
What you need to know about payment by bank cards via the Internet

After reading this topic, I saw that a great many Habr users (including the topic's author) do not know how payment by bank card works on the Internet. Guided by speculation and assumptions rather than facts, the author concludes that Sberbank cards are the most vulnerable to fraud on the Internet. I therefore decided to explain how payment by bank card on the Internet actually works, so that Habr users can understand, based on facts rather than speculation, how it works and where they may face real, not imaginary, dangers.

Disclaimer: I work at Sberbank of Russia. My job is related to client support, not to cards; however, I used to work in e-commerce, and I know very well how the card payment scheme works on the Internet.


1. The author of the aforementioned topic reproaches Sberbank for showing the client's name when a transfer is made to a card through a terminal or Sberbank Online, claiming that this makes card fraudsters' work easier. This claim is untrue, and here is why:
When a payment is made on the Internet with a card issued by a US bank, the acquiring bank (the bank that processes card payments for the online store) is able to verify both the cardholder's name and the billing address (the address to which the issuing bank sends the monthly statement for the card). This happens if the acquiring bank, or the payment gateway through which the payment passes, uses a service called AVS (Address Verification System).
This service is provided, as a rule, by companies independent of the banks. They ask the credit bureaus whether the entered name and billing address match the given card number and receive a "yes" or "no" answer. Besides the United States, this service is available to acquiring banks or online stores in Canada, Australia, the United Kingdom and New Zealand. In other countries, including Russia, AVS does not exist, so neither Russian nor foreign online stores can verify whether a card with a given number belongs to a person with a given first and last name.
Thus, the conclusion that displaying the cardholder's name creates a threat of card fraud is not true. Knowing the card details (and this is not only the card number), fraudsters can use any first and last name for purchases in online stores, and neither the store nor its acquiring bank will be able to verify it. This is a systemic flaw of the international payment systems, rooted in their fundamentally outdated architecture, whose foundations were laid at the beginning of the second half of the last century and were designed neither for the Internet nor for terminals that authorize cards in real time in offline transactions.

2. The author of the topic in question accuses Sberbank of having invented transfers between cards, when the account number could be used for this purpose. However, card-to-card transfers were invented not by Sberbank but by the international payment systems. Here is a description of such a service from the international payment system Visa. Exposing your card details on the Internet (even incomplete ones) is not the best idea, but it is not the bank that does this; it is people themselves.

3. The author claims that on Amazon it is possible to guess a card's expiration date by trial and error and, on this basis, concludes that the card number alone is sufficient for fraudulent card transactions. I am not familiar with how the fight against fraud is organized at Amazon specifically, but I assure you that this online store would have gone under long ago if it did not fight such basic types of fraud as guessing the card number and the expiration date. I think that their automated anti-fraud system increases the risk assessment every time the card expiration date is entered incorrectly. Therefore, the assertion that to make a payment on Amazon you "just" need to try "no more than 36 options" is nothing more than a flight of fancy.
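An added example, not from the original post and not Amazon's actual system: a minimal velocity rule of the kind item 3 assumes, replayed over constructed authorization attempts. The window, the threshold, the card tokens and the tuple layout are all assumptions made for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 900     # assumed look-back window for failed attempts
MAX_WRONG_EXPIRIES = 3   # assumed number of distinct wrong dates before lockout

# Constructed sample data: (timestamp, card_token, expiry_entered, expiry_is_correct)
ATTEMPTS = [
    (100, "card-A", "01/11", False),   # card-A: expiry dates tried one after another
    (110, "card-A", "02/11", False),
    (120, "card-A", "03/11", False),
    (130, "card-A", "04/11", True),    # correct date, but entered after the lockout
    (200, "card-B", "05/12", False),   # card-B: holder repeats the same typo
    (230, "card-B", "05/12", False),
    (260, "card-B", "05/13", True),
]

def evaluate(attempts):
    """Replay attempts in time order; return (timestamp, card, decision) tuples.

    Decisions: "approve", "decline" (wrong expiry) or "block" (velocity rule hit).
    """
    recent_wrong = defaultdict(deque)  # card -> (timestamp, expiry) of recent failures
    locked = set()                     # cards held for manual review
    decisions = []
    for ts, card, expiry, expiry_ok in sorted(attempts):
        wrong = recent_wrong[card]
        # Forget failures that have aged out of the look-back window.
        while wrong and ts - wrong[0][0] > WINDOW_SECONDS:
            wrong.popleft()
        if card in locked:
            decision = "block"         # even a correct expiry no longer helps
        elif expiry_ok:
            decision = "approve"
        else:
            wrong.append((ts, expiry))
            # Count distinct wrong dates, so a repeated typo is not penalised twice.
            if len({e for _, e in wrong}) >= MAX_WRONG_EXPIRIES:
                locked.add(card)
                decision = "block"
            else:
                decision = "decline"
        decisions.append((ts, card, decision))
    return decisions

def outcomes_for(card, attempts=ATTEMPTS):
    """Decisions for one card, in time order."""
    return [d for _, c, d in evaluate(attempts) if c == card]
```

With these assumed settings the sequence for card-A is locked out on the third distinct wrong date, while card-B's repeated typo still ends in an approval.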

4. Anyone who pays by card on the Internet should firmly know one thing: all disputes between the issuing bank (the bank that issued the card) and the acquiring bank over Internet transactions are resolved in favor of the issuing bank (and therefore in favor of the cardholder). There is one exception to this rule; it is discussed in the next item. It does not matter whether the scammers entered the correct cardholder name, or even the correct CVC / CVV: the payment systems' rules for card-not-present transactions always side with the cardholder. Losses on disputed transactions fall on the acquiring bank, which passes them on to the online store. Moreover, for each disputed transaction the international payment systems impose a fine on the online store. It is therefore much more profitable for the store to quickly refund the cardholder who contacts it about a transaction he did not make than to refund the money anyway, in 100% of cases, after the transaction has been officially disputed, with an additional penalty in favor of the payment system on top.

5. The only exception is transactions using 3D Secure (as Visa calls this technology) and MasterCard SecureCode (I think it is clear that this is the technology of the international payment system MasterCard). How this technology works deserves a more detailed explanation.
When both the issuing bank and the acquiring bank (both are required!) process online transactions using one of these technologies, the cardholder, after entering the card details during a purchase, sees a window from the bank that issued the card asking for a password that only he and his bank know. Entering this password is analogous to entering a PIN in offline transactions, and these technologies were designed to give online stores additional protection.

However, this plan of the international payment systems did not work, and here is why. The scheme described above only works if both the acquiring bank and the issuing bank are certified for these technologies. If only one of them uses these technologies, the bank that does not use them is in a guaranteed losing position in disputed transactions. Because of this, issuing banks, when they saw that they were receiving an authorization request from an acquiring bank using Visa 3D Secure or MasterCard SecureCode, simply refused to authorize, so as not to take the loss in disputed transactions. And when stores saw that the number of successful authorizations was falling because of this, they decided it would be more profitable to take the loss on some disputed transactions than to earn less because issuing banks were declining authorizations (you can see how many banks in Russia were certified by MasterCard SecureCode).

That is the theory; in practice you should know the following: if you use a Sberbank credit card, which is certified for both Visa 3D Secure and MasterCard SecureCode, then regardless of whether the acquiring bank serving a particular online store uses this technology, your transactions are fully protected.
I hope that this post has helped everyone understand what is worth fearing online and what is speculation and myth.

Source: https://habr.com/ru/post/109473/

