Dear Schools and Parents,

With more and more transactions processed online every day, there is an ever increasing need to remain vigilant when making payments online. We at SchoolMoney feel it is important to inform our users of the safety measures implemented on the system and some of the steps we’ve taken to provide our users with a safe, secure, and reliable experience when making payments. Below we have outlined steps that we would advise you to take should anything suspicious occur during your experience.

If your Card is Declined

Should your card be declined we would advise you to take the following actions:

• Take a screenshot of the error message or make a note of it.
• Immediately contact your Issuing Bank to find out the reason. This is the bank that owns the card that you are using to make this transaction.
• Whilst speaking to your Issuing Bank please have to hand your card details and the name of the website you are trying to pay through.

Verified by VISA / Mastercard SecureCode and 3-D Secure requests

When you make a card payment online, after entering your card details you are presented with a Verified by VISA page, or if using a Mastercard, you will be taken to a MasterCard SecureCode page. These are the schemes’ proprietary 3 Domain Secure (aka 3-DS or 3-D Secure) services.

3-DS provides an additional layer of security for eCommerce transactions prior to authorisation and fulfils the requirements of the latest Payment Service Directive (PSD2) through Strong Customer Authentication (SCA). The three parties involved in the 3-DS process are:

• The merchant; in this case the merchant is SchoolMoney
• The card issuer; in most cases this is a bank or building society
• VISA or Mastercard

And, when necessary, the consumer will be asked to validate that the transaction is being initiated by the rightful owner of the account. 3-DS does this by supporting the requirements of the SCA, where two of the three requirements below must be met:

• Something only the customer has (e.g. a mobile device)
• Something only the customer knows (e.g. a password)
• Something only the customer is (e.g. a fingerprint)

Through using EMV® 3-D Secure (formerly known as 3DS 2.0) to authenticate Card-Not-Present transactions. PSD2 SCA can be fulfilled.

You should never be asked for an ATM PIN.

ATM PIN Requests

3-DS will never ask for your card’s ATM PIN.

If you are prompted to enter an ATM PIN or anything other than a username or password, DO NOT enter anything. This will ensure that your money and bank details remain safe.

Take a screenshot of the page before closing it and delete the entry from your browser history.

Log out of the SchoolMoney system and close your browser completely.

Please choose another time and possibly another device to make the payment.

Following the above steps will ensure that your bank details and money remain safe.

Next, contact your Issuing Bank to report what happened.

This ATM PIN request is linked to a phishing attack and likely occurred through clicking on an unsecure or malicious link, pop-up or email un-related to SchoolMoney on your device recently.

The phishing attack is not caused by using SchoolMoney and is a standalone incident targeting your device alone. However, this does not mean your device is at risk. This situation is rare and unfortunately is not something that can be resolved by SchoolMoney or their partners.

Devices

Devices at risk include mobile phones, tablets, laptops and computers.

School Payment Questions?

If you have any questions, please contact support@schoolmoney.co.uk

More information about 3-DS can be found via the following links:

https://www.visaeurope.com/making-payments/verified-by-visa/

https://www.mastercard.co.uk/en-gb/consumers/features-benefits/securecode.html