Thinking logically I'd have said how would you use 3D secure on MOTO payments, are you going to ask them for their password? If you are that has some rather catastrophic possible outcomes if you do. I think you might be mixing up 3rd man and 3D secure which are 2 different things.

Lee,

Thanks for correcting me. I had confused 3rd man with 3D Secure in this instance. I realised after I posted that it's not possible to do CNP 3D Secure on MOTO payments received by phone, as the purchaser is never going to give away his password. Excuse me as a newbie trying to work out how all this works.

So am I right in thinking that MOTO transactions through Actinic Payments will just be AVS and CSC/CVV2 checked? Consequently, that wouldn't count as having been 'authenticated' in the way Barclays require it to be in order to avoid chargeback liability shift onto me in the event of a fraudulent transaction? I think in order for a transaction to be authenticated, it must pass the Verified by Visa or MasterCard Securecode check (i.e. 3D Secure). Therefore, it would appear that any fraudulent MOTO transactions would be at my risk? (albeit limited somewhat by the AVS CSC check).

It's a good question Martyn and one i'm not entirely sure on the answer. If the 3D system covers you when used, it seems logical that it doesn't when it is not. But that's not the whole story, firstly you've told them by having a MOTO account that you won't be using 3D secure and surely MOTO has to be catered for in some way, without the need to divulge 3D passwords.

I'd expect fraud over the phone to be radically less than online as its not completely faceless too, that must count for something. I'd have thought MOTO merchant account has its own T&Cs to answer this perhaps.

Lee,

When Barclays set up my merchant account they also sent me a link to a Software Developers Kit (SDK) that I could integrate into my software, which included 3D Secure checks (i.e. Verified by Visa MasterCard Securecode). They stated that I would be responsible for any fraudulent transactions chargebacks for any transactions that weren't authenticated. I believed that Actinic Payments would provide that facility for me and I wouldn't need to incorporate the SDK into my v10 eCommerce software. (Not that I'd want to attempt to do that anyway).

It's beginning to look like CNP MOTO transactions cannot be authenticated through Actinic Payments (and possibly any other PSP) although eCommerce transactions, understandably can, as the purchaser enters his 3D secure password when he places the order online. CNP MOTO transactions can be 'validated' however, by the AVS & CSC/CVV2 checks, but that is not sufficient to shift the chargeback liability away from me as the Merchant.

That has a big knock-on effect as CNP MOTO orders become higher risk than internet eCommerce orders and I have to question whether MOTO orders are worth doing. I think it also potentially affects my PCI-DSS status, as there would be no need to complete a SAQ Form C if I wasn't taking MOTO orders.

we debated just this and decided no.
Not worth the hassle for the very few orders we get as MOTO.

Obviously, for people who take a lot, the turnover outweighs the hassle but it's something only you can decide.

Sounds like dumping it is a good idea. To be fair to them, they find themselves in between a rock and a hard place as do you, one of those fall out areas because of how rife fraud is i guess.

Tracey/Lee,

Thanks again. I will now have a good hard think about whether I should ditch MOTO, and just stick to eCommerce online transactions, because of the potential financial liability on me. I'm just waiting for a reply from Actinic Payments regarding authentication and I'll post any updates I get for the benefit of others.

I've just had a very helpful discussion with SecurityMetrics about my PCI-DSS compliance. If I was going to take MOTO card payments, I would be required to complete SAQ Form C-VT for my office setup, which is a single PC using Actinic v10 eCommerce software and using Actinic Payments as my PSP. MOTO card details would only be received over the phone, typed into the secure Actinic Payments webpage directly or possibly temporarily written on paper until typed in, then shredded immediately after use and not stored anywhere on my system.