I was recently reading up on the Newcastle University report (Does The Online Card Payment Landscape Unwittingly Facilitate Fraud?) about how easy it is for fraudsters to hack credit and debit cards. The report is pretty revealing and well worth a read – but it also gets into the details of online payments systems. In this post, I highlight some of the things I learnt about online payments systems as I read through the report:
Online Payments Systems:
What does an online payments site do?
- Online payment sites are used to transfer money from a customer's credit or debit card to a merchant's or supplier's bank account
How is an online payment made?
- A – To buy something, the Customer enters their credit or debit card details at the Online Merchant's checkout site
- B – The Online Merchant transfers the payment card details to their selected Payment Gateway
- C – The Payment Gateway connects the merchant to the Card Payment Network
  - Card Payment Network companies include MasterCard and Visa
- D – The Card Payment Network is the glue between the various Payment Gateways and the Card Issuing Bank; it makes the request for payment from the customer's bank account at the Card Issuing Bank
  - The Card Issuing Bank is the bank that gave (issued) the physical debit or credit card to the customer
- E – The Card Issuing Bank approves, or rejects, the payment request
  - The Card Issuing Bank passes the payment approval / rejection back through the chain: to the Card Payment Network, the Payment Gateway, the Online Merchant and finally to the Customer
- F/G/H – If the payment is approved by the Issuing Bank, it transfers the customer's money from their bank account to the merchant's bank account – this is called Settlement
What credit/debit card information does the Customer need to supply?
In short, it depends on the online merchant's website! The following 5 elements can be requested:
- Cardholder Name – as written on the front of the card
- 16 digit card number – also known as the Primary Account Number (PAN) – this is linked to the customer's bank account (Mandatory)
- Card Expiry Date – as written on the front of the card (Mandatory)
- Card Verification Value (CVV2) – a 3 digit number on the back of the card
  - The CVV2 is intended as an extra security check: you should only know it if you are in possession of the card
- Cardholder Address – this is not written on the card, but is often used to verify the customer
PCI DSS – Payment Card Industry Data Security Standard
Debit and credit card information is protected by a global information security standard developed by the payment card industry, called PCI DSS – the Payment Card Industry Data Security Standard.
The objective of PCI DSS is to secure and protect customer debit and credit card data and in turn reduce payment fraud. PCI DSS looks to create secure controls around the storage, transmission and processing of cardholder information across the various players involved in the online payment systems network.
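As an added example (not from the Newcastle report or this post's author), here is a small Python check of the kind a merchant's back end might run on the five checkout elements listed above before anything is stored: it validates the PAN's Luhn check digit and the expiry date, masks the PAN so only the first six and last four digits remain, and drops the CVV2 entirely, since PCI DSS does not allow it to be stored after authorisation. The test card number, sample address and the `today` value are constructed for the example.

```python
import re

def luhn_valid(pan: str) -> bool:
    """Luhn (mod-10) check that every real PAN passes; catches typos, not fraud."""
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep first 6 and last 4 digits (the most PCI DSS lets you display), hide the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def expiry_valid(expiry: str, today: tuple) -> bool:
    """Accept MM/YY that is a real month and not earlier than today=(year, month)."""
    m = re.fullmatch(r"(\d{2})/(\d{2})", expiry)
    if not m:
        return False
    month, year = int(m.group(1)), 2000 + int(m.group(2))
    if not 1 <= month <= 12:
        return False
    return (year, month) >= today

def sanitise_for_storage(checkout: dict, today: tuple) -> dict:
    """Return only what a merchant may keep after authorisation.

    The full PAN is replaced by its masked form and the CVV2 is not copied at all.
    Malformed or expired card data raises, so it never reaches storage.
    """
    pan = re.sub(r"[\s-]", "", checkout["pan"])
    if not (pan.isdigit() and len(pan) == 16 and luhn_valid(pan)):
        raise ValueError("PAN failed format or Luhn check")
    if not expiry_valid(checkout["expiry"], today):
        raise ValueError("card expiry invalid or in the past")
    return {
        "cardholder_name": checkout["name"],
        "pan_masked": mask_pan(pan),
        "expiry": checkout["expiry"],
        "address": checkout.get("address"),
        # deliberately no "cvv2" key and no full PAN
    }

# Constructed sample checkout submission (well-known Visa test number, not a real account)
SAMPLE_CHECKOUT = {"name": "A N OTHER", "pan": "4111 1111 1111 1111",
                   "expiry": "12/30", "cvv2": "123", "address": "1 Example Street"}
```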