44

I have set a "3-D Secure password" for my debit card on my bank's website. But when I purchased something on amazon.co.uk, I went through the whole process without ever being asked for that 3-D password. I was asked only for a card number and its expiration date.

Can anyone explain to me what happened?

I live in Bulgaria.

Note: I also wasn't asked for CVC.

CodesInChaos
Stefan Monov
  • [This thread](https://security.stackexchange.com/questions/21168/how-does-amazon-bill-me-without-the-cvc-cvv-cvv2) seems relevant. – eis Sep 03 '17 at 20:44
  • @Stefan: not an answer, but please do take note that the behavior is acceptable within the context of the US. In case of transaction fraud, US customers can easily get back their money. I'm not sure if this is the case with your bank or your country's rules. – Hoàng Long Sep 04 '17 at 07:54
  • @HoàngLong country doesn't make a difference in this regard AFAIK – eis Sep 04 '17 at 13:01
  • IIRC, when "Verified by Visa" etc. were first introduced they asked for the authentication for every transaction. They then relaxed that (probably because of customer pushback) to only require it for a random sample of transactions, and/or for large amounts. It may also depend on whether you have a past history of transactions with the same company from the same IP address and/or PC - my online banking service doesn't consider transfers of a few hundred pounds sterling to be worth checking *every* time, for example. – alephzero Sep 04 '17 at 15:17
  • @HoàngLong the country involved is certainly part of the psychology of the "user experience". Living in the UK, I sometimes buy items from the US by credit card, and I'm usually left with the *feeling* that the US approach to "security" is about the same level I would expect if I was buying from somewhere in the third world. And that's from US-based multinational companies, not relatively small e-commerce sites! – alephzero Sep 04 '17 at 15:38
  • Brace yourselves. Astonishment and disappointment towards the credit card system's security is inbound. This is an entire industry where the sausage principle applies. – Alexander Sep 04 '17 at 22:50
  • @eis: from what I experience, it does make a difference. I have read through the 3D Secure spec (my work requires understanding of payment systems), and the theory is perfect. Yet banking practice is another issue. In certain cases, it may take months before your appeal is responded to. You may still get back the money, but it is quite troublesome. – Hoàng Long Sep 05 '17 at 03:10
  • Echo @alephzero's experience. Especially the speculation about same company / IP address / PC, as I've seen regular transactions (one weekly) with the same company go from "ask every time" to "haven't been asked in many months". – TripeHound Sep 05 '17 at 07:05
  • [This](https://nakedsecurity.sophos.com/2016/12/05/how-to-guess-credit-card-security-codes/) might be an interesting read. – DiplomacyNotWar Sep 05 '17 at 09:47
  • Considering the security: for debit cards, I have long used the method of having a separate account for the card and for my normal use. When I buy something with a card, I transfer the money to my card account from my main account (which is not connected to a card). So even if someone gets all my card details (even the PIN), all they can do is use whatever I have remaining there. Usually a few euros - the "change" if you will. And the card is region-limited to Europe, unless I visit another continent. – Juha Untinen Sep 07 '17 at 10:36
  • I added a second factor to my Amazon account and have not yet been asked to use it. I can log in and purchase stuff without the second factor. – Marv Sep 07 '17 at 11:38

8 Answers

45

Security measures like "3D password", CVV, etc. do not exist to protect you, the cardholder. Do not assume that someone who lacks them can't use your card number fraudulently. All they do is allow a merchant who chooses to use them as part of their card processing merchant agreement to obtain a lower transaction fee, on the basis that the feature reduces the rate of fraudulent transactions and thus chargebacks.

If anything, these features actually hurt you as the cardholder, as they make it easier for the merchant to "prove" you authorized a transaction and harder for you to dispute it. See my answer to a related question here:

https://money.stackexchange.com/questions/54772/why-does-the-introduction-of-chip-pin-appear-to-be-so-controversial-in-the-uni/54780#54780

