Trying to Make Online Shopping More Secure - Useless - Please Enrol in 3D Secure

Sounds like a good idea but puzzled by your post which says "Three times I have tried to implement it, but every time I do, we have more orders that never go through than those which do" and then tells us to use it! What happens to the orders that don't go through?

Reply to
claire.easthope

We just have an unpaid order sitting on the database until we delete it! What I'm saying is that we get many more abandoned orders when we switch it on, maybe because, for the reasons outlined by others, they are put off using it and so go and buy the item they want elsewhere.

Reply to
Maria

I see. Didn't realise you were talking as the business! Just out of interest, what do you sell?

Reply to
claire.easthope

Most likely because the customer comes across it so rarely that s/he has forgotten the password. If a web site transaction comes up with a question that I cannot answer or becomes too onerous (such as unreadable captchas), I usually abandon it and look for somewhere that makes it easier for me to buy the item.

I had an order once for a significant amount. Upon entering my CC details, up came the message, "You are a returning customer. Please log in using your previous username and password."

Sure, I had used the site months previously, but had no idea what username and password I had chosen, so I abandoned a +/- £2000 transaction and bought the stuff elsewhere.

Reply to
Cynic

I've seen them time out regularly for a number of different banks. I also dislike the idea of having to enter security information into a frame when realistically I have no way of knowing who provides that frame. I have the option of digging down and finding out the hosting site, checking certificates and so on, or spending my money elsewhere. Which option do you think I'll take?

Which in itself is a reason to avoid it like the plague - it shifts the blame from the bank/retailer onto the customer. I have a chip & signature card, and if someone steals the card and uses it fraudulently then the bank has to prove it is my fault. If I have a chip & PIN card and someone steals the card after obtaining the PIN, I have to prove I wasn't negligent. And how can I prove that - the fraudster has my PIN number, so I must have been negligent. Ditto 3D Secure - if the fraudster has my PIN, then it's my fault.

Until and unless a merchant gives me a good reason to use 3D, I won't do it. If it cuts down on your costs due to fraud then reward me with a discount for using it. Otherwise you're asking your customers to put up with aggravation simply to make life better for you, and why would a customer want to do that?

Reply to
Simon Finnigan

Ok I got that part!

I am not aware that the customer gets blamed if they get ripped off while they have a chip and PIN card. Is it the case that should you still be ripped off, you won't be believed and won't get your money back? Because I've never heard of it. As far as I know it's just another tool in the anti-fraud toolbox, not a way of transferring blame. Also as far as I know the banks are never blamed, and the retailer doesn't have a leg to stand on - he just gets a chargeback anyway. BTW the retailer is not to blame if someone uses your stolen card details on his site - if you want to blame him for being negligent in not using available anti-fraud tools to avoid dodgy cards, then why not also blame the customer for being negligent in not using available tools in order to minimise the chance of their card being used by a dodgy person? I agree that the banks are ambivalent about it - they aren't going to make any loss so why should they bother? They will process any payment they are asked to, whether the card details match or not. The retailer is definitely in a worse position because there is always a presumption against him and the money automatically charged back (with associated expenses).

As far as I know, all you have to do is say that you did not make the transaction to get your money back. We have had numerous customers with totally correct card details who have later said that they did not make the transaction - they are simply refunded and the money zapped from the retailer's bank account. Too many of those and the retailer can lose their merchant account - they are out of business.

Is this true? Do you have any details of that because I've never heard of it. My bank card was cloned a while back and my account cleaned out through a hole in the wall. I did not lose the money even though they obviously entered the correct PIN to get the money out. The bank refunded the money the next day.

It is meant to be for your protection...and at the same time benefits the retailer. It is a symbiotic relationship, customer and retailer, though you'd never think so at times...

How is it to make life better just for me? Or is that the customer v. retailer conflict again? It does make us more certain that the card use is genuine, but that benefits both parties, not just the retailer. It is in all parties' interests to prevent card fraud, isn't it? If we as retailers did not co-operate with fraud prevention, we would be attacked for refusing to co-operate! If a customer refuses to co-operate, then he is just what...daft? Sensible? Now having read the comments here, I understand the reasons why customers might be reluctant to use the 3D system, but I stand by my comments that it is in both our interests - for you to protect your cards, and us to protect our merchant account, and I would guess that with banks pulling credit facilities all over the place at the moment, that is even more so these days. I can only hope then that something better than 3D Secure comes along soon, but I don't suppose it will make customers any more inclined to use it because it will always be an inconvenience, even if it is safe.

Reply to
Maria

Yes, I'll second that, any site which has "Verified by Visa" or the Mastercard equivalent turned on is a site that I will avoid if I possibly can - even to the extent of paying a little more for something. None of the sites where I spend significant amounts of money have implemented these - e.g. Screwfix, CPC, etc.

Reply to
tinnews

In message , Maria wrote

Who is telling you that it is any safer than not going through 3D? Surely not the same people who have misplaced many 100s of billions of GBP because they have no idea of what's happening inside their own organisations and networks...

Perhaps the increase of fraudulent activity is directly related to the way retailers operate their own sites and then lose control of secure information when redirecting to a third party site. Judging by your observations I guess that for many this redirection away from the retailer's site is a suspect part of the transaction and people are taking the good advice given by the banks and abandoning the transaction. Banks and credit card companies tell us to NEVER give passwords or any other details to phishing sites. Is the pop-up window actually the bank's own site or is it somewhere else? Just because it has a Mastercard/Visa logo on the page doesn't make it genuine.

Reply to
Alan

Natwest's site is [link], which comes up with a nice green title bar saying it is owned by Royal Bank of Scotland Group plc. The Mastercard Secure thing comes up as something like [link], with no green title bar to reassure me that it is not a phishing site, and further digging suggests it is owned by someone I've never heard of.

Reply to
Jonathan Bryce

Perhaps another reason why many transactions may fail when redirected to that bank's site:

The Internet browser you are using is not supported by online banking.

And yet they claim to support the browser that I'm using (Opera 9.63)!!

Reply to
Alan

I think you will actually find that they are all supplied by Cyota Inc, a US company. Some banks have sufficient clue to actually get them to use an SSL certificate and domain name that match the bank, but some simply use a specific co.uk (secure-suite?) site which is actually owned by the US company.

In any case the challenge is normally provided with chrome disabled, so you have to go out of your way to check the identity of the site. Unless you actually check the SSL certificate, you cannot know that the phrase you gave Cyota to confirm that they really are the bank wasn't obtained on a separate connection to Cyota by the company operating the untrusted web site on which you started the payment process.

For the average punter who doesn't check SSL certificates, the risk of a man in the middle attack is not reduced at all.

Reply to
David Woolley

I think the real problem with that is that it so undermines the concept of an SSL certificate that it becomes impossible to teach the general public how to use them securely.

Basically, if you get redirected off to acme-payment-service.com, or worse secure.yoyodyne.net (apologies if these domains exist) and you do not know what these domains are, you have no guarantee that you are not giving your payment details to a fraudster, or even that the referring site is owned by the company you thought you were ordering from.

With time one learns to recognise companies like WorldPay, who can be trusted to validate their customers and handle your payment securely, but until you learn to recognise and trust a payment handler, you could be dealing with anyone.

Actually there is a benefit in dealing with a really well known payment handler, in that they will have made some checks that the web site is a reasonable business, whereas an SSL certificate for the site itself, at best, only tells you the name of the owning company, not whether they are a reputable business. However, at least at one time, sites handing off to a payment handler would try and disguise this, whereas for security it should be done very openly.

Reply to
David Woolley

The IP address comes down to them as well. I suspect they are their own man in the middle, because, as far as I know the actual service is operated by the same people for everyone. They do, however, seem to have taken the necessary steps to establish proper trust, for those who understand that the counter password is worthless.

Most banks use this, which is owned by Cyota Inc, in the States.

Reply to
David Woolley

As far as I can tell, it is the same system operated by the same company, as the one used by Mastercard.

Reply to
David Woolley

I had that problem. The password security requirements are particularly high, which combined with it being a banking site for which I use unique passwords, makes it particularly difficult to remember.

Reply to
David Woolley

On re-reading, I think you are talking about the online banking site, not the 3D secure site. The problem with that as an online banking site is that the domain name is not the well known domain name for the bank, and it is only the very latest browsers that have started displaying the subject name for a particularly secure class of SSL certificate.

Reply to
David Woolley

But by asking me to use 3D, you're asking me to give security information to an unknown website. That is surely a very bad idea!

I do take all reasonable steps. I avoid any site that asks me for anything more than the bare essential info for a payment. I keep my card physically secure, and I keep my house network as secure as possible. Asking me to verify the security credentials of every site I want to buy from, and every step along the payment chain, is being unreasonable. I could just as easily ask you to manually verify every transaction is going to an address associated with the registered card holder, and telephone that address to check it's legit. Both are an unreasonable use of time.

Not everyone is as lucky as you.

But it ISN'T for my protection at all. What it is there for is to "prove" I was negligent in letting someone else get my details. Duff transaction using 3D, I must have given my password out, therefore I have to foot the bill. Why would I agree to such a system when the current one makes it much harder for me to get into that situation?

Yes, but I'm not the one who will be paying for the fraud, you will be. And if you want me to use a slower, more annoying method to verify who I am, you will have to make it worth my while. Until that is done, I'll stick with the current system which works very well for me.

It depends - would you consider giving advice that goes against all anti-phishing advice to be a good idea or a bad idea?

Yes it will be more annoying to use, but why not offer a trade off. Get 1% off your order for using our new secure system. It'll reduce your costs due to fraud, and give people an incentive to pay that way. Is there any reason why this isn't an option?

Reply to
Simon Finnigan

The pop-up window contains the passphrase which you originally agreed with the card issuer when you registered for the service.

Chris

Reply to
Chris Blunt

And increases your confidence that some money will be taken out of your account, and paid to someone. However, the rogue trader you are talking to has all the information they need to set up an independent connection to Cyota to get that information, and pass it on to you and they can make the actual transaction with a different amount of money, or to a different account, or simply save the passphrase and password for a subsequent fraudulent transaction.

Moreover, anyone else intercepting the transaction can do the same, as long as you do not fully authenticate the trader (assuming they did use SSL).

In my view the passphrase has no security value at all, or rather a negative one, as it gives false confidence. The only way of being certain you are giving your password to someone authorised by your bank is to:

1) determine the identity of the organisation/web site that operates the service for your bank;
2) on every transaction, verify that the SSL certificate for the frame belongs to that organisation and was issued using one of the better authenticated root certificates from a certifying authority you trust.

(This assumes that you are confident that your browser and PC haven't been tampered with.)

Reply to
David Woolley
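The following Go program is an added illustration and is not code from the thread or from any bank or 3D Secure operator. It contrasts the passphrase-only check that David Woolley's posts above describe as worthless (a relaying merchant or an interceptor can fetch the phrase over its own connection and display it) with the two-step certificate check he lists. Everything in it is constructed: the operator's name is a placeholder, the hosts are under the reserved .test domain ("yoyodyne" is borrowed from the thread's own made-up example), and the certificates and trust store are generated in memory when it runs. It goes slightly beyond the post by including a third frame whose certificate chains to a trusted root but belongs to a different organisation, which is exactly why step 1 (knowing who operates the service) is needed in addition to step 2.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed stand-ins for what the user has established beforehand: the
// operator's name (a placeholder) and the phrase registered with the bank.
const (
	operatorOrg = "Example ACS Operator Ltd"
	registered  = "my tulips are purple"
)

// Frame is what a browser can observe about the pop-up asking for the 3D Secure
// password: its host, the phrase it displays and the certificate it presented.
type Frame struct {
	Host, Passphrase string
	Cert             *x509.Certificate
}

// passphraseOnlyCheck is what most users rely on; anyone who fetched the phrase
// over their own connection to the service passes it.
func passphraseOnlyCheck(f Frame, phrase string) bool { return f.Passphrase == phrase }

// verifyFrameCert is the post's two-step check: the certificate must chain to a
// trusted root and be valid for the frame's host (step 2), and its subject must
// name the organisation known to operate the service for the bank (step 1).
func verifyFrameCert(f Frame, org string, roots *x509.CertPool) error {
	if f.Cert == nil {
		return errors.New("no certificate presented")
	}
	if _, err := f.Cert.Verify(x509.VerifyOptions{DNSName: f.Host, Roots: roots}); err != nil {
		return fmt.Errorf("chain verification failed: %w", err)
	}
	for _, o := range f.Cert.Subject.Organization {
		if o == org {
			return nil
		}
	}
	return fmt.Errorf("certificate belongs to %v, not %q", f.Cert.Subject.Organization, org)
}

// mint generates a key pair and certificate: a self-signed CA named org when
// parent is nil, otherwise a server certificate for host issued by parent.
func mint(org, host string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // good enough for throwaway certs
		Subject:      pkix.Name{Organization: []string{org}, CommonName: host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if parent == nil { // self-signed root CA
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else {
		tmpl.DNSNames = []string{host}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// buildScenario mints an in-memory trust store and three frames that all show the
// registered phrase: [0] the real service, [1] a merchant relaying the phrase under
// its own publicly trusted certificate, [2] an interceptor behind a self-signed
// certificate. Every host and organisation is hypothetical.
func buildScenario() (*x509.CertPool, []Frame) {
	trustedCA, trustedKey := mint("Example Trusted Root CA", "", nil, nil)
	rogueCA, rogueKey := mint("Yoyodyne Self-Signed CA", "", nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	genuine, _ := mint(operatorOrg, "3ds.example-operator.test", trustedCA, trustedKey)
	retailer, _ := mint("Some Retailer Ltd", "secure.some-retailer.test", trustedCA, trustedKey)
	rogue, _ := mint("Yoyodyne", "secure.yoyodyne.test", rogueCA, rogueKey)
	return roots, []Frame{
		{"3ds.example-operator.test", registered, genuine},
		{"secure.some-retailer.test", registered, retailer},
		{"secure.yoyodyne.test", registered, rogue},
	}
}

func main() {
	roots, frames := buildScenario()
	for _, f := range frames {
		fmt.Printf("%-26s phrase ok: %-5v certificate check: %v\n", f.Host, passphraseOnlyCheck(f, registered), verifyFrameCert(f, operatorOrg, roots))
	}
}
```

Run with `go run`: all three frames report "phrase ok: true", but only the first passes the certificate check; the retailer's frame fails on the organisation name and the self-signed one on chain building. The host check uses the browser's own notion of the frame origin, which is why the post's point about the challenge being served "with chrome disabled" matters: the user has to go out of their way to see that host at all.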
