
Global Visa Acquirer

Fraud Control Manual


Tools and Best Practices for
Risk Management and
Loss Prevention
October 2010
Table of Contents

About This Manual

Chapter 1: The Big Picture—Payment System Fraud Control and Risk Management
  How Visa’s Electronic Payment System Works
  Visa Transaction Flow for Magnetic-Stripe and Chip Cards
  Visa Transaction Flow for PIN-Based Point-of-Sale and ATM
  Visa Fraud-Prevention Tools for Merchants
  Understanding E-Commerce Risk Exposures
Chapter 2: Acquirer Strategy and Organization
  Building a Strategic Framework
  Acquiring Center Organizational Structure
  Organizational Roles and Responsibilities
  Acquirer Fraud Control Functions and Key Considerations
  Acquirer Fraud Control and Security Function Performance Review
  Tracking Organization and Fraud Loss Performance
  Fraud Control Relations with the Criminal Justice System
  Fraud Forums and Member Bank Participation
  Third-Party Agent Relationship Management
Chapter 3: Merchant Underwriting
  Portfolio Development
  Visa Transactions and the Law
  Making the Most of Your Merchant Application
  Merchant Site Inspections
  Merchant Website Requirements
  Merchant Approvals
Chapter 4: Merchant Contracting and Setup
  Developing Merchant Agreements
  Mandatory Agreement Provisions
  Optional Agreement Provisions
  Agreement Requirements for Chip Migration
  New Merchant Start-Up and Preparation
  Merchants Fraud Prevention Communication and Education



© 2010 Visa. All Rights Reserved. Notice: The information herein by Visa is CONFIDENTIAL and may not be disclosed or published without the prior written permission of Visa. Information is to be
used solely for acceptance of Visa payment products.

Chapter 5: Fraud Prevention for Card-Present Merchants
  Card-Present Transaction Procedures
  Checking Visa Security Features
  Authorization Processing
  Matching Cardholder Signatures
  Handling Cash Disbursements/Cash Advances
  Processing Visa payWave Transactions
  Processing Visa Easy Payment Service Transactions
  Looking for Warning Signs of Fraud
  Making a Code 10 Call
  Recovered Cards
  Using Visa Electron Cards in the Card-Present Environment
  Acquirer Support of Merchant Code 10 Efforts
  Acquirer Actions For Card Recovery
  Chip Acceptance Procedural Differences
Chapter 6: Fraud Prevention for Card-Absent Merchants
  General Card-Absent Transaction Procedures
  Specific E-Commerce Transaction Requirements
  Asking for the Card Verification Value 2 Code
  Using the Visa Address Verification Service (U.S. and Canada)
  Using Verified by Visa
  Looking Out for Suspicious Orders
  A Closer Look at Recurring Transactions
Chapter 7: Merchant Fraud and How to Recognize It
  Merchant Fraud Defined
  Bust-Out Merchants
  Laundering (Factoring)
  Telemarketing Fraud
  Credit and Cash-Advance Schemes
  Counterfeit Cards
  Skimming Attacks
  System Intrusion and Data Compromise
  White Label ATM Scams
  Pinpointing the Common Point of Purchase (CPP)
  Account Testing
  Understanding Key-Entered Fraud


  Managing Inactive Merchant Accounts
Chapter 8: Merchant Activity Monitoring
  New Merchant Monitoring
  Ongoing Merchant Monitoring
  Periodic Merchant Reviews
  Identifying and Following Up on Suspicious Activity
Chapter 9: Merchant Fraud Investigation
  Fraud Control and Investigation Standards
  Components of a Successful Investigation
  Conducting an Investigation
  When a Scam is Confirmed
  Case Prosecution
  When a Merchant Agreement is Terminated
  Merchant Communication During and After an Investigation
Chapter 10: Cardholder Information and Personal Identification Number Security
  Information Security—Who, What, and Why
  Cardholder Data Storage and Security
  What is the Payment Card Industry Data Security Standard?
  Visa PIN Security
  Minimizing Third-Party Agent Branded ATM Risk
  Visa White Label ATM Compliance Program
  Acquiring Center Security
Chapter 11: In the Event of a Compromise
  Steps and Requirements for Compromised Entities (Members, Merchants, and Third-Party Agents)
  Step and Requirements for Visa Acquirers
  Forensic Investigation Guidelines
  Using the Compromised Account Management System (CAMS)
Chapter 12: Visa Risk Control Programs
  Merchant Fraud Performance Program
  Global Merchant Chargeback Monitoring Program
  Acquirer Monitoring Program
  Brand Protection Programs
  High-Risk Chargeback Monitoring Program (U.S. Only)


  Visa Fraud Reporting System
Chapter 13: Working with Third-Party Agents
  What Are the Risks?
  Acquirer Responsibilities in Reducing Agent Risk
  Adhering to Visa Third-Party Agent Due Diligence Risk Standards
  Establishing Reserves
  Tri-Party Agreements
  Agent Monitoring and On-Site Review
  Agent Education and Communication
  Merchant Monitoring and Control
Glossary

Appendix A
  Sample Merchant Application
  Sample Third-Party Site Inspection Form
Appendix B
  Quick Reference — Attended and In-Store Fraud Prevention
  Quick Reference — Automated Fuel Dispenser Fraud Prevention

ABOUT THIS GUIDE

About This Manual

Introduction

Globally, credit and debit card fraud are billion-dollar problems affecting
banks, merchants and individual consumers, all of whom feel the fraudster’s
pinch in increased operating expenses and higher prices for goods and services.
Chargebacks alone cost acquirers and merchants hundreds of millions of dollars
each year.

A single undetected scam can result in losses of hundreds of thousands, or even
millions, of dollars.

The Changing Nature of Bankcard Fraud


Equally important, the continually changing nature of the bankcard fraud
environment means today’s acquirers are faced with a landscape of growing risks,
where the need for acute awareness and vigilance is constant. Current evidence
also suggests that fraudsters’ scams have grown more sophisticated and harder
to detect.
Fraud schemes that used to involve individuals or local gangs are now being
run by national or international crime organizations that specialize in what is
called merchant or, more commonly, entrepreneurial fraud. These fraud rings
have the resources to set up seemingly legitimate retail storefronts - or purchase
established businesses - and then obtain merchant accounts for the sole purpose
of skimming account numbers from valid cards or running laundered or other
fraudulent transactions. They have also shown themselves capable of stealing
account data at almost any point in the authorization or settlement process, from
a merchant’s point-of-sale (POS) terminal to an issuer’s or acquirer’s host system
or third-party processor.

The Message to Acquirers is Clear and Unmistakable.


The unpredictability of fraud leaves each acquiring organization vulnerable.
Consequently, loss-reduction awareness must be incorporated into every aspect
of merchant relationships and daily business operations. Fraud prevention must
be a central concern in portfolio development policies, profitability analysis,
underwriting standards and procedures, merchant agreements, and ongoing
merchant education and monitoring programs. Similarly, an organizational
commitment to consistent and rigorous implementation of loss-reduction policies
must be instituted and communicated to all personnel, from management
on down.


Manual Purpose

The Global Visa Acquirer Fraud Control Manual is intended to provide acquiring
members with up-to-date information and resources for improving portfolio
profitability by reducing and preventing fraud losses. The manual combines plain-
language versions of acquirer and merchant standards from the Visa International
Operating Regulations with vital information on current merchant fraud scams
and how to recognize them. Fraud-prevention practices from acquirers are
also presented, along with descriptions of Visa’s loss-reduction programs and
other resources currently available. The information contained in the Global
Visa Acquirer Fraud Control Manual should be useful to all employees—new
and experienced—involved in an acquirer’s merchant operations. This includes
underwriters, portfolio managers, fraud investigators, credit analysts, and
internal auditors. The manual can also be used as a tool to support merchant
communication and education efforts.
Where there may be any difference in the interpretation between the Visa
International Operating Regulations and the information in this manual, the
regulations take precedence.

What’s Inside

The Global Visa Acquirer Fraud Control Manual has been divided into thirteen
chapters, each with a different main focus. You can work through this manual in
its entirety, or move directly to any of the topics listed here.

• Chapter 1: The Big Picture—Payment System Fraud Control and Risk
Management introduces the Visa® payment system. It also highlights the
factors that contribute to a profitable acquiring business and reviews typical
risk issues currently affecting acquirer programs.
• Chapter 2: Acquirer Strategy and Organization reviews the key components
of an acquirer’s business plan with an emphasis on risk management and
fraud control considerations. It also includes suggestions for building and
maintaining a risk-responsible Acquiring Center.
• Chapter 3: Merchant Underwriting contains detailed guidelines for
evaluating new merchant accounts and establishing clear, realistic portfolio
development policies to minimize risk and losses.
• Chapter 4: Merchant Contracting and Setup reviews mandatory and
optional merchant agreement provisions. It also describes key considerations
for setting up new merchants to accept Visa cards and properly process
transactions.
• Chapter 5: Fraud Prevention for Card-Present Merchants highlights
merchant requirements for checking card security features and the
cardholder’s signature. It also covers what to do if a fraudulent card or
transaction is suspected.
• Chapter 6: Fraud Prevention for Card-Absent Merchants reviews the tools
that can help today’s mail order/telephone order (MO/TO) and Internet
merchants verify the legitimacy of a Visa cardholder and card in order to
better combat fraud.


• Chapter 7: Merchant Fraud and How to Recognize It provides an overview
of current merchant fraud scenarios. The information here on new scams
and emerging fraud trends, such as skimming and bust-out merchants, may
be of particular interest to acquirer risk analysts and fraud investigators.
• Chapter 8: Merchant Activity Monitoring focuses on regular, ongoing
monitoring of merchant deposit and authorization activity. The chapter
includes routine monitoring actions that can help an acquirer spot any
unusual or sudden change in normal deposit activity.
• Chapter 9: Merchant Fraud Investigation contains helpful standards
and practices for initiating and conducting a successful merchant fraud
investigation.
• Chapter 10: Cardholder Information and Personal Identification Number
Security offers background information about the Payment Card Industry
(PCI) Data Security Standards (DSS) and PIN security requirements for
acquirers.
• Chapter 11: In the Event of a Compromise walks through the steps that
Visa requires compromised entities and acquirers to take in the event of a
security incident. Forensic investigations are also discussed.
• Chapter 12: Visa Risk Control Programs looks at the risk control standards
and programs developed by Visa to help acquirers reduce fraud losses.
• Chapter 13: Working with Third-Party Agents covers the basic requirements
for all acquiring members that use Third-Party Agents for direct or indirect
payment-related services and/or to store, process, or transmit cardholder data.
At the end of this manual, you will find:
• A Glossary that defines key terms commonly used in the payment card
industry.
• An Appendix that includes the supplemental forms and tools referenced in
this manual.


Manual Navigation

The Global Visa Acquirer Fraud Control Manual is designed for ease of use with
icons that cue you to specific resources or information:

This Icon: Points you to:

• Acquirer risk management best practices.
• Additional insights related to the topic that is being covered.
• A brief explanation of the Visa International Operating Regulations
pertinent to the topic at hand.
• Referral to related topics in the manual.
• Visa tools and resources available to acquirers and/or merchants.

Important Note About Country Differences

Most of the information and best practices contained in this document pertain
to all countries. However, in some countries, there are specific products, services,
and regulatory differences that must be noted. In these instances, country-specific
details have been identified with a universally recognized icon for the
country under discussion.
The country icons are as follows:
• United States
• Canada
• Latin America and Caribbean (LAC)
• Asia Pacific (AP)
• Central Europe, Middle East, and Africa (CEMEA)


Manual Usage and Customization

The individual sections of the Global Visa Acquirer Fraud Control Manual can be
reproduced or modified for use as training materials or desk references. To help
you in this effort, all of the information contained in this manual is available to
members in a downloadable PDF via your Visa Online regional site.
If necessary, contact your Regional Risk Representative or Visa Account
Executive for online access.

The information in this presentation is provided for informational purposes only and does not provide legal advice, analysis, or opinion. It should
not be relied upon by you or your institution for marketing, legal, regulatory, or other advice. Your institution’s practices should be independently
evaluated by your institution in light of its specific business needs and any applicable laws and regulations. Visa is not responsible for your or your
institution’s use of the information provided in this document, including errors of any kind, or any assumptions or conclusions you or your institution
might draw from this document. Please consult your institution’s legal counsel for legal advice applicable to your institution.

Chapter 1: The Big Picture—Payment System Fraud Control and Risk Management

Visa works closely with its members to define the appropriate types of tools and
controls they need to actively manage payment system risk and limit related
exposures. On the acquiring side of the business, fraudulent activity prevention
and detection are critical because members are responsible for transactions
accepted by their merchants. As such, members must employ measures to
control fraudulent activity throughout the payment transaction life cycle.
This chapter provides a high-level view of Visa’s payment processing infrastructure.
It also discusses risk issues faced by acquirers today and briefly defines the
Visa security measures and fraud-prevention tools in place to reduce risk and
associated losses.

What’s Covered
• How Visa’s Electronic Payment System Works
• Visa Transaction Flow for Magnetic-Stripe and Chip Cards
• Visa Transaction Flow for PIN-Based Point-of-Sale and ATM
• Visa Fraud-Prevention Tools for Merchants
• Understanding E-Commerce Risk Exposures

used solely for acceptance of Visa payment products.
CHAPTER 1: THE BIG PICTURE—PAYMENT SYSTEM FRAUD CONTROL AND RISK MANAGEMENT


How Visa’s Electronic Payment System Works

Visa Transaction Processing Basics

Visa operates and maintains VisaNet—the world’s largest consumer payment
system. VisaNet is a collection of systems that support:
• An authorization service by which Visa card transactions are approved or
declined by the issuer (or by Visa on the issuer’s behalf).
• A clearing and settlement service that processes transactions electronically
between acquirers and issuers to ensure that the:
– Information moves from acquirers to issuers for posting to cardholder
accounts.
– Payment moves from issuers to acquirers for Visa transactions and is
posted to the merchant accounts.
Visa transaction processing takes place in two very different environments—
card-present and card-absent—each of which offers unique card acceptance and
fraud issues.

Visa Transaction Processing Requirements

Card-present merchants—Card-present merchants who process Visa payments
must adhere to established procedures. These include:
• Obtaining authorization,
• Generating a transaction receipt with a card imprint (manual or electronic), and
• Asking the cardholder to sign the receipt or point-of-sale (POS) terminal
signature display window, or use a Personal Identification Number (PIN).
Card-absent merchants are required to obtain authorization on all Visa
transactions, but are at greater risk when it comes to fraudulent activity because
they do not have face-to-face contact, a card-in-hand, or an actual signature.

Environment: Card-present – Both the card and cardholder are present at the
point of transaction
Transaction Situations:
• Face-to-Face with a sales associate (e.g., retail merchant outlets,
department stores, grocery stores, etc.)
• Both card and cardholder are present, but sales person may not be (e.g.,
automated fuel dispensers at retail petroleum stations).

Environment: Card-absent – Neither the card nor cardholder are present at the
point of transaction
Transaction Situations:
• Telephone/catalog mail orders
• Internet orders
• Recurring payment—where a cardholder authorizes a merchant to debit the
cardholder’s Visa account on a continuing and periodic basis for goods or
services to be received over a period of time (e.g., subscriptions, insurance
premiums, membership dues).


Visa Transaction Flow for Magnetic-Stripe and Chip Cards

The following illustrations show the life cycle for Visa magnetic-stripe and chip
credit or debit card transactions. Processing events and activities may vary
slightly for any one merchant, acquirer, or card issuer, depending on card and
transaction type, and the processing system used.

> Magnetic-Stripe and Chip Card—Credit or Debit Authorization


• Cardholder presents a Visa card to pay for purchases. For card-absent
transactions, the cardholder provides the merchant with the account number,
expiration date, billing address, and Card Verification Value 2 (CVV2).*
• Merchant or cardholder swipes the card through a magnetic-card reader,
dips the card into a chip-reading device,** or waves the card in front of
a Visa payWave reader.
• For chip card transactions, the card and chip-reading device work together
to determine the appropriate cardholder verification method (either signature,
PIN, or Visa Easy Payment Service). If the transaction requires a
PIN-verification, the cardholder follows point-of-sale (POS) prompts and
enters the PIN.
• Merchant enters the transaction amount, and, if necessary, transmits an
authorization request to the acquirer.*** For card-absent transactions, the
account number and other information may be digitally or key-entered.
• Acquirer electronically sends the authorization request to VisaNet.
• VisaNet passes on the request to the card issuer.
• Card issuer provides an online response. Before approving a transaction,
the issuer makes sure the funds are available, then:
– Checks the exception file for all “statused” accounts such as lost, stolen,
counterfeit, and credit problems.
– Applies risk-based rules or parameters, such as velocity checks, or a
neural network to minimize fraudulent transactions.
If a match is made, the transaction is declined and a response is given to the
merchant which could include instructions to retain the card.
• VisaNet forwards the card issuer’s authorization response to the acquirer.
• Acquirer forwards the response to the merchant.
• Merchant receives the authorization response, and completes the transaction
accordingly.

*In certain markets, CVV2 is required to be present for all card-absent transactions.
**Many Visa cards have a chip that communicates information to a POS terminal with a chip-reading
device. If a chip reading device is available, preference must always be given to chip card processing
before attempting to swipe the stripe.
***In some markets, chip and Visa payWave allow for chip-based offline authorization.

© 2010 Visa. All Rights Reserved. Notice: The information herein by Visa is CONFIDENTIAL and may not be disclosed or published without the prior written permission of Visa. Information is to be
used solely for acceptance of Visa payment products.

Code 10 Authorization Request


There may be times during a face-to-face transaction authorization process
when a merchant is suspicious of a card or a cardholder. In these kinds of
situations, the merchant needs to make a Code 10 authorization request.

For further information about the Code 10 Call procedure, refer to
Chapter 5: Fraud Prevention for Card-Present Merchants in this manual.

With a Code 10 call, a merchant can let the institution that issued the card
know that there is suspicious activity—without alerting the customer. During a
Code 10 call, the merchant receives instructions on what, if any, action to take.
In most cases, the merchant actually speaks with the issuing bank’s special
operator. This type of authorization request is the most likely to result in a call to
law enforcement.

> Magnetic-Stripe and Chip Card—Clearing and Settlement

• Merchant deposits the transaction receipt with acquirer.*
• Acquirer credits the merchant’s account and electronically submits the
transaction to Visa for settlement.
• VisaNet:
– Facilitates settlement.
– Pays the acquirer and debits the card issuer account, then sends the
transaction to the card issuer.
• Card issuer:
– Posts the transaction to the cardholder account.
– Sends the monthly statement to the cardholder.
• Cardholder receives the statement.

Issuers and acquirers can outsource various payment, authorization, clearing,
and settlement functions to Third-Party Agents. Both sides, however, are
responsible to Visa for proper performance and Visa International Operating
Regulations compliance by its outside agents.

*Merchants or their Third-Party Agents that store, process, or transmit account information may
not store sensitive authentication data (full magnetic-stripe or chip), Card Verification Value 2
(CVV2),** data, or PIN Verification Value (PVV) data—even if it is encrypted. Once an authorization
is processed, such data should no longer exist. The only components of the magnetic-stripe or chip
that can be stored are the cardholder’s name, personal account number (PAN), and expiration date.
This information can only be stored if encrypted, suppressed, or masked—as to render it useless in the
event of a data breach.
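
The storage rule in the footnote above, as an added example that is not part of the Visa manual: a Python sketch that drops sensitive authentication data from a record once authorization has been processed, masks the PAN, audits records already at rest, and scans free text such as terminal logs for leftover Track 2 data. The field names, the last-four masking depth, and all sample values are assumptions constructed for illustration.

```python
import re

# Hypothetical field names for sensitive authentication data; map to your schema.
SENSITIVE_AUTH_FIELDS = {"track1", "track2", "chip_data", "cvv2", "pvv"}

# Track 2 layout (ISO/IEC 7813): ;PAN=YYMM, 3-digit service code, discretionary data, ?
TRACK2_RE = re.compile(r";(\d{12,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask all but the last four digits (the masking depth is an assumption)."""
    digits = re.sub(r"\D", "", pan)
    return "*" * max(len(digits) - 4, 0) + digits[-4:]


def scrub_for_storage(record: dict) -> dict:
    """Return the copy of an authorization record that may be persisted."""
    stored = {k: v for k, v in record.items() if k not in SENSITIVE_AUTH_FIELDS}
    if "pan" in stored:
        stored["pan"] = mask_pan(stored["pan"])
    return stored


def audit_stored_record(record: dict) -> list:
    """List storage-rule violations in a record that is already at rest."""
    findings = [f"sensitive:{k}" for k in record if k in SENSITIVE_AUTH_FIELDS]
    pan = str(record.get("pan", "")).replace(" ", "")
    if pan.isdigit():           # all digits means the PAN is stored in the clear
        findings.append("pan:unmasked")
    return sorted(findings)


def find_residual_track2(text: str) -> list:
    """Return masked PANs for Track 2 strings found in text.

    The Luhn filter cuts false positives from random digit runs.
    """
    hits = []
    for match in TRACK2_RE.finditer(text):
        if luhn_valid(match.group(1)):
            hits.append(mask_pan(match.group(1)))
    return hits


# Constructed sample data (4111111111111111 is a widely used test number).
SAMPLE_AUTH_RECORD = {
    "cardholder_name": "A CARDHOLDER",
    "pan": "4111111111111111",
    "expiration_date": "2512",
    "track2": ";4111111111111111=25121010000012345678?",
    "cvv2": "123",
    "pvv": "4567",
    "amount": "42.00",
}
SAMPLE_LOG = (
    "10:02:11 POS07 auth ok ref=000123\n"
    "10:02:12 POS07 debug raw=;4111111111111111=25121010000012345678?\n"
    "10:02:15 POS07 debug raw=;4111111111111112=25121010000012345678?\n"
)

if __name__ == "__main__":
    print(scrub_for_storage(SAMPLE_AUTH_RECORD))
    print(audit_stored_record(SAMPLE_AUTH_RECORD))
    print(find_residual_track2(SAMPLE_LOG))
```

Running the audit over existing databases and the Track 2 scan over log directories shows where magnetic-stripe data has leaked into storage, which is the condition the footnote prohibits.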


Visa Transaction Flow for PIN-Based Point-of-Sale and ATM

PIN-based POS or ATM transactions are typically authorized and cleared
(posted) at the same time within a single message. Settlement occurs from this
single message at certain cut-off times during the day. This is referred to as an
“online” debit transaction. The following diagrams illustrate the basic processing
steps for PIN-based POS (Interlink) and ATM (Visa/Plus) transactions.

> Interlink Authorization, Clearing and Settlement

• Cardholder presents a card to pay for purchases.
• Merchant or cardholder swipes the card through a magnetic-card reader, dips
the card into a chip-reading device,* or waves the card in front of a Visa
payWave reader. The merchant then enters the transaction amount. The
cardholder enters the PIN. A transaction authorization request is transmitted
to the acquirer.
• Acquirer gateway or acquirer office determines the network to which the
transaction should be routed. For Interlink, the acquirer or back office
electronically sends the authorization request to VisaNet. All other
transactions are transmitted to the appropriate network (shown in the diagram
as “Other networks”).
• VisaNet:
– Passes on the request to the card issuer.
– Facilitates settlement.
• Card issuer:
– Provides an online response.
– Posts the transaction to the cardholder account.
Before approving a transaction, the issuer makes sure the funds are available
and does the following:
– Checks for all “statused” accounts such as lost, stolen, counterfeit, and
available funds.
– Validates the PIN.
• VisaNet forwards the card issuer’s authorization response to the acquirer.
• Acquirer forwards the response to the merchant.
• Merchant receives the authorization response and completes the transaction
accordingly.

*Many Visa cards have a chip that communicates information to a POS terminal with a chip-reading
device. If a chip reading device is available, preference must always be given to chip card processing
before attempting to swipe the stripe.


> Visa/Plus Authorization, Clearing and Settlement

1. Cardholder presents Visa card at ATM, enters PIN, and makes cash withdrawal
request.
2. The ATM acquiring bank routes the cash withdrawal authorization request
based on ATM network processing preferences. Routes shown in the diagram:
Visa/Plus Network, Other networks, and On-Us (acquirer is also the card issuer).
3. Visa/Plus:
• Passes on the request to the card issuer.
• Facilitates settlement.
4. Card issuer:
• Provides an online response.
• Posts the transaction to the cardholder account.
Before approving a transaction, the issuer makes sure the funds are available
and does the following:
• Checks for all “statused” accounts such as lost, stolen, counterfeit, and
available funds.
• Validates the PIN.
5. Visa/Plus forwards the card issuer’s response to the ATM acquiring bank.
6. ATM dispenses cash to cardholder.


Cardholder Disputes and Chargebacks

A “chargeback” provides an issuer with a way to return a disputed transaction.
When a cardholder disputes a transaction, the issuer may request a written
explanation of the problem from the cardholder and can also request a copy of
the related sales transaction receipt from the acquirer, if needed. Once the issuer
receives this documentation, the first step is to determine whether a chargeback
situation exists. There are many reasons for chargebacks—those reasons that
may be of assistance in an investigation include the following:
• Merchant failed to get an authorization
• Transaction receipt is altered or unsigned
• Merchant failed to obtain card imprint (electronic or manual)
• Merchant accepted an expired card
When a chargeback right applies, the issuer sends the transaction back to the
acquirer and charges back the dollar amount of the disputed sale. The acquirer
then researches the transaction. If the chargeback is valid, the acquirer deducts
the amount of the chargeback from the merchant account and informs the
merchant.
If the merchant cannot remedy the chargeback, it is the merchant’s loss. If there
are no funds in the merchant’s account to cover the chargeback amount, the
acquirer must cover the loss.


Visa Fraud-Prevention Tools for Merchants

Payment Card Industry (PCI) Data Security Standard (DSS)

The Payment Card Industry (PCI) Data Security Standard (DSS) is intended to
help protect Visa cardholder data—wherever it resides—ensuring that customers,
merchants, and service providers maintain the highest information security
standard. As mandated by Visa, all issuers, merchant banks, Third-Party Agents,
merchants, and service providers that store, process, or transmit cardholder data
are required to comply with PCI DSS.

Fraud Control for Card-Present Merchants

Every Visa card contains a set of unique design features and security elements
developed by Visa to help merchants verify a card’s legitimacy. By knowing
what to look for on a Visa card, merchants can avoid inadvertently accepting a
counterfeit card or processing a fraudulent transaction.

For further details about Visa card security features, refer to Chapter 5: Fraud
Prevention for Card-Present Merchants in this manual.

Merchants should train their sales staff to take a
few seconds to look at the card’s basic features and security elements after they
have swiped the card and are waiting for authorization. Checking card features
and security elements helps to ensure that the card is valid and has not been
altered in any way.

Fraud Control for Card-Absent Merchants

Card-absent merchants are perfect targets for payment card scams simply
because there’s no face-to-face customer contact, no tangible card, and no
physical signature on the sales draft.
Today’s scam artists are savvy. They understand the payment structure and the
security processes involved with each type of transaction. They’re constantly
coming up with different ways to circumvent the system, and they are always on
the lookout for vulnerable merchants who are susceptible to fraud.

For further details about fraud prevention and detection tools for mail
order/telephone order (MO/TO) and Internet merchants, refer to Chapter 6:
Fraud Prevention for Card-Absent Merchants in this manual.

This is why Visa has developed a “layered approach to security” in the
card-absent environment that offers both merchants and consumers multiple
security checkpoints.


Visa’s Layered Approach to Card-Absent Security

The following Visa fraud prevention and detection tools are designed to
complement each other and work together as multiple services that can help
MO/TO and Internet merchants verify the legitimacy of a Visa cardholder and
card to help better combat fraud.

• Address Verification Service (AVS)* enables a card-absent merchant to verify
the billing address of a customer presenting a Visa card for payment. It
verifies the credit card billing address of the customer who is paying with a
Visa card. The merchant includes an AVS request with the transaction
authorization and then receives a result code (separate from the
authorization response code) that indicates whether the address given by
the cardholder matches the address in the issuer’s file. A partial or no-match
response may indicate fraud risk.

AVS can only be used to confirm addresses in the United States and Canada. In
other countries, card issuer participation in AVS is optional.

• Card Verification Value 2 (CVV2)** is a three-digit code that appears
either on or in a white box to the right of the signature panel of all Visa cards.
Telephone order and Internet merchants use CVV2 to verify that the customer
has a legitimate Visa card in hand at the time of the order. The merchant asks
the customer for the three-digit code and sends it to the issuer as part of the
authorization request. The issuer checks the CVV2 code to determine its
validity, then sends a CVV2 result code back to the merchant along with the
authorization decision. The merchant evaluates the CVV2 result code,
taking into account the authorization decision and
any other relevant or questionable data.

In some markets CVV2 is required for all card-absent merchants.

• Verified by Visa offers an extra level of security for online transaction
authentication. It is an innovative service that verifies cardholder identity in
real-time so customers can shop more confidently and Internet merchants
can accept Visa cards with peace of mind while authenticating a cardholder’s
identity at the time of purchase.

*AVS is only available in the U.S. and Canada.
**In certain markets, CVV2 is required for card-absent transactions.


• CyberSource Advanced Fraud Screen (AFS) enhanced by Visa is designed for
Internet merchants who want to use third-party screening. It is an effective
fraud-screening program that suspends processing if a transaction:
– Matches data stored in the merchant’s internal negative files.
– Exceeds velocity limits and controls.
– Generates an AVS* mismatch or CVV2** no match.
– Matches other high-risk attributes (customized by the merchant).

Third-Party vendors offer a combination of leading technology and innovative
tools for detection and prevention of fraud within the various card-absent
channels. These solutions are designed to help merchants protect their
customers and brand by reducing fraud losses. To obtain a list of Third-Party
fraud-prevention solution providers, contact your merchant bank.

The Right Combination of Tools at the Right Time

The chart below highlights Visa’s layers of security by business type.

Merchant           CVV2    AVS    Verified by Visa    AFS    PCI DSS
Internet            ✓       ✓            ✓             ✓        ✓
Telephone Order     ✓       ✓                                   ✓
Mail Order                  ✓                                   ✓

*AVS is only available in the U.S. and Canada.
**In certain markets, CVV2 is required for card-absent transactions.
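
The hold conditions listed above for third-party screening (negative files, velocity limits, AVS mismatch or CVV2 no match, merchant-defined attributes), which overlap with the issuer-side exception-file and velocity checks in the authorization flow earlier in this chapter, as an added Python example that is not Visa or CyberSource code. The result labels, thresholds, field names, and sample orders are assumptions constructed for illustration; real AVS and CVV2 result codes come from the processor.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Hypothetical result labels; real AVS/CVV2 result codes come from the processor.
AVS_MATCH, AVS_PARTIAL, AVS_NO_MATCH, AVS_UNAVAILABLE = (
    "match", "partial", "no_match", "unavailable")
CVV2_MATCH, CVV2_NO_MATCH = "match", "no_match"


@dataclass
class Order:
    order_id: str
    card_token: str      # tokenized account reference, never the clear PAN
    email: str
    amount: float
    timestamp: int       # seconds since epoch
    ship_country: str
    avs_result: str
    cvv2_result: str


@dataclass
class Screen:
    negative_cards: set = field(default_factory=set)
    negative_emails: set = field(default_factory=set)
    high_risk_countries: set = field(default_factory=set)  # merchant-customized
    max_orders: int = 3          # velocity: orders per card per window
    max_amount: float = 500.0    # velocity: total amount per card per window
    window_seconds: int = 3600
    _history: dict = field(default_factory=lambda: defaultdict(deque))

    def evaluate(self, order: Order) -> list:
        """Return the reasons to suspend processing (empty list = proceed)."""
        reasons = []
        if (order.card_token in self.negative_cards
                or order.email.lower() in self.negative_emails):
            reasons.append("negative_file")

        # Sliding-window velocity. Every attempt is counted, held or not,
        # because repeated attempts are themselves the signal.
        hist = self._history[order.card_token]
        while hist and order.timestamp - hist[0][0] >= self.window_seconds:
            hist.popleft()
        hist.append((order.timestamp, order.amount))
        if len(hist) > self.max_orders:
            reasons.append("velocity_count")
        if sum(amount for _, amount in hist) > self.max_amount:
            reasons.append("velocity_amount")

        # A partial or no-match AVS response may indicate fraud risk. An
        # unavailable result (AVS only covers the U.S. and Canada) is not a
        # mismatch, so it does not hold the order by itself.
        if order.avs_result in (AVS_PARTIAL, AVS_NO_MATCH):
            reasons.append("avs_mismatch")
        if order.cvv2_result == CVV2_NO_MATCH:
            reasons.append("cvv2_no_match")
        if order.ship_country in self.high_risk_countries:
            reasons.append("high_risk_attribute")
        return reasons


def screen_sample_orders() -> dict:
    """Run constructed sample orders through one Screen; order_id -> reasons."""
    screen = Screen(negative_cards={"tok_D"}, high_risk_countries={"ZZ"})
    ok = dict(ship_country="US", avs_result=AVS_MATCH, cvv2_result=CVV2_MATCH)
    orders = [
        Order("o1", "tok_A", "a@example.com", 40.0, 1000, **ok),
        Order("o2", "tok_B", "b@example.com", 120.0, 1100, ship_country="US",
              avs_result=AVS_NO_MATCH, cvv2_result=CVV2_NO_MATCH),
        Order("o3", "tok_C", "c@example.com", 25.0, 2000, **ok),
        Order("o4", "tok_C", "c@example.com", 25.0, 2300, **ok),
        Order("o5", "tok_C", "c@example.com", 25.0, 2600, **ok),
        Order("o6", "tok_C", "c@example.com", 25.0, 2900, **ok),  # 4th in an hour
        Order("o7", "tok_D", "d@example.com", 30.0, 3000, **ok),  # negative file
        Order("o8", "tok_C", "c@example.com", 25.0, 6600, **ok),  # window expired
        Order("o9", "tok_E", "e@example.com", 90.0, 7000, ship_country="FR",
              avs_result=AVS_UNAVAILABLE, cvv2_result=CVV2_MATCH),
        Order("o10", "tok_F", "f@example.com", 60.0, 7100, ship_country="ZZ",
              avs_result=AVS_UNAVAILABLE, cvv2_result=CVV2_MATCH),
    ]
    return {o.order_id: screen.evaluate(o) for o in orders}


if __name__ == "__main__":
    for order_id, reasons in screen_sample_orders().items():
        print(order_id, "HOLD" if reasons else "PROCEED", reasons)
```

Returning every reason rather than stopping at the first gives the reviewer who releases or declines a held order the full picture.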


Understanding E-Commerce Risk Exposures

Acquirers need to address the following issues in order to successfully adapt to
the e-commerce environment.
• Global audience. The Internet opens the door to legitimate buyers worldwide
and offers global opportunities to criminals who are intent on taking
advantage of security weaknesses in a merchant system.
• Powerful, cheap tools, and faster exposure to fraud. There is a relatively low
start-up investment for Internet merchants. Most businesses can open their
virtual storefront quickly. If a merchant does not take the time up front to
adequately protect its systems, serious security and fraud exposure can also
occur very quickly.
• Constant availability. Internet merchants are available for business 365 days
a year, 24 hours a day. Without proper monitoring controls, this accessibility
heightens their vulnerability to fraud and denial-of-service attacks.
• No centralized standards or legal authority. Because the Internet is global
and there is no central authority that dictates security or operational
standards, acquirers and merchants must be extremely careful in their
business dealings. Merchants intending to commit fraud tend to target
acquirers in countries with criminal justice systems that do not have the
legislation to convict credit card crimes, or that have a police force that
does not give priority to these types of financial crimes. Internet merchants
are also targeted by criminals and, as such, are more likely to see fraudulent
transactions originating from countries without these protections and with
weak extradition treaties.
• Critical information is more vulnerable to compromise. Interception of
account data is simpler during an e-commerce transaction compared to mail
or telephone orders. Computer technology makes it possible for criminals to
quickly collect massive quantities of credit card numbers and other account
information.
• Hackers intrigued by the challenges of advanced technology. For many
hackers, the challenge of infiltrating advanced technology is one of the chief
motivators for their malicious actions. Once a weakness is identified, it is
often quickly exposed to others worldwide through Internet communications
channels. Merchant system developers must proactively work to implement
site security and data protection.
• Personal information provided might be false. It is sometimes difficult to
verify whether the information provided by the customer is valid, particularly
if the merchant and customer are in different countries. Customers are
reluctant to provide accurate information because they:
– Do not trust that their information will be responsibly stored and/or used.
– Do not want to be contacted.
– Wish to mislead the merchant for fraudulent reasons.

• Weak identification mechanisms. The Internet offers its users an
anonymous platform where it is difficult to trace messages back to their
original source. This can make fraud investigation extremely difficult.
• Selling virtual goods. Where digital content is being delivered to the
buyer, the transaction occurs very quickly. If the buyer is using a fraudulent
identification or payment method, it may not be detected until after the
transaction is completed and the buyer is untraceable. Digital content sites
(particularly adult websites) can also become the target of criminals who
want to test whether the account number(s) they have in their possession
are valid.
• Merchant ability to cross borders quickly. As with traditional payment
channels, acquirers must always guard against high-risk merchants that
initiate the relationship for the purpose of committing fraud. This is
especially important with Internet merchants because such businesses can
be easily established in new locations practically overnight. In some cases,
this is done simply by moving a website server. This typically occurs when
a merchant is terminated for excessive fraud behavior in one market and is
then immediately picked up in another, less experienced market that does
not adequately assess the risk or background of its merchants. Acquirers
that sign new merchants without a thorough application review process and
effective screening control can suffer losses.
• Cardholder fraud and disputes. The ability of a cardholder to successfully
dispute an e-commerce transaction is dependent upon the issuer’s
investigation process and the merchant’s ability to provide supporting
documentation for the transaction. Typical cardholder fraud and dispute
risks associated with e-commerce transactions are outlined below.

Area: Fraud
Risk Possibilities:
• Customer uses a stolen card or account number to fraudulently
purchase goods or services online.
• Family member uses a payment card to order goods or services
online, but has not been authorized to do so.
• Customer falsely claims that he or she did not receive a shipment.
• Hackers find their way into an Internet merchant’s payment
processing system and then issue credits to hacker card account
numbers.

Area: Customer Disputes
Risk Possibilities:
• Goods or services are not as described on the website.
• Customer is billed before goods or services are shipped or delivered.
• Confusion and disagreement between customer and merchant over
return and refund.
• Customer is billed twice for the same order and/or billed for an
incorrect amount.
• Customer doesn’t recognize the merchant name on his statement
because merchant uses a Third-Party Agent to handle billing.
• Goods or services are billed without actual customer approval.

Chapter 2 Acquirer Strategy and Organization

Many risk management issues associated with the acquiring side of the payment
card industry are, for the most part, preventable when a strategic business
approach is in place. A sound, comprehensive plan sets forth specific goals and
objectives by which profitability, growth, operational efficiencies, service levels,
and most importantly, risk reduction can be measured. But even the best-laid
plans can fall short without the proper resources. To be effective, an acquiring
institution’s business strategies must have a strong organizational structure to
support them.
This chapter reviews the major components of an acquirer’s strategic business
plan with an emphasis on key risk management considerations. It also includes
suggestions for building and maintaining a risk-responsible Acquiring Center.

What’s Covered
• Building a Strategic Framework
• Acquiring Center Organizational Structure
• Organizational Roles and Responsibilities
• Acquirer Fraud Control Functions and Key Considerations
• Acquirer Fraud Control and Security Function Performance Review
• Tracking Organization and Fraud Loss Performance
• Fraud Control Relations with the Criminal Justice System
• Fraud Forums and Member Bank Participation
• Third-Party Agent Relationship Management

CHAPTER 2: ACQUIRER STRATEGY AND ORGANIZATION


Building a Strategic Framework

Developing a Strategic Business Plan

All acquirers should have a documented, approved strategic plan; one that
focuses on the future direction of the organization and establishes specific
business goals and objectives to be met over a defined period of time.

The effects of fraudulent activity must be accounted for in the acquirer’s
strategic business plan and functional costs.

Acquirers will gain the greatest benefit from developing a plan that addresses
the following areas:

• Effect of competition on strategy
• Impact on other banking relationships
• Management information
• Market segments
• Excluded or unacceptable merchant types
• Monitoring performance against strategy
• Pricing
• Products
• Profitability
• Relationship with branch network (if applicable)
• Risk management parameters and guidelines
• Fraud Control standards
• Service levels
• Technology at point of sale
• Third-Party Agent relationships
• Volume of growth
• Merchant portfolio credit risk

Key Success Factors

One secret to acquiring a profitable merchant business is to ensure that all key
factors concerning the prospective merchant are fully understood and analyzed.
Among these factors, acquirers should consider the following:
• Merchant discount rate. Merchants pay for their ability to accept bankcards
through a fee. The rate varies depending on transaction volume, average
transaction amount, type of merchant, processing methods and costs, the
interchange fee for which transactions from the merchant qualify, and acquirer
profitability.


• Interchange rate. The Interchange Reimbursement Fee (IRF), which passes
from acquirer to issuer on purchase transactions, provides a balance
designed to both promote card issuance and usage, as well as maximize
merchant acceptance opportunities. Interchange rates are set based on the
merchant category, authorization and processing methods used, whether or
not additional information is provided in the transaction record, and the type
of card used at the point of sale.
• Credit and fraud efforts. Fraudulent merchant activity prevention is a
critical function because acquirers are responsible for all the transactions
accepted by their merchants. Merchant fraud includes knowingly accepting
counterfeit or stolen cards, laundering (factoring) sales transaction
receipts, and fraudulent use of valid cards or cardholder data. Merchant
business profiles can range significantly from high-volume, card-present
transactions that carry low risk to merchants who supply specialized
products having high-ticket values, but a low volume of sales.

For further details about merchant laundering (also known as factoring), refer
to Chapter 7: Merchant Fraud and How to Recognize It, in this manual.


Acquiring Center Organizational Structure

Setting Up a Risk-Responsible Merchant Operation

Successful merchant operations management requires the right people in the
right positions throughout the organization. An essential part of this process
involves defining key organizational roles and responsibilities.
All too often, the people responsible for security and risk and/or fraud
control management are not correctly positioned in the organization. Many
organizations don’t even have a dedicated risk management group. While it is
not the intention of this manual to show how an Acquiring Center should be
structured, the following diagram is offered as an example of a risk-responsible
organization.

[Organization chart: Acquiring Center Manager at the top, above a row of five
manager positions (labels as extracted: Sales, Support, Systems, Operations,
Visa Risk, Compliance). Functions shown beneath the managers: Account Setup,
Authorizations, Systems Operations, Merchant Approval, Settlement, Back Office
Support, Fraud Control Management, Collections & Investigations.]

In the “ideal” Acquiring Center structure, Risk Management, the group
responsible for approving and monitoring merchants, is a peer of the group that
signs up new merchants, and the sales and marketing units. It is also a peer of
the groups responsible for day-to-day operations and information systems. This
helps keep the monitoring process objective and makes it easier for departments
to take decisive action when a merchant fails to comply with Visa standards.

Merchant Operation Setup Best Practices

In setting up a risk-responsible operational structure, an acquiring institution
should consider these best practices:
• Make sure ongoing management of the acquirer program is clearly assigned
to individuals or organizational units.
• Separate sales operations and risk management functions to ensure built-in
checks and balances.
– Place sales, operations, and risk management at the same level—making
them peers—to provide an independent risk assessment environment.
– Ensure that the risk management group is responsible for reviewing new
merchants and monitoring all merchants in the member’s portfolio for
signs of financial difficulty and possible fraud.


• Set up a Risk Management Committee (RMC) to discuss and agree upon
specific risk issues and sign off on the overall business strategy. The RMC
is typically chaired by Risk Management and includes representatives from
Fraud Control Management.
• Train your Acquiring Center staff. Make sure they have a thorough
understanding of:
– Merchant fraud risk and security issues.
– Visa card chargeback rules and regulations.
– Your organization’s risk management policies and procedures.


Organizational Roles and Responsibilities

Common Functions and Responsibilities

There are a number of different positions found in the Acquiring Center. Some
of the more common ones are listed in the following chart. These positions have
been included to help you evaluate how your organization is staffed to meet
Acquiring Center operational requirements. As you review the positions, please
note that the functional titles may differ among acquirers, but the
responsibilities are fairly standard. For specific Acquiring Center
descriptions and codes, please refer to the Visa Membership Directory.

It is not necessary to provide all center services in-house; some of these can
be performed by third parties that specialize in these areas.

Position: Acquiring Center Manager
Role: Ensures an efficient, effective and profitable Visa card operation.
Responsibilities:
• Supervise and monitor the work of the managers in all operating areas.
• Conduct meetings, set policies within assigned limits, delegate
responsibilities and recommend changes in operating procedures.
• Answer correspondence and inquiries from important customers.
• Attend card and other industry meetings to keep up-to-date on
developments and legislation affecting the card industry.
• Submit reports to bank management and Visa regarding the activities and
statistics of the Visa card operation.
• Hire and review performance of managers. Make recommendations for
promotion, termination and salary increases.
• Develop, review, and ensure adherence to center budget.

Position: Credit Manager
Role: Coordinates all activities related to credit granting through the
issuance of Visa merchant accounts.
Responsibilities:
• Ensure that the credit department is properly staffed with personnel
capable of assuming the authority, responsibility and duties required to
make credit decisions.
• Advise and train supervisors, ensure compliance with all legislation
affecting credit granting, coordinate work flow and schedules, recommend
placement of new employees.
• Handle general personnel administration and make recommendations for
salary adjustments, transfers, promotions and terminations.
• Conduct meetings with employees to educate them in proper methods and
procedures and discuss changes in policies and procedures.
• Maintain control of credit standards to ensure the quality of credit
extended; recommend and implement changes in systems and procedures.
• Approve or decline applications within assigned guidelines referred by
supervisors and applications from corporations and partnerships for
business cards.
• Prepare informative reports for the Center Manager and senior management.
• Attend various credit organization meetings, meetings with branch
personnel, the Center Manager and senior management.


Position and Role: Customer Services Manager
Supervises customer service staff to ensure the efficient, prompt and
courteous handling of merchant inquiries.
Responsibilities:
• Coordinate work received by customer service personnel daily.
• Delegate authority, responsibilities and duties to supervisors and
personnel.
• Recommend and implement new systems and procedures, as needed.
• Assist personnel in resolving difficult customer service problems.
• Call customers, or correspond with them regarding inquiries or problems.
• Hire and review performance of personnel.
• Make recommendations for promotion, termination and salary increases.
• Monitor work of customer service staff to ensure that customer contact is
efficient and courteous and that customer’s goodwill is maintained.
• Evaluate the pending workload and see that problems are resolved within
legal time frames.
• Prepare reports for Center Manager and senior management on problems and
inquiries handled.

Position and Role: Marketing Manager
Develops and implements program for the acquisition of new merchants and
program to increase Visa volume at existing merchants.
Responsibilities:
• Establish marketing policies.
• Approve advertising and promotional campaigns.
• Visit branches, sponsored member banks and major merchants to promote
Visa card business.
• Attend sales meetings and conventions.
• Participate in charitable and civic activities to promote goodwill for
the Visa merchant program and the bank.
• Supervise preparation of statistical reports for the information and
evaluation of the Center Manager and senior management.

Position and Role: Operations Manager
Supervises activities in the operations areas of the center. Establishes
procedures, prepares reports for management, maintains safeguards and
administers personnel policies.
Responsibilities:
• Develop procedures for effective operations.
• Set up operating schedules and coordinate workflow through the center.
• Maintain accounting records, compile reports.
• Train, counsel, and inform staff members on policies, goals, practices and
procedures through individual meetings, staff meetings and training
programs.
• Supervise personnel and delegate work assignments.
• Hire employees, recommend promotion, transfers, terminations and salary
adjustments.

Position and Role: Accounting Supervisor
Supervises employees engaged in servicing and maintaining Visa merchant
accounts.
Responsibilities:
• Report to operations manager, supervise employees involved in data entry,
tabulating, accounting.
• Organize and coordinate workflow, delegate work assignments, hire
employees, recommend promotions, transfers, terminations and salary
adjustments.
• Train and instruct employees in procedures and use of equipment.
• Coordinate computer use.
• Recommend procedural and equipment changes.
• Supervise balancing, reporting, aging of general ledger accounts, process
sales transaction receipts and remittances.
• Answer mail and telephone inquiries from merchants and acquirers regarding
servicing or operating problems.


Position and Role: Authorization Supervisor
Supervises activities of authorizers engaged in approving or declining
authorization requests from merchants for transactions over floor limits, and
from branches for cash advances. Approves or declines over-line or problem
transactions referred by authorizers. Refers cases to investigators. Ensures
after-hours merchant authorization monitoring and staff training in Code 10
procedures.
Responsibilities:
• Assign employee duties and arrange work schedules.
• Answer employee questions regarding problems encountered, resolve
operating problems and instruct and train employees in correct procedures.
• Approve or decline authorization requests from merchants and branches
when the transaction brings the balance over-line, for transactions when
customer is using an expired card or is purchasing without a card and for
other questionable transactions.
• Discuss large transactions with the cardholder or merchant to obtain
further purchase or credit information and, if necessary, verify
employment and credit references before calling merchant back to give
authorization decision.
• Recommend the increase or decrease of credit lines, if warranted.
• Discuss reasons for decline of authorization with the cardholder or
branch and recommend corrective action.
• Answer correspondence regarding declined transactions.
• Make recommendations regarding employee requirements, salary
adjustments, transfers, promotions and terminations.

Position and Role: Authorizer
Approves or declines telephone requests from Visa merchants for sales
transactions in excess of floor limits.
Responsibilities:
• Approve or decline authorization requests based on established guidelines.
• For manual systems, maintain records of authorizations given, including
account number, name of cardholder, card expiration date, amount of
transaction, confirmation of identity of cardholder, merchant name,
merchant type and type of merchandise purchased.
• For cash advances authorized, the name of the member bank or branch and
the officer’s name is recorded.
• Give authorization numbers to merchants, branches or other member banks.
• Refer over-line or questionable requests to authorization supervisor for
further review and decision.
• Discuss reasons for declined authorizations with customer or branch and
recommend corrective action to clear account status.
• Receive telephone calls regarding lost, stolen, or destroyed cards and
refer pertinent information to appropriate areas (security department) for
action.


Position and Role: Credit Analyst
Reviews and analyses applications for new Visa merchant accounts to approve or
decline applications.
Responsibilities:
• Review applications received in accordance with required procedures and
regulations.
• Call branch officers to discuss application if branch has recommended or
rejected it and the reason is not clear.
• Evaluate credit information obtained by credit investigator, considering
such factors as merchant’s length of trading, type of business,
outstanding obligations, ability to pay and payment record provided by
references.
• Approve or decline applications for assignment of account numbers,
issuance of equipment and customer notification.
• Forward approved applications for the assignment of account numbers,
issuance of equipment and customer notification.
• Note reasons for rejection on declined applications and have letter of
decline typed and sent to applicant.
• Handle telephone inquiries and correspondence regarding credit policies
and decisions.

Position and Role: Customer Service Representative
Answers merchant inquiries and resolves complaints.
Responsibilities:
• Communicate with merchants by telephone and/or letters to answer
questions and resolve problems.
• Analyze problems, make decisions and implement adjustments to merchant
accounts.
• Refer difficult or complex problems to customer service manager for
assistance and/or decision.
• Maintain records of problems and inquiries handled.
• Suggest means of improving service based upon customer inquiries and
complaints.

Position and Role: Risk Management and Security Manager
Supervises activities in the operations areas of the center.
Responsibilities:
• Establish procedures, prepare reports for management, maintain safeguards
and administer personnel policies.
• Improve awareness of risk within the bankcard center.
• Manage bankcard and branch staff training on fraud awareness.
• Set guidelines for merchant approval and terminal placement policies.
• Manage production of, and communicate, risk and fraud information to
senior management on a regular basis.

Position and Role: Merchant Risk Detection Manager
Oversees merchant deposit monitoring and risk detection team.
Responsibilities:
• Identify potential fraud and credit losses.
• Manage fraud and risk reduction initiatives.
• Develop systems to monitor merchant deposits.
• Develop systems to monitor merchant activity.
• Manage operational follow-up of cases identified by risk detection team.
• Implement actions to reduce fraud in merchants.

Position and Role: Fraud Investigator
Performs investigative functions as necessary to gather data for law
enforcement or attorneys to prosecute cases of merchant fraud.
Responsibilities:
• Review transaction and merchant data to determine if there is evidence to
prosecute.
• Work with law enforcement, card associations and other sources to gather
information about suspected fraud cases.
• Testify in court, if necessary, regarding fraudulent bankcard merchants.
• Coordinate with other bank staff to gain information about suspect
accounts.


Position and Role: Fraud Investigation Clerk
Provides back-office investigative support.
Responsibilities:
• Receive/prioritize cases identified by merchant deposit monitoring clerks.
• Conduct an in-depth desktop analysis of suspect merchants.
• Freeze funds where necessary.
• Provide support to external field investigations.
• Prepare documentation for court.
• Coordinate follow-up of cases and termination.
• Complete Risk Identification Service (RIS)* questionnaires.
• Coordinate initiatives to reduce point-of-sale fraud.

Position and Role: Merchant Activity Monitoring Clerk
Provides back-office examination of suspicious merchant deposit activity to
prevent and detect fraud.
Responsibilities:
• Examine merchants identified by monitoring systems.
• Conduct initial screening of merchant deposits and authorizations.
• Contact branches and card Issuers regarding suspect activity.

Position and Role: Merchant Sales Representative
Promotes and sells Visa to merchants.
Responsibilities:
• Call upon prospective merchants to demonstrate how Visa acceptance can
increase sales.
• Explain merchant service charge, floor limits, depository arrangements
and service.
• Sign new merchants, complete sales agreements and set up deposit
accounts.
• Refer merchants to other officers or departments for additional finance
services.

Position and Role: Merchant Service Representative
Provides service to existing Visa merchants and serves as a liaison between
merchants and the member banks.
Responsibilities:
• Visit assigned merchants regularly.
• Provide supplies, advertising and point-of-sale material.
• Answer questions and assist in solving problems concerning misc.,
customer disputes and procedures.
• Keep the merchant informed of new, revised or expanded services.
• Maintain merchant records.

Position and Role: Customer Service Research Clerk
Obtains customer files and other information required by customer service
personnel to answer merchant inquiries.
Responsibilities:
• Retrieve customer files, copies of sales transaction receipts, statements
etc., for customer service representatives.
• Prepare input for requested adjustments to merchant’s accounts.

Position and Role: Data Security Manager
Ensures systems, controls and procedures are properly in place to protect
merchant and account information and prevent compromise.
Responsibilities:
• Set up policies and controls to protect internal systems.
• Review the design and implementation of connections with external
connections and networks.
• Conduct regular monitoring of sensitive internal systems and networks.
• Consult with internal information technology staff to ensure systems are
configured and maintained securely.
• Provide subject matter expertise to merchant activity monitoring clerk
and merchant service representative to support secure operations at
merchant locations.

*RIS is available in the U.S. only.


Acquirer Fraud Control Functions and Key Considerations

Acquirers bear full responsibility for the actions (losses) of all of their
merchants. If a merchant has chargebacks in excess of the assets that the
acquirer has on deposit and the merchant goes out of business, the acquirer is
held responsible for the remaining losses.

Fraud Control Unit Functions

Fraud Control Management is intended to prevent and minimize losses. There
are typically three fraud controls: Fraud Prevention, Fraud Detection and Fraud
Investigations. Fraud reduction and mitigation of fraud losses is the goal of
all three fraud areas. These areas and related functions can either be in-house
or outsourced to a Third-Party Agent. Effective fraud control activities
require interaction with other departments in the member’s organization like
Marketing, Customer Service, and Collections.

Primary functions of each unit include the following:

Area: Fraud Prevention
Key Functions:
• Maintain Management Information System (MIS), which is necessary if unit
is going to be alerted to new outbreaks of fraud.
• Monitor daily MIS to detect new patterns of fraud and to make sure all the
prevention tools available to the financial institution are in place and
being used effectively.

Area: Fraud Detection
Key Functions:
• Operate or use a system that alerts the unit to merchant activities that
have a high probability of being fraudulent.

Area: Fraud Investigation
Key Functions:
• When suspicious activity is detected, investigate and resolve the matter
in an efficient and timely manner.
• Review all disputed accounts and each transaction to determine
responsibility.

Organizational Placement

How a member organizes its Fraud Control Department, or similar in-house
function, depends on a variety of factors, such as the size of the member’s Visa
merchant program; its current organizational structure; and available physical,
human, and financial resources.
Wherever these functions are located, it is important that trained specialists
be dedicated to controlling fraud. Visa suggests the following options for
organizational placement of the fraud control function:
• Centralized Security Departments that exist in some medium-sized
institutions. This organization allows for more thorough investigation of
cases, as specialists with law enforcement experience are available to
investigate all types of fraud, including checks, deposit and card fraud. It is,
however, difficult to assign budget and performance goals as this unit may
not have responsibility for fraud loss budgets.

• The Merchant Division (in larger acquirer institutions). The Fraud Control
function may fall under the Risk Management Department. This is preferred,
as Risk Management will have budget responsibility for operations and
losses.
• A separate department in the Acquiring Center. This option establishes a
direct line of communication to the Center Manager. Control, responsibility,
and accountability are more clearly defined, which improves the
department’s ability to achieve desired results.
• A collateral function of the acquirer’s Credit or Collections Department.
When the amount and frequency of fraudulent activity do not justify full-time
personnel, members with smaller merchant programs frequently consolidate
fraud control with a related department, like credit or collections. In such cases,
staffing for the department must include individuals who have received special
training in fraud control and investigation. The risk to this type of organization is
that the managers of the department may not focus as many resources on the
fraud loss numbers.

Fraud Control Staff Skill/Knowledge Requirements

Preventing and promptly detecting fraud requires personnel who are
immediately available to execute their assigned responsibilities in all three
units. In smaller programs, the functions may be combined in fewer staff
members but all three functions must be performed continuously. The staff in a
Fraud Control Department generally consists of knowledgeable fraud prevention,
fraud detection, and fraud investigations personnel, along with support
personnel.
• Fraud prevention staff members should be able to:
– Monitor MIS data that reflects loss trends.
– Stay knowledgeable of Visa fraud control products and how to effectively
implement them.
– Interface with fraud-prevention units in other organizations to stay abreast
of current fraud schemes.
– Interface with their third-party service or processor to ensure they are
providing effective fraud-prevention services.
• Fraud detection staff usually consists of individuals with the ability to:
– Manage an in-house fraud detection system.
– Manage the effectiveness of the fraud detection system and operation.
This includes changing strategies, implementing rules, and ensuring the
24-hour operation is effectively staffed seven days a week.

• Fraud investigators are responsible for the following:
– Obtaining information concerning fraud activity on Visa cards by
contacting branches and other card issuers, working with law enforcement
agencies, and interviewing customers, merchants, and suspects.
– Examining sales drafts and video footage for clues to the identity of the
person using a fraudulent or invalid card and the areas where the card is
being used.
– Signing criminal complaints and making court appearances.
– Preparing reports concerning fraud activity for the Acquiring Center
Manager and other senior management.
– Preparing reports for law enforcement and prosecutors that outline the
fraud committed and present the necessary documentary evidence.
– Recruiting investigators and other Fraud Control personnel with previous
law enforcement or card security experience. Although desirable, previous
card security experience is not essential; however, fraud staff should have
the following basic qualifications:
- Knowledge of merchant operations, including clearing and
authorization procedures.
- Prior experience in the area they are employed in; otherwise they
should be made to undertake a training program.
- Analytical and decision-making abilities and good judgment.
- Proficiency with computers and their various applications, including
word processing, spreadsheet, and database programs.
- Effective oral and written communication skills.
• Fraud investigators require more specialized experience including:
– Knowledge of commercial law and the criminal code, including rules of
evidence, and police and court procedures.
– Investigation, interrogation, and evidence-gathering skills, including the
ability to follow leads.
– Analytical and decision-making abilities and good judgment.
– Proficiency with computers and their various applications, including word
processing, spreadsheet, and database programs.
– Effective oral and written communication skills.


Fraud Control Staffing Levels

Because the incidence of fraud fluctuates and is unpredictable, acquirers
should conduct a periodic review of staffing levels. Factors influencing
staffing requirements include the following:
• Size of merchant portfolios
• Number of disputed cases received and investigated
• Fraud loss experience and target goals
• Cardholder and merchant sales volume
• Volume and character of card fraud criminal activity in the member’s prime
marketing areas
• Effectiveness of cardholder and merchant education programs
• Effectiveness and cooperation of police and postal authorities
• Effectiveness and cooperation with other payment card issuers
• Quality and performance of the fraud staff
• Card distribution procedures
• Statutory criminal legislation and penalties relating to card fraud
• Cooperation of other Acquiring Centers
• Internet operation and how to investigate Internet fraud

Fraud Control Staff Training

Fraud personnel must be trained in the following skills and areas of expertise:
• Bankcard center’s organizational structure, its policies, and operation
• Fraud abatement tools and their use
• Investigative techniques and procedures
• Cardholder and merchant education techniques to prevent fraud
• Visa International Operating Regulations, as well as applicable regional versions
of the regulations
• Data processing and analysis
• Card distribution procedures
• Liaison for, or communicating with, other bankcard centers and with Visa
regional fraud control contacts
• Liaison for, or communicating with, criminal justice system personnel
• Criminal statutes relating to card fraud
• Member’s prosecution policy
• Physical security of the bankcard center and related facilities. This may or
may not be a fraud department responsibility
• Use of the Visa Interchange Directory (VID)
• Visa authorization and settlement system
Continued training and education in fraud prevention and investigative
techniques must enhance the effectiveness of your Fraud Control staff.


Acquirer Fraud Control and Security Function Performance Review

Administrative Action

Management should use annual personnel reviews to evaluate the effectiveness
of the fraud control and security functions. Periodic evaluations should also
be considered to complement annual performance reviews by providing Fraud
Control personnel with constructive suggestions for improving their
performance.
A managerial review should include a thorough check of selected fraud
investigation files as part of the annual personnel performance evaluations.
Specific criteria to be evaluated should include, but not be limited to the
following:
• A comparison between net annual fraud losses and statistics on local,
regional, and national fraud loss
• Case documentation including investigation, interviews, other contacts, and
physical evidence
• Periodic reviews of investigators’ initiative, ingenuity, and effort on assigned
cases
• Timeliness of the investigator’s response
• Selection of fraud abatement procedures
• Thoroughness of the investigation
• A review of the time required to stop fraudulent activity after detection or
notification
• Investigation outcome, including the amount of restitution obtained, and the
results of prosecution
• Ability to effectively respond to and mitigate fraud in relation to incidents of
data compromise


Tracking Organization and Fraud Loss Performance

Management Information and Key Performance Indicators

Acquirers need ongoing information to run a profitable merchant program.
Key performance indicators can help management pinpoint early warnings of
possible risk exposure. With a well-thought-out Management Information
System (MIS) approach, acquirers can track the organization’s overall business
performance and merchant fraud prevention effectiveness.

Importance of Proper Control

To properly control the acquiring business and identify the early warning
issues of fraud losses, poor profitability or interchange margins, management
needs information to track and measure key performance indicators.
Communication between the Acquiring Center functional areas, as well as to
senior management, is absolutely fundamental in running a profitable acquiring
business because it allows managers to:
• Make informed decisions,
• Focus on the risk issues that affect the whole acquiring business, and
• Commit to necessary resources to address issues.

Tracking Performance

To track overall business performance, acquirers need to:
• Produce key operational indicators on a regular basis showing data such as:
– Exposure to high-risk merchants and industries,
– Number of merchant leads by source,
– Merchant service charge income,
– Terminal income,
– Interchange expenditure,
– Number of merchant exceptions,
– Profit or loss by merchant sector,
– Specific provisions raised against merchant losses,
– New fraud cases,
– Number of terminations, and
– Merchant attrition rate by reason.
• Use chargeback reporting as a leading indicator for fraud control and
investigations activity.
• Incorporate this information in their merchant acquisition strategy (e.g.
consider chargeback rate and investigations caseload by merchant categories
to determine low- and high-risk merchant categories).
• Use this information to help set policies regarding marketing and
authorizations.


Fundamental Risk Reports

Keeping in mind that there is no limit as to how acquirer performance data can
be sorted and reported, management should, at minimum, receive the following
“fundamental” risk reports on a monthly basis.

Reports: Key Operational and Leading Indicators
Data Elements:
• Request-for-copy transactions by merchant type
• Request-for-copy transactions by merchant
• Chargeback volume by merchant type
• Chargeback volume by merchant
• Fraud-related chargebacks by merchant
– Alteration of amount
– Declined authorization
– Fraudulent multiple transactions
– Magnetic-stripe counterfeit
– Missing imprint
– Non-matching account number
– Risk Identification Service (RIS)*
– Split sale
– Canada Domestic Merchant Fraud Performance Program (DMFPP)**
– Unauthorized signature
• Consumer-disputed chargebacks by merchant
– Defective merchandise
– Not as described
– Services not rendered

Reports: Acquired Risk
Data Elements:
• Fraud-to-sales rate by merchant type
• Fraud-to-sales rate by merchant
• Fraud by type, e.g., card not received, counterfeit
• Fraud above versus below floor limit
• Investigations by merchant type
• Investigations by merchant
• Development of trend analysis on acquired fraud data to manage
point-of-sale fraud

Reports: Merchant Inactivity
Data Elements:
• Merchants inactive for three months or more

*Available in the U.S. only.
**Available in Canada only.

Merchant Floor Limits

Acquirers need to use the effective assignment and enforcement of floor limits
to identify and monitor fraud-prone merchants or those in areas with high
fraud rates. For example, merchants identified as high fraud risks can be
assigned zero floor limits, which require them to request an authorization for
every transaction. In cases where a perpetrator routinely charges fraudulent
transactions for an amount just below a specific merchant’s floor limit,
temporarily lowering the limit may enable the member to identify and
apprehend the suspect.
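
The Acquired Risk and Merchant Inactivity reports and the floor-limit note in this section, worked as an added example that is not part of the Visa manual: it computes fraud-to-sales rate by merchant, fraud above versus below floor limit, a flag for fraud clustered just under a merchant's floor limit, and three-month inactivity. The merchant IDs, transactions, the 10% "just below" band and the minimum count of three are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (not from the manual); amounts share one currency.
FLOOR_LIMITS = {"M001": 100.00, "M002": 50.00, "M003": 75.00}

# (merchant_id, transaction date, amount, confirmed_fraud)
TRANSACTIONS = [
    ("M001", date(2010, 9, 2), 95.00, True),
    ("M001", date(2010, 9, 3), 98.50, True),
    ("M001", date(2010, 9, 5), 97.00, True),
    ("M001", date(2010, 9, 6), 240.00, False),
    ("M001", date(2010, 9, 7), 30.00, False),
    ("M001", date(2010, 9, 8), 439.50, False),
    ("M002", date(2010, 9, 1), 20.00, False),
    ("M002", date(2010, 9, 4), 180.00, True),
    ("M002", date(2010, 9, 9), 800.00, False),
    ("M003", date(2010, 5, 14), 60.00, False),
]

NEAR_FLOOR_BAND = 0.10    # assumption: "just below" = within 10% under the limit
NEAR_FLOOR_MIN_COUNT = 3  # assumption: fraud items needed before flagging
INACTIVE_MONTHS = 3       # from the manual: inactive for three months or more


def whole_months_between(earlier, later):
    """Number of complete calendar months from earlier to later."""
    months = (later.year - earlier.year) * 12 + (later.month - earlier.month)
    return months - 1 if later.day < earlier.day else months


def build_risk_report(transactions, floor_limits, as_of):
    """Return per-merchant figures for the monthly risk report."""
    stats = defaultdict(lambda: {"sales": 0.0, "fraud": 0.0, "above": 0,
                                 "below": 0, "near_floor": 0, "last": None})
    for merchant in floor_limits:
        _ = stats[merchant]  # merchants with no transactions still get a row

    for merchant, day, amount, is_fraud in transactions:
        s = stats[merchant]
        s["sales"] += amount
        if s["last"] is None or day > s["last"]:
            s["last"] = day
        if not is_fraud:
            continue
        s["fraud"] += amount
        # A merchant without an assigned limit is treated as zero floor limit,
        # so every transaction counts as above the limit (authorization needed).
        floor = floor_limits.get(merchant, 0.0)
        if amount > floor:
            s["above"] += 1
        else:
            s["below"] += 1
            if amount >= floor * (1 - NEAR_FLOOR_BAND):
                s["near_floor"] += 1

    report = {}
    for merchant, s in stats.items():
        inactive = (s["last"] is None or
                    whole_months_between(s["last"], as_of) >= INACTIVE_MONTHS)
        report[merchant] = {
            "fraud_to_sales": s["fraud"] / s["sales"] if s["sales"] else 0.0,
            "fraud_above_floor": s["above"],
            "fraud_below_floor": s["below"],
            # Candidate for a temporarily lowered floor limit.
            "near_floor_cluster": s["near_floor"] >= NEAR_FLOOR_MIN_COUNT,
            "inactive": inactive,
        }
    return report


if __name__ == "__main__":
    for merchant, row in sorted(
            build_risk_report(TRANSACTIONS, FLOOR_LIMITS, date(2010, 9, 30)).items()):
        print(merchant, row)
```

Fraud below the floor limit never reached authorization, so a merchant whose fraud sits almost entirely in that bucket is the case the floor-limit note describes.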


Fraud Control Relations with the Criminal Justice System

An acquirer’s Fraud Control Department is responsible for maintaining good
working relationships with criminal justice system personnel who have
jurisdiction over fraudulent card investigations and prosecutions. In
particular, the Fraud Control Department must develop effective lines of
communication with local police or appropriate law enforcement agencies at
other levels, as well as prosecuting attorneys and judges.

Areas of Cooperation

Specific areas of cooperation between the Fraud Control staff and law
enforcement personnel include, but are not limited to, the following:
• Fraud investigation and prosecution — Investigations conducted by the Fraud
Control Department can yield evidence, and other information, that may be
essential to apprehending and prosecuting criminal suspects. Fraud Control
staff members can also serve as expert witnesses in these plastic card fraud
cases.
• Communication and training seminars on payment card fraud — These
provide another avenue for fostering better relations between the Fraud
Control staff and law enforcement personnel. Acquiring members may
want to sponsor their own seminars or participate in training sessions
for law enforcement or criminal justice personnel. Member-sponsored
training programs should be developed at several levels; that is, for new and
experienced law enforcement personnel.


Fraud Forums and Member Bank Participation

Inter-Bank Cooperation

Visa strongly recommends that both its acquiring and issuing members establish
a fraud forum in their respective markets. These groups are extremely effective
in helping members increase the level of inter-bank cooperation in their
marketplace. In addition, fraud forums enable members to deal with the increasing
range of complex risk and fraud concerns that face both issuing and acquiring
institutions in the region.
Key objectives of fraud forums are stated below:
• Develop counter-measures to deal with fraud and criminal activity.
• Formulate cohesive and effective fraud and risk management strategies.
• Develop a “market” position for fraud/risk matters affecting the fraud forum
membership.

Key Principles

In order for a fraud forum to operate effectively, each participating member bank
must agree to adhere to the key principles of the fraud forum. These include the
following:
• Communication and cooperation,
• Endorsement and support from Senior Management,
• Agreed upon objectives that have been fully implemented,
• Appropriate representation,
• Defined priorities, resources, and targets,
• Set deliverables, and
• Regularly held meetings.
In addition, all members should contribute and sign an agreement to a fraud
constitution.

For more information regarding the establishment of a fraud forum in your market,
please contact your Visa Regional Risk Manager.


Third-Party Agent Relationship Management

The Situation Today

As acquirers become increasingly focused on strategic planning, competitive market
positioning, pricing, and payment processing technologies, they are putting more
emphasis on credit and fraud controls. In addition, some are making use of
Third-Party Agents for a range of services, including account solicitation,
transaction processing and customer support.

Under the Visa International Operating Regulations, acquirers are responsible for
ensuring that Third-Party Agents abide by specific operating rules.

For acquiring member banks, this may result in new opportunities for increased
profitability. It also, however, adds another level of exposure to fraud. Close
monitoring of third parties and their bankcard-related activities is essential to
ensure that the security of the cardholder information they process is properly
protected throughout the life cycle.

Ensuring Proper Agent Control

Visa members that make use of Third-Party Agents are required to closely monitor
these groups and their payment-related activities to minimize fraud exposure
and protect cardholder information.

For further details on Third-Party Agent requirements and risk management standards,
refer to Chapter 13: Working with Third-Party Agents in this manual.

For details regarding the agent registration requirements, refer to the
Visa Third-Party Agent Due Diligence Risk Standards.

To build and maintain proper agent control, Visa members must:
• Ensure that all Third-Party Agents are registered with Visa as outlined in the
Visa International Operating Regulations, and that they are compliant with the
Payment Card Industry (PCI) Data Security Standard and Payment Card Industry
(PCI) PIN Security Requirements (as applicable).
• Provide Third-Party Agents only with data that is necessary. This may include
sales volume for the Third-Party Agent portfolio, but would not include card
account numbers or other sensitive information.
• Comply with established Visa Third-Party Agent Due Diligence Risk Standards
during the agent registration process and throughout the life of the relationship.
• Execute a written contract with each third party that performs cardholder or
merchant solicitations and/or stores, processes, or transmits cardholder
or transaction data on behalf of the member. If the Third-Party Agent
is contracted by the member’s merchant, the member must conduct
appropriate due diligence to ensure compliance with Visa Third-Party Agent
Due Diligence Risk Standards, PCI DSS requirements, and Visa International
Operating Regulations.


• Develop policies and procedures that ensure appropriate controls are in
place to adequately monitor the Third-Party Agent relationship and protect
the payment system.
• Conduct periodic reviews of Third-Party Agent activities and perform on-site
inspections of Third-Party Agent business locations.

The Visa Third-Party Agent Due Diligence Risk Standards represent the minimum steps
members need to follow when evaluating new and existing agent relationships. Members
with ongoing agent relationships must conduct the Visa Third-Party Agent Due Diligence
Risk Standards reviews annually. These risk standards apply to all issuing and acquiring
agent relationships.
The Visa Third-Party Agent Due Diligence Risk Standards is available through your
Online regional site.

Who Does What


Third-Party Agents can be an effective resource for members to use when
managing their acquiring and issuing programs. As defined by the Visa
International By-Laws and Operating Regulations, an “agent” is an entity that acts as
a VisaNet Processor (VNP), Third-Party (TP), or both.
A VNP:
• Is a member, or a Visa-approved non-member that is directly connected
to VisaNet, and provides authorization, clearing, or settlement services for
merchants and/or members.
• Serves as a designated agent (not a Third-Party Agent).

A TP:
• Is an entity that is not defined as a VNP, but instead provides payment
related services, directly or indirectly, to a member and/or stores, processes,
or transmits cardholder data.
• Must be registered by all Visa members that are utilizing their services,
directly or indirectly.
It is important to note that Agent Banks are not considered Third-Party Agents.
An Acquiring Associate Member per Visa’s By-Laws cover what an Agent Bank can
and cannot do. As the Agent Bank’s sponsor, it is up to the acquirer to determine
how much an Agent Bank should be allowed to do based on the risk the acquirer
is ready to accept.
The chart on the next page categorizes and describes Third-Party Agents that
provide services requiring registration.


Agent Category: Independent Sales Organizations (ISOs) have a direct relationship
with issuing and/or acquiring members.
Functional Description:
• ISO Merchant—conducts merchant solicitation, sales, customer service, merchant
transaction solicitation or merchant training activities.
• ISO Cardholder—conducts cardholder solicitation, card application processing
services and/or customer service activities.
• ISO ATM—acts on behalf of a member to deploy and/or service and/or maintain
qualified ATMs. May also act on behalf of a member for merchant solicitation
sales or service of Interlink capable POS terminals.
• ISO Prepaid—solicits other entities (i.e., merchant, corporate members,
government entities, other businesses etc.) to sell, activate, or load prepaid
cards on behalf of an issuer. Prepaid card sales and/or activation is a primary
function of their business.

Agent Category: Encryption and Support Organizations (ESOs) perform cryptographic
key management services to support member’s ATM programs or to deploy
point-of-sale PIN Entry Devices (POS PEDs) or PIN pads. Additionally, some
members outsource various cryptographic key management responsibilities to ATM
and PIN pad manufacturers to improve the efficiency of their Visa programs.
These entities would also be considered as ESOs in this capacity.
Functional Description:
• ESO—maintains a business relationship with a Plus member that includes loading
or injecting encryption keys into ATMs or loading software into an ATM which
will accept Plus cards. ESOs may also maintain a business relationship with an
Interlink member that includes loading software into a terminal that accepts
cards, loading or injecting encryption keys into terminals or PIN pads,
performing merchant help desk support that includes re-programming of
terminal software.

Agent Category: Merchant Servicers (MSs) store, process, or transmit Visa account
numbers on behalf of the member’s merchants. The MS has a contract with the
member’s merchant, not with the member. The MS category closes the transaction
loop between the merchant and the member’s processor.
Functional Description:
• An MS stores, processes, or transmits Visa account numbers on behalf of a
member’s merchants. Function examples include providing such merchant services
as online shopping carts, gateways, hosting facilities, data storage,
authorization and/or clearing and settlement messages.


Agent Category: Third-Party Servicers (TPSs) store, process, or transmit Visa
account numbers. The TPS has a direct relationship with issuing and/or acquiring
members.
Functional Description:
• TPS—stores, processes, or transmits Visa account numbers. Function examples
include providing such services as transaction or back-office related functions,
payment transaction processing (authorization message, clearing message, batch
transmissions and data capture), chargeback/exception item processing,
fraud control, cardholder accounting, statement processing, remittance
processing, data warehousing/capture, customer service, risk reporting/service,
and loyalty programs.
• TPS PIN—stores, processes, or transmits Visa PIN transactions on behalf of a
member.

Agent Category: Internet Payment Service Providers (IPSPs) enter into a contract
with acquirers to provide payment services to sponsored merchants.
Functional Description:
• An IPSP accepts Visa transactions on behalf of a sponsored merchant classified
with any Merchant Category Code (MCC), except MCC 5967.
• A High-Risk Internet Payment Service Provider (HRIPSP) is an IPSP that enters
into a contract with an acquirer to provide payment services to sponsored
merchants and signs one or more sponsored merchants required to be classified
with MCC 5967 (Direct Marketing—Inbound Teleservice Merchant) in its
sponsored merchant portfolio.

Chapter 3 Merchant Underwriting

By signing a merchant, an acquirer is agreeing to underwrite that merchant’s
credit and/or debit card transactions. In other words, the acquirer is granting an
unsecured, unlimited line of credit to the business and its owners. Thus, the task
of determining whether or not the merchant is a good risk—primarily through the
application review and approval process—is crucial.
This chapter contains requirements and best practices for defining portfolio
development policies, conducting a merchant application review, inspecting
merchant locations, and making final application approval or decline decisions. It
walks through the actions needed to conduct a thorough, efficient evaluation of
all merchants before an agreement is signed.

What’s Covered
• Portfolio Development
• Visa Transactions and the Law
• Making the Most of Your Merchant Application
• Merchant Site Inspections
• Merchant Website Requirements
• Merchant Approvals


Portfolio Development

Critical Issues that Affect Portfolio Profitability

Effective underwriting begins with carefully defined portfolio development
policies that specify the markets, merchant categories, and levels of risk an
acquirer is, and is not, willing to accept when approving new accounts. An
acquirer policy should also spell out minimum financial and credit requirements
for new merchants, as well as the level of management approval that will be
needed for specific kinds of businesses.
When establishing or reviewing portfolio development policies, acquirers should
take into account a range of critical issues that may affect portfolio profitability.
These include the following:
• Current portfolio size and sales volumes
• Geographic location relative to the acquirer’s location
• Short- and long-term financial goals
• Level of risk an acquirer is willing to accept in their portfolio
• Human and systems resources

Merchant Diversification

Merchant diversification helps acquiring institutions build portfolios that are
more profitable by ensuring a sufficient percentage of card-present merchants
to balance out the higher risks often associated with card-absent merchants.
Acquirers are free to determine the specific types of companies they wish
to sign; however, Visa strongly recommends that a new acquirer portfolio does
not contain any card-absent merchants for at least the first six months.

Acquirers that use Third-Party Agents for account solicitation are also responsible
for ensuring that these entities comply with all member and merchant underwriting
requirements. However rigorous or trustworthy an agent’s investigation, final review
of merchant applications and the decision to approve or decline a new account
must be made by acquirers themselves.

Understanding Underwriting Risks

Underwriting policies for specific markets or categories of merchants depend on
the level of risk they represent to an acquirer. In general, there are
two kinds of risk exposure:
• Fraud risk is usually associated with certain kinds of merchandise and/or the
nature of the business activity of the merchant. Merchants are often
considered a high risk for fraud losses because of the type of merchandise they
offer. Such merchants can include travel agents, jewelry stores, and computer
outlets. Other merchants with higher risk business activity include
telemarketing businesses, escort services, catalog sales, massage parlors,
audio-text and videotext businesses, door-to-door sales organizations, and
businesses that sell goods at flea markets, swap meets, and street markets.


A list of high-risk merchants should be communicated within the acquirer’s sales
plan as a guide to help sales staff to avoid high-risk merchants or recommend
further evaluation before signing.

Core fraud risks include the following:
– Future Services. This is a payment made now for something to be delivered in
the future. These services can include deposits, often made for holidays or
possibly for furniture, or full payments for such things as airline tickets,
theatre reservations or sporting events. If the final goods or services are not
provided, then full chargeback rights are available to the issuer.
– Ongoing services. Similar in effect to a
“guarantee,” these transactions are usually in payment of a service which
continues for a significant period of time. Examples would include golf or
health club memberships and even a timeshare—where risk can continue
for a large number of years.
– Guarantees. By providing a guarantee, the merchant can advise that
goods purchased today will still work for weeks, months, or years into the
future. A guarantee can radically increase the merchant/acquirer liability,
depending on how it is presented in the contract.
– Card-absent transactions. Currently, the most obvious high-risk transaction
is one that occurs in the card-absent environment, where in return for a
merchant being allowed to transact by mail, phone or Internet, chargebacks
generally exist for all transactions where fraud occurs or when goods and
services are not delivered. Both these risks are significant because card-
absent merchants may be targeted by fraudsters, if they are not taking
action to mitigate their risks. Also, in the event that the card-absent
merchant fails, there is a high probability that any orders taken by the failed
merchant within the last month will not have been fulfilled.
– Chip compliance and liability shift. As of January 2006, there was a
liability shift relating to non-chip based transactions. The liability for fraud
transactions transfers to the issuer or acquirer, as appropriate, if they do
not support chip cards and if the use of chip would have prevented the
loss. ATM transactions will be included as part of the liability shift as of
1 July 2008.
• Business failure risk is determined by looking at the merchant’s sales volume
and the time frame for the delivery of goods or services. The greater the sales
volume and the longer the time between credit transactions and product/
service delivery, the greater the risk. For example, when a local restaurant
closes its doors, an acquirer will have minimal exposure to chargebacks
for undelivered goods and services. On the other hand, exposure could be
considerable for an airline or travel agent, where business failure could leave
an acquirer liable for millions of dollars in prepaid ticket sales. This type
of risk can be the greatest area of loss to the acquirer. When it comes to
business failure risk, acquirers should also pay particular attention to the issue
of prepayment, especially in situations where prepayment options are not
obvious at first glance (e.g., insurance, goods with service contracts attached,
low-value phone cards, sporting event tickets, etc.).


Visa Transactions and the Law

By submitting transactions into interchange, an acquirer warrants that no
applicable laws have been violated. Visa urges that acquirers understand the
following:
• Lottery ticket sales. Acquirers must adhere to country, state, and/or local
laws prohibiting the sale of lottery tickets by mail, telephone, or the Internet.
• Internet gambling. The issue of gambling over the Internet is not clear in
some markets. However, acquirers are advised that complaints from Visa
members, cardholders, and law enforcement about this type of activity are
increasing, especially from USA-based cardholders where Internet gambling
is deemed to be illegal.
• Child pornography. Acquirers must ensure that Visa payment products are
not accepted for purchase or trade in child pornography or other prohibited
content by any merchant. Any violations of this provision should be reported
to Visa for proper investigation. Audits are routinely conducted to ensure
acquirers are in complete compliance. Acquirers found in violation of
this provision may be penalized in accordance with the Visa International
Operating Regulations.
• Age-restricted products. Acquirers that sign merchants who sell
age-restricted products should take extra precautions to ensure that these
merchants comply with applicable laws. Because the issuance of Visa cards
is not restricted to individuals above 18 years of age, merchants may not rely
on possession of Visa cards or submission of Visa account information to
verify cardholder age. Acquirers must carefully check the sales practices of
their merchants and regularly review merchants that sell the following
age-restricted products:
– Alcoholic beverages
– Tobacco products
– Adult content materials
– Gaming transactions
– Weapons
• Internet pharmacies involved in the illegal sale of prescription drugs.
Online pharmacies that fill and distribute drugs without requiring a written
authorization from the customer’s physician are operating outside of
traditional state and federal laws and regulations. Before signing any online
pharmacy merchant, an acquirer must ensure that the pharmacy is properly
licensed, industry-certified, and meets all applicable state and federal laws
and regulations.


Making the Most of Your Merchant Application

The Merchant Application—An Essential Tool

The best way for acquirers to control fraud-related losses and the possibility of
merchant business failure is to thoroughly evaluate prospective merchant
business.

Before entering into a formal relationship with a prospective merchant, an
acquirer must verify the merchant’s credit qualifications and assess its
potential risk for fraud, excessive chargebacks, or business failure. In addition,
all high-risk merchants must be registered according to Visa International
Operating Regulations.

The merchant application is an essential tool that can
be used to obtain detailed information about all aspects of a merchant’s business.
In fact, it is probably the most extensive contact that an acquirer has with a
merchant member and is the best opportunity to obtain pertinent information.

Under the Visa International Operating Regulations, all acquirers must evaluate a
potential merchant’s financial condition. A list of high-risk merchants should be
communicated within the acquirer’s sales plan as a guide to help sales staff
avoid high-risk merchants or recommend further evaluation before signing.

Certain merchant types are considered high risk and are known to generate higher
levels of chargebacks and credits. The following three merchant types must
be registered with Visa before a member can accept and/or process any transaction.
• Direct Marketing of Travel Related Services (MCC 5962)
• Inbound Telemarketing (MCC 5966)
• Outbound Telemarketing (MCC 5967)

Merchant Application Best Practices

As part of the initial merchant review, the merchant application should gather all
relevant information on the business background, the merchant’s business
model and its operations, the merchant location, and principals who are running
the business. To obtain these details, ensure your merchant application form
requests the following:

Merchant Business Background
• Merchant history. Obtain the merchant’s authorization to research its
background, including credit, banking, financial history, and how long the
merchant has been in business. New businesses frequently fail within the first
few years of operation. If the business is a “start-up,” require a
business plan.
• Doing-Business-As (DBA) or trade name. Compare the merchant’s
“doing-business-as” name to its legal name. Some merchants may conduct
their daily business activities under one name and
apply for legal registration under a different name.
If the names are different, it is important to know both names.


• Legal form of business. Inquire about the legal form of the merchant’s business.
For example, is the merchant a corporation, partnership, or sole
proprietorship?
• Business license, registration numbers. Obtain and verify the merchant’s
business license number or any other license or registration numbers that
may be required to own and/or operate a business. Perform a search with the
appropriate business bureaus to verify that the merchant owns or
operates a legitimate business. Also look at any Value Added Tax (VAT)
registration numbers, if applicable.
• Credit history. Ask whether the merchant or its principals have previously
filed for bankruptcy, or have been registered as having any other credit
difficulties now or in the past. If so, find out when. This may provide a good
indication of the financial stability of the merchant.
• Prior merchant agreement. Ask if the merchant and/or any other principals
involved have a prior merchant relationship with acquiring banks. If yes,
request credit and/or debit card statements for several months’ activity. If
another acquirer previously terminated the merchant, note the reason for
termination on the merchant’s application. If available, check any
industry-wide services such as Enforcement Management and Account System
(EMAS) or Terminated Merchant File (TMF).
• Other businesses. Ask the merchant to supply information for any other
businesses it, or the principals, currently owns or operates, has owned in
the past, or is involved in as a director.
• Business references. Ask the merchant for other business references that
can support its financial responsibility. For example, invoices or billing
statements from suppliers and customers can provide evidence of the
merchant’s ability to meet financial payments. Also use any local credit
agencies for information on the business or principals.

The extent and frequency to which an acquirer conducts its periodic reviews of a
merchant’s financial condition and business operation depends on the acquirer’s
initial assessment of the risks associated with the merchant’s business.
For further information about periodic merchant reviews, refer to Chapter 8:
Merchant Activity Monitoring in this manual.

Merchant Business Operations


Under the Visa International Operating Regulations, all acquirers must evaluate a
potential merchant’s financial condition.

• Operating statistics. Ask the merchant for the following operating statistics
to gain knowledge of the merchant’s expected business revenue:
– Projected total sales volume per year
– Projected credit and debit volume per year
– Actual chargeback volume (if existing merchant)
– Percentage of sales by mail order, telephone order, or Internet
– Period between the purchase and actual delivery of goods


– Guarantees and ongoing services (copies of consumer contracts may be
required)
– If any guarantees or extended warranties are purchased from a third-party,
it is essential that the merchant purchases them immediately and can
show evidence of doing so.
• Cards honored. Determine what other (if any) bank or travel and
entertainment cards the merchant honors and the name of the acquiring
institution(s).
• Billing terms. Ask the merchant for its billing terms, if not immediate. For
example, does the merchant allow its customers to pay for purchases in
monthly installments?
• Credit and return policies. Ask the merchant for details of its credit, refund,
and return policy procedures to ensure the merchant is properly handling
exchanges and credits. It is important for the acquirer to obtain a copy of the
merchant’s standard contract.
• Inventory. Determine whether the merchant owns or finances its inventory.
• Contracts. Determine if the merchant has any significant contractual
relationships, such as a manufacturer’s agent or exclusive supplier that may
impact the merchant’s ability to meet its financial or operational obligations
if a contract is canceled.

Merchant Business Location


• Type of location. Determine the type of location of the merchant, such as
storefront, indoor shopping mall, or office. Is the merchant location suitable
for the type of merchant? Is the merchant location in a geographic area that
has demonstrated excessive levels of fraudulent activity?
• Own/lease. Ask whether the merchant owns or leases the location. If the
merchant owns the location, ask the merchant for the name and address
of the mortgage holder, if any. If the merchant leases the location, ask the
merchant for the name and address of the landlord.
• Time at location. Ask the merchant how long the business has operated at
the present location.

Merchant Principal(s) Information


• Principal name, address, identification number. Ask the merchant for the
name, address, Social Security Number or similar identification number, and
telephone number of each principal involved in the business.
• Ownership information. Obtain the percentage of ownership held by
each principal. Also find out how long each of the current principals have
owned the business. Consider getting a guarantee from the officers of the
corporation.
• Percentage of time. Ask the merchant for the percentage of time spent at
the business by each principal.


Special Application Considerations for Card-Absent Merchants

Merchants whose business involves card-absent sales, mail order/telephone order
(MO/TO), and Internet businesses can present special risks for acquirers.
If a cardholder denies ordering or receiving the merchandise and the chargeback
amount cannot be covered by the merchant’s account, an acquirer could
end up liable for the losses.

Visa International Operating Regulations outline the criteria for determining a
remote card-absent merchant outlet.

Card-Absent Merchant Application Best Practices

When investigating and signing card-absent businesses, take these measures to
reduce exposure:
• Ask for additional application information. This includes detailed business
plans, samples of merchandise, and copies of all relevant marketing materials,
including catalogs, brochures, telemarketing scripts, and print and broadcast
advertisements.
• Carefully evaluate application information to determine potential risk for chargebacks.
• Beware of any merchant selling services, or a product with a low manufacturing cost, but a high
price. A thorough review is also recommended for any merchant using selling methods associated
with high-chargeback rates—specifically, sales pitches involving gifts, cash prizes, sweepstakes,
installment payments, multi-level marketing, telemarketing and up-selling.
• Ensure that all business principals undergo a thorough background check.
Personal credit reports should be scrutinized, and addresses verified. If
appropriate, a criminal background check should also be performed.

Acquirers must conduct a physical site inspection of all new merchant and card-absent
merchant locations to obtain a detailed description of the business.

For Internet Merchants:


• Require a separate application for all merchants establishing an
e-commerce presence. Whether the applicant is an existing merchant that
wants to add a website, or a new merchant that wants to join the program,
use a separate application or addendum for e-commerce services. For
example, this practice can help facilitate the special risk assessment actions
related to card-absent volume. It can also allow for merchant business name
and site content verification, as well as ensure that the correct business
name is displayed on cardholder statements. In addition, a separate
application form provides an easier way to track and report e-commerce
application volume. Transactions can be flagged and tracked by acceptance
mode.

• Collect and verify additional application data and financial documents for
Internet merchants. Risk exposure can be lowered by taking a few extra
steps during the application process to obtain additional information from
questionable merchants. Required data might include:
– Uniform Resource Locator (URL), also known as the website address
(e.g., www.merchant.com) and Internet Protocol (IP) server address for the
merchant website. By collecting this information, an acquirer is able to
review the actual website and confirm that the merchant is actually
conducting the business as described on its application.
– Contact details for the website hosting service. This information can be used
to contact the hosting service and verify that the merchant maintains a
legitimate business.
– E-mail addresses and phone numbers for merchant customer service.
Acquirers can verify that a merchant’s e-mail address is valid by sending
a message to that address. An alert should be triggered if the message
is returned as “undeliverable” or “bounced.” In addition, the acquirer
should check the quality and timeliness of the merchant’s customer service
responses, as responsive service decreases customer disputes and chargebacks.
– Descriptions of any links on the merchant’s website to other sites, whether
or not the merchant is affiliated with them. A flag should be raised if the
linkages do not make sense or represent merchant types that you do not sign.

A sample merchant application has been included in Appendix A of this manual.

U.S. Only — The Visa Advanced ID Solutions, Issuers’ Clearinghouse Service (ICS)
supplements other risk management tools available to members such as credit bureau
reports and scoring systems. ICS is a centralized national database designed to reduce
issuers’ losses due to fraudulent applications, and other credit abuse such as bankruptcy
filings.
ICS can also be used by acquirers to help qualify sole proprietorship or partnership
merchants where a consumer Social Security number is used for underwriting.

Merchant Site Inspections

The Visa International Operating Regulations contain specific provisions for
conducting merchant site inspections of a prospective merchant’s physical
location to verify first-hand the legitimacy of the business and its ability to
generate projected sales volumes. A thorough site inspection can also give
acquirers a chance to see if there is anything suspicious about a merchant or its
operation.

Merchant Site Inspection Best Practices

• Always conduct the site inspection during normal business hours.
• Ensure that your site inspection covers all relevant aspects of a merchant’s
business operations. Key considerations include:
– Location. Is the merchant’s location consistent with its business plan and
projected sales volume? For example, if a retail outlet depends mostly on
walk-in business, is it located in an area with good foot traffic?
– Premises and physical layout. Are the merchant’s signage and sales
fixtures consistent with an established legitimate business?
– Business documentation. Does the merchant have all necessary licenses,
permits, and other legal documents related to the business?
– Inventory. Does the quality and quantity of current inventory support
projected figures for average ticket prices and sales volume?
– Employees. Are staffing levels sufficient to support projected sales? Do
employees seem knowledgeable about the merchant’s goods and services
and customer service policies?
– Return policy. Does the merchant have a return policy? Is it clearly
disclosed on the cardholder’s transaction receipt and in close proximity to
the cardholder’s signature?
– Data security. Are transaction records or other confidential customer
information kept on the premises; and if so, are they stored in a secure
area? Is access to this information limited to authorized personnel? What
steps have been taken to ensure the security of computer and phone
lines, and electronic customer data? How long is confidential customer
information retained?
• If possible, take a photograph of the interior and exterior of the business
during the site inspection. File the photograph with the merchant
application and agreement upon completion of the application approval
process.

Card-Absent Merchant Site Inspection Best Practices

• Make sure that site inspections of card-absent merchants include
warehouse, as well as office facilities.
• Carefully review shipping, billing, and return policies. Ensure that no
customer is billed before merchandise is shipped.
• “Shop” prospective merchants by having one of your own employees place
and then return an order.
• If shipment and delivery are handled by a fulfillment house or other Third-
Party Agent, request complete information on this firm and perform a site
inspection.
• Ensure that all new card-absent merchant investigations are well
documented and on file at the acquirer’s place of business. Complete
records should be kept on file a minimum of two years following the
termination of the company’s merchant agreement.

A sample Site Inspection Form is contained in Appendix A of this manual.

Signs of Suspicious Activity

Experience has shown that merchant facilities can be set up for the express
purpose of laundering sales transaction receipts or key-entered transactions
where there is no intent to supply goods to customers. In these situations,
the merchant facility is purely a front to import illegal transactions into the
acquirer’s processing and generate fraudulent credits.
During a site inspection, suspicions may be aroused when the:
• Merchant claims to have been trading for some time, but there is little or no
stock to be sold. This could indicate financial difficulties or potential fraud.
• Trading address is determined to be a private residence rather than being
in a recognized business area. This could indicate that the business is of ill
repute or lacks financial substance.
• Principals appear to lack a clear understanding of the business.

Merchant Website Requirements

Acquirers should establish minimum Internet merchant site content
requirements for Visa card payments. This can help ensure a satisfactory
shopping experience for consumers, as well as minimize cardholder copy
requests, disputes, and chargebacks.
• Website content must include:
– Complete description of goods or services. For example, if selling
electrical goods, the merchant must state voltage requirements, which
vary around the world.
– Customer service contact information, including e-mail address or
telephone number. Since communication with a merchant is not always
possible using the merchant website, merchants must display a customer
service contact telephone number or e-mail address.
– Return, refund, and cancellation policy. This policy must be clearly
posted to inform cardholders of their rights and responsibilities (e.g., if the
merchant has a limited or no refund policy, this must be clearly disclosed
to cardholder on the merchant’s website before the purchase decision is
made to prevent misunderstandings and disputes).
– Delivery policy. Not all merchants are able to support the delivery of goods worldwide and
may instead restrict sales to within their own country or to a limited number of countries,
based on delivery experience or import and export regulations. Because merchants may
sustain a loss when shipped goods fail to arrive, they are entitled to establish their own policies
regarding the delivery of goods. However, when a merchant does have restrictions or other
special conditions in place, those special conditions must be clearly stated on its website.
– Transaction currency or currencies. Since the Internet merchant’s customer base is worldwide,
it is important that the cardholder be made aware of the transaction currency before
proceeding with a purchase. The currency should be clearly stated, including the country
name when the name of the unit of currency is not unique. For example, a dollar can be an
Australian dollar, a New Zealand dollar, a Hong Kong dollar, a U.S. dollar,
or one of many more.

  The acquirer must enter transactions into VisaNet for clearing and settlement in the
  exact amount and in the exact transaction currency authorized by the cardholder. Therefore,
  neither the merchant nor the acquirer can convert the agreed transaction amount into a different
  currency. Merchants can display equivalents of the transaction amount in different currencies, but
  they must clearly indicate that the equivalents listed are for information only.

– Country of merchant domicile. Acquirers should check with their
representative and with local laws to determine how a merchant
location is legally defined. Visa International Operating Regulations
(as well as local laws) outline criteria for determining if a merchant
is legitimately operating in the country that it declares as its official
business location. It is up to the acquirer to define these requirements
up front to help merchants determine and declare their country of
merchant domicile, and to ensure that they do not violate cross-border
regulations.
– Export restrictions (if known).
• Additional items that ideally should be included on a merchant’s website
include:
– Privacy statements.
– Identifiers that easily match the website to the “doing business as” name.
– Statements that address when credit cards are charged. A best practice
is to wait until the merchandise has been shipped or service completed
before billing the cardholder.
– Commitments to process orders promptly and send an e-mail confirmation
and order summary within one business day of the initial order. Provide
up-to-date stock information if item is back-ordered.
– Commitment to respond to all customer service e-mails and phone calls
within two business days.
– A statement explaining the security controls in place to protect customers.
– A statement encouraging cardholders to retain a copy of the transaction
record.
• In addition to these requirements, an online gambling website must:
– Advise cardholders of their responsibility to know if their national or local
laws prohibit gambling on the Internet.
– Include a complete description of rules of play, cancellation policies, and
pay-out policies.
– Include a statement recommending that cardholders retain a copy of
transaction records.
– Indicate that online gambling is for adults only and use best efforts to
restrict participation by minors. This can include using commercial self-
rating software to designate the site as inappropriate for minors.
– Display an identifier that consists of the eight-digit Visa-assigned acquirer
Business Identification (BID) number combined with a merchant
identification number.

Merchant Approvals

Merchant Credit Review and Approval Best Practices

To reduce risk exposure, acquirers should establish guidelines for reviewing and
approving merchant applications. In this area, best practices are as follows:
• Set levels of authority for approval based on the merchant’s projected
sales volume. For example, the application for a merchant with US $1 million
projected sales would require approval by a high-level executive of the
institution.
• Accept ONLY complete applications. All required documentation must be
enclosed.
• Establish separate application verification processes: one for low-risk
merchants and a more stringent process for high-risk merchants. This can
protect the organization from potential losses by:
– Requiring high-risk merchants to provide additional references.
– Verifying these references carefully.
– Performing a more detailed evaluation of business financials and physical
site inspections.

• Establish specific approval criteria for low-risk merchants and high-risk
merchants. By using more stringent criteria for high-risk merchants, an
acquirer can factor into its approval decisions any risks associated with the
merchant’s products or way of doing business. These criteria can also help
ensure that the merchant has the financial capability to handle returns and
chargebacks.
• Clearly designate merchant approval responsibilities and authorities based
upon risk. Requiring higher levels of authority based on a calculated risk-
exposure amount is an excellent risk management practice. In addition,
authority policies should be documented to ensure compliance.
• Establish merchant approval signature requirements. Internal signature
requirements should be consistent with the approval authority policies, and
be clearly documented to ensure compliance.
• Establish formal rejection override policies and procedures. This ensures
that employees do not approve a previously declined merchant unless a
legitimate override authority is exercised, new information has been obtained
to warrant approval, or additional risk control measures are being used.

• Maintain a database of all declined merchant applications. Acquirers should compare all
applications against this database to help quickly identify applicants that they have previously
declined.
• Develop a policy for approving merchants that offer prepaid goods or services.
• Submit an inquiry to the Visa Advanced ID Solutions, ICS (U.S. only) to determine if Visa and
MasterCard issuers have reported:
– Fraud or excessive credit card applications,
– The filing of previous bankruptcies, or
– The use of negative data, on an application (i.e., a deceased principal’s Social Security
number, address, or phone, etc.)

The ICS is a centralized, nationwide database of bankruptcy, fraud, unauthorized use,
questionable data, and credit application information. The service provides Visa and
MasterCard® issuers in the U.S. with unique information to assist them in making decisions about
whether to issue a card to a new applicant. Issuers may also query the database on existing
accounts prior to reissue, for credit line increases, and more. U.S. acquiring members can also use the
ICS to check merchant applicants during merchant underwriting to avoid possible fraud losses.

Card-Absent Merchant Credit Review and Approval Best Practices

• Increase monitoring and liability for card-absent transactions. At a minimum, consider daily
authorization and settlement monitoring, delayed funds access, and reserve requirements.
• Assess risk exposure quantitatively and determine potential acquirer liability. The acquirer is liable for
consumer refunds if the merchant ceases operations. Such assessments
typically use actual or projected sales volume, estimated shipping delays, and
refund and chargeback rates.
• Define policies and standards for collecting and holding reserves on high-
risk card-absent merchants.
– To substantially reduce financial exposure, maintain merchant reserves
that are outside the merchant’s control. If the merchant ceases business,
the reserve amounts should be sufficient to cover any future chargebacks.
– Develop a merchant agreement clause that states that the acquirer can
hold the merchant reserves, even if the merchant declares bankruptcy.

For Internet Merchants:


• Use “accept or do not accept” criteria to determine whether a merchant
applicant is eligible for the e-commerce program. This quick check helps
ensure that the merchant’s products and marketing methods comply with an
organization’s signing policies.
• Use automated tools and government agency databases to verify business
owner application name. Automated tools can help confirm the merchant’s
business name, address, and telephone number, and validate that the
business is operating in the location indicated on the application.

• Use Internet merchant rating services, like TRUSTe (www.truste.com), CNET (www.cnet.com)
and Bizrate.com (www.bizrate.com), to obtain additional information about existing Internet
merchants.
• Review the merchant website to ensure it complies with minimum requirements. This can
help avoid unnecessary operational expenses and risk exposure after the merchant is established in
the program. See “Merchant Website Requirements” on page 57 for details.
• Copy and retain the merchant website source code for periodic reviews. By retaining prints or
saving the merchant’s original website content for its primary pages (e.g., the original HTML code),
an acquirer can periodically make comparisons between it and the current website. This offers
an easy way to identify significant changes in the merchant’s business (e.g., changes in products
being sold or key affiliations to other websites).
• If working with an Internet Payment Service Provider (IPSP), establish procedures to ensure
that terminated merchants are not signed as sponsored merchants. IPSPs
that sign sponsored merchants in Merchant Category Codes (MCCs) 5962,
5966, or 5967 must be registered with Visa.

An Internet Payment Service Provider (IPSP) is an online entity that contracts with an acquirer
to provide payment-related services to sponsored merchants. The IPSP interfaces with
the acquirer on behalf of its sponsored merchants, and must ensure that its sponsored merchants are
contractually obligated to operate according to Visa requirements. IPSPs are responsible for the
actions of their sponsored merchants, and bear liability for their actions. An IPSP is only permitted
to sign sponsored merchants.
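
The snapshot comparison described in the "copy and retain the merchant website source code" practice above can be automated; the following is an added example, not part of the Visa manual. The site host, both sample pages, the watch-term list (drawn from the selling methods this chapter associates with high chargeback rates) and the 0.8 similarity threshold are constructed assumptions.

```python
import re
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed watch list, based on the high-chargeback selling methods named in this chapter.
WATCH_TERMS = {"gift", "gifts", "prize", "prizes", "sweepstakes",
               "installment", "installments", "telemarketing"}


class _PageSummary(HTMLParser):
    """Collects visible words and the hosts a page links, posts or frames to."""

    SKIP = {"script", "style", "noscript"}
    URL_ATTR = {"a": "href", "form": "action", "iframe": "src"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.words = []
        self.hosts = set()
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self._skip_depth += 1
        attr = self.URL_ATTR.get(tag)
        if attr:
            host = urlparse(dict(attrs).get(attr) or "").hostname
            if host:  # relative links have no host and stay on the merchant site
                self.hosts.add(host.lower())

    def handle_endtag(self, tag):
        if tag in self.SKIP and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self.words.extend(re.findall(r"[a-z0-9]+", data.lower()))


def summarize(html, site_host):
    """Return (visible word list, set of external hosts) for one HTML snapshot."""
    parser = _PageSummary()
    parser.feed(html)
    parser.close()
    site_host = site_host.lower()
    external = {h for h in parser.hosts
                if h != site_host and not h.endswith("." + site_host)}
    return parser.words, external


def compare_snapshots(baseline_html, current_html, site_host, min_similarity=0.8):
    """Compare the retained snapshot with the current page and flag changes for review."""
    base_words, base_hosts = summarize(baseline_html, site_host)
    cur_words, cur_hosts = summarize(current_html, site_host)
    similarity = SequenceMatcher(None, base_words, cur_words, autojunk=False).ratio()
    new_terms = set(cur_words) - set(base_words)
    report = {
        "text_similarity": round(similarity, 2),
        "new_external_hosts": sorted(cur_hosts - base_hosts),
        "removed_external_hosts": sorted(base_hosts - cur_hosts),
        "new_watch_terms": sorted(new_terms & WATCH_TERMS),
    }
    report["needs_review"] = bool(similarity < min_similarity
                                  or report["new_external_hosts"]
                                  or report["new_watch_terms"])
    return report


# Constructed sample data: the page as retained at underwriting and as seen at review time.
SITE_HOST = "acme-garden.example"
BASELINE_HTML = """<html><head><title>Acme Garden Tools</title><style>p{color:red}</style></head>
<body><h1>Acme Garden Tools</h1>
<p>Hand forged spades, rakes and pruning shears. Prices in U.S. dollars.</p>
<p>Returns accepted within 30 days.</p>
<a href="/products">Products</a>
<a href="https://parcel.example/track">Track your parcel</a>
</body></html>"""
CURRENT_HTML = """<html><head><title>Acme Garden Tools</title></head>
<body><h1>Acme Wellness Club</h1>
<p>Monthly membership with free gift and cash prize sweepstakes. Prices in U.S. dollars.</p>
<p>All sales final.</p>
<a href="/join">Join</a>
<a href="https://parcel.example/track">Track your parcel</a>
<form action="https://promo-partner.example/enroll"><input name="email"></form>
</body></html>"""

if __name__ == "__main__":
    for key, value in compare_snapshots(BASELINE_HTML, CURRENT_HTML, SITE_HOST).items():
        print(f"{key}: {value}")
```
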

Chapter 4 Merchant Contracting and Setup

Upon acceptance of a new merchant account, an acquirer and merchant must
sign an agreement specifying the terms and conditions under which Visa
transactions will be processed. This agreement is the contract between the
acquirer and the merchant that specifies pricing, procedures, and rules of the
acquiring service provided.
Visa International Operating Regulations define certain mandatory provisions
that must be included in all merchant agreements. In addition, Visa offers
recommendations for optional provisions that can help acquirers reduce their
fraud exposure. Once a merchant agreement has been signed, the merchant
business must be set up with the appropriate equipment for card acceptance, as
well as the proper information in the authorization and clearing records.
This chapter outlines Visa requirements and recommendations for developing
merchant agreements and offers a few practical suggestions for setting up new
merchants.

What’s Covered
• Developing Merchant Agreements
• Mandatory Agreement Provisions
• Optional Agreement Provisions
• Agreement Requirements for Chip Migration
• New Merchant Start-up and Preparation
• Merchant Fraud Prevention Communication and Education

Developing Merchant Agreements

The merchant agreement is a legal document that binds the merchant to operate
under the rules and regulations established by Visa and the acquirer. This
agreement should be thorough enough to protect the acquirer from improper
card processing and include certain minimum provisions contained in the Visa
International Operating Regulations. Acquirers may, however, vary the appearance
of the agreement form, as well as the wording of these contracts, as appropriate.

Looking at the Agreement from a Risk Perspective

An acquirer’s merchant agreement should be designed from a risk perspective to:
• Reduce the institution’s exposure to fraud and business failure losses to the greatest extent
allowable by law.
• Ensure the agreement makes clear the circumstances under which the acquirer has the
right of termination. These can include changes in ownership or any activity that (in the acquirer’s
opinion) might indicate increased risk of credit/fraud loss. The agreement should specify—for
both sides—a maximum of 30 days’ notice of termination, but indicate that either party may
terminate at any time for any reason. Note: Most
agreements have the “terminate for any reason” clause; the “restricted
termination” clause is the exception.
• Confirm the right of the acquirer to seize or withhold funds.
• Guarantee the safe and sound operation of merchant activities.
• Include provisions that add protection against fraud and credit losses
beyond the minimum requirements stated in the Visa International Operating
Regulations.
• Determine if merchant has ever been in the “enforcement” stages of a
Payment Plan’s Compliance Program.
• Outline all regulatory issues.

The Visa International Operating Regulations state that an acquirer must have
a signed merchant agreement for each merchant account, and that all merchant
agreements must be kept on file at the acquirer’s place of business.

Most acquirers have a standard agreement for the majority of their merchants;
however, an acquirer may have a custom agreement with a larger merchant.
Acquirers that do use custom agreements should have a contract management
tool in place that tracks variations from the standard agreement.

Mandatory Agreement Provisions

A merchant agreement must include some form of the following provisions. For a
full list of mandatory provisions, see the Visa International Operating Regulations.

Area: Data Security
Provisions:
• Merchants shall not disclose cardholder account information to
third parties, except when needed to complete a transaction or
when required by law.
• All merchants and any Third-Party Agents that transmit, store,
or process cardholder data for the merchant must be compliant
with the Payment Card Industry (PCI) Data Security Standard
(DSS) Compliance program.
• Merchants must store all material containing account numbers—
including sales transaction receipts, credit vouchers, vehicle
leasing agreements and carbons—in a secure area accessible
only to selected personnel.
• The business’ disposal procedures must also ensure security;
materials containing account information must be made
unreadable before they are discarded.
• The merchant must not retain or store Card Verification Value 2
(CVV2)* data subsequent to the authorization of a transaction.
• Merchants (and their Third-Party Agents) must not retain
full-track magnetic-stripe data subsequent to authorization.

Area: Financial Responsibility
Provisions:
• The merchant’s liability for chargebacks, credits, fees, and fines
should be clearly stated.
• The merchant is liable to the bank for any losses that arise
from the merchant’s failure to comply with the merchant
agreement.
• The merchant will be liable for any sales transaction receipt
charged back to the acquirer if:
– The transaction was not performed in accordance with the
merchant agreement.
– Goods or services were purchased with an altered card.
• Chargebacks will be directly debited from the merchant’s
account, and the merchant may be required to maintain
account reserves to cover these payments. Reserve amounts
may be based on a percentage of sales to be determined by the
acquirer.**

*In certain markets, CVV2 is required for card-absent transactions.
**Some acquirers have an operations-type booklet that contains the chargeback, retrieval, and other process-related items to keep those items
out of the agreement itself. Compliance with that manual is referenced in the agreement.

Area: Split Sales Transaction Receipts
Provisions: Split sales transaction receipts are not allowed. Specifically,
merchants may not use two or more sales transaction receipts for
a single transaction to avoid or circumvent authorization limits.

Area: Laundering of Sales Transaction Receipts
Provisions: Laundering of sales transaction receipts is specifically prohibited by
the Visa International Operating Regulations. To ensure new merchants
understand the anti-laundering provisions of your agreement, you
should review this section with them and have them initial it. (See
“Laundering (Factoring)” in Chapter 7 of this manual.)

Area: Surcharges
Provisions: Merchants may not impose surcharges on transactions, unless local law
expressly requires that a merchant be permitted to impose a surcharge.

Area: Visa Marks
Provisions: The Visa Brand Mark or logo may only be used on a merchant’s promotional
materials to indicate that Visa cards are accepted as payment for the
business goods and services. The logo and mark may not be
used, either directly or indirectly, to imply that Visa endorses a
merchant’s goods or services; nor may a merchant refer to Visa
when stating eligibility requirements for purchasing its products,
services, or memberships.

Area: Refund Vouchers
Provisions: Refund vouchers may not be submitted for noncredit transactions.
Specifically, merchants may not accept money from a cardholder
and then prepare and deposit a credit voucher for the purpose of
crediting the cardholder’s account.

Area: Previous Transactions
Provisions: Cardholder payments for previous Visa transactions are prohibited.

Acquirers are responsible for ensuring that merchants who are participating in Verified
by Visa operate in accordance with product rules and the Visa International Operating
Regulations, and that such requirements are included in merchant agreements.
The merchant agreement must state that merchants must not make the
use of Verified by Visa a condition of Visa card acceptance at the merchant’s online store.

Area: Cash Disbursements
Provisions: Cash disbursements to cardholders are prohibited except if made
by the following categories of merchants:
• Lodging merchants participating in Visa Hotel Services, or
cruise line merchants. These merchants may make cash
disbursements to Visa cardholders under the specific
circumstances defined in the Visa International Operating
Regulations.
• Disbursements made by merchants who sell travelers cheques
or foreign currency are limited to the value of cheques, travel
money, or currency sold in a single transaction, plus any
applicable commissions. Under no circumstances may the
transaction represent collection of a dishonored cheque.

Area: Scrip
Provisions: Merchants may not accept Visa cards for the purchase of scrip.

Area: Authorization Requirements
Provisions: Merchants must obtain authorization:
– For transaction amounts above the specified maximum floor
limits required by the acquirer; or
– In the event of a chip transaction when so requested by the
card, if the point-of-sale (POS) terminal is chip-capable.

Area: Uncertain Cardholder Identification
Provisions: If cardholder identification or the card’s validity is uncertain, the
merchant must contact its acquirer for instructions. If the acquirer
asks the merchant to recover the card, the merchant must comply
according to established procedures.


Optional Agreement Provisions

While not required by the Visa International Operating Regulations, the following
provisions can help acquirers reduce their exposure to fraud and risk losses. In all
cases, applicable local law should be observed.
Visa does not provide legal advice to its acquiring member banks. The
optional provisions listed here are intended as only a partial checklist of
terms that an acquirer should consider including in a merchant agreement.
Acquirers are encouraged to seek legal advice with respect to their specific
business and legal circumstances.

Area: Provisions:

Termination of Agreement: The acquirer reserves the right to terminate the
merchant agreement for any reason at any time.

Right to Hold Funds: Payment of funds to the merchant is provisional. The
acquirer has the right to freeze or hold deposits whenever fraudulent
activity is suspected.

Change in Ownership: Merchants must notify the acquirer of any changes in
ownership, such as limited partnership agreements, or any other changes in
business practices or sales method—including expected changes in average
draft or deposit amount. Specifically, a merchant must notify the acquirer
(and agree in writing) before adding and performing mail order, telephone
order, or Internet sales activity and/or making changes to the products or
services being sold.

Secured Interest: The merchant must grant the acquirer a secured interest in
all its assets. This means the acquirer will be recognized as a legal
creditor in case the merchant declares bankruptcy.

Use of Personal Accounts: Merchants may not use their own merchant accounts
for personal Visa card transactions. For example, merchants cannot use their
personal Visa cards to withdraw cash or to purchase goods and services from
their own business.


Agreement Requirements for Chip Migration

Chip Processing Agreement Updates

An existing merchant agreement may need to be updated to reflect the
migration to chip processing. It is important to review the changes to the
merchant relationship relative to chip processing and then update the
merchant agreement to include the following:
• Acquiring Center management review in view of potentially lower interchange
  rates for chip transactions
• Terminal costs and installation, as well as any pricing changes
• Support for additional data for authorization and clearing messages
• Receipt of new information on reports
• Cost and competitive factors
• Merchant expectations for conversion to chip card acceptance, including
  chargeback liability review
• Procedural changes to card acceptance processes
• Acceptance of Visa Electron cards at online-capable terminals for both
  chip-initiated and magnetic-stripe transactions
• Acceptance of Visa Horizon cards at online PIN-capable terminals, if
  appropriate

In updating the merchant agreement, be sure to obtain legal advice on
regulatory and business requirements and have your institution’s legal
counsel review the revised agreement.


New Merchant Start-Up and Preparation

Card-Present Merchant Setup Best Practices

Acquirers should view the setting up of a new card-present merchant account
as an opportunity to establish strong fraud-prevention practices. To ensure
terminal and transaction data security, as well as reduce overall fraud
exposure:
• Make sure all point-of-sale (POS) devices are fully Card Verification Value
  (CVV)-capable and chip-capable (if applicable). Ensure that the devices
  meet Visa International Operating Regulations for suppression of account
  information on transaction receipts.
• Wherever possible, ensure terminals:
  – Read/transmit full magnetic-stripe track 1 or 2 data; but not display the
    full-track data (i.e., CVV) at any point.
  – Prompt the user to enter the last four digits of the embossed account
    number (“read and compare”). This is an effective deterrent to
    counterfeiting.
  – Ensure that software packages and systems do not contain data retention
    scenarios.
• Educate merchant on card security features, card acceptance, key-entered
  transaction, Code 10 call, and card recovery procedures.
• Equip merchants with reference materials to aid with card acceptance and
  fraud prevention.
• Review the PCI DSS requirements and mandated Visa compliance with the
  merchant.
  – Instruct merchants to restrict access to transaction data and limit
    payment system software to authorized personnel.
  – Discuss data security issues and PCI DSS requirements. Make sure
    arrangements have been made for verification of the PCI DSS compliance.
  – Document that the merchant has received the PCI DSS information,
    understands the issues, and accepts liability.
• Emphasize that full track, magnetic-stripe and chip data, must not be
  stored on any system once a transaction has been authorized. Storage of
  track data elements in excess of name, personal account number (PAN), and
  expiration date after transaction authorization is strictly prohibited.

Visa requires that all electronic POS terminals provide a suppressed account
number on the transaction receipts. This means that at least four digits of
the account number on the cardholder copy of the transaction receipt must be
suppressed. The expiration date should not appear at all.

For more information about PCI DSS requirements, refer to Chapter 10:
Cardholder Information and Personal Identification Number Security in this
manual.


• Conduct terminal/authorization testing prior to your merchant launch.
• Ensure data quality, including merchant name, location, and Merchant
  Category Code (MCC).
• Ensure Third-Party Agents that manage merchant relationships are
  properly trained and knowledgeable regarding Visa International Operating
  Regulations and risk programs.
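
One way to check merchant systems for the prohibited post-authorization storage of full-track data described above, and to render a suppressed account number for the cardholder receipt. This is an added example, not part of the Visa manual; it assumes the ISO/IEC 7813 track 1 and track 2 layouts, and the function names, log lines, and card number are constructed for illustration.

```python
import re

# Assumed layouts (ISO/IEC 7813):
#   track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
#   track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1 = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
TRACK2 = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_ok(pan):
    """Luhn check, used to discard digit runs that are not account numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_lines(lines):
    """Return (line number, track kind, last four digits) for each stored track."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        for kind, rx in (("track1", TRACK1), ("track2", TRACK2)):
            for m in rx.finditer(line):
                if luhn_ok(m.group(1)):
                    hits.append((line_no, kind, m.group(1)[-4:]))
    return hits


def redact_line(line):
    """Replace each Luhn-valid track with a marker that keeps the last four digits."""
    def _sub(m):
        pan = m.group(1)
        if not luhn_ok(pan):
            return m.group(0)
        return f"[track data removed, PAN ending {pan[-4:]}]"
    for rx in (TRACK1, TRACK2):
        line = rx.sub(_sub, line)
    return line


def permitted_elements(track):
    """Keep only what may be stored after authorization: name, PAN, expiry.

    The service code and discretionary data (which carries the CVV) are dropped.
    Returns None when the input is not a recognisable track.
    """
    m = TRACK1.fullmatch(track)
    if m:
        return {"pan": m.group(1), "name": m.group(2).strip(), "expiry_yymm": m.group(3)}
    m = TRACK2.fullmatch(track)
    if m:
        return {"pan": m.group(1), "name": None, "expiry_yymm": m.group(2)}
    return None


def receipt_pan(pan, visible=4):
    """Cardholder-copy account number: all but the last digits suppressed."""
    return "*" * (len(pan) - visible) + pan[-visible:]


# Constructed sample log. 4111111111111111 is a test number, not a real account.
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JANE^12125010000000000123000000?"
SAMPLE_LOG = [
    "2010-10-01 12:00:01 AUTH OK term=T001 amount=25.00 pan_last4=1111",
    "2010-10-01 12:00:02 DEBUG raw=" + SAMPLE_TRACK1,
    "2010-10-01 12:00:03 DEBUG raw=;4111111111111111=12125010000012300000?",
    # Track-shaped but fails the Luhn check, so it is not reported.
    "2010-10-01 12:00:04 DEBUG raw=;4111111111111112=12125010000012300000?",
]

if __name__ == "__main__":
    for line_no, kind, last4 in scan_lines(SAMPLE_LOG):
        print(f"line {line_no}: {kind} stored for PAN ending {last4}")
    print(receipt_pan("4111111111111111"))
```
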
Card-Absent Merchant Setup Best Practices

For all card-absent merchants:
When setting up new card-absent merchants, apply these practices to ensure
effective data security and avoid fraud/chargeback losses:
• Establish a clear merchant description for cardholder statements. Ensure
  merchant name, telephone number, or URL address appears on the cardholder
  statement. This will help facilitate easier merchant name recognition.
• Maintain data integrity by ensuring that transactions include merchant
  names, location, and MCC.
• Educate the merchant about the risk exposure and liability associated with
  accepting Visa cards in the card-absent environment.
• Offer solutions to enable the merchant to block high-risk transactions for
  review.
• Ensure merchants are aware of fraud-detection and monitoring tools
  available in their country.
• Advise the merchants of available third-party, fraud-screening services.
• Review the PCI DSS requirements and mandated Visa compliance with the
  merchant.
  – Discuss data security issues and the PCI DSS requirements. Make sure
    arrangements have been made for verification of PCI DSS compliance.
  – Document that the merchant has received the PCI DSS information,
    understands the issues, and accepts liability.
  – Emphasize that merchants and agents are prohibited from storing CVV2*
    data. When asking a cardholder for CVV2 as part of an Internet or
    telephone order, they should not document this information on any kind of
    paper order form or store it on any database after transaction
    authorization.
• Clarify and support dynamic currency conversion/multi-currency support
  activities.

Many card-absent merchants do not learn about their risk exposure and
liability until they receive their first chargeback. By educating merchants
during the set-up process, an acquirer can help avoid merchant confusion and
promote efficient and secure operations.

For more information about PCI DSS requirements, refer to Chapter 10:
Cardholder Information and Personal Identification Number Security in this
manual.

*In certain markets, CVV2 is required for card-absent transactions.


• If the merchant is processing recurring transactions, make sure the
  merchant is well trained in the use of recurring payment indicators.
• Ensure Third-Party Agents that manage merchant relationships are
  properly trained and are knowledgeable regarding Visa International
  Operating Regulations and risk programs.

For Internet Merchants:
• Ensure that the MCC reflects the merchant’s principal line of business,
  rather than placing all Internet merchants into a designated e-commerce
  MCC.
  – Use the MCC to reveal the type of business being transacted and the
    Electronic Commerce Indicator (ECI) to indicate that a transaction was
    conducted on the Internet. In order to qualify for chargeback protection
    against fraudulent transactions, the merchant must indicate an ECI value
    within the range of 1 through 6, along with the Cardholder Authentication
    Verification Value (CAVV) for Verified by Visa transactions. ECI values
    7 and 8 do not offer Internet merchant chargeback protection.
  – Do not place Internet merchants in the high-risk telemarketing MCCs
    unless they meet the definition for high-risk telemarketing merchants as
    defined in the Visa International Operating Regulations.
• In addition to the ECI, identify an online gambling merchant using these
  mandatory data elements:
  – MCC 7995. This MCC is applicable to any type of transaction that
    facilitates online gambling activities including, but not limited to, the
    purchase of virtual gaming “chips”, horse race betting, or the funding of
    an account held by the merchant to be subsequently used by the cardholder
    for gambling.
    The use of MCC 7995 is required for all online gambling transactions,
    even if gambling is not the merchant’s primary business activity. If
    necessary, the merchant can be assigned more than one MCC to
    accommodate its non-gambling activities.
  – Quasi-Cash or Online Gambling Transaction indicator. Formerly known
    as the “Quasi-Cash Indicator,” this flag must be used in authorization
    and clearing messages.

An acquirer must provide the appropriate POS condition code and electronic
commerce indicator (ECI) for all e-commerce transactions in both
authorization and clearing records. The ECI value indicates the level of
security used in the transaction and makes it easy for an organization to
track and manage e-commerce sales volume and chargebacks.


• Encourage gaming merchants to adopt online gaming industry “best business
  practices” and codes of conduct.
• Notify the Internet merchant of the availability of Verified by Visa. If an
  Internet merchant elects to participate in Verified by Visa, ensure that
  the merchant understands all service requirements as specified in the Visa
  International Operating Regulations. The merchant agreement must include
  the substance of these requirements.
• Check the Internet merchant’s site after the merchant has started
  processing Visa payments to ensure that the merchant has not changed its
  agreed upon products or service offerings.

Acquirers must ensure that their participating merchants and any of their
Third-Party Agents that process Verified by Visa transactions comply with the
Visa International Operating Regulations related to 3-D Secure and with PCI
DSS requirements.
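
A data-quality check an acquirer could run over paired authorization and clearing records to apply the Internet merchant requirements listed above (ECI and MCC present and consistent in both records, MCC 7995 and the gambling indicator for online gambling, ECI 1 through 6 with a CAVV for chargeback protection). This is an added example, not part of the Visa manual; the record field names and all sample values are hypothetical.

```python
# Values taken from the manual text above.
GAMBLING_MCC = "7995"          # required for all online gambling transactions
PROTECTED_ECI = range(1, 7)    # ECI 1 through 6 qualify; 7 and 8 do not

# Hypothetical field names for the data elements the manual requires
# in both authorization and clearing records.
REQUIRED_FIELDS = ("mcc", "eci", "pos_condition_code")


def check_transaction(auth, clearing, online_gambling=False):
    """Return a list of data-quality issues for one e-commerce transaction."""
    issues = []
    records = (("authorization", auth), ("clearing", clearing))

    # Every required element must be present in both records.
    for label, rec in records:
        for field in REQUIRED_FIELDS:
            if rec.get(field) in (None, ""):
                issues.append(f"{label}: missing {field}")

    # The two records must describe the same business and security level.
    for field in ("mcc", "eci"):
        a, c = auth.get(field), clearing.get(field)
        if a not in (None, "") and c not in (None, "") and a != c:
            issues.append(f"{field} mismatch: authorization={a} clearing={c}")

    # Online gambling carries two extra mandatory data elements.
    if online_gambling:
        for label, rec in records:
            if rec.get("mcc") != GAMBLING_MCC:
                issues.append(f"{label}: online gambling must use MCC {GAMBLING_MCC}")
            if not rec.get("gambling_indicator"):
                issues.append(f"{label}: Quasi-Cash or Online Gambling indicator not set")
    return issues


def chargeback_protected(auth):
    """True when the authorization carries what the manual requires for protection."""
    if auth.get("eci") not in PROTECTED_ECI:
        return False
    # Verified by Visa transactions must also carry the CAVV.
    if auth.get("verified_by_visa") and not auth.get("cavv"):
        return False
    return True


# Constructed sample records; every value here is a placeholder.
SAMPLE_AUTH = {
    "mcc": "5999", "eci": 5, "pos_condition_code": "PLACEHOLDER",
    "verified_by_visa": True, "cavv": "CONSTRUCTED-CAVV",
}
SAMPLE_CLEARING = {"mcc": "5999", "eci": 5, "pos_condition_code": "PLACEHOLDER"}

if __name__ == "__main__":
    print(check_transaction(SAMPLE_AUTH, SAMPLE_CLEARING))
    print(chargeback_protected(SAMPLE_AUTH))
    gambling_auth = dict(SAMPLE_AUTH, mcc=GAMBLING_MCC, gambling_indicator=True)
    for issue in check_transaction(gambling_auth, SAMPLE_CLEARING, online_gambling=True):
        print(issue)
```
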


Merchants Fraud Prevention Communication and Education

Merchant Education

Merchants are important partners in minimizing fraud risk. As such, merchant
training and ongoing education efforts are vital to ensure that merchant
employees understand and continue to follow appropriate card acceptance and
data security procedures for all transactions. With this in mind, acquirers
should:
• Provide card acceptance, fraud prevention and data security training as
  soon as a new merchant account is opened.
• Ensure that merchants conduct periodic training refresher courses for all
  sales staff. Fraud awareness sessions should be especially encouraged prior
  to any seasonal highs in a merchant’s business, when sales volumes and
  fraud risks are likely to increase.

As part of merchant training and on-the-job support, acquirers should provide
merchant employees with quick reference aids and other materials covering key
steps and decisions.

Prevention education materials for merchants can be presented in a variety of
formats including, but not limited to, the following:
• Advertising
• Periodic service calls
• Newsletters
• Training seminars

Resource Support

Visa, in its continuing effort to help acquirers and merchants reduce
point-of-sale fraud, offers a host of reference and education materials. Many
of the merchant fraud-prevention procedures outlined in this manual are
covered in more detail in various Visa fraud control risk management merchant
publications.

Acquirers are encouraged to communicate to their merchant the importance of
using these tools to reduce fraud.


Materials that support U.S. domestic transactions are available at
www.visa.com/merchants. To access global merchant publications for your
country, click the Global Sites link at the bottom of the screen.

Click “Global Sites” to visit regional websites: http://usa.visa.com/merchants

This will take you to the Visa Global Gateway where you can select a country.

Select a country: www.visa.com/globalgateway/

Chapter 5: Fraud Prevention for Card-Present Merchants

To increase profitability and reduce fraud losses, acquirers must ensure that
proper card acceptance procedures are being followed by all merchants in their
daily business. Collectively, these procedures, which are outlined in the Visa
International Operating Regulations, serve as a critical tool for loss reduction at the
point of sale. Routine fraud-prevention practices can lead to tangible benefits
for merchants and acquirers. Chargeback rates can be minimized, even in cases
where fraudulent or other unauthorized transactions do occur.
All acquirers are responsible for providing card-present merchants and their
employees with appropriate card acceptance and fraud-prevention education.
This chapter is intended to assist in this effort.

What’s Covered
• Card-Present Transaction Procedures
• Checking Visa Security Features
• Authorization Processing
• Matching Cardholder Signatures
• Handling Cash Disbursements/Cash Advances
• Processing Visa payWave Transactions
• Processing Visa Easy Payment Service Transactions
• Looking for Warning Signs of Fraud
• Making a Code 10 Call
• Recovered Cards
• Using Visa Electron Cards in the Card-Present Environment
• Acquirer Support of Merchant Code 10 Efforts
• Acquirer Actions For Card Recovery
• Chip Acceptance Procedural Differences

CHAPTER 5: FRAUD PREVENTION FOR CARD-PRESENT MERCHANTS


Card-Present Transaction Procedures

Whenever a Visa card is present at the time of a transaction, merchants are
required to take all reasonable steps to ensure that the card, cardholder, and
transaction are legitimate.

Basic card acceptance and fraud control for card-present transactions include
the following actions:
1. If possible, check the Visa card security features to make sure the card
   is valid and has not been visibly altered in any way.
2. Obtain an authorization for transactions over the floor limit.
   – In most card-present transactions, an authorization request is submitted
     by swiping the card’s magnetic-stripe through the point-of-sale (POS)
     terminal, by dipping a chip card into a chip-reading device*, or by
     waving a card in front of a Visa payWave reader.
   – If processing a chip transaction, preference must be given to the chip
     before attempting to swipe the stripe.
   – If a card cannot be read or swiped, then key-enter the account number
     into the POS terminal and take a card imprint.
3. Compare card information (i.e., account number or cardholder name) to the
   POS terminal signature window display or sales transaction receipt.
4. For a signature-based transaction, check the cardholder’s signature on the
   imprinted sales transaction receipt or POS terminal signature window
   display against the signature on the card.
5. Be on the lookout for suspicious behaviors.
6. If you receive an authorization approval, but still suspect fraud, make a
   Code 10 call.
These actions are explained in more detail on the following pages.

Chip technology is designed to help protect against skimming. Unlike the
magnetic-stripe on the back of the card, the small chip cannot be copied,
thus preventing the card from being counterfeited.

Merchants should keep the card in their possession until they have checked
the cardholder’s signature and the transaction is complete.

*Many Visa cards have a chip that communicates information to a POS terminal with a chip-reading device. If a chip reading device is
available, preference must always be given to chip card processing before attempting to swipe the stripe.


Checking Visa Security Features

Every Visa card contains a set of unique design elements and security features
developed by Visa to help merchants verify a card’s legitimacy. A visual check of
the Visa card security features should be one of the first steps in all card-present
transactions. Any sign that a card design element or security feature is not
genuine or has been tampered with may mean that the merchant has been given
a counterfeit or invalid card.

Visa Brand Mark Card Security Features

Back of the card:
• The Signature Panel must appear on the back of the card and contain an
  ultraviolet element that repeats the word “Visa®.” The panel will look like
  this one, or have a custom design. It may vary in length. The words
  “Authorized Signature” and “Not Valid Unless Signed” must appear above,
  below, or beside the signature panel. If someone has tried to erase the
  signature panel, the word “VOID” will be displayed.
• The Magnetic-Stripe is encoded with the card’s identifying information.
• Card Verification Value (CVV) is a unique three-digit code that is encoded
  on the magnetic-stripe of all valid cards. CVV is used to detect a
  counterfeit card.
• Card Verification Value 2 (CVV2)* is a three-digit code that appears either
  in a white box to the right of the signature panel, or in a white box
  within the signature panel. Portions of the account number may also be
  present on the signature panel. CVV2 is used primarily in card-absent
  transactions to verify that customer is in possession of a valid Visa card
  at the time of the sale.
• The Mini-Dove Design Hologram may appear on the back anywhere within the
  outlined areas shown here. The three-dimensional dove hologram should
  appear to move as you tilt the card.

Front of the card:
• Visa Brand Mark must appear in blue and gold on a white background in
  either the bottom right, top left, or top right corner.
• Embossed/Unembossed or Printed Account Number on valid cards begins with
  “4.” All digits must be even, straight, and the same size.
• Four-Digit Bank Identification Number (BIN) must be printed directly below
  the account number. This number must match exactly with the first four
  digits of the account number.
• Expiration or “Good Thru” date should appear below the account number.
• Flying Dove Hologram. If you do not see a mini-dove on the back of the
  card, check for the traditional dove hologram above the Visa Brand Mark on
  the front of the card.
• Ultraviolet “V” is visible over the Visa Brand Mark when placed under an
  ultraviolet light.

Merchants should always request an authorization on an expired card. If the
card issuer approves the transaction, the merchant can proceed with the sale.
A merchant should never accept a transaction that has been declined.

*In certain markets, CVV2 is required for all card-absent transactions.


Alternative Visa Brand Mark Applications

The Visa Brand Mark can appear in the upper left, upper right, and the lower
right corner location on the front of the card.
Note: Upper left placement allowed only on cards with a chip.

The two-color Visa Brand Mark (as shown here) does not have the standardized
white background.

The two-color reverse Visa Brand Mark (as shown here) does not have the
standardized white background and has been reversed to white with a gold wing
within the letter form of the V.

Visa Mini-Card

A Visa Mini Card is a miniature version of a standard size Visa Card or Visa
Electron Card.

*In certain markets, CVV2 is required for all card-absent transactions.


Unembossed Visa Card Acceptance


The unembossed Visa card (e.g., prepaid card) may look and feel different, but it is a valid card that can be
accepted at any Visa merchant location which has an electronic terminal. Unlike an embossed Visa card with raised
numbers, letters, and symbols, the unembossed card has a smooth, flat surface. From a merchant perspective,
the processing of an unembossed card at the point-of-sale should be seamless. There’s no need for new software,
special hardware, or modified terminal procedures. You simply swipe the unembossed card just as you would an
embossed card, then wait for an authorization and obtain the cardholder’s signature. Because of the unembossed
card’s flat surface, it cannot be used for transactions that require a card manual imprint.
Full Magnetic-Stripe Data must be transmitted as part of the
unembossed Visa card transaction authorization. Merchants
are required to swipe an unembossed card through the
terminal to prove that the card was present at the time of the
transaction.

Unembossed 16-digit Account Number, Cardholder Name, and Expiration Date are
laser-engraved, thermal or indent-printed securely on the front of the card.
The card’s flat, smooth surface makes it impossible to take a manual imprint.
If the Dove Hologram is on the
front of the card, the account
number will be printed outside
the hologram. The numbers may
be smaller and placed closer
together.

Cardholder Name or a
Generic Title may appear on
an unembossed card.

ELECTRONIC USE ONLY communicates to cardholders and merchants that this card
is a limited acceptance product and it can only be used at electronic point-of-sale
terminals. Merchants without an electronic terminal should ask for another form of
Visa payment. Electronic Use Only may be displayed on the front or back of the card.

Visa Chip Card

Visa Chip cards are embedded with a chip that communicates information to a point-of-sale terminal.
Upper left placement of the Visa Brand Mark is allowed only
on cards with a chip.


Visa Electron Card*


Visa Electron cards feel flat; all information is printed or engraved, not embossed or raised. Some unembossed Visa
cards may have only a partial account number printed on the card. The Visa Dove Design Hologram may or may not
appear on Visa Electron cards.

*Visa Electron Card is only available in certain countries, but can be used in all countries.


Authorization Processing

If a Card Won’t Read or Swipe

In some instances, the POS terminal will not be able to read the
magnetic-stripe in order to perform an authorization. When this occurs, it
usually means one of four things:
• The terminal’s magnetic-stripe reader is not working properly.
• The card is not being swiped through the reader correctly.
• The merchant may have a counterfeit or altered payment card.
• The magnetic-stripe on the card has been damaged or demagnetized.
Damage to the card may happen accidentally, but it may also be a sign that the
card is counterfeit or has been altered.
When the card won’t swipe, merchants should first check the terminal to make
sure it is working properly. If the terminal is operating correctly, and the
problem appears to be with the magnetic-stripe, merchants should follow the
established procedures for key-entered transactions. In addition, they should
check the card security features and match signatures, as outlined in this
chapter. The merchant should also take an imprint of the card.

An acquirer must have established procedures for its merchants when the
magnetic-stripe or chip cannot be read by the POS terminal.

If the Terminal Cannot Read the Chip

Visa policies state that chip cards must be read as chip at all times unless
the card, chip-reading device, or terminal is malfunctioning. In the event
that a chip cannot be read, the merchant should “fall back” to a lesser
method. Because the fallback transaction is swiped or keyed, the normal rules
of transaction processing must come into play. This means that a signature
will be required, rather than a PIN. For key-entered transactions, manual
imprints will be required.

For more information about chip acceptance, refer to the Chip Acceptance
Procedural Differences section in this chapter.


Responding to Authorization Messages

An authorization is an indication that the account funds are available and a
card has not been reported lost or stolen. It is a process in which the card
issuer approves or declines a transaction. An authorization is not proof that
the true cardholder or that a legitimate card is involved. Most sales are
authorized quickly.
There are times, however, when a merchant may receive an authorization
message indicating a potential problem with a card or cardholder. Negative or
alert messages include the following:
• Decline. The transaction has been refused by the issuer (e.g., the credit limit
on the account has been exceeded).
• Call or Call Center Referral. The issuer needs more information before
approving the sale.
• Pick up. The issuer wants to recover the card.
• No Match. (U.S. Only) The embossed or printed account number on the
front of the card does not match the account number encoded on the
magnetic-stripe.
Whenever a negative or alert message is received, the response is displayed on
the POS terminal. A sales transaction receipt, however, is never printed.

Handling Authorizations Below the Floor Limit
The merchant must take an imprint of the card. For “below-floor-limit”
transactions, the merchant has the option to:
• Seek authorization, unless a chip card is involved, or
• Not seek the authorization, but compare the card number to the current Card
Recovery Bulletin (CRB).
Note: The Card Recovery Bulletin (CRB) is an international list of lost/stolen,
counterfeit, and other cards that Issuers have listed for pickup.
If the merchant is presented with a card that is listed on the CRB, the merchant
must:
• Not complete the transaction.
• Retain the card by reasonable, peaceful means, if safe to do so. Merchant
staff members should never put themselves at risk.
• Call their authorization center, state that the card number is on the bulletin,
give the account number, and ask for instructions.


If the card number is not on the bulletin and the transaction amount is below the
merchant floor limit, it is not mandatory for the merchant to obtain an online
authorization. The merchant may proceed with the transaction. There are, however,
some exceptions to this rule. A merchant must obtain an online authorization if the
transaction involves manual cash, an Electron card, expired card, or it is an
unattended terminal transaction. Online authorizations must also be obtained for
fallback transactions and for chip-related transactions where the chip has
requested the online authorization.
Note: A “floor limit” is the transaction amount above which merchants are required
to call their authorization center and request a voice authorization for the
transaction.
Note: In the United States, floor limits are used only by merchants without
electronic terminals that automatically perform authorizations for all transactions.

When a Voice Authorization is Used
For authorization requests made by telephone, the merchant must make a manual
imprint of the card and write the authorization approval code on the sales
transaction receipt. Other data relating to the transaction must be handwritten
onto the sales transaction receipt, including the legend “Retain This Copy for
Statement” verification. Data requirements include the following:
• Embossed card data
• Merchant name
• Merchant city and country and state/province, if applicable
• Transaction amount indicated in transaction currency
• Identification of transaction currency
• Transaction date
• Description of goods or services, optional
• Space for cardholder signature
• Authorization code, if applicable
• Transaction type, purchase

Comparing Card and Terminal/Report Information
Most POS terminals also allow merchants to verify that the cardholder account
number on the front of the card is the same as the account number encoded on
the card’s chip or magnetic-stripe. How the merchant checks these numbers will
depend on their POS terminal. In some cases, the partial number will be displayed
on the terminal or printed on the sales transaction receipt; in others, the terminal
may be programmed to check this information electronically. In such instances,
the merchant will be prompted to enter the last four digits of the embossed or
printed account number, which will then be matched against the last four digits of
the account number encoded on the chip or magnetic-stripe. If the numbers and/
or names do not match, the merchant should make a Code 10 call.


Matching Cardholder Signatures

Obtaining and Comparing Signatures
For a signature-based transaction, the final step in the card acceptance process
for magnetic-stripe transactions and some chip card transactions is to ensure
the customer signs the sales transaction receipt or POS terminal signature
window display, and to compare that signature with the signature on the back
of the card. Depending on the Visa card product and POS processing system,
the customer should be within the merchant’s full view when signing the receipt
or POS terminal signature window display. If possible, the merchant should
check the two signatures closely for any obvious inconsistencies in spelling or
handwriting.
If the signature on the receipt or terminal window display does not match
or closely resemble the signature on the card, the transaction should not be
completed. If the transaction is accepted and it turns out to be fraudulent,
the merchant may be liable for the chargeback, even if an authorization was
received for the sale.

Handling Unsigned Card
While checking card security features, a merchant should also make sure that the
card is signed when a magnetic-stripe transaction is involved, and in some cases,
for chip card* transactions. An unsigned card is considered invalid and should not
be accepted. If a customer hands over an unsigned card, the following steps must
be taken:
• Check the cardholder’s ID. Ask the cardholder for some form of official
government identification, such as a driver’s license or passport. Where
permissible by law, the ID serial number and expiration date should be
written on the sales receipt before you complete the transaction.
• Ask the customer to sign the card. The card should be signed within your full
view, and the signature checked against the customer’s signature on the ID.
A refusal to sign means the card is still invalid and cannot be accepted. Ask
the customer for another signed Visa card.
• Compare the signature on the card to the signature on the ID. If the cardholder
refuses to sign the card, and you accept it, you may end up with financial
liability for the transaction should the cardholder later dispute the charge.

*When a chip card transaction is PIN-based, Visa’s best practice is not to print a signature line on the receipt. Merchants need to be aware that
they should not request a signature from the cardholder when a signature line is not present on the receipt.


Requesting Cardholder ID
Although Visa rules do not preclude merchants from asking for cardholder ID,
merchants cannot make an ID a condition of acceptance. Therefore, merchants
cannot refuse to complete a purchase transaction because a cardholder refuses
to provide ID. Visa believes merchants should not ask for ID as part of their
regular card acceptance procedures. Laws in several countries also make it
illegal for merchants to write a cardholder’s personal information, such as an
address or phone number, on a sales receipt.


Handling Cash Disbursements/Cash Advances

Cash Disbursements/Cash Advances
Generally, cash disbursements/cash advances by merchants are prohibited by
the Visa International Operating Regulations. Under special circumstances, certain
merchants may dispense cash.
For cash disbursement/cash advance transactions, merchants must ask for an
official government ID, and where permitted by law, also write the ID serial
number and expiration date on the sales transaction receipt. The four-digit
number appearing below the partial or complete account number on the front of
the card must also be recorded.

Visa Cash Back
The Visa Cash-Back Service allows merchants to disburse a limited amount of
cash when cardholders buy goods at point-of-sale. The service can be offered to
all Visa cardholders. It supplements, rather than replaces, the use of ATMs.
When a Visa Cash-Back Service is offered, cardholders are asked and must
specify if they would like a cash disbursement to be added to their transaction
when they present their card at POS. They also decide on the amount they
would like. The merchant simply adds the cash amount to the bill and processes
a transaction for the total.


Processing Visa payWave Transactions

What is Visa payWave?
Merchants can take advantage of increased speed and convenience—and offer
them to cardholders—with Visa payWave, a payment method that uses the
latest technology to send card data wirelessly to a terminal reader. A cardholder
simply holds their card in front of the reader.
For many transactions, there is no need to sign a receipt or hand over the card.
Visa payWave provides merchants and consumers with a number of benefits.

Merchant Benefits
Cost Savings/Efficiency
• Decreased transaction time—up to half that of cash transactions.
• Customer initiates the transaction by simply holding the card in front of the
reader rather than swiping or handing the card to the clerk.
• Reduction in coin/cash handling.
Customer Loyalty
• Attracts new customers and builds loyalty with added speed and
convenience.
Competitive Advantage
• Sets merchants apart from their competitors in categories like fast food
restaurants where speed and convenience are compelling benefits.

How It Works
1. Merchant terminal is enabled with contactless technology.
2. Consumer holds card in front of the reader and terminal light indicates card
has been read.
3. Transaction is completed like any card payment.


Processing Visa Easy Payment Service Transactions

What is Visa VEPS?
Purchases of US $25 and under represent a significant share of all consumer
spending. The Visa Easy Payment Service (VEPS) helps deliver greater efficiency
and convenience to both merchants and consumers.
The VEPS program provides face-to-face merchants with the ability to accept
a Visa card issued in any country for purchases without requiring a cardholder
signature or PIN and foregoing a receipt unless requested by the cardholder.
This program has the potential to increase speed at the point-of-sale, enhance
customer satisfaction and deliver operating efficiencies for merchants. It can
boost customer throughput and build customer loyalty by helping consumers
use their Visa cards safely, quickly and easily.

Program Eligibility—Transaction Qualification
Effective 16 October 2010, transactions from over 98 percent of MCCs (except
those listed in the table on the next page) will be eligible to qualify for the
program.
For qualifying transactions, the Visa Easy Payment Service program:
• Eliminates the need for merchants to capture a signature or PIN.
• Eliminates the receipt requirement, unless requested by the cardholder.
• Allows reduced receipt data when a receipt is provided.*
• Eliminates the need for merchants to retain transaction receipts and prohibits
issuers from making retrieval requests.
• Provides chargeback protection for fraud**, and against the receipt
requirement.
Transactions qualify for the program if they meet the following criteria:
• Value is less than or equal to the country limit
• Face-to-face environment
• Authorized
• Applies in all MCCs, except those listed in the table on the next page
• Terminal must read and transmit unaltered magnetic-stripe track data,
unaltered chip data, or unaltered contactless payment data
If eligible, the merchant runs the transaction as they normally would and
eliminates the steps of PIN entry or checking and collecting the cardholder’s
signature. In addition, the merchant only needs to provide a transaction receipt if
the cardholder requests one.

*Except in the U.S. region, where merchants must use full transaction receipt data when a receipt is provided.
**EMV liability shift still applies to transactions in Canada and CEMEA regions.


Merchant Category Codes (MCCs)


Table: MCCs Excluded from Visa Easy Payment Service Program
4829 Wire Transfer Money Orders
5542 Automated Fuel Dispensers
5960 Direct Marketing—Insurance Services
5962 Direct Marketing—Travel Related Arrangement Services
5964 Direct Marketing—Catalog Merchants
5965 Direct Marketing—Combination Catalog and Retail Merchants
5966 Direct Marketing—Outbound Telemarketing Merchants
5967 Direct Marketing—Inbound Telemarketing Merchants
5968 Direct Marketing—Continuity/Subscription Merchants
5969 Direct Marketing/Direct Marketers (Not elsewhere classified)
6010 Financial Institutions—Manual Cash Disbursements
6011 Financial Institutions—Automated Cash Disbursements
7995 Betting, including Lottery Tickets, Casino Gaming Chips, Off-Track
Betting, and Wagers at Race Tracks
9405 Intra-Government Purchases (Government only)
9700 International Automated Referral Service (Visa use only)
9701 Visa Credential Server (Visa use only)
9702 GCAS Emergency Services (Visa use only)
9751 UK Supermarkets—Electronic Hot File (Region use only)
9752 UK Petrol Stations—Electronic Hot File (Region use only)
9950 Intra-Company Purchases


Looking for Warning Signs of Fraud

Signs of Fraud at the Point of Sale
In addition to following all standard card acceptance procedures, merchants
should always:
• Be on the lookout for any customer behavior that may appear suspicious or out
of the ordinary.
• Be made fully aware that peculiar customer behavior should not be taken as
automatic proof of criminal activity.
• Use common sense and appropriate caution when evaluating any customer
behavior or other irregular situation that may occur during a transaction.
Note: Merchants should never risk their own safety or the safety of others in the
vicinity.
Certain customer behavior could point to credit or debit card fraud. But
remember, this doesn’t necessarily indicate criminal activity—your merchants
know their customers, so they should let their instincts steer them in the right
direction.

Merchants should watch out for customers who:


• Purchase high value or large amounts of merchandise without regard to size,
style, color, or price.
• Ask no questions on high value purchases.
• Try to distract or rush a merchant staff member during the sale.
• Make purchases, leave the store, and return to make more purchases.
• Make large purchases right at opening or at the last minute when the store
is closing.
• Refuse free delivery for large items.

If merchant staff see signs that make them suspicious, they should:
• Hold on to the customer’s card if they think they can do so safely.
• Follow company procedures and notify their supervisor.
• Call the voice authorization center and request a “Code 10” authorization
using a normal tone of voice. An operator will tell them what to do.


Signs of Fraud at the Petrol/Fuel Service Stations
Retail petroleum merchants should also be looking for suspicious behaviors at
petrol/fuel service stations.

At the Counter
• Individual buying an unusual amount of convenience store items.
• Limited or no eye contact from customer and/or they are acting “strangely.”
• Buying large amounts of alcohol, cigarettes, and phone cards/gift cards.
• Buying money orders and/or lottery tickets with credit card.
• Attempting to bribe the cashier.
• Requesting large amounts of cash back on small purchases.

At the Automated Fuel Dispenser
• A single customer activating multiple automated fuel dispensers.
• Filling multiple vehicles from one automated fuel dispenser transaction.
• Filling large non-vehicle containers.
• Fueling several times a day (system wide and location specific).
• Card testing (inserting payment card for authorization without pumping).
• Island surfing (persons walking around offering to pump fuel with their payment
card in exchange for cash).

Retail petroleum owners and operators can help reduce fraud exposure by communicating card
acceptance and risk management policies across the retail enterprise. They should also ensure
managers and employees are properly trained and fully informed on “Attended and in-store”
fraud-prevention procedures.
Refer to Appendix B for a sample of two Visa Quick Reference tools: Attended and In-Store Fraud
Prevention and Automated Fuel Fraud Prevention.
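
Several of the automated fuel dispenser warning signs listed above can be screened for in AFD authorization records. The following Python example is added here and is not part of the Visa manual; the record layout, the card tokens, the use of volume as a proxy for multiple vehicles or containers, and every threshold are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds for illustration only; the manual gives no numeric values.
MULTI_PUMP_WINDOW = timedelta(minutes=10)  # same card, different pumps, one site
MAX_FUELINGS_PER_DAY_SYSTEM = 3            # per card, all sites combined
MAX_FUELINGS_PER_DAY_SITE = 2              # per card, at a single site
MAX_LITRES_PER_TXN = 120.0                 # proxy: several vehicles or containers

# Constructed sample records: (timestamp, site, pump, card token, litres dispensed).
# Card values are made-up tokens; monitoring should not key on clear account numbers.
SAMPLE = [
    ("2010-10-01T08:00:00", "S1", 1, "tok_A", 40.0),   # ordinary fill
    ("2010-10-01T09:00:00", "S1", 2, "tok_B", 35.0),
    ("2010-10-01T09:04:00", "S1", 3, "tok_B", 50.0),   # second pump, 4 minutes later
    ("2010-10-01T10:00:00", "S2", 1, "tok_C", 0.0),    # authorized, nothing pumped
    ("2010-10-01T10:01:00", "S2", 1, "tok_C", 0.0),
    ("2010-10-01T07:00:00", "S1", 4, "tok_D", 30.0),
    ("2010-10-01T11:00:00", "S2", 2, "tok_D", 45.0),
    ("2010-10-01T15:00:00", "S3", 1, "tok_D", 40.0),
    ("2010-10-01T19:00:00", "S4", 1, "tok_D", 38.0),   # fourth fill of the day
    ("2010-10-01T06:00:00", "S2", 4, "tok_E", 20.0),
    ("2010-10-01T12:00:00", "S2", 4, "tok_E", 25.0),
    ("2010-10-01T18:00:00", "S2", 4, "tok_E", 22.0),   # third fill at one site
    ("2010-10-01T13:00:00", "S3", 2, "tok_F", 180.0),  # very large volume
]


def parse(rows):
    """Turn raw tuples into dicts with a real datetime, sorted by time."""
    txns = [
        {"ts": datetime.fromisoformat(ts), "site": site, "pump": pump,
         "card": card, "litres": litres}
        for ts, site, pump, card, litres in rows
    ]
    return sorted(txns, key=lambda t: t["ts"])


def detect(rows):
    """Return {card_token: sorted list of warning-sign rules that fired}."""
    by_card = defaultdict(list)
    for t in parse(rows):
        by_card[t["card"]].append(t)

    alerts = defaultdict(set)
    for card, items in by_card.items():
        # Card testing: authorization obtained but no fuel dispensed.
        if any(t["litres"] == 0 for t in items):
            alerts[card].add("card_testing")

        # Multiple vehicles or large containers, approximated by volume.
        if any(t["litres"] > MAX_LITRES_PER_TXN for t in items):
            alerts[card].add("large_volume")

        # One customer activating several dispensers: same card on different
        # pumps at the same site inside the time window.
        for i, first in enumerate(items):
            for later in items[i + 1:]:
                if later["ts"] - first["ts"] > MULTI_PUMP_WINDOW:
                    break  # items are time-ordered, nothing closer follows
                if later["site"] == first["site"] and later["pump"] != first["pump"]:
                    alerts[card].add("multiple_dispensers")

        # Fueling several times a day, counted system wide and per location.
        per_day = defaultdict(int)
        per_day_site = defaultdict(int)
        for t in items:
            if t["litres"] > 0:
                day = t["ts"].date()
                per_day[day] += 1
                per_day_site[(day, t["site"])] += 1
        if any(n > MAX_FUELINGS_PER_DAY_SYSTEM for n in per_day.values()):
            alerts[card].add("repeat_fueling_system_wide")
        if any(n > MAX_FUELINGS_PER_DAY_SITE for n in per_day_site.values()):
            alerts[card].add("repeat_fueling_same_site")

    return {card: sorted(rules) for card, rules in alerts.items()}


if __name__ == "__main__":
    for card, rules in sorted(detect(SAMPLE).items()):
        print(card, rules)
```

A hit is a reason for review, not proof of fraud. Island surfing and the counter-side signs depend on staff observation and cannot be derived from these records.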


Making a Code 10 Call

What Card-Present Merchants Should Do If Suspicious
A merchant makes a Code 10 authorization request call to let the card issuer
know there is suspicious activity—without alerting the customer. During a
Code 10 call, the merchant receives instructions on what, if any, action to take.
In this case, the merchant actually speaks with the card issuer’s special operator.
Sometimes a merchant will not feel comfortable making a Code 10 call while the
cardholder is around, or the merchant may become suspicious of a cardholder
after he or she has already left the store.
It is important that merchants understand they can still make a Code 10 call
after a cardholder leaves. A Code 10 alert—even after a cardholder is gone—
may still help stop fraudulent card use at another location, or perhaps during
another visit to the store.

Code 10 Steps
The following steps should be used by merchants when making a Code 10 call.
Note: Merchant education materials should emphasize the importance of personal
discretion and safety when deciding whether or not to attempt a card pick-up. For
additional details, refer to Acquirer Support of Merchant Code 10 Efforts on
page 99 of this manual.

If you receive an electronic authorization, but still suspect fraud:
✔ Keep the card in hand to quickly respond to questions.
✔ Call your voice authorization center.
✔ The call will first be received by your acquirer who may need to ask you for
some merchant and/or transaction details. You will then be transferred to the
card issuer and immediately connected to a special operator. A series of yes/no
questions will be asked to determine whether you are suspicious of the card or
cardholder.
✔ When connected to the special operator, answer all questions calmly and in a
normal tone of voice.
✔ Follow all operator instructions.
✔ If the operator asks you to retain the card, comply with this request only if it
is safe to do so.


If you receive a “pick-up” response or are instructed to recover the card during a
Code 10 call:
✔ Comply if you can do so safely—never take unnecessary risks.
✔ Tell the cardholder you have been instructed to keep the card and that he or
she may call the issuer for more information.
✔ Remain calm and courteous. If the cardholder becomes threatening, return the
card immediately.
Note: Merchants must clearly understand how and under what circumstances a card
should be recovered. No matter how certain a merchant may be that a card is
fraudulent, recovery should only be attempted if it can be done by reasonable and
peaceful means.

After a card has been recovered:
✔ Notify your acquirer that you have recovered a card
and ask for further instructions.
✔ Cut the card horizontally, being careful not to damage the dove hologram,
the embossed account number, or magnetic-stripe.
✔ Send the card pieces directly to your acquirer.


Recovered Cards

Reasonable Grounds for Card Recovery
In general, a merchant should recover a card if the merchant has reasonable
grounds for believing the card is being used fraudulently or is altered or
counterfeit. The following situations are considered reasonable grounds for
recovery:
• Card security features are missing or irregular, or appear to have been
tampered with (see Checking Visa Security Features on page 80 of this
manual.)
• The account number on the magnetic-stripe does not match the number
embossed on the front of the card.
• The merchant has received a pick-up response when a card has been swiped
for electronic authorization, or the merchant has been instructed to recover
the card during a Code 10 call.

Card Recovery Procedures
The following card recovery procedures apply to all Visa credit, debit, and
Electron cards. Merchants should be instructed to do the following:
• Recover the card only if you can do so safely. Never take unnecessary risks.
• Tell the cardholder you have been instructed to keep the card, and that he or
she may call the card issuer for more information.
• Remain calm and courteous. If the cardholder behaves in a threatening
manner, return the card immediately.
• Make a readable copy of the front and back of the card, if possible.
• Cut the card in half along the length, but be careful not to damage the
hologram, chip-embossed account number, or magnetic-stripe.
• Tell your acquirer that you have recovered a card and ask for further
instructions.
For cards that are inadvertently left at a merchant location and remain unclaimed,
merchants should follow the current acquirer procedures for contacting the
financial institution and sending in the card.


Using Visa Electron Cards in the Card-Present Environment

A Closer Look at the Visa Electron Card Security Features
Visa Electron is issued in different parts of the world* as a consumer debit,
credit, or prepaid card; however, it is usually issued as a debit product. The Visa
Electron card can be used for payment, at merchants with POS terminals, on the
Internet, and for cash withdrawals at ATMs.
The Visa Electron card’s security features and acceptance procedures, however,
are slightly different than the Visa card, as described below.
• The Visa Electron card is often unembossed, and the account number is
laser-engraved or indent-printed.
• To deter key entry, the issuer may print only the first four digits of the Bank
Identification Number (BIN) and the last four digits of the account number,
instead of the entire 16-digit account number.
• The cardholder name and expiration date may not be displayed if the card was
“instantly issued” at a bank branch.
• The dove hologram and ultraviolet dove are optional.
• The words “Electronic Use Only” must be printed on the front of the card.
• The signature panel may be on the front or back of the card.
• Electronic authorization is required for all Visa Electron transactions. This
means the merchant must be able to perform the authorization by swiping the
stripe through a POS terminal, inserting the chip card into the chip-reading
device, or waving the card in front of a Visa payWave terminal. Key-entered
authorizations are not allowed. If the magnetic-stripe is damaged or cannot be
read by the terminal, the card cannot be used.
Note: Visa member financial institutions issue Visa Electron in Africa, Asia, the
Caribbean, Europe, the Middle East, and South America.
Note: Neither U.S. nor Canadian financial institutions issue Visa Electron, but
Visa Electron cards are accepted at electronic merchants and ATMs in the U.S. and
Canada.

*Visa Electron Card is only available in certain countries, but it can be used in all countries.


Acquirer Support of Merchant Code 10 Efforts

Internal and Merchant Staff Code 10 Setup Best Practices
It is up to the acquirer to make sure that Code 10 call procedures are clearly
defined and communicated to internal staff members and merchants. Best
practices in this area include the following:
Best Practices • Develop and provide “quick reference” aids for merchants. This can include
materials such as:
– POS stickers that provide contact telephone numbers.
– Merchant procedures for making Code 10 calls.
• Provide up-to-date educational resources to authorization center staff who
handle Code 10 calls. Make sure all staff members are familiar with the latest
card security features, changes in policy, etc.
• Consider implementing a speed dial service to make the Code 10 (and
referral) call process more efficient. This is particularly important for
overseas transactions.

Code 10 Call Processing Best Practices
In the event of a Code 10 call, the acquirer should:
• If possible, find out why the merchant is suspicious of the transaction. This
can be done by asking for the following details:
– Cardholder name and account number
– Purchase amount
– Card expiration date
– Merchant name
– Merchant location/address
– Sales associate name
• Remind the merchant to tell the cardholder (if it is safe for them to do so)
that a routine security check is being undertaken which should only take a
few moments.
• Attempt to contact the issuer electronically or by phone to pass on the
Code 10 information. Try to wait for the issuer to reply, if at all possible.
• Follow the issuer’s special operator instructions or transfer the call to the
issuer.


Acquirer Actions For Card Recovery

After a Card is Received
Once a recovered card has been received, the acquirer must:
• Notify the issuer of the recovery situation.
• Complete a Recovered Card Advice and send it with the card, along with any
other pertinent information about the recovery.
• Mail the card to the issuer’s security contact within five calendar days.
Acquirers are also allowed to charge issuers a US $15 handling fee for each
returned card.


Chip Acceptance Procedural Differences

Merchant Conversion Communication and Training
Acquirers that offer chip access to Visa credit and debit products can help
minimize problems and any areas of confusion during the merchant conversion
by conducting proper training. Because chip cards* introduce new POS
functionality, merchants must be trained in chip-capable terminal operation and
on the basic procedural differences between chip card and magnetic-stripe
acceptance.
Note: To help ease cardholder transition to chip, acquirers should evaluate the
need to make a cardholder pamphlet available to merchants.
Acquirers should ensure that the following information is included as part of
their merchant training plan:
• Chip cards must be inserted into the chip-reading device and remain
inserted for the duration of the transaction. This differs from the magnetic-
stripe method where the merchant swipes the card and immediately removes
it, all in a single motion.
• The chip card must not be removed from the terminal until the transaction
has been completed. Early removal of the chip card from the reader will
terminate the transaction. Since terminal messages do vary, merchants need
to clearly identify the message supported by their terminals that signals when
a transaction is finished. Merchants, or where appropriate, their customers,
should be instructed to remove the card from the terminal only after seeing
this message.
• Merchants should clearly understand that the cardholder application
selection process is typically dependent on issuer requirements specified
in the chip. The card and terminal will either automatically agree on the
preferred application to be used or the chip card may request that the
cardholder select or confirm the use of a given application. When requested
by the card and made available to the terminal, the cardholder should be
allowed to select their preference.

*Many Visa cards have a chip that communicates information to a POS terminal with a chip-reading device. If a chip reading device is
available, preference must always be given to chip card processing before attempting to swipe the stripe.

• Merchants need to:
– Be aware that application selection will not occur on every transaction.
It will only take place when the card and terminal support more than
one application in common. For example, when both the card and
terminal support Visa credit and Visa debit, the cardholder will be asked
to select one of these applications for the transaction.
– Educate cardholders about chip-acceptance procedures in
environments where customers insert their own cards into the chip-
reading device. With the introduction of multiple applications on a single
card, some cardholders may be prompted to select which application they
want to use for a given transaction, if applications are supported by the
terminal.
– Be trained on how to explain the application selection process to their
customers. Merchants should also learn to guide their customers on how
to press the appropriate button or buttons to select the application or
account they want to use.
• At unattended devices, such as ATMs or Cardholder-Activated Terminals
(CATs), the terminal should have instructional prompts and signage to
support cardholders through each phase of the transaction.

Cardholder Verification
Merchants and cardholders typically understand the methods of verifying a
transaction in attended environments through the cardholder signature or PIN
entry. In unattended environments, the cardholder is also familiar with not
having to sign and whether or not to enter a PIN.

In the chip environment, merchants and cardholders will rely on the chip-reading
device and the chip card to agree on which Cardholder Verification Method (CVM)
is required to complete the transaction. Merchants must not be able to preempt
the option that has been selected.

The terminal and card interactive-design process and final selection is based
on a mixture of elements that are specific to that particular transaction, such as
amount, domestic or international transaction, offline or online authorized, other
transaction parameters, whether the issuer’s CVM preference can be met, as
well as the other CVM options available.

Some countries may require offline PIN verification and a cardholder signature
for domestic card transactions over a certain amount. Please contact your
Regional Risk Representative or Visa Account Manager to understand your market
requirements.

CVM Options
• Signature. Visa card programs bearing a chip are required to carry a
magnetic-stripe and a signature panel on the card. The signature still
remains the international default for cardholder verification and is also the
default for many domestic card transactions. Requirements for checking
signature-verified transactions in the chip environment remain the same as
they are today in the magnetic-stripe environment.
• PIN. The convenience and additional security of PIN entry to verify the
cardholder identity will become more prevalent for both domestic and
international Visa card transactions. Where PIN pads are deployed,
merchant training should include these points:
– The card and terminal interaction determines the appropriate cardholder
verification method and whether to prompt for a PIN.
– Because the card determines whether PIN entry is required on each
transaction, the lack of a terminal PIN prompt should not be considered
an error. The terminal will prompt for the PIN when the chip card requires
a PIN. The merchant should not request a PIN entry from the cardholder,
unless the terminal issues this prompt.
– Where a cardholder is required to enter a PIN, the secrecy of the PIN entry
must be maintained.
– When a transaction is PIN-based, Visa’s best practice is to not print a
signature line on the receipt. Merchants need to be aware that they should
not request a signature from the cardholder when a signature line is not
present on the receipt.

No Cardholder Verification Required
A chip card issuer has the ability to specify that a transaction may be completed,
subject to other processing checks, without the need for the cardholder to
provide a signature or enter a PIN. “No CVM required” is a valid cardholder
verification option where both the terminal and card agree on this as the CVM
option.
This option would typically be used in unattended terminal environments. An
issuer, however, may select this option in the event that fast processing of
offline-authorized transactions is required. Even when a card initiates a “No CVM
Required” for a particular type of terminal, that terminal may choose to default to
the cardholder verification method as specified for a magnetic-stripe transaction
to protect the transaction liability (e.g., signature at a POS or online PIN at an
ATM).

Offline Versus Online Authorized Transactions
In merchant locations where terminals with both offline and online authorization
capability are deployed, merchants must be trained to understand that
some transactions will be processed offline, while others will require online
authorization. They should not view these differences as errors, or treat the
transactions or customers differently. Merchants, however, should be aware that
offline transactions may be faster than online transactions.

Fallback Transactions
The term fallback is defined as the acceptance of chip cards via magnetic-stripe
processing, key entry, or paper vouchers at chip-capable terminals. This occurs
in situations where a normal chip transaction cannot be completed at a
chip-capable terminal. Visa policies state that chip cards must be read as chip
cards at all times unless the card, chip-reading device, or terminal is
malfunctioning. This means that chip cards may only be accepted via the
magnetic-stripe when the chip cannot be read. An acquirer may have more stringent
policies than this for their domestic transactions based on market decisions
related to fallback. For example, some markets may not allow fallback under
any circumstances.

In the event that a chip card or chip-reading device is not functioning and the
magnetic-stripe of the card is read by the magnetic-stripe reader of the terminal,
the terminal will read the service code from the magnetic-stripe and prompt the
merchant to read the card as a chip card. It is essential that merchants be
trained on the activities they should perform and the sequence of events they
should follow when they are processing fallback transactions. Typically, the
sales staff member will be given a number of chances to read the chip on the card
before the terminal prompts for fallback to be performed using the
magnetic-stripe, if permitted.

If the magnetic-stripe functionality of the card or terminal is also not working,
the merchant may then fall back to key-entered or paper-based transactions.
Depending on the fallback procedures in place, an acquirer may need to re-state
its market’s procedures on fallback related to key-entered and paper-based
transactions.

Fallback requirements are governed by Visa International Operating Regulations
relating to the Visa and Visa Electron programs. For international and most
domestic transactions, fallback on Visa Electron cards beyond the magnetic-stripe
is not permitted and may not be possible as the full account number may not be
printed on the face of the card. Please contact your Regional Risk Representative
or Visa Account Manager for market-specific information or recommendations.

Merchants must understand that a declined chip transaction is not a candidate for
fallback. A declined chip transaction cannot be re-initiated using the
magnetic-stripe or any other means. Current procedures should then be followed
for declines and failures, such as asking the customer for another form of
payment.
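
An acquirer-side monitoring check for the fallback rules above, added here as an example and not part of the Visa manual: it flags non-chip transactions that follow a declined chip transaction on the same card, fallback where the market permits none, and fallback with no recorded chip-read failure. The record fields, the 15-minute window and the sample log are constructed assumptions; the rule that a service code beginning with 2 or 6 marks a chip card comes from ISO/IEC 7813, not from this manual.

```python
from datetime import datetime, timedelta
from typing import NamedTuple

# Assumption: a non-chip retry this soon after a chip decline is treated as a
# re-initiation of the same sale. Set the window from acquirer policy.
RETRY_WINDOW = timedelta(minutes=15)


class Txn(NamedTuple):
    """One terminal log record. Field names are hypothetical."""
    ts: datetime
    card_ref: str                 # tokenised card reference, never the account number
    entry_mode: str               # "chip", "magstripe" or "key_entered"
    response: str                 # "approved" or "declined"
    service_code: str = ""        # three digits from the stripe; empty if not read
    chip_capable: bool = True     # terminal has a chip-reading device
    chip_read_failures: int = 0   # failed chip reads logged before this entry


def is_chip_card(service_code):
    """ISO/IEC 7813: a service code starting with 2 or 6 marks a chip card."""
    return service_code[:1] in ("2", "6")


def review_fallback(txns, fallback_permitted=True):
    """Return (card_ref, timestamp, reason) for each record breaking a fallback rule."""
    findings = []
    chip_cards = set()     # cards known to carry a chip
    chip_declines = {}     # card_ref -> time of the latest declined chip transaction
    for t in sorted(txns, key=lambda x: x.ts):
        if t.entry_mode == "chip":
            chip_cards.add(t.card_ref)
            if t.response == "declined":
                chip_declines[t.card_ref] = t.ts
            continue
        if is_chip_card(t.service_code) or t.chip_read_failures > 0:
            chip_cards.add(t.card_ref)
        # Only chip cards accepted at chip-capable terminals count as fallback.
        if not t.chip_capable or t.card_ref not in chip_cards:
            continue
        declined_at = chip_declines.get(t.card_ref)
        if declined_at is not None and t.ts - declined_at <= RETRY_WINDOW:
            reason = "DECLINED_CHIP_RETRIED"     # a decline is not a candidate for fallback
        elif not fallback_permitted:
            reason = "FALLBACK_NOT_PERMITTED"    # market policy allows no fallback
        elif t.chip_read_failures == 0:
            reason = "NO_CHIP_READ_ATTEMPT"      # chip must be tried before the stripe
        else:
            continue                             # fallback after recorded chip read failures
        findings.append((t.card_ref, t.ts, reason))
    return findings


def sample_log():
    """Constructed sample records, not real transaction data."""
    def at(hh, mm):
        return datetime(2010, 10, 1, hh, mm)
    return [
        Txn(at(9, 0), "card-A", "chip", "declined"),
        Txn(at(9, 2), "card-A", "magstripe", "approved", "201"),
        Txn(at(9, 5), "card-B", "magstripe", "approved", "201", chip_read_failures=3),
        Txn(at(9, 7), "card-C", "magstripe", "approved", "601"),
        Txn(at(9, 9), "card-D", "magstripe", "approved", "101"),
        Txn(at(9, 12), "card-B", "key_entered", "approved", chip_read_failures=3),
    ]


if __name__ == "__main__":
    for card, ts, reason in review_fallback(sample_log()):
        print(ts.isoformat(), card, reason)
```
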

Other Transactions
Suspicious transactions, reversals and voids must be completed in the same
way they are performed today, but via the chip—subject to individual acquirer
requirements.
Other card security features may need checking at the point-of-sale, as
appropriate.

Chapter 6: Fraud Prevention for Card-Absent Merchants

For card-absent merchants, there are a large number of opportunities to enhance
customer relationships, attract new customers, and increase sales revenue. There
are, however, some additional fraud risk challenges. Card-absent merchants are
targets for payment card scams simply because there’s no face-to-face customer
contact, no tangible card, and no physical signature on the sales draft.
This is why merchants who do business online, over the phone, or through the
mail should make security a top priority. This chapter covers Visa’s “layered
approach to security” in the card-absent environment. It explains the various
tools that can help card-absent merchants prevent fraud and ensure their
customers are better protected.

What’s Covered
• General Card-Absent Transaction Procedures
• Specific E-Commerce Transaction Requirements
• Asking for the Card Verification Value 2 Code
• Using the Address Verification Service (U.S. and Canada)
• Using Verified by Visa
• Looking Out for Suspicious Orders
• A Closer Look at Recurring Transactions

General Card-Absent Transaction Procedures

Mail order/telephone order (MO/TO) and Internet merchants must verify—to the
greatest extent possible—the cardholder’s identity and the validity of the
transaction. Merchant fraud control efforts include these basic actions:
• Obtain an authorization. Avoid using a US $1 authorization to verify if the
account is in good standing.
• For Internet transactions, use Verified by Visa to authenticate the
cardholder’s identity at the time of purchase. Do not submit an authorization
request for transactions that fail authentication.
• Ask the customer for card expiration date (or Good Thru date) and include
it in your authorization request to verify that the card and transaction are
legitimate. An invalid or missing expiration date can be an indicator that the
person does not have the actual card in hand.
• If participating in the Card Verification Value 2 (CVV2)* service, obtain the
CVV2 three-digit code from the cardholder. An issuer-validated CVV2 code
is a good indicator that the card is genuine.
• Where available, verify the cardholder’s billing address via the Address
Verification Service (AVS)**. This helps to validate the cardholder’s billing
address directly with the issuer.
• Submit the authorization request with the cardholder’s billing address and
necessary CVV2 code information. VisaNet® will return CVV2 and AVS
result codes with the authorization.
• Perform internal screening or use Third-Party tools to screen for
questionable transaction data or other potential warning signs indicating
“out of pattern” orders. Route transactions with higher risk characteristics for
fraud review.

Visa International Operating Regulations specify that a merchant or its agent
must not retain or store CVV2 data subsequent to the authorization of a
transaction.

*In certain markets, CVV2 is required for card-absent transactions.


**AVS is only available in the U.S. and Canada.

If a merchant staff member suspects fraud, he or she should:
1 Ask the customer for day/evening phone numbers, then call the customer with
any questions.
2 Ask for additional information (e.g., bank name on front of card).
3 Separately confirm the order by sending a note via the customer’s billing
address, rather than the “ship to” address.

Report any suspicious activity to your merchant bank.

Specific E-Commerce Transaction Requirements

Unique Data Requirements for Receipts
An Internet merchant must provide the cardholder with a transaction receipt.
Acquirers, however, need to be aware of the following unique data requirements
for transaction receipts and copy fulfillments for e-commerce transactions:
• Concealed cardholder account number. For e-commerce transactions, the
cardholder account number must not appear on the transaction receipt.
• Unique identification number. To assist in dispute resolution between the
cardholder and merchant, the merchant must assign a unique identification
number to the transaction and display it clearly on the transaction receipt.
• Website address. The merchant must always include its website address.
In addition, it is suggested that the transaction receipt include wording to
indicate that the cardholder should print or save the receipt for his records.
The Internet merchant can choose to send a separate e-mail message to the
cardholder containing this required information, or—as with mail and telephone
order transactions—send a physical receipt in the mail, or both.
To minimize cardholder inquiries, merchants are encouraged to send an online
acknowledgment of the transaction in addition to the transaction receipt.

Asking for the Card Verification Value 2 Code

CVV2* is an important three-digit security feature for merchants who accept
Visa® cards as payment over the telephone or online. Located on the back of all
Visa cards, the CVV2 code consists of the last three digits either printed on the
signature panel or on a white box to the right of the security panel.

In the card-absent sales environment, CVV2 is an excellent tool for verifying
that the customer has a legitimate Visa card in hand at the time of the sales
order.**

In some markets, CVV2 is required for all card-absent merchants.

How CVV2 Works

CVV2 works as follows:

1 The customer contacts the merchant to place an order.
2 The merchant asks the customer for the CVV2 three-digit code and sends it to
the card issuer as part of the authorization request.
3 The card issuer checks the CVV2 code to determine its validity, then sends a
CVV2 result code back to the merchant along with the authorization decision.
4 Before completing the transaction, the merchant evaluates the CVV2 result
code, taking into account the authorization decision and any other relevant
or questionable data.

The merchant or its Third-Party Agent must not retain or store CVV2 data
subsequent to authorization of a transaction.

*In certain markets, CVV2 is required for card-absent transactions.


**In some markets, if the transaction is approved, but the CVV2 response is a no match, the merchant is protected against fraud chargebacks.

Result | Action
M – Match | Complete the transaction (taking into account all transaction characteristics and any questionable data).
N – No Match* | View the “No-Match” as a sign of potential fraud and take it into account along with the authorization response and any other questionable data. Potentially hold the order for further verification.
P – Not Processed | View the “Not Processed” as a systemic technical problem or as a sign that the request did not contain all the information needed to verify the CVV2* code. Resubmit the authorization request.
S – CVV2 should be on the card | Consider following up with your customer to verify that he or she checked the correct card location for CVV2. All valid cards are required to have CVV2 printed either in the signature panel or on a white box to the right of the signature panel.
U – Issuer does not participate in the CVV2 service | Evaluate all available information and decide whether to proceed with the transaction or investigate further.

CVV2 Without An Authorization Request


A merchant may also verify CVV2 without an accompanying authorization request
by using the Zero Amount Account Number Verification Service**, which is
available in all regions.

*In some markets, if the transaction is approved, but the CVV2 response is a no match, the merchant is protected against fraud chargebacks.
**For more information regarding the Zero Amount Account Number Verification Service, contact your merchant bank.

Using the Visa Address Verification Service (U.S. and Canada)

What is AVS?
AVS* allows card-absent merchants to check a Visa cardholder’s billing address
with the card issuer. An AVS request includes the billing address (street address
and/or zip or postal code). It can be transmitted in one of two ways: (1) as part
of an authorization request, or (2) by itself. AVS checks the address information
and provides a result code to the merchant that indicates whether the address
given by the cardholder matches the address on file with the issuer.
AVS can only be used to confirm addresses in the United States and Canada. For
other countries it is optional for the card issuers to participate in AVS.

• AVS Processed as Part of an Authorization Request
The AVS request can be processed either on a real-time basis or in a batch
mode using an electronic terminal or personal computer. Real-time requests
are typically used for transaction situations where the customer must wait
online for a response. The batch mode is geared more toward low-cost
processing in which no immediate response is required as is usually the case
with mail orders.
• AVS Processed As Part of Account Verification Request
A merchant may also send an AVS request without an accompanying
authorization request by using the Zero Amount Account Number
Verification Service**, which is available in all regions. For example:
– The merchant wants to verify the customer’s billing address before
requesting an authorization, or
– The merchant sends an authorization request with AVS data and
receives an authorization approval, but also receives an AVS “try again
later” response.
Merchants who want to send a stand-alone AVS request without an
accompanying authorization request, should use the Zero Amount Account
Number Verification Service, which is available in all regions.

*AVS is only available in the U.S. and Canada.


**For more information regarding the Zero Amount Account Number Verification Service, contact your Regional Risk Representative or Visa
Account Manager.

How AVS Works
When AVS* is processed as part of an authorization request, or without it
using account verification, AVS works as follows:

1 The customer contacts the merchant to place an order.

2 The merchant:
– Confirms the usual order information.
– Asks the customer for the billing address (street address and/or zip
or postal code) for the card being used. (i.e., the address is where the
customer’s monthly Visa statement is sent for the card being used.)
– Enters the billing address and the transaction information into the
authorization request system and processes both requests at the
same time.
3 The issuer makes an authorization decision separately from the AVS request
and compares the cardholder billing address sent with the billing address
for that account. The issuer then returns both the authorization response
and a single character alphabetic code result that indicates whether the
address given by the cardholder matches the address on file with the
card issuer.

AVS Result Codes
One of the following AVS result codes will be returned to the merchant
indicating the issuer’s response to the AVS request. A merchant’s bank may
modify these single character alpha AVS codes to make them more
self-explanatory—for example, a “Y” response may be shown as an “exact match” or
as a “full match,” while an “N” response may be shown as a “no match.”

*AVS is only available in the U.S. and Canada.

Code | Definition | Applies to (Domestic and/or Cross-border)
A | Street addresses match. The street addresses match but the postal or ZIP codes do not, or the request does not include the postal or ZIP code. | ✓ ✓
B | Street addresses match. Postal or ZIP code not verified due to incompatible formats. (Merchant bank sent both street address and postal or ZIP code.) | ✓ ✓
C | Street address and postal code or ZIP code not verified due to incompatible formats. (Merchant bank sent both street address and postal or ZIP code.) | ✓ ✓
D | Street addresses and postal or ZIP codes match. | ✓
F | Street addresses and postal codes match. Applies to U.K.-domestic transactions only. | ✓
G | Address information not verified for international transaction. Issuer is not an AVS* participant, or AVS data was present in the request but issuer did not return an AVS result, or Visa performed address verification on behalf of the issuer and there was no address. | ✓
I | Address information not verified. | ✓
M | Street addresses and postal and ZIP codes match. | ✓
N | No match. Merchant Bank sent postal or ZIP code only, or street address only, or both postal or ZIP code and street address. | ✓ ✓
P | Postal or ZIP codes match. Merchant bank sent both postal or ZIP code and street address, but street address not verified due to incompatible formats. | ✓ ✓
R | Retry. System unavailable or timed out. Issuer ordinarily performs address verification but was unavailable. Visa uses code R when issuers are unavailable. | ✓
U | Address information is unavailable for that account number, or the card issuer does not support. | ✓
Y | Street address and postal and ZIP code match. | ✓
Z | Postal or ZIP codes match, street addresses do not match or street. | ✓ ✓

*AVS is only available in the U.S. and Canada.

Guidelines for Using U.S. and Non-U.S. Country AVS Result Codes
While Visa cannot recommend any particular approach, the following general
guidelines are drawn from card-absent industry practices and may be helpful.
Merchants should establish their own policy regarding the handling of
transactions based on AVS* result codes.

U.S. Code | Int’l. Code | Definition | Explanation | Action(s) to Consider
Y | D, M | Exact Match | Both street address and ZIP or Postal Code match. | Generally speaking, merchants will want to proceed with transactions for which they have received an authorization approval and an “exact match.”
A | B | Partial Match | Street address matches, but ZIP or Postal Code does not. | Merchants may want to follow up before shipping merchandise. The issuer might have the wrong ZIP or Postal Code in its file; merchant staff may have entered the ZIP or Postal Code incorrectly; or this response may indicate a potentially fraudulent situation.
Z | P | Partial Match | ZIP Code matches, but street address does not. | Unless a merchant sent only a ZIP or Postal Code AVS request and it matched, the merchant may want to follow up before shipping merchandise. The issuer may have the wrong address in its file or have the same address information in a different format; the cardholder may have recently moved; merchant staff may have entered the address incorrectly; or this response may indicate a potentially fraudulent situation.
N | N | No Match | Street address and ZIP or Postal Code do not match. | Merchants will probably want to follow up with the cardholder before shipping merchandise. The cardholder may have moved recently and not yet notified the issuer; the cardholder may have given you the shipping address instead of the billing address; or the person may be attempting to execute a fraudulent transaction. “No match” responses clearly warrant further investigation.

AVS result codes and explanation provided here are meant to give merchants
enough information to make their own determination of what works best for their
environment. How one merchant treats these codes may be different than the
way another merchant may choose to interpret them.
On ZIP or Postal Code only requests and P.O. Box addresses, issuers may respond
either with a “Y” (Exact Match) or a “Z” (Partial Match — ZIP Code/Postal Code
Matches).
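
One way to turn the CVV2 result table and the AVS guidelines above into an order-screening rule, added here as an example and not part of the Visa manual. The action names, the choice to send issuer-non-participation and unverified-address codes to review, and the sample orders are this example's assumptions; each merchant sets its own policy.

```python
# Actions ordered from least to most restrictive; the strictest one wins.
PROCEED, RETRY, REVIEW, DO_NOT_PROCEED = "PROCEED", "RETRY", "REVIEW", "DO_NOT_PROCEED"
RANK = {PROCEED: 0, RETRY: 1, REVIEW: 2, DO_NOT_PROCEED: 3}

# CVV2 result codes, following the manual's Result/Action table.
CVV2_ACTIONS = {
    "M": (PROCEED, "CVV2 match"),
    "N": (REVIEW, "CVV2 no match: sign of potential fraud, hold for verification"),
    "P": (RETRY, "CVV2 not processed: resubmit the authorization request"),
    "S": (REVIEW, "CVV2 should be on the card: follow up with the customer"),
    "U": (REVIEW, "issuer not in the CVV2 service: evaluate other information"),
}

# AVS result codes grouped by meaning, U.S. and international codes together.
AVS_CLASS = {}
for codes, cls in (("YDMF", "exact"), ("AB", "street_only"), ("ZP", "postal_only"),
                   ("N", "no_match"), ("R", "retry"), ("CGIU", "unverified")):
    for c in codes:
        AVS_CLASS[c] = cls


def avs_action(code, postal_only_request=False):
    """Map one AVS result code to (action, note)."""
    cls = AVS_CLASS.get(code.strip().upper())
    if cls == "exact":
        return PROCEED, "AVS exact match"
    if cls == "postal_only":
        # A postal-code-only request that matched has nothing further to compare.
        if postal_only_request:
            return PROCEED, "AVS postal code matched (postal-only request)"
        return REVIEW, "AVS partial match, postal code only: follow up before shipping"
    if cls == "street_only":
        return REVIEW, "AVS partial match, street only: follow up before shipping"
    if cls == "no_match":
        return REVIEW, "AVS no match: warrants further investigation"
    if cls == "retry":
        return RETRY, "AVS retry: resend AVS as a stand-alone account verification"
    if cls == "unverified":
        return REVIEW, "AVS address not verified"
    return REVIEW, f"unrecognised AVS code {code!r}"


def screen_order(auth_approved, cvv2_code, avs_code, postal_only_request=False):
    """Combine authorization, CVV2 and AVS results into (action, reasons)."""
    if not auth_approved:
        return DO_NOT_PROCEED, ["authorization not approved"]
    cvv2 = CVV2_ACTIONS.get(cvv2_code.strip().upper(),
                            (REVIEW, f"unrecognised CVV2 code {cvv2_code!r}"))
    avs = avs_action(avs_code, postal_only_request)
    action = max(cvv2[0], avs[0], key=RANK.get)
    reasons = [note for act, note in (cvv2, avs) if act != PROCEED]
    return action, reasons


def storable_record(order, action):
    """Copy an order for storage after authorization, dropping the CVV2 value."""
    kept = {k: v for k, v in order.items() if k != "cvv2"}
    kept["screening_action"] = action
    return kept


# Constructed sample: (order id, approved, CVV2 result, AVS result, postal-only request)
SAMPLE = [
    ("ord-1", True, "M", "Y", False),
    ("ord-2", True, "M", "Z", True),
    ("ord-3", True, "N", "Y", False),
    ("ord-4", True, "P", "R", False),
    ("ord-5", True, "M", "A", False),
    ("ord-6", False, "M", "Y", False),
]

if __name__ == "__main__":
    for oid, ok, cvv2, avs, postal_only in SAMPLE:
        print(oid, *screen_order(ok, cvv2, avs, postal_only))
```
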

*AVS is only available in the U.S. and Canada.

Using Verified by Visa

What is Verified by Visa?
Verified by Visa was designed to serve as one of Visa’s “multiple layers of
security” by providing cardholder authentication for online, Internet transactions.
Based on the 3-D Secure protocol, the Verified by Visa service verifies the
authenticity of cardholders to participating merchants. It allows cardholders
to choose a password through their card issuer, and use it to authenticate
themselves while making a purchase. This helps ensure that their card number
cannot be fraudulently used at an Internet merchant website.
Cardholders sign up for the Verified by Visa service through their issuing financial
institution and choose their own personal password to authenticate themselves
online.

How Does Verified by Visa Work?

Verified by Visa Activation
To use Verified by Visa, consumers must first activate their existing card(s).
There are a number of ways they may do this:
• Card issuers typically provide an online activation site.
• Visa, card issuers, and participating merchants may display “Activation
Anytime”* banners or buttons that enable cardholders to activate their Visa card.
• Cardholders may also activate during the shopping and payment experience,
where available.
If the cardholder chooses to activate during shopping, he or she provides
information to their Visa card issuer for identification purposes. The cardholder
then creates a password. On future purchases at participating online stores, the
cardholder’s Verified by Visa password will be required during checkout, reducing
fraudulent use of the card.

1 Cardholder uses Visa card to make purchase
2 Cardholder enters authentication information requested by their issuing date
3 Cardholder creates password
4 Cardholder completes purchase

Merchants offering Verified by Visa to their customers must incorporate a
software module called a Merchant Plug-In (MPI), as part of their e-commerce
server application. Merchants who opt to implement Verified by Visa should use
PCI compliant vendors and payment solutions.

*Activation Anytime is only available in the U.S.

Verified by Visa Shopping


Once Verified by Visa is activated, a consumer’s card is automatically recognized
when used for purchases at participating online stores. The consumer is asked for
their password; the password is verified; and the transaction is completed.

1 After activating their card, cardholder shops at participating stores
2 Cardholder submits password at checkout
3 Cardholder identity is confirmed and they’re done!

Looking Out for Suspicious Orders

11 Signs of Possible Fraud When the Card is Not Present

Card-absent merchants should put into place in-house policies and procedures for
handling irregular or suspicious transactions (e.g., unusually large orders).
Sales staff should be trained to recognize suspicious orders and given clear
instructions on the steps to take to verify these transactions.

Telephone order employees who request additional information to verify orders
must do so in a conversational tone so as not to arouse the customer’s suspicions.
If the customer balks or asks why the information is needed, simply say that you
are trying to protect cardholders from the high cost of fraud.

Experience suggests that there are certain characteristics that can be tip-offs to
possible fraud. Each of these characteristics by itself is very seldom cause for
alarm; rather, it is when several of these factors characterize a purchase that
there may be grounds to suspect a fraud scheme.

Be alert for transactions with several of these characteristics. Develop/maintain
customer database or account history files to track buying patterns and
compare/evaluate individual sales for signs of possible fraud:
1. First time shopper:
Criminals are always looking for new victims.
2. Larger-than-normal orders:
(This requires knowledge of what a “normal-sized” order is.) Because stolen cards
or account numbers have a limited life span, crooks need to maximize the size of
their purchase.
3. Orders consisting of several of the same item:
Having multiples of the same item increases the criminal’s profits.
4. Orders made up of “big-ticket” items:
These items have maximum resale value and therefore maximum profit potential.
5. Orders shipped “rush” or “overnight”:
Crooks want these fraudulently obtained items as soon as possible for the
quickest possible resale, and aren’t concerned about extra delivery charges.
6. Orders from Internet addresses making use of free e-mail services:
For these services, there is no billing relationship and often no audit trail or
verification that a legitimate cardholder has opened the account.
7. Transactions on similar account numbers:
This is particularly useful if the account numbers being used have been generated
using software available on the Internet (e.g., CreditMaster).
8. Orders made on multiple cards but shipped to a single address:
These orders can also be characteristic of a software-generated account number or
may have been made using a batch of stolen cards.
9. Multiple transactions on one card over a very short period of time:
Criminals often attempt to run up purchases on a single card until the account is
closed.
10. Multiple shipping addresses:
In a similar fraud scenario, multiple transactions are charged to one card or
similar cards that have a single billing address but multiple shipping addresses.
This situation could be a sign of some organized activity, rather than one
individual at work.
11. Multiple cards used from a single IP (Internet Protocol) address:
The Internet Protocol (IP) address identifies the computer in a network from
which an order has been made. In this instance, fraud indicators may include
multiple orders using different names, addresses, and card numbers, but coming
from one IP address.
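The following added example (not part of the Visa manual) shows one way to apply these signs to an order history: it replays orders in time order, keeps the account-history indexes the manual calls for, and queues an order for review only when several signs coincide. The thresholds, field names, placeholder e-mail domains and sample orders are assumptions; signs 4 and 7 are left out because they need a product catalog and account-number comparison.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed thresholds (not from the manual); tune them to your own order history.
FREE_EMAIL_DOMAINS = {"freemail.example", "webmail.example"}  # placeholder domains
LARGE_ORDER_FACTOR = 3.0             # multiple of the merchant's normal order value
SAME_ITEM_QTY = 3                    # "several of the same item"
VELOCITY_WINDOW = timedelta(hours=1)
VELOCITY_LIMIT = 3                   # transactions on one card inside the window
REVIEW_THRESHOLD = 3                 # "several" signs together trigger manual review


@dataclass(frozen=True)
class Order:
    order_id: str
    placed_at: datetime
    card_token: str      # tokenized card reference; the example never handles PANs
    customer_id: str
    email: str
    ip: str
    ship_to: str
    amount: float
    max_item_qty: int    # largest quantity of any single item in the order
    rush: bool


def score_orders(orders, normal_order_value):
    """Replay orders in time order and return {order_id: [signs present]}."""
    known_customers = set()
    cards_by_ship, cards_by_ip = defaultdict(set), defaultdict(set)
    ships_by_card, times_by_card = defaultdict(set), defaultdict(list)
    scored = {}
    for o in sorted(orders, key=lambda x: x.placed_at):
        # Update the history indexes first so the current order is counted.
        cards_by_ship[o.ship_to].add(o.card_token)
        cards_by_ip[o.ip].add(o.card_token)
        ships_by_card[o.card_token].add(o.ship_to)
        times_by_card[o.card_token].append(o.placed_at)
        recent = [t for t in times_by_card[o.card_token]
                  if o.placed_at - t <= VELOCITY_WINDOW]

        checks = {
            "first_time_shopper": o.customer_id not in known_customers,
            "larger_than_normal": o.amount >= LARGE_ORDER_FACTOR * normal_order_value,
            "several_of_same_item": o.max_item_qty >= SAME_ITEM_QTY,
            "rush_shipping": o.rush,
            "free_email": o.email.rsplit("@", 1)[-1].lower() in FREE_EMAIL_DOMAINS,
            "multiple_cards_one_ship_to": len(cards_by_ship[o.ship_to]) > 1,
            "card_velocity": len(recent) >= VELOCITY_LIMIT,
            "multiple_ship_to_one_card": len(ships_by_card[o.card_token]) > 1,
            "multiple_cards_one_ip": len(cards_by_ip[o.ip]) > 1,
        }
        known_customers.add(o.customer_id)
        scored[o.order_id] = [name for name, hit in checks.items() if hit]
    return scored


def orders_for_review(orders, normal_order_value):
    """Order ids where several signs coincide; one sign alone is not enough."""
    scored = score_orders(orders, normal_order_value)
    return sorted(oid for oid, signs in scored.items()
                  if len(signs) >= REVIEW_THRESHOLD)


def sample_orders():
    """Constructed sample data: a returning customer and one linked cluster."""
    t0 = datetime(2010, 10, 1, 9, 0)

    def mk(oid, minutes, card, cust, email, ip, ship, amount, qty, rush):
        return Order(oid, t0 + timedelta(minutes=minutes), card, cust, email,
                     ip, ship, amount, qty, rush)

    return [
        mk("A0", -10000, "tok-1", "alice", "alice@corp.example", "198.51.100.7",
           "12 Oak St", 70.0, 1, False),
        mk("A1", 0, "tok-1", "alice", "alice@corp.example", "198.51.100.7",
           "12 Oak St", 80.0, 1, False),
        mk("B1", 5, "tok-2", "c-901", "x1@freemail.example", "203.0.113.9",
           "77 Dock Rd", 950.0, 4, True),
        mk("B2", 9, "tok-3", "c-902", "x2@freemail.example", "203.0.113.9",
           "77 Dock Rd", 990.0, 5, True),
        mk("C1", 30, "tok-4", "c-903", "sam@webmail.example", "192.0.2.44",
           "3 Elm Ave", 60.0, 1, False),
    ]


if __name__ == "__main__":
    for oid, signs in score_orders(sample_orders(), normal_order_value=75.0).items():
        print(oid, len(signs), signs)
```

Order C1 shows two signs and is not queued, which matches the manual's point that a single characteristic is seldom cause for alarm.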


Order Verification Procedures

If a merchant staff member becomes suspicious about a card-absent order, he
or she should first try to verify the transaction by obtaining additional customer
information.
The following steps may help merchant staff members verify card-absent
transactions:
• Ask the customer for the name of the issuing bank shown on the card or for
the printed four-digit number on the face of the card.
• Check the customer’s personal information. Request day and evening
telephone numbers and verify them through directory assistance or by
calling the customer directly. If possible, also compare the billing and ship-
to address on the order with the address used for mailing the customer any
catalogs or other marketing materials.
• Separately confirm the order with the customer. Send a note to the
customer via his/her billing address, rather than the “ship to” address.
Card-absent merchant staff members who suspect fraud should contact their
acquirer as soon as possible.


A Closer Look at Recurring Transactions

To address some of the more common causes of cardholder and issuer
complaints related to recurring payments, acquirers should train card-absent
merchants to follow these best practices:

Recurring Transaction Set-up Best Practices

• To set up a recurring charge, obtain consent from the cardholder. Include the
following:
– Transaction amount or minimum or maximum transaction amounts, if the
transaction may vary
– Frequency of the recurring charges
– Duration of time that cardholder permission is granted
• Retain a copy of the cardholder’s consent for the duration of the recurring
services and provide a copy if requested by the issuer.
• Obtain all relevant card payment details to complete the transaction. This
includes:
– Cardholder name and billing address
– Card type/Account number
– Card expiration date
– CVV2*
• Obtain an authorization and a valid approval.
– Include the expiration date in the authorization request
– Use Visa detection tools to verify the legitimacy and accuracy of the Visa
cardholder and card.

Interchange rates are set based on the authorization and processing methods
used, whether or not additional information is provided in the transaction record,
and the type of card used at the point of sale.

For security purposes Visa International Operating Regulations prohibit
merchants from storing CVV2 data.

The Visa Account Updater (VAU) service allows Visa merchants, acquirers, and
issuers to electronically exchange the most current cardholder information, card
expiration dates, account status, and more. This safety net helps merchants retain
customers by reducing declined card transactions that can interrupt the payment
process.

*In certain markets, CVV2 is required for card-absent transactions.


To Verify:                          Then:
Card information                    Use Visa Account Updater (VAU)
Cardholder billing address          Use AVS* (if available)
Card authenticity                   Submit CVV2 as part of the authorization request
Cardholder’s authenticity online    Implement Verified by Visa

• Check the authorization response and take the appropriate action based on the
response. If you receive a decline response for any reason other than “lost”,
“stolen”, or “pick-up”, you may retry the authorization if it is cost-effective for
your business to do so. Note: An authorization may be retried up to a maximum
of four times within 16 calendar days of the original request.
• Ensure that all applicable state or federal laws are followed when establishing
this agreement with the cardholder. Visa recommends the merchant consult with
their own legal counsel.

In determining the number and frequency of authorization attempts, merchants
should take into account, among other factors, the incremental cost of retrying
the authorization and the transaction amount. The Visa International Operating
Regulations prohibit depositing a declined transaction. To view a copy of the Visa
International Operating Regulations, visit www.visa.com.

Voice plus is often used by merchants to capture the cardholder’s voice or key
tones as confirmation.
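As an added illustration, not taken from the manual, the retry rule above can be written as a small policy check for a recurring-billing job. It reads the limit as four retries after the original request and counts day 16 as inside the window; the 5% cost ratio and all class and function names are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

NO_RETRY_REASONS = {"lost", "stolen", "pick-up"}  # declines the manual excludes from retry
MAX_RETRIES = 4          # read here as four retries after the original request
RETRY_WINDOW_DAYS = 16   # calendar days from the original request, day 16 included
MAX_COST_RATIO = 0.05    # assumed business rule: retry cost at most 5% of the amount


@dataclass
class RecurringCharge:
    amount: float
    attempt_dates: List[date] = field(default_factory=list)  # original request first
    approved: bool = False
    decline_reason: Optional[str] = None    # reason given with the latest decline

    def record(self, when: date, approved: bool, reason: Optional[str] = None) -> None:
        """Store one authorization response (the first call is the original request)."""
        self.attempt_dates.append(when)
        self.approved = approved
        self.decline_reason = None if approved else (reason or "declined").strip().lower()

    @property
    def retries_used(self) -> int:
        return max(0, len(self.attempt_dates) - 1)


def retry_decision(charge: RecurringCharge, today: date,
                   retry_cost: float) -> Tuple[bool, str]:
    """Decide whether another authorization attempt is allowed today."""
    if not charge.attempt_dates:
        return False, "no original request on record"
    if charge.approved:
        return False, "already approved"
    if charge.decline_reason in NO_RETRY_REASONS:
        return False, "decline reason '%s' must not be retried" % charge.decline_reason
    if charge.retries_used >= MAX_RETRIES:
        return False, "retry limit reached"
    if today > charge.attempt_dates[0] + timedelta(days=RETRY_WINDOW_DAYS):
        return False, "retry window closed"
    if retry_cost > MAX_COST_RATIO * charge.amount:
        return False, "retry not cost-effective"
    return True, "retry allowed"


def retry_schedule(original_request: date, interval_days: int) -> List[date]:
    """Candidate retry dates: at most MAX_RETRIES, all inside the window."""
    if interval_days < 1:
        raise ValueError("interval_days must be at least 1")
    deadline = original_request + timedelta(days=RETRY_WINDOW_DAYS)
    dates = []
    for n in range(1, MAX_RETRIES + 1):
        candidate = original_request + timedelta(days=n * interval_days)
        if candidate > deadline:
            break
        dates.append(candidate)
    return dates


def may_deposit(charge: RecurringCharge) -> bool:
    """Only an approved authorization may be deposited; a decline never is."""
    return charge.approved


if __name__ == "__main__":
    charge = RecurringCharge(amount=29.99)          # constructed sample charge
    charge.record(date(2010, 10, 1), approved=False, reason="insufficient funds")
    print(retry_decision(charge, date(2010, 10, 4), retry_cost=0.10))
    print(retry_schedule(date(2010, 10, 1), interval_days=5))
```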
Customer Satisfaction Best Practices

• Provide customers with a toll-free phone number, an e-mail address,
and/or easy to find (and use) online procedures for cancelling recurring
transactions.
• Train sales and customer service staff on the proper procedures for
processing recurring transactions. This is important as these transactions are
particularly customer service sensitive.
• Fully disclose all necessary transaction terms and conditions.

*AVS is only available in the U.S. and Canada.


**In certain markets, CVV2 is required for card-absent transactions.


VAU Service Best Practices

Utilize the VAU service to verify that the cardholder’s on-file information,
account number, and/or expiration date, are correct.
• Keep the expiration date on file and include the expiration date in all
authorization requests.
• To reduce possible fraud, use the AVS (if available) on every transaction.
• Ensure that all recurring transactions are identified with a unique processing
code (“50”), market-specific authorization data indicator (“B”) and electronic
commerce indicator (“2” for recurring or “3” for installment).
• Notify the customer of the transaction before or at the time of billing.
• Put proper controls in place to protect account and transaction information.
All merchants must meet the Payment Card Industry (PCI) Data Security
Standard (DSS) basic requirements.
• Do not store CVV2* data.

To minimize chargebacks and transaction processing costs, submit transaction
payment information to your processor in a timely manner.

Recurring Transaction Cancellation Best Practices

To cancel a recurring transaction, card-absent merchants should:
• Check customer logs daily for cancellation or non-renewal requests related
to recurring transactions. Take the appropriate action and comply in a timely
manner. Notify the customer that his/her recurring payment account has
been closed.
• Process all credits promptly. If a cancellation request is received too late
to prevent the most recent recurring charge from posting to the customer’s
account, process the credit and notify the cardholder.
• Flag transactions that exceed preauthorized amount ranges. Notify
customers at least ten days in advance of submitting a recurring transaction
billing.
• Check customer logs daily for customer complaints, especially those
relating to transaction amounts or failure to notify customers in advance of
a recurring transaction that exceeds the preauthorized amount range. Follow
up with customer.
• Provide the cardholder with the recurring transaction cancellation number.

*In certain markets, CVV2 is required for card-absent transactions.

Chapter 7 Merchant Fraud and How to Recognize It

To protect profitability and reduce fraud losses in today’s fast-changing and
unpredictable merchant environment, acquirers must be able to identify and
investigate potentially risky business at the earliest possible moment. Where a
single scam can mean losses of hundreds of thousands or even millions of
dollars, close monitoring coupled with up-to-date information on the most recent
fraud schemes is essential.
This chapter describes the most current schemes and scams involving merchant
locations. It offers an insider’s view to the telltale signs that can help acquirers
spot merchant fraud activity. Guidelines for investigating potential fraud at a
merchant location are also discussed, as well as recommendations for ways to
reduce losses when a scam is confirmed or strongly suspected.

What’s Covered
• Merchant Fraud Defined
• Bust-Out Merchants
• Laundering (Factoring)
• Telemarketing Fraud
• Credit and Cash-Advance Schemes
• Counterfeit Cards
• Skimming Attacks
• System Intrusion and Data Compromise
• White Label ATM Scams
• Pinpointing the Common Point of Purchase (CPP)
• Account Testing
• Understanding Key-Entered Fraud
• Managing Inactive Merchant Accounts

CHAPTER 7: MERCHANT FRAUD AND HOW TO RECOGNIZE IT


Merchant Fraud Defined

In the past few years, bankcard fraud globally has undergone a gradual, very
significant transformation for acquirers. Systems to detect cardholder fraud,
the types of fraud that primarily affect Issuers, have become more effective and
harder for criminals to circumvent.
As a result, fraud involving merchant locations, with and without a merchant’s
knowledge or active participation, has become more prevalent and the scams and
perpetrators committing them are more sophisticated and elusive. Old-fashioned
laundering schemes, targeting smaller retail merchant outlets, still occur but they
are being steadily overshadowed by hi-tech scams run by international crime
organizations who often work in cooperation.
Underestimating the ingenuity or capabilities of these modern-day bandits is a
risk few acquirers can afford to take. While certain scams may be associated with
a specific sales environment, card-present, mail order/telephone order (MO/TO),
or Internet, current evidence suggests that criminals can and will quickly exploit
any market where merchants or acquirers seem vulnerable.

Types of Merchant Fraud

Here is a snapshot of the most common types of merchant fraud that acquirers
are currently encountering. Each of these merchant fraud classifications is
explained in more detail on the following pages.
• Bust-out Merchants. A criminal opens what appears to be a legitimate
merchant account with an acquirer, and after a brief period of seemingly
normal sales activity, suddenly processes a large volume of fraudulent
transactions—using fake or stolen account information. The merchant
receives payment and then disappears. Bust-out merchants often work in
collusion with other merchants using valid card information. A bust-out
merchant is just as likely to be found operating online as out of a traditional
storefront location.
• Laundering (Factoring). A business with a valid merchant agreement
with an acquirer deposits transactions for a company without a merchant
account. The unsigned business offers the valid merchant a percentage
of the sales amount (from one percent to 20 percent) to process the
unsigned company’s transactions. Usually these transactions are fraudulent
and involve stolen account information. The unsigned business abruptly
disappears, leaving the legitimate business to contend with chargebacks it
may not be able to cover.
• Telemarketing Fraud. Criminals make mail or telephone solicitations to
either obtain valid cardholder account information or to charge unauthorized
sales to a valid account.


• Credit Advance Schemes. Merchants or collusive employees deposit
apparently legitimate transactions—often charged to friends’ or family
members’ accounts, and then issue one or more credits to their personal
Visa accounts and other accounts. The credits zero out the deposits, making
such scams more difficult to detect.
• Cash-Advance Schemes. Merchants process a transaction against their own
bankcard account, then remove an equal amount in cash from the register.
This cash advance “appears” to be a legitimate transaction. Transactions are
sometimes offset first, with a credit to an “off-shore” account, followed by a
cash withdrawal at an ATM on a later date.
• Counterfeit. This category is used to classify losses that result from the use
of a card or encoded magnetic-stripe that is not produced and issued by the
financial institution. The counterfeit card is manufactured illegally to look like
a valid Visa card or by re-embossing and/or re-encoding the magnetic-stripe
on a once-legitimate lost/stolen, or expired card with different information.
Cardholder data used on counterfeit cards is obtained by criminals from
various sources:
– Skimming Attacks. Skimming is the illegal act of stealing account
information from a card’s magnetic-stripe, then putting it on a legitimate,
as well as a counterfeit or stolen card for fraudulent use. The very nature of
skimming can make counterfeit fraud especially hard to identify. Skimming
involves the use of a device that reads and stores magnetic-stripe
information when a legitimate transaction is conducted. The device is then
used to write the information onto another card, which is used for the
fraudulent transaction. Skimming allows criminals to take possession of
all cardholder data stored in the magnetic-stripe, which includes the Card
Verification Value (CVV), and other discretionary data.
– Point-of-sale (POS) terminals or PIN Entry Device (PED) Tampering. POS
terminals or PEDs are modified to facilitate the capture of full magnetic-
stripe data and, in some cases, PIN data. In most cases, device tampering
does not interfere with the device’s ability to process transactions. In some
cases, the terminal captures the data but does not actually process the
transaction, which makes the identification of the point-of-compromise
rather difficult. The most recent skimming trend to surface is the hacking
of vulnerable merchant processing systems (of all sizes). Criminals
are stealing “full track” data files created as an internal function of the
merchant’s point-of-sale software. This allows the criminal to tap a much
larger volume of accounts, to sell the account number or perpetrate the
fraud.
– Data Compromise via Server Intrusion. This involves the theft of
cardholder data from merchants, processors or Third-Party Agents,
normally via unauthorized server intrusions. Storage of unencrypted
cardholder data by these entities facilitates this criminal activity.


– Phishing. A social engineering scheme where criminals masquerade as
a legitimate financial services institution to obtain account data from
the cardholder. Phishing is normally conducted via electronic mail, but
telephone versions are also common. Because data is obtained directly
from the cardholder, it normally includes the PIN. This, in turn, enables
ATM fraud.
– Pharming. A social engineering scheme that is based on redirecting
website traffic to another illegitimate site where customers unknowingly
enter their personal data.
– Imprinting of extra (that is, multiple) transaction receipts by sales
personnel.
• White-label ATM fraud involves non-legitimate cash-dispensing machines
that have been set up by criminals for the sole purpose of capturing
cardholder bankcard account and PIN data.
• Account Testing. Criminals make a small purchase or submit an
authorization request on a stolen, skimmed, or computer-generated account
number to verify that the number can be used for fraudulent or other
unauthorized purposes. Account testing can involve a merchant’s collusive
employees.


Bust-Out Merchants

What is a Bust-Out Scam?

In a bust-out merchant scam, a criminal opens what appears to be a legitimate
merchant account with an acquirer. Following a brief period of seemingly
normal sales activity, the business then processes a large volume of fraudulent
transactions, receives payment, and closes down, or simply disappears.
These scams are often extremely sophisticated and complex, involving stolen
identities, false storefronts, and fraudulent applications submitted to several
acquirers at the same time.

How a Bust-Out Works

A Typical Scenario

In a typical scam, criminals open a storefront, sales office, or website, and
submit applications to several different acquirers in a one- to two-week period.
The fraudulent applications present the “merchant” as a newly-formed business
with small to moderate sales and conveniently, no financial or credit history.
To ensure credit bureau reports on business principals also look legitimate,
the criminals use the names of creditworthy accomplices or stolen credit
information from valid cardholders or other unsuspecting individuals.
Once an agreement is signed, the merchant account deposits will correspond
with anticipated sales volumes for a few weeks, or even months. This is then
followed by a sudden “spike” of large deposits of fraudulent transactions. The
criminals then empty the account—leaving the acquirer liable for chargebacks on
the transactions. They typically disappear, usually moving on and repeating the
scam with other acquirers.

A “Spoof” Shop Scam


A variation on the bust-out merchant scam, a “spoof” shop is a fraudulent
merchant location set up for the sole purpose of stealing or replicating account
information from legitimate cardholders. A spoof shop may or may not have a
valid merchant agreement, but it will act as if it does. Merchandise or services
will be “sold” to customers—and in some cases, card transactions may be
put through for authorization, but few or no transactions will be entered for
settlement.
Spoof shops are frequently associated with skimming and account testing scams.
A typical spoof location might be a small storefront selling T-shirts or souvenirs,
or a web page which is set up to mimic or capture business intended for a
legitimate site. A criminal might put up a web page for a fake Internet server—
using a name similar to, but slightly different from, a known business—and
then steal account information from consumers who mistakenly sign up for the
“service,” thinking it’s the legitimate business. Account numbers obtained in this
way can then be turned over to bust-out merchants or other criminals who may
use them in laundering, telemarketing, or other merchant fraud scams.


Identifying Bust-Out Merchants

Some acquirers have reported that the following indicators can be helpful in
identifying ongoing bust-out schemes:
• Large, even-dollar transactions (this is common to many current schemes)
• Excessive deadlines
• Sudden excessive volume decreases
• ANI mismatch with a telephone number associated with that merchant
account
• Multiple merchant accounts using the same principal name, address, and
Social Security number
• Merchant types most often associated with merchant bust-out fraud:
– Small grocery store and meat markets
– Clothing, jewelry, or electronics stores
– Leather goods
– Limousine services
– Auto repair
– New insurance brokers
• Merchants are often signed by the same Third-Party Agent.
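An acquirer's monitoring job might screen for three of these signs as follows: the deposit "spike" described under How a Bust-Out Works, large even-dollar transactions, and merchant accounts that share principal details. This is an added example, not part of the Visa manual; the thresholds, field names and sample portfolio are assumptions, and the Social Security number is represented by a token so the raw value is never handled.

```python
from collections import defaultdict
from statistics import median

# Assumed thresholds (not from the manual); calibrate against your own portfolio.
BASELINE_DAYS = 14         # trailing days treated as the "normal sales" period
SPIKE_FACTOR = 5.0         # a day's deposits at this multiple of the baseline median
LARGE_CENTS = 50_000       # "large" transaction: 500.00 or more
EVEN_DOLLAR_SHARE = 0.5    # share of a day's transactions that are large and even-dollar


def deposit_spikes(daily_cents):
    """Indexes of days whose deposits spike against the trailing baseline median.

    The median keeps one earlier spike from inflating the baseline."""
    spikes = []
    for i in range(BASELINE_DAYS, len(daily_cents)):
        baseline = median(daily_cents[i - BASELINE_DAYS:i])
        if baseline > 0 and daily_cents[i] >= SPIKE_FACTOR * baseline:
            spikes.append(i)
    return spikes


def even_dollar_share(txn_cents):
    """Fraction of transactions that are both large and whole-dollar amounts."""
    if not txn_cents:
        return 0.0
    hits = sum(1 for c in txn_cents if c >= LARGE_CENTS and c % 100 == 0)
    return hits / len(txn_cents)


def shared_principals(applications):
    """Merchant ids grouped by normalized (principal name, address, id token)."""
    groups = defaultdict(set)
    for app in applications:
        key = (" ".join(app["principal"].lower().split()),
               " ".join(app["address"].lower().split()),
               app["id_token"])        # token or hash of the SSN, never the raw number
        groups[key].add(app["merchant_id"])
    return [sorted(ids) for ids in groups.values() if len(ids) > 1]


def bust_out_indicators(merchant_id, txns_by_day, applications):
    """txns_by_day: list, in date order, of lists of transaction amounts in cents."""
    found = []
    if deposit_spikes([sum(day) for day in txns_by_day]):
        found.append("deposit_spike")
    if any(even_dollar_share(day) >= EVEN_DOLLAR_SHARE for day in txns_by_day):
        found.append("large_even_dollar")
    if any(merchant_id in group for group in shared_principals(applications)):
        found.append("shared_principal")
    return found


def sample_portfolio():
    """Constructed data: M1 looks normal for 14 days, then spikes; M2 stays normal."""
    normal_day = [1999, 4550, 12075, 8999, 30000, 2495]      # cents
    m1 = [list(normal_day) for _ in range(14)]
    m1.append([100000, 200000, 150000, 250000, 4999])        # day 15 spike
    m2 = [list(normal_day) for _ in range(15)]
    apps = [
        {"merchant_id": "M1", "principal": "Pat  Doe", "address": "5 Main St",
         "id_token": "tok-aa"},
        {"merchant_id": "M2", "principal": "Lee Roe", "address": "9 High St",
         "id_token": "tok-bb"},
        {"merchant_id": "M3", "principal": "pat doe", "address": "5 main st",
         "id_token": "tok-aa"},
    ]
    return {"M1": m1, "M2": m2}, apps


if __name__ == "__main__":
    txns, apps = sample_portfolio()
    for mid, days in txns.items():
        print(mid, bust_out_indicators(mid, days, apps))
```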

Confirmed Bust-Out Merchant Loss Reduction Best Practices

• Close the merchant account/s immediately.
• Identify other, related, potentially fraudulent merchant accounts either
through the merchant’s credit-bureau reports or by examining deposits to the
principal’s Demand Deposit Account (DDA).
• File a Suspicious Activity Report (SAR) with the U.S. Treasury’s Financial
Crimes Enforcement Network (FinCEN).
• Make direct law-enforcement referrals where possible.
• Identify other creditors and work with them. Do a post mortem analysis on
account underwriting and false payments.
• Develop underwriting and credit profiles.
• Work with other members identified in your investigation.


Laundering (Factoring)

What is Laundering (Factoring)?

The term “laundering” (also known as factoring) refers to any situation where
a business that has a valid merchant agreement with an acquirer deposits
transactions for a company without a merchant account. These scams are used
to process fraudulent or other high-risk transactions through a legitimate
business location and are often targeted at small, less sophisticated merchants
who may be truly unaware of the financial and legal exposure they are facing.
The unsigned merchant may be a fraudulent business fronting for a criminal
organization, or a company which, for a variety of reasons, may be unable or
unwilling to get a valid agreement—for example, a high-risk telemarketer
operating on the edge of legality.

How Laundering (Factoring) Works

A laundering (factoring) scam begins when the legitimate merchant is approached
by the merchant without an agreement—or by a so-called “broker” representing
the unsigned company. The legitimate merchant is then presented with what
appears to be a lucrative and tempting business proposition. In return for
processing the unsigned company’s transactions, the signed merchant will receive
a percentage of the deposited sales. The amount offered may be anywhere from
one percent to 20 percent, or more.

Businesses caught in laundering (factoring) scams may lose their merchant
agreements and face prosecution under federal and state laws.

The signed merchant then begins processing transactions for the unsigned
business by key-entering the sales on a POS terminal. In many cases, the
laundered transactions will be counterfeit or unauthorized, using account
numbers that have been illegally obtained through data theft from an account
number-generating software program. In a typical scam, deposit activity
continues for several weeks and then stops abruptly. The unsigned merchant
disappears—usually moving on to victimize yet another legitimate merchant—
while the signed business is left to contend with a growing stack of chargebacks
it may not be able to cover. Laundering schemes are associated with chargeback
rates as high as 60 percent to 100 percent, and an inability to pay can easily
force legitimate merchants out of business.


Telemarketing Fraud

What is Telemarketing Fraud?

Telemarketing fraud is a classic scam in which mail, telephone, or Internet order
solicitations are used for fraudulent purposes—either to obtain valid cardholder
information for fraudulent transactions, or to charge unauthorized sales to a
valid account. The businesses involved in these schemes may be run by outright
criminals, or the perpetrators may simply be unethical merchants who are
pushing the limits of legality.

How Telemarketing Scams Work

There are many different kinds of telemarketing scams related to bankcard
fraud. Some of the more common scams include the following:
• Phony Contests or “Too Good To Be True” Product Offers. In a typical scam,
consumers receive mail, phone calls, or e-mail messages announcing that
they have “won” a vacation to Hawaii, Acapulco, or some other exotic
location. In other cases, vitamins, water purifiers, or travel packages are sold
at “fantastic” discounts. There is, however, always a catch. The contest or
product is available for a limited time only, and another small purchase or
“handling fee”—which must be paid by credit card—is required immediately.
Using high-pressure sales tactics or trickery, the telemarketers persuade
consumers to give them their Visa account numbers and other personal
information. The cardholder is then billed for merchandise which is never
delivered or turns out to be shoddy and substandard.
• Lottery Ticket Sales. Generally these scams target the elderly, and often the
telemarketers don’t even purchase lottery tickets with the money they
collect.
• Credit Card Protection. While many firms offering credit card protection are
legitimate, there are criminals who will contact and misrepresent themselves
to cardholders as employees of Visa or a Visa member. The perpetrators use
deceptive practices to get cardholders to buy a “protection package” and
often make it difficult to cancel the sale.
• Pyramid Schemes. These plans purport to offer products—or even Visa
cards—in exchange for a membership fee and participation in a “multilevel-
marketing” plan. The new member must recruit others to the plan; often no
products exchange hands, however, and the acquirer is left with chargebacks
once consumers discover they have been defrauded.


• Advance Fee Schemes. Here, a consumer is asked to pay an up-front fee in
exchange for a service or information. It may be that:
– It is illegal to collect a fee for that particular service or information.
– The information or service is readily available elsewhere at no or little cost.
– The merchant has no intention of providing the information or service
offered. One of the most common scenarios involves the Internet offering
of a Visa card or merchant processing account—when in fact all the buyer
will receive is a list of banks that will issue such accounts to high-risk
customers.
• Free Trial Offer Schemes. This is a popular marketing technique for merchants
today; however, not all businesses stick by their refund commitments to those
who are unhappy with the product or service. In some free-trial offers, the
merchant will ask consumers to pay for the product or service up-front with
the promise of a “money-back guarantee”. The consumers are told that they
can return the item for refund within a certain time frame if dissatisfied, but
the refund never happens.

Recent evidence indicates that fraudulent telemarketing is tapering off in the
United States, but on the rise in overseas markets. Predictably, scams are
surfacing in regions where acquirers and cardholders are less sophisticated and
knowledgeable about bankcard fraud, or where laws are inadequate or not well
enforced.

Handling Telemarketing Fraud Disputes

When the transaction is disputed with the cardholder’s issuing bank, the result
is usually a chargeback to the acquirer. Chargeback categories associated with
these scams include “Fraudulent Transaction – Card Absent Environment,” “No
Authorization,” “Not As Described or Defective Merchandise” and “Services
Not Provided or Merchandise Not Received.” Of course, by the time the acquirer
receives the chargebacks, the fraudulent telemarketers may have emptied their
account and disappeared. The valid account numbers they obtained will turn up
weeks or months later in other fraud scams.


Credit and Cash-Advance Schemes

What is a Credit or Cash-Advance Scheme?

Credit or cash-advance schemes involve improper use of personal bankcards to
obtain money from merchants’ direct deposit accounts (DDAs) for personal use
or to provide temporary cash flow. These schemes can be perpetrated with or
without the merchant’s (or an employee’s) direct involvement.

Schemes With Direct Merchant Involvement

Cash-Advance Scheme. A merchant will process a transaction against his or her
own bankcard account, removing an equal amount in cash from the register.
The “cash advance” appears to be a legitimate transaction, and the merchant or
owner generally intends to re-deposit the cash and issue a credit to the
account later, when the cash is available.

A cash advance scheme may be the first sign of a merchant at risk for
bankruptcy or other financial difficulties. In such cases, the “cash advance”
might be used to cover the perpetrator’s payroll or other business and
personal expenses.

Credit Scheme. A merchant or employee deposits credits to his or her own
bankcard account, often
in amounts that would not raise suspicion. Credit
schemes are often the work of employees who are simply out to embezzle
funds from the business by issuing credits to themselves without entering
corresponding sales. Merchants are prohibited from issuing a credit to any
account number unless they have first deposited a legitimate transaction against
that account.

Credit Schemes Without Merchant Involvement

The latest fraud attack on acquirers involves scams where the perpetrator uses a
legitimate merchant’s account information to issue the credits. The perpetrator
then uses the credits to make large purchases or cash advances or—in the case
of debit cards—closes his or her checking account once the credits are posted
and the funds are withdrawn. In both cases, the acquirer is left with potential
liability for the fraud.
Three methods are currently being used to effect this fraud scheme:
• The perpetrator “takes over” a merchant account by either obtaining a new or
additional terminal through misrepresentation to the acquirer, or convincing
the acquirer to reprogram a “phantom” terminal over the telephone. The
individual then uses the terminal to deposit credits into his or her own, or
a co-conspirator’s personal Visa account, along with enough fraudulent
transactions using other account numbers to offset the credit amount. This
ensures against deposit spikes appearing in the acquirer’s monitoring system.


• The perpetrator clones or emulates a legitimate merchant by surreptitiously
obtaining the merchant and terminal ID numbers, then deposits credits to
his or her personal account.
• The perpetrator breaks into the merchant’s place of business and either
steals the POS terminal, or the previous day’s transaction receipts from the
register drawer.
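
One way an acquirer could monitor for the credit schemes described above, as an added example that is not part of the Visa manual: it flags any credit not covered by earlier sales to the same account at the same merchant, and shows why net deposit totals alone miss a credit that has been offset with fraudulent sales. The record layout, identifiers and sample batch are constructed assumptions.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample batch: (day, merchant_id, terminal_id, account, type, amount).
# Accounts are shown as tokens, not real card numbers.
BATCH = [
    (1, "M-1001", "T-01", "ACCT-A", "sale",   "120.00"),
    (1, "M-1001", "T-01", "ACCT-B", "sale",   "80.00"),
    (2, "M-1001", "T-01", "ACCT-A", "credit", "120.00"),  # refund of an earlier sale
    (3, "M-1001", "T-01", "ACCT-C", "sale",   "200.00"),
    (3, "M-1001", "T-09", "ACCT-X", "credit", "950.00"),  # no prior sale to ACCT-X
    (3, "M-1001", "T-09", "ACCT-D", "sale",   "500.00"),  # offsetting sales keyed on
    (3, "M-1001", "T-09", "ACCT-E", "sale",   "450.00"),  # the same unfamiliar terminal
    (4, "M-1001", "T-01", "ACCT-B", "credit", "100.00"),  # exceeds the 80.00 sale
]


def unmatched_credits(batch):
    """Return credits that are not covered by earlier sales to the same account.

    A running balance per (merchant, account) rises with each sale and falls
    with each credit. A credit larger than that balance means the merchant
    account is paying out money it never collected from the card.
    """
    balance = defaultdict(Decimal)
    alerts = []
    # sorted() is stable, so same-day records keep their batch order.
    for day, merchant, terminal, account, kind, amount in sorted(batch, key=lambda r: r[0]):
        amount = Decimal(amount)
        key = (merchant, account)
        if kind == "sale":
            balance[key] += amount
        elif kind == "credit":
            uncovered = amount - balance[key]
            if uncovered > 0:
                alerts.append({"day": day, "merchant": merchant,
                               "terminal": terminal, "account": account,
                               "uncovered": uncovered})
            balance[key] = max(balance[key] - amount, Decimal("0"))
    return alerts


def net_deposit_by_day(batch):
    """Net deposit (sales minus credits) per merchant per day."""
    net = defaultdict(Decimal)
    for day, merchant, _terminal, _account, kind, amount in batch:
        net[(merchant, day)] += Decimal(amount) if kind == "sale" else -Decimal(amount)
    return dict(net)


if __name__ == "__main__":
    for (merchant, day), total in sorted(net_deposit_by_day(BATCH).items()):
        print(f"day {day} {merchant} net deposit {total}")
    for alert in unmatched_credits(BATCH):
        print("ALERT", alert)
```

In the sample, day 3 nets to the same deposit total as day 1 even though it contains a 950.00 credit to an account with no sales history, so only the per-account check raises it.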

Merchant Account Protection Best Practices

To safeguard merchant accounts from credit scheme fraud exposure, the
following best practices are recommended:
• Verify any requested change to a merchant account with the known
business owner or an authorized merchant manager.
• Generate a call to the known business owner(s) to confirm the requests for
terminal service—e.g., adding, replacing, or reprogramming terminals.
• Conduct a site inspection when there is a merchant address change or the
addition of new locations.
• Conduct a new credit review and a call to the known business owner(s)
when there are changes to the merchant’s Direct Deposit Account. In
addition to fraud, these changes can signal an ownership change, bankruptcy,
or other credit-related issue. In today’s financial services environment, where
payments are made by wire, an unauthorized change to a merchant Direct
Deposit Account is an easy way to quickly and thoroughly defraud a
legitimate merchant.
• When confirming merchant ownership, make sure the information
gathered includes the current business tax ID, as well as the current
financial institution name and account number of the Direct Deposit
Account. All changes should be confirmed in writing on an original
document that includes a signature from the person currently authorized
to sign for any change request.


Counterfeit Cards

Four Main Categories

There are four main categories of counterfeit cards:
• A card that is printed, embossed, or encoded to look like a legitimate Visa
card without the issuing member’s authorization.
• A valid card issued by a member that is altered or re-fabricated. This category
does not include cards altered only to try to change or damage the signature
panel or the cardholder’s signature.
• Actual Visa cards that have had the magnetic-stripe re-encoded with
information skimmed, purchased from the Internet or compromised from a
merchant, processor or acquirer.
• A blank card with a magnetic-stripe that is encoded with full track data,
usually used at unattended terminals (UATs) or at collusive merchant
locations.

When Counterfeiting is Suspected or Confirmed

Acquiring members should immediately notify Visa upon suspecting or
confirming use of a counterfeit card. This notification can be made by telephone
or fax within two business days.


Skimming Attacks

What is Skimming?

To circumvent the Card Verification Value (CVV) protection, criminals have
migrated to “skimming” counterfeit. Through new, easy-to-use technology,
criminals are now capturing full-track 1 and 2 data contained on the
magnetic-stripe of a legitimate card, and using it to either encode a
counterfeit card or re-encode a lost or stolen card. When an electronic
authorization attempt is made with the encoded or re-encoded card, it can
result in an issuer approval of a fraudulent transaction.

Chip technology is designed to help protect against skimming. Unlike the
magnetic-stripe on the back of the card, the small chip cannot be copied,
thus preventing the card from being counterfeited.

Different Skimming Scenarios

Skimming scenarios range from “spoof” shops—false storefronts set up for the
express purpose of obtaining valid magnetic-stripe data—to telephone taps
aimed at capturing account information during authorization or terminal
downloads. Any point from a merchant’s POS terminal to an acquirer’s or
issuer’s host system may be vulnerable. Once full-track data is stolen, a
valid card need not even be present.

Merchant outlets considered at high-risk for skimming are those businesses
where the card is temporarily out of the cardholder’s sight, such as
restaurants and gas stations.

While the details of individual scams may vary,
skimming scenarios generally fall into three basic
categories (differentiated by where track data is stolen or copied):
• At a Merchant Location. The most common skimming scenario involves track
data compromised at a merchant location where the owner or a collusive
employee skims full-track data during a legitimate transaction. Data theft
occurs either at the time a legitimate card is swiped for authorization—a
laptop or other electronic device is linked to the point-of-sale terminal to
capture magnetic-stripe information—or just after, with a second swipe of
the card through a separate, palm-size, stand-alone device. Full track data
obtained in this way can then be downloaded and re-encoded on a counterfeit
or stolen card.
• While Transmitting Data From One Organization to Another. In this
scenario, track data is compromised after it leaves a merchant location and
is passing between the various entities associated with the authorization
process, including:
– A merchant’s host system.
– An issuer’s or acquirer’s host system.
– At a software vendor’s switchpoint.
– An issuer’s or acquirer’s third-party processor.


Account information is obtained by tapping into telephone lines or by
capturing satellite transmissions from the airwaves. Collusive employees at
these locations may, but need not, be involved, and management personnel
may be entirely unaware of any breach of security.
• When in Storage. Other potential points of compromise for skimming
include anywhere account information is stored either on a short- or
long-term basis. This includes POS terminals, personal computers, and
mainframes. As in the other skimming scenarios, criminals hack into these
data storage systems to retrieve and copy valid account data.
This information is subsequently encoded on counterfeit cards or re-encoded
on stolen cards. Potential points of compromise in these scams include the
following:
– Cardholder-activated terminals (CATs) or other POS devices prior to
downloading
– Merchant host systems
– Issuer or acquirer host systems
– Issuer or acquirer third-party systems
– Backup systems for any of the above
As in the previous scenario, collusive merchants and employees may, but need
not, be involved.
• At the ATM. ATM skimming is the process by which criminals rig an ATM
to copy the information contained on the magnetic-stripe of a bank card for
counterfeiting purposes. An ATM skimming attack can involve both internal
and external parasite devices. While skimming devices have evolved from
crude beginnings, many of the latest ones are nearly indistinguishable from
legitimate ATM hardware.
One of the most common ways to carry out an ATM skimming scam is
the phony-front ATM. The fraudster places a fake keypad directly over the
legitimate ATM keypad. This overlay allows the cardholder to use the ATM
to enter his or her Personal Identification Number (PIN), yet at the same
time it captures the numbers as they are entered. In addition, a phony ATM
card reader is placed over the card insert slot to skim the card’s magnetic-
stripe data. The cardholder unknowingly uses the phony-front ATM to
conduct a cash transaction. When the cardholder swipes the card and enters
the PIN, either an “unable to dispense cash” message appears, or cash is
dispensed and the actual transaction is completed, depending on the type of
phony ATM card reader used.


System Intrusion and Data Compromise

Types of Attacks and Intrusions

It is often difficult to detect when a system has been attacked or a server
intrusion has taken place. Distinguishing normal events from those that are
related to an attack or intrusion is a critical part of maintaining a secure
payment processing environment.
Security breaches come in many different forms and, while detecting them
may be challenging, there are certain signs that tend to appear when a security
breach has occurred:
• Unknown or unexpected outgoing Internet network traffic from the payment
card environment
• Presence of unexpected IP addresses on store and wireless networks
• Unknown or unexpected network traffic from store to headquarter locations
• Unknown or unexpected services and applications configured to launch
automatically on system boot
• Unknown files, software and devices installed on systems
• Anti-virus programs malfunctioning or becoming disabled for unknown
reasons
• Failed login attempts in system authentication and event logs
• Vendor or third-party connections made to the cardholder environment
without prior consent and/or a trouble ticket
• SQL Injection attempts in web server event logs
• Authentication event log modifications (i.e., unexplained event logs are being
deleted)
• Suspicious after-hours file system activity (i.e., user login or after-hours
activity to POS server)
• Presence of .zip, .rar, .tar, and other types of unidentified compressed files
containing cardholder data
• Presence of a rootkit, which hides certain files and processes in, for example,
Explorer, the Task Manager, and other tools or commands
• Systems rebooting or shutting down for unknown reasons


White Label ATM Scams

What is White Label ATM Fraud?

White-label ATM fraud involves non-legitimate cash-dispensing machines that
have been set up by criminals for the sole purpose of capturing cardholder
bankcard account and PIN data.

How Does a White-Label ATM Scam Work?

White-label ATMs are private cash-dispensing machines that can be legitimately
purchased by non-banking entities. These machines are typically installed in
various locations, such as malls, hotel lobbies, mini-markets, etc. In legitimate
operations, private companies that own white-label ATMs contract with various
ATM network systems to accept and process their transactions. In a non-
legitimate situation, a criminal may purchase one of these machines and set it
up to skim the bankcards and capture the account numbers and associated PINs
for counterfeiting purposes.
This is a typical scheme used by Eastern European organized crime. In the past,
the industry has seen crime rings lease gasoline stations and post a performance
bond. In most cases, the gas station will operate for four to six months. During
this time, both credit and debit cards are skimmed as they are swiped at the
gas pump dispensers. None of the cards are fraudulently used while the gas
station is in operation. At the end of the four- to six-month operation, however,
the criminals walk away from the gas station and forfeit the bond. During the
next long weekend, a well-organized attack of the payment card system occurs;
hundreds of cards are used in a three-day span by multiple fraudsters. Most of
the transactions are ATM cash advances–withdrawn after the empty-envelope
deposits have been made to inflate balances. The debit cards are initially the
target of the group. The credit accounts are either sold to other crime groups or
are held for a period of time.


Pinpointing the Common Point of Purchase (CPP)

What is a CPP?

Common Point of Purchase (CPP) is defined as a unique merchant location where
three or more genuine cardholder transactions occurred within 30 consecutive
days or less, and each one subsequently had confirmed fraudulent skimmed
counterfeit transaction activity. Today the CPP can also be a merchant,
processor or acquirer where a massive loss of stored data occurred due to an
unauthorized server intrusion. Cardholder data storage is a violation of Visa
International Operating Regulations. In these cases, the CPP transactions may
have happened over a greater period of time but the volume of accounts with
similar activity would be greater.

The very nature of skimming can make this type of counterfeit fraud
especially hard to identify. Authorization records for valid and skimmed
counterfeit transactions can be indistinguishable, and neither issuers nor
acquirers may know what to look for.

Issuer CPP Requirements

Issuers are usually the first to detect the signs of suspicious activity
associated with skimming, but acquirers should also be familiar with the basic
characteristics of potentially skimmed transactions. Acquirers have to rely on
data provided by issuers. Consequently, issuers must have a process to confirm
fraudulent skimmed counterfeit transaction activity that includes the following
minimum criteria:
• The authorization data includes a POS Entry Mode Code 90.
• The CVV in the authorization message matches the code on file with the
issuer.
• The cardholder is in possession of all valid cards and can verify that the suspect
transaction was not made by him- or herself, or by anyone else with access to
valid cards, such as a family member or friend.
• All alternative fraud types have been eliminated.
Issuers must also prepare documentation about how the CPP was identified and
forward this documentation to the acquirer and the acquirer’s Visa region. The
documentation must provide the following information about the issuer:
– Issuer’s name.
– Issuer’s contact including:
- Name.
- Telephone number.
- FAX number.
– Acquirer’s BIN.


– Merchant’s name and number.
– Merchant’s city.
– Merchant’s state, province, or country.
– Number of accounts (to date) with confirmed fraud.
– Amount of confirmed fraud (to date) resulting from this CPP.
– Primary location of fraud transactions (optional).
– List of all legitimate transactions with subsequent skimmed counterfeit
fraud, including:
- Account number.
- Transaction amount.
- Transaction date.
- Authorization time.
- 23-digit acquirer reference number.

Acquirer CPP Requirements

On the acquiring side, it is important to investigate CPPs. When notified of
an identified CPP, it is the acquirer’s responsibility to conduct a thorough
investigation of the alleged skimming activity at the identified CPP merchant and
ask the following questions:
– How was the account compromised? Was it an isolated case of skimming
or a data compromise?
– Who was responsible?
– What is the basis of determination?
Acquirers are also responsible for the following reports:
– A preliminary report is required within 10 calendar days from the date the
issuer or Visa region notified the acquirer.
– A final report is required within 30 days after the acquirer has taken
action.
If an acquirer terminates a merchant because of skimming activity, that acquirer
must list the merchant on the Terminated Merchant File (TMF).
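
The CPP definition and the issuer's minimum confirmation criteria above can be applied mechanically to issuer data. The following is an added example, not part of the Visa manual: it keeps only fraud cases that meet all four criteria, then looks for merchants where three or more affected accounts had genuine transactions inside one 30-day window before their fraud began. The field names, the choice to count distinct accounts, the inclusive 30-day window and all sample records are assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed issuer fraud cases, one per suspect transaction.
# Accounts are tokens, not real card numbers.
FRAUD_CASES = [
    {"account": "ACCT-A", "date": date(2010, 4, 20), "pos_entry_mode": "90",
     "cvv_matched": True, "cardholder_has_cards": True, "other_fraud_ruled_out": True},
    {"account": "ACCT-B", "date": date(2010, 4, 22), "pos_entry_mode": "90",
     "cvv_matched": True, "cardholder_has_cards": True, "other_fraud_ruled_out": True},
    {"account": "ACCT-C", "date": date(2010, 4, 25), "pos_entry_mode": "90",
     "cvv_matched": True, "cardholder_has_cards": True, "other_fraud_ruled_out": True},
    # Entry mode is not 90, so this case fails the first criterion.
    {"account": "ACCT-D", "date": date(2010, 4, 26), "pos_entry_mode": "01",
     "cvv_matched": True, "cardholder_has_cards": True, "other_fraud_ruled_out": True},
    {"account": "ACCT-E", "date": date(2010, 5, 2), "pos_entry_mode": "90",
     "cvv_matched": True, "cardholder_has_cards": True, "other_fraud_ruled_out": True},
]

# Constructed genuine cardholder transactions: (account, merchant_id, date).
GENUINE = [
    ("ACCT-A", "M-1001", date(2010, 3, 1)),
    ("ACCT-B", "M-1001", date(2010, 3, 12)),
    ("ACCT-D", "M-1001", date(2010, 3, 15)),   # account has no confirmed skim
    ("ACCT-C", "M-1001", date(2010, 3, 28)),
    ("ACCT-E", "M-1001", date(2010, 5, 10)),   # after the fraud, cannot be the source
    ("ACCT-A", "M-2002", date(2010, 3, 5)),
    ("ACCT-B", "M-2002", date(2010, 3, 6)),    # only two accounts in common
    ("ACCT-A", "M-3003", date(2010, 1, 10)),
    ("ACCT-C", "M-3003", date(2010, 2, 20)),
    ("ACCT-E", "M-3003", date(2010, 4, 1)),    # three accounts, but 40+ days apart
]


def confirmed_skim_dates(cases):
    """Earliest confirmed skimmed-counterfeit date per account.

    A case counts only if it meets all four minimum issuer criteria:
    POS Entry Mode Code 90, CVV match, cardholder holds all valid cards,
    and every alternative fraud type has been eliminated.
    """
    first = {}
    for c in cases:
        if (c["pos_entry_mode"] == "90" and c["cvv_matched"]
                and c["cardholder_has_cards"] and c["other_fraud_ruled_out"]):
            if c["account"] not in first or c["date"] < first[c["account"]]:
                first[c["account"]] = c["date"]
    return first


def find_cpps(genuine, fraud_dates, min_accounts=3, window_days=30):
    """Return {merchant_id: accounts} for merchants that meet the CPP definition.

    Assumptions: distinct accounts are counted rather than raw transactions,
    and "30 consecutive days" is read as first and last date under 30 days apart.
    """
    by_merchant = defaultdict(list)
    for account, merchant, txn_date in genuine:
        fraud_date = fraud_dates.get(account)
        # Only genuine use that precedes the confirmed fraud can be its source.
        if fraud_date is not None and txn_date < fraud_date:
            by_merchant[merchant].append((txn_date, account))

    cpps = {}
    for merchant, visits in by_merchant.items():
        visits.sort()
        left, best = 0, set()
        for right in range(len(visits)):
            # Slide the left edge until the window fits inside window_days.
            while (visits[right][0] - visits[left][0]).days >= window_days:
                left += 1
            in_window = {acct for _, acct in visits[left:right + 1]}
            if len(in_window) > len(best):
                best = in_window
        if len(best) >= min_accounts:
            cpps[merchant] = sorted(best)
    return cpps


if __name__ == "__main__":
    print(find_cpps(GENUINE, confirmed_skim_dates(FRAUD_CASES)))
```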


Account Testing

What is Account Testing?

Account testing is an increasingly common and widespread scam used by
criminals to check the validity of lost, stolen, counterfeit, or other illegally
obtained account numbers. A criminal simply makes a small purchase or
submits an authorization request on a number they wish to test. If the
transaction is authorized, the account number will then be used for additional,
larger fraud transactions.

How Does Account Testing Work?

Like skimming, account testing often occurs at merchant locations, but may not
involve a business’ principals or collusive employees. In a common scenario, a
criminal will test a stolen or counterfeit card on an Internet site to determine
whether the account is blocked and—in the case of counterfeit—whether the
issuer checks expiration dates in the authorization process. Then to determine
whether the CVV is checked, he/she will use a re-encoded card to buy a few
dollars’ worth of gas at a cardholder-activated pump. In other cases, lists of
account numbers may be run through a bust-out merchant or spoof site. In
these schemes, the accounts being tested will be submitted for authorization
only; few, if any, completed transactions will be processed from the site.

Criminals may also test accounts by gaining access to a merchant’s
transaction-processing system in other ways, for example, by getting a
business’s merchant account number and the phone number for its
authorization center. This information is often posted near POS terminals and
is relatively easy to copy down, or it may be provided by a collusive
employee. Fake transactions can then be called into the authorization center
from a public pay phone, stolen cell phone, or any other hard-to-trace location.

At many authorization centers today, calls are answered by automated
voice-response units, which makes early detection of these scams even more
difficult. The lack of human interface prevents authorization agents from
speaking directly with customers and identifying account testing or other
potentially suspicious calls.

CreditMaster: Fraud You Can Download

CreditMaster is a computer program used by criminals, or renegade computer
hackers, to generate lists of valid or potentially valid bankcard account numbers
for fraudulent use. The program first appeared in the mid-1990s, and since that
time, similar account number-generating software has become widely available
and easy to download from the Internet.
In general, these programs work by running a single, currently valid account
number through a mathematical formula called a check-digit algorithm. The
result is a list of valid or potentially valid numbers that could belong to legitimate
cardholders. The lists are then sold or provided to bust-out merchants or other
perpetrators who test the numbers and use them for fraudulent transactions.
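
Account testing through a bust-out merchant or spoof site, and lists produced by account number-generating software, leave a recognizable trace in authorization data: many authorization-only requests, few captures, and account numbers that differ only in their last digits. The following detection sketch is an added example, not part of the Visa manual; the record layout, thresholds and account numbers are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample authorization log, one tuple per request:
# (merchant_id, account, amount, approved, captured)
# Account numbers are made-up 16-digit strings, not real cards.
AUTHS = (
    # M-4004: authorization-only requests for 1.00 on near-identical numbers.
    [("M-4004", "400000123456%04d" % n, 1.00, n % 3 == 0, False)
     for n in range(1, 9)]
    # M-5005: ordinary retail traffic, every approved authorization is captured.
    + [("M-5005", acct, amt, ok, ok) for acct, amt, ok in [
        ("4000001111110001", 42.10, True), ("4000002222220002", 18.75, True),
        ("4000003333330003", 63.00, True), ("4000004444440004", 9.99, True),
        ("4000005555550005", 120.00, False), ("4000006666660006", 31.40, True),
        ("4000007777770007", 77.25, True)]]
    # M-6006: many uncaptured authorizations, but on unrelated accounts.
    + [("M-6006", acct, 150.00, True, cap) for acct, cap in [
        ("4000001010100011", False), ("4000002020200022", False),
        ("4000003030300033", True), ("4000004040400044", False),
        ("4000005050500055", False), ("4000006060600066", False)]]
)


def account_testing_report(auths, min_auths=6, max_capture_ratio=0.2,
                           min_cluster=4, prefix_len=12):
    """Summarize each merchant's authorizations and flag likely account testing.

    A merchant is flagged when it has enough authorizations to judge, almost
    none of them are captured as completed transactions, and a cluster of
    distinct accounts shares the same leading digits. All thresholds are
    assumptions to be tuned against the acquirer's own portfolio.
    """
    per_merchant = defaultdict(list)
    for merchant, account, amount, approved, captured in auths:
        per_merchant[merchant].append((account, amount, approved, captured))

    report = {}
    for merchant, rows in per_merchant.items():
        total = len(rows)
        capture_ratio = sum(1 for r in rows if r[3]) / total
        decline_rate = sum(1 for r in rows if not r[2]) / total
        # Count distinct accounts per shared prefix; repeats of one card do not count.
        prefixes = Counter(acct[:prefix_len] for acct in {r[0] for r in rows})
        cluster = max(prefixes.values())
        report[merchant] = {
            "auths": total,
            "capture_ratio": round(capture_ratio, 2),
            "decline_rate": round(decline_rate, 2),
            "largest_prefix_cluster": cluster,
            "flagged": (total >= min_auths
                        and capture_ratio <= max_capture_ratio
                        and cluster >= min_cluster),
        }
    return report


if __name__ == "__main__":
    for merchant, row in sorted(account_testing_report(AUTHS).items()):
        print(merchant, row)
```

The third sample merchant also has a low capture ratio but no cluster of similar numbers, which is why the prefix check is combined with the ratio instead of being used alone.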


Understanding Key-Entered Fraud

Key-entered fraud, a method for processing fraudulent or unauthorized
transactions, is a frequently used component of many merchant fraud
scenarios, such as bust-out schemes, laundering, or telemarketing fraud. In
these scams:
• Cards are not present.
• The merchant or perpetrator may be working off a list of counterfeit or
fraudulently obtained account numbers.
• Transactions are key-entered by using the manual override function, which
is a standard feature on all POS terminals.
• The merchant then deposits the transactions normally, and payment is
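generally received within 48 hours.

Key-entered transactions are prohibited in some markets due to the high
fraud losses associated with this method of payment processing.
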
Key-entry is not, in and of itself, a sign of potential fraud; however, acquirers
do need to be aware of how current transaction-processing technology can be
exploited by criminals and collusive merchants. In “boiler room” scams, multiple
terminals are located in a single room or small office, allowing criminals to
key-enter and receive payment for hundreds or even thousands of fraudulent
transactions in a very short time, often without immediate detection. Working
on rows of terminals, criminals can process a large volume of transactions in
one day, receive payment and empty their account the next, and then disappear
before an acquirer is even able to review daily Exception reports for signs of
suspicious activity.


Managing Inactive Merchant Accounts

Maintaining an inactive merchant account on file can result in unnecessary
operating costs, but of greater concern is the fact that it can represent potentially
significant exposure to fraud. If an account has been inactive for two to three
months, it could simply mean the merchant is seasonal, went out of business, or
signed with another acquirer—nevertheless, keeping the account open creates
expense to the acquirer.

Inactive Account Signs of Fraud

On the other hand, an inactive account can signal one of two fraud schemes:
• A bust-out scam, where a fraudulent merchant signs with several acquirers
simultaneously, moving from one to the next as the scam is perpetrated or
detected.
• The fraudulent diversion of the merchant’s deposits to a bogus merchant
account with another acquirer. In this scheme, an individual claiming to
represent the acquirer tells the merchant that he or she needs to replace or
reprogram the POS terminals. The funds are then routed to an account that
individual has set up elsewhere, and neither the merchant nor the legitimate
acquirer sees the deposit.
In some circumstances a genuine merchant may also become an inactive
merchant due to a number of reasons. Merchants that rely on tourism trade, for
example, will generally have very seasonally based active and inactive periods.
Inactivity could also be a sign of the merchant’s business failing; for this reason it
is essential to investigate periods of inactivity, as a merchant is more likely to act
collusively with criminals if the business is not doing very well. It is not always
profitable to keep inactive merchants as you have the costs and risks associated
with the POS equipment and services without the profit from a healthy level of
sales.
Acquirers should have exception monitoring in place to flag inactive accounts,
and follow up on all such exceptions with the known business owner (as
described in the next chapter).

Chapter 8 Merchant Activity Monitoring

Merchant activity monitoring is an essential part of managing merchant
portfolios. Daily monitoring of a merchant’s deposit and authorization activity can
help an acquirer recognize any unusual or sudden change in normal merchant
deposit activity levels. Periodic reviews of merchant accounts should also be
conducted to re-evaluate financial status and business operations.
As merchant fraud scenarios, and the losses they can cause, seem to multiply,
acquirers must expand their monitoring efforts to identify these issues at the
earliest possible moment. This chapter recommends merchant monitoring best
practices and reports to help acquirers identify merchant fraud and keep losses
to a minimum.

What’s Covered
• New Merchant Monitoring
• Ongoing Merchant Monitoring
• Periodic Merchant Reviews
• Identifying and Following Up on Suspicious Activity


New Merchant Monitoring

However thoroughly an acquirer may investigate prospective merchants, the first
few months after signing a new account should be a time of heightened vigilance.
Acquirers need to be on the lookout for any evidence of suspicious activity
associated with bust-out or other merchant fraud scams, or any activity that is
out of line with the information on the merchant application and may indicate
higher risks. Criminals who set up merchant facilities will often make normal
deposits for a month or two before there is a sudden “spike” in the deposit of
a large number of counterfeit or laundered transactions, which result in a large
number of chargebacks.

Daily Reviews of Merchant Activity

To ensure careful monitoring of new merchants, a daily review of merchant
activity is recommended for a two- to three-month period. During this time, any
variations or deviations in activity should be flagged and promptly investigated.

As specified in the Visa International Operating Regulations, acquirers must
monitor new high-risk merchants (which are registered as such with Visa Inc.)
on a daily basis.

Criminals who set up merchant facilities will often make normal deposits for
a month or two before there is a sudden “spike” in the deposit of a large
number of counterfeit or laundered transactions, which results in a large
number of chargebacks.

Suspicious activity may include any of the following:
• Deposit Variations. Check for any variations in deposit amount, frequency,
or type. Has a merchant suddenly changed from weekly to daily deposits? In
the case of manual deposits, are they being made at a branch office where
the merchant normally doesn’t do business? Are paper drafts handwritten or
imprinted with another merchant’s name—a sign of possible laundering? Do
the deposit totals and average transaction size coincide with projections on
the merchant’s application?
• Large Deposits. Unusually large bankcard deposits should be treated the
same as any large deposit to a checking or savings account; that is, they
should be reviewed by bank personnel, and funds held when appropriate.
Acquirers should pay particular attention to deposits containing large,
even-monetary amounts or excessive credits, which may indicate that a
merchant is making cash advances or other improper payments (see
“Suspicious Credit Activity” on next page). Similarly, look for multiple drafts
with the same account number on them or any sudden increase or decrease
in a merchant’s average ticket amount.

• Suspicious Authorization Activity. Like deposits, authorization records should
be monitored for any signs of fraudulent activity. For example, is a merchant
submitting a large number of authorization requests during non-business hours? Is
the authorization decline rate unusually high? Look for discrepancies between the
number of authorizations and transactions—specifically, a high number of
authorizations with few or no corresponding transactions. Acquirers should also
scrutinize any sales where the transaction has been approved only after a merchant
has made repeated authorization requests for declining dollar amounts. Attempts to
circumvent authorization limits may indicate split sales or other improper
transaction processing.
• Suspicious Credit Activity. Check for large credits or for discrepancies between
sales and credits. A merchant can commit fraud by depositing large or excessive
credits into his or her own or an accomplice’s personal account. The merchant
might issue a credit without a corresponding sale, or deposit several small- or
medium-sized sales transactions, then issue a large credit to the personal account
to offset the total deposited sales.

All other significant aspects of the merchant’s business should be monitored as
well. Acquirers should look for sudden changes in ownership, location, phone
number, product line, or selling methods. Other signs of suspicious activity may
include requests for new accounts or for additional sales equipment—such as
terminals, imprinting machines, or sales transaction receipts—at new or
additional locations.

If applicable, the acquirer should review the merchant’s website to identify
changes in products, delivery methods, or return policies. They should also check
the site to ensure proper functionality. If business or product changes have
occurred, the risk exposures associated with the merchant may have changed as well.

Ongoing Merchant Monitoring

Merchant Monitoring Reports

Merchant monitoring should be used as part of a regular, ongoing program to
identify potentially fraudulent activities.

Experience has shown that an effective merchant monitoring program needs to go
beyond the minimum requirements outlined in the Visa International Operating
Regulations. The following charts provide an overview of a recommended set of
reports and data review actions that make up a comprehensive merchant activity
monitoring program. Keep in mind that these reports are likely to be manually
intensive and probably ineffective for all but the smallest acquirers.

There are also a number of vendors who can provide sophisticated merchant
monitoring solutions. It is up to the acquirer to assess its ongoing merchant
monitoring needs and determine the reporting capabilities that will work given
the institution’s size and level of sophistication. Acquirers must also be
realistic when it comes to the types of reports that will actually be reviewed
and used by staff members.

Most acquirers have their own monitoring programs in place to regularly monitor
merchant activity. To enhance these programs, Visa established the Merchant
Deposit Monitoring Standards to help acquirers set up a warning system to detect
fraudulent activity at an early stage. The minimum requirements of this program
are described in the Visa International Operating Regulations.

Deposit Report Monitoring

Normal Weekly Activity Reporting
Acquirers must gather on a weekly basis each merchant’s:
• Gross sales volume
• Average transaction amount
• Number of transaction receipts
• Average elapsed time between the transaction date of the sales transaction
receipt and the endorsement date (date a transaction receipt is prepared for
clearing through interchange)
• Number of chargebacks

Normal Daily Activity Reporting
Acquirers must gather on a daily basis each merchant’s:
• Gross sales volume
• Average transaction amount*
• Number of transaction receipts
• Average elapsed time between the transaction date of the sales transaction
receipt and the endorsement date (date a transaction receipt is prepared for
clearing through interchange)
• Number of chargebacks

Exception Reporting (Required)*
Acquirers must compare merchant activity to the normal weekly activity
established for each merchant at least once a week and generate reports for
merchants who meet the following criteria:
• Weekly gross sales volume equals or exceeds U.S. $5,000 and/or any of the
following exceeds 150 percent of the normal weekly activity:
– Number of transaction receipts deposited
– Gross sales volume
– Average transaction amount
– Number of chargebacks
– Average elapsed time between the transaction date and the endorsement date for
a transaction, counting each as one day respectively, exceeds 15 calendar days

Chargebacks
Acquirers should monitor for the following chargebacks:
• High percentage of chargebacks month-to-date
• Total number by merchant type
• Dollar volume by merchant type, compared to merchant’s sales volumes
• Types of chargebacks

*An average transaction amount is usually the single most obvious predictor of a
significant change in merchant activity. While not necessarily an indicator of
risk, a radical change is a sign that something has happened and should be explored.

Refunds/Returns
Acquirers should monitor the following credit return information:
• Total daily refund amount
• Daily refund return-to-debit ratio

Deposit Monitoring
Acquirers should monitor the following deposit information:
• Daily deposit amount over maximum limit as defined by average daily volume for
the merchant
• First deposit in six months or more
• Total turnover changes for paper merchants - chip-liability shift
• Total turnover changes for magnetic-stripe merchants - chip-liability shift

Draft Retrievals
Acquirers should monitor the following draft retrieval information:
• Number of copy/original requests by merchant
• Variations in weekly total by merchant

Sales Transaction Receipts
Acquirers should monitor the following sales transaction receipt information:
• Average ticket value (ATV) over maximum limit as defined by average daily
volume for the merchant
• High percentage of tickets below the floor limit or ATV
• Excessive key-entered transactions for a POS merchant
• Non-electronic data capture items from a merchant who has electronic data
capture terminals
• Multiple sales transaction receipts with the same amount
• Multiple transactions on the same card
• Chip cards falling back
• Excessive non-domestic transactions/authorizations
• Heavy proportion of transactions on single BIN
• Sequential card numbers, if they can be spotted

Authorization Report Monitoring

Exception Reporting
Acquirers should monitor the following authorization activities:
• Daily authorized amount over the maximum limit as defined by daily volume for
the merchant
• Multiple authorizations for the same cardholder account number
• Total daily authorized count over the maximum limit
• Declined daily authorization percentage over the maximum limit
• Daily approval percentage over the maximum limit
• Descending amounts for the same cardholder account number
• Daily transactions that are manually or key-entered on an electronic data
capture terminal

Merchant Activity Monitoring Best Practices

• Establish automated velocity controls over high-risk transactions and deposits.
Depending on needs and resources, elect to use any of these options:
– Set an authorization limit for monthly volume or single transaction amount to
avoid the risk of large-scale fraud. This approach protects both the acquirer and
the merchant, but may have an adverse impact on the merchant’s business and
generate negative merchant reaction. For best results, clearly communicate the
authorization velocity controls to the merchant at the time of signing. Then,
monitor authorization activity. If the merchant comes close to the limit, conduct
a review to determine whether a limit increase is warranted.
– Prevent high-risk transactions or batches of settlement activity from entering
interchange until they have been reviewed. This second option offers protection
from the risk of chargeback and losses, but—unlike authorization controls—would
not protect a merchant from accepting fraudulent transactions.
– Withhold funding from suspect batches. This third option also offers protection
from risk exposure, but would not prevent future chargebacks since these
transactions will have been submitted into interchange.
• Automatically suspend large credit transactions that do not have a preceding
debit transaction. In some cases, merchants try to reduce discount fees or commit
fraud by submitting credit transactions to their own or an accomplice’s account.
In this fraud scenario, the merchant submits a large credit batch without
sufficient funds in its account to cover the credit.
• Develop effective criteria for monitoring and reporting suspicious activity.
In addition to standard merchant monitoring parameters, the following criteria
should be applied:
– Unusual authorization activity. To mitigate risk, look for descending
authorization amounts, excessively high decline or referral rates, or a large
number of authorizations to the same account number or the same Bank Identity
Numbers (BINs).
– Unusual activity on other payment products. While Discover, American Express,
Diners Club, and other card products do not necessarily expose an acquiring
institution to risk, unusual activity on these card products could indicate the
likelihood of future merchant fraud on the acquirer’s Visa or MasterCard products.
– Reduction in sales credits. This can be a sign of cash flow problems or business
failure for the merchant, leading to excessive chargebacks for your institution.
– Increases in draft retrieval requests. Growing draft retrieval requests with a
fraud reason code may provide an early warning of future chargebacks and
potential problems.

– No merchant activity. Maintaining an inactive merchant account on file can
result in unnecessary operating costs, but of greater concern is the fact that it
can represent potentially significant exposure to fraud. If an account has been
inactive for two to three months, it could simply mean the merchant went out of
business or signed with another acquirer. On the other hand, an inactive account
can signal a bust-out scam or the fraudulent diversion of the merchant’s deposits
to a bogus merchant account with another acquirer. Acquirers should have exception
monitoring in place to flag inactive accounts, and follow up on all such
exceptions with the known business owner.
– Tighter exception parameters for new merchants. This will result in a greater
number of reviews for these new accounts and is a prudent risk management practice
for the first three to six months of a merchant relationship.
– Credit transaction activity of gambling merchants. Acquirers must ensure that
online gambling merchants do not use the credit function (Transaction Code 06) to
pay cardholders’ winnings; they must be paid by alternate mechanisms, such as wire
transfers. Rules for credit transactions to correct merchant error or reimburse
the cardholder for a canceled transaction remain unchanged.
• Monitor the chargeback-to-sales ratios of all merchants. This should be done to
help ensure that merchants stay below the chargeback-to-interchange transaction
ratio standards under Visa’s chargeback monitoring programs.
• Follow up on merchants with excessive chargeback activity. This enables the
acquirer to minimize high-risk behavior to reduce losses suffered by the Visa
membership and prevent the merchant from entering into a Visa chargeback
monitoring program.
• Utilize online exception report queues that consolidate multiple alerts for a
single merchant into one exception listing.
• Develop a scoring system to prioritize merchant alerts for review. Merchant
exception reporting systems typically prioritize accounts based on gross deposit
amount. Another effective approach is to create a scoring system that considers
the multiple alerts received by a merchant in prioritizing the accounts for review.
• Implement automated controls to ensure that merchant alerts are properly worked.
Sophisticated merchant monitoring systems can distinguish between queues that have
been reviewed and queues that have not. This capability helps ensure that no
merchant alert is overlooked.

For additional details about Visa’s chargeback monitoring programs and service,
refer to Chapter 12: Visa Risk Control Programs in this manual.

• Establish an ongoing “closed loop” feedback process to assess the effectiveness
of suspect activity reports. This practice can help refine review criteria,
prioritize exception reviews, and develop weighting factors for scoring systems.
• Offer support for merchant fraud monitoring.
– Provide solutions that enable a merchant to effectively monitor high-risk
transactions. For example, merchants should be able to review transactions prior
to submitting them to the acquirer, especially under these circumstances:
- Internet Protocol (IP) address has been associated with fraud.
- Cardholder account number has been associated with fraud.
- Transaction request originates from countries with excessive fraud experience.
– Help merchants define their fraud monitoring criteria. It is important to
develop criteria that can control risk without negatively affecting the merchant’s
profitability. Be sure that criteria are not so restrictive that the merchant
loses more in sales revenue than it gains in fraud prevention.
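
The best practice of automatically suspending large credits that have no preceding debit can be enforced at batch intake. The following Python code is an added example, not part of the Visa manual: the record layout, the $500 threshold, the merchant and account identifiers and the sample batch are all constructed assumptions.

```python
from dataclasses import dataclass

LARGE_CREDIT_CENTS = 50_000   # assumption: the acquirer's own "large credit" threshold ($500)


@dataclass(frozen=True)
class Txn:                    # hypothetical settlement record
    merchant_id: str
    account_ref: str          # tokenized account reference, not a raw card number
    kind: str                 # "sale" or "credit"
    cents: int


def screen_credits(batch, refundable=None):
    """Split a batch, in submission order, into (released, suspended).

    `refundable` maps (merchant, account) to sales not yet offset by credits.
    Pass the same dict on later batches so a refund can match an earlier sale.
    """
    refundable = {} if refundable is None else refundable
    released, suspended = [], []
    for txn in batch:
        key = (txn.merchant_id, txn.account_ref)
        balance = refundable.get(key, 0)
        if txn.kind == "sale":
            refundable[key] = balance + txn.cents
            released.append(txn)
        elif txn.cents <= balance:
            refundable[key] = balance - txn.cents   # covered by a preceding debit
            released.append(txn)
        elif txn.cents >= LARGE_CREDIT_CENTS:
            suspended.append(txn)                   # large credit, no debit behind it
        else:
            released.append(txn)                    # unmatched but under the threshold
    return released, suspended


def refund_to_debit_ratio(batch):
    """Credits submitted divided by sales submitted, by amount, for one batch."""
    sales = sum(t.cents for t in batch if t.kind == "sale")
    credits = sum(t.cents for t in batch if t.kind == "credit")
    return credits / sales if sales else float("inf") if credits else 0.0


# Constructed sample: three sales, one full refund, one partial refund, and a
# large credit to an account that never made a purchase at this merchant.
SAMPLE_BATCH = [
    Txn("M-2002", "acct-A", "sale", 30_000),
    Txn("M-2002", "acct-B", "sale", 25_000),
    Txn("M-2002", "acct-C", "sale", 20_000),
    Txn("M-2002", "acct-A", "credit", 30_000),
    Txn("M-2002", "acct-B", "credit", 4_000),
    Txn("M-2002", "acct-X", "credit", 75_000),
]

if __name__ == "__main__":
    released, suspended = screen_credits(SAMPLE_BATCH)
    print("suspended:", suspended)
    print("refund-to-debit ratio:", round(refund_to_debit_ratio(SAMPLE_BATCH), 2))
```

Matching per account rather than per merchant total is what catches the pattern described earlier in the chapter, where several ordinary sales are offset by one large credit to a different account.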

Periodic Merchant Reviews

In addition to routine daily or weekly transaction monitoring, acquirers should
conduct periodic reviews of a merchant’s financial status and business operations.
The number and timing of these reviews should be based on the merchant type
and market practices. Acquirers should, however, conduct reviews annually (or
more frequently as needed) for a merchant who runs an intrinsic credit or fraud
risk. Again, any sudden or unexpected change in sales volumes, merchandise, or
profitability could be a sign of financial instability or potential fraud.
Acquirers should also be on the lookout for any change in a merchant’s
ownership, business principals, bank accounts, or sales method or market. For
example, a legitimate merchant might unknowingly sell a business to a criminal,
who will then request a new or different direct deposit account as part of the
bust-out merchant scheme. Similarly, a sudden change from card-present to
card-absent sales could be the first indication of a telemarketing scam.

Periodic Merchant Review Best Practices

To select accounts for periodic review:
• Establish risk-based criteria to select merchants for review and determine
the frequency of these reviews. Risk-based criteria are typically based on any
one or a combination of considerations, which can include merchant volume,
projected credits and chargebacks, merchant credit-worthiness, product or service
expansion, whether or not the merchant has entered a new payment channel, and
whether new owners are involved.
• Assign a scoring system to each criterion based on risk, then measure the
merchant’s performance against what is defined as acceptable. This is
known as developing risk-weighted criteria.
• After evaluating a merchant against all criteria, add all of the individual
scores together for a relative risk exposure calculation that can be used in
identifying potential problems and scheduling periodic reviews accordingly.

In conducting a periodic review:
• Re-evaluate the merchant’s financial condition. Look for notable changes in
the merchant’s sales volume, products, operations, or business practices.
• Conduct another on-site inspection to confirm that the merchant is
complying with the provisions of the merchant agreement and the Visa
International Operating Regulations.
• If applicable, review the merchant’s website to identify changes in products,
delivery methods, or return policies, and check the site to ensure proper
functionality. If business or product changes have occurred, the risk
exposures associated with the merchant may have changed as well.

• Obtain copies of the merchant’s financial statements and references to
verify that they are current.
• Look for and address immediately problems such as:
– Imminent merchant failure
– Own card usage
– Change of goods sold or laundering
– Refund fraud
– Supplier/fulfillment problems
• Understand your merchants’ transaction behavior. Target inactive
merchants for review on a monthly basis, and take action accordingly to
reduce fraud exposure. In some cases, inactive merchants are fronts for
criminals in need of a merchant account to deposit fraudulent transactions.

For Internet Merchants:
– Develop systematic methods to compare the merchant’s original website content
to current content to determine whether the merchant has changed the product
being offered or is doing business as agreed. An automated check can quickly
identify whether the merchant is still operating under the terms of its contract
with your institution.
– Develop automated, intelligent comparison routines to find significant changes
in business name or products.
– Use merchant shopper programs, particularly in the first three months after
signing. These types of programs use anonymous individuals who shop with merchants
to evaluate customer service and validate whether the merchant offers the products
it has claimed to the acquirer that it sells. The shopper then reports his or her
findings back to the acquirer.

Shopper programs can:
• Provide assurance that a merchant’s products are of reasonable quality and will
not result in excessive chargebacks.
• Let an acquirer test the adequacy of merchant refund practices.
• Help an acquirer provide feedback to the merchant on the entire shopping and
return process, and help them identify areas for improvement.

Both Bizrate.com (www.bizrate.com) and CNET (www.cnet.com) are
merchant shopper programs that the merchant can enlist to question actual
consumers about their shopping experience directly after they complete a
transaction. These services also conduct a follow-up with the consumer after
a period of time to ensure the products were received as expected. Data from
this relationship may be useful for determining whether a merchant should be
reviewed more closely.

Identifying and Following Up on Suspicious Activity

Recognizing the Signs of Suspicious Merchant Activity

In many, if not most cases, merchant fraud will result in a sudden, dramatic
change in sales activity. To catch these unexpected shifts and fluctuations,
exception reports must be monitored daily—and if possible, before any
payments for the day’s transactions are deposited in a merchant’s account. In
addition, all transactions from new merchant locations should be reviewed on
a daily basis for a two- to three-month period.

Acquirers should establish and document procedures for investigating suspect
activity. For additional details on how to investigate suspect activity and follow
up accordingly, refer to Chapter 9: Merchant Fraud Investigation in this manual.

Signs of suspicious activity may include any of the following:
• An unusual or unexpected increase in the number or dollar amount of
transactions. Likewise, a sudden re-activation of a previously inactive account.
• A dramatic shift, up or down, in the average transaction size.
• A high or disproportionate amount of key-entered sales.
• A large number of high or even-dollar transactions, especially if they are
key-entered.
• A sudden drop or stop in sales deposits.
• Discrepancies between a merchant’s authorization and transaction activity,
specifically a high volume of authorizations with few or no corresponding
transactions. This may be a sign of skimming or account testing.
• Account numbers in a numerical sequence or within the same BIN. Acquirers should
also track deposits over periods of a few days or weeks to check for transactions
or authorizations with account numbers in a single BIN. A string of account
numbers may be the first sign of fraud associated with CreditMaster or other
account number-generating software.
• An unusual proportion of declined transactions. This could be another
indication of account testing.
• Authorization or transaction activity that takes place after hours, when the
business should be closed. After-hours sales are associated with several
types of fraud, including bust-out merchants and account testing.
• Excessive credits (especially to the same account number), or discrepancies
between sales and credits. Acquirers should check transaction records
for any discrepancies between the number and dollar amount of sales
and credits—often the first sign of a merchant credit scam. For example,
a business might issue a credit without a corresponding sale, or it could
deposit several small- or medium-sized sales and then issue a single large
credit to the merchant’s personal account.

• Transactions charged against a merchant’s personal credit card account.
• At service stations with Cardholder-Activated Terminals (CATs), monitor for
a sudden reduction in the proportion of transactions that occur at the pumps.
Service stations are often a common purchase point in skimming scenarios
in which criminals disable the CATs, forcing the customers to take their cards
into the kiosk. While the customers pump gas, their cards are skimmed.
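
Two of the signs listed above, approvals reached only after repeated requests for declining amounts and account numbers in a numerical sequence within one BIN, can be checked directly against an authorization log. The following Python code is an added example, not part of the Visa manual: the record layout, function names, thresholds and sample data are constructed, and the account numbers are made up.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Auth:                 # hypothetical authorization-log record
    merchant_id: str
    account: str            # account number as seen by the acquirer
    cents: int
    approved: bool


def descending_retries(auths, min_declines=2):
    """Approvals reached only after repeated declines for descending amounts.

    `auths` must be in time order. Returns (merchant, account, declined amounts,
    approved amount) for each hit. min_declines is an assumed tuning value.
    """
    runs = defaultdict(list)            # (merchant, account) -> current declined run
    hits = []
    for auth in auths:
        run = runs[(auth.merchant_id, auth.account)]
        if not auth.approved:
            if run and auth.cents >= run[-1]:
                run.clear()             # amount did not drop: start a new run
            run.append(auth.cents)
            continue
        if len(run) >= min_declines and auth.cents < run[-1]:
            hits.append((auth.merchant_id, auth.account, tuple(run), auth.cents))
        run.clear()
    return hits


def sequential_runs(accounts, min_run=3):
    """Runs of consecutive account numbers inside one BIN.

    The final digit of a card number is a check digit, so neighbouring numbers
    are consecutive only once it is dropped. Returns (BIN, first, last) with the
    check digit removed. Assumes 6-digit BINs and equal-length numbers.
    """
    by_bin = defaultdict(set)
    for account in accounts:
        by_bin[account[:6]].add(int(account[:-1]))
    found = []
    for bin_, bodies in sorted(by_bin.items()):
        ordered = sorted(bodies)
        start = 0
        for i in range(1, len(ordered) + 1):
            if i == len(ordered) or ordered[i] != ordered[i - 1] + 1:
                if i - start >= min_run:
                    found.append((bin_, ordered[start], ordered[i - 1]))
                start = i
    return found


def top_bin_share(accounts):
    """Most common BIN and the fraction of distinct accounts that fall in it."""
    distinct = set(accounts)
    bin_, count = Counter(a[:6] for a in distinct).most_common(1)[0]
    return bin_, count / len(distinct)


# Constructed sample data; the account numbers are made up and not valid cards.
SAMPLE_AUTHS = [
    Auth("M-1001", "4000001234567801", 50_000, False),
    Auth("M-1001", "4000001234567801", 40_000, False),
    Auth("M-1001", "4000001234567801", 30_000, False),
    Auth("M-1001", "4000001234567801", 20_000, True),
    Auth("M-1001", "4000009999999995", 5_000, False),
    Auth("M-1001", "4000009999999995", 5_000, True),    # ordinary retry, same amount
    Auth("M-1001", "4000001234567819", 2_500, True),
    Auth("M-1001", "4000001234567827", 2_500, True),
    Auth("M-1001", "4000001234567835", 2_500, False),
    Auth("M-1001", "4111110000000009", 7_200, True),
]

if __name__ == "__main__":
    accounts = [a.account for a in SAMPLE_AUTHS]
    print(descending_retries(SAMPLE_AUTHS))
    print(sequential_runs(accounts))
    print(top_bin_share(accounts))
```

An ordinary retry at the same amount is not reported; only a run of at least two declines that each drop in value and then end in an approval is.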

Holding a Post-Mortem

Establish a post-mortem analysis to evaluate causes of loss and determine
whether the loss could have been prevented. Provide feedback to the entire
merchant operations staff for performance assessment and improvement
action(s).

Chapter 9 Merchant Fraud Investigation

When signs of potential merchant fraud are discovered, or a scam is confirmed,
acquirers should initiate a prompt and rigorous investigation. The primary purpose
of an investigation is to develop sufficient evidence and information to stop
fraudulent activity and recover losses. Any evidence and information collected
during investigations must be carefully documented to provide law enforcement
authorities with sufficient data to arrest, prosecute, and convict suspected
individuals.
Beyond helping to control fraud, documented investigation policies along with
diligent investigative efforts may also improve relations with law enforcement
authorities. An investigation of fraudulent activity may result in the apprehension
of criminals involved in burglaries, robberies, and other violent crimes and can open
the way for future communication and cooperation with law enforcement personnel.
A successful fraud investigation requires a planned, systematic search for facts
and other supporting evidence. This chapter includes guidelines on how to obtain
all relevant information about a potential or confirmed merchant scam.

What’s Covered
• Fraud Control and Investigation Standards
• Components of a Successful Investigation
• Conducting an Investigation
• When a Scam Is Confirmed
• Case Prosecution
• When a Merchant Agreement is Terminated
• Merchant Communication During and After an Investigation

Fraud Control and Investigation Standards

As an acquirer, you maintain full responsibility for the actions (losses) of all your
merchants. If a merchant has chargebacks in excess of the assets you have on
deposit and the merchant goes out of business, you are held responsible for the
remaining losses.
The following fraud control and investigative standards have been included to
help acquirers control fraud losses through prevention, early detection, effective
investigation, and resolution of payment card fraud. These standards are
intended as recommendations only; Visa encourages individual members to
adapt them to reflect the specific needs of their organization and merchant
program.

Fraud Control Performance Standards

A key to effective fraud control is to centralize the prevention and investigation
functions in a Fraud Control Department or similarly defined organizational
structure. At a minimum, a member’s Fraud Control Department, or specially
trained fraud control personnel, must be able to support the following basic
activities:
• Monitor, investigate, detect, analyze, and report fraudulent activity against
the Visa brand and products. Focus should be on these three primary
functions:
– Prevent by following best practice recommendations and using all the
fraud-prevention systems developed and made available by Visa for each
fraud type.
– Detect by using a system that alerts you to transactions that have a high
probability of being fraudulent.
– Recover by detecting “friendly fraud” at the time a dispute is reported,
reviewing transactions for chargeback opportunities, and recovering
fraudulent activity resulting from compromised account information.
• Plan and supervise security for the production, storage, and distribution of
Visa products.
• Safely and securely maintain all account information.
• Act as an interface with the criminal justice system, along with educating
criminal justice personnel and maintaining effective working relationships with them.
• Make sure all facilities involved in operating the member’s Visa merchant
program are physically secure.
• Make sure merchants are educated about fraud prevention.

Investigation Performance Standards

Investigating payment card fraud is one of the primary functions of a member’s
Fraud Control Department or specially trained fraud control personnel. Members
that routinely and rigorously investigate fraud cases send a strong message of
deterrence to potential perpetrators.

Visa may take appropriate actions to ensure that a member complies with these
performance standards and the Visa International Operating Regulations. Such
actions may include, but not be limited to, assigning appropriate resources to
bring the member into compliance at the member’s expense.

Compliance with the following standards can help ensure timely and effective
fraud investigations. Specifically, acquirers and/or assigned risk management
personnel should do the following:
• Establish a 24-hour contact phone, fax, or telex number to support
investigative inquiries from other Visa members, law enforcement, or criminal
justice personnel.
• Subject to applicable local law, have access to, and be authorized to provide,
at least the following details to other members or law enforcement and other
criminal justice personnel:
– Cardholder data
– Card expiration date
– Status of the card and account
– Suspected or reported fraudulent activity
– Full details of the loss or theft of the card
• When a subject is in custody, provide the following information to other
members or law enforcement and other criminal justice personnel within
12 hours:
– Identity of the cardholder and authorized users
– Card expiration date
– Status of the card and account
– Suspected or reported fraudulent activity
– Full details of the loss or theft of the card
• Provide a substantive response to all inquiries from other members or law
enforcement within 72 hours of receiving the initial request.
• Document all inquiries and responses when requested.
• Notify their designated Visa regional fraud control contact of any other
member’s failure to comply with investigative support performance
requirements.
• Have access to cardholder and merchant transaction data for at least the
prior six months’ activity.
• Maintain documented investigative procedures governing all phases of a
fraud investigation.


• Conduct an investigation when advised that account or transaction
information is not maintained safely and securely or when advised the
information was compromised. The member’s investigation must determine:
– Why the account or transaction information was not maintained safely and
securely.
– How the account or transaction information was compromised.
– What was done to ensure the safety and security of the account or
transaction information.
– Whether the merchant/processor/Third-Party Agent was compliant with
the Payment Card Industry Data Security Standards (PCI DSS).
• Report losses or theft of account transaction data to Visa Fraud Control by
phone, fax, or secure e-mail (Visa Online). The report must contain all of the
following information (or as much of it as possible):

– Issuer name
– Form, number, and range of missing account or transaction information
– Specific account numbers missing
– Type of account information on the missing material (i.e., PAN only, full
track data, CVV2*, cardholder name and address)
– Pertinent details about the loss or theft and the ensuing investigation
– Contact name and telephone number for additional information
– Name and telephone number of the person reporting the loss or theft
– Law Enforcement investigating agency, if applicable
• Maintain all documentation relating to each investigation initiated by, or
on behalf of, their fraud control or other personnel for at least three years
following the last update to the respective case file.

*In certain markets, CVV2 is required for card-absent transactions.


Components of a Successful Investigation

Taking a Systematic Approach

A good fraud investigation requires a planned, systematic approach to gathering
facts and supporting evidence. Once fraud is suspected, further investigation
is required to confirm or refute these suspicions. The following are included
among the basic skills and techniques required for a successful investigation:
Planning. Create a plan that facilitates the easy acquisition of information and
evidence that supports an arrest and subsequent conviction.
Data collection. Either desk or field research to gather information to establish the
facts surrounding the transactions in question. This would include the collection
of available transaction information, cardholder information and cardholder
reports.
Fact finding. This usually involves conducting telephone and field interviews
with the cardholder, merchant, and witnesses, to obtain further details of the
fraud activity. This information also assists in determining the direction of the
investigation, as well as verifying and corroborating evidence where possible.
During witness interviews, investigators should try to obtain enough personal
information so that these individuals can be located at least one year after the
fraudulent transaction occurred.
Analysis. Review the information collected through data collection and fact-
finding and any other documentation (such as the lost or stolen card report,
cardholder affidavit, and sales receipts) for suspected fraudulent transactions.
Report and recommendations. Based on the information gathered, interviews and
analysis, a recommendation regarding further action must be made as part of the
report. Report writing is an essential part of the investigation, as the information
must be recorded for possible criminal or civil action.
Documentation. Create a file folder for documentation and evidence gathered in
each investigation. Maintain the results of the investigation for future reference.
Resolution. Determine what action will be necessary to resolve the case once the
evidence is collected. Resolution may be achieved by:
• Presenting the evidence to the police. The report presented should
include succinctly written comments and the details of any interviews. All
transaction information, sales drafts, and receipts must be included in the
report to the police.
• Seeking restitution (when there is not enough evidence to prosecute,
members may be successful in obtaining financial restitution from suspected
perpetrators).
• Closing the case due to lack of sufficient evidence to prosecute.


Conducting an Investigation

Suspect Activity Investigation Best Practices

When suspicious activity is detected, an acquirer must be ready to investigate
and resolve the matter in an efficient and timely manner.

Suspect activity investigation policies help prepare an acquirer to handle
exceptions and manage their associated risks as effectively as possible.

• Establish sound policies for investigating suspect activity.
– Define the exception criteria that must be reviewed.
– Designate specific responsibilities and authority
levels for reviewing cases and taking action to resolve them.
– Establish strict timelines to ensure timely resolution.
• Develop an effective investigation and resolution process. To mitigate risk,
this process should enable an acquirer to:
– Record suspect activity in a merchant history database and review previous
exception conditions.
– Develop appropriate investigative steps, such as contacting issuers to verify
the transactions in question.
– Partner with issuers to handle calls related to questionable transactions.
– Pre-define steps to bring rapid closure to investigations.
– Establish the internal and external notifications that will be necessary to
document the completion of an investigation.
• Where possible, acquirer investigators should contact the merchant directly
and request all available information about the fraud. Most merchants will be
cooperative—and truly surprised that fraud has been discovered at their
business location. If a merchant seems reluctant or refuses to answer your
questions, you may want to seek assistance from local law enforcement or, in
extreme cases, go to court for a subpoena.

During a merchant fraud investigation, it may be necessary to involve the
issuer if a subpoena is sought, since the issuer is typically the injured party.

A careful investigation may, but need not, include
an on-site inspection. In fact, most investigations can be based on information
derived from an acquirer’s routine merchant monitoring and transaction records,
such as regularly updated merchant profiles, authorization records, Exception
reports, and chargeback monitoring.


• Examine the merchant profile—if kept up-to-date—to detect irregularities.
Key indicators that could point to a program problem include the following:
– Account history. This includes basic information on how long the account
has been open, the business’ track record, any previous incidents of fraud,
excessive chargebacks, or other suspicious activity.
– Business type. Look for any signs of risk—a high-risk business category,
location, or sales method. For example, a shift from card-present to
card-absent selling may be the first sign of telemarketing fraud.
– Terminal type. Find out the type of point-of-sale (POS) devices and
software the merchant uses, and the account information these terminals
read and display. Make an inventory of the number of terminals, their
locations, and their serial numbers. This information may be vital when
investigating a counterfeit skimming scam or any other merchant fraud
where account data theft occurs.
– Transaction-processing procedures and infrastructure. Look for other
potential points of compromise in a merchant’s transaction-processing
system. Are cards ever out of customers’ sight during transactions? How
many other systems or entities are involved in transaction processing—the
merchant’s host system, a third-party processor, acquirer systems, etc.?
Who has access to account data at the different locations involved in
transaction processing?
– Number of terminals and employees. A merchant’s size can be a key
element in how fraud is committed and concealed. Fraud often occurs after
a business opens a new location, expands its workforce, or takes on a new
partner. Similarly, criminals may attempt to conceal a scam—for example,
laundering—by processing transactions through different terminals or
different locations in a large business.
– Average sales volumes. Tracking changes in a merchant’s gross sales
volume, average ticket amount, and number of transactions can help an
acquirer determine the “dimensions” of a scam: when it began, the type of
fraud involved, and potential losses.
• Carefully scrutinize all authorization and sales records for fraudulent
transactions and look for common characteristics. Additional details may
also be obtained by having the merchant review these records. Acquirer
investigators should look for:
– Time of Transaction. Did the fraud occur during or outside of regular
business hours? What shift? Who was working?
– Department and Terminal ID. This information can help you pinpoint a
potentially collusive employee, or faulty card acceptance procedures in a
particular area.
– Entry Mode. Was the card swiped, or was the transaction key-entered?
– Other Characteristics. Any potential similarities on authorization and
sales records may help you document the basic details of a scam and
identify the perpetrators. Check sales amounts, types of merchandise
purchased, and the account numbers used.


• When reviewing chargeback records, be on the lookout for chargeback
codes that indicate customer disputes, such as “Non-Receipt of
Merchandise,” “Merchandise Not As Described,” and “Defective
Merchandise.” A sudden, dramatic rise in the number of chargebacks or
Requests for Copy is often the first sign of a change in the way a merchant is
doing business.
• Examine the merchant’s data security practices. Since most counterfeit
schemes will, at some point, involve the theft of valid account information,
the investigation should also:
– Document what account information is stored, where, how, and who has
access to it.
– Determine if any merchant employees have recently brought a laptop
computer to work. Laptops are often used in skimming or other scams where
data theft occurs.
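
The review of authorization records described above (time of transaction, department and terminal ID, entry mode) can be run as an over-representation check on the merchant's records. The following Python code is an added example, not part of the Visa manual; the records, field layout, business hours and thresholds are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, time

# Constructed authorization records for one merchant:
# (timestamp, terminal ID, department, entry mode, issuer-confirmed fraud?)
RECORDS = [
    ("2010-03-01 10:15", "T01", "Grocery", "swiped", False),
    ("2010-03-01 11:40", "T02", "Grocery", "swiped", False),
    ("2010-03-01 13:05", "T03", "Electronics", "swiped", False),
    ("2010-03-01 15:30", "T01", "Grocery", "swiped", False),
    ("2010-03-01 18:20", "T02", "Grocery", "keyed", False),
    ("2010-03-02 09:45", "T01", "Grocery", "swiped", False),
    ("2010-03-02 12:10", "T03", "Electronics", "swiped", False),
    ("2010-03-02 14:55", "T02", "Grocery", "swiped", False),
    ("2010-03-02 17:35", "T01", "Grocery", "swiped", False),
    ("2010-03-02 19:50", "T02", "Grocery", "swiped", False),
    ("2010-03-03 10:05", "T03", "Electronics", "swiped", False),
    ("2010-03-03 11:25", "T01", "Grocery", "swiped", False),
    ("2010-03-03 16:40", "T02", "Grocery", "swiped", False),
    ("2010-03-03 18:15", "T01", "Grocery", "keyed", False),
    ("2010-03-03 20:30", "T02", "Grocery", "swiped", False),
    ("2010-03-01 21:40", "T03", "Electronics", "keyed", True),
    ("2010-03-01 22:05", "T03", "Electronics", "keyed", True),
    ("2010-03-02 21:55", "T03", "Electronics", "keyed", True),
    ("2010-03-02 22:20", "T03", "Electronics", "keyed", True),
    ("2010-03-03 19:10", "T03", "Electronics", "keyed", True),
]

OPEN, CLOSE = time(9, 0), time(21, 0)  # assumed regular business hours


def features(rec):
    """Map one record to the characteristics the investigator compares."""
    ts, terminal, dept, entry, _ = rec
    t = datetime.strptime(ts, "%Y-%m-%d %H:%M").time()
    return (
        ("terminal", terminal),
        ("department", dept),
        ("entry_mode", entry),
        ("hours", "in_hours" if OPEN <= t < CLOSE else "after_hours"),
    )


def common_characteristics(records, min_fraud=3, min_lift=2.0):
    """Rank characteristics that are over-represented among fraud records.

    lift = (share of fraud records with the value) /
           (share of all records with the value).
    Values seen on fewer than min_fraud fraud records are ignored so that
    a single transaction cannot dominate the ranking.
    """
    n_all = len(records)
    n_fraud = sum(1 for r in records if r[4])
    seen_all, seen_fraud = Counter(), Counter()
    for rec in records:
        for key in features(rec):
            seen_all[key] += 1
            if rec[4]:
                seen_fraud[key] += 1
    ranked = []
    for key, hits in seen_fraud.items():
        lift = (hits * n_all) / (seen_all[key] * n_fraud)
        if hits >= min_fraud and lift >= min_lift:
            ranked.append((key[0], key[1], hits, round(lift, 2)))
    return sorted(ranked, key=lambda row: -row[3])


def dominant_profile(records):
    """Most frequent full combination of characteristics among fraud records."""
    combos = Counter(tuple(v for _, v in features(r)) for r in records if r[4])
    return combos.most_common(1)[0] if combos else None


if __name__ == "__main__":
    for name, value, hits, lift in common_characteristics(RECORDS):
        print(f"{name}={value}: {hits} fraud records, lift {lift}")
    print("dominant profile:", dominant_profile(RECORDS))
```

The dominant profile (terminal, department, entry mode, hours) is the pivot for the follow-up questions in the text: which shift, and who was working.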


When a Scam is Confirmed

Fraud Loss Reduction Best Practices

If a fraud scam is confirmed or seriously suspected, acquirers should consider
the following possible actions, if consistent with the acquirer’s legal and
contractual rights:
• Consult with their legal counsel about how to minimize losses.
• Freeze the merchant’s Direct Deposit Account (DDA) or other accounts. If
the merchant’s DDA is with another financial institution, initiate ACH action
to pull funds from the DDA.
• Suspend the merchant account pending an investigation. If fraud is
confirmed, terminate the business’ merchant agreement immediately.
• Block the merchant DDA or cease paying the merchant for transactions in
order to capture funds and cover losses.
• File a civil suit to recover losses, and, if appropriate, freeze other assets of
the business or its principals.
• Alert local and federal law enforcement agencies about the scam, and
cooperate in their efforts to prosecute the perpetrators.
• Notify the National Merchant Alert Service (NMAS), if applicable in your
market/region.
• Contact the issuers of any account numbers stolen, copied, or used for
fraudulent transactions in a confirmed scam. This will allow the issuers to
conduct their own investigations, and monitor or close the accounts if
necessary.
• In cases where a merchant is truly unaware that a scam has occurred, or
where collusive employees were involved, work with the merchant business
to develop a comprehensive fraud-prevention plan. Additional merchant
training should be provided if necessary. Employees should be aware of
proper card acceptance procedures, card security features, and what to do if
suspicious about a card or a transaction. In addition, acquirers should ensure
terminals and equipment are set to ensure optimum data security.


Case Prosecution

Acquirer Cooperation

If the fraudulent use of a Visa card is considered a crime, criminal justice system
personnel may ask for cooperation from the acquirer’s fraud investigators in
prosecuting the offender. While the decision to prosecute suspected fraud
perpetrators is usually left up to an individual member’s discretion, a consistent
policy of prosecution can provide substantial benefits.
• First, routinely prosecuting suspected fraud deters potential fraud
perpetrators.
• Second, it also gains the respect of law enforcement authorities and helps
ensure their future cooperation.
After requesting assistance from law enforcement authorities in apprehending
suspected fraud perpetrators, acquiring members should proceed with
prosecution of the case and advise legal counsel of all cases taken to prosecution,
if appropriate. In the course of a prosecution, witnesses (including the legal
cardholder and the member’s representatives) may be subpoenaed to appear in
court, possibly at the member’s expense.
Do not drop charges because of the expense involved in providing witnesses or
because the suspect has offered to make restitution.


When a Merchant Agreement is Terminated

Loss Control Best Practices

Whether a merchant agreement is terminated for simple business reasons,
fraud, or credit risk issues, actions should be taken to protect the acquiring
organization and the payment system from losses. The following best practices
should be applied:
• Establish pre-defined authorities to suspend merchant processing and hold
funds, as well as formal internal responsibilities, policies, and procedures
for terminating merchants. This formal approach will minimize indecision in
terminating merchants.
• Develop an effective and timely merchant termination process that protects
Visa, the payment system, and the acquiring institution’s interests.
• If owned by the acquirer, remove POS terminals from the merchant
location.
• To preclude the processing of further transactions, suspend settlement to
the merchant’s account. Authorization processing should be blocked as well.
• If a processor is used for authorizations or settlement, notify the processor
and request that the merchant account be blocked to prevent account
testing and any further deposits.
• Add merchant name to the Terminated Merchant File (TMF) when the
merchant account has been closed for cause, as specified in the Visa
International Operating Regulations.
Attention to these details will preclude time spent investigating account testing
and can help prevent fraud in the long run.


Merchant Communication During and After an Investigation

Merchant fraud investigation efforts can be reinforced through written
communications that alert the merchant to any deviations from standard
operating procedures, or to any actions taken by the acquirer in response to
merchant investigation findings.

Merchant Letters

Acquirer investigators should use merchant letters as part of a regular program
to advise the business of:
• Actions they can take to reduce losses due to fraud. Advices are also used to
notify merchants of upcoming changes in policies or procedures.
• Some anomaly noted or action taken regarding the handling of a transaction.
• Improper or excessive fraudulent activity that has been noted and corrective
action that needs to be taken immediately.
• A cancelled contractual relationship.
Merchant letters provide a record of merchant notification.

Chapter 10: Cardholder Information and Personal Identification Number Security

Every piece of cardholder account information that passes through the Visa
payment system is vital to our business. Without proper safeguards in place, this
information can be vulnerable to internal and external compromise, leading to
fraud and loss of consumer confidence. The goal of Visa’s security programs is to
ensure the highest standard of due diligence to protect sensitive cardholder data
from hackers and fraudsters. This chapter explains the Payment Card Industry
(PCI) Data Security Standard (DSS) Compliance Program. It also covers the
security measures needed to protect cardholder PINs and prevent the possibility
of compromise in the acquiring environment.

What’s Covered
• Information Security—Who, What and Why
• Cardholder Data Storage and Security
• What is the Payment Card Industry Data Security Standard?
• Visa PIN Security
• Minimizing Third-Party Agent Branded ATM Risk
• Visa White Label ATM Compliance Program
• Acquiring Center Security


Information Security—Who, What, and Why

Visa members, merchants, and their Third-Party Agents have always been
accountable for putting into place effective controls to protect account and
transaction information. Maintaining the confidentiality, integrity, availability,
and authenticity of this information has always been the highest priority of
the payment industry. These assets must be protected from unauthorized
modification, disclosure, and destruction.
• For members, merchants, and their agents. Data security should be a key
component of all policies and practices related to the acceptance and
processing of transactions.
• For Visa cardholders. It is a matter of selecting and doing business with a
reliable, reputable entity. They want assurance that their account information
is being guarded and that their personal data is safe.
• For Visa. It means identifying the requirements and tools that encourage
members, merchants, and their agents to establish appropriate cardholder
and transaction information security and privacy controls and measures.

Potential Costs and Risk Exposure

Without proper information security controls, threats to account and transaction
information can expose an organization to several different types of risk.
• Financial Exposure. Direct theft, destruction, or other loss of assets.
• Reputation Exposure. The loss of brand equity, customer relationships, or
competitive position in the market due to weakened trust and customer
relationships resulting from an enterprise’s vulnerability to threats.
• Regulatory and/or Legislative Exposure. Loss, or loss potential based on
unresolved or unmitigated exposures, may result in an enterprise being
penalized, depending on local laws. Many countries and regional jurisdictions
have introduced legislation dictating how organizations must protect sensitive
information.


Cardholder Data Storage and Security

Today, an internal or external compromise of any system where cardholder data
has been retained can result in the perpetration of counterfeit fraud,
fraudulent use of account data, and identity theft. It is critical to limit the
storage of cardholder data to the minimum necessary business purposes.

It is the responsibility of all acquirers to maintain transaction data integrity
and minimize potential fraud by conforming their practices to the Visa
International Operating Regulations.

To prevent compromise and protect the integrity of the payment system, members,
merchants, and Third-Party Agents that store, process, or transmit cardholder
data must:
• Keep all material containing account numbers—whether on paper or
electronically—in a secure area accessible to only selected personnel.
Merchants with paper receipts should be extremely careful during the storage
or transfer of this sensitive information. Merchants should at all times:
– Promptly get drafts to their acquirer.
– Destroy all copies of the drafts that are not delivered to the acquirer.
• Render cardholder data unreadable, both in storage and prior to discarding.
• Never retain full-track, magnetic-stripe, CVV2* or chip data subsequent
to transaction authorization. Storage of track data elements in excess of
name, personal account number (PAN), and expiration date after transaction
authorization is strictly prohibited.
• Use payment applications that comply with the PCI Payment Application
Data Security Standard (PA-DSS). A list of validated payment applications is
available at www.pcissc.org.

*In certain markets, CVV2 is required for card-absent transactions.
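
One way to check stored logs or exports against the retention rules above is to search them for track-formatted data, CVV2 fields and unmasked PANs. The following Python code is an added example, not part of the Visa manual or of any PCI tooling; the log lines are constructed, 4111111111111111 is a commonly used test number, and the track layouts assume the standard ISO/IEC 7813 sentinels and separators.

```python
import re

# Track 1: %B<PAN>^<name>^<YYMM><service code><discretionary>?
TRACK1 = re.compile(r"%B(\d{13,19})\^[^^?]{2,26}\^\d{4}\d{3}[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2 = re.compile(r";(\d{13,19})=\d{4}\d{3}\d*\?")
# Heuristic: a card verification value logged under an obvious field name.
CVV2 = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)
# Candidate PAN: a run of 13 to 19 digits not embedded in a longer run.
PAN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

# Kinds that must never be retained after authorization.
PROHIBITED = {"track1", "track2", "cvv2"}

# Constructed sample of a stored application log.
SAMPLE = [
    "2010-10-04 12:00:01 AUTH OK pan=411111******1111 exp=1212 amt=25.00",
    "2010-10-04 12:00:02 DEBUG raw=%B4111111111111111^DOE/JANE^12121010000000000000?",
    "2010-10-04 12:00:03 DEBUG t2=;4111111111111111=12121010000000000?",
    "2010-10-04 12:00:04 settle pan=4111111111111111 exp=1212",
    "2010-10-04 12:00:05 order_ref=1234567890123456",
    "2010-10-04 12:00:06 auth_req pan=411111******1111 cvv2=123",
]


def luhn_ok(number):
    """Luhn check, used to discard digit runs that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan):
    """First six and last four digits only, so findings never repeat the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan(lines):
    """Return (line number, kind, masked value) for each finding."""
    findings = []
    for no, line in enumerate(lines, start=1):
        covered = []  # spans already reported as track data
        for kind, rx in (("track1", TRACK1), ("track2", TRACK2)):
            for m in rx.finditer(line):
                findings.append((no, kind, mask(m.group(1))))
                covered.append(m.span())
        if CVV2.search(line):
            findings.append((no, "cvv2", "[withheld]"))
        for m in PAN.finditer(line):
            inside = any(s <= m.start() and m.end() <= e for s, e in covered)
            if not inside and luhn_ok(m.group()):
                # A PAN may be kept, but it must be rendered unreadable.
                findings.append((no, "clear_pan", mask(m.group())))
    return findings


def prohibited(findings):
    """Findings that breach the 'never retain after authorization' rule."""
    return [f for f in findings if f[1] in PROHIBITED]


if __name__ == "__main__":
    for no, kind, value in scan(SAMPLE):
        rule = "prohibited" if kind in PROHIBITED else "render unreadable"
        print(f"line {no}: {kind} {value} ({rule})")
```

Masked PANs and Luhn-invalid reference numbers produce no finding, which keeps the report focused on data that should not be on disk.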


What is the Payment Card Industry Data Security Standard?

Tactical, Practical, and Necessary

The Payment Card Industry (PCI) Data Security Standard (DSS) is a
comprehensive set of international security requirements for protecting
cardholder data. The PCI DSS was developed by Visa and the founding payment
brands of the PCI Security Standards Council to help facilitate the broad
adoption of consistent data security measures on a global basis. These 12
requirements are the foundation of Visa’s data security compliance program
known as the Account Information Security (AIS) Program. This program was
formerly known as the Cardholder Information Security Program (CISP) in the U.S.
• Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other
security parameters
• Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data and sensitive information
across open public networks
• Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
• Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
• Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
• Maintain an Information Security Policy
12. Maintain a policy that addresses information security


Visa Member Responsibilities

All Visa acquirers and issuers must comply, and must also ensure the
compliance of their merchants and service providers who store, process, or
transmit Visa account numbers. This program applies to all payment channels
including card present, mail/telephone order, and e-commerce. Visa members
must:
• Designate an individual or group of individuals to play an active role in fully
implementing and enforcing PCI DSS.
• Adequately inform merchants and agents of their PCI DSS-compliance role
and responsibilities and the penalties of non-compliance.
• Ensure that merchants and agents contractually require all associated
third parties with access to cardholder data to adhere to PCI DSS security
requirements.
• Provide tools and training opportunities to ensure merchants and agents
understand the PCI DSS requirements, as well as specific data security
measures and procedures.
• Validate that their merchants and all supporting agents comply with
the program.

Why Comply?

Consumer trust in the security of sensitive information is more critical than
ever. To build the confidence of mutual customers, all Visa constituents need
to be vigilant in their efforts to maintain data security. The PCI DSS helps Visa
members, merchants, and agents meet the obligations to the Visa payment
structure. Other compelling reasons for fully implementing and validating
compliance with the PCI DSS include:
• Maintaining the integrity of cardholder information — Customers
seek out merchants that they feel are “safe.” Confident consumers are
loyal customers. They come back again and again, as well as share their
experience with others.
• Minimizing both direct losses and associated operating expenses —
Appropriate data security protects your customers, limits risk exposure, and
minimizes the losses and operational expense that stem from compromised
cardholder information.
• Maintaining a positive image — Information security is on everyone’s mind…
including the media’s. Data loss or compromise not only hurts customers, it
can seriously damage a business’s reputation.

How Compliance Validation Works

Separate from the mandate to comply with PCI DSS is the validation of
compliance. Validation identifies vulnerabilities and ensures that appropriate
levels of cardholder information security are maintained. Visa has prioritized and
defined validation levels based on the volume of transactions and the potential
risk and exposure introduced into the Visa system.
Some businesses validate compliance through an Annual On-Site Security
Assessment and Quarterly Network Vulnerability Scan; others complete an Annual
Self-Assessment Questionnaire and Quarterly Network Vulnerability Scan.


Acquirers and Issuers


All Visa acquirers and issuers must comply with the PCI DSS and will be advised
by Visa of applicable validation requirements. At minimum, acquirers are
responsible for ensuring the compliance and validation of their merchants. Issuers
and acquirers must also ensure that their Third-Party Agents—and the
Third-Party Agents used by their merchants—are registered with Visa and are
PCI DSS compliant.

Merchants
Merchants who store, process, or transmit Visa cardholder data generally fall into
one of four merchant levels based on Visa transaction volume over a 12-month
period. Transaction volume is based on the aggregate number of Visa transactions
(inclusive of credit, debit and prepaid) from a merchant Doing Business As (DBA).

Merchant Level | Description
1 | Merchants processing over six million Visa transactions annually (all channels) or Global merchants identified as Level 1 by any Visa region.
2 | Merchants processing one million to six million Visa transactions annually (all channels).
3 | Merchants processing 20,000 to one million Visa e-commerce transactions annually.
4 | Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to one million Visa transactions annually.

Service Providers
Service providers that store, process or transmit Visa cardholder data on behalf of
Visa acquirers, issuers, merchants or other service providers fall into one of two
service provider levels. Level 2 service providers are not posted on Visa’s list of
compliant service providers unless they opt to undergo a Level 1 onsite security
assessment.

Service Provider Level | Description | Posted on Visa’s Global List of Validated Service Providers
1 | VisaNet® processors or any service provider that stores, processes and/or transmits over 300,000 Visa transactions annually. | Yes
2* | Any service provider that stores, processes and/or transmits less than 300,000 Visa transactions annually. | No*

*Level 2 service providers may choose to validate as a Level 1 service provider in order to be listed on Visa’s Global List of Validated Service Providers.


Payment Application Security

PCI Payment Application Data Security Standard (PA-DSS)

The PCI Payment Application Data Security Standard (PA-DSS), developed to
create security standards for payment application vendors, mitigates the risk
of compromises through vulnerable payment applications, prevents storage of
sensitive authentication data (i.e., full magnetic-stripe data, CVV2* and PIN
data) and supports overall compliance with the PCI DSS. Visa developed a series
of payment application mandates that require acquirers to ensure that their
merchants and service providers do not use vulnerable payment applications
known to retain sensitive authentication data and also ensure the use of PCI
PA-DSS compliant applications.

Ongoing Information Security Communication

Through ongoing communication and education efforts, Visa members can
ensure that merchants and Third-Party Agents are up to speed on the front-line
defense they need to avoid internal and external security compromises.
A detailed description of Visa’s payment system security compliance programs
including PCI DSS compliance and validation requirements, payment application
security mandates, and PIN security and key management requirements can be
found at www.visa.com/CISP. In addition, Visa publishes data security alerts,
bulletins and webinar presentations; all are available for download. Members should
encourage their merchants and Third-Party Agents to visit this site to access details on
compliance and validation, and learn more about information security measures.

*In certain markets, CVV2 is required for card-absent transactions.


Visa PIN Security

The Visa PIN Security Program is a global acquirer program designed to support all
participants in the acquiring transaction processing chain to maintain the highest
level of PIN security. The program is based on the PCI PIN Security Requirements,
a set of mandatory requirements for the secure management, processing and
transmission of cardholder PINs during transaction processing at ATM and
point-of-sale (POS) PIN-entry devices (PEDs). Today, Visa initiatives and controls
continue to evolve to safeguard PIN transactions.

All participants in the acquiring transaction processing chain that manage
cardholder PINs and encryption keys must be in full compliance with the PCI PIN
Security Requirements.

Visa PIN Security Initiatives and Controls

Today, Visa initiatives and controls continue to evolve to safeguard PIN-based
transactions.

Visa PIN Security Program
The Visa PIN Security Program supports all participants in the acquiring
transaction processing chain as they work to maintain the highest level of PIN
security. The program helps merchants, Third-Party Agents, processing, and
encryption and support organizations adequately protect the confidentiality of
cardholder PINs through educational workshops on the management of encryption
keys used in PIN pads and hardware security modules. The program also includes
special publications such as the PCI PIN Security Requirements and the Visa
PIN Security Program: Auditor’s Guide. These publications are available to all
PIN-accepting entities free of charge and can be accessed at www.visa.com/pin
under “Security and Authentication.”

Triple Data Encryption Standard (TDES) Requirements

Visa has put into place several mandates for Triple Data Encryption Standard
(TDES) usage to protect on-line PIN-based transactions being processed within
POS and host systems.

TDES is the industry standard cryptographic process required to support
PIN-based transactions that are transmitted on-line.

• Effective 1 January 2004, all newly deployed attended POS PEDs (i.e., newly
purchased devices from the original equipment manufacturer; not previously
acquired devices being installed for the first time) must support TDES.
• Effective 31 December 2007, all VisaNet/Interlink endpoint Acquirer
Working Keys (AWK) must use TDES. Merchants directly connected to
VisaNet/Interlink must meet this requirement.
• Effective 1 July 2010, all transactions originating at POS PEDs must be
encrypting PINs using TDES from the point of transaction to the issuer
(end-to-end).


PCI POS PED Evaluation Program

Visa first introduced PIN PED testing mandates in 2003 in support of the PIN
Security Requirements for all point-of-sale (POS) PEDs. In 2005, the
evaluation program was expanded to ensure that all merchants and ATM deployers
use fully compliant devices that support both physical and logical security
requirements, as well as TDES. Now working in conjunction with the Payment
Card Industry (PCI) PED Security Program organization, Visa is helping to
further refine testing criteria for unattended POS PEDs.

All Visa-approved POS PEDs are listed on the Visa PIN-Entry Device Approval
List at www.visa.com/pin.

• Effective 1 January 2004, all newly deployed POS PED models (i.e., newly
purchased devices from the original equipment manufacturer; not previously
acquired devices being installed for the first time) must be evaluated by a
Visa-recognized laboratory and approved by Visa.
• Effective 1 October 2005, all newly deployed Encrypting PIN Pads (EPPs),
including replacements of those in newly deployed ATMs or cash dispensing
PEDs, must have passed testing by a Visa-recognized laboratory and been
approved by Visa.
• Effective 1 October 2007, all newly deployed unattended POS PIN
acceptance devices must contain an EPP that has passed testing by a
PCI-recognized laboratory and is approved by Visa for new deployments.
Additionally, if the device is used for offline PIN acceptance, it must contain
a lab-evaluated and Visa-approved secure smart card reader.
• Effective 1 July 2010, all POS PED models must be TDES-capable and
Visa-approved/lab-evaluated.

Visa International Operating Regulations prohibit merchants from storing the full
contents of any magnetic-stripe, CVV2*, or PIN block payment card data. Merchants can
mitigate the risk of exposing cardholder data through compromise by utilizing vendors who
offer payment applications that meet the Payment Application Data Security Standard
(PA-DSS), a PCI Security Standards Council (SSC) managed program formerly known as the
Payment Application Best Practices (PABP).
The PA-DSS is intended to help software vendors and others develop secure payment
applications that do not store prohibited data and support compliance with the PCI Data
Security Standard (DSS). To learn more about Visa’s PA-DSS mandates, please visit
www.visa.com/cisp, click on Risk Management, then Payment Applications. For a
downloadable list of payment applications that meet PA-DSS, log on to the Council’s
website at www.pcisecuritystandards.org.

*In certain markets, CVV2 is required for card-absent transactions.


Minimizing Third-Party Agent Branded ATM Risk

ATM Risk Controls

The connection of privately owned (Third-Party Agent) ATMs to Visa’s Plus
ATM Network has raised a number of operational and risk management
concerns for Visa members. Visa has instituted new rules to help manage
the risks introduced by third-party branded ATMs. To properly address this
situation, Plus System Inc. By-Laws and Operating Regulations and Visa International
Operating Regulations were revised and policies introduced to ensure that ATM
acquirers maintain adequate risk controls to safeguard Visa’s Plus ATM
Network. These include the following:
• Minimum Tier One Capital Requirements for members to sponsor Plus
Third-Party Agents
• Quarterly Reporting by sponsoring Plus members of all sponsored ATMs,
including make, model and location
• ATM Labeling Requirements stating who the acquirer is for Plus transactions
with a call-in phone number to report suspicious activity
• Required submission of PIN Security due diligence for all new Plus
Third-Party Agent registrations
• Active compliance monitoring program to ensure Plus agent compliance with
applicable rules
• Mandatory education requirements for Plus Third-Party Agents and their
sponsoring members
• ATM operator agreement requirements

ATM Operator Rules

The ATM operator rules are designed to help Visa members:
• Establish consistent operational and risk management requirements for ATM
acquirers to manage entities that own or operate their own ATMs.
• Ensure that entities connected to Visa’s Plus ATM Network have been
subjected to an adequate due-diligence review.
• Ensure that entities connected to Visa’s Plus ATM Network have a
written agreement with a member.
• Clearly define member responsibility for ATM operators.
• Safeguard Visa’s Plus ATM Network from unregistered Third-Party Agents
or other entities that have not been properly screened for risk.


Summary of Member Responsibilities - ATM Operator Agreements

Visa ATM Operator Agreement Rules

A member must:
• Prior to entering into an ATM operator agreement, determine that a
prospective ATM operator does not have any significant derogatory
background information about any of its principal owners.
• Collect certain ATM operator information for all ATM operators and
Third-Party Agents and make this information available to Visa upon request.
• Have a written ATM operator agreement with each of its ATM operators.
• Only process Visa Plus Network transactions from an ATM operator with
which it has a valid ATM operator agreement.
• Ensure that the ATM operator complies with the substance of the applicable
sections of the Visa and Plus Operating Regulations.
• Ensure that applicable amendments to the Visa International Operating
Regulations are incorporated into its ATM operator agreements and ensure
adequate communication of these changes to their ATM operators.
• Ensure that its ATM operators and Third-Party Agents maintain the integrity
and safety of PIN data in conformity with the PCI PIN Security Requirements.


Visa White Label ATM Compliance Program

Third-Party Agent Branded ATM Controls

All Visa members that use Third-Party Agents to deploy cash disbursement
machines (Third-Party Agent branded ATMs) are required to:
• Track and report on a quarterly basis to Visa the physical location of each
device sponsored.
• Determine whether such devices comply with PCI PIN Security Requirements.
These controls ensure sponsoring members are prominently identified on each
device and enable cardholders to report suspicious activity.

All Third-Party Agent branded cash disbursement machines bearing the Plus
and/or Visa marks are also required to display a label that identifies the
sponsoring financial institution and must include a customer service phone
number for cardholders to contact in the event of operational problems, or to
report suspicious activity. Member-branded ATMs are exempt from this
requirement.

Members must report on a quarterly basis to Visa Corporate Risk information on
the physical location of each Visa/Plus cash disbursement machine deployed
through a Third-Party Agent. The reports contain the following:
• Physical street address of each device
• An indication whether or not the device meets PCI PIN Security Requirements
• Device manufacturer and model number
• Software and firmware versions
This detailed tracking information helps Visa and its sponsoring members to
quickly identify devices in the event of a compromise, as well as further ensure
full device compliance with the PCI and PED Security Requirements.
Members that fail to comply with Visa’s reporting and labeling requirements are
eligible for fines and the imposition of conditions as specified in the Plus System
Inc. By-Laws and Operating Regulations.


Acquiring Center Security

Physical Security

Acquirers need to ensure the physical security of the Acquiring Center. Measures
must include access control, surveillance, and monitoring of the following
operational areas:
• Building access, both entry and egress
• Filing areas, including fraud investigation and cardholder credit files
• Data processing area
• Payment processing area
• Embossing area
• Mailing area

Business Continuity Planning

Acquirers must also develop procedures to ensure the safety and security of the
Center and personnel in case of fire, natural disasters, bomb threat, or riot. This
requires a review and drill on a regular basis, the documenting of problems, and
any necessary corrective action.

Center Personnel

Acquirers are expected to conduct a thorough background check of all
prospective Acquiring Center employees to screen out undesirable individuals.
It is highly recommended that acquirers use police records, credit reports, and
former employment checks in these investigations.

Chapter 11 In the Event of a Compromise

Recognizing what constitutes a data compromise incident is crucial to minimizing
the impact it might have on your organization. In general, incidents may be
defined as deliberate electronic attacks on the communications or information
processing systems that result in cardholder data being exposed to compromise.
Whether initiated by a disgruntled employee, a malicious competitor, or a
misguided hacker, deliberate attacks often cause great damage and disruption.
In the event of a data compromise incident, the affected entity must take
immediate action to investigate the incident, limit the exposure of cardholder
data, notify their acquirer and Visa, and report investigation findings. Acquirers
are responsible for merchants’ compliance with security requirements to protect
cardholder data – specifically, the Payment Card Industry (PCI) Data Security
Standard (DSS) requirements. They must support all containment efforts
and ensure that the merchant conducts a thorough and prompt investigation.
Impacted issuers must move rapidly to protect at-risk accounts and prevent fraud
losses.
This chapter describes the steps that Visa acquirers, merchants, and service
providers must take in the event of a security incident.

What’s Covered
• Steps and Requirements for Compromised Entities (Members, Merchants, and
Third-Party Agents)
• Steps and Requirements for Visa Acquirers
• Forensic Investigation Guidelines
• Using the Compromised Account Management System (CAMS)


Steps and Requirements for Compromised Entities (Members, Merchants, and Third-Party Agents)

Entities that have experienced a suspected or confirmed security breach must
take prompt action to help prevent additional exposure of cardholder data
and ensure compliance with the PCI DSS, PA-DSS, and PCI PIN Security
Requirements.
Acquirers should make sure that these steps and requirements are clearly
communicated to all merchants and Third-Party Agents.

To minimize the impact of a cardholder information security breach, Visa has
put together an Incident Response Team to assist in forensic investigations. In
the event of a compromise, Visa will coordinate a team of forensic specialists to
go onsite immediately to help identify security deficiencies and control
exposure. The forensic information collected by the team is often used as
evidence to prosecute criminals.

1. Immediately contain and limit the exposure. Minimize data loss. Prevent the
further loss of data by conducting a thorough investigation of the suspected or
confirmed compromise of information. Compromised entities should consult
with their internal incident response team. To preserve evidence and
facilitate the investigation:
– Do not access or alter compromised system(s) (i.e., don’t log on at all to
the compromised system(s) and change passwords; do not log in as ROOT).
Visa highly recommends that the compromised system not be used, to avoid
losing critical volatile data.
– Do not turn the compromised system(s) off. Instead, isolate compromised
system(s) from the network (i.e., unplug network cable).
– Preserve evidence and logs (i.e., original evidence, security events, web,
database, firewall, etc.).
– Document all actions taken.
– If using a wireless network, change the Service Set Identifier (SSID)
on the wireless access point (WAP) and other systems that may be
using this connection (with the exception of any systems believed to be
compromised).
– Be on “high” alert and monitor traffic on all systems with cardholder data.


2. Alert all necessary parties immediately:
– Your internal incident response team and information security group.
– If you are a merchant, contact your merchant bank.
– If you do not know the name and/or contact information for your merchant
bank, notify Visa Incident Response Manager immediately:
  - U.S. – (650) 432-2978 or usfraudcontrol@Visa.com
  - Canada – (416) 860-3090 or CanadaInvestigations@Visa.com
  - Latin America & Caribbean – (305) 328-1713 or lacrmac@Visa.com
  - Asia Pacific – (65) 96307672 or APInvestigations@Visa.com
  - CEMEA – +44 (0) 207-225-8600 or CEMEAFraudControl@Visa.com
If you are a financial institution, contact the appropriate Visa region at
the number provided above.
3. Notify the appropriate law enforcement agency. Contact the Visa Incident
Response Manager above for assistance in contacting the local law enforcement
agency.
4. Consult with your legal department to determine if consumer or regulatory
laws apply.
5. Provide all compromised Visa, Interlink, and Plus accounts to the Visa
acquiring bank or to Visa within ten (10) business days. All potentially
compromised accounts must be provided and transmitted as instructed by
the Visa acquiring bank and Visa. Visa will distribute the compromised Visa
account numbers to issuers and ensure the confidentiality of entity and
non-public information. Note: If you are an issuer, provide foreign accounts or
accounts from other financial institutions to Visa.
6. Within three (3) business days of the reported compromise, provide
an Incident Report to the Visa member or to Visa. If you are a financial
institution, provide the Incident Report to Visa.
Note: If Visa deems necessary, an independent forensic investigation by a
Visa-approved Qualified Incident Response Assessor (QIRA) will be initiated
on the compromised entity.


Steps and Requirements for Visa Acquirers

Security Breach Reporting

In the event of a security breach, the Visa International Operating Regulations
require members to immediately report the breach and the suspected or
confirmed loss or theft of any material or records that contain cardholder data.
A member must, upon completion of the investigation, demonstrate its ability
or its merchants’ or agents’ ability to prevent future loss or theft of transaction
information consistent with the PCI DSS requirements. Visa, or an independent
third-party acceptable to Visa, must verify this ability by conducting a
subsequent security review.
1. Immediately report the suspected or confirmed loss or theft of Visa
cardholder data. Members must contact Visa Fraud Control immediately.
2. Obtain at-risk account numbers from compromised entity. Within 48 hours,
advise Visa whether the entity was in compliance with PCI DSS requirements
at the time of the incident and, if so, provide appropriate proof.
3. Participate in all discussions with compromised entity and Visa.
4. Ensure that a Visa-approved Qualified Security Assessor is engaged to
perform the forensic investigation.
5. Obtain information about the compromise from the entity.
6. Determine whether compromise has been contained.
7. Inform Visa of investigation status within 48 hours.
8. Ensure that entity has taken steps necessary to prevent future loss or theft
of account information, consistent with PCI DSS requirements.


Forensic Investigation Guidelines

Investigation Actions

Entities must initiate investigation of the suspected or confirmed loss or theft of
account information within 24 hours of compromise. The following actions must
be taken as part of the forensic investigation:
• Determine cardholder information at risk. This includes:
– Number of accounts at risk, identify those stored and compromised on all
test, development, and production systems
– Type of account information at risk:
  - Account number
  - Expiration date
  - Cardholder name
  - Cardholder address
  - Card Verification Value 2 (CVV2)*
  - Track 1 and Track 2
  - PIN blocks
  - Any data exported by intruder
• Determine if payment application is retaining full track data, including PIN
blocks.
• Perform incident validation and assessment:
– Establish how compromise occurred.
– Identify the source of compromise.
– Determine timeframe of compromise.
– Review entire network to identify all compromised or affected systems,
considering the e-commerce, corporate, test, development, and production
environments as well as VPN, modem, DSL and cable modem connections,
and any third-party connections.
– Determine if compromise has been contained.
• Check for CVV2, Track 1 and Track 2 storage. Examine all potential
locations—including payment application—to determine if CVV2,
Track 1, or Track 2 data are stored, whether encrypted or unencrypted—e.g.,
in duplicate or backup tables or databases, databases used in development,
application logs, transaction logs, stage or testing environment data on
software engineers’ machines, etc.

*In certain markets, CVV2 is required for card-absent transactions.


• If full track data is being stored by a payment application, identify the
vendor name, product name, and product version.
• If applicable, review VisaNet endpoint security and determine risk.
• Preserve all potential electronic evidence on a platform suitable for review
and analysis by a court of law if needed.
• Perform remote vulnerability scan of entity’s Internet-facing site(s).
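
The check for CVV2, Track 1 and Track 2 storage listed above can be partly automated for cleartext data. The following Python scanner is an added example, not part of the Visa manual: it searches text lines (application logs, transaction logs, database exports) for the ISO/IEC 7813 Track 1 and Track 2 layouts, labelled CVV2 fields, and Luhn-valid 11-19 digit account numbers, and reports masked values only. The sample log lines, function names and field labels searched for are assumptions constructed for illustration; encrypted or otherwise encoded data will not be found this way.

```python
import re

# Track 1 (ISO/IEC 7813, format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{11,19})\^[^^\r\n]{2,26}\^\d{4}\d{3}[^?\r\n]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?  Sentinels are often
# stripped in logs, and '=' shows up as 'D' when the track was hex/BCD encoded.
TRACK2_RE = re.compile(r"(?<!\d);?(\d{11,19})[=Dd]\d{4}\d{3}\d*\??")
# A CVV2 is only 3-4 digits, so it is detectable only when a field label survives.
# The labels below are assumed examples; extend them for the application reviewed.
CVV2_RE = re.compile(r"(?i)\b(?:cvv2?|cvc2?|cid)\b\W{0,4}(\d{3,4})\b")
# Bare account number candidate: 11-19 digits not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)\d{11,19}(?!\d)")


def luhn_ok(pan):
    """Return True if the digit string passes the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep first six and last four digits so the report stores no full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line):
    """Return [(kind, masked_evidence), ...] for one line of text."""
    findings = []
    covered = []                # spans already explained by a track match
    for kind, rx in (("TRACK1", TRACK1_RE), ("TRACK2", TRACK2_RE)):
        for m in rx.finditer(line):
            findings.append((kind, mask_pan(m.group(1))))
            covered.append(m.span())
    for _ in CVV2_RE.finditer(line):
        findings.append(("CVV2", "***"))   # never echo the value itself
    for m in PAN_RE.finditer(line):
        inside = any(s <= m.start() and m.end() <= e for s, e in covered)
        # Luhn filters out most order numbers, timestamps and other digit runs.
        if not inside and luhn_ok(m.group()):
            findings.append(("PAN", mask_pan(m.group())))
    return findings


def scan_lines(lines):
    """Return [(line_number, kind, masked_evidence), ...], numbering from 1."""
    report = []
    for number, line in enumerate(lines, start=1):
        for kind, evidence in scan_line(line):
            report.append((number, kind, evidence))
    return report


def scan_file(path):
    """Scan a text file; undecodable bytes are replaced rather than fatal."""
    with open(path, "r", encoding="utf-8", errors="replace") as handle:
        return scan_lines(handle)


# Constructed sample input (4111111111111111 is a widely used test number).
SAMPLE_LOG = [
    "2010-10-04 12:00:01 INFO auth ok terminal=T0042 amount=25.00",
    "2010-10-04 12:00:02 DEBUG swipe raw=%B4111111111111111^DOE/JOHN^12121010000000000000?",
    "2010-10-04 12:00:02 DEBUG field35=;4111111111111111=12121010000000000000?",
    "2010-10-04 12:00:05 DEBUG form pan=4111111111111111 exp=1212 cvv2=123",
    "2010-10-04 12:00:09 INFO order id 1234567890123456 shipped",
]

if __name__ == "__main__":
    for line_no, kind, evidence in scan_lines(SAMPLE_LOG):
        print(f"line {line_no}: {kind} {evidence}")
```

Run the scan against a forensic copy rather than the live system, in keeping with the evidence-preservation steps earlier in this chapter.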


Using the Compromised Account Management System (CAMS)

What is CAMS?

The Compromised Account Management System (CAMS) offers a secure and
efficient way for acquirers, merchants, law enforcement agencies, and financial
institutions to transmit compromised and recovered account data to and
from Visa through an encrypted site. Using CAMS, acquirers, merchants, and
law enforcement officers can upload potentially compromised and recovered
accounts directly to Visa.
Subscribing financial institutions can access CAMS by logging on to their
regional Visa Online site and receive compromise alerts via e-mail regarding
their accounts.

How to Use CAMS

To Upload File(s):
1. Access the “Submit CAMS Alert” screen to upload your file data. At this
screen, you must enter a description, indicate whether you are providing an
expiration date, and select a file to upload from your hard drive.
2. From the drop-down menu, select your assigned Visa contact. This field is
required.
3. Enter a brief description of the files you are uploading for the compromise.
4. If applicable, indicate whether the file includes an expiration date. (Indicating
an account expiration date will help the issuer identify which accounts are
good candidates for monitoring.)


5. Click “Browse” to select a file from your local hard drive.
• Files must be either plain text or a .zip file containing plain text files.
• Files cannot exceed 100 MB in size.
• The uploaded file should contain 11-19 digit account numbers.
6. Click the “Upload” button to begin the file transfer process. The progress box
will display how much of the upload has been completed.
7. To stop the file transfer, click the “Cancel” button at any time.

To Upload Additional File(s):
After a successful upload, the “Submit CAMS Alert” screen will reappear with a
message that confirms that your upload has been completed successfully. You
will also be asked if you would like to add another file to the same alert. If you
add another file, please remember that you will only be allowed to submit one
description for each alert; the first description that you submit will apply.
If an error occurs during the upload, an error message will appear and you will
be asked to upload the file again. You should also receive an e-mail message
describing the upload error.
In response, you can either resubmit the file or contact the CAMS Administrator
at VAA-VRM@visa.com for assistance.

Chapter 12 Visa Risk Control Programs

The ingenuity of today’s criminals means that even the most conscientious and
careful acquirer may at times miss crucial evidence of a scam and suffer the
resulting losses. To fight fraud more effectively, system-wide support is needed.
In response, Visa has implemented a range of services and programs aimed at
helping acquirers identify risky transactions.
This chapter provides an overview of Visa’s services and programs developed
specifically for acquirers.

What’s Covered
• Merchant Fraud Performance Program
• Global Merchant Chargeback Monitoring Program
• Acquirer Monitoring Program
• Brand Protection Programs
• High-Risk Chargeback Monitoring Program (U.S. Only)
• Visa Fraud Reporting System


Merchant Fraud Performance Program

The Merchant Fraud Performance (MFP) program is a monitoring program that
identifies merchants with exceptionally high levels of fraud. It includes a set of
global standards, as well as intra-regional and/or domestic thresholds.
The program objectives are to:
• Reduce fraud, protect the Visa brand, and ensure the integrity of the Visa
payment system.
• Help acquirers to identify concentrations of fraud at merchant locations and
take appropriate actions to reduce losses and avoid negative impact to
acceptance and business operations.
• Allow issuers to recover fraud losses as a result of inadequate acquirer
and/or merchant risk management practices.

Note: The MFP program is supplemental to any other authority in the Visa
by-laws, operating regulations, and other Visa standards that address merchant
fraud activity and the risks to Visa from that activity.

How the MFP Program Works

• Identifications – The MFP program includes global minimum standards that
address inter-regional merchant fraud problems. Additionally, domestic and
intra-regional fraud performance thresholds are established regionally to
address local market needs.
Each month, Visa monitors the fraud performance of merchant outlets against
program thresholds. The performance thresholds are subject to periodic
review and are adjusted as needed. Advance notifications of changes to the
thresholds are provided through updates to the Merchant Fraud Performance
Program Guide.
The current global thresholds are as follows:
– Minimum Thresholds:
  - US $25,000 of reported inter-regional fraud*, and
  - 25 inter-regional fraud transactions, and
  - 2.5% inter-regional fraud-to-sales ratio.
– Excessive Thresholds:
  - US $250,000 of reported inter-regional fraud, and
  - 2.5% inter-regional fraud-to-sales ratio.
• Remediation – Visa will notify an acquirer of any merchant that meets or
exceeds the program performance thresholds. The acquirer must then work
with the merchant to address the fraud exposure and reduce fraud so that it
is below the performance thresholds.

*Fraud accepted on cards originally issued by clients outside the merchant country and region.


• Compliance – Financial sanctions in the form of chargeback liability and
escalating fines can be imposed on acquirers whose merchant fraud
performance is excessive or does not fall below the MFP thresholds within
specified remediation timelines. If performance problems continue,
penalties will escalate and can include restriction and revocation of
acceptance privileges.

Note: The MFP is a global Visa program; however, almost every region has its
own regionally-managed thresholds and exceptions for this program. For more
information about the global and regional MFP program, refer to the Merchant
Fraud Performance Program Guide or contact your Regional Risk Representative
or Visa account executive.


Global Merchant Chargeback Monitoring Program

Visa operates the Global Merchant Chargeback Monitoring Program (GMCMP)
to reduce high customer dispute levels and increase consumer confidence in
using Visa cards.
The program objectives are to:
• Identify merchants that generate a disproportionate number of international
chargebacks.
• Allow issuers to recover chargeback processing costs as a result of
inadequate acquirer/merchant risk management practices.
• Encourage adoption of sound risk controls by merchants and acquirers.

How the GMCMP Works

• Identifications – The GMCMP program includes merchant-level and
acquirer-level minimum standards.
Each month, Visa identifies merchants and acquirers whose chargeback levels
are in excess of the GMCMP thresholds. The performance thresholds are
subject to periodic review and are adjusted as needed. Advance notifications
of changes to the thresholds are provided through updates to the Global
Merchant Chargeback Monitoring Program Guide.
The global thresholds effective June 2010 are:
– Merchant-level Thresholds:
  - 200 international sales* count, and
  - 200 international chargeback count, and
  - 2 percent international chargeback-to-sale count ratio.
– Acquirer-level Thresholds:
  - 500 international sales count, and
  - 500 international chargeback count, and
  - 1.5 percent international chargeback-to-sale count ratio, and
  - 1 merchant identified in the program during the same reporting
    month.
• Remediation – Visa will notify an acquirer if its monthly chargeback
performance, or its merchant’s chargeback performance, exceeds or meets
the program thresholds. Once notified, an acquirer should take prompt and
rigorous action to investigate the cause of the excessive chargeback activity.

*Visa may levy penalties for trailing chargeback activity for up to 4 months after merchant termination, regardless of sales volumes.


• Compliance – Fines can be imposed on acquirers whose ‘high-risk’ merchants*
are identified by the program, or if the acquirer or merchant chargeback
performance does not fall below the GMCMP thresholds within the specified
remediation timelines. If performance problems continue, penalties will
escalate and include restriction and revocation of acceptance privileges.

Note: The Merchant Chargeback Monitoring Program (MCMP) is a U.S. only
regional program. For more information about the GMCMP and/or the U.S.
regional MCMP, refer to the Global Merchant Chargeback Monitoring Program
Guide or contact your Regional Risk Representative or Visa account executive.
The Global Merchant Chargeback Monitoring Program Guide is available through
Visa Online (VOL).

*Merchants whose MCCs are specified under the ‘high-risk’ category as specified in VIOR Section 2.3.J.3.a.
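
An acquirer can screen its own portfolio against the MFP global thresholds and the GMCMP merchant-level thresholds quoted above before Visa's monthly identification. The following is an added example, not part of the manual or any Visa system: the record layout, the "watch" early-warning band and the choice to compute the MFP fraud-to-sales ratio on US dollar amounts are assumptions, and the sample figures are constructed.

```python
from dataclasses import dataclass

# Global thresholds as quoted in this chapter; regional programs set their own.
MFP_MINIMUM = {"fraud_usd": 25_000, "fraud_count": 25, "fraud_ratio": 0.025}
MFP_EXCESSIVE = {"fraud_usd": 250_000, "fraud_ratio": 0.025}
GMCMP_MERCHANT = {"sales_count": 200, "chargeback_count": 200, "cb_ratio": 0.02}


@dataclass
class MerchantMonth:
    """One merchant outlet's monthly figures (field names are hypothetical)."""
    merchant_id: str
    interregional_sales_usd: float
    interregional_fraud_usd: float
    interregional_fraud_count: int
    intl_sales_count: int
    intl_chargeback_count: int


def safe_ratio(numerator, denominator):
    """Ratio that stays meaningful when sales are zero (trailing activity)."""
    if denominator > 0:
        return numerator / denominator
    return float("inf") if numerator > 0 else 0.0


def mfp_tier(m, watch_fraction=0.8):
    """Return 'excessive', 'minimum', 'watch' or 'none' for the MFP thresholds.

    'watch' is an internal early-warning band (an assumption, not a Visa
    tier): every minimum threshold is at least watch_fraction reached.
    """
    usd, count = m.interregional_fraud_usd, m.interregional_fraud_count
    ratio = safe_ratio(usd, m.interregional_sales_usd)
    # Excessive tier has no transaction-count condition in the manual.
    if usd >= MFP_EXCESSIVE["fraud_usd"] and ratio >= MFP_EXCESSIVE["fraud_ratio"]:
        return "excessive"
    # All three minimum conditions must hold together ("and" in the manual).
    if (usd >= MFP_MINIMUM["fraud_usd"]
            and count >= MFP_MINIMUM["fraud_count"]
            and ratio >= MFP_MINIMUM["fraud_ratio"]):
        return "minimum"
    if (usd >= watch_fraction * MFP_MINIMUM["fraud_usd"]
            and count >= watch_fraction * MFP_MINIMUM["fraud_count"]
            and ratio >= watch_fraction * MFP_MINIMUM["fraud_ratio"]):
        return "watch"
    return "none"


def gmcmp_merchant_identified(m):
    """True when all three GMCMP merchant-level thresholds are met or exceeded."""
    ratio = safe_ratio(m.intl_chargeback_count, m.intl_sales_count)
    return (m.intl_sales_count >= GMCMP_MERCHANT["sales_count"]
            and m.intl_chargeback_count >= GMCMP_MERCHANT["chargeback_count"]
            and ratio >= GMCMP_MERCHANT["cb_ratio"])


def screen(months):
    """Return only the merchants that need attention, worst first."""
    order = {"excessive": 0, "minimum": 1, "watch": 2, "none": 3}
    rows = []
    for m in months:
        tier = mfp_tier(m)
        flagged = gmcmp_merchant_identified(m)
        if tier != "none" or flagged:
            rows.append({"merchant_id": m.merchant_id, "mfp": tier, "gmcmp": flagged})
    return sorted(rows, key=lambda r: (order[r["mfp"]], not r["gmcmp"], r["merchant_id"]))


# Constructed sample data: id, sales USD, fraud USD, fraud count,
# international sales count, international chargeback count.
SAMPLE = [
    MerchantMonth("M1", 1_000_000, 30_000, 40, 10_000, 250),
    MerchantMonth("M2", 5_000_000, 300_000, 10, 80_000, 150),
    MerchantMonth("M3", 2_000_000, 26_000, 30, 50_000, 300),
    MerchantMonth("M4", 1_000_000, 22_000, 22, 9_000, 20),
    MerchantMonth("M5", 0, 26_000, 26, 0, 0),  # fraud reported, no sales this month
]

if __name__ == "__main__":
    for row in screen(SAMPLE):
        print(row)
```

M3 shows why the conditions must be evaluated together: it passes the amount and count thresholds but its ratio is well under 2.5%, so it is not identified.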


Acquirer Monitoring Program

The Acquirer Monitoring Program (AMP) identifies acquirers with
disproportionate levels of acquired fraud compared to their peers. The program’s
goal is to reduce fraud and the cost of fraud to Visa members.

How AMP Works

• Identifications – AMP includes global minimum standards and
regionally-managed thresholds.
Each quarter, Visa identifies acquirers who exceed 3 times the worldwide or
regional fraud-to-sales ratio. The performance thresholds are subject to
periodic review and will be adjusted as needed.
• Remediation – Visa will notify an acquirer if its quarterly fraud performance
exceeds the program thresholds. Once notified, an acquirer should take
prompt and rigorous action to investigate the cause of the excessive fraud
activity.
• Compliance – Fines would be imposed on the acquirer if the acquirer’s
performance does not fall below the AMP thresholds within specified
timelines. If performance problems continue, penalties will escalate and
include restriction and revocation of acceptance privileges.

Note: The AMP is a global program; however, almost every region has its own
regionally-managed thresholds and exceptions for this program. For more
information about the global and regional Acquirer Monitoring Program, contact
your Regional Risk Representative or Visa Account Manager.


Brand Protection Programs

Illegal Cross-border Transaction Program

The growth of Internet distribution has increased the possibility that merchants,
while acting in accordance with the laws of their own country’s jurisdiction,
may be acting contrary to the laws of a cardholder’s legal jurisdiction. Such
transactions may have legal or regulatory impact on Visa and its members,
which may adversely affect their reputation.
Visa operates the Cross-border Illegal Transactions Program to ensure Visa
acquirers and merchants do not process illegal transactions in the Visa payment
system, as specified in the Visa International Operating Regulations.
To avoid the program fee assessment of for each URL found non-compliant, the
acquirer must:
• Carefully review the sales practices of merchants when they are selling
products to customers outside of their own country,
• Ensure that merchants are properly coding all transactions to correctly
identify their nature, and
• Not accept any illegal transactions from a merchant for submission into the
Visa payment system, or any transaction that the merchant could have known
was illegal.

Electronic Commerce Merchant Monitoring Program

In February 2002, the Electronic Commerce Merchant Monitoring Program
was implemented to address concerns with the Visa Brand being associated
with illegal activities or activities that can have negative brand impact. The
focus of this effort is to prevent Internet child pornography and e-commerce
transactions that depict bestiality, rape, and/or any other non-consensual sexual
behavior, and/or the non-consensual mutilation of a person or body part from
being submitted into the Visa payment system. Under this program, merchant
sites displaying Visa marks that engage in the above activities are identified.
Acquirers must terminate the merchant within 7 business days from the date of
notification to avoid sanctions.


Online Gambling Audit Program

The Online Gambling Audit Program was introduced in 2001 to ensure Online
Gambling merchants properly identify authorization transactions so that issuers
are able to make appropriate authorization decisions.
Under the program, Internet Gambling merchants are required to use the
following authorization data elements to correctly identify their transactions as
“Online Gambling”:
• Merchant Category Code (MCC) – 7995
• POS Condition Code (POS CC) – 59
• Processing Code positions 1 and 2 – 11
• Mail/Telephone or Electronic Commerce Indicator – 05 through 09
Visa assesses a fee to acquirers whose merchants violate the established criteria
and fail to rectify the violation within a stipulated correction period.
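
An acquirer can check its own authorization records for these four data elements before a violation is found by audit. The following is an added example, not part of the manual: the record field names, the list of known Internet gambling merchant IDs and the sample records are assumptions constructed for illustration; only the required values come from the list above.

```python
from collections import Counter

# Required values as listed in the Online Gambling Audit Program section.
REQUIRED_MCC = "7995"
REQUIRED_POS_CC = "59"
REQUIRED_PROC_PREFIX = "11"                      # processing code positions 1 and 2
ALLOWED_ECI = {"05", "06", "07", "08", "09"}     # "05 through 09"


def _norm(value, width):
    """Render a field as a zero-padded string; exports often drop leading zeros."""
    if value is None:
        return ""
    return str(value).strip().zfill(width)


def coding_errors(auth):
    """Return the names of the data elements not coded as Online Gambling."""
    errors = []
    if _norm(auth.get("mcc"), 4) != REQUIRED_MCC:
        errors.append("mcc")
    if _norm(auth.get("pos_condition_code"), 2) != REQUIRED_POS_CC:
        errors.append("pos_condition_code")
    if _norm(auth.get("processing_code"), 6)[:2] != REQUIRED_PROC_PREFIX:
        errors.append("processing_code")
    if _norm(auth.get("eci"), 2) not in ALLOWED_ECI:
        errors.append("eci")
    return errors


def audit(auths, gambling_merchant_ids):
    """Summarize miscoded authorizations per known Internet gambling merchant."""
    summary = {}
    for auth in auths:
        merchant_id = auth.get("merchant_id")
        if merchant_id not in gambling_merchant_ids:
            continue  # only merchants the acquirer has classified as gambling
        entry = summary.setdefault(
            merchant_id, {"checked": 0, "miscoded": 0, "by_element": Counter()}
        )
        entry["checked"] += 1
        errors = coding_errors(auth)
        if errors:
            entry["miscoded"] += 1
            entry["by_element"].update(errors)
    return summary


# Constructed sample records (hypothetical field names and merchant IDs).
SAMPLE_AUTHS = [
    {"merchant_id": "G1", "mcc": "7995", "pos_condition_code": "59",
     "processing_code": "110000", "eci": "07"},          # correctly coded
    {"merchant_id": "G1", "mcc": "5816", "pos_condition_code": "59",
     "processing_code": "110000", "eci": "07"},          # wrong MCC
    {"merchant_id": "G1", "mcc": 7995, "pos_condition_code": "00",
     "processing_code": 0, "eci": 5},                    # numeric export, two errors
    {"merchant_id": "X9", "mcc": "5411", "pos_condition_code": "00",
     "processing_code": "000000", "eci": None},          # not a gambling merchant
    {"merchant_id": "G2", "mcc": "7995", "pos_condition_code": "59",
     "processing_code": "110000", "eci": None},          # indicator missing
]

if __name__ == "__main__":
    for merchant, result in audit(SAMPLE_AUTHS, {"G1", "G2"}).items():
        print(merchant, result["checked"], result["miscoded"], dict(result["by_element"]))
```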


High-Risk Chargeback Monitoring Program (U.S. Only)

The High-Risk Chargeback Monitoring Program (HRCMP) is designed to
reduce the increasing number of chargebacks generated by high-risk merchants.
The program applies to merchants in MCCs 5962, 5966, 5967, and 7995. To
underscore the importance of addressing excessive chargeback activity, the
program assesses fines to acquirers whose merchants exceed program ratios.
Under the HRCMP, there is no warning period and fees are assessed immediately
at US $100 per chargeback.
The program objectives are to:
• Ensure that acquirers thoroughly understand high-risk merchant business
models before setting up an account.
• Encourage acquirers to ensure that their high-risk merchants use sound
business practices that do not generate excessive chargeback activities.
• Motivate acquirers to focus their approval criteria on sound business
practices and financial responsibility, rather than on the merchant’s ability to
provide reserve deposits.
• Reimburse issuers for some of the expense incurred in handling excessive
numbers of cardholder disputes.
• Promote consumer confidence in the Visa brand.

How the Program Works

As defined in the Visa International Operating Regulations, when a merchant
equals or exceeds a one percent overall chargeback-to-interchange transaction
ratio, the acquirer is notified in writing.
To qualify for the HRCMP, the merchant must have 100 or more interchange
transactions, 100 or more chargebacks, and a one percent or greater
chargeback-to-transaction ratio.

Remedial Action and Penalties

The HRCMP penalties, parameters and requirements are defined in the Visa
International Operating Regulations. Under the HRCMP, there is no warning period
and fees begin immediately when the merchant has excessive chargebacks.


Visa Fraud Reporting System

The Visa Fraud Reporting System (FRS) has been developed to provide members
with risk management information and services specifically aimed at pinpointing
sources of risk and fraud activity and combating payment card fraud and fraud
losses. The fraud reporting process normally begins when a cardholder notifies
an issuer about a disputed transaction on the cardholder’s Visa account. The
issuer then reports the details of the fraudulent transaction to Visa.

Fraud Report Categories

Fraud reports include information on the cardholder, the merchant, and how the
transaction was processed. The issuer identifies the type of fraud committed
using one of the following fraud categories:
• Lost.
• Stolen.
• Not received.
• Fraudulent application.
• Counterfeit.
• Fraudulent use of an account number.
• Miscellaneous/undefined.

Note: Acquirers may request customized analysis of fraud activity that is
tailored to meet their risk management needs. For example, reports can be
designed to pinpoint specific sources of risk by geographic area (city, state,
or country), merchant, or fraud type.

How the Visa FRS Works

The Visa FRS operates in this manner:
1. Visa-issuing members use VisaNet to report their fraudulent transactions
to Visa.
2. Based on reported fraud, Visa sends daily or weekly, monthly, and quarterly
Fraud Activity Reports to members. These reports advise members of the
acceptance status of the reports they submitted (if the member’s fraud
reports were entered correctly and accurately), and provide summaries of
fraud reported to date.
3. The reports enable all Visa members to track their organization’s fraud
activity, analyze risk potential, and take specific action.
Visa FRS can help acquirers identify sources of high-risk transactions and develop
merchant fraud control systems and programs tailored to meet their specific needs.
If activity reports show high levels of fraud or certain categories of fraud, members
may be required to take further action with regard to specific kinds of transactions
or merchants.


Fraud data is used by Visa for the following purposes:


• Analyzing fraud concentration.
• Analyzing fraud trends.
• Managing fraud information reports.
• Monitoring member reporting compliance.

Reports Available to Acquirers

The following reports are available to all acquiring members.

Title: Bi-Weekly Acquirer Merchant Activity Report (FRDBMC51)
Description: Provides a detailed listing of all issuer-reported confirmed
fraud transactions occurring on the acquirer’s merchant base. A separate
report is produced for each BIN used by an acquirer. If a merchant’s fraud
activity is higher than average, the merchant’s procedures should be reviewed.
Continued high-fraud activity can result in RIS-related chargebacks.

Title: Bi-Weekly Acquirer Merchant Summary (FRDBMS52)
Description: Provides a summary of all issuer-reported confirmed fraud
transactions for the acquirer’s merchant base. A separate report is produced
for each BIN used by an acquirer. The report summarizes the fraud transaction
amounts (expressed in the acquirer’s currency) and fraud transaction counts on
the acquirer’s merchant base by fraud type and for each of the top 15 Merchant
Category Codes.

Title: Quarterly Acquirer Merchant Summary (FRDQMS53)
Description: Provides a summary of all issuer-reported confirmed fraud
transactions for the acquirer’s merchant base. A separate report is produced
for each BIN used by an acquirer. This report summarizes the fraud transaction
amounts (expressed in the acquirer’s currency) and fraud transaction counts on
the acquirer’s merchant base by fraud type and for each of the top 15 Merchant
Category Codes.

Why Fraud Reporting is So Important

A commitment to regular and rigorous fraud reporting by individual members
protects the entire Visa membership from excessive fraud losses. Analyzing
worldwide patterns of fraudulent activity enables Visa to develop new fraud
control strategies and work with members, law enforcement, and government
agencies to identify and contain new sources of fraud. Members benefit also
through chargeback rights on fraud-related transactions that have been correctly
reported to Visa.

For more information about the Visa FRS, refer to the Visa Fraud Reporting System User
Guide or contact your Regional Risk Representative or Visa Account Manager.

Chapter 13 Working with Third-Party Agents

Third-Party Agents perform specific functions for Visa acquiring members.
While these agents may provide operational support, members retain overall
responsibility for the establishment of risk control policies and procedures. This
chapter contains guidelines on how acquirers can protect their relationships with
these entities through careful evaluation, clarification, and internal controls.

What’s Covered
• What are the Risks?
• Acquirer Responsibilities in Reducing Agent Risk
• Adhering to Visa Third-Party Agent Due Diligence Risk Standards
• Establishing Reserves
• Tri-Party Agreements
• Agent Monitoring and On-Site Review
• Agent Education and Communication
• Merchant Monitoring and Control


What Are the Risks?

Reputational Risks

Acquirers need to be cognizant of the potential damage that can occur to their
reputation if they should engage in a relationship with a disreputable Third-Party
Agent. The majority of these agents are established, well-known entities that
contribute to the continued growth of the payment industry. However, there are
some whose practices may not only harm a member’s reputation, but also result
in other negative actions. For example, a disqualification proceeding can be
initiated by Visa if a member is unwilling or unable to prevent the entity from
harming the Visa payment system or goodwill of the Visa brand. Some key
reputational risks include the following:
• Hidden fees and costs for merchants
• Long-term high-rate leasing contracts for terminals
• Improper use of and misrepresentation of the member and Visa’s name
and logo
• Bait and switch pricing schemes
• Contract cancellation penalties
• Internet advertising that can include “spamming” practices

Operating Regulation Violation Fines and Conditions

If an acquirer fails to control the Third-Party Agent relationship, Visa may place
conditions on the member or assess fines to a member as an enforcement
action. Visa will take such action if the member’s failure violates the Visa
International Operating Regulations and is such that it poses a risk to the payment
system or creates harm to the goodwill of the Visa brand. These conditions may
include, but are not limited to the following:

• Signing restrictions
• The disqualification of a Third-Party Agent
• An independent review of the member or the other Third-Party Agent
practices

Who Holds the Financial Liability

Third-Party Agents often assume the liability for the processing activities of
merchants that they have solicited and signed. While this is often used to
mitigate a member’s risk, it is important to remember that a shift in liability will
only be enforceable to the limit of the third-party organization’s financial means.
Visa holds the member financially liable for all payment system obligations.
Therefore, acquiring members need to review all processing-related exposures
before approving the agent, and then implement proper risk reduction tools to
help mitigate the member’s loss potential.


Acquirer Responsibilities in Reducing Agent Risk

While acquiring members should refer to Visa International Operating Regulations
for specific guidance regarding the management and control of Third-Party Agent
relationships, the following responsibilities have been included in this manual to:
• Help clarify compliance requirements for member use of Third-Party Agents.
• Reinforce financial institutions’ obligations and accountability.
• Enhance control mechanisms to mitigate risk to the payment system.

In This Area: Policies
The Member Must: Have a policy or a group of policies—approved by their Board
of Directors—for each merchant and Third-Party Agent.

In This Area: Third-Party Agent Contracts
The Member Must: Execute a written contract with each third-party that performs
cardholder or merchant solicitation and/or stores, processes, or transmits
cardholder or transaction data on behalf of the member. This agreement, to the
extent permitted by applicable law, is executed by an authorized officer of the
member and must ensure that the Third-Party Agent is compliant with the Visa
International Operating Regulations, Interlink Network, Inc. and Plus System,
Inc. Operating Regulations, and the Payment Card Industry (PCI) Data Security
Standard (DSS). The member is responsible for informing the agent of the
governing requirements. In the case of a merchant servicer, the merchant can
hold this contract.

In This Area: Merchant Agreements
The Member Must: Ensure that merchant agreements meet Visa’s minimum
requirements for disclosure and clearly define both the member’s and the
merchant’s obligations.

In This Area: Funding
The Member Must: Control all funds related to Visa merchant acceptance,
including settlement, reserves, holdbacks, and other funds.

In This Area: Monitoring
The Member Must: Have adequate controls to monitor their Third-Party Agent and
merchant activity to ensure compliance with Visa rules and prevent undue harm
to the payment system.

In This Area: Education
The Member Must: Provide their Third-Party Agents with the necessary education
and training to ensure they are aware of their obligations to the payment
system and remain in compliance with those requirements, as well as the
member’s own internal policies and guidelines.


Adhering to Visa Third-Party Agent Due Diligence Risk Standards

The Visa Third-Party Agent Due Diligence Risk Standards have been established to
ensure that acquiring members meet Visa’s minimum requirements for mitigating
risk to the payment system. All members must comply with these standards
during the Third-Party Agent registration process and throughout the life of the
business agreement.

Reputational Risks

In adhering to these standards, an acquiring member is required to register
Third-Party Agent entities in accordance with the Visa International Operating
Regulations. As part of this process, the member must:
• Conduct an adequate risk review “prior” to engaging in any transaction
activity with a Third-Party Agent. The documentation must prove that the
following actions were taken:
– Financial Review. The acquirer must demonstrate that the institution has
completed an adequate financial review of the Third-Party Agent. This should
include a review of current audited (if available) business financials, a
Dun & Bradstreet check, and the two immediate preceding years’ tax returns.
If dealing with a start-up company, then a complete and thorough business
plan must be submitted to satisfy this documentation requirement.
– Principal Review. An acquirer must complete an adequate review of all
Third-Party Agent business principals. Supporting documentation should
include tax returns, a statement of net worth that lists all assets and
liabilities, an adequate proof that anyone accepting financial liability will
be able to support that liability, a credit report, and criminal/civil
background investigation.
– On-Site Review. An acquirer is responsible for conducting a thorough
on-site review that covers all major services. This should include an
inspection of the Third-Party Agent organization’s physical security
measures, data access control, equipment, processes, policies, etc.

Note: Members may not proceed with transaction activity until the registration
has been recorded, and the member is notified—in writing—by Visa.

Note: For Third-Party Agent classifications, refer to Chapter 2: Acquirer
Strategy and Organization—Third-Party Agent Relationship Management in this
manual.


– Business Background Check. The acquirer should:
  - Perform a thorough background check on the Third-Party Agent principals
    to ensure that they are in good standing. Documentation must show that a
    criminal and civil background investigation has been properly conducted.
  - Check and review the Third-Party Agent organization’s current and
    previous acquirer business relationships—both foreign and domestic
    (including all DBAs). The organizations should also be checked
    against the list of disqualified entities at Visa.

Note: Visa periodically publishes the list of disqualified entities in a Visa
Business Review (VBR) article for the member’s reference.

• Appoint appropriate officers to review all documentation and approve the
Third-Party Agent. The approval must be based on sound business practices
that will not compromise either the member or Visa, and may not be based
solely on the language of the service agreement that limits the member’s
financial liability.
• Be accountable for activities of the Third-Party Agent, including
compliance with applicable Visa International Operating Regulations. For
the purposes of these standards, including fines and participation in the
Visa payment system, the acts of the Third-Party Agent will be treated as if
performed by the member.
• Upon request, provide a copy of the executed agreement with the Third-
Party Agent.
• Submit quarterly reporting on the Third-Party Agent activity in a timely
manner as required.
• Implement prompt and appropriate action if Visa monitoring programs
identify the Third-Party Agent as creating substantial risk to the Visa
payment system.
• Disclose any current or future:
– Equity positions it has or may take in the Third-Party Agent.
– Loans it has made or may make to the Third-Party Agent.
• Ensure that any service provided by the Third-Party Agent on behalf of the
member is stipulated in the written contract by that entity itself and is
not subcontracted to any other entity.
• Conduct an on-site review of the Third-Party Agent’s PIN security controls
to validate compliance with the standards established by the Visa PIN
Security Requirements manual.


Establishing Reserves

Acquiring members should perform a complete financial review of any third party
that will be soliciting merchants on their behalf. This is especially important if
a member intends to share or pass along all liabilities to that entity. If the
member believes the financial condition of a Third-Party Agent is such that it will
not support a liability that may arise from the merchant(s) brought in by the
agent, then the member should secure a reserve before establishing a business
relationship.

Acquiring members must hold all merchant reserves in an account that can be linked
to the merchant. Third-Party Agents are prohibited from accessing merchant
settlement funds or from initiating or controlling merchant reserve accounts.

Merchant Reserve Calculation Considerations
There are many different methods available for calculating a merchant reserve.
However, some common considerations include the following:
• Potential sales volume of the merchants being solicited
• Types of merchants being solicited (e.g., Retail, mail order/telephone order,
Internet)
• Risk factors associated with the business models of the merchants being
solicited (e.g., immediate delivery, future delivery, free trial offers, negative
renewals, long-term contractual obligations, build to specification)


Tri-Party Agreements

The acquiring member must be a principal to all merchant agreements. Even
though tri-party contracts are currently permitted in the Visa system, a member
may not delegate its Visa obligations to a Third-Party Agent. Whenever a member
engages in a tri-party agreement with an agent and merchant, a disclosure page
must be used to clarify and reinforce the member’s role in the merchant
relationship. Failure to use the disclosure page as required will be deemed a
serious violation of the Acquirer Risk Program and could be sufficient cause for
the imposition of fees or risk reduction conditions.

All tri-party agreements must include a disclosure page which contains statements
on important member and merchant responsibilities.

Tri-Party Agreement Content Requirements
The disclosure page is a separate, stand-alone document that contains the following:
• The Visa member is a principal party to the agreement, and is the only entity
authorized to offer or extend Visa products or services to the merchant.
• The Visa member (acquirer) is responsible for:
– Merchant education regarding pertinent Visa International Operating
Regulations with which merchants must comply.
– Settlement funds (and providing these funds to the merchant).
– All funds held back or in reserve that are derived from settlement.
• The Visa merchant is responsible for:
– Ensuring compliance with the cardholder data security and storage requirements.
– Reviewing and understanding the terms of the merchant agreement.
– Complying with those Visa International Operating Regulations as described in
the merchant agreement.

Acquiring members must ensure the merchant understands that the acquirer has
complete responsibility for the merchant relationship and is available to assist
when needed.

The disclosure page must also contain a contact address and phone number for
the member, along with an explanation that the member is primarily responsible
for the merchant relationship and may be contacted at any time and for any
reason. In addition, the disclosure page must include the following items, which
must be completed:
• Merchant’s printed name
• Position of the individual signing the document
• Business address/phone number
• Agent name/salesperson’s name


Tri-Party Agreement Sign-off Requirements
The disclosure page must be dated and signed by the principal owner or senior
authorized officer of the merchant at the time of solicitation to indicate they
have received and reviewed the document. A copy of the executed disclosure
page must be provided to the merchant at the time that it is signed, and must be
maintained by the member in the merchant’s file as a part of the required due
diligence. The merchant is also required to retain a copy of the disclosure page.


Agent Monitoring and On-Site Review

Monitoring Third-Party Agent Solicitation Performance
All acquiring members are responsible for monitoring the performance of
third-party entities that solicit merchants on their behalf. A monthly recap can
provide the member with data that is crucial to maintaining a profitable
relationship. This data would include, but is not limited to, the following
information for each entity:
Performance • Number of existing merchants at the beginning of the month,
• Number of merchants voluntarily closed,
• Number of merchants on the books at the end of the month,
• Sales volume for the merchants,
• Number and amount of credits and chargebacks, and
• Amount of residuals paid to the Third-Party Agent.
The acquirer’s Senior Merchant Services Officer should review and approve the
monthly performance recap to ensure continued portfolio profitability and to
maintain an appropriate business relationship balance.

Quarterly Reporting for Agents
Visa’s current requirements for reporting on agent performance were revised to
include specific information on each agent.
Members must maintain a file on each agent and review their performance on
an annual basis. The report must be signed by a senior officer and be made
available to Visa upon request.
Members must provide summary-level performance data for each agent. Failure
to provide the report within 30 days may result in the assessment of fees.
As part of their agent activity quarterly report to Visa, acquirers must include the
following performance data at the solicitation agent level:
• Sales count and amount
• Chargeback count and amount
• Number of existing merchants
• Number of new merchants
• Number of accounts closed

Acquirer Risk Program Compliance and On-Site Reviews
Acquirers must conduct an on-site review of all Third-Party Agent entities at
least once a year. More frequent reviews may be advisable, however, based on
the services provided by the entity. The on-site review can provide an acquirer
with firsthand knowledge of the entity’s practices and operations.


Remediation Mechanisms
Visa Enterprise Risk and Compliance will work with members whose
independent report of their operations indicates non-compliance with the
Acquirer Risk Program requirements. Members must provide an acceptable
plan to address the deficiencies identified. Visa’s response is determined by
the severity of the deficiency issues identified and the member’s ability and
willingness to rapidly address them. This response could include specific
corrective actions, fees in various amounts, and ultimately, if a member fails to
implement an approved plan, suspension from acquirer activities or expulsion
from membership.

PCI DSS Requirements
Any agent that stores, processes or transmits cardholder data must be registered
with Visa and validate PCI DSS compliance. Members are held responsible for their
agent’s initial compliance and ongoing revalidation. Members must validate that
their agent is actively working toward or has validated PCI DSS compliance. Visa’s
Global List of PCI DSS Validated Service Providers can be found at
www.visa.com/third-party-agent.

To find out more about the PCI DSS requirements, refer to Chapter 10: Cardholder
Information and Personal Identification Number Security in this manual.

Merchants must notify their acquirer of any Third-Party Agent that will have
access to cardholder data. The acquirer is required to notify Visa if its merchant
is using a Third-Party Agent and that the agent meets the PCI DSS requirements.
An acquirer that discloses transaction information or allows its merchant to
provide the information to a Third-Party Agent that is not PCI DSS-compliant may
be liable for fees.


Visa acquirers and issuers must register all Third-Party Agents with Visa.
Registration of Third-Party Agents can be accomplished through the Visa
Membership Management (VMM) application, which is accessible through the
Visa Online site for your region.

Group | Level | Compliance Actions: Comply with PCI DSS | Validation Actions: On-Site Security Assessment | Validation Actions: Self-Assessment Questionnaire | Validation Actions: Network Scan*
Merchant | 1 | Required | Required Annually | | Required Quarterly
Merchant | 2&3 | Required | | Required Annually | Required Quarterly
Merchant | 4** | Required | | Recommended | Required Quarterly
Service Providers | 1 | Required | Required Annually | | Required Quarterly
Service Providers | 2 | Required | | Required Annually | Required Quarterly

*Network scanning is applicable to any Internet facing system.
**Validation requirements are determined by the merchant’s acquirer.


Agent Education and Communication

Educating Agents
Through prompt and proper training, acquirers need to ensure that all
Third-Party Agent organizations fully understand the Visa International Operating
Regulations that pertain to their roles and responsibilities, as well as those of the
merchant. Agent education coverage must include, but is not limited to, the
following:
• Merchant solicitation
• Merchant underwriting criteria
• Prohibited merchant categories
• Merchant Category Codes (MCCs)
• PCI DSS requirements
Acquirers must also provide a copy of their relevant corporate policies and
procedures to all Third-Party Agents that are offering services on the member’s
behalf in support of the merchant portfolio.

Communicating Merchant Underwriting Criteria
All Third-Party Agents that engage in merchant solicitation must be provided
with the acquiring member’s merchant underwriting criteria. In doing so, the
member should clearly describe all prohibited merchant types and the required
documentation for each. Certain merchant types are considered high risk and
are known to generate high levels of chargebacks and credits. The following
three merchant types must be registered with Visa before accepting and/or
processing any transactions:
• Direct Marketing of Travel Related Services (MCC 5962)
• Inbound Telemarketing (MCC 5966)
• Outbound Telemarketing (MCC 5967)

A complete description of these high-risk merchant types and MCCs can be obtained in the
Visa Merchant Data Manual.


Merchant Monitoring and Control

Merchant Exception Activity Monitoring
Many Third-Party Agent entities are capable of monitoring merchant exception
activity. While acquirers allow these entities to perform some merchant
monitoring services, this does not absolve the member of its responsibilities.
Members must monitor all merchants in their portfolio (including where the
Third-Party Agent has accepted the liability) as outlined in the Merchant
Monitoring Standards in the Visa International Operating Regulations.

Merchant Control
Failure to make timely merchant data changes and/or control volume may
expose an acquirer to losses. Merchant data changes include the following:
• Doing Business As (DBA),
• Demand Deposit Account (DDA),
• Business structure (Sole Prop, Partnership, Corp, etc.),
• Address,
• Phone number, and
• Business type.
Requests for sales volume increases must be controlled and approved by the
acquirer, and preferably, reviewed by Credit/Risk Management.

Merchant Pricing
Acquirers need to provide clear merchant pricing guidelines to all Third-Party
Agents that source merchants. All pricing and fees must be disclosed in writing
to the merchant at the time the application is signed and submitted.

Merchant Fee Collection
An acquirer must collect all merchant fees directly from the merchant.
Third-Party Agent entities are not permitted to touch or hold the merchant
settlement, reserve, or processing fee funds.


Glossary

Access Control Server (ACS)
Issuers participating in Verified by Visa support the ability to activate cardholders during
online purchases using an Access Control Server (ACS). An issuer may operate an ACS
itself or contract with an ACS Processor. The issuer ACS processes authentication
transactions received from participating merchants.

Account Information Security (AIS) Program
Visa’s data security compliance program. This program was formerly known as the
Cardholder Information Security Program (CISP) in the U.S.

Account Information
Account and transaction information that is necessary to process Visa transactions
correctly, including all information recorded electromechanically or otherwise on a Visa
card.

Account Number
The 16-digit account number that appears on the front of all valid Visa cards. The
number is one of the card security features that should be checked by merchants to
ensure that a card-present transaction is valid.

Account Testing
A fraud scam used by criminals to verify whether an account number is currently valid.
To “test” an account, the perpetrators make a small purchase on it—for example, a few
dollars’ worth of gas—or they will submit an authorization request but not a sales
transaction receipt. If the account is valid, it will then be used for additional, larger
fraudulent transactions.

Acquirer Identifier
A three-letter tag or label consisting of the letters “ACQ” used to identify financial
institutions as acquirers for credit bureau listings. For example, an acquirer with the
name First National Bank would be listed as “Frst Natl Bnk-ACQ.” The use of acquirer
identifiers is recommended by Visa to help acquiring institutions spot potential fraud
scams involving multiple applications.

Acquirer Monitoring Program (AMP)
Identifies acquirers with disproportionate levels of acquired fraud compared to their
peers. The program’s goal is to reduce fraud and the cost of fraud to Visa members.
AMP includes global minimum standards and regionally-managed thresholds.

Address Verification Service (AVS)*
AVS allows merchants that accept card-absent transactions to compare the billing
address (the address to which the card issuer sends its monthly statement for that
account) given by a customer with the billing address on the card issuer’s master file
before shipping an order. AVS helps merchants minimize the risk of accepting fraudulent
transactions in a card-absent environment by indicating the result of the address
comparison.

*AVS is only available in the U.S. and Canada.


Agent Registration Program
A Visa-sponsored program that ensures proper oversight and monitoring of members’
business relationships with Third-Party Agents. Members must register all Third-Party
Agents with the program and file quarterly reports with it on the activities and
performance of these agents.

Authenticate
To verify the identity of an Internet user, computer, or person. For example, some
merchants will use advanced security systems to authenticate the consumer before
accepting an online order.

Authorization
The process by which bankcard transactions are approved by issuers. Authorizations
occur at the point of sale before a transaction is completed. With point-of-sale (POS)
and other electronic transaction-processing devices, authorization is automatic.
Telephone authorizations are also available from authorization centers.

Authorization Center
A facility established by a member, either in-house or through a third-party processor, to
respond to merchants’ or other members’ requests for authorizations for transactions or
cash advances. Authorization centers also respond to referral and Code 10 calls.

Automated Voice-Response Units
A computerized phone system used by voice authorization centers to respond to
merchant phone calls requesting a transaction authorization. Authorization occurs
without the caller speaking to an authorization agent, making it more difficult to identify
potentially suspicious calls or transactions.

Bank Identification Number (BIN)
The Bank Identification Number (BIN) is a unique six-digit number Visa assigns to
members for identification purposes. BINs always begin with a “4” and are the first six
digits in bankcard account numbers.

BASE II
The VisaNet system that provides clearing and settlement services to members.

Boiler Room
A single room or small office used by criminals to enter fraudulent transactions on
multiple POS terminals or similar transaction-processing devices. Boiler rooms are most
frequently associated with telemarketing and account testing scams.

Business Principal
See Principal.

Bust-out Merchant
A seemingly legitimate merchant, who opens a valid account with an acquirer and after
a brief period of normal sales activity, deposits a large number or high-dollar amount of
fraudulent transactions. Once payment for the transactions is received, the merchant
disappears. Bust-out merchants often make applications to several acquirers at the
same time.

Card-Absent
A merchant, market, or sales environment where transactions occur without a valid
Visa card being present. Card-absent is used to refer to mail order/telephone order
merchants and sales environments, as well as the Internet.

Card Acceptance Procedures
The procedures a merchant or merchant employee must follow at the point of sale to
ensure a card and cardholder are valid. Both card-present and card-absent merchants
are required to take all reasonable means to ensure the validity of the transactions
they process.


Card Authentication Verification Value (CAVV)
A unique value transmitted by an issuer in response to an authorization request from a
3-D Secure merchant.

Card Expiration Date
See Good Thru Date.

Card-Present
A merchant, market, or sales environment where a transaction can be completed only
if both a valid Visa card and cardholder are present and the sale is processed by an
individual representing the merchant or acquirer. Card-present transactions include
face-to-face retail sales and cash disbursements.

Card Recovery Bulletin
International printed list of lost, stolen, counterfeit, or other cards that issuers in
countries outside the United States have listed for pickup. The Card Recovery Bulletin is
printed only in countries outside the United States.

Card Security Features
The alphanumeric, pictorial, and other design elements that appear on the front and
back of all bankcards. These features must be checked by merchants for all card-present
sales to ensure the card is valid. The exact physical dimensions and placement of the
card security features are specified by the Visa International Operating Regulations and are
difficult to copy exactly.

Card Verification Value (CVV)
A unique three-digit code included on the magnetic-stripe of all valid Visa cards. The
CVV is checked during the authorization process for card-present sales to ensure that
the card is valid. When setting up a new merchant account, an acquirer should ensure
that the point-of-sale (POS) terminals used by the business are CVV-capable.

Card Verification Value 2 (CVV2)*
A Visa fraud-prevention system used in card-absent transactions to ensure that the card
is valid. The CVV2 is the three-digit value that is printed on the back of all Visa cards.
Card-absent merchants ask the customer for the CVV2 and submit it as part of their
authorization request. For information security purposes, merchants are prohibited from
storing CVV2 data.

Cardholder-Activated Terminal (CAT)
A POS terminal that can only be activated when a cardholder swipes a bankcard through
it. CATs are commonly found in gas pumps and have been used by criminals for account
testing scams.

Cash Disbursement
A bankcard transaction involving the payment of cash or travelers cheques to a
cardholder. In general, only financial institution branches are allowed to make cash
disbursements.

Chargeback
A transaction returned by an issuer to an acquirer. A sudden increase in a merchant’s
chargeback rate is often the first sign of fraud or other high-risk sales activity.

*In certain markets, CVV2 is required for card-absent transactions.


Check-Digit Algorithm
A mathematical formula used to create and verify the validity of Visa bankcard account
numbers. These formulas can also be used by criminals to create counterfeit account
numbers, for example, by running a valid number through an account number-generating
computer program such as CreditMaster.

Chip
An integrated microchip that is embedded into a plastic credit or debit card. It is virtually
impossible to copy, facilitates the evolution of security methods and processes, and is
capable of holding many applications.

Chip card
A plastic credit card with an embedded computer chip that communicates information
to a chip-reading device during the transaction process.

Chip-initiated transaction
An EMV and VIS-compliant chip card transaction which is processed at a chip-reading
device using full-chip data, and limited to Visa and Visa Electron Smart Payment
Applications, or EMV and VIS-compliant Plus applications.

Chip-reading device
A point-of-transaction terminal capable of reading, communicating, and processing
transaction data from a chip card. The chip card and chip-reading device work together
to determine the appropriate cardholder or verification method for transaction (either
signature or PIN).

Code 10 Call
The telephone call merchants make to their authorization centers when they have
reason to believe that a card or transaction is not valid, but do not wish to alert the
customer of their suspicions. The merchant dials the center and requests a “Code 10
authorization.” In most cases, the call is then referred to the account issuer for special
handling.

Common Purchase Point (CPP)
The merchant location or other site at which data theft or replication occurs in a
skimming scam.

Compromised Account Management System (CAMS)
Visa operated notification system to alert Visa issuers of recovered, compromised
account numbers and requesting that the issuer take steps to prevent their use
fraudulently.

Credit Voucher
A transaction receipt for a refund or price adjustment to be credited to a cardholder’s
account. Credit vouchers can only be issued to an account for transactions previously
charged to that account. Improper use of credit vouchers by merchants is a violation
of the Visa International Operating Regulations and can result in the termination of the
merchant agreement.

CreditMaster
A computer program used by criminals to generate lists of potentially valid bankcard
account numbers for fraudulent use. CreditMaster is the most well-known of several
account number-generating programs that can now be downloaded from the Internet.
These programs are not illegal; however, criminals can be arrested for using
computer-generated account numbers in counterfeit or other fraud scams.


DBA
A DBA (Doing Business As) is a merchant’s legal business name as differentiated from
the names of a company’s principals or other entity that owns or manages the business.
If a merchant’s DBA is different from the principal’s or business name on a merchant
application, both should be submitted to a credit bureau and matched during the
application review process.

Direct Deposit Account (DDA)
A business bank account that a merchant establishes with an acquirer for the deposit
of payments for bankcard transactions. Prospective merchants should open a Direct
Deposit Account with an acquirer before or at the time a merchant agreement is signed.

Dove Hologram
A three-dimensional hologram of a dove in flight that may appear on the front of valid
Visa Brand Mark or Visa logo cards. When the card is tilted back and forth, the dove
should appear to “fly.” The dove hologram is one of the card security features that
merchants should check to ensure a card-present transaction is valid.

Draft
See Sales Transaction Receipt.

Electronic Commerce Indicator (ECI)
A transaction data field used by Internet merchants and acquirers to differentiate Internet
merchants from other merchant types. Use of the ECI in authorization and settlement
messages helps Internet merchants meet Visa processing requirements, and enables
e-commerce transactions to be distinguished from other transaction types. Visa requires
all Internet merchants to use the ECI.

Electronic Data Capture (EDC)
An electronic system that uses a data capture terminal located at a merchant’s place of
business to record and authorize transactions. Authorized transactions are automatically
stored and then processed at the end of each business day. Funds are transferred
directly to the acquirer’s account, and then to the merchant, within 48 hours.

Embossed Number
The 16-digit account number that appears in raised print on the front of all valid Visa
cards. The embossed number is one of the card security features that should be checked
by merchants to ensure that a card-present transaction is valid.

Encrypting PIN Pad (EPP)
A device for secure PIN entry and encryption without a display or card reader. An EPP is
typically used in an ATM for PIN entry and controlled by an ATM device controller. An
EPP has a clearly defined physical and logical boundary, and a tamper-resistant or
tamper-evident shell.

Encryption
The translation of data into a secret code. Encryption is the most effective way to
achieve data security. To read an encrypted file, you must have access to a secret key or
password that enables you to decrypt it. Unencrypted data is called plain text; encrypted
data is referred to as cipher text. There are two main types of encryption: asymmetric
encryption (also called public-key encryption) and symmetric encryption.

Encryption and Support Organization (ESO)
An organization that performs cryptographic key management services to support their
member’s ATM programs or to deploy point-of-sale PIN Entry Devices (POS PEDs) or
PIN pads. Additionally, some members outsource various cryptographic key
management responsibilities to ATM and PIN pad manufacturers, which would also be
considered ESOs in this capacity, to improve the efficiency of their Visa programs.

Even-monetary Transaction
A bankcard transaction for an even-dollar amount, for example, US $10.00 rather than
US $10.25. A large number of even-dollar transactions deposited by a single merchant
may be the first sign of a fraud scam.


Exception Report Reports on unusual or suspicious sales activity—such as a sudden change in the number
or average dollar amount of transactions—generated by an acquirer’s host system or
third-party processor. Visa strongly recommends that acquirers monitor all merchant
deposits and review exception reports daily.

Face-to-Face See Card-Present.

Floor Limit A specific dollar limit established for a single transaction over which a merchant must
obtain authorization.

Flying V A stylized, embossed “V” located to the right of the Good Thru Date on all valid Visa
cards. The “flying V” is one of the card security features that should be checked by
merchants to ensure that a card-present transaction is valid.

Full-track Data A cardholder’s complete account information, including CVV, encoded in one or two
tracks on the magnetic-stripe on the back of a valid bankcard. Acquirers should ensure
that merchants’ POS terminals are set up so that full-track data can be read but not
displayed during authorization and transaction processing.

Global Merchant Chargeback Monitoring Program (GMCMP) A Visa-operated program that reduces high
customer dispute levels and increases consumer confidence in using Visa cards by:
• Identifying merchants that generate a disproportionate number of international chargebacks.
• Allowing issuers to recover chargeback processing costs as a result of inadequate
  acquirer/merchant risk management practices.
• Encouraging adoption of sound risk controls by merchants and acquirers.

Good Thru Date The date after which a bankcard is no longer valid, embossed on the front of all valid
Visa cards.

Hacker A person who deliberately logs on to other computers by circumventing the log-on
security system. This is sometimes done to steal valuable information or to cause
irreparable damage.

High-Risk Telemarketing Merchant A merchant whose business includes telemarketing activity that
presents a financial or goodwill risk to Visa and its members. Businesses designated by Visa as
“high-risk” telemarketing merchants include direct marketing travel-related arrangement services,
inbound teleservices, and outbound telemarketing firms. Before signing a business of this type,
acquirers must submit a High-Risk Telemarketing Merchant Registration and Certification Form to
Visa.

Identification Report An element of the Risk Identification Service (RIS); a report triggered by
excessive fraud or suspect activity at a merchant location and sent to the merchant’s acquirer,
who may then be required to take remedial action to help the merchant reduce fraud losses. RIS
issues four types of identification reports: Advices, Notifications, Alerts, and Warnings. The
remedial action an acquirer takes will depend on the type and number of alerts received in a
six-month period.

Independent Sales Organization (ISO) An organization that has a direct relationship with issuing
and/or acquiring members. Members contract with ISOs to provide specific services such as
merchant solicitation, cardholder solicitation, customer service and card application processing.
Plus ISOs act on behalf of members to deploy and/or service qualified ATMs. Prepaid ISOs have
relationships with issuers to solicit other entities (i.e., merchant, corporate members,
government entities, etc.) to sell, activate or load prepaid cards.

Internet Gateway Vendors Third-party vendor that supplies a computer network to the merchant that
forwards transaction activity to the acquirer.

Internet Payment Service Provider (IPSP) An online entity that contracts with an acquirer to
provide payment-related services to sponsored merchants. The IPSP interfaces with the acquirer on
behalf of its sponsored merchants, and must ensure that its sponsored merchants are contractually
obligated to operate according to Visa requirements. IPSPs are responsible for the actions of
their sponsored merchants, and bear liability for their actions. An IPSP is only permitted to
sign sponsored merchants.

Internet Protocol (IP) Address A unique number that is used to represent every single computer in
a network. All the computers on the Internet have a unique IP address, which is used to route
messages to the correct destination within the Internet’s worldwide web of computers and other
related devices. The format of the IP Address is four sets of numbers separated by dots
(e.g., 198.123.124.7).

Issuers’ Clearinghouse Service (ICS) A centralized, nationwide database of bankruptcy, fraud,
unauthorized use, questionable data, and credit application information. The Issuers’
Clearinghouse Service (ICS) provides Visa and MasterCard® issuers in the U.S. with unique
information to assist them in making decisions about whether to issue a card to a new applicant.
Issuers may also query the database on existing accounts prior to reissue, for credit line
increases, and more. To avoid potential fraud losses, U.S. acquiring members can also use the ICS
service to check merchant applicants during the merchant underwriting process.

Key-entered Fraud The use of key-entered transactions for depositing fraudulent sales transaction
receipts. Key-entered fraud often occurs in bust-out scams, laundering, and telemarketing
schemes.

Key-entered Transaction A bankcard transaction that is entered on the alphanumeric keys of a POS
device by using the terminal’s manual override feature. Key-entering is used for card-absent
sales and for card-present sales where the terminal cannot “read” a card’s magnetic-stripe.

Laundering Any situation where a business with a valid merchant agreement deposits transactions for
a company without an agreement. Whether or not the transactions processed are actually
fraudulent, laundering is a federal offense and a violation of the Visa International Operating
Regulations. It can result in a business losing its merchant agreement and being liable for
criminal prosecution.

Magnetic-Stripe (Mag-stripe) A strip of magnetic tape on the back of all bankcards that is “read”
when a card is swiped through a POS terminal. The stripe is encoded with identifying account
information as specified in the Visa International Operating Regulations. On a valid card, the
account number on the magnetic-stripe matches the embossed number on the front of the card.

Mail Order/Telephone Order (MO/TO) A merchant, market, or sales environment where mail or
telephone sales are the primary or a major source of income. Such transactions are frequently
charged to customers’ bankcard accounts.

Member An organization that is a member of Visa and which issues cards and/or signs
merchants.

Merchant Account Identification Number A unique number assigned to merchants by their bank.

Merchant Agreement The contract between a merchant and an acquirer permitting the merchant to
accept Visa cards for payment of goods and services, and requiring that the merchant abide by
certain rules governing the acceptance and processing of Visa transactions.

Merchant Application A form acquirers use to obtain necessary personal and financial information
about a merchant before signing a merchant agreement with the merchant’s business. As specified
in the Visa International Operating Regulations, individual acquirers determine the design of the
merchant application and the specific information requested.

Merchant Fraud Performance (MFP) Program A monitoring program that identifies merchants with
exceptionally high levels of fraud. It includes a set of global standards, as well as
intra-regional and/or domestic thresholds.

Merchant Profile A report compiled and periodically updated by acquirers on each of their merchants,
which is used to evaluate ongoing risk exposure and to investigate suspected instances
of fraud. The merchant profile should contain basic information on a company—
including its current financial health, number of employees, type of POS terminal used—
and document its account history, previous incidents of fraud, and any recent changes in
ownership, sales methodology, and transaction volumes.

Merchant Servicer (MS) An organization that stores, processes, or transmits Visa account numbers
on behalf of the member’s merchant. The MS has a contract with the merchant, not the member.

Mini-Dove Design Hologram (May appear on the back of Visa Brand Mark Cards) The mini-dove design
hologram may appear on the back anywhere within the outlined areas shown on page 80 of this
manual. A three-dimensional dove hologram should reflect light and seem to change as you tilt the
card. Most counterfeit cards contain a one-dimensional printed image on a foil sticker.

Multiple Applications The practice, used by criminals in bust-out merchant and other fraud scams,
of submitting applications for merchant accounts to several acquirers at the same time.

National Merchant Alert Service (NMAS) National databases that list information on terminated or
high-risk merchants. The NMAS is available only in participating country markets in the
Asia-Pacific and Latin America regions; each country has its own service. Acquirers in countries
with an NMAS can query the file for information before signing a merchant.

Non-Face-to-Face See Card-Absent.

Normal Weekly Activity Parameters established by acquirers to identify and monitor merchant
transaction activity and detect any unusual or suspicious patterns in merchant deposits.
Acquirers are required to set Normal Weekly Activity parameters as part of the Merchant Deposit
Monitoring Standards program.

Payment Card Industry (PCI) Data Security Standard (DSS) A set of comprehensive requirements for
enhancing payment account data security. The PCI DSS was developed by the founding payment brands
of the PCI Security Standards Council, including American Express, Discover Financial Services,
JCB, MasterCard Worldwide and Visa International, to help facilitate the broad adoption of
consistent data security measures on a global basis. The PCI DSS is a multifaceted security
standard that includes requirements for security management, policies, procedures, network
architecture, software design and other critical protective measures.

Payment Card Industry (PCI) Security Standards Council An open global forum for the ongoing
development, enhancement, storage, dissemination and implementation of security standards for
account data protection.

Payment Gateway A system that provides e-commerce services to merchants for the authorization and
clearing of Secure Electronic Transaction Specification-compliant transactions.

Pick-up Response An authorization response instructing a card-present merchant to refuse a
transaction and recover the card. In all circumstances, card recovery should only be attempted if
it can be done by reasonable and peaceful means.

PIN Entry Device (PED) A keypad, laid out in a prescribed format, combined with electronic
components housed in a tamper-resistant or tamper-evident shell that can capture and encrypt
cardholder PINs.

Point of Sale (POS) The physical location at which a bankcard transaction takes place.

Point-of-Sale Terminal (POS Terminal) The electronic device used for authorizing and processing
bankcard transactions at the point of sale.

Potentially Skimmed Transaction A counterfeit fraud transaction in which skimming is suspected as
the source of the counterfeit account number. A potentially skimmed transaction can be identified
by three characteristics: a POS Entry Mode Code 90, a verified CVV, and confirmation that the
legitimate cardholder is still in possession of the valid card.

Principal The individual or individuals who hold legal ownership and who manage and are
financially responsible for a business with a merchant account with an acquirer. When
underwriting a new account, acquirers should conduct a thorough financial investigation
of the business’ principals.

Printed Account Number The 16-digit account number that may appear in print on the front of valid
Visa cards. The printed number is one of the card security features that should be checked by
merchants to ensure that a card-present transaction is valid.

Printed Number A four-digit number that is printed below the first four digits of the printed or embossed
account number on all valid Visa cards. The four-digit printed number should begin
with a “4,” and be the same as the first four digits of the account number above it. The
printed four-digit number is one of the card security features that merchants should
check to ensure that a card-present transaction is valid.

Referral Messages A “Call” or “Call Center” response to a merchant’s or member’s request for an
authorization. A referral message indicates that the issuer needs more information about the
transaction or cardholder before an approval can be issued.

Risk Identification Service (RIS) A Visa loss control program for acquirers that compiles fraud
data and identifies merchant locations where fraud or other risk-related activity exceeds
parameters set by Visa. Acquirers receive identification reports on merchants with excessive
fraud activity and are required to take remedial action to help the merchant reduce losses.

Sales Transaction Receipt A paper or electronic record of a bankcard transaction, which a
merchant submits to an acquirer for processing and payment. In most cases, paper drafts are now
generated by a merchant’s POS terminal. When a merchant fills out a draft manually, it must
include an imprint of the front of the card.

Scrip Paper currency or a token issued for temporary use.

Security Module A physically and logically secure computer that performs cryptographic processes.

Signature Panel The panel for the cardholder’s signature on the back of all Visa cards. The words
“Authorized Signature” and “Not Valid Unless Signed” must appear above, below, or
beside the signature panel. A three-digit CVV2 code appears either in a white box to the
right of the signature panel, or in a white box within the signature panel.

Site Inspection A thorough, physical investigation of a prospective merchant’s primary business
location or locations. A site inspection is required prior to signing a new merchant, and if an
acquirer uses a Third-Party Agent for account solicitation, the inspection should be conducted by
an independent Third-Party Agent. Site inspections are required for Third-Party Agents as part of
the agent Registration Program and may also be appropriate when merchant fraud is strongly
suspected or confirmed at a business location.

Skimmed Counterfeit Fraud See Skimming.

Skimming The replication of account information encoded on the magnetic-stripe of a valid card
and its subsequent use for fraudulent transactions in which a valid authorization occurs.
Full-track data is captured from a valid card and then re-encoded on a counterfeit card.
The term “skimming” is also used to refer to any situation in which electronically
transmitted or stored account data is replicated, and then re-encoded on counterfeit
cards or used in some other way for fraudulent transactions.

*In certain markets, CVV2 is required for card-absent transactions.

Spike A sudden, dramatic increase in a merchant’s daily sales activity—usually an unexpected
jump in the number or dollar amount of transactions—which is often the first sign of a potential
fraud scam. A spike will occur over a very brief period of time, two or three days or a week,
after which the merchant will empty its Direct Deposit Account and disappear. Spikes are
associated with a number of merchant fraud scams, including bust-out merchants, laundering, and
telemarketing fraud.

Split Sale The preparation of two or more sales transaction receipts for the purchase of a single
item charged to a cardholder’s single account, in order to avoid authorization limits. Split
sales are a violation of the Visa International Operating Regulations.

Sponsored Merchant An online seller that contracts with an Internet Payment Service Provider
(IPSP). The IPSP performs some or all of the sponsored merchant’s payment-related operations on
its behalf. The sponsored merchant must meet all card acceptance requirements in the Visa
International Operating Regulations, with the single exception that it may have a contract with
an IPSP, rather than an acquirer.

Spoof Shop A fraudulent merchant location—such as a storefront or website—set up for the sole
purpose of stealing or replicating account information from legitimate cardholders. A
spoof shop may or may not have a valid merchant agreement, but will act as if it does;
merchandise or services are sold to customers, but few or no transactions are entered
for settlement. Spoof shops are most often associated with skimming and account
testing scams.

Telemarketing Fraud A type of fraud in which false or inflated offers of merchandise or services,
such as vacations, vitamins, or luggage, are “sold” over the telephone by high-pressure
salespeople promising fabulous prizes. In many cases, the true goal of the scam is to get
individuals to give out their bankcard account numbers, which are then used for fraudulent
transactions.

Third-Party Agent An entity that provides payment related services, directly or indirectly, to a member
and/or stores, processes, or transmits cardholder data. A Third-Party agent must be
registered by all Visa members utilizing their services, directly or indirectly.

Third-Party Servicer (TPS) An organization that stores, processes, or transmits Visa account
numbers. The TPS has a direct relationship with issuing and/or acquiring members.

Track Data See Full-track Data.

Transaction The act between a cardholder and merchant or cardholder and financial
institution which results in the sale of goods or services.

Transaction Draft See Sales Transaction Receipt.

Transaction Monitoring Regular review of a merchant’s transaction records by an acquirer to check
for any sudden changes in sales activity. A pattern of unusual or suspicious transactions
discovered by rigorous daily monitoring is often the first sign of a fraud scam.

Unauthorized Use A fraudulent card-absent transaction charged to a bankcard account number by a
perpetrator posing as a valid cardholder. In most cases, the account numbers used in these scams
are valid, but have been illegally obtained by the perpetrators.

Unsigned Card A seemingly valid Visa card that has not been duly signed by the legitimate cardholder.
Merchants cannot accept an unsigned card until the cardholder has signed it, and the
signature has been checked against valid government identification, such as a driver’s
license or passport.

Unusual Activity Any sales activity that exceeds 150 percent of a merchant’s Normal Weekly Activity
parameters, or an elapsed time of over 15 days between a transaction’s deposit and
processing dates. Acquirers must process merchant deposits so that an Exception report
is generated whenever unusual activity occurs.
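
The Unusual Activity rule above, applied to a batch of merchant deposits, as an added example that is not part of the Visa manual. It assumes Normal Weekly Activity is kept as a weekly transaction count and dollar volume per merchant and that weeks are ISO weeks of the deposit date; the merchant IDs, amounts and the NO_BASELINE reason are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds quoted in the "Unusual Activity" glossary entry.
UNUSUAL_PERCENT = 150      # activity must EXCEED 150 percent of the baseline
MAX_ELAPSED_DAYS = 15      # more than 15 days between deposit and processing


@dataclass(frozen=True)
class NormalWeeklyActivity:
    """Assumed shape of the acquirer-set parameters (not defined by the manual)."""
    txn_count: int
    volume_cents: int


@dataclass(frozen=True)
class Deposit:
    merchant_id: str
    deposit_date: date
    processing_date: date
    amount_cents: int      # integer cents avoid float rounding at the threshold


@dataclass(frozen=True)
class ExceptionLine:
    merchant_id: str
    reason: str
    detail: str


def exceeds(actual, baseline):
    """True only when actual is strictly above 150 percent of baseline."""
    return actual * 100 > baseline * UNUSUAL_PERCENT


def exception_report(deposits, baselines):
    """Return one ExceptionLine per rule hit, using ISO weeks of the deposit date."""
    weekly = defaultdict(lambda: [0, 0])   # (merchant, year, week) -> [count, cents]
    lines = []
    for dep in deposits:
        year, week, _ = dep.deposit_date.isocalendar()
        totals = weekly[(dep.merchant_id, year, week)]
        totals[0] += 1
        totals[1] += dep.amount_cents
        elapsed = (dep.processing_date - dep.deposit_date).days
        if elapsed > MAX_ELAPSED_DAYS:
            lines.append(ExceptionLine(dep.merchant_id, "ELAPSED_TIME",
                                       f"{elapsed} days from deposit {dep.deposit_date}"))
    for (merchant_id, year, week), (count, cents) in sorted(weekly.items()):
        label = f"{year}-W{week:02d}"
        base = baselines.get(merchant_id)
        if base is None:
            # No parameters on file: surface it rather than silently skip the merchant.
            lines.append(ExceptionLine(merchant_id, "NO_BASELINE", label))
            continue
        if exceeds(count, base.txn_count):
            lines.append(ExceptionLine(merchant_id, "TXN_COUNT",
                                       f"{label}: {count} vs normal {base.txn_count}"))
        if exceeds(cents, base.volume_cents):
            lines.append(ExceptionLine(
                merchant_id, "DOLLAR_VOLUME",
                f"{label}: {cents / 100:.2f} vs normal {base.volume_cents / 100:.2f}"))
    return lines


def sample_deposits():
    """Constructed sample data; merchant ids and amounts are invented."""
    monday = date(2010, 10, 4)
    deps = []
    # M-1001, first week: 60 deposits is exactly 150 percent of 40, so NOT unusual.
    for i in range(60):
        d = monday + timedelta(days=i % 7)
        deps.append(Deposit("M-1001", d, d + timedelta(days=1), 3000))
    # M-1001, second week: 61 deposits of 50.00 exceed both count and volume limits.
    for i in range(61):
        d = monday + timedelta(days=7 + i % 7)
        deps.append(Deposit("M-1001", d, d + timedelta(days=1), 5000))
    # M-2002: 15 days elapsed is within the limit, 16 days is not.
    deps.append(Deposit("M-2002", date(2010, 10, 5), date(2010, 10, 20), 2500))
    deps.append(Deposit("M-2002", date(2010, 10, 5), date(2010, 10, 21), 2500))
    # M-3003 has no Normal Weekly Activity parameters on file.
    deps.append(Deposit("M-3003", date(2010, 10, 6), date(2010, 10, 7), 1000))
    return deps


SAMPLE_BASELINES = {
    "M-1001": NormalWeeklyActivity(txn_count=40, volume_cents=200_000),
    "M-2002": NormalWeeklyActivity(txn_count=10, volume_cents=100_000),
}

if __name__ == "__main__":
    for line in exception_report(sample_deposits(), SAMPLE_BASELINES):
        print(line.merchant_id, line.reason, line.detail)
```

Both comparisons are strict, so a week at exactly 150 percent of the baseline, or a deposit processed exactly 15 days later, does not produce an exception line.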

Verified by Visa Validates a cardholder’s ownership of an account in real time during an online Visa
card transaction. When the cardholder clicks “buy” at the checkout of a participating
merchant, the merchant server recognizes the registered Visa card and the “Verified by
Visa” screen automatically appears on the cardholder’s desktop. The cardholder enters
a password to verify his or her identity and the Visa card. The issuer then confirms the
cardholder’s identity.

Visa Cardholder Information Security Program (CISP) A Visa program that establishes data security
standards, procedures, and tools for all entities—merchants, agents, issuers, and acquirers—that
store Visa cardholder account information. Now known as the Account Information Security (AIS)
Program.

Visa Electron Card A Visa International debit card that is currently accepted, but not issued in
the United States and can only be used for card-present transactions. Electron cards have
slightly different security features than other Visa cards: the front of the card contains an
Electron rather than dove hologram, and the 16-digit account number is printed, not embossed.

Visa Brand Mark Visa Brand Mark must appear in blue and gold on a white background in either the
bottom right, top left, or top right corner.

Visa payWave A payment method that uses the latest technology to send card data wirelessly to a
terminal reader. A cardholder simply holds their card in front of the reader.

Visa Easy Payment Service (VEPS) Provides face-to-face merchants with the ability to accept a
Visa card issued in any country for purchases of US $25 or under without requiring a cardholder
signature or PIN and foregoing a receipt unless requested by the cardholder.

VisaNet The systems and services, including BASE II, through which Visa delivers authorization
and transaction processing services to its members.

VisaNet Access Point (VAP) Visa equipment and software used to access the VisaNet system.

VisaNet Processor (VNP) A member, or a Visa-approved third-party that is directly connected to
VisaNet, and provides authorization, clearing, or settlement services for merchants and/or
members.

Voice Authorization An authorization obtained by telephoning an authorization center.

Appendix A

• Sample Merchant Application
• Sample Third-Party Site Inspection Tools

Sample Merchant Application

Sample Third-Party Site Inspection Form

Appendix B

• Quick Reference — Attended and In-Store Fraud Prevention
• Quick Reference — Automated Fuel Dispenser Fraud Prevention

Quick Reference — Attended and In-Store Fraud Prevention

Manager/Employee Best Practices

• Always get a signature or PIN for all in-store transactions, except when the transaction is
  processed under the Visa Easy Payment Service (VEPS).
• Compare and match the account number. If your terminal does not prompt for key entry of the
  last four digits, compare the number on the Visa card to the number shown on the POS terminal
  display or the sales receipt. If the numbers do not match, you may have a counterfeit card.
  (This recommendation does not apply to multi-application EMV chip cards.)
• Take appropriate action based on the authorization message response.

  Response    Action
  Approved    Ask the customer to sign the sales receipt and compare signatures.
  Declined    Return the card to customer and ask for another Visa card.
  Call        Call your authorization center and tell them you received a “call” message.
              Be prepared to answer questions. The operator may ask to speak with the
              cardholder.
  Pick Up     Keep the card if you can do so safely.

• For all key-entered and manually authorized transactions (Unable to process authorization
  using card-swipe):
  – Imprint payment card after receiving issuer authorization, add all required data elements
    and verify Visa card security features.
  – Obtain cardholder’s signature on transaction receipt and compare it to the signature panel
    located on back of the Visa card.
• While processing a transaction, always check the card security features. Any sign of tampering
  may mean that you have been given a counterfeit card.
• Be aware of suspicious activity at the counter.
  – Individual buying an unusual amount of convenience store items.
  – Limited or no eye contact from customer and/or they are acting “strangely.”
  – Buying large amounts of alcohol, cigarettes, and phone cards/gift cards.
  – Buying money orders and/or lottery tickets with credit card.
  – Attempting to bribe the cashier.
  – Requesting large amounts of cash back on small purchases.
• Monitor levels of key-entered transactions. Managers of multiple stores should monitor the
  number of key-entered transactions for unusual activity. While higher than normal levels of
  key-entered transactions may indicate a faulty card-reader (which may impact the MDR), they may
  also indicate an attempt at fraudulent activity by store personnel.

Quick Reference — Automated Fuel Dispenser Fraud Prevention

Manager/Employee Best Practices

• Monitor suspicious activity at automated fuel dispensers. Managers and employees should be
  continually on the lookout for the warning signs of automated fuel dispenser fraud, which can
  include:
  – A single customer activating multiple automated fuel dispensers.
  – Filling multiple vehicles from one automated fuel dispenser transaction.
  – Filling large non-vehicle containers.
  – Fueling several times a day (system wide and location specific).
  – Card testing (inserting payment card for authorization without pumping).
  – Island surfing (persons walking around offering to pump fuel with their payment card in
    exchange for cash).
• Routinely inspect automated fuel dispensers to ensure skimming devices and foreign
  hardware/software are not present.
• Eliminate “church key” access to mitigate automated fuel dispenser tampering. Some older
  automated fuel dispensers share common keys that allow service station employees and service
  technicians to easily gain access to the dispenser’s interior. Unfortunately, fraudsters have
  exploited this ease-of-entry feature, using copies of the keys to gain unauthorized access.
• Routinely walk around automated fuel dispensers to spot suspicious activity.
• Apply system offline (authorization system not available) procedures as needed.
  – Alert owner/operator headquarters of all offline issues.
  – Verify transmission is not blocked or purposely interrupted.
  – Temporarily have dispensers direct cardholders to “See Attendant” for all transactions.
  – Call the Visa Authorization Center for authorization requests that exceed predetermined
    transaction amount (set lower limits at high-risk locations).
  – Make sure to imprint front of card for all manually authorized transactions.
  – For manually authorized transactions, retain card while receiving authorization and verify
    card security features.
  – Obtain cardholder signature and compare to back of card.

© 2010 Visa. All Rights Reserved. VRM 10.02.10
