[Transaction] Online security issue with BOI

sqdz

Hi,

I'm just facing to a security issue between Dominos and Bank of Ireland.

The "unsuccessful" payment on Dominos website (because my cryptogram was missing in the payment form), generated a "complete transaction" on BOI side! So I have been debited for a transaction where the cryptogram was not provided.

Concerning the "refund", after talking with BOI Customer Service, they will do nothing, and I should call Dominos directly (What a joke?)

At the moment, I'm waiting for a call from their IT Department concerning this issue..

So it could be possible to complete an online transaction (despite the "unsuccessful payment") with only your 16 credit card digit and expiration date.

What's a CV2/CVV2/Visual Cryptogram ?
"Most credit and debit cards carry a security code number. This number is known to the bank and printed on the card, but is not stored or printed anywhere else. Therefore, it can be used as a check that when you make your purchase you are in physical possession of the card, or have at least seen the card at some time. On most cards, the security code number is the last three digits of the number printed on the back, at the top right of the signature strip."

Also most of the bank use 3D Secure, to make sure the transaction will be fully secure. In my case, it was not triggered at all.

Please note, this is a small amount, however my concern is "what BOI will do if the amount was bigger" ?

I plan to move to AIB this week, because I care about the security of my bank account.

Ally Dick

The shadow transaction will drop off eventually 

Bank of Ireland: Aisling

sqdz wrote: »

Hi,

I'm just facing to a security issue between Dominos and Bank of Ireland.

The "unsuccessful" payment on Dominos website (because my cryptogram was missing in the payment form), generated a "complete transaction" on BOI side! So I have been debited for a transaction where the cryptogram was not provided.

Concerning the "refund", after talking with BOI Customer Service, they will do nothing, and I should call Dominos directly (What a joke?)

At the moment, I'm waiting for a call from their IT Department concerning this issue..

So it could be possible to complete an online transaction (despite the "unsuccessful payment") with only your 16 credit card digit and expiration date.

What's a CV2/CVV2/Visual Cryptogram ?
"Most credit and debit cards carry a security code number. This number is known to the bank and printed on the card, but is not stored or printed anywhere else. Therefore, it can be used as a check that when you make your purchase you are in physical possession of the card, or have at least seen the card at some time. On most cards, the security code number is the last three digits of the number printed on the back, at the top right of the signature strip."

Also most of the bank use 3D Secure, to make sure the transaction will be fully secure. In my case, it was not triggered at all.

Please note, this is a small amount, however my concern is "what BOI will do if the amount was bigger" ?

I plan to move to AIB this week, because I care about the security of my bank account.

Hi there sqdz, 

Thanks for getting in touch with us here on Boards. 

If an unsuccessful/cancelled transaction takes place on a Visa Debit Card, the transaction should automatically re-credit your current account in 3-5 working days. 

If this doesn't happen, you will need to link in with Dominos as they will have to issue a refund/release the funds on their side. 

Some online merchants or retailers opt in for Verified by Visa codes, this is why it does not always appear when you purchase something online. 

Please be assured that our Card Security Team consistently monitor our customers accounts, and if anything is suspected fraud we would contact the customer. 

Thanks, Aisling. 

sqdz

Bank of Ireland: Aisling wrote: »

sqdz wrote: »

Hi,

I'm just facing to a security issue between Dominos and Bank of Ireland.

The "unsuccessful" payment on Dominos website (because my cryptogram was missing in the payment form), generated a "complete transaction" on BOI side! So I have been debited for a transaction where the cryptogram was not provided.

Concerning the "refund", after talking with BOI Customer Service, they will do nothing, and I should call Dominos directly (What a joke?)

At the moment, I'm waiting for a call from their IT Department concerning this issue..

So it could be possible to complete an online transaction (despite the "unsuccessful payment") with only your 16 credit card digit and expiration date.

What's a CV2/CVV2/Visual Cryptogram ?
"Most credit and debit cards carry a security code number. This number is known to the bank and printed on the card, but is not stored or printed anywhere else. Therefore, it can be used as a check that when you make your purchase you are in physical possession of the card, or have at least seen the card at some time. On most cards, the security code number is the last three digits of the number printed on the back, at the top right of the signature strip."

Also most of the bank use 3D Secure, to make sure the transaction will be fully secure. In my case, it was not triggered at all.

