INFORMATION FOR CARDHOLDERS
Payment via Internet in the DinaCard System

The number of Internet users in Serbia is on a constant rise; hence, online shopping is becoming ever more popular. Performing online payment transactions differs in more ways than one from paying for goods and services at a point of sale, i.e. neither the customer nor his/her card is physically present and there is no direct communication with the merchant. Online shopping offers numerous advantages for both customers and merchants – a purchase can be made at any time and from any place, without going to a point of sale, and it reduces costs and increases trading volumes for merchants.

Banks currently offer their clients two types of payment via Internet in the DinaCard system:

  • payment by already issued debit/credit cards
  • payment by virtual cards.

DinaCard holders who wish to use their cards for online payment should register for this service with the card-issuing bank, provided the bank offers such service. If a card-issuing bank does not offer online payment service in the DinaCard system, DinaCard holders may register for this service with one of the banks issuing virtual or standard DinaCards for payment via the Internet.

Safety

The constant rise in the number of Internet users and the specific conditions under which online payment transactions are performed – the fact that neither the customer nor his/her card is physically present at the point of sale – raise the issue of the safety of using payment cards on the Internet. As more risks are attached to online shopping than to the standard way of shopping (by going to a point of sale), safety measures have been introduced to eliminate these risks and make online shopping safer.

  • If a bank in the DinaCard system decides to enable online shopping by already active debit or credit DinaCards, specifying the limits on the value of Internet transactions is compulsory. A bank may specify the same limit for all its customers or leave it to customers to define their own limit.
  • As an additional safety measure, banks can introduce the so-called user “authentication”, i.e. identity check at the time of online payment. It can be performed by entering a one-time or permanent password, by a digital certificate on a CD or a chip, by a token etc. This measure ensures that a card is used by the “actual” holder of the card only.
  • Another safety measure is payment on the Internet by virtual DinaCards, which are intended for online payment only. These cards physically differ from the “standard” cards and cannot be used at ATMs and POS terminals, as they contain only such information as is necessary for online shopping (user name, card number, card expiry date and CVV2). A virtual card is not necessarily made of plastic like a regular card. It is up to the bank to choose the format of virtual cards (paper, e-banking, etc.). Users of virtual cards are advised to keep only small amounts on these accounts and to pay in larger amounts right before they decide to shop online.

User advice:

  • When shopping online, use only a protected web browser if you are visiting a webpage containing the form for entering the DinaCard number, and always check whether the webpage address starts with “https”. The “https” letters at the beginning of the address of a webpage which contains the form indicate that the data entered in the form will be sent in an encrypted form, i.e. will be protected as they travel over the Internet.
  • When paying online, carefully read all the information. Never ignore and close messages appearing on screen without reading them.
  • Under no circumstances should you enter your PIN code when shopping on the Internet. Data requested for shopping in the DinaCard system are first name, last name, card number, card expiry date and CVV2. If user authentication is needed, a password may be requested. However, password and PIN are two different codes used for different purposes. A password is used for online payment, while PIN is used at ATMs and POS terminals.
  • Banks in the DinaCard system shall never request confidential personal information via e-mail or on a website. Sometimes, when shopping on the Internet, the trader’s website may request the name and the delivery address. If you receive a request to submit this or even more confidential information (card number, account number, etc.), ignore it, as it is probably an attempt at abuse.

Internet merchants

Merchants who wish to start accepting DinaCard for the payment of their goods and services on the Internet should sign a contract with one of the banks in the DinaCard system offering the service of acquiring DinaCard payment cards on the Internet. The bank will provide them with all the information needed and shall clarify terms of offering goods and services to be paid by DinaCards on the Internet. On the basis of data submitted by the acquiring banks, a list of Internet merchants will be posted on the DinaCard system website on a monthly basis.

Communication between the DinaCard user and a merchant is performed on the merchant’s website. More information on the implications of DinaCard payments over the Internet for acceptant merchants can be found in the following chapter.

Implications of DinaCard payments over the Internet for acceptant merchants

Merchants offering to their clients Internet purchase of goods and services with DinaCard payment cards are required to display the DinaCard logo on their websites. The logo is to be provided by the bank with which the contract on DinaCard Internet acceptance has been concluded.

If retail services also include delivery, the merchant has to post a special delivery form to be completed by the buyer (receiver’s name and surname, delivery address, buyer’s name and surname and, optionally, contact details such as buyer’s telephone number and e-mail).

Merchants wishing to offer on-line payments for their goods or services via DinaCards must enter into a contract with a bank certified for Internet acquiring of DinaCard payment cards. The acquiring bank ensures connection to the DinaCard system, and provides the merchant with instructions and training regarding the collection of payments. The merchant’s site must be logically connected to the Payment Gateway (PG) system, which enables the processing of on-line payment transactions in the DinaCard system; the acquiring bank provides the merchant with the technical data for connecting the website to the PG system. The merchant redirects customers to the Payment Gateway site (SSL protected) to enter payment card details (PAN, expiry date and CVC) and continue the transaction. No PANs or CVCs are to be entered on the merchant site.

  • PAN (Primary Account Number) is a 16-digit numeric code embossed on the face side of a payment card. With virtual cards, PAN is not necessarily embossed on the card itself – it may be delivered to the cardholder in the form decided by the card issuer.
  • CVC (Card Validation Code, also known as CVV2 – Card Verification Value 2) is a 3-digit number printed on the back of the card, most often on the signature strip. CVC is a security feature giving increased protection against fraud, especially in “card not present” transactions over the Internet. Just like the PAN, the CVC is not necessarily printed on virtual cards. It may be delivered to the user in the form decided by the card issuer.

Other details of message exchange between the merchant and Payment Gateway are defined by the Payment Gateway and the merchant is obliged to comply with them.

Storing CVC values or complete card numbers on merchant or Internet provider’s site is not permitted. Unauthorized storing of data such as PAN and CVC may incur merchant liability in the event of card fraud and other similar offenses.
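A merchant can check its own application logs or database exports for data that must not be stored there. The sketch below is an added example, not part of the DinaCard or Payment Gateway material: the log format, field names and function names are assumptions, and it treats a passing Luhn check digit (ISO/IEC 7812) as a confidence signal only, so every 16-digit run is still reported.

```python
import re

# 16 digits, optionally grouped in fours, not embedded in a longer digit run
PAN_RE = re.compile(r"(?<!\d)(?:\d{4}[ -]?){3}\d{4}(?!\d)")
# A 3-digit value next to a key named cvc/cvv/cvv2 (key names are assumptions)
CVC_RE = re.compile(r"(?i)\b(?:cvc|cvv2?)\b\W{0,4}(\d{3})(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn check: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask(digits: str) -> str:
    """Keep first 6 and last 4 digits so the report itself holds no full PAN."""
    return digits[:6] + "*" * 6 + digits[-4:]

def scan(lines):
    """Return (line_no, kind, confidence, masked_value) for each suspected leak."""
    findings = []
    for n, line in enumerate(lines, 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            conf = "high" if luhn_ok(digits) else "low"
            findings.append((n, "PAN", conf, mask(digits)))
        for _ in CVC_RE.finditer(line):
            findings.append((n, "CVC", "high", "***"))
    return findings

# Constructed sample log lines (not real card data)
SAMPLE_LINES = [
    "order=1001 status=authorized redirect=payment-gateway",
    "order=1002 debug card=1234 5678 1234 5670 exp=12/30",
    'order=1003 form={"cvc": "123"}',
    "order=1004 ref=2024010112000042",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LINES):
        print(finding)
```

A "low" finding, such as a 16-digit order reference, still needs a manual look before it is dismissed.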

Merchants are obligated to show sales-related information on their website, such as information on prices, VAT, means of transport and expected delivery time, on how customers are notified of cancelled and problematic transactions (by e-mail, telephone, etc.), and on the possibility of returning and replacing damaged or defective goods.

The Internet purchase process is broken up into two phases:

  1. the buyer makes an on-line purchase authorizing the bank to transfer an appropriate amount from his/her account (authorization); after that
  2. the merchant ships the goods or provides the service and concludes the purchase deal by selecting that transaction for clearing (final settlement and debiting of the buyer’s account and transfer of funds to the merchant).

Delivery of goods/services

In order for the goods/services to be delivered, they first have to be shipped/provided. Only then can the merchant select the authorized transaction for clearing by using the Payment Gateway service.

If the merchant cannot deliver the goods/services purchased by the customer, he/she is obligated to cancel the authorization (through the Payment Gateway service) and notify the customer of the aborted sale (by e-mail, telephone, etc.) using the buyer information entered during the Internet purchase process. If the merchant fails to deliver the goods/services purchased and the transaction has already been selected for clearing, he/she shall cancel the transaction in the process of clearing.

A signed delivery receipt for goods/services is considered a proof of delivery by the merchant. The receipt must contain the following elements:

  • receiver’s name and surname,
  • receiver’s permanent place of residence and ID card number,
  • delivery address,
  • time of goods/services delivery (year, month, day and hour),
  • receiver’s signature, and
  • signature of the person who had delivered the goods/services.