  • "Do not assume that lacking them will prevent someone from using your card fraudulently." Maybe you meant the other way around? – eis Sep 04 '17 at 06:20
  • @Eis I don't think he does. The sentence, put more simply, is: Do not assume not having the password will prevent someone from using the card. Which is exactly the case :) – EpicKip Sep 04 '17 at 11:04
  • @EpicKip ah. The previous sentence was talking about security measures, so I guess it could be understood either way. But yes, in this context that's what it has to mean, anyway. – eis Sep 04 '17 at 13:03
  • The sentence means exactly what it says: don't assume that someone who has your card number but not the "password" can't use the card. – R.. GitHub STOP HELPING ICE Sep 04 '17 at 14:17
  • I also misread the sentence in the same way as eis until reading these comments; you may want to consider rewording to "Do not assume that someone lacking these details will prevent them from using your card fraudulently" to remove all ambiguity – Dave Sep 04 '17 at 18:22
  • This feels overstated to me, because you're interpreting the merchant liabilities as the aim, rather than the means to a different aim. The professed aim of the card handling companies *is* to protect cardholders, but they need the co-operation of merchants to do so. They therefore incentivise merchants who implement the new security measures, and/or penalise those who don't. The cardholder also benefits directly if their claim of fraud is upheld against a merchant who was not using the security mechanism. – IMSoP Sep 05 '17 at 14:03
  • @IMSoP except the cardholder was already fully protected because they do not carry the cost of fraud. All that the new features add from a cardholder's perspective is more ways to have a fraud claim denied. – Ukko Sep 05 '17 at 18:40
  • @Ukko It depends if you consider prevention and compensation to be equivalent. The cost of reporting a fraudulent transaction, even if immediately upheld, is non-zero, so a measure that reduces fraudulent transactions benefits the cardholder. – IMSoP Sep 05 '17 at 19:14
  • @IMSoP Sure, if something costs me a nickel every other year and you can reduce that to 3 cents I have benefited. But the benefit is so small it is immaterial. There have been hundreds of dollars of fraud on my cards over the past couple of decades; the potential liability of me having to pay for even one of those transactions vastly outweighs the pennies of savings from calling out a fraudulent charge. – Ukko Sep 05 '17 at 19:26
  • @Ukko Fine, that's a judgement you can make, which is why I said this is overstated, not completely wrong. The fact remains that the liability shift is at least partially a consequence of the card issuers' belief (possibly misplaced) that the additional measures make it more likely that you are faking your claim, because it's less likely you'll need to make a legitimate claim in the first place. – IMSoP Sep 05 '17 at 19:37
  • Making a transaction harder to fake does not really hurt the cardholder – njzk2 Sep 06 '17 at 04:20
  • @Ukko *the cardholder was already fully protected because they do not carry the cost of fraud.* - so you don't think that lower costs on the bank side (because of decreased fraud) will be reflected, *to some extent*, in lower prices for the cardholder? – FooBar Sep 06 '17 at 11:21
  • @FooBar: Ukko already noted that it might, *to some extent*, in the form of a few pennies. It's not an amount that's noticeable or worthwhile to the cardholder. – R.. GitHub STOP HELPING ICE Sep 06 '17 at 19:10
  • @njzk2: Yes it does. Click through the linked answer on money.SE and the ones it links to. Any additional evidence of validity of a transaction is *more work for the cardholder* to refute. The best situation for a cardholder who has received a fraudulent charge to be in is the one where the merchant has absolutely no evidence to present, and the cardholder basically wins the chargeback by default. – R.. GitHub STOP HELPING ICE Sep 06 '17 at 19:13
  • @R.. but it is less likely to require refutal in the first place – njzk2 Sep 07 '17 at 05:52
  • @njzk2: I don't think that claim is well-supported. Merchant errors (or deception) like double-running a card or claiming that a transaction didn't go through when it did do not get any less likely, and fraud by third-party criminals can just move to merchants where it's easier to pass off. – R.. GitHub STOP HELPING ICE Sep 07 '17 at 15:46
  • @R.. payment processors and banks are usually not fooled by double transactions. That's a bit too obvious. And as a customer (granted, the onus is on the customer), you should ask for a receipt any time a transaction doesn't "go through" – njzk2 Sep 08 '17 at 04:12
  • @njzk2: Double transactions need not be on the same card; they can be "try a different card" or "our card reader isn't working, do you have cash?" Did you actually read the linked post where that happened to the OP? Even if your comment were the full story, "onus is on the customer" proves my point: **with any additional "proof" of transaction, the cardholder is always the loser**. – R.. GitHub STOP HELPING ICE Sep 08 '17 at 12:41
  • @R.. your arguments have value, but what I don't understand, I guess, is how can any seller have any trust in customers paying with credit card? Basically, what prevents someone from contesting legitimate transactions? – njzk2 Sep 10 '17 at 01:57
  • @njzk2: Someone who repeatedly does that will get caught easily by the card issuer. Thus the number who do it is small, less impact than shoplifting. And for big sales the merchant likely has additional evidence like shipping records, surveillance video, paper signatures, phone or email records, etc. – R.. GitHub STOP HELPING ICE Sep 10 '17 at 03:39
44

I just read my bank's page on 3D security. It says:

If the site supports payments to be made in additional security, you will see the logos of the respective card organization Verified by Visa or MasterCard SecureCode

So apparently it's up to the site to require or not require my 3D password.

