Archive for the ‘Electronic Payments’ Category

Why my credit card payment was rejected

Friday, September 25th, 2009

A lot of people ask this question: I’ve used this credit card successfully many times, so why can’t I pay in this particular e-shop?

Your payment could be filtered at 2 stages:

1. Credit Card Issuers

Mastercard or Visa are checking the following data from your credit card:

  • credit card number
  • expiration date
  • Name on the credit card
  • CVV code
  • whether you have enough credit for your purchase

Normally this should be enough: I’m authenticated and I’ve authorized this payment. A credit card cannot give you more. But the amount of credit card fraud on the Internet is so enormous that almost all e-shops make additional checks.

2. E-shop itself

The e-shop has much more data than just your credit card information: your registration data, your IP address, your purchases, etc. It can check a number of different things:

  • Is your IP in the same country as your reported home address?
  • Is your IP in the same country in which your credit card was issued?
  • Do you order more products than a normal user (or strange combinations of products)? For example, most vendors provide discounts on large quantities of software licenses, so any user who spends a lot of money on full-price licenses in the shop is suspicious.
  • Have you bought something in this e-shop before?
  • Are your credit card number, IP, email address, phone, name or address marked as “blacklisted” by your Payment Service Provider?

And many more things could be checked automatically when you buy something in an e-shop.

Then it’s up to the e-shop and you to try to do business together. For example, last week bol.com (the biggest media site in the Netherlands) rejected my payment, most probably because I made it from Belgium with a Belgian credit card but specified a delivery address in the Netherlands. Bol.com asked me to send proof of my identity (a scan of my passport) for clarification. In this situation I just bought what I wanted (the new Sony eBook Reader PRS-600) from another e-shop, and they lost me.

But I don’t blame them, of course. As I have the same problems in my own e-shop, I understand: it’s nothing personal, just business.

New strategy against credit card fraud

Saturday, September 19th, 2009

After some extensive screening of credit card information in our e-shop, I could still see people buying licenses in large quantities from time to time (which usually indicates fraud).

A week ago I decided to use proactive tactics. For every order that looks like fraud, I send an email:

————————-

Dear Sir/Madame,

Unfortunately we’ve found problems with your order of Kaspersky products. There is a possibility that credit card, used to pay for the purchase, was stolen or misused.

We’ve blocked your Kaspersky licenses and send information about this purchase to anti-fraud department of the credit card issuer.

If you are the owner of this credit card, please make contact with us as soon as possible.

Sorry for inconvenience!

Best regards,

————————-

This actually helped (at least for some time). I haven’t seen any big cases of fraudulent payments since then. Now it’s just a matter of following this daily procedure.

Fraud with credit cards again

Monday, July 20th, 2009

Once again a number of products were bought via our e-store with stolen credit cards.

Since we send our products (activation codes) electronically by email, customers can supply a bogus delivery address and still receive their code via a temporary Gmail account.

At this moment we have the following limits on our e-store:

  • no credit cards from countries outside Europe are allowed (our e-shop officially sells only in Benelux)
  • the IP of the user must belong to the same country as the card issuer (sorry, problems for Dutch guys who went on “caravans” to Spain and decided to buy antivirus there)
  • there are strict limits on the number of purchases and amounts

And still they’re coming through! Some Dutch credit cards were stolen and used from the Netherlands (or via a Dutch proxy).
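The limits above, together with the e-shop checks listed in the “Why my credit card payment was rejected” post, can be written as a small rule set. This is an added example, not the shop's own code: the thresholds, field names, country list and sample orders are constructed. It also shows why a stolen Dutch card used from a Dutch IP passes every country rule and is only caught by the volume and history signals.

```python
from dataclasses import dataclass

# Constructed policy values: the posts give the rules, not the thresholds.
ALLOWED_CARD_COUNTRIES = {"NL", "BE", "LU", "DE", "FR"}  # stand-in for "Europe only"
MAX_LICENSES = 5       # hard limit per order
REVIEW_LICENSES = 2    # full-price volume that deserves a second look
BLACKLIST = {"blocked@example.test", "203.0.113.7"}  # e-mail or IP flagged by the PSP


@dataclass
class Order:
    email: str
    ip: str
    ip_country: str       # result of a GeoIP lookup done elsewhere
    card_country: str     # issuing country as reported by the PSP
    address_country: str  # home/delivery address the customer typed in
    licenses: int
    previous_orders: int


def screen(order):
    """Return (decision, reasons): hard rules reject, soft signals go to manual review."""
    hard, soft = [], []
    if order.card_country not in ALLOWED_CARD_COUNTRIES:
        hard.append("card issued outside the allowed region")
    if order.ip_country != order.card_country:
        hard.append("IP country differs from card issuing country")
    if order.email in BLACKLIST or order.ip in BLACKLIST:
        hard.append("blacklisted e-mail or IP")
    if order.licenses > MAX_LICENSES:
        hard.append("order exceeds the license limit")
    if order.ip_country != order.address_country:
        soft.append("IP country differs from stated address")
    if order.licenses >= REVIEW_LICENSES and order.previous_orders == 0:
        soft.append("first-time buyer ordering several full-price licenses")
    if hard:
        return "reject", hard
    if soft:
        return "review", soft
    return "accept", []


# Constructed sample orders (documentation IP ranges, invented e-mail addresses).
SAMPLES = {
    "returning customer":
        Order("a@example.test", "192.0.2.10", "NL", "NL", "NL", 1, 4),
    "Dutch card, on holiday in Spain":
        Order("b@example.test", "198.51.100.4", "ES", "NL", "NL", 1, 2),
    "Dutch card via Dutch IP, bogus address":
        Order("c@example.test", "192.0.2.99", "NL", "NL", "NL", 3, 0),
    "blacklisted e-mail":
        Order("blocked@example.test", "192.0.2.11", "NL", "NL", "NL", 1, 0),
}

if __name__ == "__main__":
    for label, order in SAMPLES.items():
        print(f"{label}: {screen(order)}")
```

The holiday order is a false positive of the IP-versus-issuer rule, while the third order matches on every country field and reaches manual review only because of its size and the missing purchase history.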

We’re sending all the money back, of course; we don’t want to be a bad e-shop. And when I was 3 days too late to do it, I had a visit from a fraud controller from our MasterCard/Visa acquirer. Better to be neat next time.

And of course, we don’t have any protection and virtually no fraud with iDEAL.

Intra-European payment and VAT

Monday, March 9th, 2009

In every European country, if you buy something, you have to pay Value Added Tax (VAT). It ranges from 15% to 25%, depending on the country.

  • If you’re a private person, you just have to pay it, no matter what.
  • If you’re a company or self-employed, you can deduct this tax via a complex procedure with your accountant.

This procedure becomes even more complex if your company is located in one European country and you’re buying something in another. In this situation you can ask the shop whether they can sell it to you without VAT at all.

It is possible, but not all shops provide this service. You cannot just come to a supermarket, show your VAT-id from a neighboring country and ask for non-VAT payment. It has to be a special “B2B” shop.

If you have an e-store, it’s also not very easy:

  1. You need to ask all your customers for a VAT-id and check it via the official European Commission VAT-check web service, called VIES (VAT Information Exchange System). Finally something useful from the European Commission! You can also check a VAT-id manually here.
  2. Then your shop needs to provide the order without VAT, and your CRM must understand it.
  3. (Worst part) When your accountant has to provide a tax declaration for VAT, you need to report every transaction separately, including information about the client’s VAT. A lot of e-shops don’t provide this service because of the difficulties of the tax declaration.

 

In general, if you’re located in one EU country and want to go abroad, check it with your accountant; maybe it’s not such a good idea.

Payback time

Friday, January 16th, 2009

If you want to know how to receive money via online transactions, you have to know how to pay it back.

Why refund?

There are different reasons for paying customers their money back:

  • (Obvious) The customer is not happy with the product. Different countries have different periods during which the customer has the right by law to return a product and ask for a full refund. Normally in Europe it ranges from 7 to 14 days. Software companies normally extend this period as an additional bonus.
  • The customer got confused with the payment and paid twice or paid the wrong amount. This especially applies to complex payment methods like iDEAL or bank transfers.
  • Your shop is a victim of fraud. Somebody has purchased some products with stolen credit card numbers. In theory it’s insured by the credit card company, and even if it’s not, the customer can initiate a charge back. But you don’t want this, because with too many such incidents you’re considered a “bad shop”.

In all those situations it’s always better to pay the client back the whole amount and focus on the other clients. People do appreciate it if you give them money, even if it’s their own money and they are really frustrated about the services of your company. There is magic in a small amount of cash coming to you. I’ve had a lot of crazy, rude and loud clients on the phone, demanding satisfaction. I’m yet to meet one who wouldn’t calm down after I promised him some money.

How to refund?

So how easy is it to pay money back technically? It depends on the type of online payment you use.

In most situations, you’re going to use some information from your PSP (Payment Service Provider). They all try to provide you the best services they can, but sometimes you have limits. A lot of financial information is provided to you on a “need to know” basis. You can’t have the credit card numbers of your clients unless your company is PCI-certified. You don’t get the bank account number if you initiate some automatic bank transfers, etc. This makes your life a bit harder. Let me explain in detail how you make a refund with different payment methods, using Ogone as a PSP and Rabobank as a bank.

Refund with credit cards

Normally it’s the easiest part. Even if you don’t have the credit card number of the client, your PSP does, and it can initiate the charge back with one mouse click.

refund_1

The money appears on the client’s credit card account in a couple of days.

Refund with iDEAL

In a nutshell, iDEAL is a bank transfer. The money goes directly from the account of the client to yours. The PSP doesn’t have access to your bank account, so only you or your bank can do it. Postbank does provide a button for the refund of an iDEAL transaction, but, surprisingly, it does nothing!

refund_2

I’ve hidden the private data of the client

Nothing happens if you click on “Terugboeken” (Pay back). It’s just a registration of the refund for your accounting (according to Rabobank support). You have to perform the refund yourself. 

In order to perform a refund, you have to know 2 things:

  • account number of the client
  • his name

Fortunately in the situation with iDEAL you can get this information from your PSP:

refund_3

OK, I had to hide it again, but there was a real account number and name of the client

With this information you can go to your online banking client and perform the transaction manually.

Refund with bank transfer

If you think it’s complicated with iDEAL, wait for the next one: bank transfer. You can ask your customer for a bank transfer directly, by giving him instructions to pay a certain amount to a certain account, or, better, you can ask for permission to make a charge on the account of the client. I don’t want to go too deep into the details of bank transfers; I really hope they will die soon as an online payment method. But in any case, your PSP doesn’t give you the account number of the client!

 

refund_4


Please note that there is a button for refund. But it also does not do what it is supposed to do. Instead, the PSP tries to help you as much as it can: it sends you by email a fax template, which you can fax to your bank in order to refund this bank transfer. So much for online!

You basically have to ask your customer for the missing account number. He finds this strange: he gave it to you during the payment, so why don’t you have it when it’s time to refund? But we have to live with it. Bank transfers are only for the clients who don’t have credit cards or an online banking service, those who have paid in the old-fashioned way for 50 years and don’t trust computers. Again, I hope not for long!

Conclusion

To summarise, refund operations with credit cards are the easiest; the PSP provides all the infrastructure required to perform them. iDEAL is a bit harder; banks should really keep up with automating their iDEAL back office. With bank transfers it is a huge pain to make a refund.

And again: a refunded customer is a happy customer. And a happy customer is a way to more customers!

“Ideal” Online Payment method

Monday, January 12th, 2009

In my previous post I described 3 major modern online payment methods. Let me give more attention to the most modern one: iDEAL.

iDEAL is one of the online payment methods that use online banking with special tokens. Currently such methods are deployed by different European banks. Of course each bank has its own authentication method for e-banking, and it would be a nightmare to support online payments for every bank.

Fortunately the banks are trying to consolidate their efforts, at least on a country level. Currently I know of only the Netherlands and Belgium (Bancontact/Mister Cash) having such systems.

How does it work?

The system is a bit more complicated for a user than paying with credit cards.

  • Step 1. You select products in your e-shop and click on “pay”
  • Step 2. Normally you select your bank from the list

ideal_payments (sorry for the Dutch text)

 

  • Step 3. You’re transferred to a page of your bank, where you perform the authentication and pay.

ideal_payments_1

Please note that the system automatically picked the amount of the payment and the name of the e-shop. You only need to use your card to authenticate yourself and click on “Pay”

  • Step 4. The iDEAL system transfers information back to the site of the merchant, and the e-shop starts the process of delivering the goods, online or offline.

 

 

Pluses of iDEAL system

  • It’s very secure. It uses a direct connection with your bank with 2-factor authentication.
  • It can be done online, sitting in your chair.
  • It’s more automated than just a “wire transfer”, because the customer doesn’t have to correctly type the bank account of the e-shop, the amount or any special “number” that e-shops use to recognise the transaction. This data is filled in automatically, which really helps with human errors.

 

Minuses of iDEAL system

  • First and the biggest disadvantage: the customer has to leave your site and go to another, the website of the bank that supports iDEAL. It creates a huge field for customer errors. People forget to click on “pay”. People click on “pay” twice. People forget to click on “OK” and close their browser. Basically you lose some control over what the customer is doing during the purchase.
  • The second follows from the first: the payment process is asynchronous. With a credit card you start a transaction and finish it (successfully or unsuccessfully) within one process. With iDEAL you have a number of processes, which your e-shop starts by sending customers to the bank payment page, and then you must wait till the customer comes back.
    Customers may come back in a couple of minutes (that’s how long it takes to pay with iDEAL). They may come a couple of hours later, in a different order. They may not come at all, or come two times. Your e-shop software has to maintain a table of current “open” transactions and wait for possible outcomes.
  • Every transaction is actually a bank transfer to your account. If your Payment Service Provider is not using some buffer bank account, you end up with hundreds of small transactions, which your accountant has to book.
  • The services from the banks supporting the iDEAL system are sometimes not “ideal”. We’re using the one from Rabobank; it doesn’t have a possibility to initiate a charge back. But paying back to your customers is a separate big topic, which I’m going to cover later.
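The table of “open” transactions described in the second point, as an added example that is not the shop's or the PSP's code: the state names, action names, timeout and the `bank_txn` identifier are assumptions, and the sequence of returns is constructed. It handles customers coming back out of order, twice, late, or not at all.

```python
OPEN, PAID, FAILED, EXPIRED = "open", "paid", "failed", "expired"


class OpenTransactions:
    """In-memory stand-in for the shop's table of open iDEAL transactions."""

    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds
        self.rows = {}  # order_id -> {"amount", "state", "started", "bank_txn"}

    def start(self, order_id, amount_cents, now):
        """Record the order just before sending the customer to the bank page."""
        if order_id in self.rows:
            raise ValueError("order id already used")
        self.rows[order_id] = {"amount": amount_cents, "state": OPEN,
                               "started": now, "bank_txn": None}

    def sweep(self, now):
        """Close orders whose customer never came back; returns the expired ids."""
        expired = [oid for oid, row in self.rows.items()
                   if row["state"] == OPEN and now - row["started"] > self.ttl]
        for oid in expired:
            self.rows[oid]["state"] = EXPIRED
        return expired

    def on_return(self, order_id, status, amount_cents, bank_txn):
        """Decide what to do when a customer lands back on the shop.

        Assumption: status, amount and bank_txn (hypothetical bank reference)
        were confirmed with the PSP server-side, not read from the browser.
        """
        row = self.rows.get(order_id)
        if row is None:
            return "reject-unknown-order"
        if row["state"] == PAID:
            if status == PAID and bank_txn != row["bank_txn"]:
                return "refund-duplicate-payment"  # customer paid twice
            return "already-delivered"             # same return seen twice
        if status != PAID:
            if row["state"] == OPEN:
                row["state"] = FAILED
            return "show-payment-failed"
        if amount_cents != row["amount"] or row["state"] != OPEN:
            return "manual-review"  # wrong amount, or money for a closed order
        row["state"], row["bank_txn"] = PAID, bank_txn
        return "deliver"


def replay_constructed_day():
    """Replay a constructed sequence of returns; times are in seconds."""
    table = OpenTransactions(ttl_seconds=3600)
    orders = [("A", 2995), ("B", 5990), ("C", 2995), ("D", 2995)]
    for i, (oid, cents) in enumerate(orders):
        table.start(oid, cents, now=i * 10)
    actions = [
        table.on_return("B", PAID, 5990, "T-2"),  # B comes back before A
        table.on_return("A", PAID, 2995, "T-1"),
        table.on_return("A", PAID, 2995, "T-1"),  # same return arrives twice
        table.on_return("A", PAID, 2995, "T-9"),  # a second, separate payment
    ]
    expired = table.sweep(now=4000)               # C and D never came back
    actions += [
        table.on_return("C", PAID, 2995, "T-3"),  # paid, but hours later
        table.on_return("D", FAILED, 2995, None),
        table.on_return("Z", PAID, 100, "T-4"),   # order the shop never created
    ]
    return actions, expired


if __name__ == "__main__":
    print(replay_constructed_day())
```

Delivery happens only on the transition from open to paid, so a repeated return can never hand out a second activation code.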

 

Conclusion

The rest of the world still considers iDEAL a “new and innovative system”, and it does have some glitches. But I believe that such systems will eventually be the payment method of the future. They will replace credit cards, just as e-banking is replacing paying your bills at brick-and-mortar banks.

Past, present and future of online payments

Tuesday, January 6th, 2009

 

Pioneers sometimes pay more than their followers. It’s harder to be the first in any field, and in any industry as well. To be The First of course means you’re also The Best, at least at the beginning.

Pioneers invest heavily in R&D and infrastructure, and they find methods to do what they do more cheaply. The followers can profit from it and do it better and more effectively. At some point you can see that the pioneers are still busy with their old infrastructure while the followers are going further.

It’s no secret that in the 19th to 21st centuries the USA has been a pioneer in a number of industries. Americans did something first and let others learn from their successes and mistakes. This happened with railroads, this happened with mobile telephony, and this is also happening with online payments.

The Past

How could consumers pay for products before the Internet era? There was, of course, cash. There were bank transfers, and there were different types of cheques. And there were credit cards. Which of those methods were suitable for online payments? You can’t send cash or a cheque online, via a web form or email. There were no online banking services. So we’re stuck with:

  • Credit Cards

You only need to transfer a number over the Internet and “virtually” give permission to an e-shop to charge you. Almost no authentication, only identification (for the difference between those two, click on the links). The major plus is very easy procedures: the client fills the number in a form, “one click” and the payment is done; the rest is up to the merchant.

The Present

Presently there are dozens of different online payment methods available. I’m going to focus only on business transactions between a consumer and an official business, an e-shop. So I’m not going to cover PayPal, Western Union, etc. Those are designed to transfer money between individuals without legal entities and sometimes without even bank accounts. Let us assume that the e-shop is a corporation, which pays taxes as a business and can register itself as a merchant with all the rights and responsibilities provided by government and financial institutions.

Online payments were changed a lot by online banking. Almost all banks in the world now allow you to perform transactions online. It requires a person to log in (now we do have authentication, good!) and perform some operations manually. Not exactly “one-click payment”, but it can be done from your armchair.

Here came the “pioneer problem”. Who was the first in providing online banking? The USA, of course. At that moment the philosophy of information security told us that one-factor authentication (currently known as weak authentication) is enough. Most of the banks required only a user name and password to access those services. This created a whole generation of computer viruses designed to steal those passwords. It was so insecure that people didn’t even want to integrate it with e-shops. How do you automate the process of online payments with a password? Give your password to the merchant?

Europe was a bit late and had the luxury of learning from American mistakes. Banks started to develop tools with two-factor authentication (or strong authentication). All people need to use a special device, which looks like a small calculator.

 

ing-homebank-device

Here you can find some information about such services in a Belgian ING bank

They have some strong crypto inside, which helps you to generate one-time passwords. The procedure is more complex, but it’s so secure that Payment Service Providers started to help merchants to automate it. Now with some magic and some web-services customers can pay via Internet in e-shops.

Summarising, there are 3 types of online payments available:

  • Credit Cards
  • Bank transfers
  • Payment methods based on modern online banking, like iDEAL, Bancontact/Mister Cash, etc.

 

The Future

In order to try to predict the future, let me show which methods are used by our clients in the Netherlands on our e-shop:

online_payments_2008

iDEAL is winning and will continue its growth. Currently such systems are local to a European country (actually to a bank) and not compatible with each other. But I hope that with the introduction of SEPA (Single Euro Payments Area) this type of payment will be accepted in all EU countries.

Conclusion

At the end let me summarize 3 types of payment with their pluses and minuses

| Payment method | Credit Cards | Bank transfer | Online banking payments |
|---|---|---|---|
| Authentication | weak | mostly weak | very strong |
| Usability for the client | very good | bad | moderate |
| Technical implementation for the e-shop | very easy | moderate | moderate |
| Chargeback procedures | very easy | hard | hard |

There are still some difficulties with those new payment methods; I’ll cover them in later posts. Europe is “the pioneer” this time, and I’m sure the USA will come a bit later with a better solution.

Good and Bad in Credit Card processing

Saturday, January 3rd, 2009

Credit cards are good for online purchases. Everybody knows that. They’re popular, they’re fast, they’re convenient for the client. A lot of Payment Service Providers are dedicated mostly to credit cards only.

But actually, for merchants, credit cards are the worst and least secure method for online payments.

  1. The authentication is weak.
  2. A third party (the “MasterCard itself”) is in the loop.
  3. It’s quite costly for a merchant.

Let’s go through those points in detail.

 

Weak authentication

A credit card owner needs to supply only an openly known number, the credit card number (sometimes with another openly known number, the CVV code). Not even a password! That’s why there is so much fraud with credit cards. In Europe, some credit card issuers are trying to add a simple password authentication, 3-D Secure. But it’s still just a password, and it’s weak.

Third person in the loop: the Credit Card Acquirer

A shop always works with a Credit Card Acquirer. In fact, you can say that it’s “MasterCard” or “Visa” itself. It’s the person who’s handling the money. The shop gets its money from the Acquirer. And later, it’s the Acquirer’s problem to get the money from the customer. This is the main idea of credit cards.

Let’s imagine you’re selling fish at the North Pole and your customers come to you without cash, only with credit cards. How do you know that they will survive the next storm to pay you for your products? You don’t. But you’re sure that MasterCard will survive and pay you this money.

That actually sounds quite positive, so why did I put it as a negative point? A huge rich person working as an intermediary in your money transactions can’t be good, and I’ll show you why in a moment.

Credit Card transactions cost money

Of course, responsibility gives power and power brings money. Credit Card Acquirers ask for a lot (relatively) of money for their services. It’s almost always a percentage, 2-3% of the value of the transaction. It’s much more than the costs of the more modern iDEAL, for example.

 

For this money a Credit Card Acquirer takes responsibility for the money and ensures that debts are paid, no matter what. And we’re talking about very unpredictable debtors; remember weak authentication? A lot of credit cards are stolen, and there are huge possibilities to cheat.

Say you’re a Chinese hacker with a computer virus and you got your hands on a bunch of credit cards from the Internet. You can buy a plasma TV or a lot of books from Amazon. Or you can spend all that money in the e-shop of your friend. Your friend and you get pure cash (MasterCard pays for all stolen cards).

What can MasterCard do about it? Of course, it’s illegal, and the police can find and prosecute the bad guys. But MasterCard has millions and millions of shops around the globe; how can it work in this environment? It can’t.

That’s why they changed the rules. Only “Good e-shops” are allowed to accept credit cards from their customers. “Bad e-shops” are not. What is a “Bad e-shop”? It’s a shop where a lot of goods are bought with stolen credit cards. Sounds like the e-shop is a victim, not a criminal. Doesn’t matter: we’re not in court yet, we’re in business. In business there is no presumption of innocence. If you’re “Bad”, MasterCard doesn’t want you.

So, actually, the responsibility for the money is now with the e-shop! MasterCard of course gives advice on how to protect your shop against fraud. For example, don’t accept strange transactions from Chinese IP addresses with credit cards issued in the USA, etc.

A big rich debt collector is not responsible; merchants are. It’s good to be big and rich!