How to protect your card on the Internet

What is an online payment?

Oddly enough, but in the terminology of payment systems there is no such thing as an online transaction. From the point of view of Visa and MasterCard, a transaction on the Internet is no different from a transaction in the terminal, by phone, IVR, etc. Payment systems consider the Internet only as a transaction environment. And this introduces some confusion when the cardholder communicates with the bank that issued the card (the issuer). The statement of the call center employee that your card is open for online payments, as well as the statement that it is closed, may not be true.


I think many of you who regularly use cards have come across a situation where the card seems to be open for online payments, but payments on some sites do not work. The reverse situation is also possible, when the issuer does not indicate in the contract for opening a card about the possibility of payment on the Internet, and payment on some sites may still pass. This is all related to the types of transactions that are allowed on the issuer side. The type of transaction depends on the parameters involved in authorization (CVV2, magnetic stripe, PIN, 3DSecure password, chip, cardholder address, etc.) and the type of terminal (traditional POS terminal, e-commerce merchant, Mail / Phone order, ATM). You see, there is no such property that would indicate the environment of the transaction, in particular - the Internet. For example, for security reasons, the issuer can only authorize e-commerce transactions with CVV2 input, while some CVV2 sites do not request and form a transaction as Mail / Phone order. In the latter case, the payment will not work. Or the issuer may ban e-commerce, but forget to ban Mail / Phone order, then payment in some online merchants will be allowed. Therefore, to the end it is sure that the payment will pass or not under certain conditions, maybe only an employee of the processing center, who sees the authorization software settings in front of him, and that is not always the case.

Personal Card Culture

In view of the above, you should always be careful with your payroll, credit, business / corporate or any other card that has available funds. First of all, I would recommend not to use these cards on the Internet, despite the convenience (there is always an available amount, as a rule, many types of transactions are allowed). Also, do not shine the card number and the reverse side with CVV2 in the queues at the terminals (you can even erase the CVV2 with a blade or other improvised tool) and do not release the card from view, passing it to the cashier / waiter / other staff. In some cases, the amount from the card can be debited even without entering CVV2. Those. It will be enough for an attacker to spy on your card number and expiration date to make a payment on the Internet For payment on the Internet, it is best to have a separate Internet card, or use the existing debit card, constantly controlling the available balance on it (for example, by connecting the sms-informing service). Also, if the issuing bank provides such a service, it is desirable to set an individual payment limit on the Internet on the card.

Means of protection

In addition to complying with the advice given above, one of the means of card protection, now technical, is the 3DSecure protocol (the Verified by Visa program from the Visa payment system and MasterCard SecureCode from the MasterCard).
Despite attempts to promote 3DSecure protocol payment systems, banks in the CIS are not in a hurry to master it and continue to invent their own methods of fraud protection. Why is this happening, and what is the 3DSecure protocol?
In short, 3DSecure is a protocol of the Visa and MasterCard payment systems, which allows you to further authenticate the cardholder by redirecting it during the online purchase to the issuer's bank site. At the same time, the issuer bank checks the password entered by the cardholder and gives an answer about the consent or refusal to conduct the transaction.
It would seem, obviously, that the main purpose of the 3DSecure protocol is to protect the cardholder from unauthorized use of his card. But in reality, in full, it only works if both the acquirer bank and the issuing bank support the protocol. Those. If the fraudster tries to pay with your card connected to 3DSecure at a point of sale that does not support it, the protection will not work. Since the majority of merchants in the CIS still do not support the 3DSecure protocol, or support, but only in words, there is little benefit to the cardholder from such protection. In case of unauthorized use of a protected card in a merchant that does not support 3DSecure, the responsibility for fraud lies with the bank servicing the outlet. Although in this case, the cardholder can fully count on a refund, it is little comfort, knowing what the red tape with a claim in our banks is fraught with.
Thus, the main advantage of 3DSecure at this stage of e-commerce development in the CIS countries is the transfer of responsibility to the bank serving the outlet.
')

Total

To summarize, how to warn yourself against fraudsters (they still use simple rules, how not to infect a computer with viruses, how not to let a thief into an apartment, so there is nothing burdensome about following the rules of using cards):
- do not shine the map in public places
- do not lose sight of the card when paying for goods and services
- use on the Internet only cards that you specifically discovered for this purpose
- follow the balances on the cards (preferably via sms-informing)
- set an individual payment limit on the Internet card
- connect the card to the 3DSecure protocol
- enter card data only on verified sites, preferably with Verified by Visa and MasterCard SecureCode logos
- do not transfer the card data to a third party (even relatives and friends)

Despite the seemingly deplorable situation with the protection of payment cards on the Internet, everything is not so bad. Payment systems Visa and MasterCard establish uniform rules for claim handling, which usually protect the cardholder, and guarantee a refund in case of fraud, if there is no fact of compromise and data transfer to a third party. This may not always work in our “legal” state, but this is a significant advantage compared to irretrievable local virtual payment systems. In addition, payment cards on the Internet are widely used throughout the world and for us it is only a matter of time and speed of developing a culture of cashless payments. A couple of years ago, a person paying with a card in the terminal of the store caused outrage at the waiting line, and today, except that small shops in the outback have no terminals. Therefore, to whom, if not us, the most active part of the Internet community, should guide the development of e-commerce on the right track. Do not be afraid to experiment, pay on the Internet and connect card payments to your merchants / startups. Suddenly it will be convenient and cheap :)