merchantmail
issue 4
Your EFTPOS and merchant services update
March 2013
Welcome
Welcome to the fourth edition of Westpac’s quarterly Merchant newsletter. We’re back again to keep you up-to-date with market changes in the world of EFTPOS and credit card processing, to help you avoid pitfalls and to assist you with maximising new opportunities. We’d love to hear what you think and what you’d like to see in future issues, so please email your feedback and input to the Merchant team at
[email protected].
For more information call 0800 888 066
Westpac New Zealand Limited

Card Not Present – Best Practice Guide for Merchants
There are a number of benefits for merchants who operate in the card-not-present (CNP) environment, including various opportunities to enhance customer relationships, attract new customers, and increase sales revenue. There are, however, some additional fraud risk challenges. Thieves are primarily interested in two things: stealing your sensitive payment data to re-sell on the black market, and/or using that payment data to steal goods and services from you or your customers. Hackers are constantly testing systems to identify and exploit points of weakness in security, with increasing success. Here are some key points to look out for when taking orders in a CNP environment:

Warning signs for card not present transactions
You should be wary of any internet, mail or telephone order transactions where one or more of the following indicators are present:
• The contact person’s name is different from the name on the credit card used for the purchase
• Orders placed where the purchaser admits that it’s not their card being used
• Larger than normal purchase orders
• Purchase order(s) for several of the same item, or big ticket items
• Orders placed where card numbers used are very similar and/or use sequential card numbers
• Orders originating from Internet addresses using free email services
• Orders that are requested to be shipped by rush or overnight delivery, or where the customer is in a rush to pick up the goods
• Multiple orders shipped to a single address
• Orders that request that the cost of the transaction be split across one card or several cards
• Orders going to an international delivery address
• Orders shipped to a country which you don’t normally deal with
• Orders shipped to a country where the goods would be readily available in the local market
• Orders originating from suspect countries including Russia, Indonesia, Malaysia, Nigeria, Singapore and Ghana. These countries have the highest rate of fraudulent transaction orders
• Orders of an irregular type for your business (for example fraudsters were ordering mobile phones and laptops through businesses that did not provide these goods). Treat these requests as suspicious.

What do I need to do?
For orders delivered in New Zealand
• Check the telephone directory (available online) to verify the customer’s name, address and telephone number. Be wary of mobile phone numbers
• Request the customer to provide the name of their employer, street address and telephone number. Check the details in the telephone directory – if the phone number matches, call that number to verify the person is employed there and then speak to that person to verify the order
• Inform customers your courier will not deliver unless they sight appropriate photo identification. Ensure deliveries are made by your couriers and that they deliver the goods inside the premises or see the person come from inside the premises
• If the person comes to your place of business to collect the goods, advise the cardholder to bring their credit card, so that the transaction can be completed in person (i.e. complete a normal card present transaction).
For orders delivered overseas
• Request the customer provides the name of their employer, street address and telephone number. Contact Telecom International Directory Assistance to check the telephone number (normal Telecom charges will apply). Call the company supplied by the customer – if the phone number matches, call that number to verify the person is employed there and then speak to that person to verify order
• Repeat with the customer’s personal name, address and telephone number. A legitimate customer will not mind and in most cases will appreciate the extra care in protecting the account from fraudulent use.
‘Code 10’ or suspicious transaction procedure
If you’re suspicious of a card transaction, follow the procedures below:
• Dial 0800 888 066, press ‘1’
• Press ‘4’ for suspicious cards
• Press the # key to confirm
• The call will be transferred to a Customer Service Representative
• Advise that you’re suspicious of the transaction
• If the presenter of the card can hear your conversation, state this is a ‘Code 10’ call – the Customer Service Representative will instruct you what to do from there.
Terminal Risk Management
For merchants with EFTPOS terminals, below is some useful information covering Electronic Offline Vouchers (EOV), terminal security and fallback (when a chip card isn’t working as it should). Please take the time to read the following information, and share it with your team. You can also find extra information on these topics on the Paymark website www.paymark.co.nz
Electronic Offline Vouchers (EOV)
What is EOV?
EOV comes into effect when connection with the Paymark network has been lost (such as a telecommunications issue). When an EFTPOS terminal is in EOV mode, transactions are stored in the terminal memory and are processed once connection to the Paymark network has been restored.

How do I know the terminal has switched to EOV mode?
The terminal will display the message EFTPOS OFFLINE and will ask PROCESS TRANSACTION OFFLINE Y/N? to which you’ll need to make a selection. Each receipt will have AUTH xxxx printed on it (below the card type).

What do I need to do?
Transactions will process as normal (i.e. you swipe or insert the card and proceed normally), however you’ll need to check the card type to ensure it’s a valid type that you would normally accept. You must also ensure the card hasn’t expired, and have the cardholder sign the receipt as they’ll not be able to enter their PIN - even for EFTPOS transactions.

Points to note
• First check the terminal’s cables and phone line to ensure they haven’t caused the loss of connection with the Paymark network
• Try a manual logon
• Transactions over $300 cannot be processed in EOV mode so contact the Authorisation Centre and process these transactions on a manual voucher
• Refunds and cash out transactions cannot be processed in EOV mode
• EOV transactions must be uploaded once connection to the Paymark network has been restored – don’t leave them stored in your terminal’s memory
• You must stop using the EOV process to accept transactions as soon as practicable after the technical problems are resolved. (from CECS rules)
• Also don’t make any changes to your terminal until the stored transactions have been uploaded – if the terminal ceases to operate or the software is replaced before the upload process is completed, you’re at risk of losing your stored transactions.
For more information please visit www.paymark.co.nz/eov
Terminal Security
It’s vital that you do everything in your power to secure your customers’ payments and protect their personal information, thus reducing the likelihood of credit and debit card fraud.
We’ve come up with some best practice:
• Always ensure that your terminals are secure and under supervision during operating hours. This includes any spare or replacement terminals you may have
• Ensure that only authorised employees have access to your terminals and that they are fully trained on their use
• Never allow your terminal to be maintained, swapped or removed without advance notice from your terminal provider – be aware of unannounced service visits, check their credentials
• Inspect your terminals on a regular basis - check there are no additional cables running from your terminals and that the casing has not been tampered with.
For a complete list of best practices, go to www.paymark.co.nz/fraudprotection
Fallback – Chip card not working
Cards with chips embedded in them should always be processed by “dipping” (inserting) the card into the terminal. There are, however, occasions where the chip cannot be correctly read by the terminal, resulting in the terminal prompting for the card to be swiped. This is known as a fallback transaction and may be caused by a faulty chip card or a faulty terminal. Merchants who force a transaction into fallback in other circumstances increase the risk of fraudulent activity. The chip card must only be swiped if the transaction is unable to be processed via the chip.
References to non-Westpac websites are provided for your convenience only. Westpac accepts no responsibility for the availability of such websites. Westpac New Zealand Ltd. For more information call 0800 888 066. JN9926