Merchant Credit Card Processing Best Practices
In spite of technological advances and other efforts, criminals are still finding ways to carry out fraudulent activity. Should they come your way, there are steps you can take to limit your risk.
We've outlined the basics to get you started, but also check out our whitepapers section for more best practices. And be sure to utilize the card brands (e.g. American Express®, Discover®, MasterCard® and Visa®) for reliable resources and the most up-to-date fraud prevention information.
In most POS situations, the cardholder, not the business owner, inserts the card into the terminal. Use the following best practices when accepting a chip card.
- Ask your customer to insert their card into a chip ready device and leave it in the device during the entire transaction.
- The chip card and terminal will determine if a PIN or signature is required for verification.
- If a PIN is required, the device prompts the customer to enter it. (When a PIN-based transaction is approved, the customer retrieves the chip card from the terminal. There is no opportunity for the business owner to examine the card.)
- If the transaction is PIN-verified, there is no need for a signature.
- If the customer does not know their PIN, ask for another form of payment.
- Print a copy of the transaction receipt for the customer.
- If the transaction is not PIN-based, the receipt will have a signature line for the customer to sign.
- Ask the customer for their card to compare signatures from the receipt and the back of the chip card. Do not accept an unsigned card.
If the POS terminal (or credit card terminal) cannot read the chip on the card, follow “fallback” acceptance procedures and swipe the card’s magnetic stripe or key enter the data. Warning: swiping or key-entering a transaction increases the risk of accepting a counterfeit card because the chip information is not available. And, with the October 1, 2015 liability shift, liability for chip card-present fraud shifts to whoever is not using chip technology.
- Check the card security features to make sure that the card has not been altered.
- Swipe the stripe through the terminal in one direction only.
- Check the authorization response and take appropriate action.
- Get the cardholder’s signature on the transaction receipt.
- Compare the name, account number, and signature on the card to those on the transaction receipt. They should match.
- Call or email the customer back verifying the order
- Include your phone number in the customer service field
If a card cannot be swiped, card account data must be entered into a POS terminal. Warning: key-entering a transaction increases the risk of accepting a counterfeit card because the magnetic stripe information is not available.
Use the following steps when key-entering a transaction:
- Check the POS terminal to ensure it is operating properly. If the terminal is OK and the problem appears to be with the card’s magnetic stripe, continue to step 2.
- Match the account number. Verify the embossed account number on the front of the cards matches the number indent-printed on the back.
- Check the expiration date. Look at the “good thru” or “valid thru” date to be sure the card hasn’t expired. If the card has a “valid from” date, be sure the card isn’t being used before it is valid.
- Follow any prompts, including requests for entering the CVV. If the card does not have a legible CVV, consider asking for another method of payment.
- Check the signature on the card to ensure it matches the signature on the sales draft. Do not accept an unsigned card.
If you suspect fraud, immediately make a Code 10 call to your voice authorization center.
- Get an authorization.
- Ask for the card expiration date and include it in your authorization request. An invalid or missing expiration date can indicate the person on the other end does not have the actual card in hand.
- Use fraud detection tools like Address Verification Service (AVS) and Card Verification Value (CVV) as part of your authorization process.
- Be on the lookout for questionable transaction data or other signs indicating an “out of pattern” order.
- If you receive an authorization but still suspect fraud:
- Ask for additional information (e.g., request the financial institution name on the card).
- Contact the cardholder with any questions.
- Confirm the order separately by sending a note via the customer’s billing address rather than the ship-to address.
Remember, an authorization is not a guarantee of payment. An authorization means funds are available and the card has not yet been reported as lost or stolen.
In all cases, if you suspect fraud, immediately make a Code 10 call to your voice authorization center.
For more tips and best practices for your merchant credit card processing program, we recommend these resources:
- Best Practices whitepapers
A full library of whitepapers with tips and information to help run your payment program.
- Understanding the basics
Short videos built to quickly catch you up on how transactions work, how to hold down fees, and tips for preventing chargebacks.
- PCI & Data Security basics
Easy-to-understand information to get you started or keep you moving in the world of PCI compliance.
- TSYS Payment PerspectivesSM Blog
Regulary updated posts on information, tips and trends happening in payments today.
- Card Acceptance Guidelines for Visa® Merchants and Chargeback Management Guidelines for Visa Merchants
Visa merchant guidelines for processing transactions and preventing or responding to cardholder disputes.
If you have equipment or services that are due for an upgrade, or to make implementing best practices easier, view our Merchant Solutions and browse the many product and service solutions available to TSYS Merchant Solutions customers.