Appendix A (A-1)
  Sample Merchant Application (A-3)
  Sample Third-Party Site Inspection Form (A-5)
Appendix B (B-1)
  Quick Reference — Attended and In-Store Fraud Prevention (B-3)
  Quick Reference — Automated Fuel Dispenser Fraud Prevention (B-4)
Manual Purpose

The Global Visa Acquirer Fraud Control Manual is intended to provide acquiring members with up-to-date information and resources for improving portfolio profitability by reducing and preventing fraud losses. The manual combines plain-language versions of acquirer and merchant standards from the Visa International Operating Regulations with vital information on current merchant fraud scams and how to recognize them. Fraud-prevention practices from acquirers are also presented, along with descriptions of Visa’s loss-reduction programs and other resources currently available. The information contained in the Global Visa Acquirer Fraud Control Manual should be useful to all employees—new and experienced—involved in an acquirer’s merchant operations. This includes underwriters, portfolio managers, fraud investigators, credit analysts, and internal auditors. The manual can also be used as a tool to support merchant communication and education efforts.

Where there may be any difference in the interpretation between the Visa International Operating Regulations and the information in this manual, the regulations take precedence.
What’s Inside

The Global Visa Acquirer Fraud Control Manual has been divided into thirteen chapters, each with a different main focus. You can work through this manual in its entirety, or move directly to any of the topics listed here.
Manual Navigation

The Global Visa Acquirer Fraud Control Manual is designed for ease of use with icons that cue you to specific resources or information:
Important Note About Country Differences

Most of the information and best practices contained in this document pertain to all countries. However, in some countries there are specific products, services, and regulatory differences that must be noted. In these instances, country-specific details have been identified with a universally recognized icon for the country under discussion.

The country icons are as follows:
United States
Canada
Manual Usage and Customization

The individual sections of the Global Visa Acquirer Fraud Control Manual can be reproduced or modified for use as training materials or desk references. To help you in this effort, all of the information contained in this manual is available to members in a downloadable PDF via your Visa Online regional site.

If necessary, contact your Regional Risk Representative or Visa Account Executive for online access.
The information in this presentation is provided for informational purposes only and does not provide legal advice, analysis, or opinion. It should not be relied upon by you or your institution for marketing, legal, regulatory, or other advice. Your institution’s practices should be independently evaluated by your institution in light of its specific business needs and any applicable laws and regulations. Visa is not responsible for you or your institution’s use of the information provided in this document, including errors of any kind, or any assumptions or conclusions you or your institution might draw from this document. Please consult your institution’s legal counsel for legal advice applicable to your institution.
Visa works closely with its members to define the appropriate types of tools and
controls they need to actively manage payment system risk and limit related
exposures. On the acquiring side of the business, fraudulent activity prevention
and detection are critical because members are responsible for transactions
accepted by their merchants. As such, members must employ measures to
control fraudulent activity throughout the payment transaction life cycle.
This chapter provides a high-level view of Visa’s payment processing infrastructure.
It also discusses risk issues faced by acquirers today and briefly defines the
Visa security measures and fraud-prevention tools in place to reduce risk and
associated losses.
What’s Covered
• How Visa’s Electronic Payment System Works
• Visa Transaction Flow for Magnetic-Stripe and Chip Cards
• Visa Transaction Flow for PIN-Based Point-of-Sale and ATM
• Visa Fraud-Prevention Tools for Merchants
• Understanding E-Commerce Risk Exposures
Visa Transaction Processing Basics

Visa operates and maintains VisaNet—the world’s largest consumer payment system. VisaNet is a collection of systems that support:
• An authorization service by which Visa card transactions are approved or declined by the issuer (or by Visa on the issuer’s behalf).
• A clearing and settlement service that processes transactions electronically between acquirers and issuers to ensure that the:
  – Information moves from acquirers to issuers for posting to cardholder accounts.
  – Payment moves from issuers to acquirers for Visa transactions and is posted to the merchant accounts.
Visa transaction processing takes place in two very different environments—
card-present and card-absent—each of which offers unique card acceptance and
fraud issues.
The following illustrations show the life cycle for Visa magnetic-stripe and chip
credit or debit card transactions. Processing events and activities may vary
slightly for any one merchant, acquirer, or card issuer, depending on card and
transaction type, and the processing system used.
[Figure: Clearing and settlement flow for magnetic-stripe and chip card transactions]
1. Merchant deposits the transaction receipt with acquirer.*
2. VisaNet: facilitates settlement; pays the acquirer and debits the card issuer account, then sends the transaction to the card issuer.
3. Card issuer: posts the transaction to the cardholder account; sends the monthly statement to the cardholder.
4. Cardholder receives the statement.

Note: Issuers and acquirers can outsource various payment, authorization, clearing, and settlement functions to Third-Party Agents. Both sides, however, are responsible to Visa for proper performance and Visa International Operating Regulations compliance by its outside agents.

*Merchants or their Third-Party Agents that store, process, or transmit account information may not store sensitive authentication data (full magnetic-stripe or chip), Card Verification Value 2 (CVV2)** data, or PIN Verification Value (PVV) data—even if it is encrypted. Once an authorization is processed, such data should no longer exist. The only components of the magnetic-stripe or chip that can be stored are the cardholder’s name, personal account number (PAN), and expiration date. This information can only be stored if encrypted, suppressed, or masked—as to render it useless in the event of a data breach.
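As an added illustration (not from the manual), the Python check below applies the storage rule in the footnote above to a stored transaction record: sensitive authentication data must be absent once authorization is processed, and any retained PAN must be masked. The field names, the regular expressions, and the sample record are constructed for this example and are not a Visa or PCI DSS schema.

```python
import re
from typing import Dict, List

# Fields that hold sensitive authentication data. The field names are an
# assumption made for this example, not a Visa or PCI DSS schema.
SENSITIVE_FIELDS = ("track1", "track2", "chip_data", "cvv2", "pvv", "pin_block")

# The only elements the footnote permits to remain after authorization.
ALLOWED_FIELDS = ("cardholder_name", "pan", "expiry")

# Track-2-style content: a 13-19 digit PAN, "=", then YYMM expiry and more digits.
# Used to catch track data that has leaked into notes or raw-request fields.
TRACK2_RE = re.compile(r";?\d{13,19}=\d{4}\d*")
CLEAR_PAN_RE = re.compile(r"^\d{13,19}$")


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits of a PAN; replace the rest with '*'."""
    digits = re.sub(r"[\s-]", "", pan)
    if not CLEAR_PAN_RE.match(digits):
        raise ValueError("not a 13-19 digit PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def check_stored_record(record: Dict[str, str]) -> List[str]:
    """Return one finding per violation of the post-authorization storage rule."""
    findings = []
    for field in SENSITIVE_FIELDS:
        if record.get(field):
            findings.append(f"{field}: sensitive authentication data retained")
    # Track data sometimes survives in free-text fields rather than the track fields.
    for field, value in record.items():
        if field in SENSITIVE_FIELDS or not isinstance(value, str):
            continue
        if TRACK2_RE.search(value):
            findings.append(f"{field}: track-2 data found in non-track field")
    pan = re.sub(r"[\s-]", "", record.get("pan", ""))
    if CLEAR_PAN_RE.match(pan):
        findings.append("pan: stored in the clear; must be encrypted, suppressed, or masked")
    return findings


def scrub_for_storage(record: Dict[str, str]) -> Dict[str, str]:
    """Reduce a post-authorization record to the permitted elements, with the PAN masked."""
    kept = {k: record[k] for k in ALLOWED_FIELDS if k in record}
    if "pan" in kept:
        kept["pan"] = mask_pan(kept["pan"])
    return kept


if __name__ == "__main__":
    # Constructed sample: a record as a careless system might leave it after authorization.
    sample = {
        "cardholder_name": "J DOE",
        "pan": "4000001234567899",
        "expiry": "2512",
        "cvv2": "123",
        "track2": "4000001234567899=25121010000000000000",
        "notes": "approved",
    }
    for finding in check_stored_record(sample):
        print("FINDING:", finding)
    print("Scrubbed record:", scrub_for_storage(sample))
```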
[Figure: Authorization flow for magnetic-stripe and chip card transactions]
1. Cardholder presents a card to pay for purchases.
2. VisaNet: passes on the request to the card issuer; facilitates settlement.
3. Card issuer: provides an online response; posts the transaction to the cardholder account.
4. VisaNet forwards the card issuer’s authorization response to the acquirer.
5. Acquirer forwards the response to the merchant.
6. Merchant receives the authorization response and completes the transaction accordingly.

Before approving a transaction, the issuer makes sure the funds are available and does the following:
• Checks for all “statused” accounts such as lost, stolen, counterfeit, and available funds.
• Validates the PIN.

*Many Visa cards have a chip that communicates information to a POS terminal with a chip-reading device. If a chip-reading device is available, preference must always be given to chip card processing before attempting to swipe the stripe.
[Figure: Authorization flow for PIN-based point-of-sale and ATM transactions]
• Card issuer: provides an online response; posts the transaction to the cardholder account.
• Visa/Plus forwards the card issuer’s response to the ATM acquiring bank.

Before approving a transaction, the issuer makes sure the funds are available and does the following:
• Checks for all “statused” accounts such as lost, stolen, counterfeit, and available funds.
• Validates the PIN.
Payment Card Industry (PCI) Data Security Standard (DSS)

The Payment Card Industry (PCI) Data Security Standard (DSS) is intended to help protect Visa cardholder data—wherever it resides—ensuring that customers, merchants, and service providers maintain the highest information security standard. As mandated by Visa, all issuers, merchant banks, Third-Party Agents, merchants, and service providers that store, process, or transmit cardholder data are required to comply with PCI DSS.
Fraud Control for Card-Absent Merchants

Card-absent merchants are perfect targets for payment card scams simply because there’s no face-to-face customer contact, no tangible card, and no physical signature on the sales draft.

Today’s scam artists are savvy. They understand the payment structure and the security processes involved with each type of transaction. They’re constantly coming up with different ways to circumvent the system, and they are always on the lookout for vulnerable merchants who are susceptible to fraud.

This is why Visa has developed a “layered approach to security” in the card-absent environment that offers both merchants and consumers multiple security checkpoints.

Note: For further details about fraud prevention and detection tools for mail order/telephone order (MO/TO) and Internet merchants, refer to Chapter 6: Fraud Prevention for Card-Absent Merchants in this manual.
Visa’s Layered Approach to Card-Absent Security

The following Visa fraud prevention and detection tools are designed to complement each other and work together as multiple services that can help MO/TO and Internet merchants verify the legitimacy of a Visa cardholder and card to help better combat fraud.

• Address Verification Service (AVS)* enables a card-absent merchant to verify the billing address of a customer presenting a Visa card for payment. It verifies the credit card billing address of the customer who is paying with a Visa card. The merchant includes an AVS request with the transaction authorization and then receives a result code (separate from the authorization response code) that indicates whether the address given by the cardholder matches the address in the issuer’s file. A partial or no-match response may indicate fraud risk.

  Note: AVS can only be used to confirm addresses in the United States and Canada. In other countries, card issuer participation in AVS is optional.

• Card Verification Value 2 (CVV2)** is a three-digit code that appears either on or in a white box to the right of the signature panel of all Visa cards. Telephone order and Internet merchants use CVV2 to verify that the customer has a legitimate Visa card in hand at the time of the order. The merchant asks the customer for the three-digit code and sends it to the issuer as part of the authorization request. The issuer checks the CVV2 code to determine its validity, then sends a CVV2 result code back to the merchant along with the authorization decision. The merchant evaluates the CVV2 result code, taking into account the authorization decision and any other relevant or questionable data.

  Note: In some markets CVV2 is required for all card-absent merchants.

• Verified by Visa offers an extra level of security for online transaction authentication. It is an innovative service that verifies cardholder identity in real-time so customers can shop more confidently and Internet merchants can accept Visa cards with peace of mind while authenticating a cardholder’s identity at the time of purchase.
[Table: applicability of the fraud-prevention tools above by sales channel, with rows for Internet, Telephone Order, and Mail Order; the column headings did not survive extraction.]
Many risk management issues associated with the acquiring side of the payment
card industry are, for the most part, preventable when a strategic business
approach is in place. A sound, comprehensive plan sets forth specific goals and
objectives by which profitability, growth, operational efficiencies, service levels,
and most importantly, risk reduction can be measured. But even the best-laid
plans can fall short without the proper resources. To be effective, an acquiring
institution’s business strategies must have a strong organizational structure to
support it.
This chapter reviews the major components of an acquirer’s strategic business
plan with an emphasis on key risk management considerations. It also includes
suggestions for building and maintaining a risk-responsible Acquiring Center.
What’s Covered
• Building a Strategic Framework
• Acquiring Center Organizational Structure
• Organizational Roles and Responsibilities
• Acquirer Fraud Control Functions and Key Considerations
• Acquirer Fraud Control and Security Function Performance Review
• Tracking Organization and Fraud Loss Performance
• Fraud Control Relations with the Criminal Justice System
• Fraud Forums and Member Bank Participation
• Third-Party Agent Relationship Management
Key Success Factors

One secret to acquiring a profitable merchant business is to ensure that all key factors concerning the prospective merchant are fully understood and analyzed. Among these factors, acquirers should consider the following:
• Merchant discount rate. Merchants pay for their ability to accept bankcards through a fee. The rate varies depending on transaction volume, average transaction amount, type of merchant, processing methods and costs, the interchange fee for which transactions from the merchant qualify, and acquirer profitability.
Setting Up a Risk-Responsible Merchant Operation

Successful merchant operations management requires the right people in the right positions throughout the organization. An essential part of this process involves defining key organizational roles and responsibilities.

All too often, the people responsible for security and risk and/or fraud control management are not correctly positioned in the organization. Many organizations don’t even have a dedicated risk management group. While it is not the intention of this manual to show how an Acquiring Center should be structured, the following diagram is offered as an example of a risk-responsible organization.
[Organization chart: Acquiring Center Manager, with Collections & Investigations, Operations Manager, and Accounting Supervisor reporting to the Center Manager]

Operations Manager — Supervises activities in the operations areas of the center. Establishes procedures, prepares reports for management, maintains safeguards and administers personnel policies.
• Develop procedures for effective operations.
• Set up operating schedules and coordinate workflow through the center.
• Maintain accounting records, compile reports.
• Train, counsel, and inform staff members on policies, goals, practices and procedures through individual meetings, staff meetings and training programs.
• Supervise personnel and delegate work assignments.
• Hire employees, recommend promotion, transfers, terminations and salary adjustments.

Accounting Supervisor — Supervises employees engaged in servicing and maintaining Visa merchant accounts.
• Report to operations manager, supervise employees involved in data entry, tabulating, accounting.
• Organize and coordinate workflow, delegate work assignments, hire employees, recommend promotions, transfers, terminations and salary adjustments.
• Train and instruct employees in procedures and use of equipment.
• Coordinate computer use.
• Recommend procedural and equipment changes.
• Supervise balancing, reporting, aging of general ledger accounts, process sales transaction receipts and remittances.
• Answer mail and telephone inquiries from merchants and acquirers regarding servicing or operating problems.
Organizational Placement

How a member organizes its Fraud Control Department, or similar in-house function, depends on a variety of factors, such as the size of the member’s Visa merchant program; its current organizational structure; and available physical, human, and financial resources.
Wherever these functions are located, it is important that trained specialists
be dedicated to controlling fraud. Visa suggests the following options for
organizational placement of the fraud control function:
• Centralized Security Departments that exist in some medium-sized
institutions. This organization allows for more thorough investigation of
cases, as specialists with law enforcement experience are available to
investigate all types of fraud, including checks, deposit and card fraud. It is,
however, difficult to assign budget and performance goals as this unit may
not have responsibility for fraud loss budgets.
• The Merchant Division (in larger acquirer institutions). The Fraud control
function may fall under the Risk Management Department. This is preferred,
as the Risk Management will have budget responsibility for operations and
losses.
• A separate department in the Acquiring Center. This option establishes a
direct line of communication to the Center Manager. Control, responsibility,
and accountability are more clearly defined, which improves the
department’s ability to achieve desired results.
• A collateral function of the acquirer’s Credit or Collections Department.
When the amount and frequency of fraudulent activity does not justify full-time
personnel, members with smaller merchant programs frequently consolidate
fraud control with a related department, like credit or collections. In such cases,
staffing for the department must include individuals who have received special
training in fraud control and investigation. The risk to this type of organization is
that the managers of the department may not focus as many resources on the
fraud loss numbers.
Fraud Control Staff Skill/Knowledge Requirements

Preventing and promptly detecting fraud requires personnel who are immediately available to execute their assigned responsibilities in all three units. In smaller programs, the functions may be combined in fewer staff members, but all three functions must be performed continuously. The staff in a Fraud Control Department generally consists of knowledgeable fraud prevention, fraud detection, and fraud investigations personnel, along with support personnel.
• Fraud prevention staff members should be able to:
– Monitor MIS data that reflects loss trends.
– Stay knowledgeable of Visa fraud control products and how to effectively
implement them.
– Interface with fraud-prevention units in other organizations to stay abreast
of current fraud schemes.
– Interface with their third-party service or processor to ensure they are
providing effective fraud-prevention services.
• Fraud detection staff usually consists of individuals with the ability to:
– Manage an in-house fraud detection system.
– Manage the effectiveness of the fraud detection system and operation.
This includes changing strategies, implementing rules, and ensuring the
24 hour operation is effectively staffed seven days a week.
Fraud Control Staffing Levels

Because the incidence of fraud fluctuates and is unpredictable, acquirers should conduct a periodic review of staffing levels. Factors influencing staffing requirements include the following:
• Size of merchant portfolios
• Number of disputed cases received and investigated
• Fraud loss experience and target goals
• Cardholder and merchant sales volume
• Volume and character of card fraud criminal activity in the member’s prime
marketing areas
• Effectiveness of cardholder and merchant education programs
• Effectiveness and cooperation of police and postal authorities
• Effectiveness and cooperation with other payment card issuers
• Quality and performance of the fraud staff
• Card distribution procedures
• Statutory criminal legislation and penalties relating to card fraud
• Cooperation of other Acquiring Centers
• Internet operation and how to investigate Internet fraud
Fraud Control Staff Training

Fraud personnel must be trained in the following skills and areas of expertise:
• Bankcard center’s organizational structure, its policies, and operation
• Fraud abatement tools and their use
• Investigative techniques and procedures
• Cardholder and merchant education techniques to prevent fraud
• Visa International Operating Regulations, as well as applicable regional versions
of the regulations
• Data processing and analysis
• Card distribution procedures
• Liaison for, or communicating with, other bankcard centers and with Visa
regional fraud control contacts
• Liaison for, or communicating with, criminal justice system personnel
• Criminal statutes relating to card fraud
• Member’s prosecution policy
• Physical security of the bankcard center and related facilities. This may or
may not be a fraud department responsibility
• Use of the Visa Interchange Directory (VID)
• Visa authorization and settlement system
Continued training and education in fraud prevention and investigative
techniques must enhance the effectiveness of your Fraud Control staff.
Administrative Action

Management should use annual personnel reviews to evaluate the effectiveness of the fraud control and security functions. Periodic evaluations should also be considered to complement annual performance reviews in regard to providing Fraud Control personnel with constructive suggestions for improving their performance.
A managerial review should include a thorough check of selected fraud
investigation files as part of the annual personnel performance evaluations.
Specific criteria to be evaluated should include, but not be limited to the
following:
• A comparison between net annual fraud losses and statistics on local,
regional, and national fraud loss
• Case documentation including investigation, interviews, other contacts, and
physical evidence
• Periodic reviews of investigators’ initiative, ingenuity, and effort on assigned
cases
• Timeliness of the investigator’s response
• Selection of fraud abatement procedures
• Thoroughness of the investigation
• A review of the time required to stop fraudulent activity after detection or
notification
• Investigation outcome, including the amount of restitution obtained and the
results of prosecution
• Ability to effectively respond to and mitigate fraud in relation to incidents of
data compromise
Importance of Proper Control

To properly control the acquiring business and identify the early warning issues of fraud losses, poor profitability, or interchange margins, management needs information to track and measure key performance indicators. Communication between the Acquiring Center functional areas, as well as to senior management, is absolutely fundamental in running a profitable acquiring business because it allows managers to:
• Make informed decisions,
• Focus on the risk issues that affect the whole acquiring business, and
• Commit to necessary resources to address issues.
Fundamental Risk Reports

Keeping in mind that there is no limit as to how acquirer performance data can be sorted and reported, management should, at minimum, receive the following “fundamental” risk reports on a monthly basis.

Reports: Key Operational and Leading Indicators
Data Elements:
• Request-for-copy transactions by merchant type
• Request-for-copy transactions by merchant
• Chargeback volume by merchant type
• Chargeback volume by merchant
• Fraud-related chargebacks by merchant
  – Alteration of amount
  – Declined authorization
  – Fraudulent multiple transactions
  – Magnetic-stripe counterfeit
  – Missing imprint
  – Non-matching account number
  – Risk Identification Service (RIS)*
  – Split sale
  – (Canada) Domestic Merchant Fraud Performance Program (DMFPP)**
  – Unauthorized signature
• Consumer-disputed chargebacks by merchant
  – Defective merchandise
  – Not as described
  – Services not rendered

Reports: Acquired Risk
Data Elements:
• Fraud-to-sales rate by merchant type
• Fraud-to-sales rate by merchant
• Fraud by type, e.g., card not received, counterfeit
• Fraud above versus below floor limit
• Investigations by merchant type
• Investigations by merchant

Merchant Floor Limits

Acquirers need to use the effective assignment and enforcement of floor limits to identify and monitor fraud-prone merchants or those in areas with high fraud rates. For example, merchants identified as high fraud risks can be assigned zero floor limits, which require them to request an authorization for every transaction. In cases where a perpetrator routinely charges fraudulent transactions for an amount just below a specific merchant’s floor limit, temporarily lowering the limit may enable the member to identify and apprehend the suspect.
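As an added example (not part of the manual), the Python below derives three of the Acquired Risk data elements from a constructed transaction sample: fraud-to-sales rate by merchant and by merchant type, fraud-related chargebacks above versus below the floor limit, and a flag for the just-below-floor-limit pattern described under Merchant Floor Limits. The merchant IDs, types, floor limits, amounts, and the 5 percent band are all constructed assumptions for the illustration.

```python
from collections import defaultdict

# Constructed sample data for this example (not real merchants or transactions).
# A floor limit is the amount at or above which the merchant must obtain an
# authorization; a zero floor limit means every transaction must be authorized.
FLOOR_LIMITS = {"M001": 50.00, "M002": 0.00, "M003": 100.00}
MERCHANT_TYPE = {"M001": "fuel", "M002": "internet", "M003": "fuel"}

# (merchant_id, amount, fraud_chargeback): True marks a fraud-related chargeback.
TRANSACTIONS = [
    ("M001", 120.00, False), ("M001", 49.50, True), ("M001", 49.00, True),
    ("M001", 48.75, True), ("M001", 20.00, False),
    ("M002", 300.00, False), ("M002", 250.00, True),
    ("M003", 80.00, False), ("M003", 400.00, False), ("M003", 99.00, True),
]


def fraud_to_sales(transactions, group=lambda merchant_id: merchant_id):
    """Fraud-to-sales rate (fraud amount / total sales amount), grouped per
    merchant by default or per merchant type when group=MERCHANT_TYPE.get."""
    sales = defaultdict(float)
    fraud = defaultdict(float)
    for merchant_id, amount, is_fraud in transactions:
        key = group(merchant_id)
        sales[key] += amount
        if is_fraud:
            fraud[key] += amount
    return {key: fraud[key] / sales[key] for key in sales}


def fraud_vs_floor_limit(transactions, floor_limits):
    """Count fraud-related chargebacks below versus at-or-above each merchant's
    floor limit (below-limit fraud never passed through authorization)."""
    counts = defaultdict(lambda: {"below": 0, "above": 0})
    for merchant_id, amount, is_fraud in transactions:
        if not is_fraud:
            continue
        side = "below" if amount < floor_limits[merchant_id] else "above"
        counts[merchant_id][side] += 1
    return dict(counts)


def just_below_floor_limit(transactions, floor_limits, band=0.05, min_hits=3):
    """Merchants with at least `min_hits` fraud chargebacks priced within `band`
    (a fraction of the limit) below their floor limit: the pattern the manual
    suggests countering by temporarily lowering the limit."""
    hits = defaultdict(int)
    for merchant_id, amount, is_fraud in transactions:
        limit = floor_limits[merchant_id]
        if is_fraud and limit > 0 and limit * (1 - band) <= amount < limit:
            hits[merchant_id] += 1
    return sorted(m for m, n in hits.items() if n >= min_hits)


def monthly_risk_report(transactions, floor_limits, merchant_type):
    """Assemble the Acquired Risk section of the monthly fundamental risk report."""
    return {
        "fraud_to_sales_by_merchant": fraud_to_sales(transactions),
        "fraud_to_sales_by_type": fraud_to_sales(transactions, merchant_type.get),
        "fraud_vs_floor_limit": fraud_vs_floor_limit(transactions, floor_limits),
        "just_below_floor_limit": just_below_floor_limit(transactions, floor_limits),
    }


if __name__ == "__main__":
    report = monthly_risk_report(TRANSACTIONS, FLOOR_LIMITS, MERCHANT_TYPE)
    for section, value in report.items():
        print(section, value)
```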
Inter-Bank Cooperation

Visa strongly recommends that both its acquiring and issuing members establish a fraud forum in their respective markets. These groups are extremely effective in helping members increase the level of inter-bank cooperation in their marketplace. In addition, fraud forums enable members to deal with the increasing range of complex risk and fraud concerns that face both issuing and acquiring institutions in the region.
Key objectives of fraud forums are stated below:
• Develop counter-measures to deal with fraud and criminal activity.
• Formulate cohesive and effective fraud and risk management strategies.
• Develop a “market” position for fraud/risk matters affecting the fraud forum
membership.
Key Principles

In order for a fraud forum to operate effectively, each participating member bank must agree to adhere to the key principles of the fraud forum. These include the following:
• Communication and cooperation,
• Endorsement and support from Senior Management,
• Agreed-upon objectives that have been fully implemented,
• Appropriate representation,
• Defined priorities, resources, and targets,
• Set deliverables, and
• Regularly held meetings.

Note: For more information regarding the establishment of a fraud forum in your market, please contact your Visa Regional Risk Manager.
In addition, all members should contribute and sign an agreement to a fraud
constitution.
For acquiring member banks, this may result in new opportunities for increased
profitability. It also, however, adds another level of exposure to fraud. Close
monitoring of third parties and their bankcard-related activities is essential to
ensure that the security of the cardholder information they process is properly
protected throughout the life cycle.
The Visa Third-Party Agent Due Diligence Risk Standards represent the minimum steps
members need to follow when evaluating new and existing agent relationships. Members
with ongoing agent relationships must conduct the Visa Third-Party Agent Due Diligence
Risk Standards reviews annually. These risk standards apply to all issuing and acquiring
agent relationships.
The Visa Third-Party Agent Due Diligence Risk Standards is available through your
Online regional site.
A TP:
• Is an entity that is not defined as a VNP, but instead provides payment
related services, directly or indirectly, to a member and/or stores, processes,
or transmits cardholder data.
• Must be registered by all Visa members that are utilizing their services,
directly or indirectly.
It is important to note that Agent Banks are not considered Third-Party Agents.
Visa’s By-Laws on Acquiring Associate Members cover what an Agent Bank can
and cannot do. As the Agent Bank’s sponsor, it is up to the acquirer to determine
how much an Agent Bank should be allowed to do based on the risk the acquirer
is ready to accept.
The chart on the next page categorizes and describes Third-Party Agents that
provide services requiring registration.
Encryption and Support Organizations (ESOs) perform cryptographic key management services to support members’ ATM programs or to deploy point-of-sale PIN Entry Devices (POS PEDs) or PIN pads. Additionally, some members outsource various cryptographic key management responsibilities to ATM and PIN pad manufacturers to improve the efficiency of their Visa programs. These entities would also be considered as ESOs in this capacity.
• ESO—maintains a business relationship with a Plus member that includes loading or injecting encryption keys into ATMs or loading software into an ATM which will accept Plus cards. ESOs may also maintain a business relationship with an Interlink member that includes loading software into a terminal that accepts cards, loading or injecting encryption keys into terminals or PIN pads, and performing merchant help desk support that includes re-programming of terminal software.

Merchant Servicers (MSs) store, process, or transmit Visa account numbers on behalf of the member’s merchants. The MS has a contract with the member’s merchant, not with the member. The MS category closes the transaction loop between the merchant and the member’s processor.
• An MS stores, processes, or transmits Visa account numbers on behalf of a member’s merchants. Function examples include providing such merchant services as online shopping carts, gateways, hosting facilities, data storage, and authorization and/or clearing and settlement messages.

Internet Payment Service Providers (IPSPs) enter into a contract with acquirers to provide payment services to sponsored merchants.
• An IPSP accepts Visa transactions on behalf of a sponsored merchant classified with any Merchant Category Code (MCC), except MCC 5967.
• A High-Risk Internet Payment Service Provider (HRIPSP) is an IPSP that enters into a contract with an acquirer to provide payment services to sponsored merchants and signs one or more sponsored merchants required to be classified with MCC 5967 (Direct Marketing—Inbound Teleservice Merchant) in its sponsored merchant portfolio.
What’s Covered
• Portfolio Development
• Visa Transactions and the Law
• Making the Most of Your Merchant Application
• Merchant Site Inspections
• Merchant Website Requirements
• Merchant Approvals
Portfolio Development
Critical Issues that Affect Portfolio Profitability

Effective underwriting begins with carefully defined portfolio development policies that specify the markets, merchant categories, and levels of risk an acquirer is, and is not, willing to accept when approving new accounts. An acquirer policy should also spell out minimum financial and credit requirements for new merchants, as well as the level of management approval that will be needed for specific kinds of businesses.
When establishing or reviewing portfolio development policies, acquirers should
take into account a range of critical issues that may affect portfolio profitability.
These include the following:
• Current portfolio size and sales volumes
• Geographic location relative to the acquirer’s location
• Short- and long-term financial goals
• Level of risk an acquirer is willing to accept in their portfolio
• Human and systems resources
Card-Absent Merchant Application Best Practices

When investigating and signing card-absent businesses, take these measures to reduce exposure:
• Ask for additional application information. This includes detailed business plans, samples of merchandise, and copies of all relevant marketing materials, including catalogs, brochures, telemarketing scripts, and print and broadcast advertisements.
• Carefully evaluate application information to determine potential risk for chargebacks.
• Beware of any merchant selling services, or a product with a low manufacturing cost, but a high price. A thorough review is also recommended for any merchant using selling methods associated with high-chargeback rates—specifically, sales pitches involving gifts, cash prizes, sweepstakes, installment payments, multi-level marketing, telemarketing and up-selling.

Note: Acquirers must conduct a physical site inspection of all new merchant and card-absent merchant locations to obtain a detailed description of the business.
• Ensure that all business principals undergo a thorough background check.
Personal credit reports should be scrutinized, and addresses verified. If
appropriate, a criminal background check should also be performed.
• Collect and verify additional application data and financial documents for
Internet merchants. Risk exposure can be lowered by taking a few extra
steps during the application process to obtain additional information from
questionable merchants. Required data might include:
– Uniform Resource Locator (URL), also known as the website address
(e.g., www.merchant.com) and Internet Protocol (IP) server address for the
merchant website. By collecting this information, an acquirer is able to
review the actual website and confirm that the merchant is actually
conducting the business as described on its application.
– Contact details for the website hosting service. This information can be used
to contact the hosting service and verify that the merchant maintains a
legitimate business.
– E-mail addresses and phone numbers for merchant customer service.
Acquirers can verify that a merchant’s e-mail address is valid by sending
a message to that address. An alert should be triggered if the message
is returned as “undeliverable” or “bounced.” In addition, the acquirer
should check the merchant’s customer service for its quality response and
timeliness, as this will decrease customer disputes and chargebacks.
– Descriptions of any links on the merchant’s website to other sites with which it may or may not be affiliated. This should raise a flag if the linkages do not make sense or represent merchant types that you do not sign.
U.S. Only — The Visa Advanced ID Solutions, Issuers’ Clearinghouse Service (ICS)
supplements other risk management tools available to members such as credit bureau
reports and scoring systems. ICS is a centralized national database designed to reduce
issuers’ losses due to fraudulent applications, and other credit abuse such as bankruptcy
filings.
ICS can also be used by acquirers to help qualify sole proprietorship or partnership merchants where a consumer’s social security number is used for underwriting.
Merchant Site Inspection Best Practices
• Always conduct the site inspection during normal business hours.
• Ensure that your site inspection covers all relevant aspects of a merchant’s business operations. Key considerations include:
– Location. Is the merchant’s location consistent with its business plan and
projected sales volume? For example, if a retail outlet depends mostly on
walk-in business, is it located in an area with good foot traffic?
– Premises and physical layout. Are the merchant’s signage and sales
fixtures consistent with an established legitimate business?
– Business documentation. Does the merchant have all necessary licenses,
permits, and other legal documents related to the business?
– Inventory. Does the quality and quantity of current inventory support
projected figures for average ticket prices and sales volume?
– Employees. Are staffing levels sufficient to support projected sales? Do
employees seem knowledgeable about the merchant’s goods and services
and customer service policies?
– Return policy. Does the merchant have a return policy? Is it clearly
disclosed on the cardholder’s transaction receipt and in close proximity to
the cardholder’s signature?
– Data security. Are transaction records or other confidential customer
information kept on the premises; and if so, are they stored in a secure
area? Is access to this information limited to authorized personnel? What
steps have been taken to ensure the security of computer and phone
lines, and electronic customer data? How long is confidential customer
information retained?
• If possible, take a photograph of the interior and exterior of the business
during the site inspection. File the photograph with the merchant
application and agreement upon completion of the application approval
process.
Signs of Suspicious Activity
Experience has shown that merchant facilities can be set up for the express purpose of laundering sales transaction receipts or key-entered transactions where there is no intent to supply goods to customers. In these situations, the merchant facility is purely a front to import illegal transactions into the acquirer’s processing and generate fraudulent credits.
During a site inspection, suspicions may be aroused when the:
• Merchant claims to have been trading for some time, but there is little or no
stock to be sold. This could indicate financial difficulties or potential fraud.
• Trading address is determined to be a private residence rather than being
in a recognized business area. This could indicate that the business is of ill
repute or lacks financial substance.
• Principals appear to lack a clear understanding of the business.
Merchant Approvals
Merchant Credit Review and Approval Best Practices
To reduce risk exposure, acquirers should establish guidelines for reviewing and approving merchant applications. In this area, best practices are as follows:
• Set levels of authority for approval based on the merchant’s projected sales volume. For example, the application for a merchant with US $1 million projected sales would require approval by a high-level executive of the institution.
• Accept ONLY complete applications. All required documentation must be
enclosed.
• Establish separate application verification processes: one for low-risk
merchants and a more stringent process for high-risk merchants. This can
protect the organization from potential losses by:
– Requiring high-risk merchants to provide additional references.
– Verifying these references carefully.
– Performing a more detailed evaluation of business financials and physical
site inspections.
What’s Covered
• Developing Merchant Agreements
• Mandatory Agreement Provisions
• Optional Agreement Provisions
• Agreement Requirements for Chip Migration
• New Merchant Start-up and Preparation
• Merchant Fraud Prevention Communication and Education
The merchant agreement is a legal document that binds the merchant to operate under the rules and regulations established by Visa and the acquirer. This agreement should be thorough enough to protect the acquirer from improper card processing and include certain minimum provisions contained in the Visa International Operating Regulations. Acquirers may, however, vary the appearance of the agreement form, as well as the wording of these contracts, as appropriate.
Looking at the Agreement from a Risk Perspective
An acquirer’s merchant agreement should be designed from a risk perspective to:
• Reduce the institution’s exposure to fraud and business failure losses to the greatest extent allowable by law.
• Ensure the agreement makes clear the circumstances under which the acquirer has the right of termination. These can include changes in ownership or any activity that (in the acquirer’s opinion) might indicate increased risk of credit/fraud loss. The agreement should specify—for both sides—a maximum of 30 days’ notice of termination, but indicate that either party may terminate at any time for any reason. Note: Most agreements have the “terminate for any reason” clause; the “restricted termination” clause is the exception.
• Confirm the right of the acquirer to seize or withhold funds.
• Guarantee the safe and sound operation of merchant activities.
• Include provisions that add protection against fraud and credit losses beyond the minimum requirements stated in the Visa International Operating Regulations.
• Determine if the merchant has ever been in the “enforcement” stages of a Payment Plan’s Compliance Program.
• Outline all regulatory issues.
Note: The Visa International Operating Regulations state that an acquirer must have a signed merchant agreement for each merchant account, and that all merchant agreements must be kept on file at the acquirer’s place of business.
Most acquirers have a standard agreement for the majority of their merchants;
however, an acquirer may have a custom agreement with a larger merchant.
Acquirers that do use custom agreements should have a contract management
tool in place that tracks variations from the standard agreement.
A merchant agreement must include some form of the following provisions. For a
full list of mandatory provisions, see the Visa International Operating Regulations.
Area: Provisions:
Data Security
• Merchants shall not disclose cardholder account information to third parties, except when needed to complete a transaction or when required by law.
• All merchants and any Third-Party Agents that transmit, store, or process cardholder data for the merchant must be compliant with the Payment Card Industry (PCI) Data Security Standard (DSS) Compliance program.
• Merchants must store all material containing account numbers—including sales transaction receipts, credit vouchers, vehicle leasing agreements and carbons—in a secure area accessible only to selected personnel.
• The business’ disposal procedures must also ensure security; materials containing account information must be made unreadable before they are discarded.
• The merchant must not retain or store Card Verification Value 2 (CVV2)* data subsequent to the authorization of a transaction.
• Merchants (and their Third-Party Agents) must not retain full-track magnetic-stripe data subsequent to authorization.
Financial Responsibility
• The merchant’s liability for chargebacks, credits, fees, and fines should be clearly stated.
• The merchant is liable to the bank for any losses that arise from the merchant’s failure to comply with the merchant agreement.
• The merchant will be liable for any sales transaction receipt charged back to the acquirer if:
– The transaction was not performed in accordance with the merchant agreement.
– Goods or services were purchased with an altered card.
• Chargebacks will be directly debited from the merchant’s account, and the merchant may be required to maintain account reserves to cover these payments. Reserve amounts may be based on a percentage of sales to be determined by the acquirer.**
Split Sales Transaction Receipts
Split sales transaction receipts are not allowed. Specifically, merchants may not use two or more sales transaction receipts for a single transaction to avoid or circumvent authorization limits.
Laundering of Sales Transaction Receipts
Laundering of sales transaction receipts is specifically prohibited by the Visa International Operating Regulations. To ensure new merchants understand the anti-laundering provisions of your agreement, you should review this section with them and have them initial it. (See “Laundering (Factoring)” in Chapter 7 of this manual.)
Surcharges
Merchants may not impose surcharges on transactions, unless local law expressly requires that a merchant be permitted to impose a surcharge.
Visa Marks
The Visa Brand Mark or logo may only be used on a merchant’s promotional materials to indicate that Visa cards are accepted as payment for the business goods and services. The logo and mark may not be used, either directly or indirectly, to imply that Visa endorses a merchant’s goods or services; nor may a merchant refer to Visa when stating eligibility requirements for purchasing its products, services, or memberships.
Refund Vouchers
Refund vouchers may not be submitted for noncredit transactions. Specifically, merchants may not accept money from a cardholder and then prepare and deposit a credit voucher for the purpose of crediting the cardholder’s account.
Previous Transactions
Cardholder payments for previous Visa transactions are prohibited.
Note: Acquirers are responsible for ensuring that merchants who are participating in Verified by Visa operate in accordance with product rules and the Visa International Operating Regulations, and that such requirements are included in merchant agreements. The merchant agreement must state that merchants must not make the use of Verified by Visa a condition of Visa card acceptance at the merchant’s online store.
Cash Disbursements
Cash disbursements to cardholders are prohibited except if made by the following categories of merchants:
• Lodging merchants participating in Visa Hotel Services, or cruise line merchants. These merchants may make cash disbursements to Visa cardholders under the specific circumstances defined in the Visa International Operating Regulations.
• Disbursements made by merchants who sell travelers cheques or foreign currency are limited to the value of cheques, travel money, or currency sold in a single transaction, plus any applicable commissions. Under no circumstances may the transaction represent collection of a dishonored cheque.
Scrip
Merchants may not accept Visa cards for the purchase of scrip.
Authorization Requirements
Merchants must obtain authorization:
– For transaction amounts above the specified maximum floor limits required by the acquirer; or
– In the event of a chip transaction when so requested by the card, if the point-of-sale (POS) terminal is chip-capable.
Uncertain Cardholder Identification
If cardholder identification or the card’s validity is uncertain, the merchant must contact its acquirer for instructions. If the acquirer asks the merchant to recover the card, the merchant must comply according to established procedures.
While not required by the Visa International Operating Regulations, the following
provisions can help acquirers reduce their exposure to fraud and risk losses. In all
cases, applicable local law should be observed.
Area: Provisions:
Termination of Agreement
The acquirer reserves the right to terminate the merchant agreement for any reason at any time.
Right to Hold Funds
Payment of funds to the merchant is provisional. The acquirer has the right to freeze or hold deposits whenever fraudulent activity is suspected.
Change in Ownership
Merchants must notify the acquirer of any changes in ownership, such as limited partnership agreements, or any other changes in business practices or sales method—including expected changes in average draft or deposit amount. Specifically, a merchant must notify the acquirer (and agree in writing) before adding and performing mail order, telephone order, or Internet sales activity and/or making changes to the products or services being sold.
Secured Interest
The merchant must grant the acquirer a secured interest in all its assets. This means the acquirer will be recognized as a legal creditor in case the merchant declares bankruptcy.
Use of Personal Accounts
Merchants may not use their own merchant accounts for personal Visa card transactions. For example, merchants cannot use their personal Visa cards to withdraw cash or to purchase goods and services from their own business.
Note: Visa does not provide legal advice to its acquiring member banks. The optional provisions listed here are intended as only a partial checklist of terms that an acquirer should consider including in a merchant agreement. Acquirers are encouraged to seek legal advice with respect to their specific business and legal circumstances.
Card-Present Merchant Setup Best Practices
Acquirers should view the setting up of a new card-present merchant account as an opportunity to establish strong fraud-prevention practices. To ensure terminal and transaction data security, as well as reduce overall fraud exposure:
• Make sure all point-of-sale (POS) devices are fully Card Verification Value (CVV)-capable and chip-capable (if applicable). Ensure that the devices meet Visa International Operating Regulations for suppression of account information on transaction receipts.
To increase profitability and reduce fraud losses, acquirers must ensure that
proper card acceptance procedures are being followed by all merchants in their
daily business. Collectively, these procedures, which are outlined in the Visa
International Operating Regulations, serve as a critical tool for loss reduction at the
point of sale. Routine fraud-prevention practices can lead to tangible benefits for merchants and acquirers. Chargeback rates can be minimized, even in cases where fraudulent or other unauthorized transactions do occur.
All acquirers are responsible for providing card-present merchants and their
employees with appropriate card acceptance and fraud-prevention education.
This chapter is intended to assist in this effort.
What’s Covered
• Card-Present Transaction Procedures
• Checking Visa Security Features
• Authorization Processing
• Matching Cardholder Signatures
• Handling Cash Disbursements/Cash Advances
• Processing Visa payWave Transactions
• Processing Visa Easy Payment Service Transactions
• Looking for Warning Signs of Fraud
• Making a Code 10 Call
• Recovered Cards
• Using Visa Electron Cards in the Card-Present Environment
• Acquirer Support of Merchant Code 10 Efforts
• Acquirer Actions For Card Recovery
• Chip Acceptance Procedural Differences
*Many Visa cards have a chip that communicates information to a POS terminal with a chip-reading device. If a chip-reading device is available, preference must always be given to chip card processing before attempting to swipe the stripe.
Every Visa card contains a set of unique design elements and security features
developed by Visa to help merchants verify a card’s legitimacy. A visual check of
the Visa card security features should be one of the first steps in all card-present
transactions. Any sign that a card design element or security feature is not
genuine or has been tampered with may mean that the merchant has been given
a counterfeit or invalid card.
Note: Merchants should always request an authorization on an expired card. If the card issuer approves the transaction, the merchant can proceed with the sale. A merchant should never accept a transaction that has been declined.
*In certain markets, CVV2 is required for all card-absent transactions.
Card design callouts from the security features illustration:
• The two-color Visa Brand Mark does not have the standardized white background.
• The two-color reverse Visa Brand Mark does not have the standardized white background and has been reversed to white with a gold wing within the letter form of the V.
• Visa Mini-Card.
• Cardholder Name or a Generic Title may appear on an unembossed card.
• ELECTRONIC USE ONLY communicates to cardholders and merchants that this card is a limited acceptance product and it can only be used at electronic point-of-sale terminals. Merchants without an electronic terminal should ask for another form of Visa payment. Electronic Use Only may be displayed on the front or back of the card.
• Visa Chip cards are embedded with a chip that communicates information to a point-of-sale terminal.
• Upper left placement of the Visa Brand Mark is allowed only on cards with a chip.
*Visa Electron Card is only available in certain countries, but can be used in all countries.
Authorization Processing
If a Card Won’t Read or Swipe
In some instances, the POS terminal will not be able to read the magnetic-stripe in order to perform an authorization. When this occurs, it usually means one of four things:
• The terminal’s magnetic-stripe reader is not working properly.
• The card is not being swiped through the reader correctly.
• The merchant may have a counterfeit or altered payment card.
• The magnetic-stripe on the card has been damaged or demagnetized.
Damage to the card may happen accidentally, but it may also be a sign that the
card is counterfeit or has been altered.
When the card won’t swipe, merchants should first check the terminal to make sure it is working properly. If the terminal is operating correctly, and the problem appears to be with the magnetic-stripe, merchants should follow the established procedures for key-entered transactions. In addition, they should check the card security features and match signatures, as outlined in this chapter. The merchant should also take an imprint of the card.
Note: An acquirer must have established procedures for its merchants when the magnetic-stripe or chip cannot be read by the POS terminal.
If the Terminal Cannot Read the Chip
Visa policies state that chip cards must be read as chip at all times unless the card, chip-reading device, or terminal is malfunctioning. In the event that a chip cannot be read, the merchant should “fall back” to a lesser method. Because the fallback transaction is swiped or keyed, the normal rules of transaction processing must come into play. This means that a signature will be required, rather than a PIN. For key-entered transactions, manual imprints will be required.
Note: For more information about chip acceptance, refer to the Chip Acceptance Procedural Differences section in this chapter.
Responding to Authorization Messages
An authorization is an indication that the account funds are available and a card has not been reported lost or stolen. It is a process in which the card issuer approves or declines a transaction. An authorization is not proof that the true cardholder is present or that a legitimate card is involved. Most sales are authorized quickly. There are times, however, when a merchant may receive an authorization message indicating a potential problem with a card or cardholder. Negative or alert messages include the following:
• Decline. The transaction has been refused by the issuer (e.g., the credit limit
on the account has been exceeded).
• Call or Call Center Referral. The issuer needs more information before
approving the sale.
• Pick up. The issuer wants to recover the card.
• No Match. (U.S. Only) The embossed or printed account number on the
front of the card does not match the account number encoded on the
magnetic-stripe.
Whenever a negative or alert message is received, the response is displayed on
the POS terminal. A sales transaction receipt, however, is never printed.
Comparing Card and Terminal/Report Information
Most POS terminals also allow merchants to verify that the cardholder account number on the front of the card is the same as the account number encoded on the card’s chip or magnetic-stripe. How the merchant checks these numbers will depend on their POS terminal. In some cases, the partial number will be displayed on the terminal or printed on the sales transaction receipt; in others, the terminal may be programmed to check this information electronically. In such instances, the merchant will be prompted to enter the last four digits of the embossed or printed account number, which will then be matched against the last four digits of the account number encoded on the chip or magnetic-stripe. If the numbers and/or names do not match, the merchant should make a Code 10 call.
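The last-four comparison described above, together with the receipt account-number suppression required of POS devices, as an added example that is not part of the manual or any Visa software. The track-2-style input layout, the sample values and the merchant-facing response strings are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of what a terminal reads from the stripe or chip. The
# layout (";" + account number + "=" + expiry/service data + "?") follows the
# track 2 convention; the values themselves are made up for this example.
SAMPLE_TRACK = ";4111111111111111=25121011000012345678?"

_TRACK_RE = re.compile(r"^;?(?P<pan>\d{13,19})=(?P<rest>\d+)\??$")


def extract_pan(track: str) -> str:
    """Return the account number (PAN) encoded in the track-2 style string.

    Raises ValueError when the data does not have the expected shape; a
    terminal would treat that like an unreadable stripe, and the merchant
    would follow the procedures for a card that won't read or swipe.
    """
    m = _TRACK_RE.match(track.strip())
    if not m:
        raise ValueError("track data not in expected format")
    return m.group("pan")


def compare_last_four(track: str, keyed_last_four: str) -> str:
    """Compare the keyed last four embossed digits with the encoded PAN.

    Returns "MATCH", "NO_MATCH" or "INVALID_ENTRY". The keyed value must be
    exactly four digits; anything else is an operator error, not a mismatch,
    so it must not be reported as a "No Match" condition.
    """
    if not re.fullmatch(r"\d{4}", keyed_last_four):
        return "INVALID_ENTRY"
    pan = extract_pan(track)
    return "MATCH" if pan[-4:] == keyed_last_four else "NO_MATCH"


def mask_pan(pan: str) -> str:
    """Suppress the account number for a receipt: only the last four digits remain."""
    return "*" * (len(pan) - 4) + pan[-4:]


@dataclass(frozen=True)
class Outcome:
    result: str            # MATCH / NO_MATCH / INVALID_ENTRY
    action: str            # instruction shown to the merchant (assumed wording)
    receipt_pan: Optional[str]  # truncated PAN for the receipt, or None


def compare_card_and_terminal(track: str, keyed_last_four: str) -> Outcome:
    """Decide what the merchant should do after the last-four comparison.

    Follows the manual's rule: on a mismatch the merchant makes a Code 10
    call. No receipt account number is produced unless the numbers match.
    """
    result = compare_last_four(track, keyed_last_four)
    if result == "MATCH":
        return Outcome(result, "Continue with the transaction",
                       mask_pan(extract_pan(track)))
    if result == "NO_MATCH":
        return Outcome(result, "Make a Code 10 call", None)
    return Outcome(result, "Re-enter the last four embossed digits", None)


if __name__ == "__main__":
    # Demonstration with constructed inputs: a match, a mismatch, a bad entry.
    for keyed in ("1111", "9999", "11"):
        print(keyed, compare_card_and_terminal(SAMPLE_TRACK, keyed))
```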
Obtaining and Comparing Signatures
For a signature-based transaction, the final step in the card acceptance process for magnetic-stripe transactions and some chip card transactions is to ensure the customer signs the sales transaction receipt or POS terminal signature window display, and to compare that signature with the signature on the back of the card. Depending on the Visa card product and POS processing system, the customer should be within the merchant’s full view when signing the receipt or POS terminal signature window display. If possible, the merchant should check the two signatures closely for any obvious inconsistencies in spelling or handwriting.
If the signature on the receipt or terminal window display does not match
or closely resemble the signature on the card, the transaction should not be
completed. If the transaction is accepted and it turns out to be fraudulent,
the merchant may be liable for the chargeback, even if an authorization was
received for the sale.
Handling Unsigned Card
While checking card security features, a merchant should also make sure that the card is signed when a magnetic-stripe transaction is involved, and in some cases, for chip card* transactions. An unsigned card is considered invalid and should not be accepted. If a customer hands over an unsigned card, the following steps must be taken:
• Check the cardholder’s ID. Ask the cardholder for some form of official
government identification, such as a driver’s license or passport. Where
permissible by law, the ID serial number and expiration date should be
written on the sales receipt before you complete the transaction.
• Ask the customer to sign the card. The card should be signed within your full
view, and the signature checked against the customer’s signature on the ID.
A refusal to sign means the card is still invalid and cannot be accepted. Ask
the customer for another signed Visa card.
• Compare the signature on the card to the signature on the ID. If the cardholder
refuses to sign the card, and you accept it, you may end up with financial
liability for the transaction should the cardholder later dispute the charge.
*When a chip card transaction is PIN-based, Visa’s best practice is not to print a signature line on the receipt. Merchants need to be aware that
they should not request a signature from the cardholder when a signature line is not present on the receipt.
Requesting Cardholder ID
Although Visa rules do not preclude merchants from asking for cardholder ID, merchants cannot make an ID a condition of acceptance. Therefore, merchants cannot refuse to complete a purchase transaction because a cardholder refuses to provide ID. Visa believes merchants should not ask for ID as part of their regular card acceptance procedures. Laws in several countries also make it illegal for merchants to write a cardholder’s personal information, such as an address or phone number, on a sales receipt.
Visa Cash Back
The Visa Cash-Back Service allows merchants to disburse a limited amount of cash when cardholders buy goods at point-of-sale. The service can be offered to all Visa cardholders. It supplements, rather than replaces, the use of ATMs.
When a Visa Cash-Back Service is offered, cardholders are asked and must
specify if they would like a cash disbursement to be added to their transaction
when they present their card at POS. They also decide on the amount they
would like. The merchant simply adds the cash amount to the bill and processes
a transaction for the total.
What is Visa payWave?
Merchants can take advantage of increased speed and convenience—and offer them to cardholders—with Visa payWave, a payment method that uses the latest technology to send card data wirelessly to a terminal reader. A cardholder simply holds their card in front of the reader.
For many transactions, there is no need to sign a receipt or hand over the card.
Visa payWave provides merchants and consumers with a number of benefits.
Merchant Benefits
Cost Savings/Efficiency
• Decreased transaction time—up to half that of cash transactions.
• Customer initiates the transaction by simply holding the card in front of the
reader rather than swiping or handing the card to the clerk.
• Reduction in coin/cash handling.
Customer Loyalty
• Attracts new customers and builds loyalty with added speed and
convenience.
Competitive Advantage
• Sets merchants apart from their competitors in categories like fast food
restaurants where speed and convenience are compelling benefits.
What is Visa VEPS?
Purchases of US $25 and under represent a significant share of all consumer spending. The Visa Easy Payment Service (VEPS) helps deliver greater efficiency and convenience to both merchants and consumers.
The VEPS program provides face-to-face merchants with the ability to accept
a Visa card issued in any country for purchases without requiring a cardholder
signature or PIN and foregoing a receipt unless requested by the cardholder.
This program has the potential to increase speed at the point-of-sale, enhance
customer satisfaction and deliver operating efficiencies for merchants. It can
boost customer throughput and build customer loyalty by helping consumers
use their Visa cards safely, quickly and easily.
Program Eligibility—Transaction Qualification
Effective 16 October 2010, transactions from over 98 percent of MCCs (except those listed in the table on the next page) will be eligible to qualify for the program.
For qualifying transactions, the Visa Easy Payment Service program:
• Eliminates the need for merchants to capture a signature or PIN.
• Eliminates the receipt requirement, unless requested by the cardholder.
• Allows reduced receipt data when a receipt is provided.*
• Eliminates the need for merchants to retain transaction receipts and prohibits
issuers from making retrieval requests.
• Provides chargeback protection for fraud**, and against the receipt
requirement.
Transactions qualify for the program if they meet the following criteria:
• Value is less than or equal to the country limit
• Face-to-face environment
• Authorized
• Applies in all MCCs, except those listed in the table on the next page
• Terminal must read and transmit unaltered magnetic-stripe track data,
unaltered chip data, or unaltered contactless payment data
If eligible, the merchant runs the transaction as they normally would and
eliminates the steps of PIN entry or checking and collecting the cardholder’s
signature. In addition, the merchant only needs to provide a transaction receipt if
the cardholder requests one.
*Except in the U.S. region, where merchants must use full transaction receipt data when a receipt is provided.
**EMV liability shift still applies to transactions in Canada and CEMEA regions.
If merchant staff see signs that make them suspicious, they should:
• Hold on to the customer’s card if they think they can do so safely.
• Follow company procedures and notify their supervisor.
• Call the voice authorization center and request a “Code 10” authorization
using a normal tone of voice. An operator will tell them what to do.
Signs of Fraud at the Petrol/Fuel Service Stations
Retail petroleum merchants should also be looking for suspicious behaviors at petrol/fuel service stations.
At the Counter
• Individual buying an unusual amount of convenience store items.
• Limited or no eye contact from customer and/or they are acting “strangely.”
• Buying large amounts of alcohol, cigarettes, and phone cards/gift cards.
• Buying money orders and/or lottery tickets with credit card.
• Attempting to bribe the cashier.
• Requesting large amounts of cash back on small purchases.
At the Automated Fuel Dispenser
• A single customer activating multiple automated fuel dispensers.
• Filling multiple vehicles from one automated fuel dispenser transaction.
• Filling large non-vehicle containers.
• Fueling several times a day (system wide and location specific).
• Card testing (inserting payment card for authorization without pumping).
• Island surfing (persons walking around offering to pump fuel with their payment card in exchange for cash).
Retail petroleum owners and operators can help reduce fraud exposure by communicating card acceptance and risk management policies across the retail enterprise. They should also ensure managers and employees are properly trained and fully informed on “Attended and in-store” fraud-prevention procedures.
Refer to Appendix B for a sample of two Visa Quick Reference tools: Attended and In-Store Fraud Prevention, and Automated Fuel Fraud Prevention.
What Card-Present Merchants Should Do If Suspicious
A merchant makes a Code 10 authorization request call to let the card issuer know there is suspicious activity—without alerting the customer. During a Code 10 call, the merchant receives instructions on what, if any, action to take. In this case, the merchant actually speaks with the card issuer’s special operator. Sometimes a merchant will not feel comfortable making a Code 10 call while the cardholder is around, or the merchant may become suspicious of a cardholder after he or she has already left the store.
It is important that merchants understand they can still make a Code 10 call
after a cardholder leaves. A Code 10 alert—even after a cardholder is gone—
may still help stop fraudulent card use at another location, or perhaps during
another visit to the store.
Recovered Cards
Reasonable Grounds for Card Recovery
In general, a merchant should recover a card if the merchant has reasonable grounds for believing the card is being used fraudulently or is altered or counterfeit. The following situations are considered reasonable grounds for recovery:
• Card security features are missing or irregular, or appear to have been
tampered with (see Checking Visa Security Features on page 80 of this
manual.)
• The account number on the magnetic-stripe does not match the number
embossed on the front of the card.
• The merchant has received a pick-up response when a card has been swiped
for electronic authorization, or the merchant has been instructed to recover
the card during a Code 10 call.
Card Recovery Procedures
The following card recovery procedures apply to all Visa credit, debit, and Electron cards. Merchants should be instructed to do the following:
• Recover the card only if you can do so safely. Never take unnecessary risks.
• Tell the cardholder you have been instructed to keep the card, and that he or
she may call the card issuer for more information.
• Remain calm and courteous. If the cardholder behaves in a threatening
manner, return the card immediately.
• Make a readable copy of the front and back of the card, if possible.
• Cut the card in half along the length, but be careful not to damage the
hologram, chip-embossed account number, or magnetic-stripe.
• Tell your acquirer that you have recovered a card and ask for further
instructions.
For cards that are inadvertently left at a merchant location and remain unclaimed,
merchants should follow the current acquirer procedures for contacting the
financial institution and sending in the card.
A Closer Look at the Visa Electron Card Security Features
Visa Electron is issued in different parts of the world* as a consumer debit, credit, or prepaid card; however, it is usually issued as a debit product. The Visa Electron card can be used for payment, at merchants with POS terminals, on the Internet, and for cash withdrawals at ATMs.
The Visa Electron card’s security features and acceptance procedures, however, are slightly different than the Visa card, as described below.
• The Visa Electron card is often unembossed, and the account number is laser-engraved or indent-printed.
• To deter key entry, the issuer may print only the first four digits of the Bank Identification Number (BIN) and the last four digits of the account number, instead of the entire 16-digit account number.
• The cardholder name and expiration date may not be displayed if the card was “instantly issued” at a bank branch.
• The dove hologram and ultraviolet dove are optional.
• The words “Electronic Use Only” must be printed on the front of the card.
• The signature panel may be on the front or back of the card.
• Electronic authorization is required for all Visa Electron transactions. This means the merchant must be able to perform the authorization by swiping the stripe through a POS terminal, inserting the chip card into the chip-reading device, or waving the card in front of a Visa payWave terminal. Key-entered authorizations are not allowed. If the magnetic-stripe is damaged or cannot be read by the terminal, the card cannot be used.
Visa member financial institutions issue Visa Electron in Africa, Asia, the Caribbean, Europe, the Middle East, and South America. Neither U.S. nor Canadian financial institutions issue Visa Electron, but Visa Electron cards are accepted at electronic merchants and ATMs in the U.S. and Canada.
*Visa Electron Card is only available in certain countries, but it can be used in all countries.
Internal and Merchant Staff Code 10 Setup Best Practices
It is up to the acquirer to make sure that Code 10 call procedures are clearly defined and communicated to internal staff members and merchants. Best practices in this area include the following:
• Develop and provide “quick reference” aids for merchants. This can include materials such as:
– POS stickers that provide contact telephone numbers.
– Merchant procedures for making Code 10 calls.
• Provide up-to-date educational resources to authorization center staff who
handle Code 10 calls. Make sure all staff members are familiar with the latest
card security features, changes in policy, etc.
• Consider implementing a speed dial service to make the Code 10 (and
referral) call process more efficient. This is particularly important for
overseas transactions.
After a Card is Received
Once a recovered card has been received, the acquirer must:
• Notify the issuer of the recovery situation.
• Complete a Recovered Card Advice and send it with the card, along with any
other pertinent information about the recovery.
• Mail the card to the issuer’s security contact within five calendar days.
Acquirers are also allowed to charge issuers a US $15 handling fee for each
returned card.
*Many Visa cards have a chip that communicates information to a POS terminal with a chip-reading device. If a chip reading device is
available, preference must always be given to chip card processing before attempting to swipe the stripe.
CVM Options
• Signature. Visa card programs bearing a chip are required to carry a
magnetic-stripe and a signature panel on the card. The signature still
remains the international default for cardholder verification and is also the
default for many domestic card transactions. Requirements for checking
signature-verified transactions in the chip environment remain the same as
they are today in the magnetic-stripe environment.
• PIN. The convenience and additional security of PIN entry to verify the
cardholder identity will become more prevalent for both domestic and
international Visa card transactions. Where PIN pads are deployed,
merchant training should include these points:
– The card and terminal interaction determines the appropriate cardholder
verification method and whether to prompt for a PIN.
– Because the card determines whether PIN entry is required on each
transaction, the lack of a terminal PIN prompt should not be considered
an error. The terminal will prompt for the PIN when the chip card requires
a PIN. The merchant should not request a PIN entry from the cardholder,
unless the terminal issues this prompt.
– Where a cardholder is required to enter a PIN, the secrecy of the PIN entry
must be maintained.
– When a transaction is PIN-based, Visa’s best practice is to not print a
signature line on the receipt. Merchants need to be aware that they should
not request a signature from the cardholder when a signature line is not
present on the receipt.
No Cardholder Verification Required
A chip card issuer has the ability to specify that a transaction may be completed, subject to other processing checks, without the need for the cardholder to provide a signature or enter a PIN. “No CVM required” is a valid cardholder verification option where both the terminal and card agree on this as the CVM option.
This option would typically be used in unattended terminal environments. An
issuer, however, may select this option in the event that fast processing of
offline-authorized transactions is required. Even when a card initiates a “No CVM
Required” for a particular type of terminal, that terminal may choose to default to
the cardholder verification method as specified for a magnetic-stripe transaction
to protect the transaction liability (e.g., signature at a POS or online PIN at an
ATM).
Offline Versus Online Authorized Transactions
In merchant locations where terminals with both offline and online authorization capability are deployed, merchants must be trained to understand that some transactions will be processed offline, while others will require online authorization. They should not view these differences as errors, or treat the transactions or customers differently. Merchants, however, should be aware that offline transactions may be faster than online transactions.
Other Transactions
Suspicious transactions, reversals and voids must be completed in the same way they are performed today, but via the chip—subject to individual acquirer requirements.
Other card security features may need checking at the point-of-sale, as
appropriate.
What’s Covered
• General Card-Absent Transaction Procedures
• Specific E-Commerce Transaction Requirements
• Asking for the Card Verification Value 2 Code
• Using with the Address Verification Service (U.S. and Canada)
• Using Verified by Visa
• Looking Out for Suspicious Orders
• A Closer Look at Recurring Transactions
Unique Data Requirements for Receipts
An Internet merchant must provide the cardholder with a transaction receipt. Acquirers, however, need to be aware of the following unique data requirements for transaction receipts and copy fulfillments for e-commerce transactions:
• Concealed cardholder account number. For e-commerce transactions, the
cardholder account number must not appear on the transaction receipt.
• Unique identification number. To assist in dispute resolution between the
cardholder and merchant, the merchant must assign a unique identification
number to the transaction and display it clearly on the transaction receipt.
• Website address. The merchant must always include its website address.
In addition, it is suggested that the transaction receipt include wording to
indicate that the cardholder should print or save the receipt for his records.
The Internet merchant can choose to send a separate e-mail message to the
cardholder containing this required information, or—as with mail and telephone
order transactions—send a physical receipt in the mail, or both.
To minimize cardholder inquiries, merchants are encouraged to send an online
acknowledgment of the transaction in addition to the transaction receipt.
CVV2
In the card-absent sales environment, CVV2 is an excellent tool for verifying that the customer has a legitimate Visa card in hand at the time of the sales order.** In some markets, CVV2 is required for all card-absent merchants.
How CVV2 Works
CVV2 is an important three-digit security feature for merchants who accept Visa cards as payment over the telephone or online. Located on the back of all Visa cards, the CVV2 code consists of the last three digits either printed on the signature panel or on a white box to the right of the signature panel.
4. Before completing the transaction, the merchant evaluates the CVV2 result code, taking into account the authorization decision and any other relevant or questionable data.
CVV2 result codes and the action to take:
• M – Match: Complete the transaction (taking into account all transaction characteristics and any questionable data).
• N – No Match*: View the “No-Match” as a sign of potential fraud and take it into account along with the authorization response and any other questionable data. Potentially hold the order for further verification.
• P – Not Processed: View the “Not Processed” as a systemic technical problem or the request did not contain all the information needed to verify the CVV2* code. Resubmit the authorization request.
• S – CVV2 should be on the card: Consider following up with your customer to verify that he or she checked the correct card location for CVV2. All valid cards are required to have CVV2 printed either in the signature panel or on a white box to the right of the signature panel.
• U – Issuer does not participate in the CVV2 service: Evaluate all available information and decide whether to proceed with the transaction or investigate further.
*In some markets, if the transaction is approved, but the CVV2 response is a no match, the merchant is protected against fraud chargebacks.
**For more information regarding the Zero Amount Account Number Verification Service, contact your merchant bank.
What is AVS?
AVS* allows card-absent merchants to check a Visa cardholder’s billing address with the card issuer. An AVS request includes the billing address (street address and/or zip or postal code). It can be transmitted in one of two ways: (1) as part of an authorization request, or (2) by itself. AVS checks the address information and provides a result code to the merchant that indicates whether the address given by the cardholder matches the address on file with the issuer.
AVS can only be used to confirm addresses in the United States and Canada. For other countries it is optional for the card issuers to participate in AVS.
2. The merchant:
– Confirms the usual order information.
– Asks the customer for the billing address (street address and/or zip or postal code) for the card being used (i.e., the address is where the customer’s monthly Visa statement is sent for the card being used).
– Enters the billing address and the transaction information into the authorization request system and processes both requests at the same time.
3. The issuer makes an authorization decision separately from the AVS request and compares the cardholder billing address sent with the billing address for that account. The issuer then returns both the authorization response and a single character alphabetic code result that indicates whether the address given by the cardholder matches the address on file with the card issuer.
AVS Result Codes
One of the following AVS result codes will be returned to the merchant indicating the issuer’s response to the AVS request. A merchant’s bank may modify these single character alpha AVS codes to make them more self-explanatory—for example, a “Y” response may be shown as an “exact match” or as a “full match,” while an “N” response may be shown as a “no match.”
Code and definition (each of the codes below applies to both domestic and cross-border transactions):
• A – Street addresses match. The street addresses match but the postal or ZIP codes do not, or the request does not include the postal or ZIP code.
• B – Street addresses match. Postal or ZIP code not verified due to incompatible formats. (Merchant bank sent both street address and postal or ZIP code.)
• C – Street address and postal code or ZIP code not verified due to incompatible formats. (Merchant bank sent both street address and postal or ZIP code.)
Guidelines for Using U.S. and Non-U.S. Country AVS Result Codes
While Visa cannot recommend any particular approach, the following general guidelines are drawn from card-absent industry practices and may be helpful. Merchants should establish their own policy regarding the handling of transactions based on AVS* result codes.
Each entry gives the U.S. code, the international code, the definition and explanation, and actions to consider.
• Y (U.S.) / DM (Int’l.) – Exact Match. Both street address and ZIP or Postal Code match. Generally speaking, merchants will want to proceed with transactions for which they have received an authorization approval and an “exact match.”
• A (U.S.) / B (Int’l.) – Partial Match. Street address matches, but ZIP or Postal Code does not. Merchants may want to follow up before shipping merchandise. The issuer might have the wrong ZIP or Postal Code in its file; merchant staff may have entered the ZIP or Postal Code incorrectly; or this response may indicate a potentially fraudulent situation.
• Z (U.S.) / P (Int’l.) – Partial Match. ZIP Code matches, but street address does not. Unless a merchant sent only a ZIP or Postal Code AVS request and it matched, the merchant may want to follow up before shipping merchandise. The issuer may have the wrong address in its file or have the same address information in a different format; the cardholder may have recently moved; merchant staff may have entered the address incorrectly; or this response may indicate a potentially fraudulent situation.
• N (U.S.) / N (Int’l.) – No Match. Street address and ZIP or Postal Code do not match. Merchants will probably want to follow up with the cardholder before shipping merchandise. The cardholder may have moved recently and not yet notified the issuer; the cardholder may have given you the shipping address instead of the billing address; or the person may be attempting to execute a fraudulent transaction. “No match” responses clearly warrant further investigation.
AVS result codes and explanation provided here are meant to give merchants
enough information to make their own determination of what works best for their
environment. How one merchant treats these codes may be different than the
way another merchant may choose to interpret them.
On ZIP or Postal Code only requests and P.O. Box addresses, issuers may respond
either with a “Y” (Exact Match) or a “Z” (Partial Match — ZIP Code/Postal Code
Matches).
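As an added example that is not from the manual, the following combines the CVV2 result-code table and the AVS guidelines above into one decision routine for a card-absent order, so that both checks are weighed together with the authorization response as the text recommends. The code-to-action mapping follows the two tables; the Action names, the severity ordering used to combine the two verdicts, and the special case for ZIP-only AVS requests are assumptions made for this example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Action(Enum):
    PROCEED = "proceed with the order"
    REVIEW = "hold the order for manual review"
    RESUBMIT = "resubmit the authorization request"
    DECLINE = "do not fulfil; a declined transaction must not be deposited"


# CVV2 result codes from the manual's table (M, N, P, S, U).
CVV2_ACTIONS = {
    "M": Action.PROCEED,
    "N": Action.REVIEW,     # no match: treat as a sign of potential fraud
    "P": Action.RESUBMIT,   # not processed: technical problem or incomplete request
    "S": Action.REVIEW,     # CVV2 should be on the card; confirm with the customer
    "U": Action.PROCEED,    # issuer does not participate; decide on the other data
}

# AVS codes from the guidelines table: U.S. code and its international equivalent.
AVS_ACTIONS = {
    "Y": Action.PROCEED, "DM": Action.PROCEED,   # exact match
    "A": Action.REVIEW, "B": Action.REVIEW,      # street matches, ZIP/postal does not
    "Z": Action.REVIEW, "P": Action.REVIEW,      # ZIP/postal matches, street does not
    "N": Action.REVIEW,                          # no match
}

# Assumed severity ordering: the stricter of the two verdicts wins.
_SEVERITY = {Action.PROCEED: 0, Action.REVIEW: 1, Action.RESUBMIT: 2, Action.DECLINE: 3}


@dataclass(frozen=True)
class AuthOutcome:
    approved: bool
    cvv2: Optional[str]             # None when no CVV2 was submitted
    avs: Optional[str]              # None when AVS is unavailable (outside U.S./Canada)
    zip_only_request: bool = False  # the merchant sent only the ZIP/postal code to AVS


def evaluate(outcome):
    """Return (Action, reasons) for one card-absent order."""
    if not outcome.approved:
        return Action.DECLINE, ["authorization declined"]
    verdicts, reasons = [], []
    if outcome.cvv2 is None:
        verdicts.append(Action.REVIEW)
        reasons.append("no CVV2 submitted")
    else:
        verdicts.append(CVV2_ACTIONS.get(outcome.cvv2, Action.REVIEW))  # unknown code: review
        reasons.append(f"CVV2 result {outcome.cvv2}")
    if outcome.avs is None:
        reasons.append("AVS not available for this issuer")
    else:
        act = AVS_ACTIONS.get(outcome.avs, Action.REVIEW)
        if outcome.zip_only_request and outcome.avs in ("Z", "P"):
            act = Action.PROCEED  # only a ZIP/postal code was sent, and it matched
        verdicts.append(act)
        reasons.append(f"AVS result {outcome.avs}")
    return max(verdicts, key=_SEVERITY.__getitem__), reasons
```

A RESUBMIT verdict from a CVV2 "P" outranks any AVS verdict, because the order cannot be judged until the CVV2 has actually been processed; after resubmission the new outcome is evaluated again from the start.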
What is Verified by Visa?
Verified by Visa was designed to serve as one of Visa’s “multiple layers of security” by providing cardholder authentication for online, Internet transactions. Based on the 3-D Secure protocol, the Verified by Visa service verifies the authenticity of cardholders to participating merchants. It allows cardholders to choose a password through their card issuer, and use it to authenticate themselves while making a purchase. This helps ensure that their card number cannot be fraudulently used at an Internet merchant website.
Cardholders sign up for the Verified by Visa service through their issuing financial
institution and choose their own personal password to authenticate themselves
online.
To verify the following, use:
• Card information: Use Visa Account Updater (VAU).
• Cardholder billing address: Use AVS* (if available).
• Card authenticity: Submit CVV2 as part of the authorization request.
• Cardholder’s authenticity online: Implement Verified by Visa.
• Check the authorization response and take the appropriate action based on the response. If you receive a decline response for any reason other than “lost”, “stolen”, or “pick-up”, you may retry the authorization if it is cost-effective for your business to do so. Note: An authorization may be retried up to a maximum of four times within 16 calendar days of the original request.
• Ensure that all applicable state or federal laws are followed when establishing this agreement with the cardholder. Visa recommends the merchant consult with their own legal counsel.
In determining the number and frequency of authorization attempts, merchants should take into account, among other factors, the incremental cost of retrying the authorization and the transaction amount. The Visa International Operating Regulations prohibit depositing a declined transaction. To view a copy of the Visa International Operating Regulations, visit www.visa.com.
Voice plus is often used by merchants to capture the cardholder’s voice or key tones as confirmation.
Customer Satisfaction Best Practices
• Provide customers with a toll-free phone number, an e-mail address, and/or easy to find (and use) online procedures for cancelling recurring transactions.
• Train sales and customer service staff on the proper procedures for
processing recurring transactions. This is important as these transactions are
particularly customer service sensitive.
• Fully disclose all necessary transaction terms and conditions.
VAU Service Best Practices
Utilize the VAU service to verify that the cardholder’s on-file information, account number, and/or expiration date, are correct.
• Keep the expiration date on file and include the expiration date in all authorization requests.
• To reduce possible fraud, use the AVS (if available) on every transaction.
• Ensure that all recurring transactions are identified with a unique processing code (“50”), market-specific authorization data indicator (“B”) and electronic commerce indicator (“2” for recurring or “3” for installment).
• Notify the customer of the transaction before or at the time of billing.
• Put proper controls in place to protect account and transaction information. All merchants must meet the Payment Card Industry (PCI) Data Security Standard (DSS) basic requirements.
• Do not store CVV2* data.
To minimize chargebacks and transaction processing costs, submit transaction payment information to your processor in a timely manner.
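As an added example (not the manual's own code), the helper below serves two passages in this section: it builds a recurring-billing authorization request carrying the three indicator values listed above (processing code “50”, market-specific authorization data indicator “B”, electronic commerce indicator “2” or “3”) and checks that no CVV2 is stored with it, and it applies the retry rule from the authorization-response bullet earlier in the section (no retry after a “lost”, “stolen” or “pick-up” decline; at most four retries within 16 calendar days of the original request). The field names other than the three indicator values, the attempt record and the response strings are assumptions for this example, not a real message format.

```python
from dataclasses import dataclass
from datetime import date, timedelta

MAX_RETRIES = 4               # an authorization may be retried up to four times ...
RETRY_WINDOW_DAYS = 16        # ... within 16 calendar days of the original request
NO_RETRY_RESPONSES = {"lost", "stolen", "pick-up"}


def build_recurring_auth(card_token, expiry_yymm, amount_cents, installment=False, avs_zip=None):
    """Authorization request for a recurring or installment billing (assumed field names)."""
    return {
        "card_token": card_token,       # stored reference to the account; CVV2 is never stored
        "expiry": expiry_yymm,          # keep the expiration date on file and send it every time
        "amount_cents": amount_cents,
        "processing_code": "50",        # unique processing code for recurring transactions
        "msad_indicator": "B",          # market-specific authorization data indicator
        "eci": "3" if installment else "2",  # electronic commerce indicator
        "avs_zip": avs_zip,             # use AVS on every transaction where it is available
    }


def validate_recurring_auth(req):
    """List the problems with a request before it is sent to the processor."""
    problems = []
    if req.get("processing_code") != "50":
        problems.append("processing code must be 50")
    if req.get("msad_indicator") != "B":
        problems.append("market-specific authorization data indicator must be B")
    if req.get("eci") not in ("2", "3"):
        problems.append("electronic commerce indicator must be 2 (recurring) or 3 (installment)")
    if not req.get("expiry"):
        problems.append("expiration date missing")
    if "cvv2" in req:
        problems.append("CVV2 must not be stored or sent with recurring billings")
    return problems


@dataclass(frozen=True)
class Attempt:
    on: date
    response: str   # "approved", "declined", or a decline reason such as "pick-up"


def may_retry(attempts, today):
    """attempts are chronological; attempts[0] is the original request."""
    if not attempts:
        return False, "no original request"
    last = attempts[-1]
    if last.response == "approved":
        return False, "already approved; nothing to retry"
    if last.response in NO_RETRY_RESPONSES:
        return False, f"decline reason '{last.response}' must not be retried"
    retries_used = len(attempts) - 1
    if retries_used >= MAX_RETRIES:
        return False, f"retry limit of {MAX_RETRIES} reached"
    deadline = attempts[0].on + timedelta(days=RETRY_WINDOW_DAYS)
    if today > deadline:
        return False, f"retry window closed on {deadline.isoformat()}"
    return True, f"retry {retries_used + 1} of {MAX_RETRIES} permitted until {deadline.isoformat()}"


def sample_retry_decisions(today=date(2024, 6, 10)):
    """Constructed attempt histories run through may_retry for one fixed 'today'."""
    d0 = date(2024, 6, 1)
    histories = {
        "one_decline": [Attempt(d0, "declined")],
        "limit_reached": [Attempt(d0, "declined")] + [Attempt(date(2024, 6, 2), "declined")] * 4,
        "pick_up": [Attempt(d0, "pick-up")],
        "approved": [Attempt(d0, "declined"), Attempt(date(2024, 6, 2), "approved")],
        "window_closed": [Attempt(date(2024, 5, 1), "declined")],
    }
    return {name: may_retry(h, today)[0] for name, h in histories.items()}
```

Whether a permitted retry is worth making is still a cost decision for the merchant, as the text notes; the helper only enforces the hard limits, and a declined attempt is never deposited.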
What’s Covered
• Merchant Fraud Defined
• Bust-Out Merchants
• Laundering (Factoring)
• Telemarketing Fraud
• Credit and Cash-Advance Schemes
• Counterfeit Cards
• Skimming Attacks
• System Intrusion and Data Compromise
• White Label ATM Scams
• Pinpointing the Common Point of Purchase (CPP)
• Account Testing
• Understanding Key-Entered Fraud
• Managing Inactive Merchant Accounts
In the past few years, bankcard fraud globally has undergone a gradual, very
significant transformation for acquirers. Systems to detect cardholder fraud,
the types of fraud that primarily affect Issuers, have become more effective and
harder for criminals to circumvent.
As a result, fraud involving merchant locations, with and without a merchant’s
knowledge or active participation, has become more prevalent and the scams and
perpetrators committing them are more sophisticated and elusive. Old fashioned
laundering schemes, targeting smaller retail merchant outlets, still occur but they
are being steadily overshadowed by hi-tech scams run by international crime
organizations who often work in cooperation.
Underestimating the ingenuity or capabilities of these modern-day bandits is a
risk few acquirers can afford to take. While certain scams may be associated with
a specific sales environment, card-present, mail order/telephone order (MO/TO),
or Internet, current evidence suggests that criminals can and will quickly exploit
any market where merchants or acquirers seem vulnerable.
Types of Merchant Fraud
Here is a snapshot of the most common types of merchant fraud that acquirers are currently encountering. Each of these merchant fraud classifications is explained in more detail on the following pages.
• Bust-out Merchants. A criminal opens what appears to be a legitimate
merchant account with an acquirer, and after a brief period of seemingly
normal sales activity, suddenly processes a large volume of fraudulent
transactions—using fake or stolen account information. The merchant
receives payment and then disappears. Bust-out merchants often work in
collusion with other merchants using valid card information. A bust-out
merchant is just as likely to be found operating online as out of a traditional
storefront location.
• Laundering (Factoring). A business with a valid merchant agreement
with an acquirer deposits transactions for a company without a merchant
account. The unsigned business offers the valid merchant a percentage
of the sales amount (from one percent to 20 percent) to process the
unsigned company’s transactions. Usually these transactions are fraudulent
and involve stolen account information. The unsigned business abruptly
disappears, leaving the legitimate business to contend with chargebacks it
may not be able to cover.
• Telemarketing Fraud. Criminals make mail or telephone solicitations to
either obtain valid cardholder account information or to charge unauthorized
sales to a valid account.
Bust-Out Merchants
Identifying Bust-Out Merchants
Some acquirers have reported that the following indicators can be helpful in identifying ongoing bust-out schemes:
• Large, even-dollar transactions (this is common to many current schemes)
• Excessive declines
• Sudden excessive volume decreases
• ANI mismatch with a telephone number associated with that merchant
account
• Multiple merchant accounts using the same principal name, address, and
Social Security number
• Merchant types most often associated with merchant bust-out fraud:
– Small grocery store and meat markets
– Clothing, jewelry, or electronics stores
– Leather goods
– Limousine services
– Auto repair
– New insurance brokers
• Merchants are often signed by the same Third-Party Agent.
Laundering (Factoring)
What is Laundering (Factoring)?
The term “laundering” (also known as factoring) refers to any situation where a business that has a valid merchant agreement with an acquirer deposits transactions for a company without a merchant account. These scams are used to process fraudulent or other high-risk transactions through a legitimate business location and are often targeted at small, less sophisticated merchants who may be truly unaware of the financial and legal exposure they are facing.
The unsigned merchant may be a fraudulent business fronting for a criminal
organization, or a company which, for a variety of reasons, may be unable or
unwilling to get a valid agreement—for example, a high-risk telemarketer
operating on the edge of legality.
Telemarketing Fraud
What is Telemarketing Fraud?
Telemarketing fraud is a classic scam in which mail, telephone, or Internet order solicitations are used for fraudulent purposes—either to obtain valid cardholder information for fraudulent transactions, or to charge unauthorized sales to a valid account. The businesses involved in these schemes may be run by outright criminals, or the perpetrators may simply be unethical merchants who are pushing the limits of legality.
How Telemarketing Scams Work
There are many different kinds of telemarketing scams related to bankcard fraud. Some of the more common scams include the following:
• Phony Contests or “Too Good To Be True” Product Offers. In a typical scam,
consumers receive mail, phone calls, or e-mail messages announcing that
they have “won” a vacation to Hawaii, Acapulco, or some other exotic
location. In other cases, vitamins, water purifiers, or travel packages are sold
at “fantastic” discounts. There is, however, always a catch. The contest or
product is available for a limited time only, and another small purchase or
“handling fee”—which must be paid by credit card—is required immediately.
Using high-pressure sales tactics or trickery, the telemarketers persuade
consumers to give them their Visa account numbers and other personal
information. The cardholder is then billed for merchandise which is never
delivered or turns out to be shoddy and substandard.
• Lottery Ticket Sales. Generally these scams target the elderly, and often the
telemarketers don’t even purchase lottery tickets with the money they
collect.
• Credit Card Protection. While many firms offering credit card protection are
legitimate, there are criminals who will contact and misrepresent themselves
to cardholders as employees of Visa or a Visa member. The perpetrators use
deceptive practices to get cardholders to buy a “protection package” and
often make it difficult to cancel the sale.
• Pyramid Schemes. These plans purport to offer products—or even Visa
cards—in exchange for a membership fee and participation in a “multilevel-
marketing” plan. The new member must recruit others to the plan; often no
products exchange hands, however, and the acquirer is left with chargebacks
once consumers discover they have been defrauded.
Handling Telemarketing Fraud Disputes
When the transaction is disputed with the cardholder’s issuing bank, the result is usually a chargeback to the acquirer. Chargeback categories associated with these scams include “Fraudulent Transaction – Card Absent Environment,” “No Authorization,” “Not As Described or Defective Merchandise” and “Services Not Provided or Merchandise Not Received.” Of course, by the time the acquirer receives the chargebacks, the fraudulent telemarketers may have emptied their account and disappeared. The valid account numbers they obtained will turn up weeks or months later in other fraud scams.
Credit Schemes Without Merchant Involvement
The latest fraud attack on acquirers involves scams where the perpetrator uses a legitimate merchant’s account information to issue the credits. The perpetrator then uses the credits to make large purchases or cash advances or—in the case of debit cards—closes his or her checking account once the credits are posted and the funds are withdrawn. In both cases, the acquirer is left with potential liability for the fraud.
Three methods are currently being used to effect this fraud scheme:
• The perpetrator “takes over” a merchant account by either obtaining a new or
additional terminal through misrepresentation to the acquirer, or convincing
the acquirer to reprogram a “phantom” terminal over the telephone. The
individual then uses the terminal to deposit credits into his or her own, or
a co-conspirator’s personal Visa account, along with enough fraudulent
transactions using other account numbers to offset the credit amount. This
ensures against deposit spikes appearing in the acquirer’s monitoring system.
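As an added example that is not part of the manual, the monitoring routine below serves both the Identifying Bust-Out Merchants indicators earlier in this chapter and the credit scheme just described. Over a constructed merchant portfolio it flags large even-dollar sales, sudden volume increases or decreases against the prior deposit period, credits out of proportion to current sales, repeated credits to the same account (the pattern that survives when fraudulent sales are added to mask a deposit spike), merchant accounts sharing the same principal, address and tax ID, and third-party agents who signed more than one flagged merchant. The profile layout, the thresholds and the sample figures are assumptions for this example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    merchant: str
    period: str        # "prior" or "current" deposit period
    kind: str          # "sale" or "credit"
    amount_cents: int
    account: str       # tokenized cardholder account (constructed)


@dataclass(frozen=True)
class Profile:
    merchant: str
    principal: str
    address: str
    tax_id: str
    agent: str         # third-party agent that signed the merchant


def _sales(merchant, period, amounts, accounts):
    return [Txn(merchant, period, "sale", a, acct) for a, acct in zip(amounts, accounts)]


# Constructed sample portfolio; none of these are real merchants or transactions.
SAMPLE_PROFILES = [
    Profile("M1", "J. Doe", "12 Elm St", "TAX-001", "AGT-7"),
    Profile("M2", "R. Roe", "9 Oak Ave", "TAX-002", "AGT-7"),
    Profile("M3", "S. Poe", "4 Pine Rd", "TAX-003", "AGT-2"),
    Profile("M4", "J. Doe", "12 Elm St", "TAX-001", "AGT-7"),  # same principal as M1
]
SAMPLE_TXNS = (
    # M1: small prior volume, then a surge of large even-dollar sales (bust-out pattern)
    _sales("M1", "prior", [2350, 1899, 4120], ["c1", "c2", "c3"])
    + _sales("M1", "current", [50000, 100000, 75000, 200000, 100000, 50000],
             ["c4", "c5", "c6", "c7", "c8", "c9"])
    # M2: sales that roughly offset repeated credits to one account (credit-scheme pattern)
    + _sales("M2", "prior", [34990, 12550, 89990, 21990], ["c10", "c11", "c12", "c13"])
    + _sales("M2", "current", [45250, 52175, 38390, 61420, 49015, 55310],
             ["c14", "c15", "c16", "c17", "c18", "c19"])
    + [Txn("M2", "current", "credit", 50000, "c99") for _ in range(3)]
    # M3: steady ordinary activity
    + _sales("M3", "prior", [1299, 2499, 899, 1599], ["c20", "c21", "c22", "c23"])
    + _sales("M3", "current", [1399, 2599, 999, 1699], ["c24", "c25", "c26", "c27"])
)


def check_merchant(merchant, txns, even_share=0.5, large_cents=10000, credit_ratio=0.2,
                   same_account_credits=2, surge=3.0, drop=0.4):
    """Return the indicator descriptions that fire for one merchant."""
    sales = [t for t in txns if t.merchant == merchant and t.kind == "sale"]
    credits = [t for t in txns if t.merchant == merchant and t.kind == "credit"]
    reasons = []
    if sales:
        even = sum(1 for t in sales if t.amount_cents % 100 == 0 and t.amount_cents >= large_cents)
        if even / len(sales) >= even_share:
            reasons.append(f"{even} of {len(sales)} sales are large even-dollar amounts")
    prior = sum(t.amount_cents for t in sales if t.period == "prior")
    current = sum(t.amount_cents for t in sales if t.period == "current")
    if prior and current > surge * prior:
        reasons.append("sudden volume increase versus prior period")
    if prior and current < drop * prior:
        reasons.append("sudden volume decrease versus prior period")
    credit_total = sum(t.amount_cents for t in credits if t.period == "current")
    if current and credit_total > credit_ratio * current:
        reasons.append(f"credits are {credit_total / current:.0%} of current sales")
    for acct, n in Counter(t.account for t in credits).items():
        if n >= same_account_credits:
            reasons.append(f"{n} credits issued to the same account {acct}")
    return reasons


def shared_identities(profiles):
    """Merchant accounts sharing principal name, address and tax ID."""
    groups = defaultdict(list)
    for p in profiles:
        groups[(p.principal, p.address, p.tax_id)].append(p.merchant)
    return sorted(sorted(ms) for ms in groups.values() if len(ms) > 1)


def review_portfolio(txns, profiles):
    """Flags per merchant, shared-identity groups, and agents with several flagged merchants."""
    flags = {p.merchant: check_merchant(p.merchant, txns) for p in profiles}
    by_agent = defaultdict(list)
    for p in profiles:
        if flags[p.merchant]:
            by_agent[p.agent].append(p.merchant)
    return {
        "flags": flags,
        "shared_identity": shared_identities(profiles),
        "agents": {a: sorted(ms) for a, ms in by_agent.items() if len(ms) > 1},
    }
```

Amounts are kept in cents so the even-dollar test is an exact integer check; the same-account credit check is the one that still fires when a perpetrator pads the deposit with fraudulent sales to keep the credit ratio and the volume curve looking normal.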
Merchant Account Protection Best Practices
To safeguard merchant accounts from credit scheme fraud exposure, the following best practices are recommended:
• Verify any requested change to a merchant account with the known business owner or an authorized merchant manager.
• Generate a call to the known business owner(s) to confirm the requests for
terminal service—e.g., adding, replacing, or reprogramming terminals.
• Conduct a site inspection when there is a merchant address change or the
addition of new locations.
• Conduct a new credit review and a call to the known business owner(s)
when there are changes to the merchant’s Direct Deposit Account. In
addition to fraud, these changes can signal an ownership change, bankruptcy,
or other credit-related issue. In today’s financial services environment, where
payments are made by wire, unauthorized changes to a merchant Direct
Deposit Account is an easy way to quickly and thoroughly defraud a
legitimate merchant.
• When confirming merchant ownership, make sure the information
gathered includes the current business tax ID, as well as the current
financial institution name and account number of the Direct Deposit
Account. All changes should be confirmed in writing on an original
document that includes a signature from the person currently authorized
to sign for any change request.
Counterfeit Cards
Skimming Attacks
Types of Attacks and Intrusions
It is often difficult to detect when a system has been attacked or a server intrusion has taken place. Distinguishing normal events from those that are related to an attack or intrusion is a critical part of maintaining a secure payment processing environment.
Security breaches come in many different forms and, while detecting them
may be challenging, there are certain signs that tend to appear when a security
breach has occurred:
• Unknown or unexpected outgoing Internet network traffic from the payment
card environment
• Presence of unexpected IP addresses on store and wireless networks
• Unknown or unexpected network traffic from store to headquarter locations
• Unknown or unexpected services and applications configured to launch
automatically on system boot
• Unknown files, software and devices installed on systems
• Anti-virus programs malfunctioning or becoming disabled for unknown
reasons
• Failed login attempts in system authentication and event logs
• Vendor or third-party connections made to the cardholder environment
without prior consent and/or a trouble ticket
• SQL Injection attempts in web server event logs
• Authentication event log modifications (i.e., unexplained event logs are being
deleted)
• Suspicious after-hours file system activity (i.e., user login or after-hours
activity to POS server)
• Presence of .zip, .rar, .tar, and other types of unidentified compressed files
containing cardholder data
• Presence of a rootkit, which hides certain files and processes in, for example,
Explorer, the Task Manager, and other tools or commands
• Systems rebooting or shutting down for unknown reasons
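As an added example that is not from the manual, the triage routine below turns several of the signs listed above into checks over a constructed event log: bursts of failed logins, SQL injection attempts in web server requests, authentication logs being cleared, compressed archives appearing on a POS host, and after-hours activity on POS servers. The key=value log format, the host names and the thresholds are assumptions for this example; in practice the same checks would be fed from the real authentication, web and file-audit sources.

```python
import re
from collections import Counter
from datetime import datetime, time

# Constructed sample events (ISO timestamp, then key=value pairs); not logs from the manual.
SAMPLE_LOG = r"""
2024-05-20T09:00:00 host=WS-12 type=auth result=OK user=clerk src=10.0.5.21
2024-05-20T13:01:00 host=WEB1 type=web src=203.0.113.7 status=200 uri="/items.php?id=1"
2024-05-20T13:01:07 host=WEB1 type=web src=203.0.113.7 status=500 uri="/items.php?id=1' UNION SELECT 1,2,3--"
2024-05-20T23:12:05 host=POS-SRV type=auth result=FAIL user=admin src=10.0.5.9
2024-05-20T23:12:09 host=POS-SRV type=auth result=FAIL user=admin src=10.0.5.9
2024-05-20T23:12:14 host=POS-SRV type=auth result=FAIL user=admin src=10.0.5.9
2024-05-20T23:12:20 host=POS-SRV type=auth result=FAIL user=admin src=10.0.5.9
2024-05-20T23:12:27 host=POS-SRV type=auth result=FAIL user=admin src=10.0.5.9
2024-05-20T23:12:35 host=POS-SRV type=auth result=FAIL user=admin src=10.0.5.9
2024-05-20T23:13:20 host=POS-SRV type=auth result=OK user=admin src=10.0.5.9
2024-05-20T23:30:00 host=POS-SRV type=audit event=log_cleared user=admin
2024-05-20T23:40:00 host=POS-SRV type=file action=create path=C:\temp\track.rar user=admin
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Common injection fragments a defender looks for in request URIs (detection only).
SQLI_RE = re.compile(r"(?i)(union\s+select|'\s*or\s+'|--\s*$|;\s*(?:drop|insert|update)\b|sleep\s*\(|%27)")
ARCHIVE_EXT = (".zip", ".rar", ".tar", ".7z", ".gz")


def parse_line(line):
    ts, _, rest = line.partition(" ")
    event = {"ts": datetime.fromisoformat(ts)}
    for key, value in KV_RE.findall(rest):
        event[key] = value.strip('"')
    return event


def parse_log(text):
    return [parse_line(l) for l in text.strip().splitlines() if l.strip()]


def failed_login_bursts(events, threshold=5):
    """(host, source, count) for sources with many failed logins against one host."""
    counts = Counter((e["host"], e["src"]) for e in events
                     if e.get("type") == "auth" and e.get("result") == "FAIL")
    return sorted((h, s, n) for (h, s), n in counts.items() if n >= threshold)


def sqli_attempts(events):
    """Sources whose web requests contain SQL injection fragments."""
    return sorted({e["src"] for e in events
                   if e.get("type") == "web" and SQLI_RE.search(e.get("uri", ""))})


def log_clearing(events):
    """Hosts where an audit/authentication log was cleared."""
    return sorted({e["host"] for e in events
                   if e.get("type") == "audit" and e.get("event") == "log_cleared"})


def archives_on_pos(events):
    """Compressed files created on POS hosts; candidates for staged cardholder data."""
    return sorted(e["path"] for e in events
                  if e.get("type") == "file" and e.get("host", "").startswith("POS")
                  and e["path"].lower().endswith(ARCHIVE_EXT))


def after_hours_pos_activity(events, start=time(22, 0), end=time(6, 0)):
    """Successful logins, audit and file events on POS hosts between 22:00 and 06:00."""
    found = []
    for e in events:
        if not e.get("host", "").startswith("POS"):
            continue
        if e.get("type") == "auth" and e.get("result") == "FAIL":
            continue  # already counted by failed_login_bursts
        t = e["ts"].time()
        if t >= start or t < end:
            found.append((e["ts"].isoformat(), e.get("type")))
    return found


def triage(text):
    events = parse_log(text)
    return {
        "failed_login_bursts": failed_login_bursts(events),
        "sqli_attempts": sqli_attempts(events),
        "log_cleared": log_clearing(events),
        "archives_on_pos": archives_on_pos(events),
        "after_hours_pos_activity": after_hours_pos_activity(events),
    }
```

In the sample, the sequence on POS-SRV is the one the manual warns about: a burst of failed logins, a success, the audit log being cleared, then an archive appearing, all outside business hours; each check alone is a weak signal, and it is their concentration on one host in one night that should open an incident.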
What is White Label ATM Fraud?
White-label ATM fraud involves non-legitimate cash-dispensing machines that have been set up by criminals for the sole purpose of capturing cardholder bankcard account and PIN data.
How Does a White-Label ATM Scam Work?
White-label ATMs are private cash-dispensing machines that can be legitimately purchased by non-banking entities. These machines are typically installed in various locations, such as malls, hotel lobbies, mini-markets, etc. In legitimate operations, private companies that own white-label ATMs contract with various ATM network systems to accept and process their transactions. In a non-legitimate situation, a criminal may purchase one of these machines and set it up to skim the bankcards and capture the account numbers and associated PINs for counterfeiting purposes.
This is a typical scheme used by Eastern European organized crime. In the past,
the industry has seen crime rings lease gasoline stations and post a performance
bond. In most cases, the gas station will operate for four to six months. During
this time, both credit and debit cards are skimmed as they are swiped at the
gas pump dispensers. None of the cards are fraudulently used while the gas
station is in operation. At the end of the four- to six-month operation, however,
the criminals walk away from the gas station and forfeit the bond. During the
next long weekend, a well-organized attack of the payment card system occurs;
hundreds of cards are used in a three-day span by multiple fraudsters. Most of
the transactions are ATM cash advances–withdrawn after the empty-envelope
deposits have been made to inflate balances. The debit cards are initially the
target of the group. The credit accounts are either sold to other crime groups or
are held for a period of time.
Issuer CPP Requirements
Issuers are usually the first to detect the signs of suspicious activity
associated with skimming, but acquirers should also be familiar with the basic
characteristics of potentially skimmed transactions. Acquirers have to rely on
data provided by issuers. Consequently, issuers must have a process to confirm
fraudulent skimmed counterfeit transaction activity that includes the following
minimum criteria:
• The authorization data includes a POS Entry Mode Code 90.
• The CVV in the authorization message matches the code on file with the
issuer.
• The cardholder is in possession of all valid cards and can verify that the suspect
transaction was not made by him- or herself, or by anyone else with access to
valid cards, such as a family member or friend.
• All alternative fraud types have been eliminated.
Issuers must also prepare documentation about how the CPP was identified and
forward this documentation to the acquirer and the acquirer’s Visa region. The
documentation must provide the following information about the issuer:
– Issuer’s name.
– Issuer’s contact including:
- Name.
- Telephone number.
- FAX number.
– Acquirer’s BIN.
Acquirer CPP Requirements
On the acquiring side, it is important to investigate CPPs. When notified of
an identified CPP, it is the acquirer’s responsibility to conduct a thorough
investigation of the alleged skimming activity at the identified CPP merchant and
ask the following questions:
– How was the account compromised? Was it an isolated case of skimming
or a data compromise?
– Who was responsible?
– What is the basis of determination?
Acquirers are also responsible for the following reports:
– A preliminary report is required within 10 calendar days from the date the
issuer or Visa region notified the acquirer.
– A final report is required within 30 days after the acquirer has taken
action.
If an acquirer terminates a merchant because of skimming activity, that acquirer
must list the merchant on the Terminated Merchant File (TMF).
Account Testing
How Does Account Testing Work?
Like skimming, account testing often occurs at merchant locations, but may not
involve a business’ principals or collusive employees. In a common scenario, a
criminal will test a stolen or counterfeit card on an Internet site to determine
whether the account is blocked and—in the case of counterfeit—whether the
issuer checks expiration dates in the authorization process. Then to determine
whether the CVV is checked, he/she will use a re-encoded card to buy a few
dollars’ worth of gas at a cardholder-activated pump. In other cases, lists of
account numbers may be run through a bust-out merchant or spoof site. In these
schemes, the accounts being tested will be submitted for authorization only; few,
if any, completed transactions will be processed from the site.
Criminals may also test accounts by gaining access to a merchant’s
transaction-processing system in other ways, for example, by getting a business’s
merchant account number and the phone number for its authorization center. This
information is often posted near POS terminals and is relatively easy to copy
down, or it may be provided by a collusive employee. Fake transactions can then
be called into the authorization center from a public pay phone, stolen cell
phone, or any other hard-to-trace location.
At many authorization centers today, calls are answered by automated
voice-response units, which makes early detection of these scams even more
difficult. The lack of human interface prevents authorization agents from
speaking directly with customers and identifying account testing or other
potentially suspicious calls.
Inactive Account Signs of Fraud
On the other hand, an inactive account can signal one of two fraud schemes:
• A bust-out scam, in which a fraudulent merchant signs with several acquirers
simultaneously, moving from one to the next as the scam is perpetrated or
detected.
• The fraudulent diversion of the merchant’s deposits to a bogus merchant
account with another acquirer. In this scheme, an individual claiming to
represent the acquirer tells the merchant that he or she needs to replace or
reprogram the POS terminals. The funds are then routed to an account that
individual has set up elsewhere, and neither the merchant nor the legitimate
acquirer sees the deposit.
In some circumstances a genuine merchant may also become inactive for a number
of reasons. Merchants that rely on tourism trade, for example, will generally
have very seasonal active and inactive periods. Inactivity could also be a sign
of the merchant’s business failing; for this reason, it is essential to
investigate periods of inactivity, as a merchant is more likely to act
collusively with criminals if the business is not doing well. It is not always
profitable to keep inactive merchants, as you carry the costs and risks
associated with the POS equipment and services without the profit from a healthy
level of sales.
Acquirers should have exception monitoring in place to flag inactive accounts,
and follow up on all such exceptions with the known business owner (as
described in the next chapter).
What’s Covered
• New Merchant Monitoring
• Ongoing Merchant Monitoring
• Periodic Merchant Reviews
• Identifying and Following Up on Suspicious Activity
Daily Reviews of Merchant Activity
To ensure careful monitoring of new merchants, a daily review of merchant
activity is recommended for a two- to three-month period. During this time, any
variations or deviations in activity should be flagged and promptly investigated.
Suspicious activity may include any of the following:
• Deposit Variations. Check for any variations in deposit amount, frequency, or
type. Has a merchant suddenly changed from weekly to daily deposits? In the case
of manual deposits, are they being made at a branch office where the merchant
normally doesn’t do business? Are paper drafts handwritten or imprinted with
another merchant’s name—a sign of possible laundering? Do the deposit totals and
average transaction size coincide with projections on the merchant’s application?
• Large Deposits. Unusually large bankcard deposits should be treated the same
as any large deposit to a checking or savings account; that is, they should be
reviewed by bank personnel, and funds held when appropriate. Acquirers should
pay particular attention to deposits containing large, even-monetary amounts or
excessive credits, which may indicate that a merchant is making cash advances
or other improper payments (see “Suspicious Credit Activity” on next page).
Similarly, look for multiple drafts with the same account number on them or any
sudden increase or decrease in a merchant’s average ticket amount.
As specified in the Visa International Operating Regulations, acquirers must
monitor new high-risk merchants (which are registered as such with Visa Inc.) on
a daily basis.
Criminals who set up merchant facilities will often make normal deposits for a
month or two before there is a sudden “spike” in the deposit of a large number
of counterfeit or laundered transactions, which results in a large number of
chargebacks.
Deposit Report Monitoring
Normal Weekly Activity Reporting. Acquirers must gather on a weekly basis each
merchant’s:
• Gross sales volume
• Average transaction amount
• Number of transaction receipts
• Average elapsed time between the transaction date of the sales transaction
receipt and the endorsement date (date a transaction receipt is prepared for
clearing through interchange)
• Number of chargebacks
Normal Daily Activity Reporting. Acquirers must gather on a daily basis each
merchant’s:
• Gross sales volume
• Average transaction amount*
• Number of transaction receipts
• Average elapsed time between the transaction date of the sales transaction
receipt and the endorsement date (date a transaction receipt is prepared for
clearing through interchange)
• Number of chargebacks
Exception Reporting (Required)*. Acquirers must compare merchant activity to the
normal weekly activity established for each merchant at least once a week and
generate reports for merchants who meet the following criteria:
• Weekly gross sales volume equals or exceeds U.S. $5,000 and/or any of the
following exceeds 150 percent of the normal weekly activity:
– Number of transaction receipts deposited
– Gross sales volume
– Average transaction amount
– Number of chargebacks
– Average elapsed time between the transaction date and the endorsement date
for a transaction, counting each as one day respectively, exceeds 15 calendar
days
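Worked example, added here and not part of the manual: computing a merchant’s normal weekly activity and applying the exception criteria above in Python. Two assumptions are made because the manual does not specify them: the “normal” figures are a plain mean of prior weeks, and “and/or” is read as an inclusive or (a report is generated when the $5,000 floor is met or when any metric spikes); the merchant figures are constructed.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class WeeklyActivity:
    """The per-merchant figures the manual requires acquirers to gather each week."""
    gross_sales: float        # U.S. dollars
    avg_ticket: float         # average transaction amount
    receipts: int             # number of transaction receipts
    avg_elapsed_days: float   # transaction date to endorsement date
    chargebacks: int


GROSS_SALES_FLOOR = 5000.0   # "weekly gross sales volume equals or exceeds U.S. $5,000"
SPIKE_RATIO = 1.5            # "exceeds 150 percent of the normal weekly activity"
MAX_ELAPSED_DAYS = 15        # "exceeds 15 calendar days"


def normal_activity(history):
    """Baseline from prior weeks. Assumption: the manual does not fix how the
    'normal' figures are derived, so a plain mean of the history is used."""
    return WeeklyActivity(
        gross_sales=mean(w.gross_sales for w in history),
        avg_ticket=mean(w.avg_ticket for w in history),
        receipts=mean(w.receipts for w in history),
        avg_elapsed_days=mean(w.avg_elapsed_days for w in history),
        chargebacks=mean(w.chargebacks for w in history),
    )


def exception_reasons(current, normal):
    """Return the reasons `current` meets the exception criteria; an empty list
    means no exception report. 'and/or' is read as an inclusive or (assumption)."""
    reasons = []
    if current.gross_sales >= GROSS_SALES_FLOOR:
        reasons.append(f"gross sales {current.gross_sales:,.2f} >= {GROSS_SALES_FLOOR:,.0f}")
    for name, now, base in (
        ("transaction receipts", current.receipts, normal.receipts),
        ("gross sales volume", current.gross_sales, normal.gross_sales),
        ("average transaction amount", current.avg_ticket, normal.avg_ticket),
        ("chargebacks", current.chargebacks, normal.chargebacks),
    ):
        if base > 0 and now > SPIKE_RATIO * base:
            reasons.append(f"{name} {now} is {now / base:.0%} of normal {base:.1f}")
        elif base == 0 and now > 0:   # nothing on record to compare against: report it too
            reasons.append(f"{name} {now} with no prior activity on record")
    if current.avg_elapsed_days > MAX_ELAPSED_DAYS:
        reasons.append(
            f"average elapsed time {current.avg_elapsed_days} days exceeds {MAX_ELAPSED_DAYS}"
        )
    return reasons


# Constructed history for one merchant (four quiet weeks) and three candidate weeks.
HISTORY = [
    WeeklyActivity(3000.0, 45.0, 67, 1.5, 1),
    WeeklyActivity(3200.0, 44.0, 73, 1.4, 1),
    WeeklyActivity(2800.0, 46.0, 61, 1.6, 1),
    WeeklyActivity(3000.0, 45.0, 67, 1.5, 1),
]
NORMAL = normal_activity(HISTORY)
QUIET_WEEK = WeeklyActivity(3100.0, 46.0, 67, 1.6, 1)
SPIKE_WEEK = WeeklyActivity(9000.0, 180.0, 50, 2.0, 1)   # fewer but much larger tickets
STALE_WEEK = WeeklyActivity(3000.0, 45.0, 67, 16.0, 1)   # receipts held 16 days before clearing

if __name__ == "__main__":
    for label, week in (("quiet", QUIET_WEEK), ("spike", SPIKE_WEEK), ("stale", STALE_WEEK)):
        print(label, exception_reasons(week, NORMAL) or "no exception")
```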
Chargebacks Acquirers should monitor for the following chargebacks:
• High percentage of chargebacks month-to-date
• Total number by merchant type
• Dollar volume by merchant type, compared to merchant’s sales
volumes
• Types of chargebacks
*An average transaction amount is usually the single most obvious predictor of a significant change in merchant activity. While not necessarily
an indicator of risk, a radical change is a sign that something has happened and should be explored.
Merchant Activity Monitoring Best Practices
• Establish automated velocity controls over high-risk transactions and deposits.
Depending on needs and resources, elect to use any of these options:
– Set an authorization limit for monthly volume or single transaction
amount to avoid the risk of large-scale fraud. This approach protects
both the acquirer and the merchant, but may have an adverse impact on
the merchant’s business and generate negative merchant reaction. For
best results, clearly communicate the authorization velocity controls to
the merchant at the time of signing. Then, monitor authorization activity.
If the merchant comes close to the limit, conduct a review to determine
whether a limit increase is warranted.
– Prevent high-risk transactions or batches of settlement activity from
entering interchange until they have been reviewed. This second option
offers protection from the risk of chargeback and losses, but—unlike
authorization controls—would not protect a merchant from accepting
fraudulent transactions.
– Withhold funding from suspect batches. This third option also offers
protection from risk exposure, but would not prevent future chargebacks
since these transactions will have been submitted into interchange.
• Automatically suspend large credit transactions that do not have a preceding
debit transaction. In some cases, merchants try to reduce discount fees or
commit fraud by submitting credit transactions to their own or an accomplice’s
account. In this fraud scenario, the merchant submits a large credit batch
without sufficient funds in its account to cover the credit.
• Develop effective criteria for monitoring and reporting suspicious activity.
In addition to standard merchant monitoring parameters, the following
criteria should be applied:
– Unusual authorization activity. To mitigate risk, look for descending
authorization amounts, excessively high decline or referral rates, or a large
number of authorizations to the same account number or the same Bank
Identity Numbers (BINs).
– Unusual activity on other payment products. While Discover, American
Express, Diners Club, and other card products do not necessarily expose
an acquiring institution to risk, unusual activity on these card products
could indicate the likelihood of future merchant fraud on the acquirer’s
Visa or MasterCard products.
– Reduction in sales credits. This can be a sign of cash flow problems or
business failure for the merchant, leading to excessive chargebacks for
your institution.
– Increases in draft retrieval requests. Growing draft retrieval requests
with a fraud reason code may provide an early warning of future
chargebacks and potential problems.
Recognizing the Signs of Suspicious Merchant Activity
In many, if not most cases, merchant fraud will result in a sudden, dramatic
change in sales activity. To catch these unexpected shifts and fluctuations,
exception reports must be monitored daily—and if possible, before any
payments for the day’s transactions are deposited in a merchant’s account. In
addition, all transactions from new merchant locations should be reviewed on
a daily basis for a two- to three-month period. Signs of suspicious activity may
include any of the following:
• An unusual or unexpected increase in the number or dollar amount of
transactions. Likewise, a sudden re-activation of a previously inactive account.
• A dramatic shift, up or down, in the average transaction size.
• A high or disproportionate amount of key-entered sales.
• A large number of high or even-dollar transactions, especially if they are
key-entered.
• A sudden drop or stop in sales deposits.
• Discrepancies between a merchant’s authorization and transaction activity,
specifically a high volume of authorizations with few or no corresponding
transactions. This may be a sign of skimming or account testing.
• Account numbers in a numerical sequence or within the same BIN. Acquirers
should also track deposits over periods of a few days or weeks to check for
transactions or authorizations with account numbers in a single BIN. A string
of account numbers may be the first sign of fraud associated with CreditMaster
or other account number-generating software.
• An unusual proportion of declined transactions. This could be another
indication of account testing.
• Authorization or transaction activity that takes place after hours, when the
business should be closed. After-hours sales are associated with several
types of fraud, including bust-out merchants and account testing.
• Excessive credits (especially to the same account number), or discrepancies
between sales and credits. Acquirers should check transaction records
for any discrepancies between the number and dollar amount of sales
and credits—often the first sign of a merchant credit scam. For example,
a business might issue a credit without a corresponding sale, or it could
deposit several small- or medium-sized sales and then issue a single large
credit to the merchant’s personal account.
Acquirers should establish and document procedures for investigating suspect
activity. For additional details on how to investigate suspect activity and
follow up accordingly, refer to Chapter 9: Merchant Fraud Investigation in this
manual.
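The following Python example is added here and is not the manual’s own code. It runs four of the checks described in this list, plus the earlier best practice of suspending credits that have no preceding debit, over one constructed day of merchant events: credits not covered by a prior sale to the same account, runs of consecutive account numbers within one BIN (check digit excluded), authorization-only requests never followed by a sale, and activity outside stated business hours. The event format, the 09:00 to 18:00 opening hours and every account number are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str      # "auth" = authorization only, "sale" = settled debit, "credit" = refund
    pan: str       # 16-digit account number; every value below is constructed, not a real card
    amount: float


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed single-day activity for one merchant (assumed open 09:00 to 18:00).
EVENTS = sorted([
    Event(_t("2012-03-12 10:05"), "sale", "4000120000000018", 42.10),
    Event(_t("2012-03-12 10:40"), "sale", "4000120000000026", 18.75),
    Event(_t("2012-03-12 11:15"), "credit", "4000120000000018", 42.10),   # refund of a real sale
    Event(_t("2012-03-12 11:30"), "credit", "4000129999999991", 2400.00), # credit with no sale
    # late-night burst of authorization-only requests on consecutive numbers in one BIN
    Event(_t("2012-03-12 23:02"), "auth", "4000120000001008", 1.00),
    Event(_t("2012-03-12 23:03"), "auth", "4000120000001016", 1.00),
    Event(_t("2012-03-12 23:04"), "auth", "4000120000001024", 1.00),
    Event(_t("2012-03-12 23:05"), "auth", "4000120000001032", 1.00),
    Event(_t("2012-03-12 23:06"), "auth", "4000120000001040", 1.00),
    Event(_t("2012-03-12 23:20"), "sale", "4000120000001016", 5.00),
], key=lambda e: e.ts)


def credits_without_preceding_sale(events):
    """Credits not covered by earlier sales to the same account, in time order."""
    sold = defaultdict(float)   # uncredited sales total per account so far
    flagged = []
    for e in events:
        if e.kind == "sale":
            sold[e.pan] += e.amount
        elif e.kind == "credit":
            if sold[e.pan] >= e.amount:
                sold[e.pan] -= e.amount   # consume the sale so it cannot cover a second credit
            else:
                flagged.append(e)
    return flagged


def sequential_account_runs(events, min_run=3):
    """Runs of at least `min_run` consecutive account numbers within one BIN
    (first six digits), comparing digits 7 to 15 and ignoring the check digit.
    Returns a list of runs, each a list of PANs in ascending order."""
    by_bin = defaultdict(set)
    for e in events:
        by_bin[e.pan[:6]].add(e.pan)
    runs = []
    for pans in by_bin.values():
        ordered = sorted(pans, key=lambda p: int(p[6:15]))
        run = [ordered[0]]
        for prev, cur in zip(ordered, ordered[1:]):
            if int(cur[6:15]) - int(prev[6:15]) == 1:
                run.append(cur)
            else:
                if len(run) >= min_run:
                    runs.append(run)
                run = [cur]
        if len(run) >= min_run:
            runs.append(run)
    return runs


def authorizations_without_sale(events):
    """Authorization-only requests on accounts that see no sale in the window."""
    sold_pans = {e.pan for e in events if e.kind == "sale"}
    return [e for e in events if e.kind == "auth" and e.pan not in sold_pans]


def after_hours_activity(events, open_hour=9, close_hour=18):
    """Events outside the merchant's stated business hours [open_hour, close_hour)."""
    return [e for e in events if not (open_hour <= e.ts.hour < close_hour)]


if __name__ == "__main__":
    print("credits without a sale:", [(e.pan, e.amount) for e in credits_without_preceding_sale(EVENTS)])
    print("sequential account runs:", sequential_account_runs(EVENTS))
    print("auths without sale:", [e.pan for e in authorizations_without_sale(EVENTS)])
    print("after-hours events:", len(after_hours_activity(EVENTS)))
```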
What’s Covered
• Fraud Control and Investigation Standards
• Components of a Successful Investigation
• Conducting an Investigation
• When a Scam Is Confirmed
• Case Prosecution
• When a Merchant Agreement is Terminated
• Merchant Communication During and After an Investigation
As an acquirer, you maintain full responsibility for the actions (losses) of all
your merchants. If a merchant has chargebacks in excess of the assets you have on
deposit and the merchant goes out of business, you are held responsible for the
remaining losses.
The following fraud control and investigative standards have been included to
help acquirers control fraud losses through prevention, early detection, effective
investigation, and resolution of payment card fraud. These standards are
intended as recommendations only; Visa encourages individual members to
adapt them to reflect the specific needs of their organization and merchant
program.
Fraud Control Performance Standards
A key to effective fraud control is to centralize the prevention and investigation
functions in a Fraud Control Department or similarly defined organizational
structure. At a minimum, a member’s Fraud Control Department, or specially
trained fraud control personnel, must be able to support the following basic
activities:
• Monitor, investigate, detect, analyze, and report fraudulent activity against
the Visa brand and products. Focus should be on these three primary
functions:
– Prevent by following best practice recommendations and using all the
fraud-prevention systems developed and made available by Visa for each
fraud type.
– Detect by using a system that alerts you to transactions that have a high
probability of being fraudulent.
– Recover by detecting “friendly fraud” at the time a dispute is reported,
reviewing transactions for chargeback opportunities, and recovering
fraudulent activity resulting from compromised account information.
• Plan and supervise security for the production, storage, and distribution of
Visa products.
• Safely and securely maintain all account information.
• Act as an interface with the criminal justice system, and educate and
maintain effective working relationships with criminal justice personnel.
• Make sure all facilities involved in operating the member’s Visa merchant
program are physically secure.
• Make sure merchants are educated about fraud prevention.
Investigation Performance Standards
Investigating payment card fraud is one of the primary functions of a member’s
Fraud Control Department or specially trained fraud control personnel. Members
that routinely and rigorously investigate fraud cases send a strong message of
deterrence to potential perpetrators.
Visa may take appropriate actions to ensure that a member complies with these
performance standards and the Visa International Operating Regulations. Such
actions may include, but not be limited to, assigning appropriate resources to
bring the member into compliance at the member’s expense.
Compliance with the following standards can help ensure timely and effective
fraud investigations. Specifically, acquirers and/or assigned risk management
personnel should do the following:
• Establish a 24-hour contact phone, fax, or telex number to support
investigative inquiries from other Visa members, law enforcement, or criminal
justice personnel.
• Subject to applicable local law, have access to, and be authorized to provide,
at least the following details to other members or law enforcement and other
criminal justice personnel:
– Cardholder data
– Card expiration date
– Status of the card and account
– Suspected or reported fraudulent activity
– Full details of the loss or theft of the card
• When a subject is in custody, provide the following information to other
members or law enforcement and other criminal justice personnel within
12 hours:
– Identity of the cardholder and authorized users
– Card expiration date
– Status of the card and account
– Suspected or reported fraudulent activity
– Full details of the loss or theft of the card
• Provide a substantive response to all inquiries from other members or law
enforcement within 72 hours of receiving the initial request.
• Document all inquiries and responses when requested.
• Notify their designated Visa regional fraud control contact of any other
member’s failure to comply with investigative support performance
requirements.
• Have access to cardholder and merchant transaction data for at least the
prior six months’ activity.
• Maintain documented investigative procedures governing all phases of a
fraud investigation.
Conducting an Investigation
Fraud Loss Reduction Best Practices
If a fraud scam is confirmed or seriously suspected, acquirers should consider
the following possible actions, if consistent with the acquirer’s legal and
contractual rights:
Case Prosecution
Acquirer Cooperation
If the fraudulent use of a Visa card is considered a crime, criminal justice system
personnel may ask for cooperation from the acquirer’s fraud investigators in
prosecuting the offender. While the decision to prosecute suspected fraud
perpetrators is usually left up to an individual member’s discretion, a consistent
policy of prosecution can provide substantial benefits.
• First, routinely prosecuting suspected fraud deters potential fraud
perpetrators.
• Second, it also gains the respect of law enforcement authorities and helps
ensure their future cooperation.
After requesting assistance from law enforcement authorities in apprehending
suspected fraud perpetrators, acquiring members should proceed with
prosecution of the case and advise legal counsel of all cases taken to prosecution,
if appropriate. In the course of a prosecution, witnesses (including the legal
cardholder and the member’s representatives) may be subpoenaed to appear in
court, possibly at the member’s expense.
Do not drop charges because of the expense involved in providing witnesses or
because the suspect has offered to make restitution.
Loss Control Best Practices
Whether a merchant agreement is terminated for simple business reasons,
fraud, or credit risk issues, actions should be taken to protect the acquiring
organization and the payment system from losses. The following best practices
should be applied:
• Establish pre-defined authorities to suspend merchant processing and hold
funds, as well as formal internal responsibilities, policies, and procedures
for terminating merchants. This formal approach will minimize indecision in
terminating merchants.
• Develop an effective and timely merchant termination process that protects
Visa, the payment system, and the acquiring institution’s interests.
• If owned by the acquirer, remove POS terminals from the merchant
location.
• To preclude the processing of further transactions, suspend settlement to
the merchant’s account. Authorization processing should be blocked as well.
• If a processor is used for authorizations or settlement, notify the processor
and request that the merchant account be blocked to prevent account
testing and any further deposits.
• Add the merchant’s name to the Terminated Merchant File (TMF) when the
merchant account has been closed for cause, as specified in the Visa
International Operating Regulations.
Attention to these details will preclude time spent investigating account testing
and can help prevent fraud in the long run.
Every piece of cardholder account information that passes through the Visa
payment system is vital to our business. Without proper safeguards in place, this
information can be vulnerable to internal and external compromise, leading to
fraud and loss of consumer confidence. The goal of Visa’s security programs is to
ensure the highest standard of due diligence to protect sensitive cardholder data
from hackers and fraudsters. This chapter explains the Payment Card Industry
(PCI) Data Security Standard (DSS) Compliance Program. It also covers the
security measures needed to protect cardholder PINs and prevent the possibility
of compromise in the acquiring environment.
What’s Covered
• Information Security—Who, What and Why
• Cardholder Data Storage and Security
• What is the Payment Card Industry Data Security Standard?
• Visa PIN Security
• Minimizing Third-Party Agent Branded ATM Risk
• Visa White Label ATM Compliance Program
• Acquiring Center Security
Visa members, merchants, and their Third-Party Agents have always been
accountable for putting into place effective controls to protect account and
transaction information. Maintaining the confidentiality, integrity, availability,
and authenticity of this information has always been the highest priority of
the payment industry. These assets must be protected from unauthorized
modification, disclosure, and destruction.
• For members, merchants, and their agents. Data security should be a key
component of all policies and practices related to the acceptance and
processing of transactions.
• For Visa cardholders. It is a matter of selecting and doing business with a
reliable, reputable entity. They want assurance that their account information
is being guarded and that their personal data is safe.
• For Visa. It means identifying the requirements and tools that encourage
members, merchants, and their agents to establish appropriate cardholder
and transaction information security and privacy controls and measures.
Potential Costs and Risk Exposure
Without proper information security controls, threats to account and transaction
information can expose an organization to several different types of risk.
• Financial Exposure. Direct theft, destruction, or other loss of assets.
• Reputation Exposure. The loss of brand equity, customer relationships, or
competitive position in the market due to weakened trust and customer
relationships resulting from an enterprise’s vulnerability to threats.
• Regulatory and/or Legislative Exposure. Loss, or loss potential based on
unresolved or unmitigated exposures, may result in an enterprise being
penalized, depending on local laws. Many countries and regional jurisdictions
have introduced legislation dictating how organizations must protect sensitive
information.
Tactical, Practical, and Necessary
The Payment Card Industry (PCI) Data Security Standard (DSS) is a
comprehensive set of international security requirements for protecting
cardholder data. The PCI DSS was developed by Visa and the founding payment
brands of the PCI Security Standards Council to help facilitate the broad
adoption of consistent data security measures on a global basis. These 12
requirements are the foundation of Visa’s data security compliance program
known as the Account Information Security (AIS) Program. This program was
formerly known as the Cardholder Information Security Program (CISP) in the U.S.
• Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other
security parameters
• Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data and sensitive information
across open public networks
• Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
• Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
• Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
• Maintain an Information Security Policy
12. Maintain a policy that addresses information security
Visa Member Responsibilities
All Visa acquirers and issuers must comply, and must also ensure the
compliance of their merchants and service providers who store, process, or
transmit Visa account numbers. This program applies to all payment channels
including card present, mail/telephone order, and e-commerce. Visa members
must:
• Designate an individual or group of individuals to play an active role in fully
implementing and enforcing PCI DSS.
• Adequately inform merchants and agents of their PCI DSS-compliance role
and responsibilities and the penalties of non-compliance.
• Ensure that merchants and agents contractually require all associated
third parties with access to cardholder data to adhere to PCI DSS security
requirements.
• Provide tools and training opportunities to ensure merchants and agents
understand the PCI DSS requirements, as well as specific data security
measures and procedures.
• Validate that their merchants and all supporting agents comply with
the program.
Why Comply?
Consumer trust in the security of sensitive information is more critical than
ever. To build the confidence of mutual customers, all Visa constituents need
to be vigilant in their efforts to maintain data security. The PCI DSS helps Visa
members, merchants, and agents meet the obligations to the Visa payment
structure. Other compelling reasons for fully implementing and validating
compliance with the PCI DSS include:
• Maintaining the integrity of cardholder information — Customers
seek out merchants that they feel are “safe.” Confident consumers are
loyal customers. They come back again and again, as well as share their
experience with others.
• Minimizing both direct losses and associated operating expenses —
Appropriate data security protects your customers, limits risk exposure, and
minimizes the losses and operational expense that stem from compromised
cardholder information.
• Maintaining a positive image — Information security is on everyone’s mind…
including the media’s. Data loss or compromise not only hurts customers, it
can seriously damage a business’s reputation.
How Compliance Validation Works
Separate from the mandate to comply with PCI DSS is the validation of
compliance. Validation identifies vulnerabilities and ensures that appropriate
levels of cardholder information security are maintained. Visa has prioritized and
defined validation levels based on the volume of transactions and the potential
risk and exposure introduced into the Visa system.
Some businesses validate compliance through an Annual On-Site Security
Assessment and Quarterly Network Vulnerability Scan; others complete an Annual
Self-Assessment Questionnaire and Quarterly Network Vulnerability Scan.
Merchants
Merchants who store, process, or transmit Visa cardholder data generally fall into
one of four merchant levels based on Visa transaction volume over a 12-month
period. Transaction volume is based on the aggregate number of Visa transactions
(inclusive of credit, debit and prepaid) from a merchant Doing Business As (DBA).
Merchant Level | Description
1 | Merchants processing over six million Visa transactions annually (all channels) or Global merchants identified as Level 1 by any Visa region.
2 | Merchants processing one million to six million Visa transactions annually (all channels).
3 | Merchants processing 20,000 to one million Visa e-commerce transactions annually.
4 | Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to one million Visa transactions annually.
Service Providers
Service providers that store, process or transmit Visa cardholder data on behalf of
Visa acquirers, issuers, merchants or other service providers fall into one of two
service provider levels. Level 2 service providers are not posted on Visa’s list of
compliant service providers unless they opt to undergo a Level 1 onsite security
assessment.
Service Provider Level | Description | Posted on Visa’s Global List of Validated Service Providers
1 | VisaNet® processors or any service provider that stores, processes and/or transmits over 300,000 Visa transactions annually. | Yes
2* | Any service provider that stores, processes and/or transmits less than 300,000 Visa transactions annually. | No*
*Level 2 service providers may choose to validate as a Level 1 service provider in order to be listed on Visa’s Global List of Validated Service Providers.
Ongoing Information Security Communication
Through ongoing communication and education efforts, Visa members can
ensure that merchants and Third-Party Agents are up to speed on the front-line
defense they need to avoid internal and external security compromises.
The Visa PIN Security Program is a global acquirer program designed to support all
participants in the acquiring transaction processing chain to maintain the highest
level of PIN security. The program is based on the PCI PIN Security Requirements,
a set of mandatory requirements for the secure management, processing and
transmission of cardholder PINs during transaction processing at ATM and
point-of-sale (POS) PIN-entry devices (PEDs). Today, Visa initiatives and
controls continue to evolve to safeguard PIN transactions.
All participants in the acquiring transaction processing chain that manage
cardholder PINs and encryption keys must be in full compliance with the PCI PIN
Security Requirements.
Visa PIN Security Initiatives and Controls
Today, Visa initiatives and controls continue to evolve to safeguard PIN-based
transactions.
Visa PIN Security Program
The Visa PIN Security Program supports all participants in the acquiring
transaction processing chain as they work to maintain the highest level of PIN
security. The program helps merchants, Third-Party Agents, processing, and
encryption and support organizations adequately protect the confidentiality of
cardholder PINs through educational workshops on the management of encryption
keys used in PIN pads and hardware security modules. The program also includes
special publications such as the PCI PIN Security Requirements and the Visa
PIN Security Program: Auditor’s Guide. These publications are available to all
PIN-accepting entities free of charge and can be accessed at www.visa.com/pin under
“Security and Authentication.”
The Visa International Operating Regulations prohibit merchants from storing the full
contents of any magnetic-stripe, CVV2*, or PIN block payment card data. Merchants can
mitigate the risk of exposing cardholder data through compromise by utilizing vendors who
offer payment applications that meet the Payment Application Data Security Standard
(PA-DSS), a PCI Security Standards Council (SSC) managed program formerly known as the
Payment Application Best Practices (PABP).
The PA-DSS is intended to help software vendors and others develop secure payment
applications that do not store prohibited data and support compliance with the PCI Data
Security Standard (DSS). To learn more about Visa’s PA-DSS mandates, please visit
www.visa.com/cisp, click on Risk Management, then Payment Applications. For a
downloadable list of payment applications that meet PA-DSS, log on to the Council’s
website at www.pcisecuritystandards.org.
ATM Risk Controls
The connection of privately owned (Third-Party Agent) ATMs to Visa’s Plus
ATM Network has raised a number of operational and risk management
concerns for Visa members. Visa has instituted new rules to help manage
the risks introduced by third-party branded ATMs. To properly address this
situation, the Plus System Inc. By-Laws and Operating Regulations and the Visa International
Operating Regulations were revised and policies introduced to ensure that ATM
acquirers maintain adequate risk controls to safeguard Visa’s Plus ATM
Network. These include the following:
• Minimum Tier One Capital Requirements for members to sponsor Plus Third-
Party Agents
• Quarterly Reporting by sponsoring Plus members of all sponsored ATMs,
including make, model and location
• ATM Labeling Requirements stating who the acquirer is for Plus transactions,
with a call-in phone number to report suspicious activity
• Required submission of PIN Security due diligence for all new Plus Third-
Party Agent registrations
• Active compliance monitoring program to ensure Plus agent compliance with
applicable rules
• Mandatory education requirements for Plus Third-Party Agents and their
sponsoring members
• ATM operator agreement requirements
ATM Operator Rules
The ATM operator rules are designed to help Visa members:
• Establish consistent operational and risk management requirements for ATM
acquirers to manage entities that own or operate their own ATMs.
• Ensure that entities connected to Visa’s Plus ATM Network have been
subjected to an adequate due-diligence review.
• Ensure that entities connected to Visa’s Plus ATM Network have a
written agreement with a member.
• Clearly define member responsibility for ATM operators.
• Safeguard Visa’s Plus ATM Network from unregistered Third-Party Agents
or other entities that have not been properly screened for risk.
Third-Party Agent Branded ATM Controls
All Visa members that use Third-Party Agents to deploy cash disbursement
machines (Third-Party Agent branded ATMs) are required to:
• Track and report on a quarterly basis to Visa the physical location of each
device sponsored.
• Determine whether such devices comply with PCI PIN Security Requirements.
These controls ensure sponsoring members are prominently identified on each
device and enable cardholders to report suspicious activity.
All Third-Party Agent branded cash disbursement machines bearing the Plus and/or
Visa marks are also required to display a label that identifies the sponsoring
financial institution and must include a customer service phone number for
cardholders to contact in the event of operational problems, or to report
suspicious activity. Member-branded ATMs are exempt from this requirement.
Members must report on a quarterly basis to Visa Corporate Risk information on
the physical location of each Visa/Plus cash disbursement machine deployed
through a Third-Party Agent. The reports contain the following:
• Physical street address of each device
• An indication whether or not the device meets PCI PIN Security Requirements
• Device manufacturer and model number
• Software and firmware versions
This detailed tracking information helps Visa and its sponsoring members to
quickly identify devices in the event of a compromise, as well as further ensure
full device compliance with the PCI and PED Security Requirements.
Members that fail to comply with Visa’s reporting and labeling requirements are
eligible for fines and the imposition of conditions as specified in the Plus System
Inc. By-Laws and Operating Regulations.
Physical Security
Acquirers need to ensure the physical security of the Acquiring Center. Measures
must include access control, surveillance, and monitoring of the following
operational areas:
• Building access, both entry and egress
• Filing areas, including fraud investigation and cardholder credit files
• Data processing area
• Payment processing area
• Embossing area
• Mailing area
Business Continuity Planning
Acquirers must also develop procedures to ensure the safety and security of the
Center and personnel in case of fire, natural disasters, bomb threat, or riot. This
requires a review and drill on a regular basis, the documenting of problems, and
any necessary corrective action.
What’s Covered
• Steps and Requirements for Compromised Entities (Members, Merchants, and
Third-Party Agents)
• Steps and Requirements for Visa Acquirers
• Forensic Investigation Guidelines
• Using the Compromised Account Management System (CAMS)
If you are a financial institution, contact the appropriate Visa region at
the number provided above.
3. Notify the appropriate law enforcement agency. Contact the Visa Incident
Response Manager above for assistance in contacting local law enforcement
agency.
4. Consult with your legal department to determine if consumer or regulatory
laws apply.
5. Provide all compromised Visa, Interlink, and Plus accounts to the Visa
acquiring bank or to Visa within ten (10) business days. All potentially
compromised accounts must be provided and transmitted as instructed by
the Visa acquiring bank and Visa. Visa will distribute the compromised Visa
account numbers to issuers and ensure the confidentiality of entity and non-
public information. Note: If you are an issuer, provide foreign accounts or
accounts from other financial institutions to Visa.
6. Within three (3) business days of the reported compromise, provide
an Incident Report to the Visa member or to Visa. If you are a financial
institution, provide the Incident Report to Visa.
Note: If Visa deems it necessary, an independent forensic investigation by a
Visa-approved Qualified Incident Response Assessor (QIRA) will be initiated
on the compromised entity.
Security Breach Reporting
In the event of a security breach, the Visa International Operating Regulations
require members to immediately report the breach and the suspected or
confirmed loss or theft of any material or records that contain cardholder data.
A member must, upon completion of the investigation, demonstrate its ability
or its merchants’ or agents’ ability to prevent future loss or theft of transaction
information consistent with the PCI DSS requirements. Visa, or an independent
third party acceptable to Visa, must verify this ability by conducting a
subsequent security review.
1. Immediately report the suspected or confirmed loss or theft of Visa
cardholder data. Members must contact Visa Fraud Control immediately.
2. Obtain at-risk account numbers from the compromised entity. Within 48 hours,
advise Visa whether the entity was in compliance with PCI DSS requirements
at the time of the incident and, if so, provide appropriate proof.
3. Participate in all discussions with the compromised entity and Visa.
4. Ensure that a Visa-approved Qualified Security Assessor is engaged to
perform the forensic investigation.
5. Obtain information about the compromise from the entity.
6. Determine whether the compromise has been contained.
7. Inform Visa of investigation status within 48 hours.
8. Ensure that entity has taken steps necessary to prevent future loss or theft
of account information, consistent with PCI DSS requirements.
Investigation Actions
Entities must initiate investigation of the suspected or confirmed loss or theft of
account information within 24 hours of compromise. The following actions must
be taken as part of the forensic investigation:
• Determine cardholder information at risk. This includes:
– Number of accounts at risk, identify those stored and compromised on all
test, development, and production systems
– Type of account information at risk:
- Account number
- Expiration date
- Cardholder name
- Cardholder address
- Card Verification Value 2 (CVV2)*
- Track 1 and Track 2
- PIN blocks
- Any data exported by intruder
• Determine if payment application is retaining full track data, including PIN
blocks.
• Perform incident validation and assessment:
– Establish how the compromise occurred
– Identify the source of the compromise
– Determine the timeframe of the compromise
– Review entire network to identify all compromised or affected systems,
considering the e-commerce, corporate, test, development, and production
environments as well as VPN, modem, DSL and cable modem connections,
and any third-party connections.
– Determine if compromise has been contained.
• Check for CVV2, Track 1 and Track 2 storage. Examine all potential
locations— including payment application—to determine if CVV2,
Track 1, or Track 2 data are stored, whether encrypted or unencrypted—e.g.,
in duplicate or backup tables or databases, databases used in development,
application logs, transaction logs, stage or testing environment data on
software engineers’ machines, etc.
What is CAMS?
The Compromised Account Management System (CAMS) offers a secure and
efficient way for acquirers, merchants, law enforcement agencies, and financial
institutions to transmit compromised and recovered account data to and
from Visa through an encrypted site. Using CAMS, acquirers, merchants, and
law enforcement officers can upload potentially compromised and recovered
accounts directly to Visa.
Subscribing financial institutions can access CAMS by logging on to their
regional Visa Online site and receive compromise alerts via e-mail regarding
their accounts.
2. From the drop-down menu, select your assigned Visa contact. This field is
required.
3. Enter a brief description of the files you are uploading for the compromise.
4. If applicable, indicate whether the file includes an expiration date. (Indicating
an account expiration date will help the issuer identify which accounts are
good candidates for monitoring.)
The ingenuity of today’s criminals means that even the most conscientious and
careful acquirer may at times miss crucial evidence of a scam and suffer the
resulting losses. To fight fraud more effectively, system-wide support is needed.
In response, Visa has implemented a range of services and programs aimed at
helping acquirers identify risky transactions.
This chapter provides an overview of Visa’s services and programs developed
specifically for acquirers.
What’s Covered
• Merchant Fraud Performance Program
• Global Merchant Chargeback Monitoring Program
• Acquirer Monitoring Program
• Brand Protection Programs
• High-Risk Chargeback Monitoring Program (U.S. Only)
• Visa Fraud Reporting System
How the MFP Program Works
• Identifications – The MFP program includes global minimum standards that
address inter-regional merchant fraud problems. Additionally, domestic and
intra-regional fraud performance thresholds are established regionally to
address local market needs.
Each month, Visa monitors the fraud performance of merchant outlets against
program thresholds. The performance thresholds are subject to periodic
review and are adjusted as needed. Advance notifications of changes to the
thresholds are provided through updates to the Merchant Fraud Performance
Program Guide.
The current global thresholds are as follows:
– Minimum Thresholds:
- US $25,000 of reported inter-regional fraud*, and
- 25 inter-regional fraud transactions, and
- 2.5% inter-regional fraud-to-sales ratio.
– Excessive Thresholds:
- US $250,000 of reported inter-regional fraud, and
- 2.5% inter-regional fraud-to-sales ratio.
• Remediation – Visa will notify an acquirer of any merchant that meets or
exceeds the program performance thresholds. The acquirer must then work
with the merchant to address the fraud exposure and reduce fraud so that it
falls below the performance thresholds.
*Fraud accepted on cards originally issued by clients outside the merchant country and region.
How the GMCMP Works
• Identifications – The GMCMP program includes merchant-level and acquirer-
level minimum standards.
Each month, Visa identifies merchants and acquirers whose chargeback levels
are in excess of the GMCMP thresholds. The performance thresholds are
subject to periodic review and are adjusted as needed. Advance notifications
of changes to the thresholds are provided through updates to the Global
Merchant Chargebacks Monitoring Program Guide.
• The global thresholds effective June 2010 are:
– Merchant-level Thresholds:
- 200 international sales* count, and
- 200 international chargeback count, and
- 2 percent international chargeback-to-sale count ratio.
– Acquirer-level Thresholds:
- 500 international sales count, and
- 500 international chargeback count, and
- 1.5 percent international chargeback-to-sale count ratio, and
- 1 merchant identified in the program during the same reporting
month.
• Remediation – Visa will notify an acquirer if its monthly chargeback
performance, or its merchant’s chargeback performance, meets or exceeds
the program thresholds. Once notified, an acquirer should take prompt and
rigorous action to investigate the cause of the excessive chargeback activity.
*Visa may levy penalties for trailing chargeback activity for up to 4 months after merchant termination, regardless of sales volumes.
*Merchants whose MCCs are specified under the ‘high-risk’ category as specified in VIOR Section 2.3.J.3.a.
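The merchant-level and acquirer-level GMCMP gates above can be applied as one monthly evaluation; the following is an added example written for this page, not Visa’s own program code. It assumes the chargeback-to-sale count ratio is international chargebacks divided by international sales for the same reporting month, and the acquirer and merchant records are constructed.

```python
from dataclasses import dataclass

# GMCMP global thresholds effective June 2010, as stated in the manual.
# Ratios are held in basis points (1 percent = 100 bp) so every check is
# integer arithmetic and never depends on float rounding.
MERCHANT_MIN_INTL_SALES = 200
MERCHANT_MIN_INTL_CHARGEBACKS = 200
MERCHANT_MIN_RATIO_BP = 200        # 2 percent chargeback-to-sale count ratio
ACQUIRER_MIN_INTL_SALES = 500
ACQUIRER_MIN_INTL_CHARGEBACKS = 500
ACQUIRER_MIN_RATIO_BP = 150        # 1.5 percent chargeback-to-sale count ratio


@dataclass(frozen=True)
class MerchantMonth:
    """One merchant outlet's international activity for one reporting month."""
    acquirer_id: str
    merchant_id: str
    intl_sales_count: int
    intl_chargeback_count: int


def ratio_at_least(chargebacks: int, sales: int, min_bp: int) -> bool:
    """True when chargebacks / sales >= min_bp / 10000 (integer comparison)."""
    return sales > 0 and chargebacks * 10000 >= min_bp * sales


def merchant_identified(m: MerchantMonth) -> bool:
    """All three merchant-level conditions must hold ('and' in the manual)."""
    return (m.intl_sales_count >= MERCHANT_MIN_INTL_SALES
            and m.intl_chargeback_count >= MERCHANT_MIN_INTL_CHARGEBACKS
            and ratio_at_least(m.intl_chargeback_count, m.intl_sales_count,
                               MERCHANT_MIN_RATIO_BP))


def evaluate_month(records):
    """Apply merchant-level and then acquirer-level GMCMP identification.

    Returns {acquirer_id: {"intl_sales": int, "intl_chargebacks": int,
                           "identified_merchants": [merchant_id, ...],
                           "identified": bool}}.
    """
    acquirers = {}
    for m in records:
        a = acquirers.setdefault(m.acquirer_id, {
            "intl_sales": 0, "intl_chargebacks": 0,
            "identified_merchants": [], "identified": False})
        a["intl_sales"] += m.intl_sales_count
        a["intl_chargebacks"] += m.intl_chargeback_count
        if merchant_identified(m):
            a["identified_merchants"].append(m.merchant_id)
    for a in acquirers.values():
        # Acquirer-level identification needs both volume gates, the 1.5 percent
        # ratio, and at least one merchant identified in the same month.
        a["identified"] = (
            a["intl_sales"] >= ACQUIRER_MIN_INTL_SALES
            and a["intl_chargebacks"] >= ACQUIRER_MIN_INTL_CHARGEBACKS
            and ratio_at_least(a["intl_chargebacks"], a["intl_sales"],
                               ACQUIRER_MIN_RATIO_BP)
            and len(a["identified_merchants"]) >= 1)
    return acquirers


# Constructed sample month (hypothetical acquirer and merchant ids).
SAMPLE_MONTH = [
    # ACQ-1: two merchants over threshold; portfolio ratio 610/35000 = 1.74%.
    MerchantMonth("ACQ-1", "M-1", 10000, 250),   # 2.5% -> identified
    MerchantMonth("ACQ-1", "M-2", 20000, 150),   # chargeback count under 200
    MerchantMonth("ACQ-1", "M-3", 5000, 210),    # 4.2% -> identified
    # ACQ-2: large chargeback count but only 1.2% at both levels.
    MerchantMonth("ACQ-2", "M-4", 50000, 600),
    # ACQ-3: merchant identified (5%), but the acquirer's 400 chargebacks
    # are below the 500 acquirer-level count gate.
    MerchantMonth("ACQ-3", "M-5", 8000, 400),
]


if __name__ == "__main__":
    for acq, info in evaluate_month(SAMPLE_MONTH).items():
        print(acq, info)
```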
How AMP Works
• Identifications – AMP includes global minimum standards and regionally-
managed thresholds.
Each quarter, Visa identifies acquirers who exceed 3 times the worldwide or
regional fraud-to-sales ratio. The performance thresholds are subject to
periodic review and will be adjusted as needed.
• Remediation – Visa will notify an acquirer if its quarterly fraud performance
exceeds the program thresholds. Once notified, an acquirer should take
prompt and rigorous action to investigate the cause of the excessive fraud
activity.
• Compliance – Fines would be imposed on an acquirer if the acquirer’s
performance does not fall below the AMP thresholds within specified
timelines. If performance problems continue, penalties will escalate and
include restriction and revocation of acceptance privileges.
The AMP is a global program; however, almost every region has its own
regionally-managed thresholds and exceptions for this program. For more
information about the global and regional Acquirer Monitoring Program, contact
your Regional Risk Representative or Visa Account Manager.
Illegal Cross-border Transaction Program
The growth of Internet distribution has increased the possibility that merchants,
while acting in accordance with the laws of their own country’s jurisdiction,
may be acting contrary to the laws of a cardholder’s legal jurisdiction. Such
transactions may have legal or regulatory impact on Visa and its members,
which may adversely affect their reputation.
Visa operates the Cross-border Illegal Transactions Program to ensure Visa
acquirers and merchants do not process illegal transactions in the Visa payment
system, as specified in the Visa International Operating Regulations.
To avoid the program fee assessment of for each URL found non-compliant, the
acquirer must:
• Carefully review the sales practices of merchants when they are selling
products to customers outside of their own country,
• Ensure that merchants are properly coding all transactions to correctly
identify their nature, and
• Not accept any illegal transactions from a merchant for submission into the
Visa payment system, or any transaction that the merchant could have known
was illegal.
Online Gambling Audit Program
The Online Gambling Audit Program was introduced in 2001 to ensure Online
Gambling merchants properly identify authorization transactions so that issuers
are able to make appropriate authorization decisions.
Under the program, Internet Gambling merchants are required to use the
following authorization data elements to correctly identify their transactions as
“Online Gambling”:
• Merchant Category Code (MCC) – 7995
• POS Condition Code (POS CC) – 59
• Processing Code positions 1 and 2 – 11
• Mail/Telephone or Electronic Commerce Indicator – 05 through 09
Visa assesses a fee to acquirers whose merchants violate the established criteria
and fail to rectify the violation within a stipulated correction period.
How the Program Works
As defined in the Visa International Operating Regulations, when a merchant
equals or exceeds a one percent overall chargeback-to-interchange transaction
ratio, the acquirer is notified in writing.
To qualify for the HRCMP, the merchant must have 100 or more interchange
transactions, 100 or more chargebacks, and a one percent or greater
chargeback-to-transaction ratio.
Remedial Action and Penalties
The HRCMP penalties, parameters and requirements are defined in the Visa
International Operating Regulations. Under the HRCMP, there is no warning period
and fees begin immediately when the merchant has excessive chargebacks.
The Visa Fraud Reporting System (FRS) has been developed to provide members
with risk management information and services specifically aimed at pinpointing
sources of risk and fraud activity and combating payment card fraud and fraud
losses. The fraud reporting process normally begins when a cardholder notifies
an issuer about a disputed transaction on the cardholder’s Visa account. The
issuer then reports the details of the fraudulent transaction to Visa.
Fraud Report Categories
Fraud reports include information on the cardholder, the merchant, and how the
transaction was processed. The issuer identifies the type of fraud committed
using one of the following fraud categories:
• Lost.
• Stolen.
• Not received.
• Fraudulent application.
• Counterfeit.
• Fraudulent use of an account number.
• Miscellaneous/undefined.
Acquirers may request customized analysis of fraud activity that is tailored to
meet their risk management needs. For example, reports can be designed to
pinpoint specific sources of risk by geographic area (city, state, or country),
merchant, or fraud type.
How the Visa FRS Works
The Visa FRS operates in this manner:
1. Visa-issuing members use VisaNet to report their fraudulent transactions
to Visa.
2. Based on reported fraud, Visa sends daily or weekly, monthly, and quarterly
Fraud Activity Reports to members. These reports advise members of the
acceptance status of the reports they submitted (if the member’s fraud
reports were entered correctly and accurately), and provide summaries of
fraud reported to date.
3. The reports enable all Visa members to track their organization’s fraud
activity, analyze risk potential, and take specific action.
Visa FRS can help acquirers identify sources of high-risk transactions and develop
merchant fraud control systems and programs tailored to meet their specific needs.
If activity reports show high levels of fraud or certain categories of fraud, members
may be required to take further action with regard to specific kinds of transactions
or merchants.
Why Fraud Reporting is So Important
A commitment to regular and rigorous fraud reporting by individual members
protects the entire Visa membership from excessive fraud losses. Analyzing
worldwide patterns of fraudulent activity enables Visa to develop new fraud
control strategies and work with members, law enforcement, and government
agencies to identify and contain new sources of fraud. Members benefit also
through chargeback rights on fraud-related transactions that have been correctly
reported to Visa.
For more information about the Visa FRS, refer to the Visa Fraud Reporting System User
Guide or contact your Regional Risk Representative or Visa Account Manager.
What’s Covered
• What are the Risks?
• Acquirer Responsibilities in Reducing Agent Risk
• Adhering to Visa Third-Party Agent Due Diligence Risk Standards
• Establishing Reserves
• Tri-Party Agreements
• Agent Monitoring and On-Site Review
• Agent Education and Communication
• Merchant Monitoring and Control
Reputational Risks
Acquirers need to be cognizant of the potential damage that can occur to their
reputation if they should engage in a relationship with a disreputable Third-Party
Agent. The majority of these agents are established, well-known entities that
contribute to the continued growth of the payment industry. However, there are
some whose practices may not only harm a member’s reputation, but also result
in other negative actions. For example, a disqualification proceeding can be
initiated by Visa if a member is unwilling or unable to prevent the entity from
harming the Visa payment system or goodwill of the Visa brand. Some key
reputational risks include the following:
• Hidden fees and costs for merchants
• Long-term high-rate leasing contracts for terminals
• Improper use of and misrepresentation of the member and Visa’s name
and logo
• Bait and switch pricing schemes
• Contract cancellation penalties
• Internet advertising that can include “spamming” practices
Operating Regulation Violation Fines and Conditions
If an acquirer fails to control the Third-Party Agent relationship, Visa may place
conditions on the member or assess fines to a member as an enforcement
action. Visa will take such action if the member’s failure violates the Visa
International Operating Regulations and is such that it poses a risk to the payment
system or creates harm to the goodwill of the Visa brand. These conditions may
include, but are not limited to the following:
• Signing restrictions
• The disqualification of a Third-Party Agent
• An independent review of the member or the other Third-Party Agent
practices
Who Holds the Financial Liability
Third-Party Agents often assume the liability for the processing activities of
merchants that they have solicited and signed. While this is often used to
mitigate a member’s risk, it is important to remember that a shift in liability will
only be enforceable to the limit of the third-party organization’s financial means.
Visa holds the member financially liable for all payment system obligations.
Therefore, acquiring members need to review all processing-related exposures
before approving the agent, and then implement proper risk reduction tools to
help mitigate the member’s loss potential.
The Visa Third-Party Agent Due Diligence Risk Standards have been established to
ensure that acquiring members meet Visa’s minimum requirements for mitigating
risk to the payment system. All members must comply with these standards
during the Third-Party Agent registration process and throughout the life of the
business agreement.
Establishing Reserves
Tri-Party Agreements
Tri-Party Agreement Sign-off Requirements
The disclosure page must be dated and signed by the principal owner or senior
authorized officer of the merchant at the time of solicitation to indicate they
have received and reviewed the document. A copy of the executed disclosure
page must be provided to the merchant at the time that it is signed, and must be
maintained by the member in the merchant’s file as a part of the required due
diligence. The merchant is also required to retain a copy of the disclosure page.
Monitoring Third-Party Agent Solicitation Performance
All acquiring members are responsible for monitoring the performance of third-
party entities that solicit merchants on their behalf. A monthly recap can provide
the member with data that is crucial to maintaining a profitable relationship. This
data would include, but is not limited to the following information for each entity:
• Number of existing merchants at the beginning of the month,
• Number of merchants voluntarily closed,
• Number of merchants on the books at the end of the month,
• Sales volume for the merchants,
• Number and amount of credits and chargebacks, and
• Amount of residuals paid to the Third-Party Agent.
The acquirer’s Senior Merchant Services Officer should review and approve the
monthly performance recap to ensure continued portfolio profitability and to
maintain an appropriate business relationship balance.
Quarterly Reporting for Agents
Visa’s current requirements for reporting on agent performance were revised to
include specific information on each agent.
Members must maintain a file on each agent and review their performance on
an annual basis. The report must be signed by a senior officer and be made
available to Visa upon request.
Members must provide summary-level performance data for each agent. Failure
to provide the report within 30 days may result in the assessment of fees.
As part of their agent activity quarterly report to Visa, acquirers must include the
following solicitation agent performance levels:
• Sales count and amount
• Chargeback count and amount
• Number of existing merchants
• Number of new merchants
• Number of accounts closed
Acquirer Risk Program Compliance and On-Site Reviews
Acquirers must conduct an on-site review of all Third-Party Agent entities at
least once a year. More frequent reviews may be advisable, however, based on
the services provided by the entity. The on-site review can provide an acquirer
with first-hand knowledge of the entity’s practices and operations.
Remediation Mechanisms
Visa Enterprise Risk and Compliance will work with members whose
independent report of their operations indicates non-compliance with the
Acquirer Risk Program requirements. Members must provide an acceptable
plan to address the deficiencies identified. Visa’s response is determined by
the severity of the deficiency issues identified and the member’s ability and
willingness to rapidly address them. This response could include specific
corrective actions, fees in various amounts, and ultimately, if a member fails to
implement an approved plan, suspension from acquirer activities or expulsion
from membership.
Visa acquirers and issuers must register all Third-Party Agents with Visa.
Registration of Third-Party Agents can be accomplished through the Visa
Membership Management (VMM) application, which is accessible through the
Visa Online site for your region.
Compliance Validation Actions:
Educating Agents
Through prompt and proper training, acquirers need to ensure that all Third-
Party Agent organizations fully understand the Visa International Operating
Regulations that pertain to their roles and responsibilities, as well as those of the
merchant. Agent education coverage must include, but is not limited to, the
following:
• Merchant solicitation
• Merchant underwriting criteria
• Prohibited merchant categories
• Merchant Category Codes (MCCs)
• PCI DSS requirements
Acquirers must also provide a copy of their relevant corporate policies and
procedures to all Third-Party Agents that are offering services on the member’s
behalf in support of the merchant portfolio.
Communicating Merchant Underwriting Criteria
All Third-Party Agents that engage in merchant solicitation must be provided
with the acquiring member’s merchant underwriting criteria. In doing so, the
member should clearly describe all prohibited merchant types and the required
documentation for each. Certain merchant types are considered high risk and
are known to generate high levels of chargebacks and credits. The following
three merchant types must be registered with Visa before accepting and/or
processing any transactions:
• Direct Marketing of Travel Related Services (MCC 5962)
• Inbound Telemarketing (MCC 5966)
• Outbound Telemarketing (MCC 5967)
A complete description of these high-risk merchant types and MCCs can be obtained in the
Visa Merchant Data Manual.
Merchant Exception Activity Monitoring
Many Third-Party Agent entities are capable of monitoring merchant exception
activity. While acquirers allow these entities to perform some merchant
monitoring services, this does not absolve the member of its responsibilities.
Members must monitor all merchants in their portfolio (including where the
Third-Party Agent has accepted the liability) as outlined in the Merchant
Monitoring Standards in the Visa International Operating Regulations.
Merchant Control
Failure to make timely merchant data changes and/or control volume may
expose an acquirer to losses. Merchant data changes include the following:
• Doing Business As (DBA),
• Demand Deposit Account (DDA),
• Business structure (Sole Prop, Partnership, Corp, etc.),
• Address,
• Phone number, and
• Business type.
Requests for sales volume increases must be controlled and approved by the
acquirer, and preferably, reviewed by Credit/Risk Management.
Merchant Pricing
Acquirers need to provide clear merchant pricing guidelines to all Third-Party
Agents that source merchants. All pricing and fees must be disclosed in writing
to the merchant at the time the application is signed and submitted.
Merchant Fee Collection
An acquirer must collect all merchant fees directly from the merchant. Third-
Party Agent entities are not permitted to touch or hold the merchant settlement,
reserve, or processing fee funds.
Glossary
Access Control Server (ACS): Issuers participating in Verified by Visa support the ability to activate cardholders during
online purchases using an Access Control Server (ACS). An issuer may operate an ACS
itself or contract with an ACS Processor. The issuer ACS processes authentication
transactions received from participating merchants.

Account Information Security (AIS) Program: Visa’s data security compliance program. This program was formerly known as the
Cardholder Information Security Program (CISP) in the U.S.

Account Information: Account and transaction information that is necessary to process Visa transactions
correctly, including all information recorded electromechanically or otherwise on a Visa
card.

Account Number: The 16-digit account number that appears on the front of all valid Visa cards. The
number is one of the card security features that should be checked by merchants to
ensure that a card-present transaction is valid.

Account Testing: A fraud scam used by criminals to verify whether an account number is currently valid.
To “test” an account, the perpetrators make a small purchase on it—for example, a few
dollars’ worth of gas—or they submit an authorization request but not a sales
transaction receipt. If the account is valid, it will then be used for additional, larger
fraudulent transactions.

Acquirer Identifier: A three-letter tag or label consisting of the letters “ACQ” used to identify financial
institutions as acquirers for credit bureau listings. For example, an acquirer with the
name First National Bank would be listed as “Frst Natl Bnk-ACQ.” The use of acquirer
identifiers is recommended by Visa to help acquiring institutions spot potential fraud
scams involving multiple applications.

Acquirer Monitoring Program (AMP): Identifies acquirers with disproportionate levels of acquired fraud compared to their
peers. The program’s goal is to reduce fraud and the cost of fraud to Visa members.
AMP includes global minimum standards and regionally managed thresholds.

Address Verification Service (AVS)*: AVS allows merchants that accept card-absent transactions to compare the billing
address (the address to which the card issuer sends its monthly statement for that
account) given by a customer with the billing address on the card issuer’s master file
before shipping an order. AVS helps merchants minimize the risk of accepting fraudulent
transactions in a card-absent environment by indicating the result of the address
comparison.

Agent Registration Program: A Visa-sponsored program that ensures proper oversight and monitoring of members’
business relationships with Third-Party Agents. Members must register all Third-Party
Agents with the program and file quarterly reports with it on the activities and
performance of these agents.

Authenticate: To verify the identity of an Internet user, computer, or person. For example, some
merchants use advanced security systems to authenticate the consumer before
accepting an online order.

Authorization: The process by which bankcard transactions are approved by issuers. Authorizations
occur at the point of sale before a transaction is completed. With point-of-sale (POS)
and other electronic transaction-processing devices, authorization is automatic.
Telephone authorizations are also available from authorization centers.

Bank Identification Number (BIN): The Bank Identification Number (BIN) is a unique six-digit number Visa assigns to
members for identification purposes. BINs always begin with a “4” and are the first six
digits in bankcard account numbers.

BASE II: The VisaNet system that provides clearing and settlement services to members.

Boiler Room: A single room or small office used by criminals to enter fraudulent transactions on
multiple POS terminals or similar transaction-processing devices. Boiler rooms are most
frequently associated with telemarketing and account testing scams.
Bust-out Merchant: A seemingly legitimate merchant who opens a valid account with an acquirer and, after
a brief period of normal sales activity, deposits a large number or high-dollar amount of
fraudulent transactions. Once payment for the transactions is received, the merchant
disappears. Bust-out merchants often make applications to several acquirers at the
same time.

Card-Absent: A merchant, market, or sales environment where transactions occur without a valid
Visa card being present. Card-absent is used to refer to mail order/telephone order
merchants and sales environments, as well as the Internet.

Card Acceptance Procedures: The procedures a merchant or merchant employee must follow at the point of sale to
ensure a card and cardholder are valid. Both card-present and card-absent merchants
are required to take all reasonable means to ensure the validity of the transactions
they process.

Card-Present: A merchant, market, or sales environment where a transaction can be completed only
if both a valid Visa card and cardholder are present and the sale is processed by an
individual representing the merchant or acquirer. Card-present transactions include
face-to-face retail sales and cash disbursements.

Card Recovery Bulletin: International printed list of lost, stolen, counterfeit, or other cards that issuers in
countries outside the United States have listed for pickup. The Card Recovery Bulletin is
printed only in countries outside the United States.

Card Security Features: The alphanumeric, pictorial, and other design elements that appear on the front and
back of all bankcards. These features must be checked by merchants for all card-present
sales to ensure the card is valid. The exact physical dimensions and placement of the
card security features are specified by the Visa International Operating Regulations and are
difficult to copy exactly.

Card Verification Value (CVV): A unique three-digit code included on the magnetic-stripe of all valid Visa cards. The
CVV is checked during the authorization process for card-present sales to ensure that
the card is valid. When setting up a new merchant account, an acquirer should ensure
that the point-of-sale (POS) terminals used by the business are CVV-capable.

Card Verification Value 2 (CVV2)*: A Visa fraud-prevention system used in card-absent transactions to ensure that the card
is valid. The CVV2 is the three-digit value that is printed on the back of all Visa cards.
Card-absent merchants ask the customer for the CVV2 and submit it as part of their
authorization request. For information security purposes, merchants are prohibited from
storing CVV2 data.

Cardholder-Activated Terminal (CAT): A POS terminal that can only be activated when a cardholder swipes a bankcard through
it. CATs are commonly found in gas pumps and have been used by criminals for account
testing scams.

Check-Digit Algorithm: A mathematical formula used to create and verify the validity of Visa bankcard account
numbers. These formulas can also be used by criminals to create counterfeit account
numbers, for example, by running a valid number through an account number-generating
computer program such as CreditMaster.

Chip: An integrated microchip that is embedded into a plastic credit or debit card. It is virtually
impossible to copy, facilitates the evolution of security methods and processes, and is
capable of holding many applications.

Chip Card: A plastic credit card with an embedded computer chip that communicates information
to a chip-reading device during the transaction process.

Chip-Initiated Transaction: An EMV- and VIS-compliant chip card transaction that is processed at a chip-reading
device using full-chip data, and limited to Visa and Visa Electron Smart Payment
Applications, or EMV- and VIS-compliant Plus applications.

Code 10 Call: The telephone call merchants make to their authorization centers when they have
reason to believe that a card or transaction is not valid, but do not wish to alert the
customer to their suspicions. The merchant dials the center and requests a “Code 10
authorization.” In most cases, the call is then referred to the account issuer for special
handling.

Common Purchase Point (CPP): The merchant location or other site at which data theft or replication occurs in a
skimming scam.

Compromised Account Management System (CAMS): Visa-operated notification system that alerts Visa issuers to recovered, compromised
account numbers and requests that the issuer take steps to prevent their fraudulent use.

Credit Voucher: A transaction receipt for a refund or price adjustment to be credited to a cardholder’s
account. Credit vouchers can only be issued to an account for transactions previously
charged to that account. Improper use of credit vouchers by merchants is a violation
of the Visa International Operating Regulations and can result in the termination of the
merchant agreement.

CreditMaster: A computer program used by criminals to generate lists of potentially valid bankcard
account numbers for fraudulent use. CreditMaster is the most well-known of several
account number-generating programs that can now be downloaded from the Internet.
These programs are not illegal; however, criminals can be arrested for using computer-
generated account numbers in counterfeit or other fraud scams.
DBA: A DBA (Doing Business As) is a merchant’s legal business name as differentiated from
the names of a company’s principals or other entity that owns or manages the business.
If a merchant’s DBA is different from the principal’s or business name on a merchant
application, both should be submitted to a credit bureau and matched during the
application review process.

Direct Deposit Account (DDA): A business bank account that a merchant establishes with an acquirer for the deposit
of payments for bankcard transactions. Prospective merchants should open a Direct
Deposit Account with an acquirer before or at the time a merchant agreement is signed.

Dove Hologram: A three-dimensional hologram of a dove in flight that may appear on the front of valid
Visa Brand Mark or Visa logo cards. When the card is tilted back and forth, the dove
should appear to “fly.” The dove hologram is one of the card security features that
merchants should check to ensure a card-present transaction is valid.

Electronic Commerce Indicator (ECI): A transaction data field used by Internet merchants and acquirers to differentiate Internet
merchants from other merchant types. Use of the ECI in authorization and settlement
messages helps Internet merchants meet Visa processing requirements, and enables
e-commerce transactions to be distinguished from other transaction types. Visa requires
all Internet merchants to use the ECI.

Electronic Data Capture (EDC): An electronic system that uses a data capture terminal located at a merchant’s place of
business to record and authorize transactions. Authorized transactions are automatically
stored and then processed at the end of each business day. Funds are transferred
directly to the acquirer’s account, and then to the merchant, within 48 hours.

Embossed Number: The 16-digit account number that appears in raised print on the front of all valid Visa
cards. The embossed number is one of the card security features that should be checked
by merchants to ensure that a card-present transaction is valid.

Encrypting PIN Pad (EPP): A device for secure PIN entry and encryption without a display or card reader. An EPP is
typically used in an ATM for PIN entry and controlled by an ATM device controller. An
EPP has a clearly defined physical and logical boundary, and a tamper-resistant or
tamper-evident shell.

Encryption: The translation of data into a secret code. Encryption is the most effective way to
achieve data security. To read an encrypted file, you must have access to a secret key or
password that enables you to decrypt it. Unencrypted data is called plain text; encrypted
data is referred to as cipher text. There are two main types of encryption: asymmetric
encryption (also called public-key encryption) and symmetric encryption.

Encryption and Support Organization (ESO): An organization that performs cryptographic key management services to support
members’ ATM programs or to deploy point-of-sale PIN Entry Devices (POS PEDs) or
PIN pads. Additionally, some members outsource various cryptographic key
management responsibilities to ATM and PIN pad manufacturers, which would also be
considered ESOs in this capacity, to improve the efficiency of their Visa programs.

Even-Monetary Transaction: A bankcard transaction for an even-dollar amount, for example, US $10.00 rather than
US $10.25. A large number of even-dollar transactions deposited by a single merchant
may be the first sign of a fraud scam.

Exception Report: Reports on unusual or suspicious sales activity—such as a sudden change in the number
or average dollar amount of transactions—generated by an acquirer’s host system or
third-party processor. Visa strongly recommends that acquirers monitor all merchant
deposits and review exception reports daily.

Floor Limit: A specific dollar limit established for a single transaction over which a merchant must
obtain authorization.

Flying V: A stylized, embossed “V” located to the right of the Good Thru Date on all valid Visa
cards. The “flying V” is one of the card security features that should be checked by
merchants to ensure that a card-present transaction is valid.

Full-Track Data: A cardholder’s complete account information, including CVV, encoded in one or two
tracks on the magnetic-stripe on the back of a valid bankcard. Acquirers should ensure
that merchants’ POS terminals are set up so that full-track data can be read but not
displayed during authorization and transaction processing.

Global Merchant Chargeback Monitoring Program (GMCMP): A Visa-operated program that reduces high customer dispute levels and increases
consumer confidence in using Visa cards by:
• Identifying merchants that generate a disproportionate number of international
chargebacks.
• Allowing issuers to recover chargeback processing costs resulting from inadequate
acquirer/merchant risk management practices.
• Encouraging adoption of sound risk controls by merchants and acquirers.
Good Thru Date: The date after which a bankcard is no longer valid, embossed on the front of all valid
Visa cards.

Hacker: A person who deliberately logs on to other computers by circumventing the log-on
security system. This is sometimes done to steal valuable information or to cause
irreparable damage.

High-Risk Telemarketing Merchant: A merchant whose business includes telemarketing activity that presents a financial
or goodwill risk to Visa and its members. Businesses designated by Visa as “high-risk”
telemarketing merchants include direct marketing travel-related arrangement services,
inbound teleservices, and outbound telemarketing firms. Before signing a business of
this type, acquirers must submit a High-Risk Telemarketing Merchant Registration and
Certification Form to Visa.

Identification Report: An element of the Risk Identification Service (RIS); a report triggered by excessive fraud
or suspect activity at a merchant location and sent to the merchant’s acquirer, who may
then be required to take remedial action to help the merchant reduce fraud losses. RIS
issues four types of identification reports: Advices, Notifications, Alerts, and Warnings.
The remedial action an acquirer takes will depend on the type and number of alerts
received in a six-month period.

Independent Sales Organization (ISO): An organization that has a direct relationship with issuing and/or acquiring members.
Members contract with ISOs to provide specific services such as merchant solicitation,
cardholder solicitation, customer service, and card application processing. Plus ISOs act
on behalf of members to deploy and/or service qualified ATMs. Prepaid ISOs have
relationships with issuers to solicit other entities (i.e., merchants, corporate members,
government entities, etc.) to sell, activate, or load prepaid cards.

Internet Gateway Vendors: Third-party vendors that supply a computer network to the merchant that forwards
transaction activity to the acquirer.

Internet Payment Service Provider (IPSP): An online entity that contracts with an acquirer to provide payment-related services to
sponsored merchants. The IPSP interfaces with the acquirer on behalf of its sponsored
merchants, and must ensure that its sponsored merchants are contractually obligated
to operate according to Visa requirements. IPSPs are responsible for the actions of their
sponsored merchants, and bear liability for those actions. An IPSP is only permitted to sign
sponsored merchants.

Internet Protocol (IP) Address: A unique number that is used to represent every single computer in a network. All the
computers on the Internet have a unique IP address, which is used to route messages
to the correct destination within the Internet’s worldwide web of computers and other
related devices. The format of the IP Address is four sets of numbers separated by dots
(e.g., 198.123.124.7).

Key-Entered Fraud: The use of key-entered transactions for depositing fraudulent sales transaction receipts.
Key-entered fraud often occurs in bust-out scams, laundering, and telemarketing
schemes.

Key-Entered Transaction: A bankcard transaction that is entered on the alphanumeric keys of a POS device by
using the terminal’s manual override feature. Key-entering is used for card-absent sales
and for card-present sales where the terminal cannot “read” a card’s magnetic-stripe.

Laundering: Any situation where a business with a valid merchant agreement deposits transactions for
a company without an agreement. Whether or not the transactions processed are actually
fraudulent, laundering is a federal offense and a violation of the Visa International Operating
Regulations. It can result in a business losing its merchant agreement and being liable for
criminal prosecution.

Magnetic-Stripe (Mag-stripe): A strip of magnetic tape on the back of all bankcards that is “read” when a card is
swiped through a POS terminal. The stripe is encoded with identifying account
information as specified in the Visa International Operating Regulations. On a valid card,
the account number on the magnetic-stripe matches the embossed number on the front
of the card.

Mail Order/Telephone Order (MO/TO): A merchant, market, or sales environment where mail or telephone sales are the primary
or a major source of income. Such transactions are frequently charged to customers’
bankcard accounts.

Member: An organization that is a member of Visa and which issues cards and/or signs
merchants.

Merchant Agreement: The contract between a merchant and an acquirer permitting the merchant to accept
Visa cards for payment of goods and services, and requiring that the merchant abide by
certain rules governing the acceptance and processing of Visa transactions.

Merchant Application: A form acquirers use to obtain necessary personal and financial information about
a merchant before signing a merchant agreement with the merchant’s business. As
specified in the Visa International Operating Regulations, individual acquirers determine
the design of the merchant application and the specific information requested.

Merchant Fraud Performance (MFP) Program: A monitoring program that identifies merchants with exceptionally high levels of fraud. It
includes a set of global standards, as well as intra-regional and/or domestic thresholds.
Merchant Profile: A report compiled and periodically updated by acquirers on each of their merchants,
which is used to evaluate ongoing risk exposure and to investigate suspected instances
of fraud. The merchant profile should contain basic information on a company—
including its current financial health, number of employees, type of POS terminal used—
and document its account history, previous incidents of fraud, and any recent changes in
ownership, sales methodology, and transaction volumes.

Merchant Servicer (MS): An organization that stores, processes, or transmits Visa account numbers on behalf of
the member’s merchant. The MS has a contract with the merchant, not the member.

Mini-Dove Design Hologram (may appear on the back of Visa Brand Mark cards): The mini-dove design hologram may appear on the back anywhere within the outlined
areas shown on page 80 of this manual. A three-dimensional dove hologram should
reflect light and seem to change as you tilt the card. Most counterfeit cards contain a
one-dimensional printed image on a foil sticker.

Multiple Applications: The practice, used by criminals in bust-out merchant and other fraud scams, of
submitting applications for merchant accounts to several acquirers at the same time.

National Merchant Alert Service (NMAS): National databases that list information on terminated or high-risk merchants. The
NMAS is available only in participating country markets in the Asia-Pacific and Latin
America regions; each country has its own service. Acquirers in countries with an NMAS
can query the file for information before signing a merchant.

Normal Weekly Activity: Parameters established by acquirers to identify and monitor merchant transaction
activity and detect any unusual or suspicious patterns in merchant deposits. Acquirers
are required to set Normal Weekly Activity parameters as part of the Merchant Deposit
Monitoring Standards program.

Payment Card Industry (PCI) Data Security Standard (DSS): A set of comprehensive requirements for enhancing payment account data security. The
PCI DSS was developed by the founding payment brands of the PCI Security Standards
Council, including American Express, Discover Financial Services, JCB, MasterCard
Worldwide and Visa International, to help facilitate the broad adoption of consistent data
security measures on a global basis. The PCI DSS is a multifaceted security standard
that includes requirements for security management, policies, procedures, network
architecture, software design and other critical protective measures.

Payment Card Industry (PCI) Security Standards Council: An open global forum for the ongoing development, enhancement, storage,
dissemination and implementation of security standards for account data protection.

Payment Gateway: A system that provides e-commerce services to merchants for the authorization and
clearing of Secure Electronic Transaction Specification-compliant transactions.

PIN Entry Device (PED): A keypad, laid out in a prescribed format, combined with electronic components housed
in a tamper-resistant or tamper-evident shell that can capture and encrypt cardholder
PINs.

Point of Sale (POS): The physical location at which a bankcard transaction takes place.

Point-of-Sale Terminal (POS Terminal): The electronic device used for authorizing and processing bankcard transactions at the
point of sale.

Potentially Skimmed Transaction: A counterfeit fraud transaction in which skimming is suspected as the source of the
counterfeit account number. A potentially skimmed transaction can be identified by
three characteristics: a POS Entry Mode Code 90, a verified CVV, and confirmation that
the legitimate cardholder is still in possession of the valid card.

Principal: The individual or individuals who hold legal ownership and who manage and are
financially responsible for a business with a merchant account with an acquirer. When
underwriting a new account, acquirers should conduct a thorough financial investigation
of the business’s principals.

Printed Account Number: The 16-digit account number that may appear in print on the front of valid Visa cards.
The printed number is one of the card security features that should be checked by
merchants to ensure that a card-present transaction is valid.

Printed Number: A four-digit number that is printed below the first four digits of the printed or embossed
account number on all valid Visa cards. The four-digit printed number should begin
with a “4,” and be the same as the first four digits of the account number above it. The
printed four-digit number is one of the card security features that merchants should
check to ensure that a card-present transaction is valid.

Risk Identification Service (RIS): A Visa loss control program for acquirers that compiles fraud data and identifies
merchant locations where fraud or other risk-related activity exceeds parameters set by
Visa. Acquirers receive identification reports on merchants with excessive fraud activity
and are required to take remedial action to help the merchant reduce losses.

Sales Transaction Receipt: A paper or electronic record of a bankcard transaction, which a merchant submits to an
acquirer for processing and payment. In most cases, paper drafts are now generated by
a merchant’s POS terminal. When a merchant fills out a draft manually, it must include
an imprint of the front of the card.

Security Module: A physically and logically secure computer that performs cryptographic processes.
Signature Panel: The panel for the cardholder’s signature on the back of all Visa cards. The words
“Authorized Signature” and “Not Valid Unless Signed” must appear above, below, or
beside the signature panel. A three-digit CVV2 code appears either in a white box to the
right of the signature panel, or in a white box within the signature panel.

Skimming: The replication of account information encoded on the magnetic-stripe of a valid card
and its subsequent use for fraudulent transactions in which a valid authorization occurs.
Full-track data is captured from a valid card and then re-encoded on a counterfeit card.
The term “skimming” is also used to refer to any situation in which electronically
transmitted or stored account data is replicated, and then re-encoded on counterfeit
cards or used in some other way for fraudulent transactions.

Split Sale: The preparation of two or more sales transaction receipts for the purchase of a single
item charged to a cardholder’s single account, in order to avoid authorization limits. Split
sales are a violation of the Visa International Operating Regulations.

Sponsored Merchant: An online seller that contracts with an Internet Payment Service Provider (IPSP). The
IPSP performs some or all of the sponsored merchant’s payment-related operations on
its behalf. The sponsored merchant must meet all card acceptance requirements in the
Visa International Operating Regulations, with the single exception that it may have a
contract with an IPSP, rather than an acquirer.

Spoof Shop: A fraudulent merchant location—such as a storefront or website—set up for the sole
purpose of stealing or replicating account information from legitimate cardholders. A
spoof shop may or may not have a valid merchant agreement, but will act as if it does;
merchandise or services are sold to customers, but few or no transactions are entered
for settlement. Spoof shops are most often associated with skimming and account
testing scams.

Telemarketing Fraud: A type of fraud in which false or inflated offers of merchandise or services, such as
vacations, vitamins, or luggage, are “sold” over the telephone by high-pressure
salespeople promising fabulous prizes. In many cases, the true goal of the scam is to
get individuals to give out their bankcard account numbers, which are then used for
fraudulent transactions.

Third-Party Agent: An entity that provides payment-related services, directly or indirectly, to a member
and/or stores, processes, or transmits cardholder data. A Third-Party Agent must be
registered by all Visa members utilizing its services, directly or indirectly.

Third-Party Servicer (TPS): An organization that stores, processes, or transmits Visa account numbers. The TPS has
a direct relationship with issuing and/or acquiring members.

Track Data: See Full-Track Data.

Transaction: The act between a cardholder and merchant or cardholder and financial
institution which results in the sale of goods or services.

Transaction Monitoring: Regular review of a merchant’s transaction records by an acquirer to check for any
sudden changes in sales activity. A pattern of unusual or suspicious transactions
discovered by rigorous daily monitoring is often the first sign of a fraud scam.

Unsigned Card: A seemingly valid Visa card that has not been duly signed by the legitimate cardholder.
Merchants cannot accept an unsigned card until the cardholder has signed it, and the
signature has been checked against valid government identification, such as a driver’s
license or passport.

Unusual Activity: Any sales activity that exceeds 150 percent of a merchant’s Normal Weekly Activity
parameters, or an elapsed time of over 15 days between a transaction’s deposit and
processing dates. Acquirers must process merchant deposits so that an Exception Report
is generated whenever unusual activity occurs.
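The Exception Report, Even-Monetary Transaction, Normal Weekly Activity and Unusual Activity entries together describe the deposit-monitoring checks an acquirer's host system runs. The following is an added illustration, not Visa's or any acquirer's code: it applies the two Unusual Activity triggers exactly as the glossary states them (over 150 percent of Normal Weekly Activity, or more than 15 days between deposit and processing dates) to a constructed week of deposits, and adds an even-dollar heuristic whose threshold (half the batch, with at least five transactions) is an assumption rather than a Visa figure.

```python
"""Exception-report style checks over one week of merchant deposits.

Added example for this glossary; the thresholds marked as such come from the
Unusual Activity definition, everything else (record layout, even-dollar
ratio, merchant ids) is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

# Taken from the Unusual Activity definition.
UNUSUAL_ACTIVITY_RATIO = Decimal("1.5")   # 150 percent of Normal Weekly Activity
MAX_DEPOSIT_LAG_DAYS = 15                  # deposit-to-processing elapsed time
# Assumed heuristic for the even-monetary warning sign; not a Visa figure.
EVEN_AMOUNT_RATIO = 0.5
EVEN_AMOUNT_MIN_COUNT = 5


@dataclass(frozen=True)
class Deposit:
    merchant_id: str
    amount: Decimal
    deposit_date: date
    processing_date: date


@dataclass(frozen=True)
class NormalWeeklyActivity:
    merchant_id: str
    weekly_count: int        # expected transactions per week
    weekly_volume: Decimal   # expected dollar volume per week


def is_even_amount(amount: Decimal) -> bool:
    """True for whole-dollar amounts such as US $10.00, false for US $10.25."""
    return amount == amount.to_integral_value()


def exception_report(nwa_by_merchant, deposits):
    """Return {merchant_id: [reason, ...]} for merchants needing review.

    Merchants whose week stays within parameters are absent from the result.
    """
    by_merchant = defaultdict(list)
    for d in deposits:
        by_merchant[d.merchant_id].append(d)

    report = {}
    for merchant_id, batch in by_merchant.items():
        reasons = []
        count = len(batch)
        volume = sum((d.amount for d in batch), Decimal("0"))
        nwa = nwa_by_merchant.get(merchant_id)
        if nwa is None:
            reasons.append("no Normal Weekly Activity parameters on file")
        else:
            if count > nwa.weekly_count * UNUSUAL_ACTIVITY_RATIO:
                reasons.append(f"count {count} exceeds 150% of NWA ({nwa.weekly_count})")
            if volume > nwa.weekly_volume * UNUSUAL_ACTIVITY_RATIO:
                reasons.append(f"volume {volume} exceeds 150% of NWA ({nwa.weekly_volume})")
        stale = [d for d in batch
                 if (d.processing_date - d.deposit_date).days > MAX_DEPOSIT_LAG_DAYS]
        if stale:
            reasons.append(f"{len(stale)} deposit(s) processed more than "
                           f"{MAX_DEPOSIT_LAG_DAYS} days after deposit date")
        even = sum(1 for d in batch if is_even_amount(d.amount))
        if count >= EVEN_AMOUNT_MIN_COUNT and even / count >= EVEN_AMOUNT_RATIO:
            reasons.append(f"{even} of {count} transactions are even-dollar amounts")
        if reasons:
            report[merchant_id] = reasons
    return report


# Constructed sample parameters and deposits (not real merchants).
SAMPLE_NWA = {
    "M-1001": NormalWeeklyActivity("M-1001", 40, Decimal("2000.00")),
    "M-1002": NormalWeeklyActivity("M-1002", 10, Decimal("500.00")),
    "M-1003": NormalWeeklyActivity("M-1003", 20, Decimal("1000.00")),
}
SAMPLE_DEPOSITS = (
    # M-1001: ordinary week, mixed amounts, next-day processing.
    [Deposit("M-1001", Decimal(a), date(2010, 3, 1), date(2010, 3, 2))
     for a in ("19.95", "42.10", "7.35", "88.20", "15.49", "33.00")]
    # M-1002: sixteen identical US $100.00 sales against a 10/week profile.
    + [Deposit("M-1002", Decimal("100.00"), date(2010, 3, 1), date(2010, 3, 2))
       for _ in range(16)]
    # M-1003: one deposit dated 20 days before it was processed.
    + [Deposit("M-1003", Decimal("45.50"), date(2010, 3, 1), date(2010, 3, 2)),
       Deposit("M-1003", Decimal("12.25"), date(2010, 2, 10), date(2010, 3, 2)),
       Deposit("M-1003", Decimal("99.99"), date(2010, 3, 1), date(2010, 3, 2))]
)

if __name__ == "__main__":
    for merchant, reasons in exception_report(SAMPLE_NWA, SAMPLE_DEPOSITS).items():
        print(merchant)
        for r in reasons:
            print("  -", r)
```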
Verified by Visa: Validates a cardholder’s ownership of an account in real time during an online Visa
card transaction. When the cardholder clicks “buy” at the checkout of a participating
merchant, the merchant server recognizes the registered Visa card and the “Verified by
Visa” screen automatically appears on the cardholder’s desktop. The cardholder enters
a password to verify his or her identity and the Visa card. The issuer then confirms the
cardholder’s identity.

Visa Cardholder Information Security Program (CISP): A Visa program that establishes data security standards, procedures, and tools for all
entities—merchants, agents, issuers, and acquirers—that store Visa cardholder account
information. Now known as the Account Information Security (AIS) Program.

Visa Electron Card: A Visa International debit card that is currently accepted, but not issued, in the United
States and can only be used for card-present transactions. Electron cards have slightly
different security features from other Visa cards: the front of the card contains an
Electron rather than a dove hologram, and the 16-digit account number is printed, not
embossed.

Visa Brand Mark: The Visa Brand Mark must appear in blue and gold on a white background in either the
bottom right, top left, or top right corner.

Visa payWave: A payment method that uses the latest technology to send card data wirelessly to a
terminal reader. A cardholder simply holds their card in front of the reader.

Visa Easy Payment Service (VEPS): Provides face-to-face merchants with the ability to accept a Visa card issued in any
country for purchases of US $25 or under without requiring a cardholder signature or
PIN, and foregoing a receipt unless requested by the cardholder.

VisaNet: The systems and services, including BASE II, through which Visa delivers authorization
and transaction processing services to its members.

VisaNet Access Point (VAP): Visa equipment and software used to access the VisaNet system.
Manager/Employee Best Practices
• Always get a signature or PIN for all in-store transactions, except when the
transaction is processed under the Visa Easy Payment Service (VEPS).
• Compare and match the account number. If your terminal does not prompt
for key entry of the last four digits, compare the number on the Visa card
to the number shown on the POS terminal display or the sales receipt.
If the numbers do not match, you may have a counterfeit card. (This
recommendation does not apply to multi-application EMV chip cards.)
• Take appropriate action based on the authorization message response.
Response: Action
Approved: Ask the customer to sign the sales receipt and compare signatures.
Declined: Return the card to the customer and ask for another Visa card.
Call: Call your authorization center and tell them you received a “call” message.
Be prepared to answer questions. The operator may ask to speak with the cardholder.
Pick Up: Keep the card if you can do so safely.
• For all key-entered and manually authorized transactions (unable to
process authorization using card-swipe):
– Imprint the payment card after receiving issuer authorization, add all required
data elements, and verify Visa card security features.
– Obtain the cardholder’s signature on the transaction receipt and compare it to the
signature panel located on the back of the Visa card.
• While processing a transaction, always check the card security features.
Any sign of tampering may mean that you have been given a counterfeit
card.
• Be aware of suspicious activity at the counter:
– An individual buying an unusual amount of convenience store items.
– Limited or no eye contact from the customer, and/or the customer acting “strangely.”
– Buying large amounts of alcohol, cigarettes, and phone cards/gift cards.
– Buying money orders and/or lottery tickets with a credit card.
– Attempting to bribe the cashier.
– Requesting large amounts of cash back on small purchases.
• Monitor levels of key-entered transactions. Managers of multiple stores
should monitor the number of key-entered transactions for unusual activity.
While higher than normal levels of key-entered transactions may indicate a
faulty card reader (which may impact the MDR), they may also indicate an
attempt at fraudulent activity by store personnel.
Global Visa Acquirer Fraud Control Manual B-3
© 2010 Visa. All Rights Reserved. Notice: The information herein by Visa is CONFIDENTIAL and may not be disclosed or published without the prior written permission of Visa. Information is to be
used solely for acceptance of Visa payment products.
APPENDIX B