New VISA machine - mandatory security code

In my business we take credit cards and due to the type of business we are in we have had zero fraud in 15 years. We therefore don't ask for the security code as this gives our customers extra protection.
We have been paying £17/month for the machine rental.
Now they tell us that we must change to a new machine which is £23/month and the security code will be mandatory.
Is this a scam or is it real? What are the options? Currently we use the same card processor as our main bank.
Virtually all our business is 'customer not present'.
"Postman Pat" wrote

We used a card processing machine supplied by HSBC and they too have recently upped the monthly rental from 15 to 20 (both +VAT), along with increased charges on individual transactions.
The security code is not needed for normal (in store) transactions, but is always required for those where the cardholder is not present.
It's amazing how the banks are screwing small businesses in this & similar ways. In our case (and numerous others that we know) they've also changed their charging regime (without any negotiation) for normal day-to-day banking services, and the changes are certainly not to our advantage.
The bank is now our single highest monthly expenditure (other than for stock purchases & wages); that despite the fact that we don't owe them any money or use any overdraft facilities, and our business account is usually substantially in credit. The amount they take from us each month exceeds our monthly business rates.
John.
Postman Pat wrote:

If you have a Payment Card Industry Data Security Standard compliant system in place, taking the CV2 should not increase the risk to your customer.

I'm surprised to discover there are still machines around that permit CNP transactions without the CV2. However, on my machines, the CV2 is only 'mandatory' in that you have to enter one to complete the transaction. You could, in theory, enter any number you like and still accept the transaction when it says no data matches.
Colin Bignell

I'd say that regardless of how secure the system in place is, the company never having the CV2 number has got to be less risky to the customer than the company having the number, all other things being equal and assuming the zero fraud situation is still the case.

Of course that is true.
Most frauds are really obvious, like somebody from Russia ordering 100 of everything on our price list, with a credit card.
The problem is that most companies employ a load of chimps doing this work so the Russian's order will simply get processed with the account manager smiling at his month's bonus payment.
But the company will get a chargeback, CV2 or no CV2, because a CC payment is not "cleared funds"... not for about 6 months.
Simon Finnigan wrote:

If the system is PCI DSS compliant, the increase in risk is minimal. The CV2 is only held long enough to obtain authorisation and if the transaction is being done by phone, need never even be written down.
Colin Bignell
Nightjar wrote:

But even if they *need not* be written down, they still *can be* written down. The suggestion is that no matter how compliant or secure the machine is, the person operating it can still be a crook, and can write down the details and type them in later, and then sell his notepad to his accomplice in the pub.
On Fri, 30 Jul 2010 18:20:34 +0100, Ronald Raygun wrote

I was horrified when I had ordered a book on a local bookseller's website for collection at their premises.
I had paid online with my credit card and address, CV2 details etc.
When I got to their collections desk, there was my order, printed out in full, card number, CV2, address, the lot lying on the desk. In a public space, on full view, with other customers just milling about looking at books - as you would in a book shop.
Apparently, their https:// website's e-commerce system consists of taking the entered details, and printing them out.
When I collected my book, they typed the number and CV2 into a terminal by hand, and processed the order.
I left them with no doubt about what I thought of their ordering system and security.
--
Col



That's quite normal in small companies.
On Fri, 30 Jul 2010 19:22:45 +0100, Postman Pat wrote

What? And leaving them on a desk in a public space?
In a staff only office, perhaps - just perhaps.
--
Col


wrote

My wife is a member of the local health centre and was asked by the receptionist to complete a new application. The receptionist then picked the top form off the pile sitting on the reception counter and the wife brought it home to complete.
The form was a duplicate, top white and bottom pink. When I looked closely, the white had imprints of someone else's details and the pink CLEARLY showed every detail of someone else, card number, bank account, sort code, CV2, address, home phone, mobile, the whole works. This person must have filled out their form on the top of the pile, at the counter, not realising one or more of the forms below were duplicating her details. Now there's security for you.

The reality however is that this is unlikely to result in card fraud. It's a bit like parking your car unlocked. The chance of a thief just happening to walk past is small.
Most card fraud is done with large-scale break-ins into company databases and servers, where the full cardholder details are held, even if only temporarily. Or thefts of card machines from garage forecourt shops, which are followed by an extraction of the transaction logs.
I had to fill in that card processing security verification form the other week. It was all meaningless bollox. A bit like those brainless forms generated by brainless self-important ISO9000 quality managers asking whether you segregate defective incoming goods. NO SIR WE MIX IT ALL UP AND USE IT IN PRODUCTION... what a load of w*ankers. The card security form asks a load of questions which are obvious as to how they should be answered, and anyway most small companies won't have the IT resources to really conform. We still use paper, which is why we don't ask for the security code.
On 30/07/2010 19:22, Postman Pat wrote:

Not in any company I'm involved in. You just know that these guys were using an email enabled form that was sending the data in plain text to a mail-box waiting to be cracked.
There's no wonder card fraud is rife with this kind of idiocy; it's as bad as TKMax but on a smaller scale.
On Fri, 30 Jul 2010 19:22:45 +0100, Postman Pat

It is completely unacceptable.
And if your card service ever gets wind of it, is likely to lead to your authorisation being withdrawn.
You should NEVER print out the full card number, nor the CV2. Under any normal processing circumstances.
--
Alex Heney, Global Villager
Nothing is as inevitable as a mistake whose time has come
wrote:

100% unacceptable.

I'm not happy when they print out just the last 4 digits of the card number. The other 12 digits would be the easiest to guess if you know the company that issued the card.
And I still wonder how my card details were obtained by a fraudster when I had only used it for a small number of online purchases, all with well known (large) companies and the card had never been near an ATM or C&P machine.
--
(\__/) M.
(='.'=) Due to the amount of spam posted via googlegroups and
Colin Harper wrote:

They are in breach of their agreement with their card handling provider in a number of ways and a complaint to the provider would be in order and probably a lot more effective:
1) As payment was taken on collection, it was wrong to take the CV2 in the first place.
2) As you were present during the transaction, it was wrong to process it as cardholder not present. It should have been verified by PIN (or signature in some cases)
3) They breached the following requirements of the Payment Card Industry Data Security Standard
Requirement 3 - Protect stored card holder data
Requirement 7 - Restrict access to cardholder data by business need-to-know
Requirement 9 - Restrict physical access to cardholder data
and probably, Requirement 12 - Maintain a policy that addresses information security.
Colin Bignell
Nightjar wrote:

Just poor training, I think. Normally what I would have expected to happen in the case of a "hold for collection" order is that payment be taken in the same way as if it had been mail order. That means a "customer not present" method must be used. It is still advisable to retain the card details so that whoever collects the goods can produce the card as proof of identity. Naturally in such a case, it would be sufficient to retain the card number without any of the related guff like expiry date or CV2 code.
That said, what if goods are not in stock at time of order? It is considered bad form for mail order retailers to debit one's card before the goods are ready for dispatch, and so if they take card details, there is no alternative to recording full details including CV2, is there?
On Sat, 31 Jul 2010 22:05:59 +0100, Ronald Raygun put finger to keyboard and typed:

No, Nightjar is correct. "Hold for collection" orders should normally be processed as a standard over-the-counter transaction at the time of collection.
"Cardholder not present" transactions should usually only be processed when the cardholder is not present at any time during the transaction. If the cardholder is present at any time in the process, including collection of an order placed previously, then it ceases to be CNP.
There are exceptions to this, but they would be unlikely to apply to a typical small retailer.

There are two ways of doing it. The first is to debit or reserve funds from the customer's card at the time of the order. In practice, this is the only option available to small and medium-sized retailers that do not have the necessary facilities to be able to legitimately store card details. The second is to validate the card (using the cvv) at the time of order, but then store the card details (excluding cvv) and use them to debit the previously-validated card at the time of dispatch. This requires the facility to securely store card details as well as carry out separate validation and debit transactions, and hence be fully compliant with the PCI-DSS requirements. It is, therefore, expensive to implement and only practical for larger companies.
The idea that retailers shouldn't debit a card until dispatch is, unfortunately, responsible for a lot of bad (and insecure) practice among smaller sellers. While it may well be good customer service to delay debiting, there is no legal requirement to do so and good security practice makes it impractical for many retailers. But, because it's widely perceived by customers as a good thing, many retailers are tempted to do it anyway by storing details insecurely and illegally. And customers in turn, because of their preference for delayed debiting and lack of awareness of both the law and good security practice, connive in this by using retailers which operate illegally and insecurely rather than those which do the right thing.
From my perspective of working within the online retail industry, I have to say that I'd be very suspicious indeed of any small retailer which didn't take my money at the time I placed the order. The inconvenience of paying up front for something which turns out to be out of stock is relatively trivial compared to the very real risk of fraud that I am exposed to by a retailer which stores my card details insecurely.
Mark
--
Blog: http://mark.goodge.co.uk
Stuff: http://www.good-stuff.co.uk
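The "validate at order, debit at dispatch" flow Mark describes, as an added Python sketch that is not part of the thread or of any processor's real API: the vault, the token, and all function names are constructed assumptions, and the point it shows is that the retailer-side record has no place for the CV2 and only ever exposes the last four digits of the PAN.

```python
import secrets
from dataclasses import dataclass, asdict

# Constructed stand-in for the card processor's vault. The retailer never sees
# its contents; it only holds the opaque token handed back by validate_at_order().
_PROCESSOR_VAULT: dict[str, dict] = {}


@dataclass(frozen=True)
class StoredCard:
    """Everything the retailer keeps between order and dispatch.
    There is deliberately no field for the CV2/CVV."""
    token: str       # opaque reference into the processor's vault
    masked_pan: str  # only the last four digits survive, for receipts and pick lists
    expiry: str      # MM/YY


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test, the same sanity check a terminal applies before authorising."""
    digits = [int(d) for d in pan if d.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Render a PAN the way a compliant receipt does: asterisks plus the last four."""
    return "*" * (len(pan) - 4) + pan[-4:]


def validate_at_order(pan: str, expiry: str, cvv: str) -> StoredCard:
    """Step one: validate the card (using the CV2) and keep a record WITHOUT the CV2."""
    if not luhn_ok(pan) or not (cvv.isdigit() and len(cvv) in (3, 4)):
        raise ValueError("card failed validation")
    token = secrets.token_hex(8)
    _PROCESSOR_VAULT[token] = {"pan": pan, "expiry": expiry}  # CV2 is not written anywhere
    return StoredCard(token=token, masked_pan=mask_pan(pan), expiry=expiry)


def debit_at_dispatch(card: StoredCard, pence: int) -> str:
    """Step two: charge the previously validated card and return the receipt line."""
    if card.token not in _PROCESSOR_VAULT:
        raise KeyError("unknown card token")
    return f"Charged £{pence / 100:.2f} to card {card.masked_pan} exp {card.expiry}"


def record_contains(card: StoredCard, value: str) -> bool:
    """True if the retailer-side record contains the given value anywhere (leak check)."""
    return value in str(asdict(card))
```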
"Mark Goodge" wrote

So, if a customer says s/he's not sure whether they'll collect or want it delivered, but will let the retailer know once the item has been ordered & received by the retailer, then the retailer can't process as CNP on order? (because it might end up being a collection)

"Mark Goodge" wrote

Hmmm. Can't process at time of order (see above), yet that's the "only option"!!
What to do?