Please note, this is a small amount, however my concern is "what BOI will do if the amount was bigger" ?

I plan to move to AIB this week, because I care about the security of my bank account.

Hi there sqdz, 

Thanks for getting in touch with us here on Boards. 

If an unsuccessful/cancelled transaction takes place on a Visa Debit Card, the transaction should automatically re-credit your current account in 3-5 working days. 

If this doesn't happen, you will need to link in with Dominos as they will have to issue a refund/release the funds on their side. 

Some online merchants or retailers opt in for Verified by Visa codes, this is why it does not always appear when you purchase something online. 

Please be assured that our Card Security Team consistently monitor our customers accounts, and if anything is suspected fraud we would contact the customer. 

Thanks, Aisling. 

Well I will wait until next week, however an "unsuccessful/cancelled" transaction should not appear in "completed transaction" ?

Please understand, if a transaction is complete on BOI side, without a cryptogram provided, the responsibility should not be Dominos but BOI.

At the moment BOI is washing its hands of all kind of responsibility, and did not try to investigate a minimum on their side, even a bank online like Paypal care more about their customers and provide a better service.

We can close that thread.

Regards.

Bank of Ireland: Aisling

sqdz wrote: »

Bank of Ireland: Aisling wrote: »

sqdz wrote: »

Hi,

I'm just facing to a security issue between Dominos and Bank of Ireland.

The "unsuccessful" payment on Dominos website (because my cryptogram was missing in the payment form), generated a "complete transaction" on BOI side! So I have been debited for a transaction where the cryptogram was not provided.

Concerning the "refund", after talking with BOI Customer Service, they will do nothing, and I should call Dominos directly (What a joke?)

At the moment, I'm waiting for a call from their IT Department concerning this issue..

So it could be possible to complete an online transaction (despite the "unsuccessful payment") with only your 16 credit card digit and expiration date.

What's a CV2/CVV2/Visual Cryptogram ?
"Most credit and debit cards carry a security code number. This number is known to the bank and printed on the card, but is not stored or printed anywhere else. Therefore, it can be used as a check that when you make your purchase you are in physical possession of the card, or have at least seen the card at some time. On most cards, the security code number is the last three digits of the number printed on the back, at the top right of the signature strip."

Also most of the bank use 3D Secure, to make sure the transaction will be fully secure. In my case, it was not triggered at all.

Please note, this is a small amount, however my concern is "what BOI will do if the amount was bigger" ?

I plan to move to AIB this week, because I care about the security of my bank account.

Hi there sqdz, 

Thanks for getting in touch with us here on Boards. 

If an unsuccessful/cancelled transaction takes place on a Visa Debit Card, the transaction should automatically re-credit your current account in 3-5 working days. 

If this doesn't happen, you will need to link in with Dominos as they will have to issue a refund/release the funds on their side. 

Some online merchants or retailers opt in for Verified by Visa codes, this is why it does not always appear when you purchase something online. 

Please be assured that our Card Security Team consistently monitor our customers accounts, and if anything is suspected fraud we would contact the customer. 

Thanks, Aisling. 

Well I will wait until next week, however an "unsuccessful/cancelled" transaction should not appear in "completed transaction" ?

Please understand, if a transaction is complete on BOI side, without a cryptogram provided, the responsibility should not be Dominos but BOI.

At the moment BOI is washing its hands of all kind of responsibility, and did not try to investigate a minimum on their side, even a bank online like Paypal care more about their customers and provide a better service.

We can close that thread.

Regards.

Thanks for getting back to us sqdz, 

All transactions go though a pending stage on an account, meaning they are not completed or fully processed on an account until this time has elapsed. 

If the transaction fully processes on your account after this time, the funds would be with Dominos and therefore it would be necessary for them to issue you with a refund. If they confirm with you that they rejected/cancelled the transaction it is currently being reversed and the funds will automatically credit your account. 

Please be assured that we monitor all of our customers accounts and our card security team will be in touch if they wish to confirm a transaction with you, alternatively if you do not recognise a transaction on your account we would always advise you link in with the team directly on 01 488 54 66.

Thanks, Aisling.

sqdz

Bank of Ireland: Aisling wrote: »

Thanks for getting back to us sqdz, 

All transactions go though a pending stage on an account, meaning they are not completed or fully processed on an account until this time has elapsed. 

