Google kicks Maestro into touch
Google Checkout - the search giant's online payment system - will stop accepting payments from Maestro cards from next week. From Monday Google Checkout users in the UK will have to pay with a Visa, Visa Electron, MasterCard or a Solo card. Maestro is a debit card which claims 540 million card holders around the world. Several …
My HSBC debit card got damaged so I requested a new one. Instead of giving me another Maestro card, they gave me a Visa card, stating that they're making this move because it's more widely accepted. This is true but I didn't think Maestro was generally getting phased out? Seems like only yesterday that it replaced Switch.
I wonder if this is something to do with all merchants who accept Maestro having to implement the supposedly "extra secure" 3D Secure Code stuff...
We got a letter from Barclays telling us we had to implement it by the end of June (10 days notice) before Mastercard started fining companies up to $25,000 per day or something stupid like that...
What I'd like to know is how something, that if you've "forgotten" your password just allows you to reset it after providing your easily obtained birth date, is meant to be secure...
Lets face it, google checkout is easier to replace than your debit card.
Oh well, I quite liked google checkout too.
This is because you need to enable 3D secure in order to continue accepting payments on this payment method. If you dont they are liable for big sum money fines.
3D Secure/Verfied By Visa has to be the worst thing invented - the average user doenst remember their password (us techies usually do).
I personally think google have done it the correct way - they way Mastercard/Visa have pushed 3D secure on everyone is shocking.
First Google Checkout, the only payment method for the Android Market, only allows Maestro cards to buy apps priced in GBP (which is very, very few apps - I gather developers can only set the price for their nationality and no other prices), and now this... It's rather disappointing!
Maestro/Mastercard are garbage. They've clearly reversed the polarity on their fraud prevention system. Either that or they've built it around the Nokia firewall principle of "block everything and make it impossible to unblock".
I'm trying to get rid of them from my life. I hate them so much.
...HSBC have dumped them as their debit card of choice as well (and that happened quite quickly too), which must have been a fairly chunky number of customers.
I got a note from HSBC UK a few weeks ago saying that they were phasing out Maestro as it is going to be closed. Now whether this is Maestro as a whole, or just HSBC UKs involvement I am not sure. Either way I now have a new Visa card instead of my old Maestro.
Guess that is consolidation for you and Google are simply prempting.
Of course there is the small matter that Maestro has an upfront transaction fee AND then a % transaction fee, so on anything less than around 20 quid, it's simply not worth a stores time to accept it for online payments - and definitely not worth it for values less than a tenner.
When my Switch / Maestro card was renewed in January First Direct sent me a Visa Debit card instead, maybe Google had forewarned them...
A lot of banks now will not accept ANY maestro transactions without the 3d secure password, which is clearly why google have taken their ball home.
However, maestro plus visa/mastercard have been very sneaky here with 3d secure.
If your card is in the 3d secure scheme, yet you have not registered for a 3d secure password, you are responsible for any fraud commited using the card.
For example, if you have a barclays debit card, those cards are in 3d secure. Even if you dont use it on the internet, if the password has not been setup then the banks hold no responsibility for the fraud, neither do the retailers (who foot the bill on non 3d secure transactions).
As an online retailer, this was a fact we were made aware of by our bank months ago, yet as a consumer I've not been told a thing about this. The majority of transactions will still go through without a password.
@Rtdro: If you have a Maestro card at present, I doubt you will for long. IIRC all major banks are ditching Maestro.
I'm having to update a payment system to implement 3DSecure just because MasterCard have enforced it on Maestro transactions. I can only assume they've done this to increase 3DS use without harming MasterCard if it all goes wrong - which it is, considering that all major banks are ditching Maestro and many merchants are no longer accepting it (my PSP even has an option to refuse all Maestro payments).
As for being more secure, it's simply not and that's just a cover for its real purpose - it offloads responsibility from the card companies to customers if they're enrolled, and to merchants if the merchant isn't using 3DSecure.
Of course, once I've finished updating the payment system to handle 3DSecure, it's on to PCI DSS - another huge pile of crap from the card issuers.
They are converting all their customers away to Visa Delta when their old cards run out.
