Bank cards: hidden risks

Let’s talk about the dangers of cross-border payments with plastic cards and security flaws in payment systems architecture.

Frequently we (and many, many others) write about different skimming techniques and other ways of compromising bank cards. Today, we’ll talk about the less apparent dangers that run the risk of remaining unnoticed by the majority of users. We will relate stories about risks attributed to cross-border payments, as well as some inherent flaws found in payment systems.

Bank cards hidden risks

Payments not requiring a CVV code

Many think that indicating a CVV code (3 digits printed on the reverse side of a card) is necessary for processing any online transaction. However, some online shops provide an opportunity to avoid this step, and do not transmit the secret code to a payment gateway.

We asked Sergey Dobrinyuk, director for R&D in the department of business development at DiaSoft, to comment on this fact: “The following credentials are usually submitted: card number, expiration date, cardholder’s name embossed on the card and the CVV code printed on the reverse side of the card.”

“However embossed cards (the ones having letters visibly protruding above the surface), which are more frequently used when paying online, are, in general, of a higher class, whether it is Visa Classic, Visa Gold etc. A bank that issued the card, is handling the check of the client’s identity and their purchasing ability. This is why in case of low-value purchases, the seller might just verify the card number and skip authorization, as he is sure the client is a worthy buyer.”

“This is what we call ‘floor limit’. With some banks and some shops this floor limit might reach as much as $1000”, Dobrinyuk said.

According to the expert, on emerging markets this awe before the ‘worthy’ client is not that prominent, and the payment system would, generally, employ more levels of security, but there are no shared policies on card credentials — each online store can establish its own rules.

“All transactions completed remotely, without a PIN code or a 3D Secure certificate, might be disputed by a user. Should you have any doubts about the legitimacy of the transaction, just file a charge back complaint at the bank, and the money would be returned to you at the end of the investigation”, Dobrinyuk said.

Dobrinyuk recommends users rely on online stores which employ a 3D Secure standard (“Verified by Visa” and “SecureCode” for Visa and MasterCard respectively) for online transactions — it is a two-factor authentication which requires you to enter a one-time passcode sent via an SMS or printed on the ATM receipt.

Unfortunately, the store is the one deciding on whether an additional security level should be deployed in their payment system. Even if your card is protected by 3D Secure, the store might just skip this step.

Using virtual cards also helps to increase the level of protection. They have a very limited validity period and can contain only small sums of money. In case of a breach, payment credentials of your primary card would not leak into the wild.

As you can see, it is not a good idea to present your card number to anyone. If a culprit lures you into passing him over the cardholder’s name and the expiration date, it’s a piece of cake for them to steal your money — even without a CVV code. The good news is that in this case, you can file a charge back. Bad news is, you need to detect the fraudulent transaction and act promptly.

Electronic use only

There is one common misbelief about VISA Electron and other entry-level credit card products by different payment systems. Such cards are not embossed and have a disclaimer printed on its face: “ELECTRONIC USE ONLY”.

Many people mistakenly consider that such a card cannot be used for online transactions, however, it is up to the issuing bank to decide. Payment system policies do not restrict online operations for such cards.

To put it simply: online scammers can steal money from an entry-level card as well.

Cross-border payments

Due to currency fluctuations, one might experience problems with cross-border online payments and money withdrawals when abroad. One of the major risks here is an unfavorable exchange rate.

“Conversion in this case might be applied up to four times: on e-commerce platform’s terminal, in the acquirer bank, in the payment system and in the issuing bank”, Dobrinyuk warns.

Fees are applied at each of these stages, but the cardholder usually sees them as a conjoint sum which might or might not be included into the total cost of the purchase. “Honestly, without a detailed insight into the payment system’s and the bank’s fee structure a common user would not understand how the whole concept works. My piece of advice here is to shop at the supplier who charges less”, the Dobrinyuk said.

It can happen that the card is charged later than the payment is processed, as the shop might be liaising with its bank once every few days or even weeks (policies employed by payments systems allow for up to 45-day delay). It is due to this delay, combined with sudden change, that the card may be charged at a less favorable exchange rate.

This is the situation many Russian cardholders are dealing with at present when shopping in overseas online stores or withdrawing cash from ATMs while abroad. If you have to process large sums of money in such circumstances, we’d recommend you not. An overdraft in this case is quite likely.

It might sound strange, but debit cards with no overdraft allowed pose a higher risk as a ‘technical’ or ‘restricted’ overdraft is applied in their case, with banks charging cardholders a penalty up to hundreds per cent annual interest rate.

Protecting against conversion

Some banks offer multi-currency cards, with their holders having an opportunity to vary the currency used for transactions. Should you travel to Europe, take EUR as your primary currency, or USD if you travel to the US, respectively, etc. This is the easiest way to avoid conversion.

If you use your bank card abroad with fixed currency as it is often the case, then VISA, Mastercard or any other payment system establishes its internal exchange rate. The surplus then is relatively small: some per cent or even less.

The highest surplus is characteristic of ATMs, third-party payment systems (PayPal, for instance) and POS-terminals which offer to process the transaction in your native currency and not the currency indicated on the price tag. It’s hard to comprehend that on the spot: you need to spend some time on careful calculations, remembering all up-to-date exchange rates for all currencies, fees, etc.

Just take our word on it: in most cases, it will mean overpayment, which might be quite high. Say no to such appealing offers and pay in the currency indicated on a price tag or necessary in the country you happen to be in.

***

The simple truth here is that bank cards, as well as the methods of charging them, were invented almost half a century ago and are by no means flawless. Technical solutions offered by payment systems are not 100% convenient and are bound to offer more profit to the seller and less security to the buyer. But on developing certain skills, you could mitigate your risks: be cautious and mind the tricky peculiarities we told you about.

Tips