Where the customer is not present at the point-of-sale (i.e. mail order, telephone order and internet transactions) chip and PIN does not affect the current situation. However there are several initiatives at different stages of development, which are outlined below.
Contact your acquiring bank to discuss further options for your business or visit www.cardwatch.org.uk
Please be aware that the banking industry has developed Address Verification Service(AVS) and Card Security Code (CSC) to help prevent Cardholder-Not-Present (CNP) fraud:
AVS checks the numeric data in the cardholder's statement address with the card issuer.
CSC provides additional security digits to confirm that the card number provided is a genuine one.
By checking the cardholder's statement address and card security details, AVS/CSC has helped many merchants reduce their CNP fraud and chargebacks.
Other methods such as Verified by Visa or MasterCard SecureCode can protect you from chargebacks for certain fraudulent Internet transactions.
MasterCard SecureCode and Verified by Visa are authentication services that have been developed by the card schemes to provide a more secure approach to credit and debit card transactions over the Internet.
Cardholders register for the services and can choose a private password for use when shopping online at a participating merchant.
Use of these authentication services by a merchant shifts the liability from the merchant to the card issuer in the event of a chargeback, under any of the following conditions:
As both of these services are based on the 3D Secure protocol, the installation of either service, together with a merchant plug-in, can support both card schemes.
These services provide customers, merchants and banks with greater security for card payments on the Internet. Merchant acceptance in the UK has seen a dramatic growth in the past year and issuer and cardholder adoption is now growing strongly. The volume of transactions seen through the services has increased tenfold with prominent merchants continuing to join the initiative.
You can register for these services with your merchant acquirer or Payment Services Provider. For more information contact your acquiring bank or go to:
http://www.visaeurope.com/verified, or http://www.mastercardmerchant.com/securecode
Undoubtedly the use of the internet, telephone and mail order for shopping is a huge success story but it is this success that attracts the fraudsters. As we close avenues for fraudsters to commit crime on the high street with initiatives such as chip and PIN, as expected, they attempt to migrate their activities to other areas such as these.
To protect you the retailer, and of course the customer, and to help drive the use of these channels, APACS is working closely with banks, card schemes and systems vendors to ensure that the person making a ‘card-not-present’ payment is the genuine cardholder.
This is most likely to involve the cardholder inserting their chip and PIN card into a hand-held card reader provided by their bank and enters their PIN. On validating the PIN entered, the reader generates a unique, one-time only passcode, which the cardholder provides to the retailer for authentication by the cardholder’s bank. The card reader uses the security features built into the chip on the card, and is never connected to the internet.
What are the next steps?
APACS is liaising with banks, card schemes, retailers and systems vendors on the system for potential use in both online and telephone shopping scenarios, and is working towards a trial in the latter channel in 2007.