Hi Folks,
I'm wondering about the mechanism underlying say on-line purchase.
Superficially, it seems you tell someone your card number, and they then somehow communicate with your bank and get money out of your account without further intervention by you.
If that's all that's needed, then anyone who knew your card number could do the same. So does anyone know what the underlying mechanism is which authorises the bank to hand out the money when asked by someone who knows your card number?
I suppose a similar question arises when someone knows your bank's sort code and your account number (as when you authorise a direct debit or standing order). Though I suppose, in that case, there's a piece of paper signed by you which ends up at your bank. But would it be possible in the absence of a signed authorisation? (I think I've actually done this when paying a bill on-line, though my memory is now not sure of the details).
Somewhat curious ...
Best wishes to all, Ted.
--------------------------------------------------------------------
E-Mail: (Ted Harding) Ted.Harding@nessie.mcc.ac.uk
Fax-to-email: +44 (0)870 094 0861
Date: 29-Jul-05 Time: 15:11:49
------------------------------ XFMail ------------------------------
On 29/07/05, Ted Harding <Ted.Harding@nessie.mcc.ac.uk> wrote:
> Hi Folks,
> I'm wondering about the mechanism underlying say on-line purchase.
> Superficially, it seems you tell someone your card number, and they then somehow communicate with your bank and get money out of your account without further intervention by you.
No, they need card number, expiry date (and sometimes start date), name of account holder (sometimes exactly as it is on the card), address where card is registered and often also now the 3 digit number on the back of the card printed on the signature strip.
They also need a merchant account setup with the bank.
Cheers, Al.
On Fri, Jul 29, 2005 at 03:33:12PM +0100, Alan Pope wrote:
> On 29/07/05, Ted Harding <Ted.Harding@nessie.mcc.ac.uk> wrote:
> > Hi Folks,
> > I'm wondering about the mechanism underlying say on-line purchase.
> > Superficially, it seems you tell someone your card number, and they then somehow communicate with your bank and get money out of your account without further intervention by you.
> No, they need card number, expiry date (and sometimes start date), name of account holder (sometimes exactly as it is on the card), address where card is registered and often also now the 3 digit number on the back of the card printed on the signature strip.
> They also need a merchant account setup with the bank.
... and most places will also only deliver (at least the first order) to the card holder's address that's registered for the card.
On 29-Jul-05 Alan Pope wrote:
> On 29/07/05, Ted Harding <Ted.Harding@nessie.mcc.ac.uk> wrote:
> > Hi Folks,
> > I'm wondering about the mechanism underlying say on-line purchase.
> > Superficially, it seems you tell someone your card number, and they then somehow communicate with your bank and get money out of your account without further intervention by you.
> No, they need card number, expiry date (and sometimes start date), name of account holder (sometimes exactly as it is on the card), address where card is registered and often also now the 3 digit number on the back of the card printed on the signature strip.
OK, granted; but that's information you part with when you do the deal. (It can also all be read off the card by someone who sees it, and if they also know your address ... ).
> They also need a merchant account setup with the bank.
I think this is the info I was after -- the hidden mechanism which allows it to work! I didn't know about merchant accounts.
Thanks, Ted.
--------------------------------------------------------------------
E-Mail: (Ted Harding) Ted.Harding@nessie.mcc.ac.uk
Fax-to-email: +44 (0)870 094 0861
Date: 29-Jul-05 Time: 16:06:43
------------------------------ XFMail ------------------------------
On 29/07/05, Ted Harding <Ted.Harding@nessie.mcc.ac.uk> wrote:
> > No, they need card number, expiry date (and sometimes start date), name of account holder (sometimes exactly as it is on the card), address where card is registered and often also now the 3 digit number on the back of the card printed on the signature strip.
> OK, granted; but that's information you part with when you do the deal. (It can also all be read off the card by someone who sees it, and if they also know your address ... ).