If the transaction fully processes on your account after this time, the funds would be with Dominos and therefore it would be necessary for them to issue you with a refund. If they confirm with you that they rejected/cancelled the transaction it is currently being reversed and the funds will automatically credit your account. 

Please be assured that we monitor all of our customers accounts and our card security team will be in touch if they wish to confirm a transaction with you, alternatively if you do not recognise a transaction on your account we would always advise you link in with the team directly on 01 488 54 66.

Thanks, Aisling.

Hi Aisling,

I believe you have a misunderstanding of my issue.

I know a transaction could be a in a pending stage on my account ("Today's Transactions & Transactions in Progress"), or "complete".

In my case, the transaction is in "Completed Transactions", and I never provided the cryptogram during the payment ! So here, this is NOT AN ISSUE WITH DOMINOS, but with BANK OF IRELAND, because BOI should NOT accept/complete this transaction without all the information of a credit card!.

Also did you investigate anything in my account ? No, you are just providing a generic answer.

Regards.

Tow

'CV2/CVV2/Visual Cryptogram' is not required.  It is up to the merchant if they want to implement it.  Many don't, as is the one point most valid transactions fail.

sqdz

Tow wrote: »

'CV2/CVV2/Visual Cryptogram' is not required.  It is up to the merchant if they want to implement it.  Many don't, as is the one point most valid transactions fail.

Thanks Tow

1st order:
- Visa checkout,
- email/password provided,
- Payment failed in the VisaCheck module.

2nd order:
- Visa checkout
- email/password provided
- code received by text for 3d secure provided
- cryptogram provided
- transaction is complete.

I understand there is a 3rd party tool like Realex payment, Global Payments, to make a "bridge" between Dominos website and their Bank.

Do you mean we can complete a transaction without filling the Cryptogram/3d secure core (even if it's shown in their payment form), and BOI will just authorize/complete a transaction ?

I'm very surprised (and disappointed) that BOI will didn't do anything and let their customer resolve their own issue ? :-/

Bank of Ireland: Aisling

sqdz wrote: »

Tow wrote: »

'CV2/CVV2/Visual Cryptogram' is not required.  It is up to the merchant if they want to implement it.  Many don't, as is the one point most valid transactions fail.

Thanks Tow

1st order:
- Visa checkout,
- email/password provided,
- Payment failed in the VisaCheck module.

2nd order:
- Visa checkout
- email/password provided
- code received by text for 3d secure provided
- cryptogram provided
- transaction is complete.

I understand there is a 3rd party tool like Realex payment, Global Payments, to make a "bridge" between Dominos website and their Bank.

Do you mean we can complete a transaction without filling the Cryptogram/3d secure core (even if it's shown in their payment form), and BOI will just authorize/complete a transaction ?

I'm very surprised (and disappointed) that BOI will didn't do anything and let their customer resolve their own issue ? :-/

Thanks for getting back to us here sqdz, 

I completely understand your frustration on this, and really sorry you feel this way. 

Please be assured with a pending payment it generally correct within 5 business days on your account. If the payment completed, Dominos should be able to easily resolve this with you. If you have any difficulties with Dominos regarding the payment that has complete you can certainly raise a visa debit dispute, and we will certainly liaise with Dominos on your behalf to resolve it for you. 

I have attached the link to our Dispute Form below. 

Thanks, 
Aisling. 

https://www.bankofireland.com/help-centre/faq/can-get-purchase-refunded-credit-card-debit-card/

sqdz

@Tow :
During the payment process, it seems the cryptogram was not required at this time, and BOI authorized/completed the transaction despite the error message from VisaCheck.


CVV2 (wikipedia):
"This code is often sought by merchants for card not present transactions occurring by mail, fax, telephone or Internet. In some countries in Western Europe, card issuers require a merchant to obtain the code when the cardholder is not present in person"

So I believe it's apply of all type of online transaction in Ireland ?

Gooser14

sqdz wrote:

CVV2 (wikipedia): "This code is often sought by merchants for card not present transactions occurring by mail, fax, telephone or Internet. In some countries in Western Europe, card issuers require a merchant to obtain the code when the cardholder is not present in person"

Maybe Ireland is one of the Western European countries where it is not a requirement to provide the code in all instances.