Ssp.rogers.com



center254000Fraud/Loss Prevention Best PracticesObjectives:In today’s environment, we will encounter two kinds of customers; legitimate customers, and those ready to hurt our business. Since members of the second group will not identify themselves as such, Rogers’ systems, policies and procedures need to work in concert to fill the void.Below are some best practices within our wireless industry that can help to prevent fraud:Validate Customer IDEnter customer ID accuratelyApply scrutiny for multiple activations, add to existing, and hardware upgradesAvoid the use of tentative BANsDo not share login credentials and dealer codesPerform user ID audits and password resetsConduct routine procedural reviewsProtect assetsCheck inventory shipmentsCustomer Identification and Authentication: Strong customer identification review and validation practices are necessary to protect customer information from unauthorized access and prevent financial losses. To do so, Rogers is required to have means to verify an individual’s identity. To support these objectives, SSP requires stores to follow a standard customer identification process for new activations, hardware upgrades and other applicable transactions.Please be sure to follow the instructions on the SSP ID entry screensCustomer Handling Procedures:In the event that ID Validation is successful, SSP will allow the sales agent to continue with the transactionIn the vent that supplementary validation is required, SSP will present a message directing sales staff to contact the Rogers Validation Team who will help to resolve the matter.Standard Credit Reference Requirements:All consumer and residential customers must provide a minimum of two credit references at time of activation. The first reference must be a Priority 1 ID, as these are more likely to produce an accurate match during credit evaluation.The second reference can be a Priority 1 or Priority 2 ID.All IDs must be issued in Canada by a Canadian government agency (federal, provincial or municipal), or by a Canadian bank, institution, or company (refer to exception for international students and workers)The following must be presented for all consumer and residential activations, either as part of or in addition to the regular credit references: Valid government-issued photo ID. (Excludes Provincial Health Care cards, as they can NOT be used as a credit reference or form of identification.) Valid ID showing Date of Birth (DOB) Valid ID showing Proof of Address (POA)If a proof of address cannot be identified on either provided IDs, a third reference can be usedValid Proof of Address (POA): Utility Bill, Property Tax Receipt, Lease AgreementOnly the following may be used as credit references: TypeConsumer AccountPriority 1Social Insurance Number (SIN) CardCredit Card: American Express MasterCard Visa Driver's License Savings or Chequing bank information: Account number Account type Branch number Bank numberPriority 2Birth Certificate Canadian Passport Canadian Citizenship CardPermanent Resident Card Provincial ID / Age of Majority CardNative Status Card Senior Citizens CardMilitary IDExceptional Credit ReferenceCustomers who are temporarily living in Canada with a work or study visa can use the following IDs for in-store activations: TypeConsumer AccountTemporary ResidentsForeign PassportWork / Study PermitNote: The foreign passport must match the passport number listed on the permit. These IDs must always be used together, and cannot be combined with any of the other credit references listed aboveValidating Customer ID: ID validation is identified as a contributing factor to fraudulent transactions. Fraudsters may present false, manipulated or stolen ID in an effort to gain equipment (i.e. smartphone, tablet) and/or servicesTo reduce exposure related to ID validation, the following procedures are strongly recommended:Ask for at least two pieces of ID for all transactions (i.e. Activations, HUPs, Account Changes)Ask for ID before disclosing any account informationEnsure at least one form of ID has a recent photograph of the customerCross reference ID with each other and systems (i.e. names, addresses should be identical)If you have a card reader that is capable of reading magnetic stripes, compare what your reader tells you to the actual values on the cardRun your thumb over the picture and the date of birth. Any raised area could indicate that the ID has been altered with fraudulent informationCompare signatures on any agreements with those on the IDDo not hand over hardware until you have signed the service agreementBe cautious of out of province IDThe following IDs are considered NOT acceptable:Health CardDebit Visa / Debit MastercardFirearms LicenseStudent IDAccepted Photo IDs that are expiredPhotocopies or Digital copies of IDs Enter Customer ID Accurately:To reduce exposure in this category, the following procedure should be followed:Carefully and thoroughly input the exact information from the ID into SSP (no deviations or nicknames)In the event of needing to contact RSG/EOS for an activation, read the ID exactly as it is noted on the documentIf a customer requests a name, address or any other piece of information be added to our systems that are in contradiction to the document, advise the customer the Rogers policy