Protect Your Shops & Stores

For chip and PIN cards, retailers are not required to perform visual checks of the card, as the cardholder may retain control of the card while the transaction is performed. However, for other transaction types it is important to check each card carefully to ensure it is genuine.

Virtually all UK cards are chip and PIN cards. Extra vigilance should be taken when accepting cards that are not chip and PIN. Not all overseas card issuers have yet upgraded their cards to chip and PIN.

Non-chip and PIN transactions

There are lots of different card designs and card issuers both in the UK and overseas. BUT there are only a handful of valid card schemes which you need to recognise when examining a card. Focus on looking for the signs that tell you which card scheme the card belongs to and what functions that card is valid for.

Take time to look at your own cards so you know just what a valid card should look like. That way you are more likely to spot a fraudulent non-chip and PIN card.

Make sure that you know which card types your business accepts. If you are presented with an overseas non-chip and PIN card, make sure you are particularly vigilant and carry out the security checks outlined on the following pages.

If you follow the same routine every time you handle a non-chip and PIN card transaction you should be able to detect any fraudulent attempts.

A. Check the customer

  • Is the customer nervous or distracting you?
    A criminal may be nervous and seem agitated, or they may try to distract you by being overly friendly or rude. They can also invent stories and make conversation with you to avoid your suspicion and try to make you feel embarrassed about making the necessary checks. Someone committing a criminal act might behave with nervous glances, show an unnatural or forced smile, fidget or avoid eye contact with you.
  • Watch out for random and careless purchases
    Watch out for bulk or hasty purchases. Remember, a fraudster will ultimately be looking to make money. They probably don’t really want the goods except as a means to an end. So be wary of people buying large numbers of the same item, particularly if they are of high value or can easily be sold on for cash. Cigarettes, alcohol and designer goods are common fraudulent purchases, as are electrical equipment, tools, computer software and games etc. Also look out for people who do not bother trying on clothes or don’t show much interest in a product. Customers buying clothes, shoes or higher-value goods are usually interested in what they are buying, so someone who comes in and grabs a random selection of items without any apparent thought may be a fraudster.
  • Does the title on the card match the gender of the person presenting it?
    Check that the title on the card matches the gender of the person presenting it. For example, if the name on the card is Mr Smith and the card is presented by a woman, alarm bells should start ringing!
  • Is the customer buying small-value items with a big cashback?
    Another thing to look out for is customers buying low-value items using debit cards and asking for the maximum cash back.

B. Check the first four digits appear above or below the embossed card number

On MasterCard and Visa cards, ensure the printed digits above or below the first four embossed card numbers are the same. On counterfeit cards, these four digits are often missing, or rub off if you run your finger over the digits. On genuine cards, which have been altered for counterfeiting, they appear but the numbers do not match.

C. Check the card under UV light

Ultra violet, or UV, lights are often used to spot fake currency – but they can also be used to help spot counterfeit cards. Most genuine cards have special inbuilt marks on them which only show up under a UV light. If these UV features are not visible and correct under a UV light, then the card is counterfeit.

Hold the card under the light. You should see the following marks appear:

  • Visa – the letter ‘V’ on the Visa logo
  • MasterCard – the letters ‘MC’
  • Maestro – the word Maestro
  • Amex – the letters AM EX, often with the centurion symbol in the middle

Not all Visa Electron or international Maestro cards carry a UV image.

D. Check the number on the card matches the receipt

This is essential in checking if a card has been skimmed or cloned. Often when a criminal copies details from one card to another during the skimming process, they may not take the trouble to re-emboss the numbers on the card to match the numbers contained in the magnetic stripe. If this is the case, the number on the presented card will not match the number shown on the receipt print-out. Skimming occurs when the genuine data from the magnetic stripe on one card is copied without the cardholder’s knowledge and put on another card.

These criminals secretly copy customer card details with a small electronic gadget called a skimmer and then sell these on or use the details themselves to make counterfeit cards. The cardholder may not realise they have been a victim of fraud until their statement arrives showing transactions they did not make.

If you are suspicious that this kind of activity may be going on where you work, or you see unfamiliar equipment around the sales desk, mention it to a manager. There may well be a legitimate explanation, but don’t ignore it – you could stop innocent people from becoming victims of fraud.

E. Check the signature on the card matches the signature on the receipt

For non-chip and PIN transactions, hold the card as you watch the cardholder sign. Don’t leave the card on the counter so that a fraudster can copy the signature more easily.

If you watch as they sign you can see if they have any difficulty. A fraudster might sign slowly or have trembling hands while signing and handling the card. If you don’t think they match, don’t ask the cardholder to sign again – this gives the fraudster a second chance to get it right. Instead you should make a Code 10 call (see below).

Check that the spelling is the same in the signature and on the card if possible – sometimes fraudsters don’t even spell the name correctly! Also look for big, messy writing on the signature strip which could be covering up the real signature beneath.

