I’ve written many times about how insecure the credit cards are. They’re stolen by thousands and often merchants are those, who have to pay the price. But credit cards are still the e-payment number one in the world.

So, what are the current (2011) trends in making the electronic payments safer?

1. Hardening the credit card transactions security.
   • Some intelligent controls for the merchant self. Payment Service Providers help with dosens of different smart filters, like IP-address, credit cards issue data, etc.
   • Help from PSPs. They keep black/white lists of credit card numbers and trying to react on stolen cards faster then issuing organizations
   • Help from Credit Card issuing banks – 3D secure. This helps merchants to shift their financial responsibilities a little
2. Alternative payments, like iDeal or mobile payments. They’re much more secure technically. Additionaly credit cards are SO much simplier to steal that thiefs don’t care about cracking cryptho on Maestro-style devices yet.
3. A combination of a credit card and a e-banking cryptho-authenticator, check this one out http://scobleizer.com/2011/02/23/credit-card-of-the-future/ Nice one from France!

Share on Facebook

It looks like the credit card payments in the Internet are immediate. You pay and the money are coming from your credit card to the bank account of the e-shop. Well, it’s only partially true. The credit card “cloud” promises that the money will come directly, but in reality this process is not that fast.

Let’s see how the process looks like from prospective of e-merchant, using Ogone as PSP.

4.jan.2011 around 14.05
- a customer buys something in the e-shop.
- via Ogone service the credit card information is send to an acquirer and the acquirer “authorizes” the payment. However Ogone doesn’t send the actual command to transfer the money

5.jan. 2011 after midnight

- scripts from Ogone are connecting to the acquirers and start the transactions from the day before:

As you can see the actual payment happened 1 day later.

10.jan.2011

According to our contract with the acquirer the money are coming to our account once per week every Monday. So the real money from this transaction will be transferred to the bank account of the e-shop only on 10 January. So much for the “direct Internet payments”

Share on Facebook

Several days ago a Russian-dutch Payment Service Provider Chronopay had some security issues.

It is not 100% clear what happened, but a number of credit cards were compromised. Apparently they’ve missed payment on their domain name, which allowed criminals to create a fake payment page and collect some credit card numbers.

May be it’s true, may be not, but I wanted to focus on the situation from prospective of a e-shop customer. What did Chronopay problem could mean for an average credit card user?

First of all, who is the Chronopay and why do they have the credit card information anyway?  People buy products from e-shops, not from Chronopay. It’s actually a bit ironic, but the role of PSP is to manage the operation and security of the credit card operations for the e-stores, so the latter could focus on selling their products – books, CDs, TVs, etc.

If you bought a CD in an e-shop, in most cases the e-shop had never seen your credit card number, it was managed only by Chronopay (or other PSP).

So, when you heard the news about one of the PSP loosing some credit card numbers, how to find out if you should block your card at your bank? How do you know, if your card was managed by Chronopay?

Well, this depend on the e-shops, you’ve used your credit card with. And any of them could have two different contracts with their PSPs:

• “umbrella contract”, where the PSP is managing everything for a e-shop and transferring the real money just once per month to the merchant bank account. In this situation “Chronopay” should be clearly visible on the credit card statement.
• “normal contract”, suitable for advanced e-stores,  where the PSP is providing the technology and all the financial operations are performed directly with e-shop’s account by it’s acquirer. In this situation only the name of e-shop will be visible on the credit card statement. You should go to the e-shop itself and try to find any information about which PSP do they use. In most cases it’s clearly stated and even promoted.

Have a save payments and good year 2011!

Share on Facebook

A lot of Internet companies, dealing in Europe are trying to reduce their VAT. Opening a company in Luxembourg is a good choice, they have just 15% and they’re respectable European country, nothing like strange islands, which could be covered by occasional tide wave.

However, you have to consider a lot of additional problems, such set-up could create:

• Lux bureaucracy is very slow. If you think you can start up your e-shop in a couple of months, think again.
• Credit Card aquireres don’t like Lux start-ups much, they could ask huge amount of bank guaranty in case you default and all your credit card payments have to be charged back.
• PSPs don’t like Lux companies either, although they don’t care much, because they don’t have any financial risk. But they may also ask for additional guarantee for payments for their services. In countries like Germany or Netherlands you could just give your bank account, and this will be enough.
• You still have to somehow support European local methods, like iDeal or ELV. It’s possible by opening accounts in all those countries, but it takes time and money.

Of course, if you’re making millions with your shop 6% of additional turnover is very important.

Share on Facebook

One of the advantages of modern electronic banking is a very high security. Its provided by a very strong 2 factor authentication. You must have a small computer (authenticator) in order to generate cryptically strong (supposedly) random passwords.

(pic is from abnamro.nl)

I’ve described about e-commerce application of this authentication in my post about IDeal payment system.

It doesn’t matter if your computer got compromised and somebody stole your passwords. They’re not valid anymore. And you can not crack the authenticator device remotely, it’s not connected to the Internet. One only cold steal it and try to guess your PIN. One of the reasons why computer viruses could target e-banking software is that old banks don’t use this type of authentication.

However just today I’ve downloaded an iPhone app called Saldo voor de iPhone from ABN-Amro. This small app allows you to check the balance on your accounts without supplying the random passwords every time!

Surely, it’s not an open book and you jave to supply a pin-code every time you start it, but this pin-code is checked only locally!  And you can check your balance without using the authenticator. According to the web-site of ABN-AMRO the app is build according to the security standards of the bank. But they don’t say which ones!

So the hackers just have to hack the iPhone app and get access to your balance. Hopefully it doesn’t allow to send money without 2-level authentication.

Share on Facebook

Just got an email from our credit card acquirer with suggestion to pass PCI DSS Certification. This certification ensures that companies handling the credit card numbers safely.