It can be read off the card by someone who has *access* to your cards, yes. Most people keep them either in a wallet/pocket/handbag. There's also the question that anything they buy will be delivered to your house. Coupled with the fact that in the event of a fraudulent transaction made known to the Bank they *will* investigate it, and will likely prosecute the person (if found) who committed the crime.
Cheers, Al.
I'll add a bit to this,
Actually, enforced delivery to the cardholder address is completely optional and entirely down to the retailer.
The reason most do it is because of something called Chargeback.
Basically, in recent years the responsibility for card fraud protection has fallen into the hands of the retailer; this is particularly true for "Card Holder not present" transactions such as those made online or over the telephone.
Within 60 days of a transaction on your card you have the ability to dispute it. If you do this, a chargeback notification is sent to the retailer.
The retailer then has a limited window of time (14 days I think) to prove that they actually supplied the goods or services to the card holder; if they are unable to do this then the funds are automatically withdrawn from the retailer's account (you have to sign into allowing the merchant to have this ability) and refunded to your card account.
This gets to be a lot of fun for the retailer: imagine trying to get proof of delivery from a courier 59 days after they made the drop... it's not easy... I know.
For this reason retailers are encouraged to use all of the anti-fraud measures available, including verifying both the expiry and the security digits, only delivering to the card holder address, verifying the card holder address against the card, consignee signatures only and getting proof of delivery.
Some merchants even retain the funds until the 60 day grace period has expired; this is common in high risk categories.
As a retailer you can get extra protection if you operate in a very precise way. Then the chargebacks are underwritten by an insurance company... but this extra expense is passed on to the retailer, usually in the form of higher payment surcharges. (Notice how the merchant and card company have taken no responsibility for any of this.)
All in all it's a pretty unfair system at the moment: as an online retailer you either take a bit of a risk or pay half your margins to the merchant... these things have stopped me setting up an e-commerce business for high value IT equipment in the past. The consumer SHOULD be protected, I'll never dispute that... but the Merchants and Card companies should take responsibility (or at least some of it). At the moment, as a retailer, even if you do all the right things you can still get stung... as a consumer you are pretty much bullet proof.
Funnily enough, as soon as you move into Card Holder present transactions the rules are completely different; for the sake of a simple signature (or nowadays a PIN number) the retailer gets a lot of protection.
Furthermore, just to put your mind at rest: most small scale E-Commerce setups are arranged through a payment gateway, and by the time you are entering card details you are doing it on the merchant's web site. This way it is difficult for the E-Commerce site owner to ever see the critical details; they just get a status from the merchant (pass, fail, pending, declined). This is particularly convenient for smaller scale operations because it means that the site owner doesn't have to take responsibility for any information collected (because they are not collecting it).
Hope that helps
Wayne
On Fri, Jul 29, 2005 at 03:20:50PM +0100, Ted Harding wrote:
> I suppose a similar question arises when someone knows your bank's sort code and your account number (as when you authorise a direct debit or standing order). Though I suppose, in that case, there's a piece of paper signed by you which ends up at your bank. But would it be possible in the absence of a signed authorisation?
It is actually possible to do paperless direct debit, but only if your bank is really sure they decide they can trust you.
Having had to sign the forms associated with doing paper direct debits I think it's a pretty safe form of payment; there are lots of provisions in place for pulling back money if there are dodgy transactions going on. I believe this isn't the case in America however.
Likewise I'm quite comfortable with using a credit card after experience from the merchant side of things; most banks will claw back money on the say-so of the customer with no chance for the merchant to refute any dispute.
J.
On 29-Jul-05 Ted Harding wrote:
> Hi Folks,
> I'm wondering about the mechanism underlying say on-line purchase. [...]
Thanks to all for informative and interesting replies. It's been a minor revelation to someone who really didn't have much idea of what went on behind the scenes!
Best wishes to all, Ted.
--------------------------------------------------------------------
E-Mail: (Ted Harding) Ted.Harding@nessie.mcc.ac.uk
Fax-to-email: +44 (0)870 094 0861
Date: 30-Jul-05 Time: 10:38:09
------------------------------ XFMail ------------------------------