Security (2020-10-02T15:22:58+00:00)

What is it? What is its purpose?

The PCI DSS (Payment Card Industry Data Security Standard) is a security standard developed and maintained by the PCI Security Standards Council, an independent body set up in 2006 by the main international payment systems (Visa Inc., MasterCard, Discover Financial Services, JCB International and American Express). Its purpose is:

  • To protect cardholders, by ensuring the confidentiality and integrity of the sensitive data associated with the use of payment cards, whether card data or authentication data;
  • To protect merchants from the financial and reputational consequences of a breach of that confidentiality;
  • To standardise the security requirements that everyone involved in the payments industry must meet, so that the risk of data compromise is controlled end to end and the level of trust in the system increases.
What is the card's sensitive data?

PCI DSS protects cardholder data and sensitive authentication data, with the following storage rules. "Must be rendered unreadable" means the stored value has to be protected wherever it is kept, for example by truncation, tokenisation, a keyed hash or strong encryption.

Category                           Data element                   Storage permitted   Must be rendered unreadable
Cardholder data                    Card number (PAN)              Yes                 Yes
                                   Cardholder's name              Yes                 No
                                   Service code                   Yes                 No
                                   Expiry date                    Yes                 No
Sensitive authentication data (1)  Full track data (2)            No                  Must not be stored
                                   CAV2/CVC2/CVV2/CID (3)         No                  Must not be stored
                                   PIN / PIN block (4)            No                  Must not be stored

  1. Sensitive authentication data must not be stored after authorisation, even if it is encrypted.
  2. Full track data from the magnetic stripe, the equivalent data on the chip, or the same data held anywhere else.
  3. The three- or four-digit security code printed on the front or back of the payment card.
  4. The personal identification number entered by the cardholder during a card transaction, and/or the encrypted PIN block carried in the transaction message.
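The storage rules in the table above, applied in code. This is an added example written for this page, not Unicre/REDUNIQ code: the record field names (pan, cvv2, track2, pin_block and so on), the HMAC key, the sample record and the log line are constructed, and HMAC-SHA256 is used as one way of meeting the "rendered unreadable" requirement for the PAN; the page itself names no particular method. The last function scans free text for Luhn-valid card numbers, which is the quickest check that card data has not leaked into application logs.

```python
"""Added example (not from the Unicre/REDUNIQ page): applying the PCI DSS storage
rules from the table above to a transaction record and checking that card data is
not leaking into logs. Field names, the HMAC key and the sample log line are
constructed for illustration."""
import hashlib
import hmac
import re

# Sensitive authentication data: never stored after authorisation, even encrypted
# (footnote 1 of the table). The field names are assumptions.
SAD_FIELDS = {"track1", "track2", "chip_data", "cvv2", "cvc2", "cid", "pin", "pin_block"}

# Placeholder key for the keyed hash. In production it comes from an HSM/KMS and
# is never hard-coded.
HMAC_KEY = b"constructed-placeholder-key-do-not-use"

# 13 to 19 digits, optionally separated by spaces or hyphens, not glued to other digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test; separates real PANs from arbitrary digit runs."""
    total = 0
    parity = len(pan) % 2
    for i, ch in enumerate(pan):
        d = int(ch)
        if i % 2 == parity:      # every second digit counted from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: first six and last four digits visible, the rest masked."""
    if not (13 <= len(pan) <= 19 and pan.isdigit()):
        raise ValueError("not a PAN")
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def pan_hmac(pan: str) -> str:
    """Keyed hash (HMAC-SHA256) stored in place of the PAN for lookups and matching."""
    return hmac.new(HMAC_KEY, pan.encode(), hashlib.sha256).hexdigest()


def sanitize_for_storage(record: dict) -> dict:
    """Copy of the record that follows the table: SAD dropped, PAN replaced by a
    masked form plus a keyed hash; name, expiry date and service code kept as-is."""
    out = {k: v for k, v in record.items() if k not in SAD_FIELDS}
    if "pan" in out:
        pan = out.pop("pan")
        out["pan_masked"] = mask_pan(pan)
        out["pan_hmac"] = pan_hmac(pan)
    return out


def find_pans(text: str) -> list:
    """Luhn-valid 13-19 digit runs in free text, e.g. a log line. Anything this
    returns is card data sitting somewhere it must not be kept in the clear."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


# Constructed inputs: a well-known test PAN that passes Luhn, a record that still
# carries SAD, and a log line that leaks the PAN and the CVV2.
SAMPLE_RECORD = {
    "pan": "4111111111111111", "name": "A N Other", "expiry": "12/27",
    "service_code": "201", "cvv2": "123", "track2": "4111111111111111=27121010000000000",
}
SAMPLE_LOG = "2020-03-18 10:39:20 INFO order=5581 pan=4111 1111 1111 1111 cvv2=123 amount=49.90"

if __name__ == "__main__":
    print(sanitize_for_storage(SAMPLE_RECORD))
    print("PANs found in log:", find_pans(SAMPLE_LOG))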
Who should be PCI certified?

All merchants must comply with the PCI DSS security requirements.
To find out which level of validation applies, each merchant should check the validation requirements for each merchant category on www.pcisecuritystandards.org. A merchant's category depends on its annual number of transactions, the acceptance channel used for those transactions and the merchant's level of risk.

The validation requirements, and the proof of compliance that has to be produced, vary with the level the merchant falls into:

Level 1: more than 6 million transactions per year (regardless of acceptance channel)
  • ROC (Report on Compliance) resulting from an annual on-site assessment
  • Quarterly external vulnerability scans of the network by an Approved Scanning Vendor (ASV)
  • AOC (Attestation of Compliance), signed off by a Qualified Security Assessor (QSA)

Level 2: 1 to 6 million transactions per year (regardless of acceptance channel)
  • SAQ (Self-Assessment Questionnaire)
  • Quarterly ASV scans

Level 3: 20,000 to 1 million e-commerce transactions per year
  • Proof of a business relationship with a Payment Service Provider that appears on the Visa or MasterCard compliance lists
  • SAQ

Level 4: fewer than 20,000 e-commerce transactions per year, or fewer than 1 million transactions per year across all channels
  • SAQ
  • Quarterly ASV scans

Important!

Merchants who have suffered an attack on their computer systems that resulted in the compromise of their Clients' card data automatically become subject to the Level 1 validation requirements.
Unicre will ask Merchants for proof of fulfilment of the requirements on an annual basis and may, depending on criteria defined by Unicre, waive this requirement in the case of Level 4 Merchants.

How to obtain PCI certification?

PCI DSS validation can be performed by a Qualified Security Assessor (QSA), a company certified by the PCI Security Standards Council, or by the merchant's own Internal Security Assessor (ISA), an employee who has completed the ISA training programme run by the PCI Security Standards Council:

https://www.pcisecuritystandards.org/program_training_and_qualification/internal_security_assessor_certification/

https://programs.pcissc.org/isaregistration.aspx

For more information on the PCI DSS, we suggest you consult the websites of the following organisations:
PCI Security Standards Council -> https://www.pcisecuritystandards.org/
Visa Europe -> https://www.visaeurope.com/receiving-payments/security/
MasterCard -> https://www.mastercard.us/en-us/merchants/safety-security/security-recommendations/site-data-protection-PCI.html
Bank of Portugal -> https://www.bportugal.pt/sites/default/files/bpcartoes-comerciantes.pdf

Note: the SAQ forms are published on www.pcisecuritystandards.org.

Very important information on fraud prevention

REDUNIQ never contacts Merchants to ask for their Customers' bank details, nor does it ask for debit/credit card numbers or any identification data of cardholder Customers.

REDUNIQ never gives a Merchant an authorisation code before the Merchant has submitted the transaction or authorisation request for its Customer's card: the authorisation code only comes into existence after the Merchant submits that transaction.

Whenever there is any doubt about the identity or legitimacy of a person contacting the Merchant on behalf of REDUNIQ, the Merchant should call the Unicre Call Centre, which is open 24 hours a day, on 213 132 900.

Other procedures can help reduce fraud.

Distance Selling

In the case of online sales, we recommend the following procedures to minimise fraud:

  • Always obtain an authorisation for every purchase order. The authorisation response indicates whether the card is valid, under what conditions it may be used and whether it has sufficient available limit for the transaction;
  • Always request the card's security code (CVV2/CVC2) and send it with the authorisation request. Do not keep it afterwards: it is sensitive authentication data and must not be stored after authorisation;
  • Keep a history of each Customer's purchases. Fraud is less likely within a regular business relationship (more than 6 months);
  • Set a maximum amount per Client and monitor the frequency of transactions by the same Client;
  • Keep records of the delivery addresses used by each Customer. For high-value goods, confirm the purchase with the Customer;
  • Keep a record of returns and complaints, indexed by delivery address;
  • When a refund is requested, make it to the card that originated the transaction whenever possible;
  • For orders received by fax, post or telephone, always ask for the Customer's signature on the order form. For orders originating abroad, ask for a copy of the front and back of the payment card; such a copy shows the security code, so it must not be retained once the order has been verified.
Face-to-face sales

For in-person sales, REDUNIQ may contact the shop and ask it to retain the card when misuse is suspected while a purchase is being paid for.

Distance Selling

In the case of Internet Sales, the following procedures will help reduce the risk of fraud:

Implement fraud detection systems to identify high-risk transactions or transaction patterns. Check for multiple orders originating from the same IP address but with different data.

Do not process transactions with high-risk characteristics, such as:

  • Transactions that exceed your shop's normal sales patterns;
  • Deliveries to high-risk addresses, such as post offices, prisons and hospitals.

Carefully check orders placed with multiple cards or with cards that have sequential numbers, as this could be an indication of fraudulent activity.

Pay particular attention to international transactions.

Evaluate the risk based on the type of goods, the amount of the transaction, the country where the card was issued, and where the goods are to be sent.

You should check the order for suspicious or unusual names or spelling mistakes.

In situations where you feel suspicious, contact our helpline 21 313 29 00.

Distance Selling

In the case of online or remote sales, your employees and/or IT systems must be prepared to recognise suspicious orders. Our experience shows that there are certain characteristics common to fraud. If one or more of the following indicators appear in the transaction, it may be a sign of increased risk:

  • First-time customer. The risk of fraud is lower when dealing with regular customers;
  • Large orders. Larger than usual orders may indicate fraud;
  • Multiple orders. Orders that include several items of the same article;
  • Suspicious card combinations;
  • Transactions made with cards with similar numbers;
  • Orders sent to the same address but bought with different cards;
  • Multiple transactions with a single card in a short space of time;
  • Multiple transactions made with several cards and different delivery addresses;
  • A single transaction in which the Customer wants to pay with several cards.
  • Hesitation. Beware of customers who hesitate or feel insecure about providing personal data;
  • Rush orders or orders with an urgent delivery request. These last-minute orders are one of the characteristics of "hit and run" fraud schemes to obtain goods for quick resale;
  • Random orders.
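The indicator list above, together with the checks in the previous section (orders from one IP address with different card data, cards with sequential numbers, transactions outside the shop's normal pattern), turned into a rule-based screen over a stream of orders. This is an added example written for this page, not Unicre/REDUNIQ code: the Order fields, the thresholds (velocity window, large-order cut-off, shared PAN prefix) and the sample orders are constructed for illustration, and a real shop would tune the thresholds against its own sales history.

```python
"""Added example (not from the Unicre/REDUNIQ page): a rule-based screen that
applies the fraud indicators listed above to a stream of orders. Order fields,
thresholds and sample data are constructed for illustration; a real shop tunes
the thresholds against its own sales history."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: str
    ts: int                   # seconds since epoch (constructed values below)
    ip: str
    pan: str                  # card number; in production handled inside PCI scope
    ship_to: str
    amount: float
    customer_since_days: int  # 0 = first-time customer


# Thresholds are assumptions for this constructed shop, not values from the page.
VELOCITY_WINDOW = 600   # seconds: "multiple transactions with a single card in a short space of time"
VELOCITY_MAX = 2        # orders allowed per card inside the window
LARGE_ORDER = 1000.0    # "larger than usual" cut-off
SIMILAR_PREFIX = 12     # PANs sharing this many leading digits count as similar/sequential


def screen(orders):
    """Return {order_id: [indicator, ...]} for every order that trips a rule."""
    flags = defaultdict(list)
    by_ip = defaultdict(set)      # ip -> cards seen from it
    by_addr = defaultdict(set)    # delivery address -> cards used for it
    by_card = defaultdict(list)   # card -> timestamps of its orders

    for o in sorted(orders, key=lambda x: x.ts):
        if o.customer_since_days == 0:
            flags[o.order_id].append("first-time customer")
        if o.amount >= LARGE_ORDER:
            flags[o.order_id].append("large order")

        # Velocity: too many orders on one card inside the window.
        recent = [t for t in by_card[o.pan] if o.ts - t <= VELOCITY_WINDOW]
        if len(recent) + 1 > VELOCITY_MAX:
            flags[o.order_id].append("multiple transactions with one card in a short time")
        by_card[o.pan].append(o.ts)

        # Same IP / same delivery address already used with a different card.
        if by_ip[o.ip] - {o.pan}:
            flags[o.order_id].append("same IP, different cards")
        if by_addr[o.ship_to] - {o.pan}:
            flags[o.order_id].append("same address, different cards")

        # Sequential or similar card numbers seen from the same IP or address.
        seen = (by_ip[o.ip] | by_addr[o.ship_to]) - {o.pan}
        if any(p[:SIMILAR_PREFIX] == o.pan[:SIMILAR_PREFIX] for p in seen):
            flags[o.order_id].append("similar card numbers")

        by_ip[o.ip].add(o.pan)
        by_addr[o.ship_to].add(o.pan)

    return dict(flags)


# Constructed order stream: one IP cycling through near-identical PANs and
# addresses, and one regular customer hammering a single card.
SAMPLE_ORDERS = [
    Order("o1", 1000, "203.0.113.10", "4111111111111111", "Rua A 1, Lisboa", 49.90, 400),
    Order("o2", 1100, "203.0.113.10", "4111111111111129", "Rua A 1, Lisboa", 59.90, 0),
    Order("o3", 1150, "203.0.113.10", "4111111111111137", "Rua B 2, Porto", 1250.00, 0),
    Order("o4", 1200, "198.51.100.7", "5555555555554444", "Av. C 3, Braga", 20.00, 900),
    Order("o5", 1300, "198.51.100.7", "5555555555554444", "Av. C 3, Braga", 20.00, 900),
    Order("o6", 1400, "198.51.100.7", "5555555555554444", "Av. C 3, Braga", 20.00, 900),
]

if __name__ == "__main__":
    for order_id, indicators in screen(SAMPLE_ORDERS).items():
        print(order_id, "->", "; ".join(indicators))
```

Each rule maps to one bullet above, so an order flagged by several rules at once (o2 and o3 in the sample) is the "one or more indicators" case the text describes and is the one to hold for manual review or a call to the helpline.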
12 tips for your e-commerce solution

1. Strengthen your online shop's identity. This builds consumer confidence and increases your contact potential:

  • Provide clear and precise information about your company;
  • Publish your confidentiality/privacy policy;
  • Obtain a certificate for your online shop so that customer data is encrypted in transit (HTTPS).

2. Offer complete information about the products/services in your online shop. Make it easy for your customers to make a purchase.

3. Provide customer support lines. Make it easy to get in touch.

4. Help customers move around the site. Make it easy to navigate. Don't forget potential customers who are visiting for the first time.

5. Arrange the 'shelves' in your shop. Make it easy to find products/services.

6. Identify your customers' most frequently asked questions (FAQ) and provide the answers.

7. Provide information on distribution channels. Don't forget that the sale doesn't end with the online purchase on the website.

8. Make it clear which delivery system your shop uses. You could be driving customers to your competitors by not doing so.

9. Facilitate the logistics of delivering your products. Clearly communicate the delivery times practised by your shop.

10. Invest in relationship models with your customers. Learn as much as possible about your customers so that you can serve and sell to them more effectively.

  • Add a suggestion box;
  • Make it possible to subscribe to newsletters and post news about your products/services;
  • Clarify doubts and information about the product/service;
  • Collect opinions and hold votes;
  • Provide distribution lists and reduce the average response time of shops to requests from potential customers.

11. Detect market opportunities.

12. Get to know your customers.