Twitter
Facebook
YouTube
SecureTrading Blog
Flickr
LinkedIn
The Services are designed to enable the Merchant to accept different forms of payment from their customers – payment cards and other specified methods such as Paypal and Ukash - in both cardholder not present situations and via the virtual terminal whilst remaining compliant with Card Scheme requirements.
1. PCI Compliance
SecureTrading is approved at the highest level as a PCI DSS Level 1 compliant Service Provider.
The PCI DSS, a set of comprehensive requirements for enhancing payment account data security, was developed by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc., to help facilitate the broad adoption of consistent data security measures on a global basis and looks at the capture, transmission and storage of card data.
By using one of SecureTrading's Payment Page solutions (see section 4.1), as the Payment Page is hosted by SecureTrading and captures and transmits the card data and SecureTrading store the data, all you have to do is complete a simple self assessment questionnaire to be compliant.
If you use the SecureTrading API or XPay you will require your own secure server and will need to ensure your own PCI compliance. You can find more information on what you will need to do to ensure compliance at https://www.pcisecuritystandards.org/merchants/index.php. Also see section 2.4 Card Store & Tokenisation to see how to reduce your PCI compliance bill by over 50% by taking care of the storage of the card number.
2. Products
2.1 Payment Gateway
Under the Payment Gateway service, SecureTrading acts as an intermediary between the merchants' shopping cart and all the financial networks involved with the transaction, including the customers' credit card issuer and your merchant account. It checks for validity, encrypts transaction details, ensures they are sent to the correct destination and then decrypts the responses which are sent back to the shopping cart or website.
This is a seamless process and your customer does not directly interact with the gateway; as data is forwarded to the gateway via your shopping cart or website and a secure (SSL) connection. The shopping cart is configured via plugins to send information in a format that is acceptable to the particular gateway.
2.2 Merchant Account Service
Merchant accounts provide you with the ability to accept credit or debit card payments from customers for goods and services. A merchant account establishes a relationship between your business, a bank and a credit card processor, such that funds generated from sales where you were paid by credit cards are deposited into your bank account on a regular basis, less merchant account fees.
SecureTrading will work with our network of acquirers to identify the best one for our merchant.
2.3 Virtual Terminal
The Virtual Terminal is designed to replace physical terminals for Mail Order/Telephone Order (MOTO) transactions. In terms of functionality it is similar to the Payment Gateway, however, it is password protected and details are entered by the merchant or their agents.
2.4 Card Store & Tokenisation
Built into the SecureTrading API, CardStore and Tokenisation provide you with a reference number (or token). The token is used in place of the card number for all refunds or repeat transactions.
Card Store and Tokenisation eliminate the need for customers to repeatedly enter credit and debit card details and for merchants to send sensitive card details to acquirers via SecureTrading. The customer registers a credit or debit card with SecureTrading to store the sensitive card details required to process a transaction, including card number and expiry date. Upon receipt of the card details, SecureTrading sends a unique reference number (a Token number) in return that will be used for future transaction payments.
The key difference between Card Store and Tokenisation is that with Card Store a token can be generated without a transaction whereas Tokenisation relies on a transaction taking place.
Card Store and Tokenisation reduce your PCI compliance bill by over 50% by taking care of the storage of the card number.
3. Payment Methods
3.1 Credit and Debit Cards
We allow you to accept a wide range of different card types, dependent on your MID. A full list is available on request, but the most common are Visa, Visa Debit, Visa Electron, MasterCard, Maestro, Solo and American Express.
A credit or debit card transaction consists of three parts:
Authentication – the process of checking that the cardholder is genuine. These include 3-D Secure, AVS and Security Code checks (see Counter Fraud Services for more information).
Authorisation – is the process of making sure the cardholder has the funds to pay for the transaction and their card has not been blocked for any reason. Once the card issuer has authenticated the customer, SecureTrading then passes the transaction to the Acquiring Bank to be authorised. They forward the request to the Issuing Bank, who return an authorisation code if they approve the transaction.
If the cardholder was unsuccessful in their verification attempt or the request is somehow invalid, the transaction will not be sent for authorisation.
The full transaction response - including the authorisation code if the transaction is successfully authorised - is then captured and stored in MyST and is passed back to your system.
Settlement - Successfully authorised transactions are batched and sent to the Acquiring Bank each day to be settled into the Merchant Account the next working day. We are not responsible for the transfer of funds.