I guess I won't be using anything but cash from now on as even my bank says Visa won't approve me for a card despite having a near perfect credit rating and had until recently a Platinum Amex for business and zero outstanding balances on any cards.
Cash is King.
Long live the king.
Grenade - to blow up all the banks who treat their customers like a POS.
A lot of merchant acquirers are dropping acceptance of Maestro, google is just the latest in a long line who dont want to or wont deal with Maestro.
The whole "Verified by Visa" thing is a crock of shit whose ONLY purpose is to put the onus for lack of Visa security onto the customer. If you forget your password, you just need one extra bit of information to change the password there and then to make the purchase. Not exactly secure AT ALL, yet it allows Visa to pretend.
Both my credit and debit cards have changed from mastercard/maestro to visa/visa debit. It would seem that mastercard is getting too bossy with the banks and the merchants and had forgotten that they can easily be dropped in favour of visa.
@sandman Why the google hate? How is this possibly evil?
To be honest, I can't blame Google for this. This month the payment card industry group have insisted that 3D Secure is mandatory for Maestro; it costs shitloads to implement and is of absolutely no benefit to the merchant. (In fact, it appears to put legal pressure on the merchant or the customer, as if 3D Secure is used for a fraudulous transaction, it couldn't POSSIBLY be the bank's fault)
3D Secure and PCI-DSS are costing our medium-sized business more than we can afford; but as a B2C supplier we also cannot afford to turn paying customers away. We just *have* to let them pay with Maestro if they want - it counts for 20% of our payments. I'm just dreading the day (this week) that we turn 3D Secure on; I'm suspecting we'll see a drop in payment quantities as customers reach the VbV/MSC page, get confused and annoyed, and abandon the transaction.
Anyway - good on Google if, as I suspect, they're refusing to implement 3D Secure - hopefully enough people will do that and tell the banks to fuck off and just take our customer's money. Unfortunately, either way, they'll have screwed over plenty of small/medium customers in the process.
As I recall the UK banks handed over the running of the Switch debit card scheme to Mastercard a few years back, Mastercard rebranded it Maestro.
The banks/mastercard don't make much out of Maestro debit , it's a fixed fee to the retailer (30 odd pence - total 30p) and thats it. It incurs no % of the transaction charge, unlike the competing credit card schemes (30 odd pence plus 2.2% or so of the transaction value, so on a £100 transaction that totals a charge of around £2.50).
Since getting hold of it, Mastercard/Banks seems to have buggered around with the scheme to make using Maestro Debit inconvenient for both cardholders and merchants, IMO because it's not as profitable and competes with the more lucrative credit card business.
I don't know why Google have declined to be upfront, and simply state why they are dropping such an important debit card scheme? Perhaps it is to do with 3D Secure (Securecode, Verified by Visa), but the 3D system is already deliberately used to distort and limit competition within the online payments market.
There really does need to be an OFT investigation into the continued undermining of the less profitable debit card schemes. These debit card schemes should be properly protected, we shouldn't be pushed towards indirectly paying £2.50 to the card schemes/banks just to purchase £100 of goods online, just because the debit card schemes have been made delibrately difficult and unattractive to use.
I forget where, but I recently visited an online store which had a notice to the effect that they "only accept UK issued Maestro cards".
I can't stand this 3d secure / verified by visa stuff...
I have several cards, and don't buy stuff online that regularly... I tend to forget the passwords and have to reset them every time, so all it does is provide an annoyance.
It typically comes up as an iframe inside a site, ie without a url bar so you can't verify that it's really coming from visa/mastercard or that it's even using ssl... A malicious site could easily spoof it.
Many criminals acquire card details from keyloggers these days, so it just gives them something else they need to log...
For the legit user tho, it's just more hassle, more passwords to lose, more incentive to use the same password everywhere or print it on a postit note etc...
Some people may be getting a nasty surprise when they find their adwords accounts suspended as Google have dropped it as payment for that with only a few weeks notice.
I feel sorry for the retailers who have Checkout as their only payment provider here. Bam - a big chunk of their UK market has just gone down the toilet. There must be scores of people - myself included - who own only a Maestro card.
IIRC, Maestro transactions cost more than Visa Debit transactions, so this could be a factor.
