Security must-do’s and can-do’s for merchants.
Retailers must follow specific data security requirements in order to accept MasterCard cards. MasterCard Worldwide rules and recommendations apply to all transactions—whether they occur in a store, online, or over the phone.
Millions of dollars are lost each year due to fraudulent use of payment cards. You can help protect your business from this costly crime by:
- Incorporating fraud prevention into employee training sessions
- Posting fraud prevention reminders and materials near registers and in employee areas
- Offering rewards or incentives for employees who prevent a fraudulent transaction
1. Be Fraud Savvy
Following are descriptions of different types of card fraud:
- Altered/Counterfeit Cards. On an altered card, the name, expiration date, account number, and/or the magnetic stripe have been changed in some way. Counterfeit cards are "fake" manufactured cards that bear a valid account number. A valid card number may appear on the front of the card, in the magnetic stripe on the back of the card, or in both places.
- Lost/Stolen Card. A card is stolen from the cardholder and used fraudulently to purchase goods or services from a legitimate merchant.
- Mail Order/Phone Fraud. Someone other than the authorized cardholder obtains a MasterCard account number (often with the expiration date of the account and card validation code from the back of the card) and uses it to purchase goods or services by mail or by phone.
Whether you are starting to accept cards or just need a refresher on security procedures and best practices, the following list outlines steps, checklists, and tools to help protect your business.
2. Be on the Lookout for Card Fraud.
Each time a customer presents a MasterCard card, your staff should go through the following checklist:
- Check the embossed numbers on the front of the card. All MasterCard account numbers start with the number 5 (five). If an account number is embossed, the embossing should be clear and uniform in size and spacing, and extend into the hologram (if a hologram is on the card face). The last four digits of the account number on the front of the card should match the four digits printed on the signature panel on the back of the card. These numbers should not be chipped away. And no “halos” of previous numbers should appear under the embossed account number.
- Examine the hologram. A MasterCard hologram is usually on the front of a MasterCard card either above or below the MasterCard Brand Mark. But on some new card designs the hologram may be on the back of the card or integrated into the magnetic stripe on the back of the card. The three-dimensional hologram with interlocking globes should reflect light and appear to move when the front of the card is rotated.
- Compare signatures. The back of the card must be signed, and the signature should reasonably compare to the cardholder signature on the sales receipt. Check to be sure that it has not been taped over, mutilated, erased or altered in any suspicious manner. The word “Void” on the signature panel indicates that the signature panel has been tampered with.
- Look at the magnetic stripe. The magnetic stripe on the back of the card should appear smooth and straight, with no signs of tampering.
- Examine the expiration date. The card should not be accepted after the last day of the “valid through” date embossed on the card. Merchant clerks must validate the card expiration date.
- Become familiar with new card designs. MasterCard recently introduced a new card called MasterCard Unembossed. These cards may look different—they have no raised (embossed) numbers, so you cannot make a manual imprint—but the brand behind them is the same. Your business must have an electronic terminal to accept these cards.
MasterCard also has introduced new card designs that permit the hologram to appear on the back of the card or integrated into the magnetic stripe on the back of the card.
- Is the customer using the card the actual cardholder? A MasterCard card is non-transferable. Check to see that the signature on the sales receipt matches the name on the front of the card. Also, be observant of the customer’s behavior—does it seem normal, or does the person appear uneasy?
MasterCard also provides a quick reference card which can help you and your employees identify valid MasterCard cards.
If any suspicious behaviors occur, you can ask for help. If an employee is at all suspicious about a card, call your Voice Authorization Center and request a Code 10 Operator. The Authorization Center will help you decide whether to complete the transaction.
3. Make Sure Your Systems Are Secure.
The system in your store or business should comply with the following security requirements:
- Safeguard cardholder PIN numbers. Cardholder personal identification numbers (PIN) are occasionally used to "authenticate" a customer’s identity during an ATM or point-of-service transaction. If your business requests a PIN from a customer, the PIN should be encrypted in accordance with published security standards. Merchants must never store PIN numbers.
- Do not print full Primary Account Numbers on receipts. MasterCard requires retailers to truncate the Primary Account Number (PAN) on printed cardholder receipts. PAN truncation blocks out all but the last four digits of an account number. This security initiative reduces the possibility that a cardholder’s account number will end up in the wrong hands.
- Store data properly. MasterCard requires issuers, acquirers, retailers, and third party processors to comply with the Payment Card Industry (PCI) Data Security Standard. For more details, read the Merchant Letter for Securing Cardholder Information.
Retailers can assess compliance with the PCI Data Security Standard using the MasterCard Site Data Protection™ Program. This program applies to merchants and service providers that process, transmit or store cardholder data. Through the network scanning requirement, MasterCard Site Data Protection is also designed to protect against the compromise of account data. Remember that your acquirer should be closely monitoring your compliance with the PCI Data Security Standard.
Learn More About the MasterCard Site Data Protection Program and PCI Data Security Standard
4. Stay Abreast of New Developments and Security Challenges.
MasterCard continues to develop new ways to protect your bottom line. Stay up-to-date on the latest security programs and techniques. You also need to stay abreast of payment card enhancements, such as the following.
- Quick Payment Service (QPS)
Consumers are using cash less often than they did five years ago (60% of consumers polled carry less than $20 in their wallet). To make the "go cashless" trend work for merchants, even for low value payments, we have introduced the MasterCard Quick Payment Service. For purchases under $25, signatures are no longer required by qualified merchants (to preserve chargeback rights). This added customer convenience shaves time at the point-of-sale. Shorter lines and increased efficiency at the checkout counter are likely to result in greater sales, without increasing costs for security. If your business depends on moving customers quickly through check-out, you can benefit from QPS.
- MasterCard PayPass®
MasterCard PayPass adds an embedded radio frequency chip and antenna to MasterCard cards or new contactless devices. With MasterCard PayPass, consumers speed through check-out with a simple tap, rather than a swipe or a dip of their card. When combined with the MasterCard QPS program, no signature is necessary for many purchases under $25, so consumers just Tap & Go™! As MasterCard PayPass cards and devices never leave their hands, consumers have an added sense of security; advanced chip-based cryptography (CVC3) delivers another layer of security to make this fast and convenient payment a safe option as well.
- Chip Technology
Payment cards containing chips are more powerful than traditional magnetic stripe cards because they contain tiny computers that make transactions safer. Chip technology also reduces the incidence of fraud by making cards more difficult to counterfeit. Although chip technology is widely used in some areas of the world, it is still emerging in other areas.
- Internet Protocols (IP) and Wireless technologies
IP communications and wireless technologies are revolutionizing the Point of Sale (POS). They provide fast, flexible and low-cost solutions to connect standalone POS terminals to networks and acquirers. However, IP-enabled or wireless-enabled standalone POS terminals are exposed to the attacks perpetrated by the same hackers that plague the Internet.
Learn More About the Security Initiatives for Wireless and IP Enabled POS Terminals
Making Remote Shopping More Secure
For online shoppers, MasterCard offers OneSmart® Authentication, a chip-based solution that uses a card reader to generate one-time passwords for highly secure shopping over the Internet. The same approach can be used to secure mail or telephone order payments and remote banking transactions.