Tomcat
Professional
I saw that many carders (including the author of the topic) have no idea how paying with bank cards on the Internet works. Guided by conjectures and assumptions, rather than facts, the author concludes that Sberbank cards are the most vulnerable to fraud on the Internet. Therefore, I decided to talk about how payment with bank cards on the Internet actually works, so that Habrapeople, based on facts, and not speculation, can imagine how it works, and where real, and not imaginary, dangers may await them.
Disclaimer: I work at Sberbank of Russia. My work involves helping clients, not cards, but I previously worked in the field of e-commerce, and I know very well how the card payment scheme on the Internet works.
1. So, the author of the above-mentioned topic reproached Sberbank for allegedly showing the client’s name when transferring to a card through a terminal or Sberbank Online, thereby making the work of card fraudsters easier. This statement is not true, and here's why:
When paying on the Internet with a card issued by an American bank, the acquiring bank (the name for the bank that services card payments for an online store) is able to check both the name of the card owner and his billing address (this is the address to which the bank that issued the card sends the monthly statement for this card). This happens if the acquiring bank or the payment gateway through which the payment passes uses a service called AVS (Address Verification System).
This service is usually provided by companies independent of banks, which ask the credit bureau whether the entered name and billing address correspond to a given card number, and receive a “yes” or “no” answer from there. In addition to the United States, acquiring banks or online stores themselves can use this service in Canada, Australia, Great Britain and New Zealand. In other countries, including Russia, AVS does not exist, so neither Russian nor foreign online stores can check whether a card with such and such a number really belongs to a person with such and such a name and surname.
Thus, the conclusion that displaying the cardholder's name creates a risk of card fraud is not true. Knowing the card details (and this is not just the card number), fraudsters can use any first and last name to make purchases in online stores, and the store, as well as its acquiring bank, will not be able to verify this. This is a systemic bug of international payment systems associated with their fundamentally outdated architecture, the foundations of which were laid at the beginning of the second half of the last century, and were not designed for either the advent of the Internet or the emergence of terminals that allow real-time authorization of a card offline.
2. The author of the topic in question blames Sberbank for allegedly coming up with the idea of making transfers between cards, whereas it would be possible to use the account number for these purposes. However, it was not Sberbank that invented transfers between cards, but international payment systems. Here is a description of such a service from the international payment system Visa. Posting your card details on the Internet (even if not full details) is not the best idea, but this is not done by the bank, but by the people themselves.
3. The author claims that on Amazon it is possible to guess the expiration date of the card, and, based on this, concludes that the card number alone is enough to commit fraudulent card transactions. I am not familiar with how the fight against fraud works specifically at Amazon, but I assure you that this online store would have collapsed long ago if it had not fought such basic types of fraud as guessing a card number and expiration date. I think their automated anti-fraud system increases the risk score of a card every time its expiration date is entered incorrectly. Therefore, the statement that to make a payment on Amazon you “only” need to sort through “no more than 36 options” is nothing more than a figment of wild imagination.
4. Anyone who pays with a card on the Internet should know one thing for certain: all disputes between the issuing bank (that is the name for the bank that issued the card) and the acquiring bank regarding Internet transactions are resolved in favor of the issuing bank (and therefore in favor of the cardholder). There is one exception to this rule; it will be discussed in the next paragraph. It doesn’t matter whether the fraudsters entered the correct name of the cardholder, or even the correct CVC/CVV: the rules of payment systems for card-not-present transactions always favor the cardholder. Losses on disputed transactions fall on the acquiring bank, which passes them on to the online store. Moreover, for each protested transaction, a fine is imposed on the online store by the international payment systems. Therefore, it is much more profitable for the store to quickly return the money to a cardholder who contacts it demanding a refund for a transaction he did not make than to do so in 100% of cases after an official protest of the transaction, but with an additional fine in favor of the payment system.
5. The only exception is transactions using 3D Secure (as this technology is called by Visa) and MasterCard SecureCode (I think it’s clear that this is the technology of the international payment system MasterCard). It’s worth taking a closer look at how this technology works.
When both the issuing bank and the acquiring bank (necessarily both!) conduct Internet transactions using one of these technologies, the cardholder, making a purchase, after entering the card details, sees a window from the bank that issued his card with a request to enter a password that only he and his bank know. Entering this password is equivalent to entering a PIN code for offline transactions, and these technologies were designed to provide additional protection to online stores.
However, this plan of the international payment systems did not work, and here's why. The fact is that the scheme described above only works if both the acquiring bank and the issuing bank are certified in these technologies. If only one of them uses these technologies, then the bank that does not use them finds itself in a losing situation in the event of disputed transactions. Because of this, issuing banks, when they saw that they were receiving an authorization request from the acquiring bank using Visa 3D Secure or MasterCard SecureCode, simply refused authorization so as not to “get caught” in the event of disputed transactions. And the stores, seeing that because of this the number of successful authorizations was decreasing, decided that it would be more profitable to “get caught” on some of the disputed transactions than to earn less because the issuing banks give them the brush-off (you can see for yourself how many banks in Russia are certified for MasterCard SecureCode).
But that is the theory; in practice you should know the following: if you use a Sberbank credit card, which is certified for both Visa 3D Secure and MasterCard SecureCode, then regardless of whether the acquiring bank that services this or that online store uses this technology, your transactions are completely protected.
I hope that this post helped everyone understand what to be wary of online and what is speculation and myths.
(c) Onair
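As an added illustration (not part of the original post, and not any bank's or Amazon's real logic), here is a small merchant-side model of three rules the post describes: AVS name/address checks existing only for cards from five countries, a per-card risk score that climbs with every wrong expiration date entered, and which side carries a disputed card-not-present transaction depending on whether the issuer and acquirer both used 3D Secure / SecureCode. Thresholds and the test card numbers are constructed for the example.

```python
import hashlib
from collections import defaultdict

# Constructed thresholds for this example, not any real merchant's values.
RISK_PER_EXPIRY_FAIL = 25   # risk added per wrong expiry entry for a card
EXPIRY_FAIL_THRESHOLD = 3   # wrong expiry entries before the card is declined

# Countries where, per the post, AVS (name + billing address check) exists.
AVS_COUNTRIES = {"US", "CA", "AU", "GB", "NZ"}


def card_key(pan: str) -> str:
    """Never keep raw card numbers in counters; key them by a hash of the PAN."""
    return hashlib.sha256(pan.encode()).hexdigest()


class ExpiryGuessMonitor:
    """Per-card counter that raises the risk score on each wrong expiry date,
    so a card whose expiry is being guessed is declined instead of brute-forced."""

    def __init__(self):
        self.fails = defaultdict(int)

    def record_attempt(self, pan: str, expiry_ok: bool) -> dict:
        key = card_key(pan)
        if not expiry_ok:
            self.fails[key] += 1
        risk = self.fails[key] * RISK_PER_EXPIRY_FAIL
        return {"risk": risk, "decline": self.fails[key] >= EXPIRY_FAIL_THRESHOLD}


def avs_applicable(issuer_country: str) -> bool:
    """Name/billing-address verification is only available for these issuers;
    for a Russian card, for example, the merchant cannot check the name at all."""
    return issuer_country.upper() in AVS_COUNTRIES


def dispute_liability(issuer_3ds: bool, acquirer_3ds: bool) -> str:
    """Who loses a disputed card-not-present transaction, following the post:
    without 3D Secure the issuer (cardholder) always wins; if only one bank used
    it, the bank that did not loses; if both did, the issuer that verified the
    cardholder's password carries the dispute (the usual liability shift)."""
    if issuer_3ds == acquirer_3ds:
        return "issuer" if issuer_3ds else "acquirer"
    return "acquirer" if issuer_3ds else "issuer"
```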