The Maestro system in the UK is a mess anyway - whose bright idea was it to use the existing Switch network and thus make international Maestro incompatible with UK Maestro? I'm surprised that MasterCard hasn't forced the banks to switch to MasterCard Debit cards yet, which are processed through the MasterCard network.
We had a VbyV password changed on one account - lucky we spotted the warning email immediately and A&L blocked the account before the toe rags used it! The rumour at the time being you only need a date of birth to change a forgotten password.
Conversely this week my mother's account failed to accept a 3DS registration with no explanation AFTER insisting we made one - aborting the transaction.
As others have said the whole modus operandi seems to be to push the blame to the account holder rather than the merchant or bank. And their pages are easy to spoof AND the security needs only a DoB to revise it.
BROKEN!
Myself and my wife have a joint account with a Visa debit and credit card. The VbV system is too stupid to know if it's me or my wife making the payment thereby requiring me to remember both my wife's and my own passwords so that I can successfully complete the transaction depending on whichever account it randomly decides needs to verify it.
And to repeat what has already been said, how can doing this in an iframe and being able to reset the password by entering a dob possibly be secure enough to absolve the banks of all responsisbility for fraud.
What a joke.
Colin
I don't really care what name is on the service/card/website. If you won't accept my payment, someone else will.
My Maestro card has served me well over the years, the 3D Secure thing works fine, unlike the verified by visa shite that never seems to remember the correct password after you reset it. Each time I order with my VISA card I have to reset my VbV password as it doesnt remember the last one I entered.
Something is obviously going on here - it means either way that google checkout wont be getting my business and businesses will be losing money because of it!
------------------
It typically comes up as an iframe inside a site, ie without a url bar so you can't verify that it's really coming from visa/mastercard or that it's even using ssl... A malicious site could easily spoof it.
------------------
Crap isn't it? - but that's PCI preferred method of doing it to circumvent pop-up blockers. Yes, I have recently completed the full 3D Secure & PCI DSS compliance malarky at the company I work for. Incidentally the iframe content doesn't come from either Visa or Mastercard but the customer's bank - if their bank isn't enrolled in the scheme 3DS verification is bypassed (unless you configure your PSP systems to block non-authed transactions).
The benefits of 3D Secure are to the card issuers and the merchants - the card issuers (Visa/Mastercard) accept less liability and the merchants can get a reduced cost-per-transaction charge... as I understand it, the card HOLDER is no more liable for the transaction than they were before - it's their bank that picks up the cost of the fraud rather than Visa/Mastercard. I guess the bank may well have a "Fuck You" clause however that'll shift liability to the customer.
PCI DSS compliance has the tiny benefit that your site has to undergo regular automated penetration testing to pick up on some of the more common security pitfalls (it's by no means perfect though). If you know what you're doing you're probably well aware of most of these issues anyway.
------------------
The VbV system is too stupid to know if it's me or my wife making the payment thereby requiring me to remember both my wife's and my own passwords
------------------
That's not necessarily the VbV system itself - it's more likely to be shonky implementation on the part of your bank.
So I'm nearly done building a site for a friend of a friend. Nothing too special, just selling vehicle light films. Then I notice something buried in the back of the inbox from last week telling me that the guys I'm using for the Buy Now buttons aren't accepting Maestro cards any more.
Well that means me and anyone else who have their accounts with Yorkshire can't buy from the site in its current shape. I've not checked to see what details he's registered with for the live account. So, it's going to be another phone call, another round of entering details and the choice of whether he wants to just use PayPal or PayPal _and_ Google Checkout, which effectively means using two systems at once.
Of course I could write something with a database and a system that tracks its own orders, talks through SSL secured XML APIs ("oh by the way it'll cost another £$€wtf to buy a certificate mate") and just uses the online transaction provider for.. well.. the transaction, but all I and the client want is to have a few pages on the web that have "THIS COLOUR, WANT? (OK)" and "SEND US MAILINGS! ^_^" I shudder to think what anyone with anything complex relying on Google Checkout is going to have to do to hack around this.
So it's probably going to be byebye Google Checkout. Sorry guys. I wanted to give it a go, the UI is reasonably slick, but you need to support ALL common cards or that's a lot of people who can't do business with a lot of online shops.
