Internet, mail order and phone sales require specific checks as neither the cardholder nor the card is present during the transaction. These are referred to, in the industry, as Card Not Present (CNP) transactions. Over 60% of all fraud on Irish issued payment cards takes place in a CNP environment (internet shopping, phone or mail order sales). All shop and retail employees should have a detailed understanding of the risks associated with CNP sales.
NB: Ensure that you follow the card acceptance procedures which you agreed with your payment card processor or bank (if you are a physical merchant, you can’t simply start accepting cards over the Internet without revising your terms with your processor)
For all CNP sales, the following details must be obtained:
- The card number
- Cardholder’s name, as it appears on the card
- Card expiry date
- The cardholder’s billing address
- Delivery address (if different to billing address)
- Contact phone number (preferably a landline number as mobile phone numbers are not always traceable)
- The name of the card issuing bank
- Ask the customer for their Card Security Code (CSC), the three digits on the signature panel (The CSC will be verified online against the card, by the card issuer)
Minimise the risk of CNP fraud by considering these points:
- Incentivise staff to look out for fraud risks
- Frequently update your staff fraud training programs
- If you become suspicious of a customer, take your time checking them out. If you are not fully comfortable with them, don’t proceed with the sale
- It is important to undertake checks to authenticate the details provided by the customer. You can check most business and personal addresses in a telephone directory (either the online or printed version).
- Be wary of orders coming from free e-mail addresses such as hotmail or yahoo as these cannot be traced back to the sender
- Is the payment card in the customer’s name? If the answer is no, do not proceed with the transaction
- Check if the delivery address has been used previously at your business but with different card details, contact names and/or phone number
- Check if the payment card number has been used previously at your business, to purchase goods for an address different to that being provided in the current sale
- Call your acquiring processor and ask them to check the name and address of the cardholder with the card issuer. The issuer is not obliged to give you a customer’s details but they should be in a position to confirm contact details for a customer
- If you become a victim of card fraud, contact the Gardaí immediately. It is a crime after all
Other checks to help you reduce the risk of fraud include:
- Contacting the customer to confirm the order (using a number you know to be correct for the genuine cardholder)
- Using a caller display service to ascertain which telephone number a customer is calling from
- Being wary if the contact phone number is a mobile phone number; a landline number should be requested where possible
- Be aware when the customer has trouble remembering their address or details
- Checking order records to see if there is a large number of transactions over a short period of time from a company or person with whom previous business has not been conducted
- Use of the online authentication tool 3D Secure (Verified by Visa or MasterCard SecureCode are detailed in the section entitled 3D Secure). Online Authentication Tools are proven to be beneficial for online retailers. They not only reduce fraudulent activity, but also give greater protection against fraud-related chargebacks.
We strongly recommend that retailers incorporate the information above into all staff training programs.
The higher the staff turnover, the more frequently training programs should be carried out. It is vital that all staff members are trained to stop card fraud from the outset. It can help save enormous amounts of time and money if the fraud is stopped from the outset.
Note: These directions do not replace your own bank or processor’s operating instructions.