3.2 ELV
Elektronisches Lastschriftverfahren (also known as Lastschrift, Bankeinzug or simply ELV) is a form of direct debit transaction that is popular in Germany. It is only used in Germany.
3.3 iDEAL
iDEAL is an Internet payment method in The Netherlands, based on online banking. This payment method allows customers to buy securely on the Internet using direct online transfers from their bank account. iDEAL works as follows:
- Consumer selects iDEAL and selects his bank
- Consumer is redirected to his bank's login page
- Participating bank displays transaction data
- Customer enters account number and signs the transaction digitally.
- Bank authorises transaction in real-time, deducting the amount directly from the consumer's account (if there is not enough balance, the transaction will be refused)
- Merchant received real-time confirmation of the payment by the bank
- Consumer is redirected back to the merchant page with a confirmation that the payment has been successful
3.4 PayPal
The solution enables merchants to accept PayPal transactions via the SecureTrading Payment Gateway. At the point of payment, the customer is transferred to PayPal. PayPal process the transaction and return details to SecureTrading. This information is stored in MyST.
3.5 Sofortüberweisung
Sofortüberweisung is a German payment method that allows a consumer to directly and automatically trigger a credit transfer during your online purchase with your online banking information. A transfer order is instantly confirmed to the merchant allowing an instant delivery of goods and services.
3.6 Ukash
Ukash works by customers getting a Ukash voucher in their local shop or online. The customer then enters the unique 19 digit Ukash number from their voucher to pay for goods and services on your web site.
4. Integration Methods
4.1 Payment Pages
The Merchant's payment pages (which can be customised by the Merchant to meet their own requirements) are hosted on SecureTrading's Secure Servers, which use SSL encryption (Secure Socket Layer) When a cardholder chooses a product or products from the merchant website and proceeds to the checkout, they are directed to the SecureTrading servers. Their payment details are securely captured, encrypted and sent to the relevant third party for authorisation.
Authorisation is not a guarantee of payment; it confirms that there are sufficient funds available on the customer's account SecureTrading is unable to guarantee that the person presenting the card details is the genuine cardholder, but we provide various counter-fraud measures as listed below.
Email messages can be automatically generated by SecureTrading and sent to the cardholder on behalf of a merchant. The merchant is responsible for setting this up. Emails can also be sent to the Merchant to indicate whether the authorisation is successful.
SecureTrading sends a settlement file containing details of settled transactions to the Merchant's chosen Acquirer on a daily basis to enable that Acquirer to send the agreed settlement funds to the Merchant's bank account. In the event of a failure to transmit a file at the designated time, the file will be resubmitted at the earliest opportunity on the next working day.
We have three Payment Page Solutions:
SecureTrading Payment Pages - Fully customised to match your web site and hosted on our secure servers. As the Payment Page captures and transmits the card data and SecureTrading store the data, all you have to do is complete a simple self assessment questionnaire to be compliant. No Technical work whatsoever is required.
SecureTrading Payment Pages + - Some of our customers wish to gain the benefit of outsourcing their PCI compliance, but also want to ensure that their URL is the one seen by the customer throughout the entire process. SecureTrading Payment Pages + can deliver this. Your Payment Page is hosted on our site, but through DNS mapping, your URL is the one displayed to the customer, making it appear that the customer never leaves your site. To take advantage of this option you will need to purchase an SSL certificate. You can purchase a certificate from the Verisign website here.
SecureTrading Payment Frame - Another way of achieving the same effect is to map our Payment Pages into an iframe on your site. Your customer never moves from your URL. SecureTrading takes care of the major PCI requirements, leaving you with just a simple 11 question self assessment questionnaire to complete.
4.2 SecureTrading API and Xpay
SecureTrading API and Xpay are our services for merchants who want to use their own secure servers, but who wish to use SecureTrading's payment network as part of their own e-commerce application. They have all the capabilities of SecureTrading Payment Pages, but in addition you can use our service in a more sophisticated way. For example, you can:
- Automate refunds and authorisation reversals, and control the settlement schedule for each transaction.
- Have development capability and write applications that can process payments
- Integrate a payment solution into back-office or legacy systems
- SecureTrading API and Xpay are based on XML, for maximum flexibility and ease of use.
