Using business cards online

Everything is available online, from information to entertainment content. Online shopping with card payment has become a usual way of getting a desired product or service in just a few clicks.

Although online shopping is simple and fun, check what you have to be careful about to protect yourself from frauds: Safe use of cards.

Online payment with a card starts:
1. by selecting a desired product or service
2. by entering your personal details, such as your name and surname, as well as your delivery address
3. and by entering your card details: card number, expiration date and/or the three-digit number from the back of the card (so-called CVC).

All Zagrebačka banka cards support the 3-D Secure security standard, i.e., reliable authentication is ensured when making online payments with Zaba cards.

After entering your card details, the transaction authorization method depends on whether the point of sale accepts the security standard or a certain exception applies (e.g., small-value transactions, subscriptions - recurring transactions, etc.).

It is recommended to make payments at retail stores supporting 3-D Secure (Mastercard Identity Check, Visa Secure).

For paying with cards at online shops supporting the security standard, you need a Bank PS m-token. If you do not have a PS m-token, you can request it from your Relationship Manager/Corporate Banker. The PS m-token service itself is free of charge.

Mastercard and Visa are discontinuing support of the old version of the security standard for online card payment authentication.

Important: On 26 June 2024 the possibility of authorization of a payment transaction by card at an online point of sale via m-token by entering MAC/APPLI2 data, is terminated and it is implemented a new way of authorizing with QR code.

The new way of authorizing card transactions at the online point of sale will be as follows:

• Confirmation in the computer browser

Confirm the transaction via m-zaba push message which you received on your mobile device.

If you want to authorize the transaction with the displayed QR code, do it in four steps: 1. Download new version of m-zaba, 2. Choose m-token 3. Choose „Scan QR code“ option 4. Confirm transaction.

• Confirmation in the mobile device

m-zaba push message will arrive to your mobile device (which may take up to 30 seconds). In case you haven't received it, we will resend it. After receipt, open it and confirm. Then click „Continue“.

If you haven't received it, check in your device settings if receiving push messages for m-zaba is enabled. After checking, repeat the purchase.

Frequently Asked Questions:

What is the 3-D Secure security standard?

The 3-D Secure security standard is a cardholder identification service which allows secure online shopping using Visa debit cards and Mastercard and Visa credit and charge cards. When using your corporate card to make an online payment, you confirm your transaction by using the bank’s PS m-token.

Which Zagrebačka banka cards can be used for online payments?

All corporate cards may be used online and they support the 3-D Secure security standard. Only an authorised representative of the relevant entity may arrange online usage and have limits defined for corporate debit cards made available to authorised users.

How to pay using a card if the 3-D Secure security standard is implemented?

Card transactions online could be authorized via m-zaba push message or by scaning the QR code, depanding on the way of performing the transaction (browser or app-based transaction).

1. 3DS PUSH METHOD via biometrics or PIN

Prerequisites for receiving push-messages:

- m-zaba - the option of receiving push messages is included (More-Settings-Notifications)

- settings on mobile devices on which is installed m-zaba - it is necessary to check whether the permissions for receiving m-zaba messages are turned on

Payment on mobile application of the merchant on the same device on which m-zaba is installed:

1. After selecting payment confirmation in merchant's application, you would simultaneously receive a push message from the Bank and the Bank's screen with payment transaction information would be displayed:

After opening the push message with biometric or PIN, the new screen for online payment will be displayed. First you need to accept (Potvrdite) the online payment before you click on Continue (Nastavite) on previous screen:

1. Please check the merchant name, amount, date before click on accepting the online payment (Potvrdi). 

2.  If all data matches your purchase, please click on Potvrdi on this screen and Nastavi on previous screen.



Please open the push message as described above. When the push message is opened and confirmed, this screen would automatically be closed and there is no need to scan also the QR code.



The method is available while using card for payments on browser based merchants or the push message is not available. After the Bank's screen is displayed, you need to login in m-token.

How to shop online using my debit or credit business cards?

On online shops supporting the 3-D Secure security standard, you confirm your payment using your PS m-token by following the instructions appearing on the screen. If you do not have a PS m-token, you can request it from your Relationship Manager/Corporate Banker ( more information). The PS m-token service itself is free of charge.
Only a duly authorised person may arrange corporate cards and enable the online shopping limit option for end users of the card.
At online stores that have not implemented 3D Secure, no token authorisation screens will be displayed.

Why is the security standard enabling screen not displayed?

This screen is not displayed at retail stores that have not implemented the 3-D Secure security standard or where a certain exception from the implementation of reliable authentication applies (e.g., for small-value transactions or recurring transactions - various subscriptions, etc.). The security of using a card for online payments depends on the security standards implemented by retail stores.
Zagrebačka banka ensures that card payments remain secure and has implemented the 3D Secure security standard for all cards issued by Zagrebačka banka.

In addition to the security standard implemented, which other card security measures are taken?

For security reasons, Zagrebačka banka additionally defines daily spending limits and the maximum number of transactions for different cards. Such defined limits may be changed at the cardholder’s request, depending on the needs and habits associated with using payment cards. Please contact the company’s authorised representatives to check the agreed card limits.

What is important to check before using websites where cards are used for payment (PayPal, Google, Amazon, etc.)?

Before using an online shop where cards are used for payment or where your card number is saved for future payments, please thoroughly examine and check all terms and conditions, save your username and password, and always sign out when you are finished.

In addition to the card number expiration date, online shops ask for my CVV or CVC or a security code. Where can I find this information?

CVV (Card Verification Value) or CVC (Card Verification Code) is a 3-digit number appearing on the back of your card.

What should I be careful about when booking accommodation (hotel, apartment, etc.) online?

Each time they shop online, including booking and/or paying for accommodation using their payment card, the user must read the accommodation service provider’s business terms and conditions and whether or not any payment will be required in case of failure to appear or early departure. In certain situations, the offer is particularly favourable precisely because the accommodation service provider does not provide the option to subsequently cancel the accommodation or modify the terms of the reservation, in which case the customer will not receive a refund of the advance payment made using their card. It is also recommended to only use your card at sites known to be secure and, in case you do not know the service provider’s language, retain the service from a local travel agency.

What should I do if I want to cancel a card-based subscription for a service arranged online (for example, a daily/monthly/annual subscription to an online magazine or professional portal, online game subscriptions, etc.)? Do I need to block the card and submit a complaint to Zagrebačka banka?

As this service was arranged with an online store, please read the terms and conditions of using the service available on their website, which should include information about the options of cancelling the service and the relevant notice period, if any. You should submit your subscription cancelation request to the online store. As an exception, if you are unable to have your service cancelation request processed (the website is no longer available or the service provider denies your request), you can contact the bank for advice. In that case, please attach your service cancelation request and all correspondence between the service provider and you as the cardholder and their customer and we will try to help.