves. Then follow the instructions your merchant bank gives you.

Skimming of Credit Cards

What is skimming. Skimming is a fraudulent activity involving the illegal copying, or "skimming", of the account information, stored in the magnetic stripe of a credit or debit card. Skimming typically takes place after the card has been presented to be used in a legitimate transaction. The copied information is subsequently used to make copies of the payment card to be used in fraudulent transactions or the information itself may be sold to criminals.

The skimming process. Sadly it is way too easy to skim the information off of a credit or debit card. The information theft is usually committed in a card-present setting, for example in a restaurant, a bar or in other similar establishments where the swiping of the payment card takes place out of sight of the cardholder. Once the customer presents his or her card and it is taken to the processing terminal, it is run through a small mobile device which copies the information contained in the magnetic stripe. Then the card is also run through the terminal's slot to complete the legitimate transaction and it is eventually returned to the unsuspecting cardholder.

Preventing skimming. Skimming is illegal and it is every merchant's responsibility to ensure that it is not taking place in his or her establishment. You and your personnel should be on guard against:
  • The use of all electronic devices that are not needed or normally used in your type of business. If you are not sure exactly what a particular device is used for, you should investigate.
  • Any offers to record payment card account information for whatever reason.
If you believe or suspect that skimming might be taking place in your establishment, you should immediately contact your payment processing provider and take the appropriate measures against the employee(s) involved.

Minimizing Key-Entered Transactions

Merchants that accept payments in a face-to-face environment have the advantage of processing transactions at lower rates compared to their counterparts operating in a card-not-present environment. Key-entered transactions, however, are charged at higher rates and should be kept to a minimum.

The first step in the process of minimizing the key-entered card processing transactions is to estimate their share of the total transactions. To do that you should divide the total number of key-entered transactions for a certain period (a month or a quarter) by the total number of sales. If your business is processing mail order and telephone order transactions, you should exclude them from both totals. To represent the result as a percentage, you should multiply it by 100.

If your key-entered transactions exceed one percent per terminal, you should investigate the situation. Following is a list of the most common reasons for high rates of key-entered transactions and possible solutions.
  • Damaged Magnetic Stripe Reader. Check magnetic stripe readers regularly to make sure they are working.
  • Dirty Magnetic Stripe Readers. Clean magnetic stripe reader heads several times a year to ensure continued good use.
  • Magnetic Stripe Reader Obstructions. Remove obstructions near the magnetic stripe reader. Electric cords or other equipment could prevent a card from being swiped straight through the reader in one easy movement.
  • Spilled Food or Drink. Remove any food or beverages near the magnetic stripe Falling crumbs or an unexpected spill could soil or damage the machines.
  • Anti-Theft Devices that Damage Magnetic Stripes. Keep magnetic anti-theft deactivation devices away from any counter area where customers might place their cards. These devices can erase a card’s magnetic stripe.
  • Improper Card Swiping.
    • Swipe the card once in one direction, using a quick, smooth motion.
    • Never swipe a card back and forth.
    • Never swipe a card at an angle; this may cause a faulty reading.

Code 10

Credit card processing companies offer the Code 10 authorization procedure as an additional protection against fraud in a card-present transaction environment. Code 10 is an authorization call that a processing terminal operator can make to his or her payment processing provider's authorization center when he or she suspects that a customer is attempting to commit a fraud at the point of sale. The cause for a suspicion may be that the card looks as if it has been tampered with or altered, or that the customer is behaving in a suspicious manner. If the terminal operator believes that there is enough evidence to suspect that a fraudulent activity is taking place, he or she should make a "Code 10" call and request a voice authorization for the transaction at issue with their payment processing provider.

The process of requesting a "Code 10" transaction authorization is pretty straightforward. It consists of the following steps:
  • Having the card in his or her possession the terminal operator should dial the payment processing provider's voice authorization center.
  • The operator should then state to the representative who picks up the call "I have a Code 10 authorization request." The authorization center's representative will probably asked for some transaction details and then the call will be routed to the card issuer.
  • When speaking with a representative at the card issuer's authorization center, the terminal operator will be asked questions about the transaction at issue which he or she will answer by a simple yes or no. The card issuer's representative will then determine whether or not the transaction is fraudulent and provide instructions on how to proceed.
  • The operator should follow the instructions of the card issuer's representative.
  • If the instruction is for the card to be picked up, it should only be done if it is safe. Otherwise the transaction should be completed and further action should be taken after the customer leaves the store.
Placing a Code 10 call after the customer has left the store is very important. Even though a fraudulent transaction might already have been processed, placing the call at that time will prevent the same fraud from being committed elsewhere or even in the same store in the future.

