Due to Chip and Pin, the number of online fraudulent transactions (by
fraudsters) has increased since they do not need a PIN number to use
your cards if they have stolen/cloned it/got the numbers from somewhere.
Mastercard and Visa have introduced a good system so that when you have
entered your card details, you enter three letters from a password
before the payment will go through for verification. It is so easy to
enrol in this scheme, and the password makes it almost impossible for
anyone who is illegitimately using your card to make a purchase to
complete the transaction.
This scheme has been in place for over a year now, and we online traders
are encouraged to use it to minimise the risk of fraud (something we are
obliged to do under our Merchant T&C).
Three times I have tried to implement it, but every time I do, we have
more orders that never go through than those which do, and our business
would fail, so we end up switching it off again.
PLEASE enrol in this scheme, both for your protection and ours - it only
takes a moment, and you are only required to enrol once - remember the
password and use it for all MC/Visa transactions where 3D Secure is
Under these difficult trading conditions, and increasing threat of
fraud, we have to cooperate to beat the fraudsters and at the same time
ensure that our businesses can actually remain trading.
You're up late.
Interesting viewpoint. Can you tell me how it is for my protection?
In these times of hardship retailers need to be making it oh so easy for
their customers and their customers will stick with them. My main
supplier soft-coats me into shopping with them, it's easy, I like the
web site, there's a stack-load of information, and a customer service
rep who is pleasant to talk to. I probably spend 25k/year with them or
30k in a good year. The second supplier insists I phone up, he's ok to
talk to, I can't browse and humm-and-ahh I probably spend 10k/year with
him. There is no difference in the price, in fact the main supplier I
tend not to negotiate on price so probably pay a little more.
3D Secure is a PITA to use, I can't ever remember my passwords, and if
it comes up I go to a different site who doesn't use it. Me making life
easier for you isn't the game. Soft-soaping your customers is.
Because it is your card that is at risk - it is you that will have to go
to the hassle of trying to get money refunded if your card is cloned or
stolen. What's more it could be some time before you realise that your
card has been cloned or stolen, and the thief could have spent thousands
on it...I don't really understand the question - I would have thought it
Do you not feel that you have any responsibility for your credit card?
What about your wallet?
As a retailer, I will promise not to process any transactions that look
dodgy, but that does not mean that all retailers are as conscientious
about it - I could just process all the payments and hope that none ever
get charged back. I hope I am being a responsible retailer to that
effect. I think that people should take similar responsibility for their
belongings. If they don't want to, then I hope they will not complain
that it happens to them - card fraud is a fact of life and isn't going
away because people feel put out by it.
If we are not making a profit, it doesn't matter how easy it is - we are
finished. This is a business...
Is this retail or wholesale? I mostly only do telephone payments with
I can't see why - all my cards with one bank have the same password. It
might look annoying, but you soon get used to it, and if you do online
banking, you are required to enter more information than that.
Sooner or later, we will be required to use it I'm afraid.
It isn't about you making my life easier - it's about you taking
measures to ensure you are not ripped off. ?
Still, it's your card and it's your choice.
Well now, I can see it being good for the retailer. If someone who has
my card number (and it's hardly the biggest secret in the world) makes a
fraudulent transaction then the banks have to do a refund, they will
reverse the transaction with the retailer who will not only have
additional charges to pay for the reversal but might have shipped goods.
It's no hassle to me because I'm covered, it's no hassle for the banks,
they are covered, the one exposed is you. So it's a simple question, how
does it benefit me?
>Is this retail or wholesale? I mostly only do telephone payments with
Servers mainly. Neither retail nor wholesale. I tend not to buy them in
in batches :)
>> 3D Secure is a PITA to use,
>I can't see why - all my cards with one bank have the same password.
>It might look annoying, but you soon get used to it, and if you do
>online banking, you are required to enter more information than that.
Well it diverts you another unknown website and starts asking for
security information. That is where I hang up on the transaction or if I
really need it call the bank or get it entered manually. It's way too
easy to forge these things using DNS insertion, fake certificates, or
even just a fake website hanging off the merchant site (that wouldn't
work on me because I do check the certificate). How do I know it's my
bank and not a rogue site? I don't do online banking for the same
reason, until they start to issue tokens or something similar.
> I can't ever remember my passwords, and if it comes up I go to a
> different site who doesn't use it.
>Sooner or later, we will be required to use it I'm afraid.
>> Me making life easier for you isn't the game. Soft-soaping your
>It isn't about you making my life easier - it's about you taking
>measures to ensure you are not ripped off. ?
Ahh back to that again. It's not me who can be ripped off with a
fraudulent transaction, it's you.
>Still, it's your card and it's your choice.
In my experience as a customer it's a complete pain in the arse to be
directed away from a merchant's secure site to re-enter details that I've
already supplied into some third party 'unknown' site that is often slow
and times out.
When a seller makes payment for goods so difficult I usually abandon the
purchase. Judging from your observation it's not that people haven't
signed up but that the system doesn't work very well and people cannot
actually pay for the goods. Often the card verification web pages and
the way they are linked into the seller's web pages give the appearance
of a phishing site!
What's wrong with the sellers only requiring these additional
'safeguards' when the goods are to be supplied to an address that isn't
the card holder's registered address?
Mine is supplied by my card issuing bank, Natwest, so I presumed that it
would not appear as an 'unknown' site to other people, but their card
issuer's site. When I had to enrol on it to purchase something, it was
just a separate Natwest window - IIRC it asked me for my DOB and
postcode to prove I was the cardholder, asked me to register a password,
and then immediately returned me to the checkout pages of the site to
continue what I was doing. I've never had it time out - maybe for other
card issuing banks it's a different story, and it hadn't occurred to me
that this was happening. Thanks.
There is no way of doing that - we can only force the 3D rules by
setting value parameters for the transaction.
NB A merchant bank rep I was talking to a while back told me there was
no way that online retailers should even agree to send to any address
other than the cardholder's, though most business seems to.
I'm a little confused as to people's reluctance to engage with it (I
know it is a problem as I have seen forum discussions about the volume
of sales lost by retailers after implementing 3D) - it's just an online
version of Chip & Pin.
Just to reiterate, my reason for posting this is the same reason I have
posted before about the frustration of seeing payment after payment made
with people's obviously stolen cards and no-one to report it to or to
inform the cardholder. If people would use this system, at least for
Visa and Mastercard, there would be no point in the fraudsters even
trying. This type of fraud increased 14% last year, so I personally
really want to do something about it, as the banks and police are so
ambivalent about it. Those left to pick up the pieces are the cardholder
and the retailer who will just receive a chargeback.
For some types of goods it would be completely impractical for me to
accept delivery at my home address, and for the rest it is a PITA to
If there is usually nobody at home during working hours it makes far
more sense to take delivery at your work address.
I have on occasion ordered large, heavy goods that I need to use on
my boat. I need to have them delivered (by lorry) to where my boat is
kept. Delivering such items to my home address would be useless to
me, because I would then have to arrange separate transport to my
I agree entirely - the problem is that a common feature of a fraudulent
transaction is where they have the entire card details of someone,
somehow, but have it delivered to a different address. There are some
websites which don't allow different shipping address, but we do because
so many of our customers are students away at college.
I've seen them time out regularly for a number of different banks. I also
dislike the idea of having to enter security information into a frame that
realistically I have no way of knowing who provides that frame. I have the
option of digging down and finding out the hosting site, checking
certificates and so on, or spending my money elsewhere. Which option do you
think I'll take?
Which in itself is a reason to avoid it like the plague - it shifts the
blame from the bank/retailer onto the customer. I have a chip&signature
card, and if someone steals the card and uses it fraudulently then the bank
has to prove it is my fault. If I have a chip&pin card and someone steals
the card after obtaining the pin, I have to prove I wasn't negligent. And
how can I prove that - the fraudster has my pin number, so I must have been
negligent. Ditto 3D security - if the fraudster has my PIN, then it's my
Until and unless a merchant gives me a good reason to use 3D, I won't do it.
If it cuts down on your costs due to fraud then reward me with a discount
for using it. Otherwise you're asking your customers to put up with
aggravation simply to make life better for you, and why would a customer want
to do that?
I am not aware that the customer gets blamed if they get ripped off
while they have a chip and pin card. ?
Is it the case that should you still be ripped off, you won't be
believed and won't get your money back, because I've never heard of it.
As far as I know it's just another tool in the anti-fraud toolbox, not a
way of transferring blame. Also as far as I know the banks are never
blamed, and the retailer doesn't have a leg to stand on - he just gets a
chargeback anyway. BTW the retailer is not to blame if someone uses your
stolen card details on his site - if you want to blame him for being
negligent in not using available anti-fraud tools to avoid dodgy cards,
then why not also blame the customer for being negligent in not using
available tools in order to minimise the chance of their card being used
by a dodgy person?
I agree that the banks are ambivalent about it - they aren't going to
make any loss so why should they bother? They will process any payment
they are asked to, whether the card details match or not. The retailer
is definitely in a worse position because there is always a presumption
against him and the money automatically charged back (with associated
As far as I know, all you have to do is say that you did not make the
transaction to get your money back. We have had numerous customers with
totally correct card details who have later said that they did not make
the transaction - they are simply refunded and the money zapped from the
retailers bank account. Too many of those and the retailer can lose
their merchant account - they are out of business.
Is this true? Do you have any details of that because I've never heard
My bank card was cloned a while back and my account cleaned out through
a hole in the wall. I did not lose the money even though they obviously
entered the correct PIN to get the money out. The bank refunded the
money the next day.
It is meant to be for your protection...and at the same time benefits
the retailer. It is a symbiotic relationship, customer and retailer,
though you'd never think so at times...
How is it to make life better just for me? Or is that the customer v.
retailer conflict again? It does make us more certain that the card use
is genuine, but that benefits both parties, not just the retailer.
It is in all parties' interest to prevent card fraud, isn't it?
If we as retailers did not co-operate with fraud prevention, we would be
attacked for refusing to co-operate! If a customer refuses to
co-operate, then he is just what...daft? Sensible?
Now having read the comments here, I understand the reasons why
customers might be reluctant to use the 3D system, but I stand by my
comments that it is in both our interests - for you to protect your
cards, and us to protect our merchant account, and I would guess that
with banks pulling credit facilities all over the place at the moment,
that is even more so these days.
I can only hope then that something better than 3D secure comes along
soon, but I don't suppose it will make customers any more inclined to
use it because it will always be an inconvenience, even if it is safe.
Who is telling you that it is any safer than not going through 3D? Surely
not the same people who have misplaced many 100s of billions of GBP
because they have no idea of what's happening inside their own
organisations and networks.
Perhaps the increase of fraudulent activity is directly related to the
way retailers operate their own sites and then lose control of secure
information when redirecting to a third party site. Judging by your
observations I guess that for many this redirection away from the
retailer's site is a suspect part of the transaction and people are
taking the good advice given by the banks and abandoning the
transaction. Banks and credit card companies tell us to NEVER give
passwords or any other details to phishing sites. Is the pop-up window
actually the bank's own site or is it somewhere else? Just because it has
a mastercard/visa logo on the page doesn't make it genuine.
I think the real problem with that is that it so undermines the concept
of an SSL certificate that it becomes impossible to teach the general
public how to use them securely.
Basically, if you get redirected off to acme-payment-service.com, or
worse secure.yoyodyne.net (apologies if these domains exist) and you do
not know what these domains are, you have no guarantee that you are not
giving your payment details to a fraudster, or even that the referring
site is owned by the company you thought you were ordering from.
With time one learns to recognise companies like WorldPay, who can be
trusted to validate their customers and handle your payment securely,
but until you learn to recognise and trust a payment handler, you could
be dealing with anyone.
Actually there is a benefit in dealing with a really well known payment
handler, in that they will have made some checks that the web site is a
reasonable business, whereas an SSL certificate for the site itself, at
best, only tells you the name of the owning company, not whether they
are a reputable business. However, at least at one time, sites handing
off to a payment handler would try and disguise this, whereas for
security it should be done very openly.
And increases your confidence that some money will be taken out of your
account, and paid to someone. However, the rogue trader you are talking
to has all the information they need to set up an independent connection
to Cyota to get that information, and pass it on to you and they can
make the actual transaction with a different amount of money, or to a
different account, or simply save the passphrase and password for a
subsequent fraudulent transaction.
Moreover, anyone else intercepting the transaction can do the same, as
long as you do not fully authenticate the trader (assuming they did use
In my view the passphrase has no security value at all, or rather a
negative one, as it gives false confidence. The only way of being
certain you are giving your password to someone authorised by your bank
1) determine the identity of organisation/web site that operates the
service for your bank;
2) on every transaction, verify that the SSL certificate for the frame
belongs to that organisation and was issued using one of the better
authenticated root certificates from a certifying authority you trust.
(This assumes that you are confident that your browser and PC haven't
been tampered with.)
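
The two checks listed in the post above, written out as an added example (not part of the original post or of any bank's or scheme's own code). It works on dictionaries in the shape Python's ssl.SSLSocket.getpeercert() returns after the TLS library has already validated the chain; the host names, organisation names and certificate contents are constructed for illustration.

```python
import ssl
import time

# Constructed samples in the dict shape returned by ssl.SSLSocket.getpeercert().
# Every name and value below is made up for illustration.
SAMPLE_OV_CERT = {
    "subject": ((("countryName", "GB"),),
                (("organizationName", "Example Bank plc"),),
                (("commonName", "acs.examplebank.test"),)),
    "issuer": ((("organizationName", "Example Trusted CA"),),
               (("commonName", "Example Trusted CA G2"),)),
    "subjectAltName": (("DNS", "acs.examplebank.test"),),
    "notAfter": "Jan  1 00:00:00 2099 GMT",
}
SAMPLE_DV_CERT = {  # domain-validated: the subject carries no organisation
    "subject": ((("commonName", "secure.lookalike.test"),),),
    "issuer": ((("organizationName", "Example Budget CA"),),
               (("commonName", "Example Budget CA R1"),)),
    "subjectAltName": (("DNS", "secure.lookalike.test"),),
    "notAfter": "Jan  1 00:00:00 2099 GMT",
}


def _field(name, key):
    """Return the first value of `key` in a getpeercert() subject/issuer tuple."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None


def check_frame_cert(cert, host, expected_org, trusted_issuer_orgs, now=None):
    """Return reasons to distrust the password frame; an empty list means it passed."""
    problems = []
    now = time.time() if now is None else now
    sans = [v.lower() for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if host.lower() not in sans:
        problems.append("hostname not in certificate")
    # Step 2a: the certificate must name the organisation identified in step 1.
    org = _field(cert.get("subject", ()), "organizationName")
    if org is None:
        problems.append("no organisation in subject (domain-validated only)")
    elif org != expected_org:
        problems.append("subject organisation is %r, expected %r" % (org, expected_org))
    # Step 2b: the issuer must be one of the authorities the user chose to trust.
    issuer = _field(cert.get("issuer", ()), "organizationName")
    if issuer not in trusted_issuer_orgs:
        problems.append("issuer %r not in trusted list" % issuer)
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        problems.append("certificate expired")
    return problems
```

A certificate that only proves control of a domain fails the organisation check outright, which is the case where the padlock alone tells the cardholder nothing about who runs the frame.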
But by asking me to use 3D, you're asking me to give security information to
an unknown website. That is surely a very bad idea!
I do take all reasonable steps. I avoid any site that asks me for anything
more than the bare essential info for a payment. I keep my card physically
secure, and I keep my house network as secure as possible. Asking me to
verify the security credentials of every site I want to buy from, and every
step along the payment chain, is being unreasonable. I could just as easily
ask you to manually verify every transaction is going to an address
associated with the registered card holder, and telephone that address to
check its legit. Both are an unreasonable use of time.
Not everyone is as lucky as you.
But it ISN'T for my protection at all. What it is there for is to "prove"
I was negligent in letting someone else get my details. Duff transaction
using 3D, I must have given my password out, therefore I have to foot the
bill. Why would I agree to such a system when the current one makes it much
harder for me to get into that situation.
Yes, but I'm not the one who will be paying for the fraud, you will be. And
if you want me to use a slower, more annoying method to verify who I am, you
will have to make it worth my while. Until that is done, I'll stick with
the current system which works very well for me.
It depends - would you consider giving advice that goes against all
anti-phishing advice to be a good idea or a bad idea?
Yes it will be more annoying to use, but why not offer a trade off. Get 1%
off your order for using our new secure system. It'll reduce your costs
due to fraud, and give people an incentive to pay that way. Is there any
reason why this isn't an option?
Natwest's site is https://www.nwolb.com/ which comes up with a nice green
title bar saying it is owned by Royal Bank of Scotland Group plc.
The Mastercard Secure thing comes up as something like
https://www.securesite.co.uk/ with no green title bar to reassure me that
it is not a phishing site, and further digging suggests it is owned by
someone I've never heard of.
Perhaps another reason why many transactions may fail when redirected to
that bank's site
The Internet browser you are using is not supported by online banking.
And yet they claim to support the browser that I'm using (Opera 9.63)!!