Published on the 31/08/2018 | Written by Pat Pilcher
Is Trade Me's new payment service just too 'convenient'...
Over the weekend one of the team here at iStart purchased an item using Trade Me’s new Ping payment system. You can imagine their surprise – or should that be shock – when they were able to make the purchase with a single click – no password, no CVV – nothing needed to be entered.
It raised some important questions about merchant responsibilities when it comes to protecting buyers from a security and anti-fraud standpoint.
In the transaction, the Trade Me system did include fields with all the usual credentials including the user’s password, credit card number and verification number (CVV). Trouble is, all of these fields were pre-populated. The net result? A ‘no-questions-asked’ buy now.
The lack of additional authentication is a worry says Professor Ian Welch, cyber-security specialist at Victoria University’s Computer Science department: “Using multi-factor authentication for sensitive tasks such as making payments (e.g. entering a unique password and a code number), should be the gold standard for secure handling of financial information like credit card or bank account information.”
The trouble is that remembering every unique user name and password to the umpteen online services you have joined is all but impossible. A recent solution to this modern-day conundrum comes in the form of browsers that can store user information and pre-populate payment, user ID and password fields – a convenience recently extended to include credit card details. It might save a ton of time and prevent much hassle, but the big question remains: Is security being sacrificed at the altar of convenience?
If the iStart staffer's laptop were compromised, or a child liked the look of a new Harley for Dad, there would be nothing to stop unauthorised purchases from being made: no password, no CVV and no other check stands between a logged-in browser session and a completed payment.
But how could the credit card transaction be processed without an accompanying CVV number you ask?
According to Trade Me’s head of payments Gerard Creamer, the company doesn’t store CVV numbers: “We have never (and will never) store them. They aren’t required, and we’re very confident in our anti-fraud tools. We allow our members to store their credit card numbers when they enter them for the first time.”
Confusingly, Creamer’s statement was contradicted by Trade Me’s support team who, when queried on Ping by the staffer, replied “The CVV code is included in the details that are saved to your account.”
If Trade Me was storing CVV details, they would find themselves in hot water says Kiwibank spokesperson Dee Radhakrishnan. “The storage of card data is governed and prescribed by Payment Card Industry rules and Card schemes (Visa and Mastercard), both of which are quite extensive. Merchants are required to ensure the payment systems they use are compliant to these rules and can be held liable if they are not PCI compliant.”
The conclusion: credit card transactions can be processed without the accompanying CVV.
So, what is the point of having them?
The Payment Card Industry Data Security Standard (PCI DSS), requirement 3.2, states that merchants "do not store sensitive authentication data after authorisation (even if it is encrypted)" and that "all sensitive authentication data be unrecoverable upon completion of the authorisation process". The card verification code is named explicitly as sensitive authentication data (requirement 3.2.2), so a merchant may collect it to send with an authorisation request but must not keep it afterwards.
So Trade Me's Ping payment system may well not store CVV data and may comply with the PCI data security standard. Its lack of any authentication at transaction time is a separate matter: PCI DSS's multi-factor authentication requirements (requirement 8.3) cover staff and administrators accessing the cardholder data environment, not shoppers at checkout, so a one-click purchase is a fraud-risk and buyer-protection question rather than a PCI DSS compliance one.
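To make the two rules concrete, here is an added illustration (not Trade Me's or any gateway's code) of how a merchant's checkout handler would keep a card on file without keeping the CVV, while still demanding the CVV for every charge, the switch this article asks merchants to turn on. The gateway, the token format and the field names are assumptions for the example; real acquirer APIs differ.

```python
"""
Merchant-side handling of a card on file. Added illustration, not code from
Trade Me or any payment gateway; the gateway below is a hypothetical stand-in.

Two rules are demonstrated:
  1. PCI DSS 3.2: the CVV (sensitive authentication data) is used for the
     authorisation call and then dropped. Only a gateway token plus display
     data is ever persisted or logged.
  2. A "CVV required" switch: a charge against a stored card is refused unless
     the shopper supplies the CVV for this particular transaction.
"""
import json
import re
from dataclasses import asdict, dataclass


@dataclass(frozen=True)
class StoredCard:
    """Everything the merchant keeps about a card: no PAN, no CVV."""
    token: str    # opaque reference issued by the gateway (assumed format)
    brand: str    # "visa", "mastercard" or "amex"
    last4: str    # for display on receipts only
    expiry: str   # "MM/YY"


class AuthorisationError(Exception):
    pass


# Amex prints a 4-digit code (CID) on the front; Visa/Mastercard use a
# 3-digit code (CVV2/CVC2) on the signature panel.
_CVV_LEN = {"amex": 4, "visa": 3, "mastercard": 3}


def validate_cvv(brand: str, cvv) -> str:
    """Reject anything that is not a correctly sized digit string for the brand."""
    if not isinstance(cvv, str) or not re.fullmatch(r"\d+", cvv):
        raise AuthorisationError("cvv must be supplied as a digit string")
    expected = _CVV_LEN.get(brand)
    if expected is None:
        raise AuthorisationError(f"unsupported card brand {brand!r}")
    if len(cvv) != expected:
        raise AuthorisationError(f"{brand} CVV must be {expected} digits")
    return cvv


class HypotheticalGateway:
    """Stand-in for an acquirer API; keeps the last request so tests can inspect it."""

    def __init__(self):
        self.last_request = None

    def authorise(self, token: str, amount_cents: int, cvv) -> dict:
        self.last_request = {"token": token, "amount_cents": amount_cents, "cvv": cvv}
        # Constructed response. A real issuer returns a CVV match indicator.
        return {"approved": True, "auth_code": "A1B2C3", "cvv_match": "M" if cvv else "P"}


def charge_stored_card(gateway, card: StoredCard, amount_cents: int, cvv,
                       audit_log: list, require_cvv: bool = True) -> dict:
    """Authorise a payment against a card on file.

    With require_cvv=True the request is rejected unless a well-formed CVV
    accompanies it. The CVV is forwarded to the gateway for this one call and
    never written to the audit log or any persisted record. require_cvv=False
    reproduces the Ping-style behaviour the article describes.
    """
    if amount_cents <= 0:
        raise AuthorisationError("amount must be positive")
    if require_cvv:
        if cvv is None:
            raise AuthorisationError("CVV required for this transaction")
        cvv = validate_cvv(card.brand, cvv)
    response = gateway.authorise(card.token, amount_cents, cvv)
    # Audit record carries only non-sensitive fields; the CVV is deliberately absent.
    audit_log.append({
        "token": card.token,
        "last4": card.last4,
        "amount_cents": amount_cents,
        "approved": response["approved"],
        "cvv_match": response.get("cvv_match"),
    })
    return response


def persisted_form(card: StoredCard) -> str:
    """The JSON that goes to the database: checked to contain no PAN and no CVV."""
    record = asdict(card)
    forbidden = {"cvv", "cvc", "cid", "pan", "track"}
    if forbidden & set(record):
        raise AuthorisationError("sensitive authentication data must not be persisted")
    return json.dumps(record, sort_keys=True)


if __name__ == "__main__":
    gw = HypotheticalGateway()
    visa = StoredCard("tok_constructed_1", "visa", "4242", "12/29")
    log = []
    print(charge_stored_card(gw, visa, 1999, "123", log))
    print(persisted_form(visa))
```

The point of the `audit_log` and `persisted_form` checks is that the CVV's only legitimate lifetime is the single authorisation call; if a merchant can replay a charge later without asking for it, it has either stored the code or configured the gateway not to need it.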
Trade Me's tacit 'ask once and don't worry about entering it again' approach to your CVV code is a bold decision that runs against the way most e-commerce checkouts treat a card on file – Amazon's One-Click being a glaring exception that no doubt emboldened the Ping design team. Amazon, however, allows the user to turn the function off. Ping offers no such option.
However, what of the banks? Should they be able to process credit card data even if it is unaccompanied by CVV data? The answer, it turns out is far more complicated than you would think.
Firstly, it is the bank that issued your card that actually approves or declines a transaction. The card schemes (Visa, Mastercard, Amex, Diners Club and so on) route the authorisation request from the merchant's acquirer to that issuing bank and carry the response back, and whether a missing CVV is tolerated depends on scheme rules, the issuer's own risk settings and how the merchant's account has been configured. While few card companies have a direct and substantial presence in New Zealand, American Express was able to confirm that the need to request CVV information from a merchant varies by card provider and, crucially, by the merchant, although they declined to elaborate any further.
Of course, Trade Me advises, if Ping’s lack of any user input in the purchase is a concern for you, you can simply not save your credit card details and disable the auto-complete features on your web browsers (and forgo all that convenience).
Trade Me also argues that its buyer protection processes are robust. In essence these boil down to you noticing that there's a dodgy payment on your credit card and raising the alert. And no doubt plenty of AI and analytics that probably do a great job after the fact.
How about, instead, Trade Me – and every other credible merchant interested in protecting buyers – simply turn on that little switch that means CVV must always be populated.
Even if, as it seems, it is only for appearance’s sake.