Accepting Credit Cards Online...
There are a number of different ways that credit cards can be accepted online – information about the general options is available from www.electronic-payments.co.uk:
PSP - Automatic handling of payment transactions online by a Payment Services Provider (or PSP) – the customer is transferred to a secure website hosted by the PSP, but customised to the same look and feel as the business’s website. The transaction takes place and is validated on the spot. The customer receives an acknowledgement and control is returned to the business’s website with an indication of whether the card was accepted or declined.
- The most common type of PSP acts as a gateway and passes the completed transaction to an Acquiring Bank that is providing the Internet Merchant Account. Payment to the business then proceeds in the normal way.
- Certain PSPs can also provide a complete end-to-end service – they provide an Internet Merchant Account and will complete the transaction, settling net funds directly into the business’s bank account on a weekly or monthly basis.
SSL - Encryption of credit card details online, which are then sent to the business by e-mail – the business then validates the payment and enters it via a PDQ machine that is rented from the Acquiring Bank providing the Internet Merchant Account. Payment to the business then proceeds in the normal way.
- In order to accept credit card details online securely and encrypt them for transmission back to your office by e-mail, a special type of web space called SSL space is required in addition to the main website space. You will also need an email encryption facility.
Note that if you handle card details yourself, as would be the case with the SSL approach, then you will need to comply with PCI DSS (the Payment Card Industry Data Security Standard), which can be quite onerous. If you use a PSP, then you need to ensure that they comply. For more information about PCI DSS see the special feature in our February newsletter.
We can supply solutions for integrating PSP solutions or SSL space and email encryption. Our eCommerce solutions can be configured to integrate seamlessly with most major PSPs as well as work with SSL space.
SecureTrading was one of the first gateway PSPs to achieve full PCI DSS compliance. We use SecureTrading and we are a SecureTrading Partner, so if you would like to discuss switching to SecureTrading please contact us.
more details on Payment Solutions and Internet Merchant Accounts
Payment Card Industry Terminology...
Here are some of the more common terms that you will come across when dealing with the payment card industry...
| Term | Definition |
| --- | --- |
| 3-D Secure | Can be thought of as an online version of Chip & Pin. Verified by Visa and MasterCard SecureCode are the two versions currently in use. These systems invite cardholders to register when using a Visa or MasterCard to make a purchase on a website whose payment system supports 3-D Secure. Cardholders specify a user id and password. Once registered, if a card is used on a merchant site that supports 3-D Secure, an extra window pops up requesting the card holder to enter four randomly selected characters from their password. |
| Acquirer or Acquiring Bank | The providers of a merchant's Internet Merchant Account, e.g. Barclays Merchant Services, HBoS, Streamline, etc. The Acquirer settles the payments with the merchant. |
| Authentication | The process of validating the details entered by the card holder when using a Chip & Pin terminal or using 3-D Secure online. |
| Card-holder not present | Card transactions that take place without the physical presence of the card or the card holder on the merchant's premises - the card details are either entered online by the card holder or typed into a PDQ machine or Virtual PDQ by the merchant. |
| Card-holder present | Card transactions that take place when the card holder is physically present and the card can be inserted into a merchant's PDQ machine. |
| Chip & Pin | Facility for entering a four-digit PIN directly into a PDQ card terminal, used with card-holder present transactions to enhance the security of the transaction. |
| Issuer or Issuing Bank | The organisation that issues credit cards to consumers or businesses, e.g. Egg, Barclaycard, MBN, etc. |
| MasterCard SecureCode | See 3-D Secure above. |
| MOTO | Mail Order or Telephone Order. |
| PCI DSS | Payment Card Industry Data Security Standard - if you accept credit cards, then you need to comply - see our February newsletter. |
| PDQ | "Process Data Quickly" terminals, which process credit and debit card transactions over a 'phone line or wireless link. |
| PSP | Payment Services Provider that handles online credit card transactions securely and interfaces with a merchant's Acquirer, e.g. Protx, SecureTrading, etc. |
| SSL | Secure Sockets Layer - a method of providing secure encrypted Internet transactions - website addresses start with HTTPS instead of HTTP - you should also see a golden padlock displayed in the browser. |
| Verified by Visa | See 3-D Secure above. |
| Virtual Terminal or Virtual PDQ | A secure online web page provided by a Payment Services Provider to enable a merchant to enter card details manually as an alternative to using a physical PDQ machine. |
If you have any questions, then contact us
Liability for Online Credit Card Fraud...
Last month we talked about the importance for online merchants of signing up to 3-D Secure to avoid being liable for the cost of credit card fraud. However, this has raised a number of questions about the exact circumstances in which merchants are held liable and when they are not liable.
Traditionally, merchants have been liable for e-commerce chargebacks due to fraud when a transaction is disputed by the card holder. So in the event of a fraudulent transaction, the card holder would get a refund and the payment would have been charged back from the merchant.
3-D Secure brings the benefit of liability shift. This means that the liability for the chargeback loss shifts from the merchant to the Issuer for e-commerce transactions that are deemed fraudulent (i.e. those transactions where the cardholder has denied involvement in the transaction). The issuing bank, in most cases, is no longer allowed to pass such chargebacks back to the merchant.
Liability shift is dependent on various factors, such as the type of card (personal or commercial), the authentication result, as well as the card issuing and merchant countries. For example, with transactions involving personal cards Visa and MasterCard offer global protection for non-enrolled cardholders/issuing banks.
It is a complex area and merchants really need to check with their Acquirer to be certain. However, we have set out the liabilities as we currently understand them below:
3-D Secure only applies to Visa, MasterCard & Maestro - other types of card are not covered.
A merchant that is enrolled in 3-D Secure is generally not liable if:
- Cardholder Authenticated - (i.e. the card is registered for 3-D Secure and the password was entered correctly by the card holder). The card Issuer becomes responsible for the chargeback for Visa, MasterCard and Maestro.
- Cardholder/Issuer not Enrolled for Authentication (or card holder opts out of registration during checkout) - Because full enrolment is not yet universal, Visa and MasterCard offer global protection for personal cards where authentication has been attempted even if the issuing bank is not participating or the cardholder is not enrolled in 3-D Secure. However, Commercial cards are only covered if issued in the EU, while Maestro only offers protection for personal cards issued in the UK.
- Cardholder Authentication System not available and card is Personal MasterCard (issued anywhere) or is a Commercial MasterCard issued in the EU, or is a Maestro card issued in the UK
Merchants enrolled in 3-D Secure are liable when:
- Cardholder Authentication System not available and card is Visa (issued anywhere) or Maestro issued outside the UK, or is a Commercial MasterCard issued outside the EU
- Cardholder Authentication fails but the merchant accepts the transaction (i.e. authentication was attempted, but failed).
- All other circumstances!
Merchants not enrolled in 3-D Secure are always liable.
Note 1: If the brand is Visa and either the enrolled or status indicators are returned as Unknown, this means that the merchant is not covered by the 3-D Secure scheme. In this case the merchant is still liable for any fraudulent transactions.
Note 2: There are some cases where the liability is not covered by the Card Issuer; for example non-European commercial cards under both brands. For more information please contact your acquirer.
Note 3: Even if a transaction meets the criteria, the issuing banks can still charge back for other reasons, such as non-delivery of goods or faulty goods.
From the 1st July 2008, MasterCard and Visa are mandating 3-D Secure, preventing Merchants from accepting Maestro (formerly Switch) payments online legitimately after this time. Without 3-D Secure, Merchants will be breaking card scheme rules and could be liable to pay heavy fines.
All of this means that you need to be very careful when you check the responses to online card authorisations. It is good practice to set up a default delay before transactions are captured for settlement, so that you have time to validate the transaction and reject it if it fails the criteria (or if your normal checks on the order show it to be suspicious).
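The liability lists above can be written as a single check to run during the pre-capture delay. This is an added example, not code from WISE or from any PSP: the field names and status strings are hypothetical, UK-issued cards are assumed to count as EU-issued, and the bullets are applied literally, so the Note 2 exception still needs confirming with your Acquirer.

```python
from dataclasses import dataclass

SCHEME_BRANDS = {"visa", "mastercard", "maestro"}  # only these are covered

@dataclass
class Txn:
    # Hypothetical fields; map your PSP's own response values onto them.
    ref: str
    brand: str        # "visa", "mastercard", "maestro" or "other"
    commercial: bool  # False means a personal card
    region: str       # issued in "UK", "EU" (rest of the EU) or "OTHER"
    auth: str         # authenticated / attempted / unavailable / failed / unknown

def merchant_liable(t, merchant_enrolled=True):
    """True if, per the lists above, a fraud chargeback stays with the merchant."""
    in_eu = t.region in ("UK", "EU")  # assumption: UK-issued counts as EU-issued
    if not merchant_enrolled or t.brand not in SCHEME_BRANDS:
        return True
    if t.auth == "authenticated":
        # Applied literally; Note 2 (non-European commercial cards) may override.
        return False
    if t.auth == "attempted":  # cardholder or issuer not enrolled, or opted out
        if t.brand == "maestro":
            return t.commercial or t.region != "UK"
        return t.commercial and not in_eu
    if t.auth == "unavailable":  # authentication system not available
        if t.brand == "mastercard":
            return t.commercial and not in_eu
        return not (t.brand == "maestro" and t.region == "UK")
    return True  # failed, unknown (Note 1) and all other circumstances

def hold_list(txns, merchant_enrolled=True):
    """References to validate or reject during the pre-capture delay."""
    return [t.ref for t in txns if merchant_liable(t, merchant_enrolled)]

# Constructed sample transactions, not real data.
SAMPLE = [
    Txn("A1", "visa", False, "OTHER", "authenticated"),
    Txn("A2", "visa", False, "UK", "unavailable"),
    Txn("A3", "mastercard", True, "OTHER", "attempted"),
    Txn("A4", "maestro", False, "UK", "attempted"),
    Txn("A5", "mastercard", False, "OTHER", "unavailable"),
    Txn("A6", "visa", False, "UK", "unknown"),
    Txn("A7", "other", False, "UK", "authenticated"),
    Txn("A8", "maestro", False, "EU", "unavailable"),
]

if __name__ == "__main__":
    print(hold_list(SAMPLE))
```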
Of course, it would be very difficult for small businesses to implement 3-D Secure themselves to a standard that would meet card industry requirements. So if you are not already using an online Payment Services Provider that provides 3-D Secure, you really need to think about moving to one that does.
We are a SecureTrading Partner, so if you would like to discuss switching to a fully compliant supplier using 3-D Secure, please contact us.
Contact us if you would like any further information about the items in this newsletter.
Please let us have any feedback you might have, and also let us know if there are any articles you would like to see covered in future issues by sending an email to sales@wise.co.uk.
Best regards,
Tim Weaver
Weaver Information Services (Europe) Limited trading as WISE.CO.UK,
Telephone +44 (0) 1438 453013. Email info@wise.co.uk
Registered office 11 Watton Road, Knebworth SG3 6AH.
Registered in England no. 2618391. VAT registration GB 573 1139 51.