Getting Started

Essential and optional security measures for merchants.
Retailers must follow specific data security requirements in order to accept MasterCard cards. MasterCard Worldwide rules and recommendations apply to all transactions – whether they occur in a store, online, or over the phone.

Millions of dollars are lost each year due to fraudulent use of payment cards. You can help protect your business from this costly crime by:
  • Incorporating fraud prevention into employee training sessions
  • Posting fraud prevention reminders and materials near tills and in employee areas
  • Offering rewards or incentives for employees who prevent a fraudulent transaction
1. Be Fraud Savvy - Here are some common types of card fraud:
  • Altered/Counterfeit Cards. On an altered card, the name, expiry date, account number, and/or the magnetic stripe have been changed in some way. Counterfeit cards bear a valid account number. A valid card number may appear on the front of the card, in the magnetic stripe on the back of the card, or in both places.
  • Lost/Stolen Card. A card is stolen from the cardholder and used fraudulently to purchase goods or services from a legitimate merchant.
  • Mail Order/Phone Fraud. Someone other than the authorised cardholder obtains a MasterCard account number (often with the expiry date of the account and card validation code from the back of the card) and uses it to purchase goods or services by mail or by phone.
Whether you are starting to accept cards or just need a refresher on security procedures and best practices, the following list outlines steps, checklists and tools to help protect your business.
2. Be on the Lookout for Card Fraud
Each time a customer presents a magnetic stripe MasterCard card, your staff should go through the following checklist:
  • Check the embossed numbers on the front of the card. All MasterCard account numbers start with the number 5 (five). If an account number is embossed, the embossing should be clear and uniform in size and spacing, and extend into the hologram (if a hologram is on the card face). The last four digits of the account number on the front of the card should match the four digits printed on the signature panel on the reverse of the card. These numbers should not be chipped away. And no “halos” of previous numbers should appear under the embossed account number.
  • Examine the hologram. A MasterCard hologram is usually on the front of a MasterCard card, either above or below the MasterCard Brand Mark. But on some new card designs the hologram may be on the reverse of the card or integrated into the magnetic stripe on the back of the card. The three-dimensional hologram with interlocking globes should reflect light and appear to move when the front of the card is rotated.
  • Compare signatures. The back of the card must be signed, and the signature should reasonably compare to the cardholder signature on the sales receipt. Check to make sure that it has not been taped over, mutilated, erased or altered in any suspicious manner. The word “Void” on the signature panel indicates that the signature panel has been tampered with.
  • Look at the magnetic stripe. The magnetic stripe on the reverse of the card should appear smooth and straight, with no signs of tampering.
  • Examine the expiry date. The card should not be accepted after the last day of the “expires end” date embossed on the card. Merchant sales assistants must validate the card expiry date.
  • Become familiar with new card designs. MasterCard recently introduced a new card called MasterCard Unembossed. These cards may look different – they have no raised (embossed) numbers, so you cannot make a manual imprint – but the brand behind them is the same. Your business must have an electronic terminal to accept these cards.

    MasterCard has also introduced new card designs that permit the hologram to appear on the back of the card or integrated into the magnetic stripe on the reverse.
  • Is the customer using the card the actual cardholder? A MasterCard card is non-transferable. Check to see that the signature on the sales receipt matches the name on the front of the card. Also, be observant of the customer’s behaviour – does it seem normal, or does the person appear uneasy?
MasterCard also provides a quick reference card which can help you and your employees identify valid MasterCard cards.
If you notice any suspicious behaviour, you can ask for help. If an employee is at all suspicious about a card, call your Voice Authorisation Centre and request a Code 10 Operator. The Authorisation Centre will help you decide whether to complete the transaction.
3. Make Sure Your Systems Are Secure
The system in your store or business should comply with the following security requirements:
  • Safeguard cardholder PIN numbers. Cardholder personal identification numbers (PIN) are occasionally used to authenticate a customer’s identity during an ATM or point-of-service transaction. If your business requests a PIN from a customer, the PIN should be encrypted in accordance with published security standards. Merchants must never store PIN numbers.
  • Do not print full Primary Account Numbers on receipts. MasterCard requires retailers to truncate the Primary Account Number (PAN) on printed cardholder receipts. PAN truncation blocks out all but the last four digits of an account number. This security initiative reduces the possibility that a cardholder’s account number will end up in the wrong hands.
  • Store data properly. MasterCard requires issuers, acquirers, retailers and third party processors to comply with the Payment Card Industry (PCI) Data Security Standard. For more details, read the Merchant Letter for Securing Cardholder Information (PDF).
    Retailers can assess compliance with the PCI Data Security Standard using the MasterCard Site Data Protection Programme. This programme applies to merchants and service providers that process, transmit or store cardholder data. Through the network scanning requirement, MasterCard Site Data Protection is also designed to protect against the compromise of account data. Remember that your acquirer should be closely monitoring your compliance with the PCI Data Security Standard.
4. Stay Abreast of New Developments and Security Challenges.
MasterCard continues to develop new ways to protect your business. Stay up-to-date with the latest security programmes and techniques and payment card enhancements.
  • MasterCard® PayPass™. MasterCard PayPass adds an embedded radio frequency chip and antenna to MasterCard cards or new contactless devices. With MasterCard PayPass, consumers speed through checkout with a simple tap, rather than a swipe or a dip of their card. As MasterCard PayPass cards and devices never leave their hands, consumers have an added sense of security; advanced chip-based cryptography (CVC3) delivers another layer of security to make this fast and convenient payment a safe option as well.
  • Chip Technology. Payment cards containing chips are more powerful than traditional magnetic stripe cards because they contain tiny computers that make transactions safer. Chip technology also reduces the incidence of fraud by making cards more difficult to counterfeit. Although chip technology is widely used in some areas of the world, it is still emerging in other areas.
  • Making Remote Shopping More Secure. For online shoppers, MasterCard offers OneSMART® Authentication, a chip-based solution that uses a card reader to generate one-time passwords for highly secure shopping over the internet. The same approach can be used to secure mail or telephone order payments and remote banking transactions.