One step ahead of credit card crooks

MrWireless

Well-Known Member
Joined
Jun 24, 2006
Messages
328
Erm....

Their system is already outdated. M-Web safeshop developed the exact same thing years ago!

The latest and by far the most secure:

http://www.standardbank.co.za/SBIC/Frontdoor_02_02/0,2454,3447_16749801_0,00.html

PIN numbers can now be assigned to your credit card (Mastercard and Visa), which are needed each and every time you buy online from stores supporting this system. All the stores I buy from require it now. It means that a store cannot now be "charge backed" and the risk now moves to the issuing bank!

Good move by the banks...
 

PeterP

Member
Joined
May 15, 2007
Messages
15
"It means that a store cannot now be "charge backed" and the risk now moves to the issuing bank!"

Yes - that's how it is supposed to work - we implemented the system on our site but cannot get the bank to confirm the supposed liability shift in writing (not sure if any of the banks do yet) - so we are still with the outdated merchant agreement which puts entire liability on us as merchant.

We phoned around to all the banks to ask for their 3D merchant agreements so we could make an informed decision on which provided the best system - guess how many we received....ZERO.

One bank insisted we move our account to them and apply to be a merchant before they would show us their standard agreement....
 

Ap0c

ParcelNinja CEO Justin Drennan
Company Rep
Joined
Aug 15, 2005
Messages
759
PeterP is telling the truth, it's not such a simple task to just implement 3D Secure etc. Once you implement the 3D Secure technology, you can watch your sales numbers drop as most people don't know their PIN numbers etc.

This is a slightly different approach, by handling all the risks internally.
 

paoloc

Active Member
Joined
Jul 27, 2007
Messages
33
Account hijacking

Erm....
PIN numbers can now be assigned to your credit card (Mastercard and Visa), which are needed each and every time you buy online from stores supporting this system.

As good a thing as that is, we're already getting chargebacks from transactions authenticated in this way, meaning that the fraudsters know the PIN. This is almost certainly the result of insecure workstations being compromised, or credit card owners transacting from Internet cafes and having their credentials sniffed. I predict that this will become prevalent enough that the banks/credit card companies will not end up taking responsibility, and the merchants will again have to take the knock.

Paolo
 

PeterP

Member
Joined
May 15, 2007
Messages
15
Your bank should not chargeback a fully authenticated transaction with PIN - if they do, they are breaking their 3D agreement with Visa/Mastercard.....what does your own merchant agreement state? Or is your merchant agreement the same as ours which states nothing about 3D and therefore theoretically allowing the bank to break their own agreements with card issuers.

If this doesn't get sorted out then this system will collapse.....
 

Veroland

Executive Member
Joined
Aug 24, 2005
Messages
6,072
PeterP is telling the truth, it's not such a simple task to just implement 3D Secure etc. Once you implement the 3D Secure technology, you can watch your sales numbers drop as most people don't know their PIN numbers etc.

This is a slightly different approach, by handling all the risks internally.

Not really, once the client enters his/her credit card number the "payment page" or gateway needs to do a lookup through to Visa or Mastercard to see if that specific card is enrolled in the V by V or SecureCode program. If not, the site continues with the normal payment, else the client's browser needs to be redirected to either Visa or Mastercard to enter the PIN/password that the client selected.

Some of the theory behind this is that the merchant site must never be able to log the PIN/Password of the cardholder as that verification transaction does not pass through their servers.

And yes, if a bank is certified in VbV and SecureCode the financial risk does move to the bank. It's been a while since I was last involved with this but it was the bank's prerogative to trust the merchant site "payment page" or not.
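
The lookup-then-redirect flow described in the post above, as an added example that is not part of the original thread: a simplified Python model showing that the merchant's servers only ever see the issuer's signed result, never the cardholder's password. All names, the card number, the password and the key are constructed, and an HMAC stands in for the issuer's signature.

```python
import hashlib
import hmac

# All values below are constructed for illustration.
ISSUER_KEY = b"constructed-issuer-key"          # held by issuer/scheme, never by the merchant
ENROLLED = {"4000000000000002": b"s3cret-pw"}   # card number -> cardholder password

def _sign(order_id, last4, status):
    msg = f"{order_id}|{last4}|{status}".encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()

def directory_lookup(pan):
    """Card scheme directory: is this card enrolled in the programme?"""
    return pan in ENROLLED

def issuer_authenticate(pan, order_id, password):
    """Runs on the issuer's page after the redirect; returns a signed result."""
    ok = hmac.compare_digest(ENROLLED.get(pan, b""), password)
    status = "Y" if ok else "N"
    return {"order_id": order_id, "last4": pan[-4:], "status": status,
            "sig": _sign(order_id, pan[-4:], status)}

def scheme_verify(result):
    """Acquirer/scheme side: accept only an untampered, successful result."""
    expected = _sign(result["order_id"], result["last4"], result["status"])
    return hmac.compare_digest(expected, result["sig"]) and result["status"] == "Y"

class Browser:
    """The cardholder's browser: the only party that carries the password."""
    def __init__(self, password):
        self._password = password
    def redirect_to_issuer(self, pan, order_id):
        return issuer_authenticate(pan, order_id, self._password)

class Merchant:
    def __init__(self):
        self.log = []  # everything the merchant's servers ever see
    def checkout(self, pan, order_id, browser):
        self.log.append(("order", order_id, pan[-4:]))
        if not directory_lookup(pan):
            return {"order_id": order_id, "authenticated": False}  # normal payment
        result = browser.redirect_to_issuer(pan, order_id)  # password typed at issuer
        self.log.append(("issuer_result", result))
        return {"order_id": order_id, "authenticated": scheme_verify(result)}
```

In this model anyone who presents the correct password is authenticated, however they obtained it, which is the failure mode reported earlier in the thread for compromised workstations and Internet cafes.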
 

paoloc

Active Member
Joined
Jul 27, 2007
Messages
33
Your bank should not chargeback a fully authenticated transaction with PIN - if they do, they are breaking their 3D agreement with Visa/Mastercard.....what does your own merchant agreement state? Or is your merchant agreement the same as ours which states nothing about 3D and therefore theoretically allowing the bank to break their own agreements with card issuers.

If this doesn't get sorted out then this system will collapse.....

Hmm, I see I was wrong - we did have fraudulent authenticated transactions, but we refunded them before they could potentially become chargebacks. I'll try to dispute them next time, if a chargeback results.

Our merchant agreement: not accessible right now.

This Visa document seems to imply that liability shift is already active for CEMEA: https://partnernetwork.visa.com/vpn/global/retrieve_document.do?documentRetrievalId=32
 

Veroland

Executive Member
Joined
Aug 24, 2005
Messages
6,072
Our merchant agreement: not accessible right now.

Well, as far as I know, if the bank is certified for V by V and 3D, if fraudulent transactions do occur it becomes the bank's liability and not the merchant's. The key being certified!
 