What is PCI-DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements created to ensure safe handling of sensitive information and to protect cardholder data.
Importance of Training

Your customers will:
• Appreciate your ability to reduce the threat of identity theft
• Trust you to complete transactions without creating duplicate or invalid charges
• Enjoy peace of mind, knowing that their credit card information is in good hands

The university:
• Takes pride in a skilled workforce
• Values your ability to build customer confidence
• Needs your help in limiting potential losses, fines and penalties
…and you:
• will have confidence in your ability to safely and efficiently do your job
• will recognize and evaluate key security features on valid cards
• will be alert to the warning signs of fraud
• will know that you can make informed decisions under pressure
Agenda
• UGA Credit Card Policy and Procedure
• Overview of PCI DSS
• Yearly Scans and Questionnaires
• What happens if a breach occurs
• Audits
• Changes and Revisions
• Guest Speakers
• Questions
Policy and Procedures
• Do NOT store, process or transmit credit card information on the UGA network
• Third-party application for any new or updated changes to credit card acceptance
• PCI Questionnaire and Scans
• Daily Batch Settlements (covering and cross-training in case of absences)
• Daily Transmittals and Reconciliations
• Retention policy
• Incident response
• Background checks

It is important to remember that any changes to how you accept credit cards must pass through the Bursar's Office. If you are looking into new software or a new vendor where credit card information will be accepted, we ask that you involve our office from the beginning. The reason is that it is not just the approval of the software but the entire process that we must ensure is in compliance.

PCI questionnaires and scans are very important. Every merchant is required to complete a yearly SAQ (self-assessment questionnaire). We will cover this in more detail later in the presentation.

Daily batch settlements must be completed every day. An important piece of this requirement is the cross-training of staff members to ensure this takes place in the absence of an employee.

Retention policy: due to recent chargeback activity this requirement is as important as ever. Our procedure states that “Daily sales totals, logs etc. substantiating revenue should be stored for 5 years in accordance with state record retention policies. Individual receipt slips and other documents with cardholder data should be stored in a locked filing cabinet or safe and only need to be retained for 12 months. At the time of disposal, all documents containing sensitive cardholder data should be shredded using a cross-cut shredder.”

Background checks: a background check is required of any employee hired to be involved with credit card processing. Please refer to Human Resources for the university's policy regarding background checks.
PCI

The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized:

Build and Maintain a Secure Network
• Requirement 1: Install and maintain a firewall configuration to protect cardholder data
• Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
• Requirement 3: Protect stored cardholder data
• Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
• Requirement 5: Use and regularly update anti-virus software
• Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
• Requirement 7: Restrict access to cardholder data by business need-to-know
• Requirement 8: Assign a unique ID to each person with computer access
• Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
• Requirement 10: Track and monitor all access to network resources and cardholder data
• Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy
• Requirement 12: Maintain a policy that addresses information security

The guiding principles of PCI are:
• Build and Maintain a Secure Network
• Protect Cardholder Data
• Maintain a Vulnerability Management Program
• Implement Strong Access Control Measures
• Regularly Monitor and Test Networks
• Maintain an Information Security Policy
Yearly Scans and Questionnaires

Annual Assessment Questionnaire
• Required of all merchants, regardless of level
• Self-Assessment or performed by a Qualified Security Assessor (QSA): A, B, C-VT, C, D

Security Vulnerability Scan (quarterly)
• Required for external-facing IP addresses, web applications, and POS software and databases on networks
• Applies even if there is a redirection link to a third party
• Must be performed by an Approved Scanning Vendor (ASV)

Validation is based on the level assigned to the merchant, which is based on transaction volume
• Visa and MasterCard schedules are different
• Visa's schedule is what most go by
Breaches 2012 – Business

Some well-publicized corporate breaches from 2012:

Zappos! (January): 24 million records including partial credit card numbers illegally accessed. Estimated direct cost: $46,560,000,000.00

Global Payments (February): 1.5 million card numbers and other information stolen in a security breach which reportedly occurred between Jan. 21 and Feb. Estimated direct cost: $291,000,000.00

Direct costs can include breach notification costs, lost productivity, and lost customer opportunity. Information used here is taken from several sources including the Open Security Foundation's datalossdb.org. The current cost per record, according to the latest U.S. Cost of a Data Breach report released in March 2011, is estimated to be $194.

Global Payments, an Atlanta credit card processing company, reported that "Track 2 card data may have been stolen." Track 2 data often includes the card number, the user's encrypted PIN and the three-digit security code on the back of the card. The banking industry considers the loss of such data serious, because it provides thieves with enough information to create counterfeit cards. Visa removed Global Payments from a list of credit-card processors that comply with security standards. Global Payments experienced a stock loss of 9% between the time the breach was announced and trading halted.
Schnucks Markets (March): 2.4 million credit and debit card numbers stolen. Estimated direct cost: $465,600,000.00

Wyndham Hotels (June): the FTC files a lawsuit against the hotel chain for failing to secure customer data. The chain was hacked three times in two years, resulting in the theft of more than 600,000 credit card numbers. Estimated direct cost: $11,640,000.00

Schnucks Markets stores are located in St. Louis and the Midwest; 79 out of 100 stores were affected. The computer forensic firm that Schnucks engaged (Mandiant) found evidence of computer code that would capture the magnetic stripe data on the back of payment cards.

The Wyndham credit card numbers were allegedly uploaded to servers in Russia, where they were reportedly used in more than $10.5 million in fraudulent transactions.
State of South Carolina (September): the SC Department of Revenue lost 6.4 million taxpayer records that included Social Security numbers, credit card numbers, and debit card numbers. Anyone filing an online tax return from 1998 to 2012 was potentially affected. Estimated direct cost: $12,416,000,000.00. This does not include tax credits being offered to those affected.
Breaches 2012 – Higher Education

University System of Maryland (January): 8,000 records of prospective students, some with credit card numbers, were found on a public server. Estimated direct cost: $1,552,000.00

Universities of Maine, Arkansas, and Rochester NY (May): 4,617 records stolen from the computer stores that serviced the campuses. Estimated direct cost total: $895,698.00
Breach Example 1

A Friday in September: an employee entering credit card information on a kiosk decides to check their email. Their inbox contains an email from a friend. The subject line reads “Still need tickets?” The message says “He needs to sale these!!! CHEAP!” It contains a link. The employee clicks the link and is taken to a website that has nothing to do with football tickets. They leave the site, but have already downloaded malicious software.

This employee could just as easily have clicked an ad, installed a coupon printer or a toolbar, or downloaded a bad app on Facebook. Sadly, this does happen.

How might you detect this breach? (pick one or two to mention)
• Unknown or unexpected outgoing Internet network traffic from the payment card environment
• Unknown or unexpected services and applications configured to launch automatically on system boot
• Unknown files, software and devices installed on systems
• Unexplained modification or deletion of data
• Anti-virus programs malfunctioning or becoming disabled for unknown reasons
• Authentication event log modifications (i.e., unexplained event logs are being deleted)
• Presence of a rootkit, which hides certain files and processes in, for example, Explorer, the Task Manager, and other tools or commands
• Systems rebooting or shutting down for unknown reasons
• Presence of archived/compressed files in system directories
• Hidden malicious code lurking in your registry keys
Breach Example 2

Over the weekend an attacker manages to spoof a trusted IP address and gain access to a payment card network. The attacker quickly runs through a list of known manufacturers' passwords and discovers that no one changed the password on a POS system. It is quick work for the attacker to introduce a backdoor to filter transaction details. It could be months or even years before the vulnerability is detected.

How might you detect this breach? (pick one or two to mention)
• Unknown or unexpected outgoing Internet network traffic from the payment card environment
• Unknown or unexpected network traffic
• Unknown files, software and devices installed on systems
• Excessive failed login attempts in system authentication and event logs
• Authentication event log modifications (i.e., unexplained event logs are being deleted)
• Suspicious after-hours file system activity (i.e., user login or after-hours activity to Point-of-Sale (POS) server)
• Unexplained new user accounts
Breach Example 3

While in a checkout line, a customer accidentally knocks over her handbag, scattering its contents on the floor behind and under the counter. While the cashier is distracted by helping the customer, a second person switches out the Point of Sale unit with an identical one set up to skim PINs and card information. Thousands of debit and credit card numbers are intercepted before a new POS is installed and the switch is discovered.

It takes less than a minute for a practiced thief to switch out an individual POS unit. This is usually a large-scale operation where thieves pretend to be from your processing company.

In 2012:
• Barnes & Noble disclosed that data thieves got away with installing corrupted checkout terminals in 63 bookstores in nine states. No information is available regarding data loss.
• Michaels Stores replaced more than 7,200 credit card terminals from store registers nationwide, after discovering that thieves had somehow modified or replaced machines to include point of sale (POS) technology capable of siphoning customer payment card data and PINs.

How might you detect this breach? (pick one or two to mention)
• Presence of unexpected IP addresses or routing
• Unexplained modification or deletion of data
• Vendor or third-party connections made to the cardholder environment without prior consent and/or a trouble ticket
• Authentication event log modifications (i.e., unexplained event logs are being deleted)
Breach Example 4

Strange traffic is logged on your payment card network over Christmas break. A physical sweep of the area where the kiosk is located reveals an unauthorized wireless access point in a nearby closet. One of the custodial staff reports an IT guy doing some work in the closet a few months ago. They were in there early in the morning, and that was memorable. No one on your staff fits the description given.

How might you detect this breach? (pick one or two to mention)
• Unknown or unexpected outgoing Internet network traffic from the payment card environment
• Presence of unexpected IP addresses or routing
• Unknown or unexpected network traffic
• Unknown or unexpected services and applications configured to launch automatically on system boot
• Unexplained modification or deletion of data
• Vendor or third-party connections made to the cardholder environment without prior consent and/or a trouble ticket
• SQL injection attempts or strange code in web server logs
• Suspicious after-hours file system activity (i.e., user login or after-hours activity to Point-of-Sale (POS) server)
• Presence of a rootkit, which hides certain files and processes in, for example, Explorer, the Task Manager, and other tools or commands
• Unexplained new user accounts
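Several of the indicators listed across the four breach examples (excessive failed logins, after-hours logins to a POS server, unexplained new accounts, unexpected outbound traffic from the payment card environment) can be checked mechanically against logs the environment already produces. The Python below is an added example written for this page, not part of the UGA presentation; the log format, host names, IP addresses and the processor allowlist are all constructed.

```python
"""Review a constructed payment-environment log for the breach indicators
named in the training examples. Log format, hosts and addresses are made
up for this example and are not from any real system."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp followed by key=value fields.
SAMPLE_LOG = """\
2012-09-14T10:05:00 host=pos-02 event=auth_ok user=cashier1 src=10.1.5.20
2012-09-14T10:06:00 host=pos-02 event=net_out dst=192.0.2.10 port=443
2012-09-15T02:13:05 host=pos-01 event=auth_fail user=admin src=10.1.5.9
2012-09-15T02:13:07 host=pos-01 event=auth_fail user=admin src=10.1.5.9
2012-09-15T02:13:09 host=pos-01 event=auth_fail user=admin src=10.1.5.9
2012-09-15T02:13:12 host=pos-01 event=auth_fail user=admin src=10.1.5.9
2012-09-15T02:13:15 host=pos-01 event=auth_fail user=admin src=10.1.5.9
2012-09-15T02:13:20 host=pos-01 event=auth_ok user=admin src=10.1.5.9
2012-09-15T02:40:00 host=pos-01 event=useradd user=svc_backup
2012-09-15T02:41:10 host=pos-01 event=net_out dst=203.0.113.45 port=443
"""

# Constructed allowlist: the processor's address is the only expected
# outbound destination from the payment card environment.
PROCESSOR_ALLOWLIST = {"192.0.2.10"}


def parse_line(line):
    """Turn 'TIMESTAMP k=v k=v ...' into a dict; the timestamp goes under 'ts'."""
    ts, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Excessive failed logins: `threshold` failures for one host/user pair
    inside a sliding time window. Reported once, when the count is reached."""
    findings, recent = [], defaultdict(list)
    for e in events:
        if e.get("event") != "auth_fail":
            continue
        times = recent[(e["host"], e["user"])]
        times.append(e["ts"])
        while times and e["ts"] - times[0] > window:   # expire old failures
            times.pop(0)
        if len(times) == threshold:
            findings.append(("failed_login_burst", e["host"], e["user"]))
    return findings


def after_hours_logins(events, open_hour=7, close_hour=19):
    """Successful logins outside business hours (hours are constructed)."""
    return [("after_hours_login", e["host"], e["user"])
            for e in events
            if e.get("event") == "auth_ok"
            and not open_hour <= e["ts"].hour < close_hour]


def new_accounts(events):
    """Every account creation is worth a second look on a POS host."""
    return [("new_account", e["host"], e["user"])
            for e in events if e.get("event") == "useradd"]


def unexpected_outbound(events, allowlist):
    """Outbound connections to any destination not on the allowlist."""
    return [("unexpected_outbound", e["host"], e["dst"])
            for e in events
            if e.get("event") == "net_out" and e["dst"] not in allowlist]


def review(text, allowlist=PROCESSOR_ALLOWLIST):
    """Run every check and return the findings as (kind, host, detail)."""
    events = parse_log(text)
    findings = []
    for check in (failed_login_bursts, after_hours_logins, new_accounts):
        findings += check(events)
    findings += unexpected_outbound(events, allowlist)
    return findings


if __name__ == "__main__":
    for kind, host, detail in review(SAMPLE_LOG):
        print(f"{kind:20} {host:8} {detail}")
```

On the constructed log the review reports one finding of each kind, all on pos-01, which is the pattern the second breach example describes: a password-guessing burst, a login at 2 a.m., a new account and a connection to an address that is not the processor.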
What is a Compromise or Incident?

A compromise or incident is the loss of information confidentiality, integrity or availability, or a violation of computer policy or law.

• Malicious Code: a virus, worm, Trojan horse, or other malicious code that infects a computer
• Inappropriate Usage: a person violates computing use policies or laws
• Unauthorized Access: a person gains logical or physical access to a network, system, application, data, or other resource without permission
• Theft: of data or devices
• Denial of Service (DoS): an attack that prevents legitimate users from accessing information or services

Malicious code can be picked up in various ways: through spoofing, phishing, malicious ads, or infected QR codes, as well as insertion by attackers. Inappropriate usage: surfing the web on a designated kiosk. Unauthorized access: spoofed IPs, someone forgot to change the default password on some equipment or software, a break-in, or theft of a device. DoS: an attacker floods the server with requests and no one can get through.
Immediate Response

Should you become aware that any cardholder data was subject to compromise, alert the following IMMEDIATELY:
• UGA Office of Information Security
• UGA Bursar's Office

Immediately work with the Office of Information Security to limit the exposure. The Bursar's Office will work with you and the credit card processor regarding the appropriate response to them as well as to the customers impacted.
Security Incident Reporting

Contacting Information Security
• Call the EITS Help Desk. Phone: (press 2)
• If you cannot get assistance by calling the EITS Help Desk, you can report incidents by email
• If there is a criminal violation, notify UGA Police

The Role of Information Security
• Assess the situation and extent of loss
• Collaborate on a remediation plan
• Legal and policy compliance

Please be prepared to provide details and contact information. Please be aware that response times may be slower for incidents reported via email. Once they are aware of the situation, Infosec will assemble an incident response team to help you investigate. Do not attempt to investigate or remediate on your own.
Compromised System Response
• Do not access or alter compromised systems
• Do not turn the compromised machine off
• Isolate compromised systems from the network
• Preserve logs and electronic evidence
• Log all actions taken
• Be on high alert and monitor all systems

Once again: do not attempt to remediate on your own. Leave the machine powered up. Remove the system from the network by unplugging the network cable or disconnecting from PAWS. Write down all the steps taken; document your response: when the compromise was reported, how it was reported, etc.
Aftermath

The Bursar's Office will:
• Provide all compromised accounts to the merchant services provider and to any other agency/company as instructed by the merchant services provider and/or card associations
• Provide an Incident Response Report document to each Card Association (within the timeframe they specify)
• If required by the card associations, undergo an independent forensic investigation
• Assist in notifying the 3rd-party vendor if this is applicable
• Contact its merchant services provider

The merchant services provider will assist the Bursar's Office in contacting each Card Association's Fraud Control Group and the local office of the Secret Service. The Bursar's Office should also contact the University's Legal Affairs Office and Internal Audit at this time.
Changes and Revisions

Update to UGA procedure: all Point-of-Sale terminals that use a wired connection must do so over a Centrex analog line. The UGA Office of Telephone Services can be consulted should you have any questions on a connection, new or existing.

WARNING: NEVER ALLOW ANYONE TO INSPECT, PROGRAM OR REMOVE YOUR TERMINAL UNLESS YOU HAVE OBTAINED AUTHORIZATION FROM THE CREDIT CARD OFFICE.

VISA and Card Industry Updates: Technology Innovation Program
Effective October 1, 2012, Visa will expand the Technology Innovation Program (TIP) to the U.S. TIP will eliminate the requirement that eligible merchants annually validate their compliance with the PCI DSS for any year in which at least 75 percent of the merchant's Visa transactions originate from dual-interface EMV chip-enabled terminals, in addition to meeting other qualification criteria.
Interchange & Market Trends of Card Processing
University of Georgia
Presenter: Susan Peek, First Data
April 25, 2013
Credit Card Transaction: Process Flow

[Figure: process flow diagram showing the Consumer (Cardholder), Merchant, Issuing Bank, Acquiring Processor and Associations]
Participants in the Credit Card Cycle

Customers expect to pay for goods and services just as producers expect to be paid for the goods and services they provide.

Consumers
• Desire to purchase goods and services without making an immediate cash disbursement.

Merchants
• Want to provide customers with the broadest range of payment options possible with the minimum investment.
• Need the payment process to be as simple and fast as possible.

Issuing Banks
• Desire to offer a broad range of financial services to consumers.
• Want to charge an annual fee for issuing the card and interest on the credit card balance.

Associations
• Want to offer a broad range of payment options to consumers.
• Need to cover the cost of processing and the risk associated with the transaction.
• They are required to compensate the issuing bank with the proceeds of the interchange fee.

Acquiring Processor
• Desires to provide merchants with the maximum range of payment options with minimum investment.
• Needs to make a profit on the transactions processed.
What is Interchange?

Interchange is a fee charged to merchants for the service of accepting Association-branded cards as payment for purchases made by customers.

Interchange is set by the Card Associations
• The interchange fees are determined by the Associations based on a specific set of rules published by each entity
• Interchange rate schedules can change at any time
• Changes generally take place in the fall and spring of each year

Charged by the Acquiring Processor
• First Data/SunTrust Merchant Services

Paid to the Issuing Bank
• Examples: Wells Fargo, Chase, Bank of America, etc.
Components of the Interchange Fee

The interchange fees charged by the Associations (Visa, MasterCard, and other entities) are composed of two basic parts:
• a percentage (%)
• a flat transaction fee ($0.00)

An example: a student pays lab fees with a total cost of $50.00 using a Visa card. A typical interchange fee for this transaction under a university industry code would be 1.43% plus a transaction charge of $0.05. Visa would charge the Acquirer (First Data) a total of $0.765, or $0.77 when rounded up:

$50.00 x 1.43% = $0.715
$0.715 + $0.05 = $0.765, or $0.77 rounded up

Other fees charged to the merchant include:
• Card Association fees, including the Assessment Fee and the Access Fee
• Acquiring Processor fees, which may include a per-transaction processing fee
Key Interchange Terminology

Interchange Program: a specific classification set by an Association with a given rate, qualifications and rules for downgrades.
Example: Visa's CPS Retail 2 (Emerging Market)

Qualifications: the specific conditions required by an Association to be able to use a given Interchange Program.
Example: Visa's CPS Retail 2 requires (among other things) 2-day settlement

Downgrades: the act of substituting a more expensive Interchange Program (and rate) when a specific qualification is not met.
Example: Visa's CPS Retail 2 becomes EIRF if settlement occurs within 3 days; otherwise, it becomes Standard. A transaction must meet the qualifications of the downgraded program or it will be downgraded again.
Interchange Fee Qualification Factors

Card type used by the customer for payment
Example: Consumer Card, Rewards Card, Business Card, Commercial Card, Purchasing Card

Payment channel used to accept payment
Example: In person (face-to-face), hand keyed, online

Merchant Category Code (MCC) of the accepting merchant
Example: Government and higher education generally qualify for a lower interchange rate than retail stores

Timeliness of settlement
Example: The best interchange rate may require 2-day settlement from the date of authorization
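The fee arithmetic from the Components slide and the settlement-timeliness downgrade rule from the terminology slide can be combined into one calculation. The Python below is an added example, not First Data's or Visa's code: the CPS Retail 2 rate (1.43% plus $0.05) follows the $50.00 lab-fee example, while the EIRF and Standard rates are placeholders invented for this example, and the day thresholds are the settlement rules as stated on the slides (2-day settlement to qualify, day 3 to EIRF, later to Standard).

```python
"""Interchange qualification and fee calculation (added example).

The CPS Retail 2 rate reproduces the slides' $50.00 example; the EIRF and
Standard rates are placeholders, not Visa's published schedule."""
from decimal import Decimal, ROUND_HALF_UP

# Constructed rate table: program -> (percentage, flat per-transaction fee).
PROGRAMS = {
    "CPS Retail 2": (Decimal("0.0143"), Decimal("0.05")),  # from the slide
    "EIRF": (Decimal("0.0230"), Decimal("0.10")),          # placeholder
    "Standard": (Decimal("0.0270"), Decimal("0.10")),      # placeholder
}
CENT = Decimal("0.01")


def qualify(settlement_days):
    """Downgrade rule from the terminology slide: CPS Retail 2 needs
    settlement within 2 days of authorization, day 3 downgrades to EIRF,
    and anything later falls to Standard."""
    if settlement_days < 0:
        raise ValueError("settlement cannot precede authorization")
    if settlement_days <= 2:
        return "CPS Retail 2"
    if settlement_days == 3:
        return "EIRF"
    return "Standard"


def to_money(amount):
    """Accept str, int or Decimal and return an exact Decimal dollar amount.
    Decimal is deliberate: a binary float may hold 0.765 as slightly less
    than 0.765 and round it down to 0.76 instead of the slide's 0.77."""
    return Decimal(str(amount))


def interchange_fee(amount, program):
    """Return (exact fee, fee rounded half-up to the cent) for one sale."""
    pct, flat = PROGRAMS[program]
    exact = to_money(amount) * pct + flat
    return exact, exact.quantize(CENT, rounding=ROUND_HALF_UP)


def settle(amount, settlement_days):
    """Qualify a transaction by its settlement delay and price it."""
    program = qualify(settlement_days)
    exact, rounded = interchange_fee(amount, program)
    return program, exact, rounded


if __name__ == "__main__":
    for days in (2, 3, 5):
        program, exact, rounded = settle("50.00", days)
        print(f"settled in {days} days -> {program}: ${exact} (${rounded})")
```

The same $50.00 sale costs more the later it settles, which is the point of the "timeliness of settlement" factor above.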
Prepaid Card Acceptance
• Prepaid card acceptance is the same as any other type of credit card acceptance as long as the prepaid card presented has a card brand logo on the front of the card, such as a Visa, MasterCard, American Express or Discover Card logo.
• Card-branded prepaid cards run through your point of sale device or solution just as any other credit card transaction, so there is no need for a different point of sale device.
• Prepaid cards generally qualify at a higher interchange rate than consumer credit cards. Their interchange qualification rate is much like other special cards such as the rewards, business, corporate and purchasing cards.
• Prepaid cards may be considered a higher-risk card, particularly for card-not-present transactions and mostly for high-fraud industry type merchants. Universities are generally not considered high-fraud merchants.
• Fraud protection for prepaid cards is the same as for other payment cards. Use of fraud protection tools like collecting the Card Verification Value (CVV and CVV2) or using Address Verification Services (AVS), particularly for card-not-present transactions, is considered a best practice for all card types.
Industry & Market Trends

What is changing?
• Convergence of online and offline commerce
• Increased security threats
• Increased levels of regulatory change
• Changing technologies
• Consumer expectations are rising
• New emerging shopping behaviors

What are the changes taking place in the credit card industry? With the technology available today we are seeing a dramatic increase in the convergence of online and offline commerce. Customers want to have a choice in how they shop and how they pay: in person, online, via their mobile devices. With this increase in online commerce particularly comes an increase in security threats. Many merchants are finding that being PCI compliant is not enough protection against security threats. Encryption and tokenization, which we will discuss later in the presentation, are now the standard recommendation against credit card fraud. PCI compliance regulations are becoming increasingly stringent to protect cardholder information, and meeting these regulations can be expensive and time consuming.
Industry & Market Trends

Today's card processing environment is much more sophisticated and complex than just swiping a card at the point of sale.
Example: ecommerce, mobile payments, gateways (APIs and hosted pages)

Consumers are increasingly expecting an integrated buying experience that is personalized, secure, and smart.
Example: Offers sent via smart devices based on buying habits or current location

Today's customer wants to pay whenever and wherever they want and expects to be able to do so.
Example: in person, online, via smart device, wireless or stand-alone terminal

Merchants need to be ready to provide the payment types and payment channels their customers want to use while meeting compliance regulations and protecting against fraud.
Example: Alternative payment types (PayPal, Google Pay), mobile commerce, EMV chip cards

Processing today often includes using gateways and third-party vendors to collect and store credit card data. Interfacing with front-end software can also be a factor. Mobile commerce is here and merchants need to be ready. is also often time
American Express and The University of Georgia
2013 Credit Card Conference
April 25, 2013
American Express Overview

A variety of different charge, credit and prepaid products to meet the needs of our customers:
• Co-branded cards: Costco, Delta SkyMiles, Hilton, Starwood, JetBlue, Dillard's, and others
• Consumer and business cards via other issuers: Bank of America, Citi, etc.
• Charge cards
• Corporate and small business cards
• Purchasing cards
• “Cash-back” cards
• Prepaid, gift, stored-value, reloadable cards
• And one of our newest offerings…
Accepting an American Express Prepaid Card
• All American Express Prepaid Cards show the American Express “Blue Box” logo either on the face or the back of the Prepaid Card. Prepaid Cards may or may not be embossed.
• Most Prepaid Cards can be used for both in-store and online purchases.
• Prepaid Cards are valid through the date on the Card.
• Simply swipe the Card at the point of sale just like any other Card.
• A Prepaid Card must be tendered for an amount that is no greater than the funds available on the Card.
• Because Prepaid Cards are pre-funded, if you receive a Decline when seeking Authorization, ask the customer to call the toll-free number on the back of the Card to confirm that the purchase price does not exceed the available funds on the Prepaid Card.
• If the Prepaid Card does not have enough funds to cover the purchase price, process a Split Tender Transaction or request an alternative form of payment.
• You must create a Charge Record for a Prepaid Card as you would for any other Card.
The Basics of Offering American Express as a Customer Payment Option

Current cost of accepting American Express Cards
• One “all-in” Discount Rate for charge/credit card transactions = 2.15%
• Same rate for all charge/credit card transaction types (Rewards Cards, Business Cards, etc.) and all acceptance methods (online, mail, in-person, etc.)
• No additional fees charged by American Express!!!
• 1.65% for AXP Prepaid Card transactions

Other
• No additional equipment needed
• Complimentary AXP-only or multi-card decals, plaques, and other point-of-purchase items
Solutions to Help Reduce Inquiries and Chargebacks

Inquiries are expensive for all parties involved. Follow these general steps and you may avoid unnecessary Inquiries and Chargebacks:
• Keep track of all Charge Records.
• Issue Credits immediately after determining that Credit is due.
• Disclose all terms and conditions of your sale/return/exchange/cancellation policies at the point of sale, on all Charge Records and customer receipts, and on your website.
• Contact your Processor or us to make sure the name that you provide to us in your Submission matches your business name.
• Submit Charges only after goods have been shipped or services have been provided.
• Advise Cardmembers when goods or services will be delivered or completed, and always advise the Cardmember of any delays.
• Obtain a Cardmember's signature whenever completing a service or work order.
Solutions to Help Reduce Inquiries and Chargebacks: Card-Not-Present

Obtain the following from the customer:
• Signature on fax order forms
• Card Number
• Expiration Date
• Card Identification Number (CID): this is a 4-digit number on the front of the card for American Express Cards, and a 3-digit number on the back of other cards
• Name as it appears on the Card
• Billing Address for the Card, for Automatic Address Verification
• Authorization / Approval Code (very important!)
• [phone number] is the number to call to get approval codes for American Express transactions
• Write down the approval code
• Enter the approval code when keying in the Card number and other information into the terminal

Optional: you can also ask customers to include a copy of the front and back of their Card if they FAX in their order; however, I understand that you may not want to maintain this type of information.
Recommendations to Help Reduce Customer Disputes

Customer statement descriptor
• Ensure that the descriptor of the charge that the customer will see on their card statement is as specific to the charge as possible (e.g. Utility Payment).
• The descriptor that appears on an American Express Cardmember's statement is driven by what is in “Data Field 20 – Merchant Contact Information” (40 bytes of alphanumeric information allowed) that we receive in the Financial Settlement File from your processor.
• State at the point of sale how the charge will appear on the customer's statement (Example: “This charge will appear on your statement as Utility Payment”).
• Add a phone number to the descriptor on the customer's statement. Sometimes a quick call to an in-house merchant will completely clear up a matter of confusion and completely eliminate a dispute.
• Ensure terms and conditions (and refund/cancellation policies, if applicable) are highlighted at the point of sale, and have the customer agree, such as by checking a box, to the acceptance of the terms and conditions.
Help Reduce Counterfeit and Card-Not-Present Fraud

The Card Identification Number (CID) fraud reduction tool is designed to ensure Cards that are manually keyed and/or swiped have not been altered or counterfeited.

Card Identification Digit
• Helps reduce counterfeit card fraud by validating the CID number
• Helps combat Internet and mail/phone order fraud
• Lowers costs associated with chargebacks and fraud investigations
Automatic Address Verification

The Automatic Address Verification (AAV) service can help you reduce fraudulent charges. When you submit the Cardmember's billing address and zip code, the issuer will verify that the information provided matches the billing information on file for the account.

Automatic Address Verification
• Helps reduce card-not-present Card fraud by validating the address provided
• Helps combat Internet and mail/phone order fraud with an effective solution
• Lowers costs associated with chargebacks and fraud investigations