SCAMMED - Reward

Please register or login

Welcome to ScubaBoard, the world's largest scuba diving community. Registration is not required to read the forums, but we encourage you to join. Joining has its benefits and enables you to participate in the discussions.

Benefits of registering include

  • Ability to post and comment on topics and discussions.
  • A Free photo gallery to share your dive photos with the world.
  • You can make this box go away

Joining is quick and easy. Log in or Register now!

Web Monkey:
This is different than a simple authorization. "Verified by Visa" sends the user to the visa website where they are asked a secret question (or password, I forget which) to validate their identity.

It's pretty much impossible for a stolen credit card number to be used with this system.

Terry
Click to expand...

"Verified by VISA" is a program designed to make purchasers "feel" better about the online transaction. VISA even says that outright on their website. VISA also says that merchants are "protected against fraud, with limited exceptions" right on the promotional information on their website. The biggest "limited exception" is card not present, which is the case with 100% of all online transactions.

To make matters worse, if you activate "verified by VISA" on your website, it confuses legitimate customers who do not participate in the program. This simply causes them to leave my website and make the purchase from one of the zillion other online sites selling scuba gear.

EVERY merchant who has a visa/mastercard account (which is all merchants that take credit cards) is required BY CONTRACT to have a PCI Compliant website. Rolling without a PCI compliant website opens a merchant up to an unlimited civil liability should card numbers be "stolen" by anyone. There are a ton of requirements for this program, but the important one is card number storage. In short, this means that merchants cannot store credit card numbers beyond what is necessary to capture the funds on the initial sale. This means that Divesports.com NEVER knows your credit card number. It is completely hidden from us by the card industry automated clearing house. This actually makes it EVEN HARDER to chase down fraud or to even use card card company voice verification methods.

Phil Ellis
www.divesports.com
 
Web Monkey:
So what good is getting an "authorization" when they can just say "oops! sorry!" and take the money back?

Sounds like a great opportunity for a class action suit.

Terry
Click to expand...

Authorization numbers issued only guarantee that the card is valid and that the amount authorized will be paid to the merchant AS LONG AS the customer agrees that it is a legitimate transaction. For card present sales, that is proven by a signature. For online transactions, there is NOTHING the merchant can do for complete protection. If the customer LATER complains about the transaction, it is still zapped from the merchants account.

Oh, it is ALWAYS taken away from the merchant before the merchant is notified by mail that it is going to be taken away.

Phil Ellis
www.divesports.com


Phil Ellis
www.divesports.com
 
Web Monkey:
This is different than a simple authorization. "Verified by Visa" sends the user to the visa website where they are asked a secret question (or password, I forget which) to validate their identity.

It's pretty much impossible for a stolen credit card number to be used with this system.

Terry
Click to expand...

bull frog, they lie. It happens all the time.
 
PhilEllis:
"Verified by VISA" is a program designed to make purchasers "feel" better about the online transaction. VISA even says that outright on their website. VISA also says that merchants are "protected against fraud, with limited exceptions" right on the promotional information on their website. The biggest "limited exception" is card not present, which is the case with 100% of all online transactions.
Click to expand...

That blows.


EVERY merchant who has a visa/mastercard account (which is all merchants that take credit cards) is required BY CONTRACT to have a PCI Compliant website.
Click to expand...
I write credit-card processing code for websites, so this is something I do know about. However, I never got involved with the actual "getting cash out of the merchant account" part of the transaction, and was unaware they could simply take it back for fraud, even after verifying that it wasn't a fraudulent transaction.

Terry
 
cerich:
bull frog, they lie. It happens all the time.
Click to expand...

all the verified by vias thing does is ask the consumer if they see their "basket", fish, bikeor whatever icon and if not don't continue. a scammer is gonna hit yes, continue.

It's a feel good thing that adds nothing to security for companies taking credit cards
 
cerich:
all the verified by vias thing does is ask the consumer if they see their "basket", fish, bikeor whatever icon and if not don't continue. a scammer is gonna hit yes, continue.

It's a feel good thing that adds nothing to security for companies taking credit cards
Click to expand...

Maybe it has different options, but when I've used it, and they show the picture I picked to prove to me that it's really them, then ask me to login so I can prove it's me.

Contractual weaseling aside, I don't really see how anybody could successfully claim their card was stolen unless they also gave away their login and password.