There are currently two versions of Xpay available for use:
- SecureTrading Xpay Version 4
Xpay4 is the latest version of the Xpay Client, which works with Java version 1.6. - SecureTrading Xpay
The original version of Xpay is compatible with Java version 1.4 only.
If you unsure which version of Xpay you require please contact our Support team on 01248 672 050.
4.3 Web Services
The SecureTrading Web Services Integration method allows all the benefits of the SecureTrading API, but without having to install Java on your servers.
5. Counter-fraud Services
All of the following counter-fraud services are included as part of the standard SecureTrading processing services.
5.1 3-D Secure
3-D Secure is a credit and debit card authentication program, implemented by Visa and MasterCard, to help reduce fraudulent purchases online by verifying purchaser identity during an online transaction. Put simply, 3-D Secure is the Internet equivalent of Chip & PIN at Point-of-Sale.
Visa has branded this program 'Verified by Visa', while MasterCard's version is called 'MasterCard SecureCode'. SecureTrading is fully accredited with all the Acquires to process 3-D Secure as part of its standard service to those merchants that have registered for the service.
5.2 Quarantine Service
Every transaction processed by SecureTrading is inspected by our in-house fraud control system. The system looks for certain patterns of card usage, which indicate that the transaction may be fraudulent, or even erroneous, in some way. Whilst the card may still be authorised by the bank, our pattern checks may 'quarantine' this transaction when settlement runs and you will be notified of this via email at that time. This check is not run in real time.
Additionally, each merchant can set a confidence level and any transactions that do not match the criteria selected will also be 'quarantined' (not sent for settlement) and an e-mail automatically generated to warn the merchant, when settlement runs, that the payment has been excluded.
The SecureTrading fraud control system is in addition to the standard authorisation checks carried out by the Card issuer or payment method originator. It is not guaranteed to detect fraud and neither will every transaction it alerts on be fraud. However it may help in alerting a merchant to possible fraudulent activity.
5.3 Address Verification System (AVS)
AVS adds an extra level of security to a transaction. The address that your customer has entered is checked against the cardholder address that the bank holds for that card. The bank will indicate whether there is a match between the address entered and the card address.
SecureTrading support the real time validation of AVS data as part of our standard service to merchants.
An online merchant can use the results of this check to decide whether or not to fulfil an order. This is valid only for UK cards. Acceptance criteria of address results could form part of the confidence level mentioned earlier.
5.4 Security Codes
All credit and debit cards carry a security code number. This number is known to the bank and printed on the card, but is not stored or printed anywhere else. So, it can be used as a confirmation that the person using the card to make a purchase is in physical possession of the card, or has at least seen the card at some time.
SecureTrading supports the real time validation of card security code numbers as part of our standard service to merchants. Again, part of the confidence levels can be set to include the Security Code response.
5.5 Encryption Levels
All Payment Pages communication is encrypted using 1024-bit Public/Private key encryption with a minimum 128-bit session key.
The SecureTrading API (XPay) use digital signatures throughout the system to ensure that any transaction arriving at a payment gateway has come from a Merchant that SecureTrading can identify, and that any information passed back to the Merchant is from the SecureTrading payment gateway.
The encryption and decryption processes are totally transparent to the Merchant and their customers.
5.6 Identity Check
SecureTrading Identity Check provides merchants with a two step check. Firstly a simple check on UK Electoral Roll and BT databases (including Ex-Directory). If the merchant is unhappy with the result or believe the transaction requires further investigation, merchants can then choose to access additional databases such as credit reference files, Directors databases and sanction lists.
5.7 Fraud Score
SecureTrading Fraud Score offers merchants the ability to implement fraud detection through IP reputation. Geolocation is the ability to determine where online customers are physically located based on their IP addresses. With geolocation, merchant can use the user's IP to non-intrusively determine where their customers are physically located. This can be used effectively to detect potential fraud by analysing the differences between the user location and the billing address. Building on geolocation, IP reputation provides relevant risk indicators on given IP addresses.
5.8 Card Check
Using the first 6 digits of a card number, Card Check allows the merchant to check the card type, the issuing bank, the country the card was issued and if the card is a commercial card or not. The merchant can then use this information to make decision on how to handle the transaction.
6. Reporting
6.1 MyST
MyST is a password protected online transaction management area which allows all SecureTrading merchants to monitor their transactions, produce reports, perform refunds and repeat payment, access the Virtual Terminal and manage their SecureTrading Account.