Stefan Monov
  • In fact, it usually only *benefits* the vendor too. Sometimes it is even worse for you to use the 3D stuff, as some banks added fine print that makes you liable for fraud if the 3D password was used, while you wouldn't be liable if you didn't use it. – schlenk Sep 03 '17 at 21:37
  • While it is good that you read that page (and would ideally have done so when signing up), it might be considered part of the research you should have done before asking the question. – PJTraill Sep 04 '17 at 22:00
  • "Sometimes it is even worse for you to use the 3D stuff, as some banks added fine print that makes you liable for fraud if the 3D password was used, while you wouldn't be liable if you didn't use it." What gives the bank the right to give someone authority to steal from you? How can they say *you* will be liable for the charge and not whoever stole the information from you? Isn't that like making a law to say you cannot charge someone for robbing your house simply because they picked your lock or hacked your garage door opener? – user64742 Sep 04 '17 at 23:28
  • @typhon No, since the bank isn't making the law. It's like the insurance company saying they won't pay out insurance if you didn't bother to lock the garage. This has nothing to do with who committed a criminal offense. It has strictly to do with whether the bank will shoulder the fraudulent charge or if you will have to. You are agreeing to this when you get a credit card from them. Essentially they are saying "hey, we will give you this cool piece of plastic and send money to people who can show they saw it. Plus these are the extra rules we have for when we pay and you have to pay us." – DRF Sep 05 '17 at 11:21
  • @DRF Ah, I took it as you legally agreeing not to charge anyone who steals this 3D thing. – user64742 Sep 05 '17 at 13:21
  • @Typhon: welcome to the legal quagmire of legality regarding banking practices. Those chip cards are a great example, as initially they were a means for banks to absolve themselves of responsibility for handling fraud, instead pushing it onto other people (who also usually didn't have the resources to investigate). Banks **love** shafting merchants. – whatsisname Sep 05 '17 at 19:11
  • @whatsisname Not *entirely* fair. More accurately, it was an acceptance that banks literally *couldn't* validate every signature on every card transaction in a country like the UK, where actual cash is bordering on obsolescence. – deworde Sep 07 '17 at 07:57
23

Credit card transactions have varying levels of authentication, ranging from simply submitting the card number, to card+cvc, various password systems, chip-and-pin, and so on.

The important thing here is that it is the transaction, not the card, that has this. The type of authentication used influences things like who is liable for fraudulent transactions, the ease with which the cardholder can dispute transactions, the size of the transaction fee, and the likelihood of the transaction being rejected as potentially fraudulent.

Amazon has probably found that the increase in sales from a simplified payment system more than offsets the increased costs of fraud, so the only information they require for a payment is the credit-card number.

Mark
  • Things like one-click ordering are impossible if they require the 3D Secure password every time. – Gert van den Berg Sep 05 '17 at 12:47
  • Some payment providers are also applying heuristics to decide whether or not to ask for the 3DS code. The idea being that they (the merchant) get some protection from the credit card company, without inconveniencing regular users. No idea how effective they are, but you might get asked sometimes and not others from the same site. – Adam Sep 05 '17 at 14:00
6

Amazon does not even request the CVV. The only piece needed to bill a card is the card number. Processing the transaction without the CVV or the 3D password will be considered riskier by the card processor (thus being more expensive, or even refusing to provide service to them), but Amazon is keen to do that in exchange for a more streamlined process for their visitors.

Ángel
  • Just for the record: a few months ago a local TV channel staged a fraud (done consensually with the chosen victim) in which they cloned the card's PAN and expiration date using an enhanced NFC reader, and then used that information to order goods. The target website was partially blurred in the video, but **it was clearly Amazon** judging from the blurred colours and layout – usr-local-ΕΨΗΕΛΩΝ Sep 04 '17 at 10:56
  • @usr-local-ΕΨΗΕΛΩΝ Why did they even bother to clone the card to do that experiment? In the UK you don't need the physical card to make transactions to a website - you only need to know the card number, expiry date, and security code. But I suppose if the card owner had just given them that information to type in, it wouldn't have been such an "interesting" (though misleading) item for the TV program! – alephzero Sep 04 '17 at 15:26
  • You can get a credit card's number and expiration date from a short distance (2 metres) with a special RFID transmitter with additional radio power, while the card is stored in the cardholder's pocket, which in that case was consensual. E.g. in a queue in a museum. The TV experiment wanted to discuss the security of contactless cards by showing how one could make an Amazon order *easily* – usr-local-ΕΨΗΕΛΩΝ Sep 04 '17 at 15:59
1

Credit card security features are designed to protect the merchant. Other fields including name, expiration, CVV, 3D Secure, etc. are only there to reduce the risk of fraud for the merchant.

If the merchant is willing to assume the risk of a credit card, they technically only need the credit card number to process a payment.

In most cases, all a credit (non-debit) card holder needs to do is declare "fraud" and funds are reversed in a short time. This is because in a dispute the burden of proof applies to the merchant that the payment by a customer is legitimate.

NOTE: These consumer protections are NOT true for debit cards, including PayPal... the burden of proof switches to the customer for bank account debit cards, and it often does take months to resolve.

This is why you should use actual credit cards instead for public pay stations including gas, parking meters, etc.

Phil M
0

3D secure is optional. It's as simple as that. It may not comply with PCI DSS to not enforce 3D secure in this case.

0

3D Secure implementation is the prerogative of the Merchant. 3D Secure allows for liability shift in cases of fraud. 3D Secure is mandated in some geographies due to mandates from the central banks/authorities.

Kamria
-1

Maybe you turned on one-click ordering like I did. My provider never asks for the CVV on Amazon but does on other sites. Possibly because I confirmed with two-factor authentication?