In my business we take credit cards and due to the type of business we
are in we have had zero fraud in 15 years. We therefore don't ask for
the security code as this gives our customers extra protection.
We have been paying £17/month for the machine rental.
Now they tell us that we must change to a new machine which is
£23/month and the security code will be mandatory.
Is this a scam or is it real? What are the options? Currently we use
the same card processor as our main bank.
Virtually all our business is 'customer not present'.
We used a card processing machine supplied by HSBC and they too have
recently upped the monthly rental from 15 to 20 (both +VAT), along with
increased charges on individual transactions.
The security code is not needed for normal (in store) transactions, but is
always required for those where the cardholder is not present.
It's amazing how the banks are screwing small businesses in this & similar
ways. In our case (and numerous others that we know) they've also changed
their charging regime (without any negotiation) for normal day-to-day
banking services, and the changes are certainly not to our advantage.
The bank is now our single highest monthly expenditure (other than for stock
purchases & wages); that despite the fact that we don't owe them any money
or use any overdraft facilities, and our business account is usually
substantially in credit. The amount they take from us each month exceeds
our monthly business rates.
If you have a Payment Card Industry Data Security Standard compliant
system in place, taking the CV2 should not increase the risk to your
I'm surprised to discover there are still machines around that permit
CNP transactions without the CV2. However, on my machines, the CV2 is
only 'mandatory' in that you have to enter one to complete the
transaction. You could, in theory, enter any number you like and still
accept the transaction when it says no data matches.
I'd say that regardless of how secure the system in place is, the company
never having the CV2 number has got to be less risky to the customer than
the company having the number, all other things being equal and assuming the
zero fraud situation is still the case.
Of course that is true.
Most frauds are really obvious, like somebody from Russia ordering 100
of everything on our price list, with a credit card.
The problem is that most companies employ a load of chimps doing this
work so the Russian's order will simply get processed with the account
manager smiling at his month's bonus payment.
But the company will get a chargeback, CV2 or no CV2, because a CC
payment is not "cleared funds"... not for about 6 months.
If the system is PCI DSS compliant, the increase in risk is minimal. The
CV2 is only held long enough to obtain authorisation and if the
transaction is being done by phone, need never even be written down.
But even if they *need not* be written down, they still *can be* written
down. The suggestion is that no matter how compliant or secure the
machine is, the person operating it can still be a crook, and can write
down the details and type them in later, and then sell his notepad to
his accomplice in the pub.
On Fri, 30 Jul 2010 18:20:34 +0100, Ronald Raygun wrote
I was horrified when I had ordered a book on a local bookseller's website for
collection at their premises.
I had paid online with my credit card and address, CV2 details etc.
When I got to their collections desk, there was my order, printed out in
full, card number, CV2, address, the lot lying on the desk. In a public
space, on full view, with other customers just milling about looking at books
- as you would in a book shop.
Apparently, their https:// website's e-commerce system consists of taking the
entered details, and printing them out.
When I collected my book, they typed the number and CV2 into a terminal by
hand, and processed the order.
I left them with no doubt about what I thought of their ordering system and
My wife is a member of the local health centre and was asked by the
receptionist to complete a new application. The receptionist then picked the
top form off the pile sitting on the reception counter and the wife brought
it home to complete.
The form was a duplicate, top white and bottom pink. When I looked closely,
the white had imprints of someone else's details and the pink CLEARLY showed
every detail of someone else, card number, bank account, sort code, CV2,
address, home phone, mobile, the whole works. This person must have filled
out their form on the top of the pile, at the counter, not realising one or
more of the forms below were duplicating her details. Now there's security
The reality however is that this is unlikely to result in card fraud.
It's a bit like parking your car unlocked. The chance of a thief just
happening to walk past is small.
Most card fraud is done with large-scale break-ins into company
databases and servers, where the full cardholder details are held,
even if only temporarily. Or thefts of card machines from garage
forecourt shops, which are followed by an extraction of the
I had to fill in that card processing security verification form the
other week. It was all meaningless bollox. A bit like those brainless
forms generated by brainless self-important ISO9000 quality managers
asking whether you segregate defective incoming goods. NO SIR WE MIX
IT ALL UP AND USE IT IN PRODUCTION... what a load of w*ankers. The
card security form asks a load of questions which are obvious as to
how they should be answered, and anyway most small companies won't
have the IT resources to really conform. We still use paper, which is
why we don't ask for the security code.
Not in any company I'm involved in. You just know that these guys were
using an email enabled form that was sending the data in plain text to a
mail-box waiting to be cracked.
It's no wonder card fraud is rife with this kind of idiocy; it's as
bad as TK Maxx but on a smaller scale.
It is completely unacceptable.
And if your card service ever gets wind of it, is likely to lead to
your authorisation being withdrawn.
You should NEVER print out the full card number, nor the CV2. Under
any normal processing circumstances.
Alex Heney, Global Villager
Nothing is as inevitable as a mistake whose time has come
I'm not happy when they print out just the last 4 digits of the card
number. The other 12 digits would be the easiest to guess if you know
the company that issued the card.
And I still wonder how my card details were obtained by a fraudster
when I had only used it for a small number of online purchases, all
with well known (large) companies and the card had never been near an
ATM or C&P machine.
They are in breach of their agreement with their card handling provider
in a number of ways and a complaint to the provider would be in order
and probably a lot more effective:
1) As payment was taken on collection, it was wrong to take the CV2 in
the first place.
2) As you were present during the transaction, it was wrong to process
it as cardholder not present. It should have been verified by PIN (or
signature in some cases).
3) They breached the following requirements of the Payment Card Industry
Data Security Standard
Requirement 3 - Protect stored cardholder data
Requirement 7 - Restrict access to cardholder data by business need-to-know
Requirement 9 - Restrict physical access to cardholder data
and probably, Requirement 12 - Maintain a policy that addresses
Just poor training, I think. Normally what I would have expected to happen
in the case of a "hold for collection" order is that payment be taken in the
same way as if it had been mail order. That means a "customer not present"
method must be used. It is still advisable to retain the card details so
that whoever collects the goods can produce the card as proof of identity.
Naturally in such a case, it would be sufficient to retain the card number
without any of the related guff like expiry date or CV2 code.
That said, what if goods are not in stock at time of order? It is
considered bad form for mail order retailers to debit one's card before
the goods are ready for dispatch, and so if they take card details, there
is no alternative to recording full details including CV2, is there?
On Sat, 31 Jul 2010 22:05:59 +0100, Ronald Raygun put finger to keyboard
No, Nightjar is correct. "Hold for collection" orders should normally be
processed as a standard over-the-counter transaction at the time of
"Cardholder not present" transactions should usually only be processed when
the cardholder is not present at any time during the transaction. If the
cardholder is present at any time in the process, including collection of
an order placed previously, then it ceases to be CNP.
There are exceptions to this, but they would be unlikely to apply to a
typical small retailer.
There are two ways of doing it. The first is to debit or reserve funds from
the customer's card at the time of the order. In practice, this is the only
option available to small and medium-sized retailers that do not have the
necessary facilities to be able to legitimately store card details. The
second is to validate the card (using the cvv) at the time of order, but
then store the card details (excluding cvv) and use them to debit the
previously-validated card at the time of dispatch. This requires the
facility to securely store card details as well as carry out separate
validation and debit transactions, and hence be fully compliant with the
PCI-DSS requirements. It is, therefore, expensive to implement and only
practical for larger companies.
The idea that retailers shouldn't debit a card until dispatch is,
unfortunately, responsible for a lot of bad (and insecure) practice among
smaller sellers. While it may well be good customer service to delay
debiting, there is no legal requirement to do so and good security practice
makes it impractical for many retailers. But, because it's widely perceived
by customers as a good thing, many retailers are tempted to do it anyway by
storing details insecurely and illegally. And customers in turn, because of
their preference for delayed debiting and lack of awareness of both the law
and good security practice, connive in this by using retailers which
operate illegally and insecurely rather than those which do the right
From my perspective of working within the online retail industry, I have to
say that I'd be very suspicious indeed of any small retailer which didn't
take my money at the time I placed the order. The inconvenience of paying
up front for something which turns out to be out of stock is relatively
trivial compared to the very real risk of fraud that I am exposed to by a
retailer which stores my card details insecurely.
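Mark's second approach above (validate with the CVV at order time, keep the card details without it, debit at dispatch) sketched as an added Python example; this is not any poster's code, and FakeGateway, its token format and the Luhn check are assumptions standing in for a real processor's API.

```python
import hashlib
import re
from dataclasses import dataclass, asdict

@dataclass
class StoredCard:  # all that is kept between order and dispatch: token, last four, expiry
    token: str
    last4: str
    expiry: str
@dataclass
class Order:
    order_id: str
    amount_pence: int
    state: str = "new"                 # new -> authorised -> debited
    card: "StoredCard | None" = None

def luhn_ok(pan: str) -> bool:
    """Luhn sanity check on the PAN (assumed here; not proof the card is live)."""
    digits = [int(c) for c in pan if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):   # double every second digit from the right
        total += d * 2 - 9 if i % 2 and d > 4 else d * 2 if i % 2 else d
    return len(digits) >= 12 and total % 10 == 0
class FakeGateway:
    """Constructed stand-in for a processor's validate/debit API (hypothetical;
    real gateways differ). validate() returns a token used for the later debit."""
    def validate(self, pan: str, expiry: str, cvv: str) -> str:
        if not (luhn_ok(pan) and re.fullmatch(r"\d{3,4}", cvv)):
            raise ValueError("card declined")
        digest = hashlib.sha256(f"{pan}|{expiry}".encode()).digest()
        return "tok_" + "".join(chr(97 + b % 26) for b in digest[:16])  # letters only
    def debit(self, token: str, amount_pence: int) -> bool:
        return token.startswith("tok_") and amount_pence > 0

def authorise(order: Order, pan: str, expiry: str, cvv: str, gw: FakeGateway) -> Order:
    """Order time: the CV2 goes to the gateway for this one call and is not kept."""
    order.card = StoredCard(gw.validate(pan, expiry, cvv), pan[-4:], expiry)
    order.state = "authorised"
    return order
def debit_at_dispatch(order: Order, gw: FakeGateway) -> Order:
    """Dispatch time: debit through the token; no card data is re-entered."""
    if order.state != "authorised" or order.card is None:
        raise RuntimeError("order was never validated")
    if gw.debit(order.card.token, order.amount_pence):
        order.state = "debited"
    return order
def persisted_record_is_clean(order: Order) -> bool:
    """Sanity scan of what would hit disk: no 12+ digit run (PAN), no CV2 field."""
    text = str(asdict(order))
    return re.search(r"\d{12,19}", text) is None and "cvv" not in text.lower()
```

The clean-record scan is only a heuristic for this example; a real PCI-DSS review of storage goes well beyond a regex.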
So, if a customer says s/he's not sure whether they'll collect or want
it delivered, but will let the retailer know once the item has been
ordered & received by the retailer, then the retailer can't process
as CNP on order? (because it might end up being a collection)
"Mark Goodge" wrote
Hmmm. Can't process at time of order
(see above), yet that's the "only option"!!
What to do?
BeanSmart.com is a site by and for consumers of financial services and advice. We are not affiliated with any of the banks, financial services or software manufacturers discussed here.