| 10:41 am on Dec 19, 2002 (gmt 0)|
It's about time!
| 10:52 am on Dec 19, 2002 (gmt 0)|
We have had some mixed experience with this in the pilot stage.
While it certainly reduces/eliminates fraud risk, there are some users who have no idea what to put in this new input field of visa password/pin that pops up. They call and ask us (merchant) what their PIN is...
Issuing banks need to do a lot of user education, if not, it may be quite a nightmare for merchants when these type of cards become common.
| 7:02 pm on Dec 20, 2002 (gmt 0)|
So........when are PC's going to start coming with a magnetic strip reader? Seems like a logical thing to me :)
| 7:59 pm on Dec 20, 2002 (gmt 0)|
Hey Lextech I think that's already out there, I've seen it.
I especially like that they're going to shift responsibility to card issuers and not just merchants, that's great news. But I do agree that many people will be lost. However, people learn to deal with it. Now some people request the CVV2 code - people are now getting used to this. I think it's great and will eventually prove to improve online sales.
| 8:05 pm on Dec 20, 2002 (gmt 0)|
Can't really see asking someone to turn their card over and enter the pin as something that should be perceived as difficult. I didn't know my card had a pin until some web form asked for it.
"Please Enter the 4 Digit Pin Number Located On The Back Of Your Credit Card"
If they can't follow that simple instruction they probably can't fill out the rest of the form properly. ;)
| 9:00 pm on Dec 20, 2002 (gmt 0)|
The good thing about this is that the PIN verification is not done on the merchant's server, so the merchant will never see the PIN. That was the problem with the CVC2 code: once you've given it out it's not private anymore - everybody and their brother will have it eventually. So it looks like a big improvement. Though, recurring billing will be a nightmare I'm sure.
Along with the transfer of liability away from the merchant, this is great news. :)
| 9:27 pm on Dec 20, 2002 (gmt 0)|
digitalghost, that is something different and has been used for most of the two years I have been taking card payments. This simply stops photocpied cards from being used.
This new system involves a pin number/password that is not printed on the card in any way. The WorldPay screens forwards the customer to a Visa/Mastercard pin entry screen and the customer enters their confidential information that they have previously set up. Visa/MC return this back to WorldPay (or other processor) as accepted or failed. This way, WorldPay never find out this confidential information.
| 9:30 pm on Dec 20, 2002 (gmt 0)|
Thanks gsx, I was wondering what the big deal was. Guess I should have read that article. :) Mea culpa.
| 9:30 pm on Dec 20, 2002 (gmt 0)|
|Please Enter the 4 Digit Pin Number Located On The Back Of Your Credit Card |
That's the 3 digit CVC code you're thinking of... the PIN is the 4 digit access number you use if you want to (for example) withdraw cash at ATM machines.
Problem with using PIN numbers is that I intentionally throw away/forget my CC PIN numbers as soon as I get them... hehehe.
<addded>All of which you obviously just realized... hehe. Typing at the same time. ;)</added>
| 10:20 pm on Dec 20, 2002 (gmt 0)|
So who will pay for this new system? The clients or the merchants? I would believe that the merchants will pay for it. Has anyone found pricing information?
| 1:44 am on Dec 21, 2002 (gmt 0)|
>>The good thing about this is that the PIN verification is
>>not done on the merchant's server, so the merchant will
>>never see the PIN.
unfortunately, merchants collecting card numbers via SSL for manual processing via their bank merchant account will simply add a PIN field to their order pages and store or transmit all the details (card number, PIN, CVV number, name, address, telephone number etc) in plain text format exactly as they do now. fraudsters / hackers / criminals will still obtain these details in exactly the same way as they do now - accessing insecure web sites set up by people with little skill or knowledge and hosted on web servers run by people with little skill or knowledge. the fact that the merchants may not need to collet the PIN number means nothing - they'll ask for it because they think it will make their order form look more legitimate and that it will deter fraudsters.
