
Internet Trading

There has been phenomenal growth in spending over this remote sales channel. APACS’ statistics show that £101bn of goods and services were purchased over the internet between 2000 and 2006. Sales increased more than eightfold, from £3.5bn in 2000 to £30.2bn in 2006.

When a merchant starts trading over the internet they take orders from their own website that is in effect a ‘virtual’ or electronic shop that displays a brochure of the goods they have for sale.  To receive payment, the merchant requires a virtual terminal or ‘till’ which their customer sees as a payment page, often provided by the merchant’s payment service provider, when they go to the checkout on the merchant’s website.
 
A merchant’s acquiring bank may be able to provide information on what a merchant will need to do when setting up a website, and the information which needs to be displayed to accept card payments, as well as how to comply with card scheme rules.

The card payment cycle for an internet transaction is similar to that for other card transactions. The exception is the part played by a payment service provider, which securely passes card details between the banks (acquiring and issuing) and card schemes, and ensures the cardholder is presented with the MasterCard SecureCode or Verified by Visa authentication page where a merchant has enabled this facility.

All card transactions accepted over the internet are classed as card not present and carry similar fraud risks to other types of CNP transaction.  To help reduce this risk, there are a range of fraud prevention tools available to merchants including AVS and CSC, MasterCard SecureCode and Verified by Visa, and services provided by third party solution providers.

3D Secure (MasterCard SecureCode and Verified By Visa)

To help reduce card fraud, the card schemes have developed MasterCard SecureCode and Verified by Visa, an internet-based system similar in concept to chip and PIN, which merchants can add to their website for use when their customers are paying. More information on MasterCard SecureCode and Verified by Visa can be found in the Fraud Prevention Tools pages.

An acquiring bank can help their merchant on the steps to be taken to incorporate MasterCard SecureCode and Verified by Visa into their website and its interaction with an internet payment page.

For more detailed information about Verified by Visa and MasterCard SecureCode visit www.shopsafeonline.org.uk


AVS / CSC

Where a merchant has the AVS and CSC service enabled on their website these details can help to decide if it is the genuine cardholder who is purchasing the goods.

To ensure that they are dealing with the genuine cardholder, and to receive chargeback protection where the cardholder denies taking part in the transaction, a merchant should consider implementing MasterCard SecureCode and Verified by Visa.


Fraud Screening

Apart from the standard fraud prevention tools (AVS / CSC, MasterCard SecureCode and Verified by Visa) that a merchant can use to safeguard against possible fraudulent transactions, there are other specific tools for e-Commerce and for the other card not present transaction types of mail order and telephone order, known as MOTO transactions.

Fraud screening services can be provided by an acquiring bank or payment service provider, or in conjunction with third party solution providers who can supply a range of fraud prevention tools.

These tools use a number of detection technologies, such as pattern recognition or rule generation, to assess whether a transaction is likely to be fraudulent before it is sent for authorisation, providing risk screening to help reduce chargebacks and fraud. A merchant can then decide, on the advice given to them by the fraud screening service, whether to allow the transaction to proceed or not.


Payment Service Provider

To trade over the internet, a merchant will require a Payment Service Provider (PSP) whose role is to securely capture a cardholder’s card details and pass these onto the merchant’s acquiring bank for processing.

How this works, in practice, is that a merchant provides a ‘virtual shop’ on the internet that their customer visits and selects the goods or service they want to buy. The customer or cardholder then goes to the checkout or ‘virtual till’ / internet terminal on the merchant's website provided by a PSP.  This internet terminal securely captures the customer's card details and enables them to authenticate themselves. Cardholder authentication can be performed using either MasterCard SecureCode or Verified by Visa and involves the cardholder providing an agreed password in addition to their card details.

The card details and result of the authentication are passed by the PSP, using a secure link to safeguard the security of the details, to a merchant’s acquiring bank who will pass these onto the card issuer to seek an authorisation. The authorisation is passed back from the acquiring bank to the merchant via the PSP.

Some merchants will only have a relationship with a PSP and not an acquiring bank. In this case, the PSP will also perform the role of acquiring bank and this will be reflected in their charges.  Alternatively, a merchant can choose their acquiring bank and a PSP – the acquiring bank can advise which PSPs have been accredited to pass card transaction details to them for processing.

A merchant can choose to use third party providers to help them develop their web presence for the following three components:

  • A website.
  • Shopping cart software to enable customers to add up their purchases before moving on to a secure payment page.
  • A payment service provider to provide the secure payment page. 

Shopping cart software providers can advise which PSPs they work with and vice versa.  In this example it has been assumed that the PSP will also perform the acquiring function of card acceptance.  However, if this is not the case, a merchant should discuss with their acquiring bank which PSPs they have accredited and discuss which shopping cart software providers these work with.