Credit Card Recovery

Visa and MasterCard regulations demand that in certain circumstances a credit card should be picked up from a customer at the point of sale, but only if it is safe to do so. Typically, if there is sufficient evidence to believe that a credit or debit card is being used fraudulently or if its security features look as if they have been altered, your point-of-sale personnel should attempt to recover the payment card. Any of the following examples would provide a sufficient reason for picking up a payment card:
  • The card's security features are missing or altered. If the 3- or 4-digit card verification security code (CVV2, CVC2 or CID) is missing or has been tampered with, or if the hologram does not appear right, or if the "Good Through" date is altered, that should raise your suspicion.
  • The card number on the sales receipt does not match the account number on the card. If the account number that your terminal has read from the magnetic stripe and printed on the sales receipt does not match the one on the front of the card, this should immediately raise a red flag.
  • The merchant receives a pick-up response. If, upon placing a "Code 10" call with the card issuer, you have been instructed to pick up the card, you should follow the instructions.
When attempting to pick up a card from a customer you should follow these procedures:
  • A card recovery should only be attempted if it is safe to do so. If not, you should complete the transaction and, once the customer leaves, alert the card issuer and the management of your business. Do not try to be a hero, if your customer is threatening you or becomes violent, you should let him or her go.
  • Inform the cardholder that the card issuer has instructed you to recover the card and that, for more information, he or she should contact them.
  • Be polite and courteous with the cardholder. Treat the situation as a business transaction, not as a law-enforcement procedure.
  • Once you have recovered the card, contact your payment processing provider for further instructions.
  • Cut the card in half lengthwise and be sure to not damage the hologram and the account number or the magnetic stripe.
  • Send the recovered card's pieces to your payment processing provider.
Be advised that there are cash rewards that the Credit Card Associations of Visa and MasterCard pay to merchants who have recovered counterfeit cards. Ask your payment processing provider for details.

Zero-Percent Tip Authorizations

Transaction amounts should never be estimated. Following this rule is particularly important for restaurant merchants and it means that card transactions should only be authorized for the known amount of the bill. Merchants should never add on an estimated tip. Consumers today can, and do, check their credit card activity online in almost real time. If they see an amount that they do not recognize, cardholders are likely to ask questions and contact their card issuer.

Policies on Unsigned Cards

One of the merchant's responsibilities at the point of sale is to make certain, using the information that is available, that the card used to make the payment is valid and to compare the signature on its back panel to the one provided by the customer on the sales receipt. But what is to be done when the card is not signed? Well, all unsigned cards are considered invalid and should not be accepted, even if all other security features are valid and there is no other reason to be suspicious. When you are presented with an unsigned card at the point of sale, you should follow these steps:
  • Request that your customer provides a valid ID. A driver's license or a passport would be sufficient. Where the law allows it, the ID's serial number and expiration date should be written on the receipt before the transaction is completed.
  • Request that the customer signs the card. The card should be signed in front of you. Examine the signature and compare it to the one on the ID. If the customer refuses to sign the card, the card remains invalid and you should not accept it. Ask for another payment method.
  • If the provided signature matches the one on the ID, go ahead and complete the transaction.
If your customer refuses to sign the card and you still accept it, you will most likely have no recourse if the transaction is later disputed and will end up with a chargeback.

Card Type, Account Number and Expiration Date

Credit and debit cards bear several identification features that make them unique and help merchants and cardholders prevent their fraudulent use. These features are used during the transaction authorization process as well. Merchants should incorporate the following best practices to ensure that transactions are processed in a safe and secure fashion:
  • Request that customers provide both the account number and the card type and ensure that they match. Consider applying the following procedures:
    • Request that customers select their card's type (Visa, American Express, MasterCard, Discover, etc.) before they enter the card's account number.
    • Verify the validity of the provided information by comparing the selected card type and the first digit of the provided card number. The credit card companies use different account numbering systems. The first digit of every payment card identifies its type. Listed in the table below are the first digits that the major American card brands place in their account numbers.
      Card Type
      First Digit of Account Number
      American Express
    • Display an error message if there is a mismatch between the selected card type and the provided account number and request that the customer re-enters the data.
    • Allow customers to enter card account numbers with or without hyphens, with or without spaces between digits, or clearly identify your preferred format.
  • Request that customers provide their card's expiration date. You can either provide a blank field to be filled in by the customer or a pull-down menu from which the customer to make a selection. If you choose the latter option, make sure that you do not provide a default month and year of the expiration date to prevent the customer from erroneously select it. The default date will most likely be different from the actual one and the transaction will be declined.
(Learn more here.)

No comments:

Post a Comment