is to enter information as it appears on the document to ensure accuracy.Apply scrutiny for multiple activations, add to existing, and hardware upgradesTypical fraudsters will attempt to perform multiple activations or upgrades and generally target high-end devices. They may also attempt to process on a legitimate customer’s account to commit fraud.To reduce exposure, the following procedures are recommended:New ActivationsRequest a third form of ID be provided (i.e. utility bill with address). You can also ask for a home phone number that you can verify information.Implement an approval/verification process for multiple activations (i.e. have the store manager authorize). When subsequent approval is required, a fraudster may feel their attempt is in jeopardy and in some cases leave the store (i.e. advise you they need to run out to their car for a moment and not return). Ask the customer to provide the full postal code. A fraudster may have only memorized the first half of the postal code. If the customer cannot provide the full postal code, do not proceed.Consider implementing a waiting period (i.e. 24 hours).Hardware Upgrade / Add to ExistingDo not proceed with hardware upgrades or additional activations if the customer’s BAN/CTN is less than 30 days old as these accounts are usually fraudulent. Verify BAN tenure by reviewing the Customer Dashboard in SSP, and CTN tenure by selecting View Details under each CTN to establish the details of existing accounts.Do not proceed with hardware upgrade or additional activations if the authorized user’s tenure is less than 30 days old. Verify authorized user tenure by reviewing the Customer Dashboard in SSP. Call the Account Holder to confirm approval to proceed with upgrade or additional activation to their BAN. Only use the Account Holder’s contact information from SSP. Do not rely upon the person claiming to be authorized to provide you with the contact information AND do not be intimidated by their impatience. Remember that fraudsters tend to be in a hurry and often are assertive or rude. Check that the previous SIM/IMEI is in store, (i.e. call the CTN). Fraudsters will be quick to leave the store once they learn this is being validated.2813538128464003065584544635005368974515278Authorized Contact Tenure020000Authorized Contact Tenure54038504445BAN Tenure020000BAN Tenure92597733928600 50685709061450023837909061450054991043053000Note: Rogers’s HUP policy states that a minimum tenure of 30 days since initial activation or last hardware upgrade date is required for a HUP, and Transfer of Responsibility (TOR) does not reset tenure.Suspicion of FraudIf you suspect fraud while the person is in storeCall the Validation Line: 1-800-588-6718The Validation Team will ask you a series of questions over the phone, and will advise you on whether or not to proceed with the transactionIf you suspect fraud after completing an activationCall Fraud Management and leave a voicemail: 1-888-383-2080Provide the BAN, CTN, and reasons why you suspect fraudAvoid The Use of Tentative BANsFraudsters may have acquired information on an existing account in active or tentative status to perform a fraudulent transaction.To reduce exposure in this area, the following practices are strongly recommended:When processing an activation, always create a new BAN or add only to BANs that have “active” status in SSP. Adding CTNs to a tentative BAN should be avoided as they may have been manipulated for purposes of committing fraud. To verify whether a BAN is tentative, retrieve the BAN under “Customer Search” in SSP. The Status column will confirm whether the BAN is tentative or activeOnly active on a tentative BAN if your customer requires a credit override, cannot be completed same day, and is returning within 36 hours.528241820798700Protect Dealer Codes and use IDs within your storesInformation intended for store use only can be used to commit fraud if in the wrong hands. Credentials such as SSP user ID & Password or Dealer Codes are examples of information that fraudsters may attempt to use to their advantage.To avoid exposure associated with these credentials, the following practices are required:Do NOT share SSP user IDs. Each employee should have their own ID for accessing SSP.Guard SSP passwords. The system is currently only capable of authenticating the inputs of the user and will not know if the person keying in a user ID and password is not the owner of the ID.Do NOT disclose Dealer Code information beyond store employees.Perform User ID Audits and Password ResetsManaging user IDs and routinely managing passwords is a way to prevent fraudsters from targeting your stores.To minimize exposure in this category, the following best practices are recommended:Routinely reset passwords for SSP user IDsCentralize administration for SSP user IDs (i.e. limit who has the capability to issue IDs, reset passwords, etc.Include the cancelling of user IDs within the stores employee termination procedure (i.e. termination checklist)Routinely Audit User IDs and delete IDs not required Conduct Routine Procedural ReviewsIt is strongly recommended that stores hold quarterly reviews focused on fraud and loss prevention. Rogers will publish updates that stores may choose to leverage for these conversations.Review fraud prevention material