Run your finger over the signature strip to look for a raised signature panel or any signs of tampering, like a new strip stuck over the original or “white-out” used to cover the real signature. The signature strip should be flush with the back of the card, not raised.

If a card is presented which has not been signed by the cardholder, ask for the card to be signed and secondary identification to support the signature.

What is a Code 10 call?

If the card or the customer fails any of your checks, or even if you think something doesn’t seem quite right, retain the card, if safe to do so, and call your bank’s authorisation centre and ask for a Code 10 authorisation.

A Code 10 call lets the authorisation centre staff know that you are suspicious of the card or the presenter and that you may not be able to speak freely in front of them.

During the call:

  • have the card in your hand and be ready to answer the operator’s questions.
  • handle the card by the edges if possible to preserve any fingerprints.
  • the operator will probably ask you if the customer can hear what you are saying. If so, the operator will ask you questions which you can answer with ‘yes’ or ‘no’.

The banks won’t mind if it turns out to be a false alarm – it is better to be cautious than let a criminal get away with fraud.

Code 10 calls take longer than a normal authorisation call because you will be put through to the relevant fraud department for extra checks. They in turn will be in live contact with the card issuer. The operator may ask to speak to the customer. If so, make sure you take the phone back from them to complete the call and receive any final instructions from the Authorisation Centre.

You can make a Code 10 call for a chip and PIN transaction if you are suspicious of a customer or the transaction. Inform the operator that you are making a Code 10 call for a transaction using a chip and PIN card. Even if the customer has left the shop as a result of your checking procedures, or you feel threatened and do not consider it safe to make a Code 10 call at the time, make a normal authorisation call to your Authorisation Centre immediately after the customer has left, as this may help to prevent potential fraudulent activity at the next retailer.

The fact that a transaction is authorised and an authorisation code is provided does not guarantee payment, whether it be a standard authorisation or a Code 10 call. Authorisation simply means that the card has not been reported lost or stolen and that there are sufficient funds available at the time of authorisation.

What to do if a customer forgets their PIN

A customer with a chip and PIN card has three attempts to enter their correct PIN. If an incorrect PIN is entered three times the card will become locked. You can always ask the customer for an alternative method of payment.

If a card becomes locked during a transaction tell the cardholder to contact their card issuer immediately. They will advise the customer how to unlock the card.

If you capture a counterfeit card

Sometimes the police may be involved and will want to take the card for evidence. Make sure you take a note of the contact details of the police officer and the crime reference number. Ask the police officer for a receipt for the card. Then tell your acquirer what has happened.

You can also call Crimestoppers anonymously on 0800 555 111 if you have any information about illegal activity.

Protect Your Devices

The chip and PIN devices on your premises are valuable assets that, if not protected throughout their complete life cycle, could be compromised by criminals and used to perpetrate fraud that will ultimately have a financial impact on the retailer and may also cause reputational damage that may further adversely affect business.

The need to secure devices begins from the moment they are released from the vendor to the retailer and the tracking of that asset, once delivered, becomes the responsibility of the owner (acquirer, third party provider or retailer) wherever it is stored, whenever it is in transit and wherever it is installed.

In the case of face-to-face card transactions (i.e. those in shops and stores where the cardholder is present during the transaction) the principal assets under threat are the personal payment card details and PINs used to verify the cardholder’s identity. Personal payment card details – referred to as sensitive cardholder information in the Payment Card Industry Data Security Standard (PCI DSS) – include the primary account number, start and expiry dates, service code and the CSC (card security code). Currently these values can be obtained from the magnetic stripe on a live credit or debit card and from the static data embedded in the integrated circuit of a chip card. This information is at risk when it is captured from the card in a reader or in the data messages passed to and from the point-of-sale. It is possible for fraudsters to use the data that can be captured in a live transaction to create a plausible magnetic stripe clone of the live card.

With the advent of chip and PIN, personal payment card data alone is of limited value for face-to-face transactions in the UK unless the associated PIN can also be obtained by the fraudster. However, the information, including the PIN, is still valuable to fraudsters, particularly for use overseas. The industry has seen an increasing level of sophistication applied to the capture of these assets, either directly from the keypad of a PED or through recording the transaction using hidden micro-cameras. Fraudsters have successfully deployed examples of both attack methods in the past.

Criminals then use the captured card details along with the PIN to manufacture cloned magnetic stripe cards that are then used to withdraw cash from cash machines or at retailers in countries that have not yet upgraded to chip and PIN.

The Payment Card Industry Data Security Standard (PCI DSS) is a mandatory security standard delivered by the global card industry for the protection and securing of card payment data.

Retailers and all other parties in the payment chain that handle card payment information are responsible under these standards for the protection and storage of this information. For parties in the payment chain, such as retailers, who do not comply with PCI DSS standards there can be severe financial and reputational consequences.

PCI DSS provides an aligned approach to safeguarding sensitive data across all cards and meets the need for a streamlined set of requirements across the payment industry.

For more information about PCI DSS visit the websites below or talk to your acquirer.

  • PCI SSC
  • MasterCard
  • Visa