Yes, you do need a special certification to handle very sensitive 20-digit numbers. And yes, it shows again how unsecure the credit cards really are.

The cerfitication could be quete costly, 1-rst level means hundred thousands euros per year spend on security.

Fortunately I don’t have to do it, sins our e-shop is not handling any real credit card information. Everything is managed by our Payment Service Provider Ogone. This means that during the processing of an order we have to send client from the URL of our e-shop to some URL of Ogone. Ogone provide nice opportunity to keep the same look-and-feel as our e-shop, so most of the clients don’t notice anything.

This is also a disadvantage: clients who do notice the change of URL during payment for our products don’t like it. Because it may look like a phishing attempt. And this is one of the most basic precautions for online shoppers – check your URL for phishing! Well, at least all our URLs are SSL-protected with valid certificates.

I’m not sure what could be better solution for this URL changing problem. May be – becoming DSS compliant after all. Ogone provides technical API for those, who are compliant. So may be, one day.

Today I’ve just send the form with all required information to the acquirer. Let’s wait for their reply.

Share on Facebook

A lot of people are asking this questions: I’ve used this credit card many times successfully , but why I can not pay in this particular e-shop?

Your payment could be filtered at 2 stages:

1. Credit Card Issuers

Mastercard or Visa are checking the following data from your credit card:

• credit card number
• expiration date
• Name on the credit card
• CSV-code
• whether you have enough credit for your purchase

Normally this should be enough, I’m authenticated and I’ve authorized this payment. A credit card can not give you more. But the amount of credit card fraud  in the Inthernet is so enormously big, so almost all the e-shops make additional checks.

2. E-shop itself

E-shop has much more data, then just your credit card information. Your registration data, your IP-address, your purchases, etc. They can control a number of different things:

• is your IP is in the same country as your reported home address?
• is your IP in the same country as your credit card has been issued in?
• do you order too many products, than normal user (or strange combinations of products. For example most of the vendors provide discounts on big amount of software licenses. So any user, who’s spending a lot of money on full price licenses in the shop is suspicious)?
• have you bought something in this e-shop before
• is your credit card number, IP, email address, phone, name or address are marked as “blacklisted” buy your Payment Service Provider?

and many more things could be checked automatically when you buy something in a e-shop.

Then it’s up to e-shop and you to try to have business together. For example last week bol.com (the biggest media-site in Netherlands) has rejected my payment. Most probably because I’ve done in from Belgium with Belgian credit card, but specified delivery address in Netherlands. Bol.com asked to send prove of my identity (scan of the passport) for the clarification. In this situation I’ve just bought what I wanted (new Sony eBook Reader PRS-600) from another e-shop and they’ve lost me.

But I don’t blame them of course. As I also have the same problems in my e-shop, I understand: it’s nothing personal, just business.

Share on Facebook

After some extensive screening of credit card information in our e-shop I still could see from time to time people buying licenses in big amounts (which usually indicates fraud).

A week ago I’ve decided to use proactive tactics. For every order, which looks like fraud, I’m sending an email:

————————-

Dear Sir/Madame,

Unfortunately we’ve found problems with your order of Kaspersky products. There is a possibility that credit card, used to pay for the purchase, was stolen or misused.

We’ve blocked your Kaspersky licenses and send information about this purchase to anti-fraud department of the credit card issuer.

If you are the owner of this credit card, please make contact with us as soon as possible.

Sorry for inconvenience!

Best regards,

————————-

This actually helped (at least for some time). I don’t see any big cases of fraud payments sins then. Now it’s just a matter of following this daily procedure.

Share on Facebook

We’ve got again a number of products, bought via our e-store with stolen credit cards.

Sins we’re sending our products – activation codes electronically per email, customers can supply bogus delivery address an still receive their code via a temporary gmail account.

At this moment we have the following limits on our e-store:

• no credit cards from countries except Europa are allowed (our e-shop officially sells only in Benelux)
• IP of the user must belong to the same country as the card issues (sorry, problems for Dutch guys, who went on “caravans” to Spain and decided to buy antivirus there)
• There are strict limits on number of purchases and amounts

And still they’re coming through! Some Dutch credit cards were stolen and used from the Netherlands (or via a Dutch proxy)

We’re sending all the money back, of course, we don’t want to be a bad e-shop. And when I was 3 days too late to do it, I had a visit from a fraud controller form our MasterCard/Visa acquirer. Better to be neat next time.

And of course, we don’t have any protection and virtually no fraude with iDEAL

Share on Facebook

In every European country, if you buy something, you have to pay Value Added Tax (or VAT) It ranges per country from 15 till 25% per country.

• If you’re a private person, you just have to pay it, no matter what.
• If you’re a company or self-employed, you can deduct this tax via complex procedure with your accountant.

This procedure becomes even more complex if your company is located in one European country and you’re buying something in another. In this situation you can ask from a shop, if they can sell it to you without VAT at all. 

It is possible, but not all the shops provide this service. You can not just come to a supermarket, show your VAT-id from neighbor country and ask for non-VAT payment. It has to be a special “B2B” shop.

If you have a e-store, it’s also not very easy:

1. You need to ask a VAT-id from all your customer and check it via official European Commission VAT-check web-service, called VIES (VAT Information Exchange System). Finally something useful from European Commission! You can also check a VAT manually here.
2. Then your shop need to provide order without VAT tax and your CRM must understand it
3. (worst part) When your accountant has to provide a tax declaration for VAT, you need to represent every transaction separately, including information about client’s VAT. A lot of e-shops don’t provide this service because of difficulties of tax declaration

In general, if you’re located in one EU-country and want to go abroad, check it with your accountant, may be it’s not such a good idea.

Share on Facebook