Great news everyone – Your ecommerce pages are becoming even more secure!

As you know, Web Services in ITS offers the CU Ecommerce Service to those of you on campus who need to take money for events and services. We are pleased to announce that in September we transacted our 10,000,000th dollar! We are pleased with how this service has grown – a growth which is driven by the ideas and enthusiasm of our clients on campus. The whole service is a team effort and wouldn’t exist without the help of the Business Office and the finance and security experts in ITS.

Speaking of security, the Payment Card Industry (PCI) creates a list of stipulations to help ensure credit and debit cards are not used fraudulently, and we try to comply as closely as possible. For example, we don’t collect credit card numbers ourselves at Carleton – we farm that out to a secure third-party gateway (the company is called E-xact). They specialise in just taking credit card numbers, encrypting them, and sending them to the clearing bank for verification. When the bank verifies that it can clear the payment on this card, E-xact then sends a message back to our web servers to tell us the payment has been successful. All this happens in less than a second!

One of the pieces of information we send to E-xact is the Card Verification Value (CVV). That is the code on the back of your credit card, which is usually just three digits. In Web Services we have always made this a mandatory field. Other ways of checking that the card is being used by the right person are less satisfactory. For instance, asking people for their address as a double check has some disadvantages. People have to know their exact address for E-xact – if they type St. instead of Street then the transaction can fail. Asking for an address might also double the length of the form they have to fill out, which lowers the conversion rate from interested customers to actual completed purchases. Addresses are also quite easy for other people to find out.

So instead we verify the credit card’s CVV number. In Web Services we have always made the CVV mandatory on purchases. People have to fill that in in order to attempt to make a purchase. The University has decided to make this mandatory on ALL E-xact accounts across campus, not just Web Services. That is good news! As we have to switch on the mandatory status on each and every ecommerce event we create, and with the news that this is going to be the same for everyone on campus, we are going to take the added measure of going back through every live ecommerce instance and checking that the CVV is a mandatory requirement on each and every one of them.

One interesting aspect of the CVV number is that when it is checked by the bank and found to be incorrect, the bank doesn’t block the transaction! Instead the bank sends that nugget of information back to us and lets us decide whether we want to run the risk that this is a fraudulent use of a card or simply someone keying in their CVV incorrectly. In other words, we have to choose between gambling on a fraudulent payment and losing a sale. Obviously, we are not interested in taking any fraudulent payment attempts, so we have instituted a filter that declines any payment that comes from a card where there is a CVV mismatch – where the number on the card doesn’t match what the customer said it was. We might lose a few sales, but it is better than allowing malevolent forces to use a credit card illicitly.
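To make that decision concrete, here is a small sketch of such a filter. It is an added example, not the code Web Services or E-xact actually runs. The field names `bank_approved` and `cvv_result` are assumptions; the single-letter values are the standard card-network CVV result codes. Declining on anything other than a clear match (not only on an explicit mismatch) is also an assumption of this sketch.

```python
from dataclasses import dataclass

# Standard card-network CVV result codes. Only the result code comes back
# from the gateway; the CVV itself is never stored on our side.
CVV_MATCH = "M"
CVV_CODES = {
    "M": "match",
    "N": "no match",
    "P": "not processed",
    "S": "should be on card but was not provided",
    "U": "issuer unable to process",
}


@dataclass(frozen=True)
class Decision:
    accept: bool
    reason: str
    # True when the bank authorised the payment but we decline it anyway:
    # the authorisation should then be voided so the hold on the card is released.
    needs_void: bool


def decide(response: dict) -> Decision:
    """Apply the CVV filter to a gateway response (hypothetical field names)."""
    # Fail closed: only an explicit True counts as a bank approval.
    if response.get("bank_approved") is not True:
        return Decision(False, "bank declined", False)

    code = str(response.get("cvv_result") or "").strip().upper()
    if code == CVV_MATCH:
        return Decision(True, "bank approved, CVV match", False)

    # The bank approved but the CVV did not verify. A missing or unknown
    # code is treated like a mismatch rather than waved through.
    detail = CVV_CODES.get(code, "missing or unknown code")
    return Decision(False, f"CVV check failed: {detail}", True)


if __name__ == "__main__":
    # Constructed sample responses, not real gateway output.
    samples = [
        {"bank_approved": True, "cvv_result": "M"},
        {"bank_approved": True, "cvv_result": "N"},
        {"bank_approved": True},
        {"bank_approved": False, "cvv_result": "M"},
    ]
    for sample in samples:
        print(sample, "->", decide(sample))
```
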

All these things are just a part of the great work the ITS Security Department and the Business Office do in advising us on how to make our payment system more secure.

If you want to know more or wish to engage with us about the CU Ecommerce Service, you can learn more about it on our website, or complete this form.