Best Practice Solutions

Direct Payment Solutions are pioneers of Payment and Billing systems; certified with seamless connectivity for settlement into every bank in Australia and New Zealand, Maybank Malaysia, Westpac Pacific Islands and Citibank in Singapore. DPS develops software which processes electronic transactions in real time. Security of credit card information and personal data that is routed via Payment Express is of extreme importance, and as such this document aims to outline best practice solutions that DPS recommends to all merchants.

Security and Infrastructure

DPS have a dedicated development and datacentre specially designed for payment processing. DPS are fully certified and compliant with Visa AIS (Account Information Security) and MasterCard SDP (Site Data Protection) (PCI-DSS) at processor level, using Ernst and Young Risk Management for quarterly scans on systems and full onsite audits annually. DPS own all internal networking and security infrastructure, including dual Host systems and cold stand-by at the IBM datacentre, dual UPS, multi-homed internet connectivity, failover switches and backup generators. We also have a host system based in Sydney for our Australian customers and a private GPRS network, in Australia and NZ, for wireless payment processing.
Reference Sites

DPS customers include: AMI Insurance, American Express, APN holdings, Ascent Technology, Automobile Association, Auckland City Council, AXA, Aussie Stadium, Air Pacific, Air Rarotonga, Bank of New Zealand, Bond and Bond, Boise, BTI, Cardmember Wines, Cash Handling Systems, Computerland, CommSecure, Contact-Energy, Cosmos, Department of Internal Affairs, DHL, EDS, ematters, Empower, Energy Online, Fairfax, Fatso, Farmers, Fonterra, Fedex, Freedom Air New Zealand, Flexirent, Genesis Energy, Go Holidays, Holiday Shoppe, Hutt City Council, Hewlett Packard, IDG Communications, Intercity, Just Kids, Kroma Colour Prints, Lion Nathan, Microsoft, Ministry of Justice, Mitre 10, Needitnow, NorthShore City Council, NZ Herald, NZ Post, Northern Territories Government, NuSkin, OmegaTrend, Origin Pacific, Qantas Holidays, Qantas, Quotable Value, Progressive Enterprises, Pumpkin Patch, Ricoh, Signature Travel, Sabre Pacific, Sony, Southern Cross Insurance, Sun Microsystems, Sky TV, 2day Internet, Tasmania Temptation Holidays, Tech Pacific, Telecom, TelstraClear, Ticketek, TMP, Toll NZ, Tourism Holdings, Tower Insurance, Travel Spirit Group, Trade Me, TrustPower, UBD, Vero Insurance, Visa Preferred Seating, Wellington City Council, Wilson Parking, Woosh, Wotif.Com and Zuji.

"We currently use the Hosted Payments Page solution from DPS to process online orders. Customers can see their cards being authorized and debited in real-time, all in an SSL secure environment. The Hosted Payments Page enables us to offer customers a safe and speedy online experience."

Customer testimonials can be viewed at https://www.paymentexpress.com/default.asp?id=a_testimonial
Understanding Potential Risks

There is a level of risk involved when accepting credit cards in a card not present situation. Examples of card not present transactions include accepting credit cards over the phone, via fax or via a website. In these cases, it is not possible to validate the signature of the card holder, which increases the risk of fraudulent transactions. Some business types are more susceptible to fraud than others. It is important to understand the ways in which fraud can be reduced by incorporating some of the features described in this section.

How can I practice safe online trading?

DPS offer a fully hosted solution, in which users can process payments on our secure servers. DPS are fully AIS (Account Information Security) and SDP (Site Data Protection) certified, commonly encompassed as PCI-DSS. Using our hosted solutions removes the risk that comes from the merchant having to store sensitive credit card information on their servers or databases. DPS hosted solutions provide the end user with a 128-bit encrypted (SSL) payment page and come pre-built with exception handling, resulting in reduced website development time and costs.

Cost Savings

- No secure (SSL) certificate needs to be purchased, as all payment (sensitive) information is collected on DPS servers.
- Reduced cost in development. DPS hosted solutions come built with a robust engine for catching exceptions.
- DPS hosted solutions come packaged with 3D Secure capabilities. 3D Secure is discussed in greater detail in the following sections.
- The merchant is covered for all future mandates that banks impose upon them as e-merchants, and will incur no further development or compliance costs.
Tips to Help Mitigate Fraud

Every merchant will agree that ensuring their customers have the most convenient means of shopping is the best way to trade online. It is also important to take into consideration the following:

Display the DPS privacy policy

This is an important step and often shows your customer that you are indeed serious about the way in which you collect information in line with banking requirements. DPS mandate this for all integrated solutions as well. Additional information such as your shipping procedure should also be outlined as either a sub-section of this policy document or as a separate document altogether, should you wish to display more detailed information.

Display the DPS logo on your payments pages

It is often comforting for the consumer to know that transactions processed via your application are back-ended by Direct Payment Solutions. DPS lead the electronic payments market in Australasia and, as a further reassurance, you can provide a link to testimonials from some of DPS's high-profile customers.

Draw attention to additional security policies

If you have implemented additional secure processes (e.g. 3D Secure), make this known to the customer. Explain these processes in a clear and comprehensible format.

Display information on your sales / refund policy

This will allow your customer to view your company's policy on sales and refunds. You may also want to include a terms and conditions of sale policy alongside this information. Additional information such as your shipping procedure should also be outlined as either a sub-section of this policy document or as a separate document altogether, should you wish to display more detailed information.

Additional Security Implementations

3D Secure Authentication

Visa and MasterCard have each developed schemes to further protect merchants from fraudulent transactions with Verified by Visa and SecureCode.
Each of these schemes requires the consumer to enter a password, unique to each credit card, before a transaction is approved. This additional step requires both the merchant and the card holder to be enrolled as participating members. DPS can make available, at no additional cost to merchants using the Hosted Payments Page package, a merchant plug-in (MPI) that will enable 3D Secure functionality.
How it Works

1. Your customer selects the items they wish to purchase and proceeds to the payment page.
2. Your customer enters their credit card details in a secure environment.
3. Your customer then enters their password and clicks the submit button. This window automatically resizes itself to fit the contents on-screen.
4. Once your customer's password is verified, they will receive a confirmation message acknowledging the transaction was successful. The user is then prompted to click the Next button where they will be re-directed back to your website.
5. Your customer is re-directed back to your website where you can confirm the amount charged and the details of the order.
Pre-authorization / Completion (Tipping)

This is a two-step transaction involving a consumer initiating a purchase. This process is particularly useful for merchants that want complete control over their order fulfillment process or have a need to verify that the product is in stock before any money changes hands. To enable this functionality, please contact merchant services at your bank.

Step 1: Pre-authorisation

In this step, the consumer's credit card is validated for a predefined amount. If approved, these funds are guaranteed to be available to the merchant for up to 7 days. If, for any reason, you decide not to go ahead with completion of this transaction, you as the merchant simply need to take no further action.

Step 2: Completion

This is the second step of the transaction. Once the merchant has validated the contents of the order and feels comfortable in fulfilling it, he/she will need to complete the transaction. In this stage, money is transferred between the card holder (consumer) and the merchant.

CVC / CID

CVC values are found on Visa and MasterCards and CID values are found on American Express cards. The CVC value is a four-digit non-embossed number that is on the back of a Visa and MasterCard. CID values are just above the credit card number on American Express cards, as illustrated below.

All of the above features are available via the Hosted Payment Page and the MinaCart. To view a sample of the Hosted Payment Page, please visit www.pos.co.nz. To view working samples of the MinaCart, please visit www.minacart.com. Please contact info@paymentexpress.com if you require any additional information.