Internet Trading and the Requirements
Basic Products + Features
All official figures show that Internet sales overall have grown continually, even during the recession when high street sales suffered. From these simple facts, it is clear that all successful businesses have a strong online presence.
Requirements for trading on the web
All businesses trading on the internet require a Payment Service Provider (PSP), whose role is to securely capture a cardholder’s card details and pass them on to the merchant’s acquiring bank for processing.
How this works in practice is that when a customer purchases an item from your e-commerce website they end up at a checkout page or ‘virtual till’. This Internet terminal securely captures the customer’s card details and enables them to authenticate themselves.
The card details and the result of the authentication are passed by the PSP, using a secure payment link or integrated payment page, to the merchant’s acquiring bank, which passes them on to the card issuer to seek an authorisation. The authorisation is passed back from the acquiring bank to the merchant via the PSP.
To start accepting cards, you will need a Merchant Service Agreement with an acquiring bank and a terminal that connects to the acquiring bank to process a card transaction. This can be either hardware (like a chip & PIN machine) or software – a “virtual” terminal.
The terminal provides an authorisation when a transaction is processed. This confirms that the card used has not been reported as lost or stolen and that there are sufficient funds available in the cardholder’s account to make the purchase.
A bank will manage your card payments (for a fee), placing the money or funds into your merchant account, typically within four working days after the transaction has been processed.
All card transactions accepted over the internet are classed as card not present (CNP) and carry similar fraud risks to other types of CNP transaction. To help reduce this risk, there is a range of fraud prevention tools available to merchants, including AVS and CSC, MasterCard SecureCode and Verified by Visa, and services provided by third-party solution providers.
Types of Card
A credit card is a payment card that can be used to pay for goods. The card’s issuer will keep a running total of how much has been spent by the cardholder on the credit card account. Credit cards are primarily issued by MasterCard and Visa and will show a ‘start’ or ‘valid from’ date and an ‘end’ or ‘expiry’ date on the front of the card, along with the card security code on the reverse in the signature line. Although JCB cards are not often seen in the UK, certain UK acquiring banks also accept them.
A debit card is linked to the cardholder’s bank or building society account and can be used to pay for goods at shops and withdraw cash from an ATM (Automatic Teller Machine/Cash Machine).
A cardholder can spend up to the value of funds in their bank account and any unused overdraft.
Some Debit Cards have different product features depending on how the card scheme wants them to function. For example, Visa Electron card transactions can only be accepted electronically i.e. they cannot be used with paper vouchers or PAN key entered (PKE).
Fraud screening services can be provided by an acquiring bank, a payment service provider, or in conjunction with third-party solution providers who can supply a range of fraud prevention tools.
These tools work by using a number of detection technologies, such as pattern recognition or rule generation, to assess whether a transaction is likely to be fraudulent or not – providing risk screening to help reduce charge-backs and fraud – before it is sent for authorisation. A merchant can then decide, on the advice given to them by the fraud screening service, whether to allow the transaction to proceed or not.
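To make the rule-based screening described above concrete, here is a small pre-authorisation risk screen written as an added example for this page; it is not code from any acquirer, PSP or fraud-screening vendor. The transactions, the AVS/CSC result codes, the point values and the review/reject thresholds are all constructed for the example, and the card is referred to only by a token, never by the raw card number.

```python
"""Minimal rule-based pre-authorisation fraud screen (illustrative only).

Each rule returns a risk score contribution; the screen sums them and maps
the total to accept / review / reject. Thresholds and scores are constructed
for this example and are not recommendations from any card scheme or bank.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Tuple


@dataclass
class Transaction:
    card_token: str        # tokenised card reference (assumed), never the PAN
    amount_gbp: float
    avs_result: str        # constructed codes: "match", "partial", "mismatch"
    csc_result: str        # constructed codes: "match", "mismatch", "not_provided"
    ip_country: str
    billing_country: str
    timestamp: datetime


# Score tables for the address (AVS) and card security code (CSC) checks.
AVS_SCORES = {"match": 0, "partial": 15, "mismatch": 40}
CSC_SCORES = {"match": 0, "not_provided": 20, "mismatch": 50}

History = List[Transaction]


def rule_avs(tx: Transaction, history: History) -> int:
    return AVS_SCORES.get(tx.avs_result, 20)   # unknown code treated as mildly risky


def rule_csc(tx: Transaction, history: History) -> int:
    return CSC_SCORES.get(tx.csc_result, 20)


def rule_geo(tx: Transaction, history: History) -> int:
    # Customer IP country differing from the billing country.
    return 25 if tx.ip_country != tx.billing_country else 0


def rule_amount(tx: Transaction, history: History) -> int:
    return 20 if tx.amount_gbp >= 500 else 0


def rule_velocity(tx: Transaction, history: History,
                  window: timedelta = timedelta(minutes=10), limit: int = 3) -> int:
    # Same card attempted `limit` or more times within `window` before this one.
    recent = [h for h in history
              if h.card_token == tx.card_token
              and timedelta(0) <= tx.timestamp - h.timestamp <= window]
    return 30 if len(recent) >= limit else 0


RULES: List[Tuple[str, Callable[[Transaction, History], int]]] = [
    ("avs", rule_avs), ("csc", rule_csc), ("geo", rule_geo),
    ("amount", rule_amount), ("velocity", rule_velocity),
]


def screen(tx: Transaction, history: History,
           review_at: int = 30, reject_at: int = 60) -> Tuple[str, int, List[str]]:
    """Return (decision, total score, names of rules that fired)."""
    score, fired = 0, []
    for name, rule in RULES:
        points = rule(tx, history)
        if points:
            score += points
            fired.append(name)
    if score >= reject_at:
        decision = "reject"
    elif score >= review_at:
        decision = "review"
    else:
        decision = "accept"
    return decision, score, fired


def run_samples() -> Dict[str, Tuple[str, int, List[str]]]:
    """Screen three constructed transactions and return the decisions."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    clean = Transaction("tok_A", 40.0, "match", "match", "GB", "GB", t0)
    suspicious = Transaction("tok_B", 40.0, "mismatch", "mismatch", "GB", "GB", t0)
    burst = Transaction("tok_C", 40.0, "match", "match", "GB", "GB", t0)
    # Three earlier attempts on tok_C within the last ten minutes.
    history = [Transaction("tok_C", 40.0, "match", "match", "GB", "GB",
                           t0 - timedelta(minutes=m)) for m in (2, 5, 8)]
    return {
        "clean": screen(clean, history),
        "suspicious": screen(suspicious, history),
        "burst": screen(burst, history),
    }


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(name, result)
```

The screen runs before the authorisation request, so the merchant's decision (or a manual review) happens without the acquirer or issuer ever seeing a transaction the merchant has chosen to decline. In a real deployment the score tables and thresholds would be tuned against the merchant's own charge-back history rather than fixed as here.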
PCI (Payment Card Industry) Compliance
In order to be PCI compliant, your business must conform to the Payment Card Industry Data Security Standard (PCI DSS).
The PCI DSS is a comprehensive set of requirements for ensuring credit card (and other payment means) data security, developed by the founders of the PCI Security Standards Council: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. These global brands helped facilitate the adoption of consistent data security measures worldwide for our protection.
The PCI DSS takes a multi-tiered approach to security, specifying requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.
This is a hugely important area for all businesses who hold a merchant account, which includes both online and offline sales. It is way beyond the scope of this website to cover everything here, but there is a summary below and a link to the official PCI Security Standards website for the full chapter & verse.
Summary of the PCI DSS
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall
Requirement 2: Do not use default system passwords
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open networks
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data to staff
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
Full details can be found at pcisecuritystandards.org
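Requirement 3 (protect stored cardholder data) and Requirement 10 (track and monitor access) are where a developer most often slips up in practice, usually by letting a full card number or the card security code land in an application log. The following is an added example written for this page, not code from the PCI Security Standards Council or any PSP. It shows the two checks a practitioner typically wires into a logging pipeline: a Luhn check to tell a genuine card number from an arbitrary digit run (timestamps, order ids), and masking to the first six and last four digits, which is the maximum a PCI DSS scope reduction normally permits in plain text. The `csc=` field name and the log lines are constructed; `4111111111111111` is the widely used Visa test number, not a real card.

```python
"""Scrub card data out of log lines before they are written (added example).

- luhn_valid(): the Luhn check digit test used by payment card numbers.
- mask_pan():   keep first 6 and last 4 digits, replace the rest with '*'.
- scrub_log_line(): mask any Luhn-valid 13-19 digit run and redact any
  card security code field entirely, since the CSC must never be stored.
Field name 'csc' and the sample lines are constructed for this example.
"""
import re


def luhn_valid(candidate: str) -> bool:
    """True if the digits in `candidate` pass the Luhn check."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(candidate: str) -> str:
    """Return the PAN with only first 6 and last 4 digits visible."""
    digits = re.sub(r"\D", "", candidate)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


# 13-19 digits, optionally separated by single spaces or hyphens.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Card security code field, whatever it is called in this (constructed) log format.
CSC_PATTERN = re.compile(r"(?i)\b(csc|cvv|cvc)=\d{3,4}\b")


def scrub_log_line(line: str) -> str:
    """Mask Luhn-valid PANs and redact CSC values in a single log line."""
    def mask_if_pan(match: "re.Match[str]") -> str:
        text = match.group(0)
        # Digit runs that fail Luhn (timestamps, ids) are left untouched.
        return mask_pan(text) if luhn_valid(text) else text
    line = PAN_PATTERN.sub(mask_if_pan, line)
    return CSC_PATTERN.sub(lambda m: f"{m.group(1)}=[REDACTED]", line)


if __name__ == "__main__":
    # Constructed sample log lines.
    for raw in [
        "order=42 pan=4111111111111111 csc=123 status=auth_requested",
        "order=43 pan=4111 1111 1111 1111 status=auth_requested",
        "order=44 ref=1700000000000 status=settled",
    ]:
        print(scrub_log_line(raw))
```

Run it and the first two lines come out with `411111******1111` in place of the card number and the CSC value replaced, while the 13-digit reference on the third line is untouched because it fails the Luhn check. Masking in the logger is a safety net, not a substitute for never passing the PAN into application code in the first place, which is what a hosted payment page from the PSP achieves.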
Other forms of online payment
Another form of online transfer is made by the banks themselves. These include Standing Orders, Direct Debits, BACS and CHAPS payments.
- Standing Orders: A regular payment where you can stop or alter payments and dates. Gives you complete control of the payment schedule. Your bank makes the payment on your behalf
- Direct Debits: Regular payments where the payee claims the amounts from your account. Amounts are variable by the payee (the payee’s bank makes the request from your bank) so best used for variable payments like phone or utility bills. Banks offer a Direct Debit Guarantee where customers are automatically refunded in the case of a payment error.
- BACS: A (usually) free payment made electronically by your bank on demand. Funds will usually take 3 – 4 days to clear.
- CHAPS: An electronic payment where the funds clear on the same day (subject to the time you request the transfer). Banks charge for this service (often between £20 & £40). The transfers are overseen by a senior banking member for added security. Suitable for larger payment sums.
For more information about financial payment methods and security visit http://www.financial-ombudsman.org.uk/