Security and Credit Card Transactions
Security is probably one of the most significant concerns for both the shopper and the retailer during an online transaction. In reality, an online transaction is probably more secure than a card transaction in a shop or conducted over the telephone or by fax, as the information transmitted online is highly encrypted using complex combinations of algorithms.
The WorldPay payment system uses a combination of both established and innovative techniques to ensure the security and integrity of all sensitive data. Furthermore, our public web servers are certified by Thawte, a public Certificate Authority, ensuring that both the shopper and retailer can have confidence that nobody can impersonate WorldPay to obtain confidential information.
Transaction Encryption
The transfer of the purchase details from the retailer's site to WorldPay is encapsulated using our own encrypted and digitally-signed protocol. This uses a combination of standard methods such as PGP, RSA and MD5 to ensure that the information passed is secure and tamper-proof.
Security for the Shopper
Any communication between the shopper and WorldPay is also encrypted to the maximum strength supported by the shopper's browser using TLS or 128-bit SSL. Shoppers are also protected by their card issuers from fraudulent use of their card in a "card not present" environment. The card issuers provide the right for shoppers to dispute a transaction if the goods/services did not arrive or if the card was used fraudulently.
Data Storage
Data storage on WorldPay systems, and the communication between WorldPay and the worldwide banking networks, is regularly audited by the banking authorities to ensure a secure transaction environment. We also ensure that we stay up-to-date with the latest versions of any third-party code we use, and continually review our own proprietary code.
Fraud Prevention
The WorldPay strategy for fraud prevention is made up of numerous anti-fraud measures both within WorldPay and in its connecting bank systems. Standard checks are made on each transaction carried out by WorldPay to ensure that the transaction has used a valid card number, that the card has not been recorded as stolen and that there are available funds on that account. In addition to these checks, WorldPay verifies the cardholder's billing address and security code, enables shoppers to use 3-D Secure and provides you with a mechanism for deferring payments.
AVS/Security Code
The WorldPay payment system provides a verification service on the shopper's card security code number and their billing address. The information entered by the shopper on the WorldPay payment page is compared with the UK card issuer's records (where available) and the results of the comparison are passed back to you for consideration. The additional information supplied by the verification service is designed only to help you decide if you should defer delivery, refund the transaction or research further about the cardholder. WorldPay will not decline any transactions based on the card security or address verification.
Note: This fraud prevention facility only applies for transactions where the card used was issued in the UK.
AVS
The Address Verification Service (AVS) enables the address, including postcode, entered by the shopper to be compared against the UK card issuer's records. The results of this comparison are then passed back to help you decide if you should defer delivery, refund the transaction or research further about the cardholder.
As part of this service, the country associated with the shopper's address will be compared with the country the card was issued in.
To use the AVS verification service the address entered by your shoppers must be their billing address (the address where the shopper's card statement is currently sent). The billing address must match the address held by the Card Issuer exactly.
Security Code
The Security Code verification service enables the card's security code entered by the shopper to be compared against the UK card issuer's details.
The card security code is a number printed on the card. The number is not embossed on the card and hence not printed on receipts, making it much harder for anyone other than the cardholder to know what the code is. This will help prevent 'cardholder not present' fraud. A security code is now printed on the vast majority of credit/debit cards.
The format and position of the security code varies across card schemes. Some cards have a three-digit number printed at the end of the card's signature strip. Some (AMEX cards for example) have a four-digit number on the front of the card. Some card issuers refer to this number as the 'Security Code' (for AMEX cards) and others as 'Card Verification Value'. It may also go by the name of 'CVV2' for Visa Cards, or 'Card Verification Code' (CVC) for Mastercard/Eurocard.
We provide our AVS/Security Code verification service in conjunction with UK banks and card issuers.
3-D Secure
3-D Secure has been designed to reduce your exposure to fraud, and provides your shoppers with additional peace of mind and confidence in shopping on the Internet.
3-D Secure is an additional layer of security, introducing username/password, physical chip card, and Smart Card security. This enables the card issuing banks to confirm the identity of a cardholder to you during the transaction process on many different platforms including WAP-enabled mobile phones.
3-D Secure is comprised of two main functions: enrollment and authentication.
Enrollment is the process by which cardholders are enabled to use the service. When cardholders enroll, they are asked for relevant billing information as well as personal information such as a password and a Personal Assurance Message. (These will be used later at the time of purchase.) Once this data is collected and the Issuer has verified the cardholder responses, the cardholder is enrolled in 3-D Secure.
When a 3-D Secure cardholder selects the goods or services that they wish to purchase online they will proceed to the WorldPay payment page. By entering their card details into the payment page the 3-D Secure mechanism will automatically detect if they have enrolled and will then prompt the cardholder to input their password. The password is then authorised and if successful the transaction is able to proceed through the standard payment authorisation.
3-D Secure is the name given by Visa for the additional security layer. MasterCard have a similar process called "Secure Payment Application" (SPA) and American Express have developed a system called "Smart Pay" which uses the cardholder's smart card reader to transfer the card details for authorisation.
"Estimations suggest that the use of the additional security layer will reduce eCommerce disputes and fraud by 50%."
For further information about 3-D Secure, refer to: http://www.worldpay.com/documents/3dsecure.pdf
Deferred Processing
WorldPay offers a deferred processing service which enables credit and debit card transactions to be pre-authorised, whereby the shopper enters their card details, checks are then made on the submitted details and the transaction funds are reserved against the shopper's card.
By pre-authorising a transaction you can perform any additional offline checks against the shopper's details, and ensure that the order can be fulfilled. On completion of these additional checks the transaction can be post-authorised and the shopper will be debited the transaction funds.
The two main reasons for deferred processing are:
For US customers, US law requires 2-stage transaction processing, as funds may not be taken from shoppers until the goods have been dispatched.
Additional checks can be made on the shopper to establish that the transaction was not fraudulent before completing the payment and delivering the goods.
For further information about Deferred Processing, refer to your Chargeback Guide.
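The AVS/Security Code results are advisory and WorldPay does not decline on them, so the merchant has to act on them, and a pre-authorised transaction is the natural place to do so. The following is an added example, not WorldPay code: the result labels, field names, the policy and the 200.00 threshold are all assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Check(Enum):
    # Hypothetical labels for this example, not WorldPay's result codes.
    MATCHED = "matched"
    NOT_MATCHED = "not_matched"
    NOT_CHECKED = "not_checked"  # e.g. card not issued in the UK

class Action(Enum):
    POST_AUTHORISE = "post_authorise"  # take the reserved funds and ship
    RESEARCH = "research"              # leave pre-authorised, review manually
    CANCEL = "cancel"                  # do not post-authorise

@dataclass
class PreAuth:
    order_id: str
    amount_pence: int
    security_code: Check
    address: Check
    postcode: Check
    country: Check

def decide(tx: PreAuth, review_over_pence: int = 20_000) -> Action:
    """Assumed merchant policy; the gateway itself never declines on these."""
    # A wrong security code suggests the buyer does not hold the card.
    if tx.security_code is Check.NOT_MATCHED:
        return Action.CANCEL
    # Any address component that disagrees with the issuer goes to a human.
    if Check.NOT_MATCHED in (tx.address, tx.postcode, tx.country):
        return Action.RESEARCH
    # Nothing verified (for example a non-UK card): cap unattended value.
    verified = Check.MATCHED in (tx.security_code, tx.postcode, tx.address)
    if not verified and tx.amount_pence > review_over_pence:
        return Action.RESEARCH
    return Action.POST_AUTHORISE

def triage(queue: list[PreAuth]) -> dict[str, Action]:
    return {tx.order_id: decide(tx) for tx in queue}

# Constructed sample queue of pre-authorised transactions.
M, N, U = Check.MATCHED, Check.NOT_MATCHED, Check.NOT_CHECKED
QUEUE = [
    PreAuth("A1", 4_999, M, M, M, M),
    PreAuth("A2", 4_999, N, M, M, M),
    PreAuth("A3", 4_999, M, M, N, M),
    PreAuth("A4", 85_000, U, U, U, U),
    PreAuth("A5", 1_500, U, U, U, U),
]
```

Calling `triage(QUEUE)` sorts the five constructed orders into post-authorise, research and cancel; only orders returning `POST_AUTHORISE` would be debited.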
Future Development
WorldPay is constantly developing and integrating new systems to combat online fraud. One such development is a revolutionary, patented system called WorldPay Genesis, which ensures the positive identity of parties undertaking Internet based B2B transactions.
WorldPay Genesis is a small hardware device called a TAD (transaction authentication device) which encrypts the information to a high level of security called Triple DES before transmission over the Internet.
What makes Genesis unique is a Global Positioning System chip embedded in the hardware, which pinpoints the user to within a few feet of the actual location where the transaction is being initiated. The GPS co-ordinates provide an important part of the transaction authorisation process as they confirm that the transaction originates from the physical location of the business or individual approved by WorldPay to undertake the transaction. It is believed that this is the first use of GPS technology to assist in the validation of financial transactions.
For further information about WorldPay Genesis, refer to: http://www.worldpay.com/documents/genesis.pdf
For further information about the future of e-commerce fraud prevention, refer to our recent Press Releases.