urgent..no delivery worried about account
Comments
-
I have a webshop & I don't see any of my customers' financial data. It is all processed by my card provider. The only time I'd see it was if payment was made over the phone. Once it had been processed I couldn't see it again.
-
Auntie-Dolly wrote: » I have a webshop & I don't see any of my customers' financial data. It is all processed by my card provider. The only time I'd see it was if payment was made over the phone. Once it had been processed I couldn't see it again.
I didn't say that no shop exists where financial data isn't accessible by the employees, I was saying that there can (and will) exist a shop (or fake shop) where financial data IS accessible by employees.
I mean there are countless legitimate websites that store your card details on a secure system for future use - Amazon, play.com, etc. There is absolutely no technical barrier stopping them from storing them unencrypted on a hard drive for all of their employees to see. PLENTY of legal barriers, but nothing else.
(I hope no one replies thinking they only store the last 4 digits :rolleyes:)
Auntie-Dolly wrote: » I have a webshop & I don't see any of my customers' financial data. It is all processed by my card provider. The only time I'd see it was if payment was made over the phone. Once it had been processed I couldn't see it again.
Which means if the sale is for over £100, your customers are probably losing the benefits of Section 75 of the Consumer Credit Act.
This only applies for credit card sales direct with the seller, so if you don't see the details, it is probably counted as indirect.
Section 75 is great consumer protection (the credit card company becomes liable just as the seller), and its loss to your customers is a real shame.
DrScotsman wrote: »I didn't say that no shop exists where financial data isn't accessible by the employees, I was saying that there can (and will) exist a shop (or fake shop) where financial data IS accessible by employees.
I mean there are countless legitimate websites that store your card details on a secure system for future use - Amazon, play.com, etc. There is absolutely no technical barrier stopping them from storing them unencrypted on a hard drive for all of their employees to see. PLENTY of legal barriers, but nothing else.
(I hope no one replies thinking they only store the last 4 digits :rolleyes:)
You seem to be getting quite confused with who actually holds the data that you enter - it is the payment provider that holds the encrypted data - NOT the seller... so I'm afraid you're wrong - financial data is NOT accessible by employees of the retailer. To repeat a transaction the employee must log in to the payment provider's system, where they can only see the last 4 digits.
The only way that an employee of a company would be able to see the full card details is if the scammer set up a fake payment page - which would then not show the secure padlock. In those circumstances, consumers should be wise enough to not enter their details!
vicshippers wrote: » You seem to be getting quite confused with who actually holds the data that you enter - it is the payment provider that holds the encrypted data - NOT the seller... so I'm afraid you're wrong - financial data is NOT accessible by employees of the retailer. To repeat a transaction the employee must log in to the payment provider's system, where they can only see the last 4 digits.
The only way that an employee of a company would be able to see the full card details is if the scammer set up a fake payment page - which would then not show the secure padlock. In those circumstances, consumers should be wise enough to not enter their details!
Oh dear.
First, where did you get this idea that the seller doesn't hold the payment information? On many shopping websites you'll notice the URL is https:// followed by the shop's domain, this means you are connected to the shop, not the payment provider, and you are sending your information to the shop. A shop that doesn't store card details for reuse may not store the data, but there is nothing stopping them from doing so. If we take Amazon for example, we see the padlock on the login page and on EVERY step of the checkout. By your logic we're also sending the Amazon username/password, what delivery method and what gift wrap we want directly to the payment provider instead of Amazon. Do you really think the payment provider holds your Amazon username/password, really?
Secondly, why wouldn't it show the padlock? The padlock only means TWO things.
1. That you are transmitting over an HTTPS connection. Any webserver can very easily be set up to do this.
2. You have a "signed" security certificate. These are simply bought from companies like Verisign, and you will find many dodgy companies do in fact have the padlock.
If the people who run Amazon's servers decided to randomly change the payment page into a fake one that doesn't process payments and simply stores your details on a hard drive, there is no reason why the padlock would disappear.
EDIT: For the record, here is an example of a site with SSL that doesn't even sell anything. If you click on the "Register" link, you will be taken to a page with a padlock that asks you to enter your email address, password, First Name, Last Name, Nickname, etc. These are definitely going to the owners of that website (there's no money even involved!), and there is NOTHING stopping them from changing that First Name field into a "Credit Card Number" field.
DrScotsman wrote: »Oh dear.
First, where did you get this idea that the seller doesn't hold the payment information? On many shopping websites you'll notice the URL is https:// followed by the shop's domain, this means you are connected to the shop, not the payment provider, and you are sending your information to the shop. A shop that doesn't store card details for reuse may not store the data, but there is nothing stopping them from doing so. If we take Amazon for example, we see the padlock on the login page and on EVERY step of the checkout. By your logic we're also sending the Amazon username/password, what delivery method and what gift wrap we want directly to the payment provider instead of Amazon. Do you really think the payment provider holds your Amazon username/password, really?
Secondly, why wouldn't it show the padlock? The padlock only means TWO things.
1. That you are transmitting over an HTTPS connection. Any webserver can very easily be set up to do this.
2. You have a "signed" security certificate. These are simply bought from companies like Verisign, and you will find many dodgy companies do in fact have the padlock.
If the people who run Amazon's servers decided to randomly change the payment page into a fake one that doesn't process payments and simply stores your details on a hard drive, there is no reason why the padlock would disappear.
EDIT: For the record, here is an example of a site with SSL that doesn't even sell anything. If you click on the "Register" link, you will be taken to a page with a padlock that asks you to enter your email address, password, First Name, Last Name, Nickname, etc. These are definitely going to the owners of that website (there's no money even involved!), and there is NOTHING stopping them from changing that First Name field into a "Credit Card Number" field.
It depends on the payment provider that the retailer uses as to whether the system dictates an embedded window to the payment provider (the domain remains the same but the embedded window shows the payment provider website - as with most 3D secure entry screens) or a referral to the payment provider's domain (as with providers such as Sagepay, formerly Protx). Just let me know if you would like me to explain what embedded windows are in more detail.
I shall ignore the obvious flaw in your use of Amazon as an example of a normal seller - you really should watch Watchdog more often - and move to the information the retailer sends. I'm struggling to understand why you are making reference to gift wrap etc - my logic did not assume that this information would be sent to the payment provider at all. The store sends you to the payment provider with the details of the payment amount, the payment provider takes the payment and then takes you to a confirmation page on the store's website, this confirmation page effectively advises the website that you have successfully paid and to treat the order as live (as opposed to an abandoned one).
The information sent to the payment provider is necessary - name, billing address, card details. The retailer may decide to send more information than this, i.e. delivery address, but that would be about it.
"A shop that doesn't store card details for reuse may not store the data, but there is nothing stopping them from doing so."
Again I will say - the store does NOT hold the details, the payment provider does. Again I will say - the store can access limited information (including the last 4 digits of the card) in order to repeat a transaction or refund one but they cannot copy out full card details with the intention of using the cards to make purchases from other stores.
Maybe you should let these guys know that their advice is pointless too, as you know better.
Here's the direct quote from consumer direct, to save you the click -
"Look for websites that have a secure way of paying (known as an encryption facility) - these show a padlock at the bottom of the screen when you are filling in the payment details."
Your entire logic seems to be based on this fatal flaw:
"The store sends you to the payment provider with the details of the payment amount, the payment provider takes the payment and then takes you to a confirmation page on the store's website, this confirmation page effectively advises the website that you have successfully paid and to treat the order as live (as opposed to an abandoned one)."
eBay works like this. Many small online businesses work like this (e.g. with Sagepay like you said). Any store with the option for Paypal works like this. But not ALL businesses work like this.
We know that Amazon and the like do not redirect you to the payment provider's site and they ONLY use embedded windows for Verified by Visa and Mastercard secure, they do not use them for the rest of the transaction. Go to the page where they ask for your card details and look at the source code, there is no reference to any external sites. Check Amazon, check Play, check GAME, there are countless examples. I don't understand where you are getting this theory from, do you think that it's only possible for a financial institution to have an encrypted connection with a valid security certificate?
If information like gift wrap is not sent to the payment provider and is sent directly to Amazon then what is to stop credit card details from being sent directly to Amazon? It's all arbitrary, there is not some magical technical overlord that knows whether or not an input field is "Credit Card Details" or "Input a personal message to be included with your gift wrap", and many websites have the credit card details input box on the same page as data like gift wrap that goes straight to the retailer. And no, no embedded windows.
Just out of interest, who are Amazon's "payment provider" ?
With regards to consumer direct's quote, secure way of paying only means that the connection cannot be intercepted between you and the retailer - which is good advice, as most consumers will be looking at an online shop where the risk of details being stolen by the shop is low (but not impossible!). Additionally to get the padlock you do actually have to pay for a security certificate, which most scammers would not bother with as enough consumers wouldn't look for the padlock making it not worth it. Doesn't mean they can't get it though!
You have still ignored my point with regards to websites with the padlock that have absolutely nothing to do with money, and what is to stop them from changing the "First Name" field to "Credit Card Number"?
For the record a good example of what I said about gift wrap is GAME's website. Put a game in your basket and go to the checkout (without logging in). They ask for ALL of your details on one page, including your card details and what gift wrap message you may want.
Like you said, the gift wrap details will go to GAME. What's to stop the card details from going to GAME? (Which they do btw). Now there *COULD* be an embedded window where it asks for the card details, but that doesn't mean there is, and the padlock certainly has nothing to do with that - double click on it and it says nothing with relation to any bank or payment provider, only that https://www.game.co.uk has a valid certificate supplied from GlobalSign.
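As an added illustration of the point argued in the posts above (not code from any poster or site in this thread): the padlock identifies only the site that served the page, so where the card fields go has to be read from the page itself. This Python example, run over two constructed sample pages with hypothetical names (shop.example, pay.example and the field names), lists each form's submit target and each embedded frame and labels it as the merchant's own origin or a third party's.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample pages (not taken from any real shop).
PAGE_URL = "https://shop.example/checkout"
SINGLE_PAGE = """
<form action="/checkout/submit" method="post">
  <input name="card_number"> <input name="gift_message">
</form>"""
HOSTED_PAGE = """
<form action="/order" method="post"><input name="gift_message"></form>
<iframe src="https://pay.example/card-entry"></iframe>"""

class CheckoutAudit(HTMLParser):
    """Record where each form submits and which frames the page embeds."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.targets = []      # (kind, absolute URL, field names)
        self._form = None      # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page's own URL.
            self._form = ("form", urljoin(self.page_url, a.get("action") or ""), [])
            self.targets.append(self._form)
        elif tag == "iframe" and a.get("src"):
            self.targets.append(("iframe", urljoin(self.page_url, a["src"]), []))
        elif tag in ("input", "textarea", "select") and self._form and a.get("name"):
            self._form[2].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def origin(url):
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or {"https": 443, "http": 80}.get(p.scheme))

def audit(page_url, html):
    """Label each form target and frame as the merchant's origin or a third party's."""
    parser = CheckoutAudit(page_url)
    parser.feed(html)
    page = origin(page_url)
    return [{"kind": k, "url": u, "fields": f,
             "receiver": "merchant" if origin(u) == page else "third party"}
            for k, u, f in parser.targets]
```

This reads the declared markup only; scripts on a page can send field values elsewhere, so it shows the stated targets rather than everything the page can do.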
DrScotsman wrote: »Check Amazon, check Play, check GAME, there are countless examples. I don't understand where you are getting this theory from, do you think that it's only possible for a financial institution to have an encrypted connection with a valid security certificate?
It's actually a little more complicated than that. Amazon, Play and the like are the exception to the rule these days, and are becoming increasingly rare. The reason is that you need more than just a secure website in order to receive payments in this way. Since October, to receive payments from the leading card providers (VISA, MC etc) the site must be PCI-DSS compliant. For sites that use a third party checkout (i.e. Sagepay) achieving compliance is a relatively trivial exercise. However, for sites like Amazon that store cardholder information themselves, the compliance process is lengthy and expensive. This means it's only worth it if a company is processing millions of transactions - otherwise it works out far cheaper to use a third party checkout.
Hope this clarifies the issue.
"There may be a legal obligation to obey, but there will be no moral obligation to obey. When it comes to history, it will be the people who broke the law for freedom that will be remembered and honoured." --Rt. Hon. Tony Benn
This discussion has been closed.