HSBC United Kingdom
Need help?

Business Internet Banking

Log on to Business Internet Banking

Find out more


HSBC Merchant Services – Card not present fraud

Card not present (CNP) fraud is perpetrated by telephone, mail order, fax or the internet and has seen a dramatic increase from £29.3m in 1999 to £290.5m in 2007. It is now the most prevalent category of fraud in the UK.

This figure is expected to continue to rise as fraud becomes more difficult to undertake in the face-to-face environment as a result of initiatives like chip and PIN. Nevertheless, the situation is likely to improve with an increasing number of retailers utilising initiatives such as AVS / CSC and Verified by Visa and MasterCard© SecureCode™.

How to reduce the risks associated with accepting a CNP payment

Ask yourself the following questions to help you identify potential fraud:

  • is the sale too easy?
  • why did the customer choose me when there are cheaper suppliers available?
  • is the value excessive compared to normal business?
  • is the cardholder buying several units of the same item?
  • are you delivering multiple orders to the same address?
  • if a transaction is declined, are you offered another card?
  • is the customer's address outside your normal catchment area?

How HSBC Merchant Services can help

HSBC Merchant Services' Secure ePayments service offers a simple, secure online payment solution for all CNP transactions, on-line, at the telephone or via mail order.

You can benefit from:

  • improved processing – you do not have to make telephone calls to gain authorisations for the transaction
  • reduced risk of chargebacks
  • improved security, including address verification (AVS/CSC response)
  • on-line reporting
  • multi-currency option
  • fraud controls (volume checking).

You may also want to:

  • employ address verification services
  • implement AVS/CVC checking systems
  • register and implement Verified by Visa and MasterCard Secure Code
  • avoid orders to overseas addresses unless you are absolutely satisfied that it is genuine
  • develop an internal database from chargeback history to identify problem card numbers/cardholder names/delivery addresses, etc
  • use the APACS CNP Guide
  • where possible, validate telephone numbers through Directory Enquiries and call the customer back to confirm the order
  • exercise caution with people only willing to provide mobile telephone numbers for contact
  • consider implementing a transaction "ceiling limit"
  • Utilise "Velocity" checking. E.g. How often would you expect the same card to be genuinely used through your site over a specified period? – Anything outside of these norms should be subject to additional scrutiny.

Finally, when delivering the goods you should:

  • always ask the courier to get signed proof of delivery
  • be wary of customer demands for next-day delivery or altering the delivery address at short notice
  • avoid delivering to addresses other than the cardholder's registered address – particularly hotels, temporary or multiple occupancy premises

If the customer first orders goods to be delivered but later calls back, advising he/she will now collect the goods – treat this with extreme caution. This is a common ploy used by criminals. Under these circumstances, the order must be treated as a face-to-face transaction. Merchants must follow card present procedures (cardholder and card should both be present) and carry out the necessary security checks.

NEVER release goods to a third party, such as a taxi driver.

Systems to fight Card-Not-Present Fraud

  • AVS/CSC (Address Verification Service and Card Security Code)

Since CNP merchants are unable to verify the card or the cardholder as neither is present in this environment, this system is available to authenticate the billing address of the cardholder and cross-check the unique security code on the reverse of the card (sometimes referred to as CVV or CV2).

All cards issued under the supervision of VISA, MasterCard and UK Maestro now have a three or four digit security code, which will only be found on the signature strip.

This information will not normally be available to the fraudster (typically they only have access to a receipt containing card details). These checks will give greater certainty that the caller is in possession of the card at the time of the transaction.

  • Verified by Visa and MasterCard Secure Code

Visa and MasterCard have introduced this service to improve confidence in internet transactions for both cardholders and merchants. Both services protect card details through the use of a secret password. Participating merchants register for the facility through their acquiring bank. Consumers must sign-up for the service with their Visa/MasterCard Card Issuer.

Reporting card fraud to the police

  • Regrettably, some retailers may still become victims of CNP fraud, despite following card processing guidelines and taking additional security measures. You should report all suspected fraud to the police.
  • The Police Fraud Report Form report is the preferred method for merchants to document CNP fraud to the Police. Please visit www.cardwatch.org.uk for copies of this form. The site also provides vital information and police guidelines on CNP fraud.
Personal Business
 

Legal information   |   Accessibility   |   About HSBC   |   Site map Issued for UK use only  |  © HSBC Bank plc 2002 - 2012