Increased level of security planned for eCommerce
The future of online payment processing is coming under significant debate, both nationally and internationally. In the UK fundamental changes are happening. The major clearing banks are attempting to make online banking and credit / debit card clearance significantly more secure. This is both to reduce the current levels of fraud but also to give normal customers the confidence to spend more money online.
In order for online retailers to process Maestro cards from 1st July, 2007 all merchants will be required to be “3-D Secure enabled”. Inevitably this change will cause teething troubles.
For those of you not yet fully aware of “3-D Secure”, the process is actually quite simple; as part of the website checkout process, at the point when you seek to authorise payment from the customer's payment card, the customer is taken to a pin / password entry screen. This screen is hosted on their own card issuer’s servers. The customer will then need to enter the correct password (like a PIN number). If the wrong password is entered then the transaction will be rejected and the merchant will not get the authorisation of the order. However, if the password is correct the customer will be returned to the shopping site to finish their transaction.
While this promises a reduction in the level of charge-backs levied against suspect transactions, online retailers need to make sure that their sites will be compliant by 1 July.
In order for online retailers to process Maestro cards from 1st July, 2007 all merchants will be required to be “3-D Secure enabled”. Inevitably this change will cause teething troubles.
For those of you not yet fully aware of “3-D Secure”, the process is actually quite simple; as part of the website checkout process, at the point when you seek to authorise payment from the customer's payment card, the customer is taken to a pin / password entry screen. This screen is hosted on their own card issuer’s servers. The customer will then need to enter the correct password (like a PIN number). If the wrong password is entered then the transaction will be rejected and the merchant will not get the authorisation of the order. However, if the password is correct the customer will be returned to the shopping site to finish their transaction.
While this promises a reduction in the level of charge-backs levied against suspect transactions, online retailers need to make sure that their sites will be compliant by 1 July.
posted by John Diffenthal at 9:48 pm
2 Comments:
There is actually a much more serious problem looming for anyone who carries out payment card transactions of any sort - Visa, Mastercard, Diners Club, American Express, etc. From the same date the Payment Card Industry (PCI) security standards come into force in the UK which can result in significant fines being imposed on anyone who is found to operating a system that is not PCI compliant and particularly if it can be proved that they are responsible for a security breach. The rules apply to any business but are particularly applicable to companies making high volumes of transactions. To be compliant it is necessary to have the whole system professionally tested for vulnerablities by one of the few organisations that have PCI accreditation. This is all about the Card issuers shifting the responsibility for charge backs to the merchant which was also the reason banks introduced for Chip & PIN authentication. In a lot of cases where companies use a third party payment card service they may be covered under their compliance audit - but worth checking out.
What's interesting to me is that a system - 3-D Secure - which is touted as reducing the level of charge-backs to merchants is causing a great deal of confusion.
One forum post that I saw was complaining that transactions that had been offered to them as green flagged (after a 3-D Secure password had been submitted by the buyer) were subsequently subject to charge-back. Now, it may be that there is more in the story that the poster didn't share, but prima facie, that doesn't sound as though it is reducing the level of charge-backs.
I would have expected that in a transaction where the password was authenticated on the Bank's own servers that the sole reason for a charge-back would be the non-delivery of the product or service.
Post a Comment
<< Home