Mastercard Securecode

Please remember that if you are displaying the Maestro logo on your website and are taking payments by UK and internationally issued Maestro cards you must activate Mastercard's secure payments solution

- Mastercard Securecode.

... Card issuers will start to decline Maestro e-commerce transactions where SecureCode has not been deployed. Your third party payment solution provider can help you through the simple integration process.

I phoned the helpline at Cardnet and got little help and was referred to pcisecuritystatus.org and told to work though it. Not very helpful.

Now, being literal I would say that as the Maestro logo does not appear on our site (nor does the word Maestro - only Mastercard, Visa, Amex, Switch, Diners Club) then the rest does not apply. Also I cannot see how a transaction entered as customer not present from internet info would appear any different from one taken by phone. They are both entered into the terminal the same way.

Also, as far as I understand the term, we do not have a third party payment solution provider.

I assume that this does not apply to us, but want to be sure I am understanding it correctly.

Thanks

Reply to
Rob.

"Rob." gurgled happily, sounding much like they were saying:

I think that may be where you're already going wrong...

I don't think you've been able to do that and stay within the PCI-DSS requirements for a while now - IIRC, if you're taking payments online, they have to be validated online. You can't just take card numbers and process them offline any more.

Again, unless I'm mistaken, you need to. That would be the outfit whose online validation & processing you use, instead of your current machine.

Even if you don't actually _need_ to, it'd certainly be a very good idea to.

Reply to
Adrian

I think there are plans to update the website so maybe the new designer/host will be able to sort that out. Hopefully using a 3rd party would not cost any more than the terminal (I assume they take a percentage?) or I can hear the boss now!

Reply to
Rob.

If you do implement it, please make it so that it is easy to verify. Preferably launch the verification page unframed with complete chrome, particularly the address bar. Under no circumstances do what one third party provider was doing, and copy the page into the text of your own page. You can iframe it, but it is more of a pain to verify it when people do that. I would treat copying into your own page as a man in the middle attack and abandon the transaction.

The challenge phrase has negligible security value (except that you must reject if it is wrong!) so it is important that users be able to confirm that they have an SSL connection to their card issuer.

This applies to 3D Secure in general, not just the Securecode branding of it.

Reply to
David Woolley
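As an added illustration of the point above (example code, not from the thread or from any card scheme): a check the issuer's verification page could run before showing its form, refusing when it is framed or when its markup has been copied onto another origin. The issuer host name is an assumed placeholder.

```javascript
// Added example, not code from the thread or from any card scheme.
// An issuer's 3D Secure / SecureCode verification page should only show its
// password form when it is the top-level window (so the browser's address bar
// is the issuer's), served over HTTPS, and running on the issuer's own host.
const ISSUER_HOST = "acs.example-issuer.test"; // assumed placeholder, not a real ACS host

function assessVerificationContext(win) {
  const problems = [];
  // Inside an iframe the address bar shows the merchant, not the issuer.
  if (win.top !== win.self) problems.push("framed");
  // Without TLS the user cannot confirm who they are connected to.
  if (win.location.protocol !== "https:") problems.push("not-https");
  // A copy of the page pasted into the merchant's own page runs on the
  // merchant's origin, which is indistinguishable from a man in the middle.
  if (win.location.hostname !== ISSUER_HOST) problems.push("wrong-host");
  return { ok: problems.length === 0, problems };
}

// What the page should do: show the form, or refuse and say why.
function challengeDecision(win) {
  const result = assessVerificationContext(win);
  return result.ok ? "show-form" : "refuse: " + result.problems.join(",");
}

// Constructed stand-ins for browser window objects so this runs without a browser.
function fakeWindow({ framed, protocol, hostname }) {
  const self = {};
  self.self = self;
  self.top = framed ? {} : self; // a different object means we are inside a frame
  self.location = { protocol, hostname };
  return self;
}

const unframedIssuerPage = fakeWindow({ framed: false, protocol: "https:", hostname: ISSUER_HOST });
const framedIssuerPage = fakeWindow({ framed: true, protocol: "https:", hostname: ISSUER_HOST });
const copiedIntoMerchant = fakeWindow({ framed: false, protocol: "https:", hostname: "shop.example-merchant.test" });
```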

"Rob." gurgled happily, sounding much like they were saying:

It almost certainly will - and they certainly do. His only choice is not to take plastic over the web. Which would he prefer...?

Reply to
Adrian

I would expect him to stop taking orders over the web. A percentage, he might pay. If there is a subscription/standing charge then I think it will all be over.

Reply to
Rob.

I've not read all the replies in the thread but judging by your initial post can he not just drop the mastercard logo? It seems that it's the use of that logo that requires you to do online validation.

"We accept all major credit cards" would probably be all you needed.

And, of course, you could also offer a callback service - instead of entering the credit card number you could tell them to enter their telephone number.

Tim.

Reply to
Tim Woodall

I was reading something recently... it was probably Verified by Visa and I can't remember the precise document (so not terribly helpful) but it mentioned a special exception for salespeople who, for example, take orders over the phone and then enter them through the normal website... in which case they suggested VbV wasn't a good idea (cos you'd have to ask the customer for their password etc).

But your case is the other way around. I thought there were strict rules about not having a record of CVV2s - you can't make a note of them, you have to process them straightaway (over the phone, type them in directly as read out by the caller, not enter them into a database).

So I think Adrian's right, or at least that would seem to tally. (but I've only read a limited selection of the merchant stuff)

Theo

Reply to
Theo Markettos

That is what is currently the case, which it has been suggested is contrary to other rules.

It might come to that, although it would mean ringing overseas customers at greater expense and possibly unsocial hours.

Reply to
Rob.

In the case of telephone orders, I cannot see how we would have managed, especially at peak periods, to memorise all the CVVs rather than write them down on the order pads. We try not to make it obvious but there is no real alternative. The website does the same sort of thing, except that the order is printed not hand written. Details are not stored in a database.

I guess there must be special rules for those customers who ask that a merchant holds their card details on file to save them the hassle when they order. In our case that is done on paper, but I can think of a number of online retailers, Amazon for example, or the likes of Paypal who offer a similar service.

Thanks to everyone for the advice given. I have passed it back to the boss, so he can sort it out. :-)

Reply to
Rob.

You're not supposed to memorise them. If you take orders over the phone, you're supposed to process the transaction while the customer is still on the phone.

If the website takes orders, then the payment must be processed in real time when the customer enters their card details. The details must not be stored, in any form, for later processing.

Such companies have gone through a *very* stringent compliance audit (which costs them many thousands of pounds or dollars) which allows them to store card data. Even so, the first time the card is used, it is validated in real time when the customer is placing the initial order or signing up for the account.

You need to tell your boss that your current systems are seriously in breach of your merchant agreement and could open you up to possible legal action as well as costing you the right to take card payments at all.

If you're going to take card payments online, and you can't afford to create (and don't have the skills to set up) a payment system of your own that complies with the audit requirements, then the simple solution is to use a third-party provider such as Sagepay, Datacash or Worldpay. Costs vary according to provider so it's important to shop around for the package which best meets your requirements, and it will require some programming to integrate it into your website, but it will ensure that you do comply fully both with the law and the contractual conditions imposed by your card provider.

Mark

Reply to
Mark Goodge

Ugh! What sane person would give their credit card details to someone who phoned them???

Reply to
Mark

Sounds like sorting out the issue of phone orders (extra terminals and connections) and regular customers (might be cheaper to lose customers rather than pay for auditors) could be more expensive than sorting out web purchases.

Thankfully it is not my problem to solve. I was just asked to look at the message he received about securecode because I am the only member of staff who knows where to type a URL in a web browser. Pleased to be able to hand it all back.

I am not saying that it is right that it be filed at the bottom of the pile, just that that is his style.

Reply to
Rob.
