Legalities of Manual credit card processing?



Guest Brivtech

I've just come off the phone with my bank - they tell me that UK legislation now requires that any payments online are authorised online at the same time.

Therefore, capturing credit card details for manual entry into a terminal is no longer permitted.

Does anyone else know about this? It would mean that the manual credit card capture facility from Mals-E is technically not allowed, as it does not authorise the card.

Apparently, the reason for this legislation that was recently passed is to fill a gap for chip-and-pin over the internet; having online authorisation is apparently more secure. I wonder if it really is - I know exactly who my customers are, and if I take offline payments, I still have to authorise it through the terminal, and this includes address verification as well as security code numbers.


Seems odd to me as well since it means you cannot charge the card when the item is shipped any more which is what most people want. If an item is backordered or anything, the authorization probably would expire before you can capture it.

Also, it opens the door for greater fraud - one of the reasons I manually process all my charges is because of bogus orders I catch that I'm not sure an automatic processing routine would. Plus I check on items that may be sold out with the manufacturer before I run them.

Hope this is not true in the US.


Guest Brivtech

I've asked for some additional information regarding this, and I'll post it up as soon as it's forthcoming. I personally think this is crazy, and the bank's idea of making more money! Perhaps I'm wrong.


Guest Brivtech

Here we go, this is what the bank provided me with (attached).

Draw your own conclusions.

EDIT: Can't attach it, the file is too big, so here's the text pasted instead...

With reference to the Payment Card Industry Security Standard, here are the details of it as a PDF: https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf

In summary, these standards are:

Build and Maintain a Secure Network

Requirement 1:
Install and maintain a firewall configuration to protect cardholder data

Requirement 2:
Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

Requirement 3:
Protect stored cardholder data

Requirement 4:
Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

Requirement 5:
Use and regularly update anti-virus software

Requirement 6:
Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Requirement 7:
Restrict access to cardholder data by business need-to-know

Requirement 8:
Assign a unique ID to each person with computer access

Requirement 9:
Restrict physical access to cardholder data

Regularly Monitor and Test Networks

Requirement 10:
Track and monitor all access to network resources and cardholder data

Requirement 11:
Regularly test security systems and processes

Maintain an Information Security Policy

Requirement 12:
Maintain a policy that addresses information security

To further the adoption of the PCI DSS, the PCI Security Standards Council defines credentials and qualifications for QSAs and ASVs. The PCI Security Standards Council also manages a global training and certification program for QSAs and ASVs, and will publish a directory of certified providers on this Web site.

INTERNET GUIDELINES FOR MERCHANTS

Introduction

Lloyds TSB Cardnet has produced this guide to aid and support retailers who are considering taking card payments on the Internet. It is not a comprehensive list of requirements for trading over the Internet.

Businesses around the world are increasingly using the Internet to advertise and take payment for their goods or services. To accept card payments on the Internet you will need to have a web site that lets customers know who you are and the goods or services you have to offer. If you want to receive and process card transactions directly over the Internet, you will need to use a Payment Service Provider (PSP).

A list of PSPs that you can use is attached. Please contact them directly; they will be able to advise you of relevant costs, set-up times and how their systems integrate with your web site.

When choosing a Payment Service Provider (PSP) please ensure that they are compliant with or working towards the Payment Card Industry Data Security Standard (PCI DSS).

What is the Payment Card Industry Security Standard (PCI DSS) and how does it affect Internet merchants?

The payment card industry is concerned about the increasing incidents related to stolen cardholder account data. These thefts have resulted in merchants and financial institutions suffering fraud losses and unanticipated operational expenses, and of course the significant inconvenience to cardholders.

To protect your business, your customers (cardholders), and the integrity of the payments system, the card schemes (Visa and MasterCard) have introduced a set of requirements governing the safekeeping of account information; these are known as the Payment Card Industry Data Security Standard (PCI DSS).

Using a PSP means that you are taking an important step in protecting cardholder details, especially if your integration with them means that your Internet shopping software and back end systems do not store card data. If this is the case, then compliance with the PCI DSS will be completed by your chosen PSP.

However, if you choose to use a PSP but your integration method enables you to capture card details on your software and back office systems then you will need to comply with the PCI DSS.

If you are in any doubt as to whether the PCI DSS applies to you, please speak with your chosen PSP who will be able to confirm your type of integration and what you need to do.

For more information on the PCI DSS, visit

Visa - www.visaeurope.com/aboutvisa/security/ais

MasterCard - https://sdp.mastercardintl.com/merchants

Achieving PCI DSS Compliance - who can help

If you need help in achieving compliance with PCI DSS, LTSB Cardnet have engaged a specialist Qualified Security Assessor who can guide you through the process of completing the Self-Assessment Questionnaire and vulnerability scanning.

One-Sec

Telephone - 0845 456 9611

Email - [email protected]

www.one-sec.com

Alternatively, you are free to choose from the full list of Qualified Assessors or network-scanning organisations listed on the Visa and/or MasterCard web sites.

Authenticated Payments - Verified by Visa and MasterCard SecureCode

You may also want to check that your chosen PSP can support Verified by Visa and MasterCard SecureCode as this will offer you significant additional protection from chargebacks (disputed transactions).

Verified by Visa and MasterCard SecureCode are industry-wide initiatives introduced to combat fraud over the Internet. Much like chip and PIN for 'over the counter' transactions, cardholders who register for this service will be required to input a personal PIN or password at the time of the transaction to confirm they are the genuine cardholder.

How does Verified by Visa and MasterCard SecureCode work?

Verified by Visa and MasterCard SecureCode operate on your website and interact with both the customer and their card issuer. The customer signs up for these extra security features with their bank/card issuer.

• When shopping online, the cardholder selects their chosen goods and proceeds to the payment page

• The cardholder enters their card number. If they are registered for Verified by Visa and MasterCard SecureCode, a pop-up screen from their bank appears asking for their password.

• The bank verifies the password

• The transaction is completed giving both the retailer and the cardholder the confidence that the identity of each has been verified.

These new services also have an added benefit to you as a retailer. This is because regardless of whether cardholders use Verified by Visa or MasterCard SecureCode or not, retailers who offer these services will be protected from the majority of chargebacks where the cardholder subsequently denies engaging in or authorising the original transaction. For example, cardholder not accepting that the transaction is theirs.

For more information on Verified by Visa and MasterCard SecureCode, visit

www.visaeurope.com/merchant/handlingvisapayments/cardnotpresent/verifiedbyvisa.jsp

www.mastercardmerchant.com/securecode

Card Not Present transactions

Internet card transactions are processed as "card not present" transactions. This means that the signature of the cardholder and other information located on the card's magnetic stripe/chip cannot be verified, and so there is a higher risk of fraud on these transactions.

You must remember that the authorisation of the card transaction does not guarantee payment. It only confirms that the card has not been reported lost or stolen at the time of the transaction and that the cardholder has sufficient funds available in their account.

You should be aware that Internet card transactions might lead to the following customer disputes.

• The card was used by someone (possibly another member of the family) without the cardholder's knowledge

• The card was lost or stolen

• The cardholder may deny the transaction

• The cardholder may claim that the order has been cancelled

• They may claim that the goods have not been received

• The quality of the goods was not as described

All transactions processed on the Internet are done so at the merchant's own risk. Any disputes may result in a chargeback to the merchant irrespective of authorisation, under the Cardnet agreement.

Further information on how to guard against fraud can be found in the Cardnet Retailer Operating Manual.

Applying for an Internet facility with Lloyds TSB Cardnet

If you wish to trade over the Internet, advertising your goods or services and taking payment by credit or debit card, you will need a separate merchant account and Lloyds TSB's prior agreement to accept cards this way.

A new application must be made for an Internet account with Cardnet, even if you have an existing Cardnet account.

When your Internet account is approved, you will be issued with a new Cardnet Merchant number. This number must be used for Internet sales only. The reason for this is that all E-Commerce transactions need to be identified separately in compliance with the Card Schemes' (Visa/MasterCard) Electronic Commerce Indicator (ECI).

If your web site has already been designed then a copy of the layout, including a print-out of the Terms and Conditions of trading, must be provided with your application.

If your web page content is changed then you must submit print-outs of the new web pages to Lloyds TSB Cardnet for review. Lloyds TSB Cardnet may terminate your Internet account if the changes to the web pages are not submitted for approval.

Web Site design – Code of Best Practice

A well-designed web site will not only attract customers to the site but will also give the customer the confidence to purchase your goods online.

LTSB Cardnet believes the best practice is to follow these guidelines which will encourage your customers to return to your store and reduce the level of subsequent cardholder disputes on card payments taken over the Internet.

Terms and Conditions

Provide clear, easy to find terms and conditions on the web site.

Domain Name

The web site design should ensure that the customer clearly understands which company they are purchasing goods or services from. If your web site name is the same as the trading name of your company then the customer will easily recognise the transaction when it appears on their cardholder statement.

Commitment

The web site should clearly describe the nature of the goods or services for sale so that the customer understands the commitment that he is making. The best sites offer photographs and clear descriptions of all the products for sale.

Option to Cancel

When entering card details on a web site, the customer must be advised that they are committing to a payment, and be given the option to cancel. The cardholder should be asked to give positive confirmation that the transaction should be processed.

Contact

The web site must also include a customer service telephone number (including country code), trading address and country of domicile. This will improve the customer's confidence in ordering goods from your web site.

Total Costs

The web site must describe all of the costs associated with the purchase of the goods including any additional postage or courier costs. The customer should be advised if VAT and other duties may be payable on the purchase. The transaction currency should also be clearly indicated.

Stock

You should only advertise products that are currently available for sale and ensure there is sufficient stock. Please remember that the Internet provides you with a global marketplace.

Delivery

The web site should always advise the customer of the delivery time for all goods and services.

Delivery Methods

You should always arrange the delivery of your goods by registered post or recorded delivery or use a well-known courier service. You should take additional care when delivering goods to a third party address on behalf of the cardholder. The cardholder billing address should always be recorded in addition to the delivery address.

Communication

You should advise the customer by email of any delay in the delivery of goods so that the customer remains fully informed. This will reduce the number of customer queries and cancellation orders that you will receive.

Receipt

Regardless of which Internet option you choose you must always provide the customer with a receipt of the transaction. This receipt should include your Internet site address (home page URL) and/or your email address. A hardcopy receipt should also be provided with the delivery of the goods. You will also need to provide a copy of the receipt if the customer queries the transaction at a later date.

Shopping Cart Software

There are many companies offering 'shopping cart' software that integrates with your web site that will provide you with the ability to show photographs with all your product descriptions.
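The thread turns on two practical points: the back-order case raised above (an authorisation obtained at order time can lapse before the goods ship and the capture is attempted) and PCI DSS Requirement 3, which is what decides whether a merchant's own back office falls in scope when it keeps card details for later entry. The following is an added example, not code from the thread, from Mals-E or from Lloyds TSB Cardnet, that models an authorise-at-order, capture-at-dispatch flow in which the merchant record retains only a masked PAN and an authorisation reference. The class and function names, the seven-day hold window and the sample inputs are all assumptions made for the illustration; real hold periods are set by the acquirer.

```python
"""Added example (not the thread's, Mals-E's or Cardnet's code): a minimal
authorise-then-capture model for card-not-present orders.

Assumptions: names are invented for this example, AUTH_VALIDITY_SECONDS is a
made-up hold window, and the inputs in run_scenario() are constructed.
"""
from dataclasses import dataclass
from typing import Optional
import secrets

AUTH_VALIDITY_SECONDS = 7 * 24 * 3600   # assumed hold window; the acquirer sets the real one


@dataclass
class Order:
    order_id: str
    masked_pan: str                      # first six and last four digits only
    auth_ref: Optional[str] = None       # reference returned by the (simulated) authorisation
    auth_expires: Optional[int] = None   # epoch seconds after which the hold has lapsed
    state: str = "new"                   # new -> authorised -> captured | expired


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits of the PAN; the middle
    digits are replaced so the stored value cannot be used to transact."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def authorise(order_id: str, pan: str, cvv: str, now: int) -> Order:
    """Simulated online authorisation at order time.

    The full PAN and the security code exist only inside this call. What is
    returned carries a masked PAN and an opaque reference, never the CVV,
    which PCI DSS does not allow to be retained after authorisation.
    """
    if not (cvv.isdigit() and len(cvv) in (3, 4)):
        raise ValueError("security code rejected")
    return Order(
        order_id=order_id,
        masked_pan=mask_pan(pan),
        auth_ref=secrets.token_hex(8),       # stands in for the acquirer's reference
        auth_expires=now + AUTH_VALIDITY_SECONDS,
        state="authorised",
    )


def capture(order: Order, now: int) -> bool:
    """Capture at dispatch. Returns False and marks the order once the hold
    has lapsed, which is the back-order problem raised in the thread; a
    fresh authorisation would then be needed before the goods are shipped."""
    if order.state != "authorised":
        raise ValueError(f"cannot capture an order in state {order.state!r}")
    if now > order.auth_expires:
        order.state = "expired"
        return False
    order.state = "captured"
    return True


def run_scenario() -> dict:
    """Constructed walk-through: one order shipped within the hold window,
    one back-ordered past it. The PAN is a well-known test number."""
    t0 = 1_700_000_000
    prompt = authorise("ord-1", "4111 1111 1111 1111", "123", t0)
    prompt_ok = capture(prompt, t0 + 2 * 24 * 3600)      # shipped two days later
    late = authorise("ord-2", "4111 1111 1111 1111", "123", t0)
    late_ok = capture(late, t0 + 30 * 24 * 3600)         # shipped a month later
    return {
        "masked": prompt.masked_pan,
        "prompt_captured": prompt_ok,
        "prompt_state": prompt.state,
        "late_captured": late_ok,
        "late_state": late.state,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The design point is that nothing in `Order` is sufficient to re-run a payment: the merchant's own systems hold a masked PAN and a reference, which is the integration the Cardnet guide describes as leaving PCI DSS compliance with the PSP, whereas a system that keeps full card numbers for later manual entry into a terminal is the one the guide says must itself comply.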

Guest jdizon

Seems odd to me as well since it means you cannot charge the card when the item is shipped any more which is what most people want. If an item is backordered or anything, the authorization probably would expire before you can capture it. Merchant Services

Guest johnvarenda

hi..

The information given by you is very reliable and easy to understand....

Thanks..

................

data entry india
