Fraud Detection
As an employee handling payment cards, you need to be able to identify counterfeit and stolen credit cards. This starts with knowing what to look for on the card itself.
Visa, MasterCard, American Express, and Discover have built a number of security features into the card itself. If you make a regular habit of checking these, you will be doing your part to stop payment card theft. After all, the more difficult it becomes for criminals to use counterfeit and stolen payment cards, the less profitable the crime becomes.
Here are things to look for on the front of a card. Do not accept the card if:
• The hologram is missing or is of poor quality on a branded card (e.g. Discover, MasterCard or Visa; note that on some cards the hologram may appear on the back).
• The account number is tilted or slanted.
• Embossed data spacing is offset or uneven.
• There is printed information on top of the laminated surface.
Here are things to look for on the back of a card. Do not accept the card if:
• The customer’s signature on the receipt does not match the signature on the card.
• The CVV2 code (last three digits) is missing from the back of the card.
• The printing on the back of the card is blurry or distorted.
Overall, watch for these additional clues that a payment card may be fraudulent:
• The last 4 digits of the account number on the face of the card do not match the 4 digits on the back of the card.
• The account number or cardholder’s name has been ironed out and the card is embossed with a different number.
• The card looks warped or has a dull color and finish.
• The name, account number or signature on the receipt does not match the information on the card.
Sometimes your Point of Sale system will not be able to read a payment card. One of the most common reasons is that the card is expired. Make sure to check the ‘valid thru’ or ‘good thru’ date to ensure the card is still active. If the card has not expired, it may fail to swipe because the card is old and its magnetic stripe is damaged.
Other times, your Point of Sale system itself or the network connection may be down. If the card appears valid but cannot be swiped, you may have to take the transaction manually by keying the card number into your Point of Sale system.
The following is considered the best process for reducing manual transaction risk:
• Use a card swipe device when available
• Complete all of the data fields on the sales transaction screen, including the customer’s billing address if requested
• Consider having the customer sign the receipt and compare the signature with the signature on the card.
• Do not accept an unsigned card. If the card is unsigned, ask the cardholder to sign the card and then ask for identification. Compare the signatures on the receipt, the card, and the identification to ensure there is a reasonable match.
• Properly secure sales receipts and never accept anything that includes a full card number. Credit card numbers should never be visible on a receipt, handwritten, or stored in any way. All personally identifiable information (PII) should be stored in a secure fashion. Along with credit card numbers, an individual’s personal information is also very sensitive and should never be shared and should always be stored securely.
The card itself is only one way to detect fraud; you should also be aware of your customer’s behavior. Suspicious behavior such as a shaky voice or delayed and hesitant responses to questions may indicate that the customer is not being truthful. Watch out for customers who attempt to distract or rush you during the sale. Also, consider the information the customer is providing. If the customer gives a P.O. Box instead of a permanent address, or a toll-free number as a day or evening phone number, that’s another bad sign.
Physical Security
Security starts with ensuring that sensitive data and the computer systems that process and store it are locked up. We often think of data thieves as sophisticated hackers who are able to pull off high tech crimes over the web. However, most incidents are the result of poor physical security practices, not poor computer security measures.
Every employee’s actions are critical to ensuring that sensitive data is physically secured. If one person fails to lock a door, monitor a camera, or question someone who appears out of place, a vulnerability is created that a criminal can exploit. Part of maintaining a secure environment is understanding which parts of the environment are particularly sensitive and monitoring them.
For example, areas such as the backroom, storage areas, the area behind the counter with access to Point of Sale (POS) systems, and network equipment and wiring are all sensitive. Such areas should be locked when not in use.
No one besides employees and authorized vendors should be allowed in these areas, particularly if unsupervised. Any outside vendor should be able to provide identification. Without prior management approval or an approved vendor work order, no vendor should have access to payment devices such as computers, tablets and POS processing devices.
One of the most common techniques for stealing data is impersonating an employee or repair technician to gain access to POS systems or the network on which credit card data is transmitted. Other techniques involve installing a wireless device or skimmer to steal data. If you see someone who appears out of place, ask them if you can help. Most thieves will be discouraged and leave if they are approached. If they ask for something reasonable, such as directions to the restroom, offer to show them and escort them outside the sensitive area. Do not just offer directions and leave them unescorted to continue their search.
Finally, you should maintain a daily access log recording anyone you allow access to the backroom, storage areas, POS systems, and fuel dispensers.
Equipment Failure
In the event that a POS system becomes inoperable, contact your supervisor or OSMS Help Desk for further direction.
Never connect the POS to an analogue phone line, unauthorized network connection or separate card processing device unless you have confirmed the action with a supervisor AND have authorization. Some OSMS applications are designed to run on mobile phones; these applications are designed to address mobile security requirements but cannot address physical security challenges at your locations.
Ad-hoc network connections can be very insecure. All a hacker needs is a brief opportunity when normal computer security measures are not in place to compromise the network. All OSMS payment data is secured and encrypted from application to processor, but the risk of physical card number skimming or device compromise remains possible without proper diligence at the site location to secure credit card swipe devices and physical access to the actual credit cards being charged.
Payment Device Security
While you can generally restrict who can get behind the counter and access the backroom, customers may have access to card swipe devices and kiosks. This exposes those devices to significant risk, as payment card thieves can tamper with them, potentially installing skimmers to capture credit card data, devices to capture transactions as they are transmitted, or even cameras to capture the customer entering the card number. By staying vigilant, you are the best defense against such techniques.
Here are some practices you should follow to protect payment systems:
• Report unusually high levels of bad card reads or problems accepting cards to your supervisor or OSMS Help Desk. This can be an indication that the system has been compromised.
• Be sure to investigate the reason for any ‘Unit offline’ messages.
• Familiarize yourself with what payment devices and kiosks are in use, including the credit card swipe, card entry keyboard, and PC in general, depending on the payment platform implemented.
• Look for subtle changes or scratches that may indicate tampering. Photos can be an excellent aid to ensure you know what the dispenser should look like.
• Be suspicious of “technicians” performing unscheduled work on dispensers.
• Monitor the POS system and credit card swipe devices and have a plan to periodically review serial numbers. In the case of mobile credit card swipes, thieves often will attempt to steal the device and replace it with their own look-alike device. This type of fraud typically occurs when there is minimal traffic and the swap can be executed in less than a minute.
• Security cameras can help you keep tabs on sensitive equipment and areas that would otherwise be difficult to view.
When a receipt is generated electronically by a POS or dispenser, it must mask all but the last four digits of the credit card and the expiration date. It is important to periodically check receipts to confirm that the customer copy is masking the credit card number and the expiration date.
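As an added example (not part of this training document), a small Python check that scans the text of an electronically generated receipt and flags an unmasked card number or expiry date, which is exactly what the periodic receipt check above is meant to catch. The sample receipts are constructed, and the Luhn (mod-10) filter used to tell a card number from an authorization code or order id is an assumption of the example.

```python
import re
from typing import List, Tuple

# Constructed sample receipts. 4111 1111 1111 1111 is a well-known
# Luhn-valid test number, not a real account.
SAMPLE_OK = "VISA ************1111\nEXP **/**\nAUTH 012345\nTOTAL $42.10\n"
SAMPLE_BAD = "VISA 4111 1111 1111 1111\nEXP 12/27\nAUTH 012345\nTOTAL $42.10\n"

# 13-19 digits, optionally separated by spaces or hyphens, not glued to other digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# MM/YY printed right after an EXP / EXPIRES label; "**/**" will not match.
EXPIRY_AFTER_LABEL = re.compile(r"EXP\w*[:\s]*(0[1-9]|1[0-2])/\d{2}", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Mod-10 check that card numbers satisfy; filters out auth codes and totals."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_unmasked(receipt: str) -> List[Tuple[str, str]]:
    """Return (finding, evidence) pairs; an empty list means the receipt is masked."""
    findings = []
    for m in PAN_CANDIDATE.finditer(receipt):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            # Report only the last four, the way a compliant receipt would print them.
            findings.append(("unmasked_pan", "****" + digits[-4:]))
    for m in EXPIRY_AFTER_LABEL.finditer(receipt):
        findings.append(("unmasked_expiry", m.group()))
    return findings


def receipt_is_compliant(receipt: str) -> bool:
    return not find_unmasked(receipt)


if __name__ == "__main__":
    for label, text in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, "compliant" if receipt_is_compliant(text) else find_unmasked(text))
```

Run it over a batch of customer-copy receipts exported from the POS; any non-empty result is a receipt that should be reported rather than handed out.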
In some cases, when the POS system is inoperable or when the card does not swipe properly, you may need to enter the card manually. It is important that you do not record sensitive data such as the customer’s PIN or the CVV2 value, which is typically found on the back of the card. There is never any reason to capture this information. Paper documents with the full credit card number or an imprint should never be used. Whenever possible, have the customer swipe or enter their credit card number without staff intervention.
You should follow your organization’s data destruction procedures for any personally identifiable information (PII). You cannot just throw PII data in the trash. ‘Dumpster divers’ have been known to steal data. Instead, sensitive documents such as sales tickets with parent and student data need to be shredded or otherwise rendered unreadable.
Insider Theft
Unfortunately, payment card thieves also may attempt to recruit you and your co-workers to steal data. If anyone offers you money to record payment card data, report the incident to your supervisor immediately.
Payment card thieves have a way of making credit card theft sound like a harmless way to make some extra cash. Do not be fooled. Stealing payment card data is an illegal act with serious consequences, including termination and jail time.
If you see anyone using a device that is not part of normal day-to-day activities, report the incident to your supervisor immediately. Likewise, if you see anyone ask for payment card data over the phone or write account numbers down, report the incident to your supervisor immediately.
Incident Reporting
Why should you report an incident? What if the thief has already made off with the data? Your organization is in a better position to manage the incident if it knows about it. Even if data has already been stolen, quick action can usually limit the fallout. Payment cards can be monitored or reissued, law enforcement can be notified, and additional security precautions can be taken to ensure the incident does not happen again.
Unfortunately, insiders such as contractors and fellow employees may attempt to steal sensitive data. No one likes to report on their peers, but stealing data is just as much a crime as stealing cash and you have an obligation to report it.
The Secret Service and Carnegie Mellon University analyzed insider data theft cases and found that in approximately one quarter of the cases, co-workers knew about the crime in advance but took no action to report it. These were not accomplices; they were co-workers who did not know how to report the incident or for some reason decided not to. Data theft affects us all; reporting crimes and potential crimes is the only way we are going to get this crime wave under control.
Conclusion
If you have access to credit card information, you are accountable for maintaining the security of that information. We hope that you will apply the lessons covered in this training document to your job on a daily basis. If you require additional information or need clarification regarding your responsibilities or the procedures outlined in this document, please see your supervisor for assistance or contact the OSMS Help Desk.