Tomcat


What is Internet payment?


Oddly enough, in the terminology of payment systems there is no such thing as an Internet transaction. From the point of view of Visa and MasterCard, a transaction on the Internet is no different from a transaction in a terminal, by phone, IVR, etc. Payment systems view the Internet only as a transaction environment. And this introduces some confusion when the cardholder communicates with the bank that issued the card (issuer). The call center employee’s statement that your card is open for online payments, just like the statement that it is closed, may not be true.

I think many of you who regularly use cards have encountered a situation where the card seems to be open for online payments, but payments on some sites do not go through. The opposite situation is also possible, when the issuer does not indicate in the contract for opening a card that payment can be made online, but payment on some sites may still go through. This all has to do with the types of transactions that are allowed on the issuer side. The type of transaction depends on the parameters involved in authorization (CVV2, magnetic stripe, PIN, 3DSecure password, chip, cardholder address, etc.) and on the type of terminal (traditional POS terminal, e-commerce merchant, Mail/Phone order, ATM). You see, there is no such property that would indicate the transaction environment, in particular the Internet. So, for example, for security purposes, the issuer can allow only e-commerce type transactions with CVV2 input to be authorized, while some sites do not request CVV2 and form the transaction as a Mail/Phone order. In the latter case, payment will not go through. Or the issuer may prohibit e-commerce, but forget to prohibit Mail/Phone order, then payment in some online merchants will be allowed. Therefore, the only person who can be completely sure whether a payment will go through or not under certain conditions is perhaps an employee of the processing center who sees the settings of the authorization software in front of him, and even then not always.

Culture of using personal cards


In view of the above, you should always be careful with your salary, credit, business/corporate or any other card that has available funds. First of all, I would recommend not using these cards on the Internet, despite the convenience (there is always an available amount, as a rule, many types of transactions are allowed). Also, do not show the card number and the back side with CVV2 in queues at terminals (you can even erase the CVV2 with a blade or other improvised means) and do not let the card out of sight when handing it to the cashier/waiter/other staff. In some cases, the amount may be debited from the card even without entering CVV2. That is, an attacker will only need to spy on your card number and expiration date to make a payment online. To pay online, it is best to get a separate Internet card, or use an existing debit card, constantly monitoring the available balance on it (for example, by activating the SMS notification service). Also, if the issuing bank provides such a service, it is advisable to set an individual limit for online payments on the card.

Means of protection


In addition to following the advice given above, one of the means of card protection, now technical, is the 3DSecure protocol (Verified by Visa program for the Visa payment system and MasterCard SecureCode for MasterCard).
Despite attempts by payment systems to promote the 3DSecure protocol, banks in the CIS are in no hurry to master it and are still inventing their own methods of protection against fraud. Why does this happen and what is the 3DSecure protocol?
In short, 3DSecure is a protocol of the Visa and MasterCard payment systems, which allows you to additionally authenticate the cardholder by redirecting him to the website of the issuing bank during an online purchase. At the same time, the issuing bank checks the password entered by the cardholder and gives an answer about consent or refusal to carry out the transaction.
It would seem obvious that the main goal of the 3DSecure protocol is to protect the cardholder from unauthorized use of his card. But in fact, this only works fully if both the acquiring bank and the issuing bank support the protocol. That is, if a fraudster tries to pay with your card connected to 3DSecure at a point of sale that does not support it, the protection will not work. Since most merchants in the CIS still do not support the 3DSecure protocol, or support it only in words, there is little benefit to the cardholder from such protection. In the event of unauthorized use of a secured card at a merchant that does not support 3DSecure, liability for fraud falls on the bank servicing the merchant. Although in this case the cardholder can fully count on a refund, this is little consolation, knowing what the red tape with a claim in our banks is fraught with.
Thus, the main advantage of 3DSecure at this stage of development of e-commerce in the CIS countries is the transfer of responsibility to the bank servicing the retail outlet.

Bottom line


Let's summarize how to protect yourself from the actions of scammers (after all, people already follow simple rules for not infecting a computer with viruses or not letting a thief into an apartment, and there is nothing burdensome in following the rules for using cards):
- do not flash your card in public places
- do not lose sight of the card when paying for goods and services
- pay on the Internet only with cards that you have specifically opened for this purpose
- monitor the balances on the cards (preferably via SMS notification)
- set an individual limit for Internet payments on the Internet card
- connect the card to the 3DSecure protocol
- enter card data only on trusted sites, preferably with the Verified by Visa and MasterCard SecureCode logos
- do not transfer card data to a third party (even relatives and friends)

Despite the seemingly deplorable situation with the protection of payment cards on the Internet, it's not that bad. The Visa and MasterCard payment systems establish uniform rules for handling claims, which usually protect the cardholder, and guarantee a refund in case of fraud, if there was no compromise and transfer of data to a third party. Although this does not always work in our “legal” state, it is a significant advantage compared to non-refundable local virtual payment systems. In addition, payment cards on the Internet are widely used all over the world and for us it is only a matter of time and speed of development of the culture of non-cash payments. Just a couple of years ago, a person paying with a card at a store terminal would cause indignation among those standing in line, but today only small stores in the outback do not have terminals. Therefore, who, if not you and me, the most active part of the Internet community, can direct the development of e-commerce in the right direction. Don’t be afraid to experiment, pay online and connect card payments to your merchants/startups. Maybe it will be convenient and cheap :)
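
The point made under "What is Internet payment?", that the issuer decides by terminal type and authorization parameters rather than by "Internet", can be modelled as below. This is an added example, not part of the original post and not any processor's real configuration format; `IssuerPolicy`, `AuthRequest`, `cnp_gaps` and the parameter names are hypothetical, and the two merchants are constructed.

```python
from dataclasses import dataclass

# Terminal types named in the post; note there is no "internet" value.
POS, ECOM, MOTO, ATM = "pos", "e-commerce", "mail/phone order", "atm"
CARD_NOT_PRESENT = {ECOM, MOTO}

@dataclass(frozen=True)
class AuthRequest:
    terminal_type: str
    presented: frozenset  # parameters sent with the request, e.g. {"cvv2"}

@dataclass
class IssuerPolicy:
    # Hypothetical model: terminal type -> parameters the issuer requires.
    # A terminal type missing from the dict is prohibited outright.
    allowed: dict

    def authorize(self, req):
        required = self.allowed.get(req.terminal_type)
        if required is None:
            return False, f"{req.terminal_type} prohibited"
        missing = set(required) - req.presented
        if missing:
            return False, "missing " + ", ".join(sorted(missing))
        return True, "approved"

    def cnp_gaps(self):
        """Card-not-present types left open with neither CVV2 nor 3DSecure required."""
        return sorted(t for t in self.allowed.keys() & CARD_NOT_PRESENT
                      if not set(self.allowed[t]) & {"cvv2", "3dsecure"})

# Two constructed merchants, both selling online, forming the request differently.
site_ecom = AuthRequest(ECOM, frozenset({"cvv2"}))
site_moto = AuthRequest(MOTO, frozenset())  # does not ask for CVV2

# Issuer A: only e-commerce with CVV2 is allowed for card-not-present use.
strict = IssuerPolicy({POS: {"chip", "pin"}, ATM: {"chip", "pin"}, ECOM: {"cvv2"}})
# Issuer B: e-commerce prohibited, but Mail/Phone order was left open.
forgetful = IssuerPolicy({POS: {"chip", "pin"}, ATM: {"chip", "pin"}, MOTO: set()})

if __name__ == "__main__":
    for name, policy in (("strict", strict), ("forgetful", forgetful)):
        for site in (site_ecom, site_moto):
            print(name, site.terminal_type, policy.authorize(site))
        print(name, "unprotected card-not-present types:", policy.cnp_gaps())
```

An issuer-side review would run a check like `cnp_gaps()` over every card product so that a prohibited e-commerce type is never paired with an open Mail/Phone order type.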