Find the answers to your fraud protection and prevention questions

It takes an assortment of tools to prevent fraud. Reading through the rest of the FAQs listed here will help you determine what your business needs to do to reduce your fraud risk.

Below are some guidelines for preventing Internet, telephone or mail order fraud.

We request that cardholders provide the following information during the order-taking process:

• Cardholder name, exactly as it appears on their card
• Card number
• Card expiration date
• Card Identification Data (CID): the three-digit number located on the back of the card
• Card billing and shipping address (when necessary)
• Cardholder telephone number

For each transaction, be sure to:

• Validate the CID
• Verify the cardholder's billing address electronically or via our address verification system (AVS)
• Verify the cardholder's name, full billing address, email address, and phone number with the issuer, in real time, using our free fraud prevention solution, Verify+
• Check your delivery service contract for who is responsible for merchandise not delivered
• Require a signature for each delivery and keep all delivery records
• Refund sales on the same card (if the sale is on a credit card)
• Include your common DBA and customer service number on the customer's transaction receipt
• Clearly communicate all delivery charges, restocking fees, or other fees
• Clearly explain return policies and offer documentation of these policies with each sale
• Document customer service efforts when working on chargebacks
• Respond to all chargebacks
• Require authorization for duplicate charges or installment plans unless otherwise stated

Do not use key card information to force through a sale for which you have received a declined response to your authorization request.

The following behaviors indicate higher-risk transactions. One behavior alone may not be a concern.

• New customer attempts to make a large credit card transaction
• Customer doesn't know the CID, indicating they don't have the actual card
• Customer's address doesn't match the cardholder address when you're obtaining an address verification
• Customer ships to an address other than the billing address
• Customer tries lower dollar amounts when a decline message is received
• Customer tries different expiration dates when initial attempts fail
• Customer has difficulty supplying personal information
• Customer repeatedly sends email messages requesting confirmation of shipment
• Customer attempts to ship multiple orders using different cards to the same address
• Customer attempts to purchase large quantities of a single item
• Customer purchases several large-ticket items, which appear random
• Customer calls a few minutes before closing and wants several large-ticket items
• Customer splits up transactions to avoid paying import taxes or duty fees
• Customer requests shipment to an overseas destination
• Customer seems concerned about delivery time frames to overseas destinations
• Customer attempts to place a large order using several credit cards to obtain the total authorization amount
• Customer offers the phone number to an authorization center to speed up the credit card approval process
• Customer has little regard for price
• Customer shows little or no concern for return policies, manufacturer warranties, or rebates when purchasing in large quantities

These best practices apply to internet commerce.

• Clearly identify your company name on your website—on each page if possible
• Include your common DBA and customer service number on the customer’s transaction receipt
• Offer a street or P.O. box address as contact information on your website
• Offer a customer service telephone number
• Clearly identify all features of a product or service
• Clearly communicate all delivery charges, restocking fees, or other fees
• Clearly identify your company’s return policy and shipping time frames, and offer documentation of these policies with each sale
• Disclose your information security policies and processes

Protecting Customer Information

• Truncate all credit card information
• Avoid storing CID data in your records or within sales data
• Secure your site
  • Store data securely
  • Protect your data with firewalls
  • Limit authorized use and require passwords
• Avoid storing customer or credit card information on your web server

Refer to your Merchant Operating Regulations for further card-not-present (CNP) requirements for the submission of sales.

If there is a breach in your system, notify Discover Security within 48 hours by calling 1-800-347-3083 or emailing globalfraudsolutions@discover.com

The CID helps ensure that the cardholder possesses the card at the time of purchase. It may also help protect you against chargebacks in the event of a dispute.

Ensure that the proper person received the shipment by requiring documentation of delivery. In a chargeback dispute, you can then verify delivery information. Also refer to the requirements in the Merchant Operating Regulations, Section 4.

The best way to protect your business is to develop an information security strategy. The basics include but are not limited to firewalls, cryptography tools, and anti-virus software. The rule with data security is: you can’t be too careful.

Risk-focused organizations include:

Merchant Risk Council

Merchant Advisory Group

International Association of Financial Crimes

• Customer makes random purchases without paying attention to size, value, or price
• Customer presents a card taken from their pocket instead of their wallet
• Customer claims to have left photo identification at home or in the car
• Customer arrives near closing time and tries to hurry you through the sale
• Customer purchases a large item and refuses delivery
• Customer displays no interest in the warranty on expensive items
• Customer is slow and deliberate when signing the sales draft, perhaps because the signature is being forged

• Embossed card is missing the stylized "D" character
• Information has been altered (e.g., expiration date, card number, embossed name)
• Signatures on the card, and the sales draft, are different
• Validation date has expired
• Ultraviolet image of the word "DISCOVER" is missing from the front of the card
• Signature panel shows signs of tampering, or the word "VOID" is exposed by an erasure
• The word "DISCOVER" or "DISCOVER NETWORK" in the signature panel is unclear or not tilted at the standard 20-degree angle
• The hologram, or holo-magnetic stripe, is damaged or appears to have been tampered with

If a card's magnetic stripe can't be read, obtain an imprint of an embossed card. Ensure the imprint clearly shows the card number, expiration date, cardholder name, and stylized "D" character. Refrain from keying unembossed cards if you are suspicious.