Terry
 
Web Monkey:
That blows.


I write credit-card processing code for websites, so this is something I do know about. However, I never got involved with the actual "getting cash out of the merchant account" part of the transaction, and was unaware they could simply take it back for fraud, even after verifying that it wasn't a fraudulent transaction.

Terry
Click to expand...

The civil penalty for a merchant that suffers a "data security loss" is very high if they are not certified as an approved compliance location with the PCI DSS standards is very high. In many states, the penalty is $500,000 PER INSTANCE. So, if someone steals 10 credit card numbers from your site, you can get hammered.

Online merchants are best served by using a PCI DSS approved merchant software hosting organizations. These types of providers have yearly audits by independent outside PCI auditors and are issued certification they they comply with PCI DSS standards. The security in these hosting environments is both intense and INSURED by commercial liability policies.

A note to online purchasers. If you call your favorite store and they ask you if you want to charge your purchase "to the card number we have on file"......then you are dealing with a merchant that is operating out on the edge. PCI DSS compliant merchants, and merchants complying with their card processors contract, wouldn't have your card number on file. It simply isn't allowed. That is part of the protection scheme.

Phil Ellis
www.divesports.com
 
PhilEllis:
A note to online purchasers. If you call your favorite store and they ask you if you want to charge your purchase "to the card number we have on file"......then you are dealing with a merchant that is operating out on the edge. PCI DSS compliant merchants, and merchants complying with their card processors contract, wouldn't have your card number on file. It simply isn't allowed. That is part of the protection scheme.
Click to expand...

Card numbers can be stored as long as necessary, however they do need to be kept safe and they are a liability. Home Depot, for example, stores millions of credit cards because they're required in order to process customer refunds for returned goods.

However in your case, you're apparently using an outside vendor for credit card processing, which relives you of the responsibility of storing the card data, but also removes your ability to access it when necessary.

Terry
 
PhilEllis:
A note to online purchasers. If you call your favorite store and they ask you if you want to charge your purchase "to the card number we have on file"......then you are dealing with a merchant that is operating out on the edge. PCI DSS compliant merchants, and merchants complying with their card processors contract, wouldn't have your card number on file. It simply isn't allowed. That is part of the protection scheme.

Phil Ellis
Discount Scuba Gear at DiveSports.com - Buy Scuba Diving Equipment & Snorkeling Equipment
Click to expand...

I had to stop doing business with a store for exactly that reason. They were keeping my company AMEX number ($100k limit) in their friggin PC. I routinely have between $40 and $50k on the amex per month, and rarely look at the statement. Turns out, they had my personal debit card number there too. Arrrgh.

What sucks is that if you have to give a refund 30 days after accepting the card, you have a whole new transaction fee. We never know the cc number, all we get is a transaction number. That transaction number expires after 30 days, so a refund is a whole new 3% fee for going the other way.
 
PhilEllis:
A note to online purchasers. If you call your favorite store and they ask you if you want to charge your purchase "to the card number we have on file"......then you are dealing with a merchant that is operating out on the edge. PCI DSS compliant merchants, and merchants complying with their card processors contract, wouldn't have your card number on file. It simply isn't allowed. That is part of the protection scheme.
]
Click to expand...


Phil, I've heard this before and don't doubt that it's the law.

however, how do "big vendors" such as Amazon keep your card on file legally then?


Or is it because they are so big that they have a seperate "financial unit" of business than can legally do it?
 
You must log in or register to reply here.

Similar threads

living4experiences
Trip Report Cozumel-Feb. 11-21, 2024
Replies
7
Views
1,367
Doc Harry
Doc Harry
FishWatcher747
Can't book Batik flights with US credit card. Help?
2 3 4
Replies
38
Views
7,479
fishfood
F
living4experiences
Trip Report Raja Ampat, Live Report, Nov. 7-Dec. 7, 2023
17 18 19
Replies
187
Views
21,228
FishWatcher747
FishWatcher747
rayaa3
Raja Ampat Dec 2023 trip report
2 3 4
Replies
33
Views
4,182
Joneill
Joneill
carono6333
Trip Report Raja Ampat [10 weeks diving with 9 different operators]
4 5 6
Replies
59
Views
7,497
Tadpole Frogfish
T
https://www.shearwater.com/products/teric/

Back
Top Bottom