This is one of a series of articles introducing the different Payment Service Providers (PSPs) that we work with at Spektrix - the focus of this article is on SagePay, the PSP that we recommend for all UK users.
Click on one of the links below if you want to go directly to that part of the article.
What is a PSP?
Payment Service Providers facilitate the processing of card payments, sitting between Spektrix and your merchant bank (or American Express). The PSP provides a connection between Spektrix and the merchant bank, while the merchant/acquiring bank actually processes the payments.
As well as providing a payment gateway (i.e. the connection between Spektrix and the acquiring bank), PSPs allow you to configure fraud protection rules, and set up security processing features (such as 3D Secure) and address checking. They also provide a secure method of storing cards, outside of Spektrix.
What’s the relationship between a PSP and my bank(s)?
In order to process payments through Spektrix, you need the following:
- A merchant account from an Acquiring Bank: for the purpose of accepting card payments.
- A Payment Service Provider: to actually process the card payments.
- A business bank account: for somewhere to direct and keep your money.
For more information on merchant accounts and how to get everything set up, see this article.
How does SagePay work with Spektrix?
Spektrix has an overall aggregate account with SagePay, which allows us to negotiate the best deal for you in terms of fees. SagePay fees are included in all of our current price plans, so there are no additional costs for using SagePay.
If you have any questions about your SagePay account you will need to get in touch with Spektrix, and we can then speak to SagePay on your behalf.
My SagePay
SagePay provides a secure online portal called My SagePay where you can set fraud protection rules, find records of all transactions, and (depending on access privileges) even make refunds directly. The details for this are as follows:
- URL: https://live.sagepay.com/MySagePay
- Vendor Name: the name of your organisation, as set up with SagePay.
- Username: your individual login for My SagePay.
If you think you should have a login for My SagePay but don’t know your details, you will need to speak to whoever in your organisation is responsible for the SagePay account. For security purposes, Spektrix Support can’t set up logins to My SagePay.
Verifying whether a transaction has been successful
You can use My SagePay to verify whether a transaction has been successful or not, and to check the fraud results of each transaction.
Web and MOTO transactions show up in My SagePay in real time, in the Transactions page.
You can filter this page by date (hourly, daily, weekly and monthly, as well as by specific date range) and by result (success, failure or all) to help narrow down your search. There’s also an advanced button which gives you the option of searching by various other metrics to narrow it down yet further.
Transactions from within your search period will show up one per line, with successful payments as green lines and failed payments as pale pink lines.
The columns shown in the screenshot above are the defaults, although you can add or remove columns if you’d prefer. This is what the default columns show:
- Customer Name: the customer’s name as shown in the address section of their Spektrix customer record.
- Type: the type of transaction, whether a Payment or a Refund.
- Vendor Tx Code: the transaction (or TX) code for that transaction - this should match the TX code against the payment in Spektrix.
- Amount: the value of the transaction.
- Received: the date and time at which the transaction was made.
- CV2/Add/PC/3D/Fraud Screening Action: these all show a green shield for a successful check and a red shield for a failed check.
If you can’t get enough information about a transaction from the default columns, just click anywhere on that line and you will see a popup containing additional information.
From this popup you can check the customer’s address details, the authorisation details for the card, and the results of your fraud checks.
NOTE: if you’re looking for a particular transaction that shows up in Spektrix but you can’t see it in My SagePay, chances are it was an ambiguous payment which was confirmed in Spektrix despite the payment not having reached SagePay. In other words, if you can’t see a payment in SagePay, it didn’t go through.
Chip & PIN transactions
EPOS transactions (i.e. payments made using a chip & PIN terminal) will show up in My SagePay but not until the following day. You can find these transactions in the Card Machine Transactions section of My SagePay.
From here you can narrow down your search in the same way as when looking for Web and MOTO transactions, however only successful transactions will show up. EPOS transactions also don’t show the customer details or Vendor Tx code, however you should be able to find the right transaction using either the Received field or the last four digits of the customer’s card number.
Zero Value Authorisations (ZVAs)
If you have Card Holder Wallets enabled in your Spektrix system and a customer adds a new card to their Wallet in the My Account section of your website, they may be asked to complete a 3D Secure (3DS) challenge when storing a card here if their bank requests one. This is called a Zero Value Authorisation (ZVA) which increases the security of customer cards stored in cardholder wallets.
When a customer completes this authorisation, you will see an additional row against stored card authorisations in the 'Transactions' section of MySagePay. This will be visibly different from the rows for payments. It will include:
- Type = "Authenticate"
- Amount = "0.00"
- Vendor TX Code = A random xxx digit code made up of letters and numbers
Exporting
Any time you look at transactions in My SagePay you can export the results as a CSV by clicking on the Export to CSV button at the bottom of the screen.
If you need more or less information in the output of the CSV, click on the show/hide columns option to amend which columns you want to include.