Call 1-800-347-1111 and ask for a Code 10 authorization if you suspect a transaction is fraudulent.

Help protect your cardholders and your profits through our multilayered fraud prevention programs and services.

Card Identification Features—for Major Card Brands (#33844)

Card identification features for the major credit card types can help. Order them by contacting your acquirer.

Card Identification Data (CID)

The three-digit CID provides an additional layer of security to reduce authorization testing. The CID may also be entered into your point-of-sale (POS) system for a swiped or keyed transaction to further authenticate the validity of the card.

Address Verification Services (AVS)

To limit fraud on CNP transactions, we require merchants to capture the cardholder's address for verification.

Fraud Prevention Solution: Verify+

Enroll in our free fraud prevention solution, which compares the customer's full name, complete billing address, up to three phone numbers, and an email address with the issuer's records. You will receive an immediate match/no-match response from our website.

Address Change Notification (ACN)

Minimizes the risk of account takeover fraud. When supported by your acquirer or processor, merchants requesting an AVS are sent an ACN. The ACN indicates the number of days since the last cardholder billing address change (if the change was within the last 45 days).

Card Verification Value (CVV)

A unique value is encoded on the magnetic stripe of the card; the issuer provides it as protection against counterfeit cards.

Code 10: Suspicious Situations

Merchants who become suspicious during a card-present transaction can phone in a Code 10 authorization request, which alerts the issuer and protects the cardholder. Our automated authorization line will connect the merchant to the appropriate issuer.

100% Authorization Requirement

We protect profits by requiring authorization on all transactions.

Stand-In Functionality

Assists participating issuers with merchant authorizations when systems are down.

Fraud Prevention Seminars

Discover sponsors seminars and lectures on fraud prevention. To learn more, call 1-800-347-6634, or email us

Other Important Reminders:

• Your authorization code does not eliminate the possibility of a fraudulent sale
• You are the first line of defense against fraud
• Discover is here to assist you in the fight against fraud

Discover Network supports efforts to combat misuse of intellectual property. If you are an intellectual property right holder and want to report a merchant violation of your intellectual property rights, email us at riskoperations@discover.com

Please include the following information in your email (if available):

• A description of the alleged infringement, including the identity of the site allegedly engaged in the sale of illegitimate products and evidence proving the allegation
  • If only certain items on a website are alleged to be illegitimate, the request must clearly identify those specific products and their location on the website
• Evidence that the illegitimate products could be purchased using a Payment System Operator's services, for example, by providing a screenshot of the Payment System Operator’s logo on the merchant website
  • Test transactions are helpful but not required
• A copy of the right holder's cease & desist letter, a DMCA notice that the website operator is engaging in infringing activity, or an attestation that, to the best of the right holder's knowledge, the site isn't licensed or otherwise authorized to sell the alleged illegitimate products
• Evidence demonstrating that the right holder owns a copyright or trademark in question

The Discover Information Security & Compliance (DISC) program helps implement and maintain efficient data security and procedures for its constituents and promotes the adoption of secure transaction processing of cardholder data on the Discover network.

As part of DISC, Discover partnered with other major payment card brands to form the Payment Card Industry Security Standards Council, LLC (PCI SSC). The PCI SSC launched on September 7, 2006, to manage the PCI security standards, which focus on improving payment account security throughout the transaction process. Discover is committed to the PCI security standards as the industry standards for the payment card industry. The DISC program promotes compliance to PCI security standards by helping safeguard cardholder data and limit data compromises.

To find out more, please visit the PCI SSC website

Merchants

In addition to requiring compliance to PCI security standards, Discover requires that each new implementation of payment applications by merchants, and their agents, is compliant with the Payment Card Industry Payment Application Data Security Standard (PA-DSS).

For a list of PA-DSS-compliant applications, or information on PA-DSS, visit the PCI SSC website

Acquirers & Service Providers

There are separate compliance requirements for acquirers and service providers. In addition to requiring compliance to the PCI security standards, Discover supports the PA-DSS and recommends that acquirers ensure that their merchants, service providers, and agents use payment applications that have been validated as compliant with PA-DSS.

For more information on PA-DSS, visit the PCI SSC website