Card payment security

Guidance on card security and taking card payments

On this page

Is your business taking card transactions? Open in new window

What is card fraud?

Criminals use stolen cards, card details or stolen personal information to attempt fraudulent card transactions. Card information can be captured from company data breaches, compromised cash machines, compromised webpages, and bogus texts and emails.

Another common ploy is fraudulent competitions and the ‘sale’ of discounted goods to entice customers into sharing their card details for non-existent products which never materialise.

How to avoid card fraud

Always shield your PIN in shops or at cash machines.
Don’t tell anyone what your PIN is and don’t write it down.
If you notice anything unusual or suspicious about a cash machine, don’t use it. Report it to the bank or cash machine operator.
Pay with your debit or credit card. If a seller tells you they can’t accept a card payment and asks you to send them money directly, don’t do it, it could be a scam.
When using your card online, ensure that the website is secure. The web address should begin with 'https://'. The 's' stands for 'secure' which indicates that the link between you and the website owner is secure and not that the site or company itself is authentic.
Be wary of public Wi-Fi and the risks of unknown hotspots.
Contactless cards are embedded with multiple layers of security and transactions have the same protection as chip and PIN, making them safer than cash. And for added protection you’ll also be asked to enter your PIN to verify your identity from time to time.

Is your business taking card transactions?

Information on how to take card payments securely, what to look out for and some guidance on general card security.

Open in new window

Card security guidance

Useful links

Entering the PIN - always ask the cardholder to enter their PIN. Nobody else should do this on behalf of the customer.

Locked cards - when a customer enters an incorrect PIN three times in a row, the card is locked. Tell the customer to contact their card issuer. It’s vital you don’t swipe the transaction instead.

Cards without Chip and PIN

Not every card has Chip and PIN. When you’re presented with one of these cards, make sure you check all visual security.

Check the card to ensure it looks genuine by following the steps on the Card Watch website.
Use an ultraviolet lamp to spot the security mark on most cards. Some Visa Electron cards don’t have a security mark.
Name and gender - check the title on the card with the gender of the person using it.
Signature - check the spelling of the name on the signature strip against the spelling on the front of the card.
Check the long number - make sure the number on the front of the card matches the card number you’ll see on the till receipt. Sometimes, when fraudsters ‘clone’ a card, the number held in the magnetic strip doesn’t match the one printed on the card.

Your responsibility

If a Chip and PIN card is not processed correctly, you could be liable for the transaction if it is confirmed to be fraudulent. Even if a card is authorised, if you've not carried out all the correct checks - there's a chance you may not receive the payment.

Remember, authorisation is only designed to show two things: that enough funds are available to cover the payment and that the card has not been reported lost, stolen or compromised in any other way.

For more information on preventing card fraud, visit the Worldpay website.

Customers who use two cards for one purchase

Card scheme rules don’t allow the use of two different cards for one purchase.

Is the customer purchase behaviour suspicious?

Be wary of the following signs. If you suspect something is wrong, make a ‘Code 10’ authorisation call.

A 'Code 10' call is an additional security check that’s available, should you become suspicious about a transaction. This can be done at any time, even if the transaction has been processed through the terminal and has been authorised. If you’re suspicious about the card, the authenticity of the cardholder or something just doesn’t feel right, we recommend you make a 'Code 10' call to your merchant acquirer.

Advice on making ‘Code 10’ calls is often available in the user operating instructions, or published on the merchant acquirer’s website.

Indiscriminate purchases - does it almost look as if the customer doesn’t really care what they buy? If the goods could easily be sold on, you should be suspicious.
Easy sales - is the customer too good to be true? For example, they are not even interested in the price or details about the goods.
Large sales - ask yourself if the sale is much higher than your usual sales. Is the customer buying lots of different items at random?

Does the signature show sign of tampering?

If you notice a felt pen signature on a card, it could be a sign that fraudsters are trying to hide the real signature. The card signature should always be in ballpoint pen.