Welcome to WebmasterWorld Guest from 220.127.116.11
Forum Moderators: phranque
While it certainly reduces/eliminates fraud risk, there are some users who have no idea what to put in this new input field of visa password/pin that pops up. They call and ask us (merchant) what their PIN is...
Issuing banks need to do a lot of user education, if not, it may be quite a nightmare for merchants when these type of cards become common.
I especially like that they're going to shift responsibility to card issuers and not just merchants, that's great news. But I do agree that many people will be lost. However, people learn to deal with it. Now some people request the CVV2 code - people are now getting used to this. I think it's great and will eventually prove to improve online sales.
"Please Enter the 4 Digit Pin Number Located On The Back Of Your Credit Card"
If they can't follow that simple instruction they probably can't fill out the rest of the form properly. ;)
Along with the transfer of liability away from the merchant, this is great news. :)
This new system involves a pin number/password that is not printed on the card in any way. The WorldPay screens forwards the customer to a Visa/Mastercard pin entry screen and the customer enters their confidential information that they have previously set up. Visa/MC return this back to WorldPay (or other processor) as accepted or failed. This way, WorldPay never find out this confidential information.
Please Enter the 4 Digit Pin Number Located On The Back Of Your Credit Card
That's the 3 digit CVC code you're thinking of... the PIN is the 4 digit access number you use if you want to (for example) withdraw cash at ATM machines.
Problem with using PIN numbers is that I intentionally throw away/forget my CC PIN numbers as soon as I get them... hehehe.
<addded>All of which you obviously just realized... hehe. Typing at the same time. ;)</added>
unfortunately, merchants collecting card numbers via SSL for manual processing via their bank merchant account will simply add a PIN field to their order pages and store or transmit all the details (card number, PIN, CVV number, name, address, telephone number etc) in plain text format exactly as they do now. fraudsters / hackers / criminals will still obtain these details in exactly the same way as they do now - accessing insecure web sites set up by people with little skill or knowledge and hosted on web servers run by people with little skill or knowledge. the fact that the merchants may not need to collet the PIN number means nothing - they'll ask for it because they think it will make their order form look more legitimate and that it will deter fraudsters.
i believe introducing the PIN number will do little or nothing to prevent fraud.
it'll take time for the PIN system to spread - cards are typically issued or 2 or 3 years at a time, so we're looking at a year or so before PIN numbers are used commonly on the net. by then, merchants and fraudsters will be collecting PINs just the same as they are collecting card and CVV numbers now.
i can only think of one way to really tackle credit card fraud on the net - legislation that is enforced rigidly. ie, make it illegal to collect card details with SSL for manual processing and force all merchants to use an approved online card processing company. this will prevent merchants from storing and transmitting card details in plain text format and will simply cut off the supply of card details to fraudsters / hackers etc. although cards will still be stolen in robberies etc, the thieves won't have the PIN numbers and won't be able to use the cards online as online sales will be through approved processing companies requiring the PIN number. this is only one method to seriously tackle fraud and it won't stop *all* fraud, but it would sure stop the majority of it ...
the shift of responsibility from the merchant to the issuer is a welcome move.
In which case the only point at which both will be accessible to hackers will be through the banks, and having worked in an IT department in a bank (yes, me - the least techie person on the forum) I know that they are pretty on the ball when it comes to security.
Or am I being:
B. Stupid (having completly forgotten about the article since i read it the other day and not bothered to read it since).
It just seems to me that sending yet another number to the retailer for confirmation is a waste of bandwidth.
You need to split up the responsibilities so fraud cannot be carried out internally, thereby reducing it a great deal. IMHO, anyway. :)
i believe american express has a 4 digit CVV code while most others have 3 digits. there may be one or two others that also have 4 digits, but i can't remember off-hand.
>>So who will pay for this new system? The clients or the
the shoppers / cardholders will pay for it just as they pay for the current systems. card issuers will pass on costs to the cardholders (who are also your customers) or to the merchants who will pass the costs on to the customers (cardholders) through increased prices. either way, the same people pay - the shopper / cardholder / customer, whatever you want to call them
that's how it's intended to work .....
but what's to stop john doe adding a PIN field to his payment form on his SSL based site? nothing. john doe shouldn't do it, but he will.
PIN numbers will end up being collected and stored on insecure sites and servers, just as credit card details are now.
Offline payments will be changed either. Similar to CVV codes (3 digits on the back of your card) and AVS (Address Verification System) - these are not entered or checked by offline systems - only online accounts can be used to check these.
The new system is only for internet payments through approved merchant account suppliers (WorldPay being just one of them).