- Strengthen your online store's identity. This raises consumer trust and increases your chances of being contacted:
- Provide clear and accurate information about your company;
- Publish your confidentiality/privacy policies;
- Certify your online store and offer customers an encrypted connection.
- Offer complete information about the products/services in your online store. Make it easy for your customers to buy.
- Provide customer support lines. Make it easy to contact you.
- Help customers find their way around the site. Make browsing easy, and don't forget potential customers who are visiting for the first time.
- Tidy your store "shelves". Make it easy to find products/services.
- Identify the questions your customers ask most often (FAQ) and provide the answers.
- Give information about your distribution channels. Remember that the sale is not complete when the online purchase is made on the site.
- Explain clearly how your store delivers. If you don't, you may be sending customers to the competition.
- Simplify the logistics of delivering your products. Communicate clearly the delivery times your store offers.
- Invest in the relationship with your customers. Get to know them as well as possible so you can sell even better:
- Provide a suggestion box;
- Offer newsletter subscriptions;
- Provide news about your products/services;
- Answer questions and give information about your products/services;
- Collect opinions and run polls;
- Provide distribution lists and reduce the average time your store takes to respond to requests from potential customers.
- Find business opportunities.
- Get to know your consumers.
In online or remote sales, your employees and/or computer systems must be prepared to recognise suspicious orders. Our experience shows that frauds share certain common characteristics. If a transaction shows one or more of the following indicators, it may be a sign of increased risk:
- First-time customer. The risk of fraud is lower when you are dealing with regular customers;
- Large orders. Orders that include several units of the same article;
- Suspicious card combinations;
- Transactions performed with cards that have similar numbers;
- Orders shipped to the same address but paid for with several cards;
- Multiple transactions performed with a single card in a short period of time;
- Multiple transactions performed with several cards and different delivery addresses;
- A single transaction that the customer wants to pay for with several cards;
- Hesitation. Be wary of customers who hesitate or seem uncomfortable giving personal data;
- Sudden or rushed orders, and orders with an urgent delivery request. These last-minute orders are characteristic of "hit and run" fraud schemes that aim to obtain goods for quick resale;
- Random orders.
In online sales, the following procedures will help reduce the risk of fraud:
Implement fraud detection systems to identify high-risk transactions or transaction patterns.
Do not accept transactions with high-risk characteristics, such as:
- Transactions that exceed your store's normal sales pattern;
- Orders to high-risk addresses, such as PO boxes, prisons or hospitals.
Check carefully orders made with several cards or with cards that have sequential numbers, as this may be evidence of fraudulent activity.
Be alert to international transactions.
Assess the risk based on the type of goods, the amount of the transaction, the country where the card was issued and the country to which the goods must be shipped.
Check whether the order contains suspicious or unusual names or spelling errors.
If the situation is suspicious, contact our support line on 21 313 29 00.
In face-to-face sales, REDUNIQ may contact the store so that it can retain a card when misuse is suspected during payment for a purchase.
For online sales, we advise you to follow these procedures to reduce fraud:
- Always obtain authorisation for all purchase orders. The authorisation shows whether the card is valid, under what conditions it may be used and whether it has enough balance for the transaction. Always obtain the security code associated with the customer's card (CVV2/CVC2);
- Keep a record of the purchases made by each customer. Fraud is less likely when you have a regular business relationship with the customer (longer than 6 months);
- Set and review a maximum amount for each customer, and track the frequency of transactions performed by the same customer;
- Keep records of the delivery addresses used by each customer; if the goods are of high value, confirm the purchase with the customer;
- Keep a list of returns or complaints indexed by delivery address;
- When a return is requested, refund it to the card that performed the transaction whenever possible, and if you receive orders by fax, mail or telephone, always ask for the customer's signature on the order form.
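As an added example (not REDUNIQ's code or system), the following Python replays a constructed batch of orders through rule checks that mirror the risk indicators listed earlier and the per-card and per-address records this section asks merchants to keep. All field names and thresholds are assumptions to be tuned to the store's normal sales pattern, and the orders are fabricated test data.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# card is the masked PAN a merchant may keep (first 6 + last 4), e.g. "411111******1234"
# (assumed format); urgent marks an express / last-minute delivery request.
Order = namedtuple("Order", "oid card qty_same_item ship_addr when urgent")

def risk_flags(order, history, window=timedelta(hours=1), max_prior_card_tx=1,
               max_cards_per_addr=2, bulk_qty=5):
    """Indicators from the list above triggered by `order`, given earlier orders in `history`.
    Thresholds are assumed example values; tune them to the store's normal sales pattern."""
    flags = []
    if order.qty_same_item >= bulk_qty:       # several units of the same article
        flags.append("bulk_same_item")
    if order.urgent:                          # "hit and run" urgency
        flags.append("urgent_delivery")
    # Several transactions with one card within a short period
    recent = [h for h in history
              if h.card == order.card and timedelta(0) <= order.when - h.when <= window]
    if len(recent) >= max_prior_card_tx:
        flags.append("card_velocity")
    # Several different cards shipping to the same address
    cards_here = {h.card for h in history if h.ship_addr == order.ship_addr} | {order.card}
    if len(cards_here) > max_cards_per_addr:
        flags.append("many_cards_one_address")
    # Cards with near-sequential numbers: same BIN and last four digits within 2 of an earlier card
    bin_, last4 = order.card[:6], int(order.card[-4:])
    if any(h.card[:6] == bin_ and h.card != order.card and abs(int(h.card[-4:]) - last4) <= 2
           for h in history):
        flags.append("similar_card_numbers")
    return flags

def review_queue(orders, min_flags=2):
    """Replay orders in time order; return {oid: flags} for orders to hold for manual review."""
    history, queue = [], {}
    for o in sorted(orders, key=lambda x: x.when):
        if len(flags := risk_flags(o, history)) >= min_flags:
            queue[o.oid] = flags
        history.append(o)
    return queue

# Constructed sample orders (not real data); T0 is an arbitrary timestamp.
T0 = datetime(2024, 3, 1, 10, 0)
SAMPLE = [
    Order("o1", "411111******1234", 1, "Rua A 1, Lisboa", T0, False),
    Order("o2", "411111******1235", 6, "Rua B 2, Lisboa", T0 + timedelta(minutes=5), True),
    Order("o3", "510000******7777", 1, "Rua B 2, Lisboa", T0 + timedelta(minutes=8), False),
    Order("o4", "411111******1235", 6, "Rua B 2, Lisboa", T0 + timedelta(minutes=12), True),
    Order("o5", "340000******9999", 1, "Rua B 2, Lisboa", T0 + timedelta(minutes=15), False),
]
```

Orders held by `review_queue` are candidates for the manual confirmation steps described above (calling the customer, checking the delivery address history), not automatic rejections.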
For face-to-face sales, we recommend that you follow these guidelines:
- Ensure your customers enter their security code (PIN) away from prying eyes;
- Make your employees aware that they must follow the bank-card security rules when dealing with customers;
- Always check the card's expiry date;
- Always check the condition of the card;
- Always read the messages on the terminal carefully;
- Keep the invoices in a safe place;
- As an additional safeguard, if you have doubts or suspicions about the identity of the card user, ask for a valid identification document to confirm it;
- Never look away from the terminal, and always check that the details on the receipt are correct (amount, date and time of the transaction, etc.).
REDUNIQ never contacts merchants to ask for their customers' bank details, debit/credit card numbers or any other identification data of cardholders.
REDUNIQ never gives the merchant an authorisation code to use before the merchant submits the transaction or authorisation request with the customer's card, because that code only exists after the merchant submits the transaction.
Whenever there are doubts about the identity or legitimacy of a person contacting the merchant on behalf of REDUNIQ, contact the Unicre Service Centre, which operates 24/7, on 213 132 900.
Other procedures may also help reduce fraud.
Every merchant must comply with the PCI security requirements.
To determine which level of certification to carry out, each merchant must consult, at www.pcisecuritystandards.org, the validation requirements mandatory for its merchant category.
Each category is determined by combining the merchant's number of annual transactions, the acceptance channel in which the transactions occur and the merchant's level of risk.
The validation requirements, and the proof of compliance subsequently required, vary according to the risk level into which the merchant falls.
| Level | Criterion | Proof of compliance |
|---|---|---|
| 1 | | AOC (Attestation of Compliance) |
| 2 | Merchants that perform between 1 and 6 million transactions per year, regardless of acceptance channel | |
| 3 | Merchants that perform between 20 thousand and 1 million e-commerce transactions per year | |
| 4 | E-commerce merchants that perform fewer than 20 thousand transactions per year | |
PCI certification may be carried out either by a Qualified Security Assessor (QSA), a security consultant certified by the international payment systems, or by an Internal Security Assessor (ISA), an internal security auditor of the merchant who has completed the ISA training programme developed according to PCI Council criteria.
For more information about PCI DSS, see the websites of the following entities:
PCI Security Standards Council -> https://www.pcisecuritystandards.org/
Visa Europe -> https://www.visaeurope.com/receiving-payments/security/
MasterCard -> https://www.mastercard.us/en-us/merchants/safety-security/security-recommendations/site-data-protection-PCI.html
Banco de Portugal -> https://www.bportugal.pt/pt-PT/pagamentos/BoasPraticas/Paginas/Cartoes-de-Pagamento-Comerciantes.aspx
SAQs published at www.pcisecuritystandards.org
PCI DSS (Payment Card Industry Data Security Standard) is a security standard developed and managed by an independent body created in 2006 by the main international payment systems (Visa Inc., MasterCard, Discover Financial Services, JCB International and American Express). Its purpose is to:
- Protect payment-card holders by ensuring the confidentiality and integrity of the sensitive data associated with the use of payment cards, whether card data or authentication data;
- Protect merchants from the adverse financial and reputational consequences that may result from a breach of that confidentiality;
- Standardise the security requirements applied by all participants in the payment industry, guaranteeing cross-cutting control of the risk of data compromise and a higher level of trust.
PCI DSS aims to protect cardholder data and authentication data, subject to the following restrictions:

| PCI sensitive data | Data elements | Storage allowed | Stored data must be rendered unreadable (PCI requirement) |
|---|---|---|---|
| | Card number (PAN) | Yes | Yes |
| Sensitive authentication data (1) | Magnetic stripe data (2) | No | Cannot be stored (PCI requirement) |
| | CAV2/CVC2/CVV2/CID (3) | No | Cannot be stored (PCI requirement) |
| | PIN (4) | No | Cannot be stored (PCI requirement) |

- (1) Sensitive authentication data must not be stored after authorisation (even if encrypted).
- (2) Full track data from the magnetic stripe, equivalent data on the chip, or stored elsewhere.
- (3) The three- or four-digit value printed on the front or back of a payment card.
- (4) The personal identification number entered by the cardholder during a card transaction, and/or the encrypted PIN block within the transaction message.
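As an added example (not REDUNIQ's or the PCI Council's code), this Python shows the storage rule from the table in practice: every sensitive authentication data field is dropped before anything is written, and the PAN survives only truncated and as a keyed one-way hash, with an audit helper that spots records which still hold forbidden data. The field names, the truncation format and the HMAC approach are assumptions for the example, and the sample payload is constructed test data.

```python
import hashlib
import hmac

# Sensitive Authentication Data (SAD) as in the table above: never stored after
# authorisation, even encrypted. Field names are assumed for this example.
SAD_FIELDS = {"track1", "track2", "chip_track_equivalent", "cvv2", "cvc2", "pin", "pin_block"}

def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation, used only to reject garbage before the PAN is handled."""
    checksum = 0
    for i, d in enumerate(int(c) for c in reversed(pan)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        checksum += d
    return checksum % 10 == 0

def storage_record(auth_payload: dict, pan_key: bytes) -> dict:
    """Build the record a merchant may persist from a raw authorisation payload.
    SAD fields are removed entirely; the PAN survives only as a truncated form
    (first 6 / last 4 at most) and a keyed one-way hash for recognising a returning card.
    pan_key is assumed to live in a key vault / HSM, never beside the records."""
    pan = auth_payload["pan"].replace(" ", "")
    if not (pan.isdigit() and 12 <= len(pan) <= 19 and luhn_ok(pan)):
        raise ValueError("not a plausible PAN")
    record = {k: v for k, v in auth_payload.items() if k not in SAD_FIELDS and k != "pan"}
    record["pan_truncated"] = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
    record["pan_hmac"] = hmac.new(pan_key, pan.encode(), hashlib.sha256).hexdigest()
    return record

def violations(record: dict) -> list:
    """Audit a record already in storage: names any SAD field present, plus any value
    that looks like a full PAN (12 to 19 digits passing Luhn)."""
    found = [k for k in record if k in SAD_FIELDS]
    for k, v in record.items():
        s = str(v).replace(" ", "")
        if s.isdigit() and 12 <= len(s) <= 19 and luhn_ok(s):
            found.append(f"{k}: full PAN")
    return found

# Constructed sample payload (not real data); 4111... is a well-known test PAN.
SAMPLE_AUTH = {"pan": "4111 1111 1111 1111", "expiry": "12/27", "cvv2": "123",
               "track2": "4111111111111111=27121011000012345678", "amount": "49.90",
               "auth_code": "123456"}
```

Running `violations` over existing database rows is a cheap first check before a QSA or ISA assessment; a non-empty result means the row must be purged or re-derived with `storage_record`.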