Fraud protection rules
There are various ways you can customise the way in which you use SagePay’s fraud protection services. These are designed to allow you to find a balance between taking payments quickly and simply, and limiting the risk of potentially fraudulent transactions.
You don’t want to be too strict, bearing in mind that tickets don’t hold a particularly high fraud risk (as customers have to attend in person to collect their ‘goods’), so ideally you should aim to avoid unnecessary barriers to your customers buying tickets. If you find yourself getting a lot of chargeback requests then you might want to tighten your fraud protection up, but otherwise you want to make your customers’ journeys as easy as possible.
These rules are all available in My SagePay within the Settings tab - to be able to access this tab, each user will require the Settings account privilege.
AVS/CV2 checking
You can select whether you want SagePay to check customers’ CV2 numbers and addresses as part of the fraud checks. We recommend that you always keep this on in principle, for security purposes - SagePay will then check each customer’s address, postcode and CV2 details before approving a transaction. To check or amend your CV2 settings, go to Settings > AVS/CV2 in My SagePay.
If you have CV2/AVS checking switched on, you also need to add one or more rules to apply to each transaction. If you don't set up any rules, SagePay won't reject transactions based on the AVS/CV2 results, despite recording them.
NOTE: Santander and Clydesdale Banks no longer accept AVS/CV2 checks for card payments. This means for any organisations using either of those receiving banks and rely on AVS/CV2 checks only will likely see payments failing. Other banks might also follow this method in the future, making CV2 checks unreliable. If you have any questions regarding this, please contact the Support, Training & Consultancy Team who will be happy to help.
You can add CV2 rules which differ depending on the value of a transaction - just click the Add rule button in the AVS/CV2 page.
You can set as many rules as you like, each for a different value range, with one or more of these options for what SagePay should accept.
NOTE: some banks may authorise transactions even when an incorrect CV2 value has been provided. This is rare, but to mitigate the risk of this happening you can create an AVS/CV2 rule with all the boxes unticked (i.e. being as strict as possible).
- Accept DATA NOT CHECKED: transactions will be approved even if no checks have been made on CV2, address and postcodes.
- Accept ADDRESS MATCH ONLY: transactions will be approved if address and postcode checks have passed, but the CV2 check failed.
- Accept SECURITY CODE MATCH ONLY: transactions will be approved as long as the CV2 check succeeds, even if the address and postcode checks have failed.
- Accept NO DATA MATCHES: transactions will be approved even if none of the address, postcode or CV2 checks succeed. We do not recommend you use this option.
NOTE: for address checks, the first line of the customer's address in Spektrix needs to exactly match what their bank has on record. This is especially important for customers who live in flats, or whose addresses run across two lines.
Please note, in order to be compliant with Payment Services Directive 2, you must enable 3D Secure.
SagePay allows you to turn on 3D Secure, which is an additional online security method (for example Verified by VISA or Mastercard SecureCode). With 3D Secure set up, customers booking online will see the relevant prompt (depending on what type of card they use) and be asked for their 3D Secure password before being able to proceed and complete their transactions.
You can turn 3D Secure on and off in Settings > 3D Secure within My SagePay.
As with the CV2 checks, you can set up rules determining when 3D Secure should be used. From the 3D Secure page, just click the Add rule button.
- Perform the 3D secure authentication: ticking this box ensures that 3D Secure is enabled for the price range you’ve defined. This box must be ticked if you set up any rules.
- Accept non-3D secure cards to be authorised: 3D Secure is not optional for countries such as the U.K. and R.O.I. that are required to adhere to Payment Services Directive 2. However, 3D Secure is still optional for other countries, such as the U.S.A.. Selecting this option allows customers who don’t have it enabled to be processed for authorisation.
- Accept authorisations when MPI errors occur: selecting this option means transactions can proceed even if the 3D Secure functionality (outside of SagePay) ever drops out.
- Accept cards from non-3D secure issuers to be authorised: tick this box to allow cards which don’t have 3D Secure functionality to be used. Currently only Visa, MasterCard and American Express are eligible for 3D Secure.
- Accept 3D secure failures to continue for authorisation: this will allow a transaction to proceed even if the 3D Secure check has failed.
N.B. - If you do set up 3D Secure rules you need to ensure you are covering all transaction ranges and you are always ticking the box to enable 3D Secure checks. Unticking this box means transactions in that range aren't being checked for 3D Secure and are therefore non-compliant with PSD 2.
If you have Card Holder Wallets enabled in your Spektrix system and a customer adds a new card to their Wallet in the My Account section of your website, they may be asked to complete a 3D Secure (3DS) challenge when storing a card here if their bank requests one. This is called a Zero Value Authorisation (ZVA) which increases the security of customer cards stored in cardholder wallets.
In order for ZVA to work, your MySagePay settings will need to be configured to perform 3DS checks on all payments from £0/€0. Skipping this step won't break anything, but doing it will increase card security for your customers.
***
If there’s anything else you want to know about SagePay or the My SagePay online portal, or if you have any questions, please contact the Spektrix Support Team.