I received this question from one of our departments today regarding card acceptance procedures. I did some research to see if things had changed since I last looked, and thought some of you might find the following useful.
"Would you confirm whether or not PCI or the credit card industry requires a signature on the back of cards? Our current procedure requires that the card be signed and/or another form of ID is presented. While updating our procedures we thought we should confirm this."
All payment cards have words like
"Not valid unless signed" adjacent to the signature panel on the back of the cards. It means exactly that, regardless of what a customer may have seen somewhere on the Internet or on TeeVee. The signature needs to be on the card even if the customer has written
"See ID" on the back of their card. A payment card must be used according to the terms of the issuing bank (who actually owns the card) and the card brands. Those terms tell the customer they must sign the card or it is not valid for purchases.
The merchant is responsible for comparing the signature on the back of the card with the signature on the sales draft. This is a security check required by Visa, MasterCard and the other card brands. If the signatures don't match then call for authorization.
If the card is unsigned then you can ask the customer for government-issued photo ID and have them sign the card in your (the merchant's) presence. Then the purchase may be processed. If the customer refuses to sign the card it may not be accepted. Ask them for another form of payment.
This is addressed in each of the individual card brands' operating procedures. Here are some excerpts from the MasterCard and Visa programs.
MasterCard Rules
See
http://www.mastercard.com/us/company/en/whatwedo/merchant_rules.html for MasterCard's merchant documents.
Transaction Processing Rules
See Merchant Acceptance Procedures on pages 3-1 to 3-3.
Unsigned Cards
If a MasterCard Card is presented to a Merchant representative and the Card is not signed, the Merchant representative must:
- Obtain an authorization from the Issuer,
- Ask the Cardholder to provide identification (but not record the Cardholder identification information); and
- Require the Cardholder to sign the Card.
The Merchant must not complete the Transaction if the Cardholder refuses to sign the Card.
Visa
See
http://usa.visa.com/merchants/merchant-support/resources/library.jsp for a collection of documents for merchants.
Card Acceptance Guidelines for Visa Merchants
See Cardholder Verification and Identification p.32, 33
Unsigned Cards
While checking card security features, you should also make sure that the card is signed. An unsigned card is considered invalid and should not be accepted. If a customer gives you an unsigned card, the following steps must be taken:
- Check the cardholder’s ID. Ask the cardholder for some form of official government identification, such as a driver’s license or passport. Where permissible by law, the ID serial number and expiration date should be written on the sales receipt before you complete the transaction.
- Ask the customer to sign the card. The card should be signed within your full view, and the signature checked against the customer’s signature on the ID. A refusal to sign means the card is still invalid and cannot be accepted. Ask the customer for another signed Visa card.
- Compare the signature on the card to the signature on the ID.
Please note: According to Visa, requiring a customer to provide a photo ID cannot be used as a condition for accepting payment cards, EXCEPT in the case where the card does not have a signature. Interestingly, this is different for MasterCard.
I strongly recommend reading the documents mentioned above. There many requirements and guidelines besides PCI DSS that merchants must follow. Don't rely on just the short snippets I provided here when updating your payment card handling procedures.