on a quarterly basis and have staff sign off that the understand the materialCheck the references of every prospective employeeLimit to the number of employees who can authorize account or HUP cancellationsProperly dispose of paper that contains confidential information (i.e. customer info, store info, employee info)Place additional fraud prevention emphasis and monitoring on new employees and/or storesProtect AssetsBelow are some recommendations to help protect items such as valuable assets, networking equipment, servers, and equipment with customer information:Passage locks (including cipher locks) under key control with records of keys issued and regular inventory of keys, in combination with CCTV systems to monitor use of the keys and access to the environment.? Where CCTV is used, cameras are best installed in such a way as to provide a clearly identifiable image of an individual accessing and exiting the secured environment.? If the secured environment consists of a specific high-security cabinet that has been designated as a repository of sensitive or valuable equipment and/or network devices, the cabinet should be secured under its own key control process, and CCTV should be used to monitor access to the cabinet. Where CCTV is used, processes that govern access to the surveillance video and procedures by which the system is monitored should be implemented.Surveillance video should be available for a period of 90 days for investigative purposes.? CCTV systems should be reasonably protected from tampering.Card reader access controls systems (also known as Access Control Management Systems, or ACMS) with access configured to only those individuals with a requirement to regularly access the secured environment.? Where card reader systems are used, processes should be defined and in place which governs access to the administrative interfaces for enabling access.? Documented processes should be in place to disable access for individuals who no longer require access to the secured environment or no longer authorized. Documented processes should be in place to govern access by contractors or third parties under a visitor management program Card access system logs should be available for a period of 90 days for investigative purposes.? ACMS systems should be reasonably protected from tampering.Check Inventory ShipmentsPartial or entire shipments of inventory have been reported as stolen once they have been received. The package received does not contain devices (i.e. the packing slip has been swapped with another box), or devices are missing from the sealed box (i.e. the box has been opened, devices removed, and the box resealed). To minimize exposure in this category, the following best practices are recommended:Inspect boxes for any signs of tampering before signing and accepting the shipment.If there are any signs of tampering, do not accept the package (the package becomes the receiver’s responsibility once it is signed for).Invest in a scale to weigh the shipment to ensure that the weight reasonably resembles the weight of the expected hardware. # of iPhonesWeight11 lb54.5 lbs109 lbsFollowing the steps above are some of the ways you can safeguard your business.Fraud/Loss Prevention Summary – Top TipsThorough ID verification and entry Inspect all provided Customer ID for manipulation.Request and compare multiple pieces of ID (e.g. Virk Walters on DL, Kirk Walters on Credit card).Enter the government-issued ID into SSP. SSP ID ValidationIf a warning message appears (e.g. “Warning: Do Not Proceed with order, Do Not Change or resubmit order”), follow the instructions in the message and call the Rogers Validation team at 1-800-588-6718.Add to Existing & Hardware Upgrade TimelinesValidate how long the account has been activated before completing a hardware upgrade or add to existing account despite the credit and/or upgrade eligibility results, by checking Customer Profile (in SSP under Details in the Customer Dashboard). If the BAN or CTN activation date is within the past 60 days, do not proceed.Follow the procedures outlined in the Loss Prevention Best Practices document for accounts with a limited history.For hardware upgrades, check that the active SIM is in store, i.e. call the CTN.Authorized User Waiting PeriodContact RSG to verify the authorized user has been on the account for 60 days.If the authorized user has been on the account for less than 60 days, only account holders can perform Hardware Upgrades or Add a Line transactions.Review bulletin NDP 2013-07-68EN for full details.System User ID ManagementEnsure each employee has their own user IDs for SSP, POS systems, etc.Employees should not share their passcodes with fellow employees and/or their managers.Ensure all user IDs for all systems (SSP, RAP portal) are deleted/inactivated for all terminated employees.Asset SecurityEnsure storage rooms/cabinets containing devices remain locked at all times.Storage rooms/units should only be temporarily unlocked to retrieve devices for a transaction completed and immediately locked following the transaction.Where possible, keep devices in safes which also remain locked.Inspect and monitor cameras to ensure they are operational and placed in areas of risk. ................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download