How to stop card fraud

Kevin Lancaster

MyBroadband Editor

Card fraud has become as commonplace in South Africa as load shedding and, according to the SA Banking Risk Information Centre, losses due to fraud have increased by 23%
 
LOL this seems like a marketing punt for PayU

Not that there is anything wrong about the facts of 3DSecure. 3DSecure is sloppy and not consumer friendly. The merchants hate it, as it causes drop offs on their baskets.
 
Sure thing. Like most merchants would have processed transactions on Friday for 2 hours without 3d-secure, as BankServ suffered a massive outage. No-one mentions this or knows about it of course. 3d-secure is the biggest piece of junk and it is beyond logical understanding how Mastercard/Visa can come up with such a cocked up solution and how local banks give into it, where hardly anyone else (read: US) uses it.

For what it's worth, when people say that all cards are enrolled, this is also nonsense, as there are many cases where cards are enrolled but not activated (so 3d secure will work, but the issuer will reject the transaction).

FWIW - most credit fraud is originating from within banks and is especially prevalent from those "pseudo" credit-cards where the cards are not enrolled into 3d secure (those are some special savings cards, but can transact online and via card-not-present transactions). As an insider, you will know how politics fly between merchants, issuers and acquirers and it is honestly shocking to see how banks, payment gateways and switching infrastructure operate. All the PCI compliance is white-wash as none of them actually have proper controls in place (i.e. a switching gateway will crash with a database corruption, and we would know about it before the actual support staff - that should make you think).
 
I agree with it being not consumer friendly. I think Investec has the most progressive implementation (USSD session pushed to your phone and then fall-back to web). It's fascinating that BankServ is incapable of implementing a mobile friendly version (never mind providing a proper mobile native API or at least webservices).

With regards to drop-off, I don't think this is the case (at least we do not see it, and we have had it running since 2013). For what it's worth credit card fraud was always isolated incidents for us and most chargebacks actually result from the wife/husband/kid annexing a card and going a bit crazy in shopping. 3d secure will not stop card fraud. We do see a latency in payment completion which is caused by OTPs arriving late - we had several cases where users received their OTP hours after requesting it which obviously can result in churn (but thankfully in our case, users seem to be sticky and push the payment through when they can - I guess, an advantage compared to other e-commerce players, where you can place an order without having to complete payment first).
 
Yeh - PCI is just a money making scheme....

Surely the banks can come up with a more secure way for the consumer to authorise card-not-present transactions.... :whistling:
 
I've heard about an airline that was an early adopter of 3DSecure, and saw a massive drop off. They went to PASA to say "If we have to implement it, everyone (in the same industry) must implement it on the same day"
 
But also remember, many of the guys who sat in those PASA meetings in 2013 complained for all the wrong reasons. Half of them could not implement 3d secure properly in the first place (not really their fault, as the implementation is half-baked) and the other half didn't even have the basic fraud mechanisms in place and some of the guys were running 20-30% charge-backs (most were not fraud-related, but as you know, if you have a charge-back rate that high, your acquirer will send you nice letters).
 
20% is massive. We've had a bank complain about 5%, which is big in any case. Probably depends on trx values. 20% on a little, is even less :p
 
No, those are big e-commerce players in SA. So volumes and transactional values were high. Obviously not even the banks will disclose charge-back and fraud rates.
 
I thought I would highlight today's case of how 3d secure fails. For a period of time today Visa card transactions would have either failed processing online (if the merchant implemented it properly) or would have just gone through without 3d-secure enforced.

To understand how this happens, perhaps some background on how a 3d secure transaction typically happens:
1. Once you capture your card details on a merchant platform, the merchant system will call a BankServ webservice which will determine the 3d secure enrolment status.
2. The enrolment status is quite simple: "Y"-enrolled, "N"-not enrolled. But wait, there is also a "funky" "A" status which can mean that the BIN-range is enrolled, but the specific card number is not.
3. If a card is enrolled via 3d-secure, the merchant would then call a specific BankServ URL, which would then show you that nasty 3d-secure screen where you enter your mobile number/email for OTP (this is all bank-specific and varies).
4. Once the consumer submits his secret code/OTP via BankServ, BankServ then redirects to the merchant with a result-token.
5. The merchant then takes the result-token and calls a webservice to get the actual result.
6. Based on the result (authenticated/not authenticated), the merchant will then call the payment gateway and pass along 3d secure information (such as transaction id, merchant reference etc).

So today the issuer system for Visa was slow to query the enrolment status (step 1) and BankServ returned an "N" for all Visa cards due to technical timeouts. Remember "N" means "STOP, card not enrolled". And now you get 2 types of merchants:
- The ones which will push the transaction through as a non-3d secure transaction (some label it as a "mobile" transaction as there is still some exemption where 3d secure does not apply)
- The ones which will decline the transaction - bad for business and inconvenient for customer (the majority of the big players never do this)

As a consumer you will never hear about those issues and you will actually never run into those types of problems, as most platforms do not process transactions properly. For what it's worth, the above "timeout" issue shifts the liability from the merchant to the bank. So this answers your question of "How could they have banked the transaction without me authenticating it via 3d-secure".

For the consumer: The bank, BankServ and the payment-gateway all have access to detailed transactional data and will be able to identify how a transaction was performed. In the above "N" scenario however, it is not very transparent as on the surface the bank will come after the merchant with a charge-back as the transaction was not 3d-secure, although the issuer/BankServ will shift liability. So all in all, a huge mess.
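The six-step flow and the "N on timeout" failure above, as an added example that is not part of the original post: a simplified Python model of the merchant side, with constructed directory and ACS responses (not BankServ's or any gateway's API). The BINs, PANs and the slow-lookup threshold are assumptions; the point it adds is that a merchant should keep its own audit trail of the enrolment response and its latency, so a slow "N" from an outage can be told apart from a clean "not enrolled" when a chargeback is later disputed.

```python
"""Simplified model of the merchant side of the 3-D Secure flow described
in the post: enrolment lookup, authentication, result lookup, then the
call to the payment gateway.  Hypothetical, self-contained model (not
BankServ's or any gateway's API); all responses are constructed in memory."""
from dataclasses import dataclass, field

SLOW_LOOKUP_MS = 5000  # assumed threshold: slower lookups are flagged as suspect

# Constructed directory responses keyed by card BIN: (enrolment status, elapsed ms).
# The last entry models the post's outage: the issuer times out and the
# directory still answers "N", only much later than usual.
DIRECTORY = {
    "411111": ("Y", 120),
    "422222": ("N", 110),
    "433333": ("A", 130),
    "444444": ("N", 9000),
}

# Constructed ACS (issuer) answers for the OTP step, keyed by PAN.
ACS_RESULTS = {"4111111111111111": "authenticated"}


@dataclass
class Outcome:
    authorised: bool
    path: str                      # branch the merchant took
    audit: list = field(default_factory=list)


def lookup_enrolment(pan: str):
    """Step 1: enrolment status for the card's BIN, plus lookup latency."""
    return DIRECTORY.get(pan[:6], ("N", 100))


def authenticate(pan: str) -> str:
    """Steps 3-5: ACS redirect, result token and result lookup, collapsed into one call."""
    return ACS_RESULTS.get(pan, "not_authenticated")


def process_payment(pan: str, allow_non_3ds: bool) -> Outcome:
    """Run the flow and keep an audit trail the merchant can produce in a dispute."""
    status, elapsed = lookup_enrolment(pan)
    audit = [f"enrolment={status} elapsed_ms={elapsed}"]
    if status == "N" and elapsed > SLOW_LOOKUP_MS:
        # A slow "N" during an outage is not the same as a clean "not enrolled".
        audit.append("suspect: N returned after slow lookup, keep raw response")
    if status == "Y":
        result = authenticate(pan)
        audit.append(f"acs={result}")
        if result != "authenticated":
            return Outcome(False, "3ds_failed", audit)
        # Step 6: the gateway call carries the 3DS data (transaction id, merchant ref).
        return Outcome(True, "3ds_authenticated", audit)
    # "N" or "A": the post's two kinds of merchant, decided by policy.
    if not allow_non_3ds:
        return Outcome(False, "declined_not_enrolled", audit)
    return Outcome(True, "non_3ds_fallback", audit)
```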
 
Good post.
 
What about credit cards which are not enrolled in 3DSecure but still return a successful response? I have a card which will fail at a particular offshore processor (Mitsubishi Bank): if the BankServ OTP is not entered within the prescribed time, the transaction is refused; yet another card returns a BankServ approval despite not requiring an OTP entry using the same processor.
 
Curious how this will also affect local PayPal transactions. PayPal does not do 3D secure....
 
Use 3D secure everywhere (merchants and customers) and don't be stupid enough to give out your personal information. Simple.

Edit: This applies mostly to online cc fraud though...
 
I'd love to see extensive use of 3dSecure...the fact that they combined it with a shift of liability to the consumer leaves a bad taste in my mouth though. Cheap ploy...

Anyway...I see the UK banks are issuing cards without mag stripes...and cashiers refuse to touch your card...SA could copy some of that
 
They should use 3D secure like the banks in the UK do. When you open an account you choose a 3D secure password and when you buy (online) it asks for that password, but only certain parts of it, eg. "Enter the fourth, fifth, and ninth character of your 3D secure password". It will make it more secure than using OTP I think. If someone steals your purse with your phone and cards in, they're ready to go! The only way to reset this password if you forget it is mostly by security questions. Mother's maiden name, social security number, your house ZIP code, name of first child, etc...

Also, does anyone know if SA banks make use of AVS? (Address verification system)
Basically it checks if the address you entered as the billing address when checking out is the same as what the banks have on record; if it isn't, the transaction automatically gets declined. However, I know that certain banks overseas don't use this and a fraudster can use any address and have an item shipped there and buy it using a stolen credit card or stolen credit card info.
 
They should use 3D secure like the banks in the UK do. When you open an account you choose a 3D secure password and when you buy (online) it asks for that password
Been through that recently...found the UK banking system thoroughly tedious. Some good security ideas sure...but man I miss SA private banking.

>>Also, does anyone know if SA banks make use of AVS? (Address verification system)

They do. Recent thread had an argument about it. It's definitely active on at least some of the cards (I had transactions fail with AVS errors) - afaik it's active on all the SA cards...but only enforced if the seller has it activated on their side.
 
Quite informative
 
3DSecure is only for online cc purchases. You can't 3DSecure at your local Pick n Pay.
 