Online transactions are anonymous and, therefore, appealing to fraudsters – the cardholder and the card are absent; the chip cannot be read; physical card features cannot be examined; and the behaviour of the cardholder cannot be observed.

When the card-issuing bank approves an authorisation request, it indicates that the account exists and is in good standing (i.e. that the card has not been reported lost or stolen, and that the account is not closed) and that the cardholder has sufficient funds in the account to make the purchase at the time the authorisation request is made. However, an authorisation does not authenticate the cardholder or verify the card; it does not guarantee that the genuine cardholder participated in the transaction.

General Security Information (what VCS is required to do)

As a payment gateway, Virtual Card Services does not and cannot verify, authorise or settle any transaction. Virtual Card Services provides the conduit (the messenger) for information between the merchant and the merchant’s bank. Virtual Card Services performs exactly the same functions that the ‘speedpoint/swipe device’ does in a retail environment. VCS is the speedpoint/swipe device for online transactions.

Virtual Card Services has limitations or restrictions, and it is the bank’s responsibility to approve or decline the transactions VCS passes to it.

Information security is critical to our business. VCS protects the security of information during transmission by using 128-bit Secure Sockets Layer (SSL) encryption. The VCS servers are certified by Thawte, a public Certificate Authority, assuring the cardholder and the merchant that nobody can impersonate VCS to obtain confidential information. The number of employees involved in the management of the VCS data centre who have physical access to the production servers is limited. VCS uses firewalls and other security technology to prevent access by unauthorised persons and to protect against disclosure, alteration or destruction. VCS continually reviews and enhances its security systems in line with technological changes.

The merchant is never permitted access to the cardholder’s card details held on the VCS system. Even so, it is extremely important that merchants protect against unauthorised access to their Virtual Terminal login ID and password. The merchant can assign different security access levels to his terminal users. Virtual Terminal’s Personal Authentication Message is a security feature that confirms to the terminal user that he’s connected to the real Virtual Terminal. Additional security features to prevent parameters from being modified and security alerts to block fraudsters are available to the merchant at no extra cost, i.e. the MD5 hash feature.

Using the “Virtual Terminal” security alert configuration, merchants using the VCS secure payment page can block persistent attacks by particular fraudsters. The merchant can select from a range of security alerts and apply them to their payment facility. Users with access to more than one terminal can Copy Alerts from one terminal to another.

An additional security measure is for merchants to opt for payments from local cards only, thus blocking foreign card transactions. The bulk of fraud attempts stems from foreign cards.

MasterCard/Visa International – 3DSecure

3DSecure is a security protocol implemented by MasterCard/Visa International. The principle behind 3DSecure is that the system should authenticate the cardholder, and therefore their eligibility to use a card, before processing a transaction – if successful, there is a liability shift away from the merchant and their bank to the cardholder and their bank, thus protecting the merchant against fraudsters.

3DSecure is a bank requirement for all eCommerce merchants, and the bank registers the merchants with MasterCard/Visa International. 3DSecure is only active for cards issued by MasterCard and Visa members. There are exclusions, e.g. business cards and private label cards. We have no indication as to when Amex and Diners will come on board.

Bank Security Information (what the bank will do)

The bank carries out its own security checks on transactions presented for authorisation and settlement. These include checks for lost cards, stolen cards, attempted fraud, hot cards etc. The verification, authorisation and settlement are handled between the merchant’s bank and the cardholder’s bank (and not by VCS).

Merchant responsibility (what the merchant must do)

The merchant has certain responsibilities, which include carrying out their own security checks. When delivering, the merchant should ensure that the recipient actually resides at the delivery address (for follow-up in case of fraud), establish who will sign for the delivery, and check that the actual credit card used is in the recipient’s possession. The merchant should also familiarise themselves with the Terms & Conditions under which they acquired a merchant facility from their bank. These are normal card processing rules and requirements and are not dependent on the method of processing. The method of processing refers to speedpoint/swipe device or VCS.

Some tips

You are not obliged to deliver. If you are uncomfortable, ask for a copy of the front/back of the card, proof of ID and proof of residence.

The delivery person or the store staff should insist on seeing the physical card when delivering.

They must ask the cardholder to sign the receipt and check that the signature matches the signature on the back of the card.

Don’t deliver to suspicious areas.

Don’t be forced into quick delivery by persistent phone calls demanding delivery.

Never ever refund to a bank account. Only refund to the original transaction.