i believe introducing the PIN number will do little or nothing to prevent fraud.
it'll take time for the PIN system to spread - cards are typically issued or 2 or 3 years at a time, so we're looking at a year or so before PIN numbers are used commonly on the net. by then, merchants and fraudsters will be collecting PINs just the same as they are collecting card and CVV numbers now.
i can only think of one way to really tackle credit card fraud on the net - legislation that is enforced rigidly. ie, make it illegal to collect card details with SSL for manual processing and force all merchants to use an approved online card processing company. this will prevent merchants from storing and transmitting card details in plain text format and will simply cut off the supply of card details to fraudsters / hackers etc. although cards will still be stolen in robberies etc, the thieves won't have the PIN numbers and won't be able to use the cards online as online sales will be through approved processing companies requiring the PIN number. this is only one method to seriously tackle fraud and it won't stop *all* fraud, but it would sure stop the majority of it ...
the shift of responsibility from the merchant to the issuer is a welcome move.
| 1:52 am on Dec 21, 2002 (gmt 0)|
I apologise if im missing the point, but isnt it that the card number will go to the merchant and the PIN will go to third party?
In which case the only point at which both will be accessible to hackers will be through the banks, and having worked in an IT department in a bank (yes, me - the least techie person on the forum) I know that they are pretty on the ball when it comes to security.
Or am I being:
B. Stupid (having completly forgotten about the article since i read it the other day and not bothered to read it since).
It just seems to me that sending yet another number to the retailer for confirmation is a waste of bandwidth.
You need to split up the responsibilities so fraud cannot be carried out internally, thereby reducing it a great deal. IMHO, anyway. :)
| 1:55 am on Dec 21, 2002 (gmt 0)|
>>That's the 3 digit CVC code you're thinking of... the PIN
>>is the 4 digit access number
i believe american express has a 4 digit CVV code while most others have 3 digits. there may be one or two others that also have 4 digits, but i can't remember off-hand.
>>So who will pay for this new system? The clients or the
the shoppers / cardholders will pay for it just as they pay for the current systems. card issuers will pass on costs to the cardholders (who are also your customers) or to the merchants who will pass the costs on to the customers (cardholders) through increased prices. either way, the same people pay - the shopper / cardholder / customer, whatever you want to call them
| 2:01 am on Dec 21, 2002 (gmt 0)|
>>I apologise if im missing the point, but isnt it that the
>>card number will go to the merchant and the PIN will go
>>to third party?
that's how it's intended to work .....
but what's to stop john doe adding a PIN field to his payment form on his SSL based site? nothing. john doe shouldn't do it, but he will.
PIN numbers will end up being collected and stored on insecure sites and servers, just as credit card details are now.
| 2:04 am on Dec 21, 2002 (gmt 0)|
Ah! Good point Crazy!
Consumer education is the key!
Stop them falling for it! ;)
| 9:57 am on Dec 21, 2002 (gmt 0)|
The way I thought PIN prevents fraud is that people would be able to change it just like password from time to time...so even if some merchant saved it somewhere .. and a hacker hacked it out .. still those who changed their PIN would not have to worry about it .. just because hacker now had their credit card number...and their old PIN number.
| 11:09 am on Dec 21, 2002 (gmt 0)|
that's probably right jaski. the flaw there is that people don't bother changing their PIN numbers. i've had a cashpoint card that allows me to change the PIN but i've used the same number for several years.....
| 12:52 pm on Dec 21, 2002 (gmt 0)|
Those who take payments via a 'normal' merchant and not an approved third party will not need to worry about this change. They will not need to enter the PIN into their machines to take the payment. They will still get chargebacks and be responsible for all costs involved.
Offline payments will be changed either. Similar to CVV codes (3 digits on the back of your card) and AVS (Address Verification System) - these are not entered or checked by offline systems - only online accounts can be used to check these.
The new system is only for internet payments through approved merchant account suppliers (WorldPay being just one of them).