12 September 2019 | Published by Bryony Pearce
When it comes to card payments, security’s key, both for you and for your customer. But it can also be pretty confusing to get your head around if you’re new to it all.
So, to help you get to grips with everything you need to know, we’ve come armed with all the important bits about the four main measures: Chip and PIN, AVS and CVV, 3D Secure Authentication and PCI DSS Compliance.
P.S. Don’t worry, they’re not as complicated as they sound.
This is the most common type of payment security used in card machines. Most people have probably heard of it, as it’s been around since 2006.
Before Chip and PIN, things were a lot different. Businesses had to take payments using a magnetic swipe, which worked like this:
Sounds pretty pre-historic compared to how things work now, doesn’t it?
The problem with using a magnetic swipe was that if someone lost their card, there wasn’t much stopping someone else from fraudulently using it; all they had to do was forge the signature that was right in front of them. The Chip and PIN revolution put an end to all that.
Step 1: the customer puts their card in the machine and enters their four-digit PIN when prompted.
PIN codes are set by the bank when someone first gets their card and most people change theirs to something personal (but not obvious) and easy to remember.
Step 2: once the PIN’s been entered, it’s turned into encrypted data and sent to your business’s merchant account.
What’s encrypted data? Basically, it just means the PIN code is turned into another form of code that only people with a decryption key or password can access.
Step 3: when the customer’s payment’s been given the all-clear it’ll show in your business bank account in 3 to 5 days, ready for you to access.
And don’t worry, all this goes on behind the scenes without you lifting a finger, and takes just a couple of seconds.
Chip and PIN benefits:
FYI: the process for contactless payments works almost exactly the same, just without the customer’s four-digit code.
Whether they’re done with a card machine or through a virtual terminal, AVS and CVV checks should be used for all phone payments.
Address Verification System (AVS): You’ll be asked to provide your customer’s full billing address and then the system matches the postcode given to the address already stored with their bank.
Card Verification Value (CVV or CV2): Requires your customer’s CVC or CSC (card security code) to verify the card’s details - this is either a three or four-digit number that can usually be found on the back of the card.
The good thing about AVS and CVV checks is they’re done in real-time so you can go ahead and accept or reject the transaction right away.
Important: failed checks could be a sign of credit fraud, so if you get any, it’s best to decline the payment in the interest of your and your customer’s safety.
This one applies to online payments and, although there are security measures in place without it, it adds another layer to help stomp out credit fraud. It’s also backed by big-name card issuers like Mastercard and American Express.
After your customer’s entered their usual details (like their billing address and CVV number) but before their payment’s processed, they’re taken to their card provider’s 3D Secure page where they’ll either be:
As with the other two, this process is super quick but this time it’s done by the person’s card provider.
Last but by no means least is Payment Card Industry Data Security Standard (PCI DSS) Compliance.
It’s a standard that applies to any card payment and exists to make sure businesses are doing their bit to protect their customers. Mainly, this involves ensuring you’re storing, transmitting and processing customer data safely.
A couple of quick facts:
We can help you get PCI compliant; you can read more about it here.