Who Pays For Credit Card Breaches?

kdawson posted more than 7 years ago | from the buck-stops-where? dept.

Security 313

PetManimal writes "A scheme to steal customers' credit and debit card information at a New England supermarket chain highlights a little-understood fact about credit card security: Customers still think that the credit-card companies have to eat fraudulent charges, but since the PCI DSS standards were adopted, it's actually the merchant banks and merchants who have to pay up. And, according to the blogger writing in the latter article, it's a good thing: 'The main reason PCI exists is that there are tens of thousands of merchants who don't understand the basics of information security and weren't even taking the very minimum steps to secure their networks and the credit card information they stored... PCI pushes that burden downstream and forces merchants to... put in a properly configured firewall, encrypt sensitive information and maintain a minimum security stance or be fined by their merchant banks... [T]he credit card companies have taken the bulk of the financial burden off of themselves and placed it on the merchants, which is where much of it belongs...'"

The customer pays. Always. (5, Insightful)

Anonymous Coward | more than 7 years ago | (#18084936)

The merchant has to make a living, the credit card company too. The money for fraud can only come from the end of the chain: the customer. The only notable thing here is that all customers pay, not just the ones who use a credit card.

Re:The customer pays. Always. (2, Informative)

HomelessInLaJolla (1026842) | more than 7 years ago | (#18085150)

The only notable thing here is that all customers pay, not just the ones who use a credit card
Some pay more equally than others, though. It works like a pyramid scheme. The government uses the same principle: it is the reason why we have hundreds of different hidden taxes in thousands of different places.

"We screw the other guy to pass the savings on to you."

Re:The customer pays. Always. (1)

redelm (54142) | more than 7 years ago | (#18085692)

Yes of course some customers pay more. It's called "market segmentation". Different people pay different amounts in an attempt to capture the range of consumer utility while maintaining volume.

Re:The customer pays. Always. (1)

hf256 (627209) | more than 7 years ago | (#18085514)

Err, no the customer rarely "pays". The merchant has always had to pay for any fraudulent charges, in some cases the charges aren't fraudulent but the customer can still dispute them and the merchant gets the shaft. The worst that can happen to the customer is that their card will be cancelled.

Re:The customer pays. Always. (0)

Anonymous Coward | more than 7 years ago | (#18085576)

Directly the customer might not have to "pay". Indirectly though, the customer has to take the time to clear things up, which in some cases, can be hours or days worth of their time.

Re:The customer pays. Always. (1)

sqlrob (173498) | more than 7 years ago | (#18085584)

The merchant gives the credit card company money.

To offset that, the prices are raised. So yes, the customer pays.

Re:The customer pays. Always. (5, Insightful)

Bastard of Subhumani (827601) | more than 7 years ago | (#18085792)

To offset that, the prices are raised.
If the market would stand that higher price, why wasn't it being charged to start with? Conversely, if the market won't stand it, then lower volume (yada elasticity yada) could mean the merchant makes even less money.

Re:The customer pays. Always. (0)

Anonymous Coward | more than 7 years ago | (#18086376)

The market accepts the higher price because the customer gets additional value: protection from fraud. It's like an insurance. You pay a small surcharge every time, but in return you get a convenient payment method that allows chargebacks in the few cases where the merchant tries to screw you. The customer however is still the one who pays for it, one way or another.

Re:The customer pays. Always. (0)

Anonymous Coward | more than 7 years ago | (#18085822)

But raising prices usually won't earn him back everything he loses (since people will buy less once the price goes up) so both the customer and the merchant pay.

Re:The customer pays. Always. (1)

gfxguy (98788) | more than 7 years ago | (#18085840)

The prices are raised, and the consumers shop elsewhere.

Fact is, it's usually the merchant's fault. Or, at least in my case, where every single fraudulent purchase I've had made with my cards (and there's been a lot, sadly) have come, 100% of the time, from merchants who didn't verify the card owner when the shipping address was different than the billing address.

Keep in mind, credit card fraud is different from identity theft. I've had my identity stolen, too. You may now be thinking I'm an idiot that doesn't protect his info, but it was a family member who had access to certain information, like my SS number.

I also always use a credit card (as opposed to a debit/credit card) because I'm protected, and I check my statements regularly. I haven't lost one penny.

So shoppers, especially online, flock to the cheapest merchants. If a merchant gets hit with a lot of losses, they raise their prices. The only way to stay competitive is to get a handle on these things before it costs them money and customers.

Re:The customer pays. Always. (1)

ResidntGeek (772730) | more than 7 years ago | (#18085664)

Where do you think the merchant gets his money? That's right, from the customers. So, if the merchant loses a lot of money to credit card fraud, how do you think he recovers the money? By selling his penis on ebay?

Re:The customer pays. Always. (1, Funny)

Anonymous Coward | more than 7 years ago | (#18085760)

So, if the merchant loses a lot of money to credit card fraud, how do you think he recovers the money? By selling his penis on ebay?

Wait ... you mean, there's another way?

STOP THAT AUCTION!

Re:The customer pays. Always. (0)

Anonymous Coward | more than 7 years ago | (#18085880)

If a merchant must keep raising prices due to his negligence of the security of his store network he will reach a point where another merchant in town (with a secure network) offers lower prices. Hence the failure to secure his own system will be his downfall in business as the consumer always has a choice to take business elsewhere and not fund stupidity.

+5 Insightful (1)

dunc78 (583090) | more than 7 years ago | (#18086144)

This should be modded +5 insightful. People aren't very good at following money, and think corporations and even more so the government are magical entities that grow money on trees. People who don't think customers are footing the bill for this are the same people that think that municipal WIFI is free.

We do! We do! (0)

Anonymous Coward | more than 7 years ago | (#18084950)

Wait, what?

Misses the point (2, Insightful)

currivan (654314) | more than 7 years ago | (#18084958)

The merchant who accepts the fraudulent charge eats the chargeback, not the one whose site is hacked. How does this encourage information security?

Re:Misses the point (2, Insightful)

Scott Lockwood (218839) | more than 7 years ago | (#18085008)

It doesn't. It makes Visa and Mastercard more profitable, however, which is what they care about.

Re:Misses the point (5, Insightful)

letxa2000 (215841) | more than 7 years ago | (#18085178)

As a merchant, this is very annoying. If I submit a charge to Visa/Mastercard and it's authorized, I should be able to count on that unless the valid cardmember has a legitimate complaint that I did not resolve and charges it back. If the use was fraudulent, as the merchant I have absolutely no way to know that--that's why I'm asking Visa/Mastercard for authorization. If they authorize the charge then they think it's legitimate, too, so why should the merchant somehow be expected to think otherwise or be held responsible for 100% of the chargeback?

To pay extortionate discount charges on every transaction and not even be able to trust that the charge is legitimate is abusive on the part of Visa/Mastercard. What's worse, a chargeback comes with a chargeback fee. So not only does Visa/Mastercard not get harmed by fraud, it profits from it. As long as that is the case, Visa/Mastercard has no motivation whatsoever to increase security and decrease fraud.

Mod parent up! (1)

khasim (1285) | more than 7 years ago | (#18085680)

As long as that is the case, Visa/Mastercard has no motivation whatsoever to increase security and decrease fraud.

EXACTLY!

Instead of working out a BETTER SYSTEM, they just pushed the fiscal responsibility for the FLAWED SYSTEM to the merchants.

The merchants are the ones LEAST ABLE to fix the existing system or implement a better system or validate that the transaction is legit.

The ONLY people that this is good for is Visa/Mastercard. They make huge profits without the risk.

The Power of Cartels (4, Interesting)

yintercept (517362) | more than 7 years ago | (#18086108)

Expanding on this thread. The credit card cartels actually benefit from the fraud since they can slam merchants with fees.

If there were competition in the credit card business, then merchants could choose different merchant services, or have more say in which cards get used.

One way for merchants to deal with credit card fraud would be for merchants to tack different service fees on to different cards. A merchant might charge a 1 percent fee on checks or debit cards, a 3 percent fee on card A, a 4% fee on card B (which seems more prone to fraud), a 5% fee on card D (which requires higher merchant fees).

As it stands, of course, the credit card companies prevent merchants from the one logical course of action in the light of credit card fraud ... charging fees based on the performance of the payment method.

The power of a cartel is that what goes around never comes around. And you get to take a percent of what goes around.

Re:Misses the point (2)

mike2R (721965) | more than 7 years ago | (#18085682)

If the use was fraudulent, as the merchant I have absolutely no way to know that--that's why I'm asking Visa/Mastercard for authorization. If they authorize the charge then they think it's legitimate, too, so why should the merchant somehow be expected to think otherwise or be held responsible for 100% of the chargeback?

You have to look at it from the other perspective though - like any merchant I'm sure you receive your share of obvious frauds (the ones you delete without even turning on your brain - 400 units of $expensive_product to Lagos etc). Maybe you're honest enough to still decline them if you knew you'd get the money, but let's face it many aren't.

At the end of the day, the merchant knows their business, and is by far the best situation to spot fraud attempts, and I don't have any problem with the majority of the risk being taken by us.

What gets to me is the total lack of interest from merchant service providers. I do think it would be better if they bore a small percentage of the risk; 10% at most, maybe 5%. Then they might actually start to care, and if they care then maybe the police would.

Some friends of mine still tell a story from pre-internet days: an obviously fraudulent order was reported to the police, who actually took action(!) Two police officers dressed as couriers delivered a fake parcel and nicked the thief when he signed for it.

This is what really gets me about internet/mail-order fraud. The risks would be huge if the police gave a shit, since frequently it is blatantly obvious, and the thief has given the place and time he's going to receive the goods, and all that has to be done is turn up and put cuffs on him. No-one cares though.

Re:Misses the point (4, Insightful)

letxa2000 (215841) | more than 7 years ago | (#18085992)

You have to look at it from the other perspective though - like any merchant I'm sure you receive your share of obvious frauds (the ones you delete without even turning on your brain - 400 units of $expensive_product to Lagos etc). Maybe you're honest enough to still decline them if you knew you'd get the money, but let's face it many aren't.

I have looked at it from their perspective and it still doesn't make sense. If someone has a history of lots of chargebacks, that merchant gets canned anyway. If I'm entering ship-to and bill-to addresses into the system and if there's something that makes them (or their computers) uncomfortable, have the merchant call in for verbal authorization where the risks are explained to the merchant and/or Visa/Mastercard can say that they won't take responsibility for the charge.

I'm not opposed to a merchant being expected to be honest enough to do due diligence. If I ship something to Nigeria and expect Visa/Mastercard to pay me, and it turns out to be fraudulent, they have a right to ask me what documentation or evidence I have that I made an honest effort to be reasonably sure the transaction was valid. If I failed to do that, they can expect me to pay for it. But if there's nothing Nigeria-like about the transaction, nothing raises my suspicion, I submit the card to Visa/Mastercard and they authorize it and confirm the zip code and CSV matches, I've done all I can. To then turn around and say, "Yeah, we know we told you the charge was authorized, we know you have the right address, zip code and CSV, but what do you know... our system sucks and even though you obviously have all the right data you could possibly provide, we're still holding you responsible."

If a merchant is fraudulently processing charges or is accepting credit cards that are obviously stolen, that's a crime that should be prosecuted in a court of law. Simply assuming all merchants are crooks and arbitrarily taking back money you already gave them is simply not acceptable.

A customer is in the "business" of buying. A merchant is in the "business" of selling. Visa/Mastercard is in the business of facilitating the transaction. That's their business and they need to make sure it works so the buyer and seller can do their business. It is not acceptable to hold either the customer or the merchant responsible for shortcomings in Visa/Mastercard's system. If a merchant gets an authorization number from Visa/Mastercard, that should be a done deal. If it's fraud, Visa/Mastercard needs to eat that charge. If that means raising the discount rate, fine, do it--and let merchants decide whether they're willing to accept credit cards given the real cost of accepting them; or the customers and/or merchants will demand real security.

I've seen it happen. (Sort of.) (4, Interesting)

Kadin2048 (468275) | more than 7 years ago | (#18086050)

Some friends of mine still tell a story from pre-internet days: an obviously fraudulent order was reported to the police, who actually took action(!) Two police officers dressed as couriers delivered a fake parcel and nicked the thief when he signed for it.

This is what really gets me about internet/mail-order fraud. The risks would be huge if the police gave a shit, since frequently it is blatantly obvious, and the thief has given the place and time he's going to receive the goods, and all that has to be done is turn up and put cuffs on him. No-one cares though.


They start to care when the amount of money exceeds trivial amounts, though. Not too long ago, I spent some time living in a house with a few guys (*cough* Craigslist *cough*). One of the other people in the house was actively engaged, I suspected, in some type of shady dealing. Needless to say, I moved out in a heck of a hurry. As it all came out later, this not-too-bright fellow thought he had discovered the perfect scheme: he was copying credit card numbers down at work, and then using them to buy things online, which he had shipped to various empty houses, and then he'd go and pick the stuff up later, and pawn or fence it on eBay. (And this is pretty much all I know about it; I don't quite get how he was getting the billing zip codes, which are usually required, or anything else.)

He got away with it for quite a while, too -- somewhere around six months, maybe more -- probably because he never used the same card more than once, never bought stuff from the same online store, and never charged more than $100 or so per card. But eventually the credit card companies must have caught on, and run all the accounts that had disputed charges through some sort of filter, and figured out that the common thread was the retail establishment where he worked. One day, according to the story I heard, they just walked in and arrested him. They had a stack of photos of him picking up packages from other people's houses, plus transaction details from the various merchants with the stolen CC numbers and the shipping addresses.

So both the credit card companies and the police have some level of interest in going after people engaged in fraudulent activity, but the bar seems to be pretty high. I've no idea how much money had to go missing before someone at one of the CC companies (or an automated program of some sort) decided to take a closer look and see what the common thread was, but it must have been in the thousands of dollars, perhaps tens of thousands.

In this case, I don't see how the merchants would have ever caught on; to all the places where things were ordered, it looked just like a regular transaction. It was only at the CC back offices, where they had the ability to cross-reference all the suspect accounts and see that they had all visited the same store within the past 24-48 hours (or whatever, I assume this is how they caught on), that they had the capability of doing anything. To push the financial burden out to the merchants, probably would have meant that he could have gotten away even longer.
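The cross-referencing step described in the comment above is often called common-point-of-purchase analysis. The following is an added example, not part of the original post and not any card network's actual system; the merchant names, card IDs, dates and thresholds are constructed for illustration. It ranks merchants by how over-represented they are in the recent history of cards that later had disputed charges, so that a store everyone shops at does not outrank the real leak.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def common_points_of_purchase(transactions, first_fraud,
                              lookback=timedelta(days=14), min_cards=3):
    """Rank merchants visited by compromised cards shortly before their fraud.

    transactions: iterable of (card_id, merchant, datetime) legitimate purchases
    first_fraud:  {card_id: datetime of that card's first disputed charge}
    Returns [(merchant, compromised_cards_seen, lift)], highest lift first.
    """
    exposed = defaultdict(set)   # merchant -> compromised cards seen in window
    baseline = defaultdict(set)  # merchant -> never-disputed cards seen there
    all_cards = set()
    for card, merchant, when in transactions:
        all_cards.add(card)
        fraud_at = first_fraud.get(card)
        if fraud_at is None:
            baseline[merchant].add(card)
        elif fraud_at - lookback <= when < fraud_at:
            # Only purchases inside the window before the first disputed
            # charge can explain how the number leaked.
            exposed[merchant].add(card)

    n_bad = len(first_fraud)
    n_clean = len(all_cards - set(first_fraud))
    ranked = []
    for merchant, cards in exposed.items():
        if len(cards) < min_cards:
            continue  # too few cards to call it a pattern
        bad_rate = len(cards) / n_bad
        # +1 smoothing keeps the ratio finite when no clean card shopped there.
        clean_rate = (len(baseline[merchant]) + 1) / (n_clean + 1)
        ranked.append((merchant, len(cards), round(bad_rate / clean_rate, 2)))
    ranked.sort(key=lambda r: (-r[2], -r[1], r[0]))
    return ranked


def build_sample():
    """Constructed data: 4 compromised cards (C*) and 6 clean cards (K*)."""
    def day(n):
        return datetime(2007, 1, 1) + timedelta(days=n)

    compromised = ["C1", "C2", "C3", "C4"]
    clean = ["K1", "K2", "K3", "K4", "K5", "K6"]
    # Everybody buys groceries: a naive "most common merchant" count ties here.
    txns = [(c, "BigGrocer", day(2)) for c in compromised + clean]
    # Every compromised card, but only one clean card, used this store.
    txns += [(c, "CornerElectronics", day(3 + i))
             for i, c in enumerate(compromised)]
    txns += [("K1", "CornerElectronics", day(4))]
    # Seen by only two compromised cards: below min_cards.
    txns += [("C1", "GasStop", day(5)), ("C2", "GasStop", day(5)),
             ("K2", "GasStop", day(5))]
    # Far outside the lookback window, so it is ignored.
    txns += [("C3", "OldBookshop", day(-60))]
    first_fraud = {c: day(10 + i) for i, c in enumerate(compromised)}
    return txns, first_fraud


def demo():
    txns, first_fraud = build_sample()
    return common_points_of_purchase(txns, first_fraud)


if __name__ == "__main__":
    for merchant, n_cards, lift in demo():
        print(f"{merchant:20s} compromised_cards={n_cards} lift={lift}")
```

Only the party that sees every card's full history can run this, which is the comment's point about where the detection capability sits.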

Re:Misses the point (1)

josquint (193951) | more than 7 years ago | (#18085712)

When I worked retail it was company policy to ALWAYS ask for ID and compare signatures on a card to the ID. Due to our credit card processing company making it known that it was OUR responsibility to verify this, as the end user is the only one that can.

On the flip side of this, I walked into Home Depot and purchased $49 worth of merchandise with a credit card in the SELF CHECKOUT and was NOT REQUIRED TO EVEN SIGN. Anything under $50 does not require a signature. Now how is it even remotely possible for them to know who is charging on the card?

As a former retailer, I very well know the frustrations of a chargeback that comes out of nowhere. As a consumer, I've found that it's quite easy to deny a charge for very little reason.

Re:Misses the point (0)

Anonymous Coward | more than 7 years ago | (#18086004)


On the flip side of this, I walked into Home Depot and purchased $49 worth of merchandise with a credit card in the SELF CHECKOUT and was NOT REQUIRED TO EVEN SIGN.


Oh yeah. That illegible squiggle on the PIN pad device is a GREAT security check.

I don't understand why _anyone_ asks for signatures any more. No one looks at them, and if you do look, then what can you compare it with? (the illegible squiggle on the tiny stripe on the back of the card?) Different input area results in different squiggle, so... what was the point?

Re:Misses the point (0)

Anonymous Coward | more than 7 years ago | (#18086034)

On the flip side of this, I walked into Home Depot and purchased $49 worth of merchandise with a credit card in the SELF CHECKOUT and was NOT REQUIRED TO EVEN SIGN. Anything under $50 does not require a signature. Now how is it even remotely possible for them to know who is charging on the card?

Would you feel better with an illegible squiggle? Requiring a signature at a self-checkout isn't very useful, since there is no person who compares it to anything.

Re:Misses the point (2, Interesting)

planetmn (724378) | more than 7 years ago | (#18086414)

As a former retailer, I very well know the frustrations of a chargeback that comes out of nowhere. As a consumer, I've found that it's quite easy to deny a charge for very little reason.

It's also quite easy to shoplift from a lot of stores, to back into somebody's car and just drive off, etc. Just because something is easy, doesn't mean that people take advantage of it.

Every chargeback I have made has been completely legitimate. One of the reasons I pay for everything on a credit card is that security it provides me. Once a merchant didn't want to obey their return policy, so I left the store and disputed the charge, got my money back. Another time, a service provider decided he deserved more of a tip than I gave them (he even called me after the chargeback and tried to argue that he deserved the additional money), again, I got my money back. I don't bother arguing with customer service anymore. If they don't follow their own return policy, I'll say thank you, walk out, and dispute the charge.

Sure, if the system is being abused, then I feel bad for the merchant. I don't personally know the percentage of instances where a chargeback is not warranted, but given to the consumer, but if as a merchant it costs you too much, don't accept credit cards.

-dave

Re:Misses the point (1)

Jonny do good (1002498) | more than 7 years ago | (#18085782)

If I submit a charge to Visa/Mastercard and it's authorized, I should be able to count on that unless the valid cardmember has a legitimate complaint that I did not resolve and charges it back. If the use was fraudulent, as the merchant I have absolutely no way to know that--that's why I'm asking Visa/Mastercard for authorization.

To me it is annoying that 90%+ of the time the merchant never checks my signature line which says "See ID" and actually ask for an ID. I understand your complaint, but when merchants blindly accept a card they should have to pay for it. I know it always ends up being the end consumer that pays, but still why should Visa/Mastercard lose their profits when merchants usually never check the card in the first place?

Re:Misses the point (1)

letxa2000 (215841) | more than 7 years ago | (#18086172)

To me it is annoying that 90%+ of the time the merchant never checks my signature line which says "See ID" and actually ask for an ID.

I'm actually talking more about card-not-present transactions which is where the real risk is. While I guess someone could steal your physical credit card and try to use it, that'd be pretty bold these days. Cards are canceled so fast that it might not even work and they'd get caught with a stolen card on their person. It'd make more sense to just silently collect credit card numbers and use them online where at least you're not right there to get caught. So I really don't think you increase your own security by asking someone to look at your ID; and if someone steals your card and some merchant accepts it, you get to charge back the whole thing anyway. So why are you concerned?

I understand your complaint, but when merchants blindly accept a card they should have to pay for it.

I somewhat agree on card-present transactions. If they don't ask for an ID, they haven't done due diligence. It's not unreasonable to ask for ID on card-present transactions. But I'm more concerned about card-not-present transactions. Visa/Mastercard has decided to allow these transactions for decades, whether it be by phone or Internet. They're more than happy to allow that even though the cards aren't present. If they're willing to accept the transaction and profit from it, they should be willing to vouch for the transaction. If I've provided Visa/Mastercard with every detail they ask for (credit card #, expiration, CSV, billing name/address and shipping name/address) and they authorize it, that's my due diligence. If they want more evidence to vouch for the transaction, they should ask for it. But for me to give them everything they ask for and then have them turn around and say it's my fault the transaction was fraudulent is bogus.

It really comes down to an antiquated system. Every bank should allow users to be able to login to their account and have master control over their card. We should be able to tell our bank that for any given card, only accept "card present" transactions. Or to "open" our card for non-present transactions for a specific period of time. Ideally, every merchant would have a public merchant ID that would be posted to websites and users would get that number and authorize a specific merchant for a specific period of time. Any transaction that didn't meet the customer's authorization specifications would be rejected. If that was done, credit card fraud would drop to almost zero and NO-ONE would lose. Except the crooks.
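A sketch of the cardholder-controlled authorization proposed in the comment above, as an added example that is not part of the original post and not any issuer's real API. All class names, field names, reason strings and merchant IDs are hypothetical; the account-standing and available-credit checks stand in for whatever the issuer already does. The point it shows is the default-deny order: once the cardholder restricts the card, a card-not-present charge is approved only by an unexpired grant or an open window.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

Window = Tuple[datetime, datetime]  # half-open interval [start, end)


@dataclass
class CardControls:
    """Rules the cardholder sets through the bank (hypothetical model)."""
    card_present_only: bool = False       # legacy default: no restriction
    cnp_window: Optional[Window] = None   # card "opened" for any CNP charge
    merchant_grants: Dict[str, Window] = field(default_factory=dict)


@dataclass
class Account:
    status: str              # "ok", "lost", "stolen", "past_due"
    available_credit: int    # in cents
    controls: CardControls = field(default_factory=CardControls)


@dataclass
class Txn:
    merchant_id: str         # the public merchant ID from the proposal
    amount: int              # in cents
    card_present: bool
    when: datetime


def inside(window, when):
    """True if `when` falls in the window; a missing window never matches."""
    return window is not None and window[0] <= when < window[1]


def authorize(account, txn):
    """Return (approved, reason): issuer checks first, then cardholder rules."""
    if account.status != "ok":
        return False, "account_" + account.status
    if txn.amount > account.available_credit:
        return False, "insufficient_credit"
    if txn.card_present:
        return True, "card_present"
    controls = account.controls
    # Card-not-present from here on. The most specific permission wins.
    if inside(controls.merchant_grants.get(txn.merchant_id), txn.when):
        return True, "merchant_grant"
    if inside(controls.cnp_window, txn.when):
        return True, "cnp_window"
    if controls.card_present_only:
        # Default deny: a copied card number alone is not enough.
        return False, "cnp_blocked_by_cardholder"
    return True, "cnp_unrestricted"


def demo():
    """Constructed scenario: one 24-hour grant to merchant M-1001."""
    t0 = datetime(2007, 2, 20, 12, 0)
    hour = timedelta(hours=1)
    controls = CardControls(
        card_present_only=True,
        merchant_grants={"M-1001": (t0, t0 + 24 * hour)},
    )
    account = Account("ok", 50_000, controls)
    cases = [
        Txn("M-1001", 4_999, False, t0 + hour),       # granted, in window
        Txn("M-1001", 4_999, False, t0 + 48 * hour),  # grant has expired
        Txn("M-2002", 4_999, False, t0 + hour),       # merchant never granted
        Txn("M-2002", 4_999, True, t0 + hour),        # physical card in store
        Txn("M-1001", 60_000, False, t0 + hour),      # over the credit limit
    ]
    return [authorize(account, txn) for txn in cases]


if __name__ == "__main__":
    for approved, reason in demo():
        print("APPROVE" if approved else "DECLINE", reason)
```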

Re:Misses the point (1)

jfengel (409917) | more than 7 years ago | (#18086388)

Yeah, that would sure be nice. I'd really like to see one of the many digital-signature checking systems catch on with merchants. The kind that involve a private key. That would put a lot more on the consumer to protect his keys, but it would take a lot of pressure off the merchant.

Theoretically paypal is such a system. I'm not sure what happens with paypal disputes, but at least it's difficult for somebody to claim that somebody stole their paypal account the way somebody can steal a credit card number, since the truly unique information rests solely with PayPal. But I'm told that PayPal is rather onerous in its other dealings with merchants.

I really think that the next move is up to the merchants to pick a system and stop accepting no-card-present transactions entirely. Those are so fraught with peril that I'm stunned that people accept them at all any more.

The credit card companies could create such a system very easily and wipe out Paypal right quick, but as others have pointed out their risk exposure is so minimal that they're perfectly content with the system as it is (and in fact even profit from it.) I know both Mastercard and Visa were working on such systems, and I really don't know what happened to them.

Re:Misses the point (1)

Dan Ost (415913) | more than 7 years ago | (#18086212)

What about on-line merchants? How are they supposed to compare your signature or view your ID?

Seriously, what protections do they have?

Re:Misses the point (1)

planetmn (724378) | more than 7 years ago | (#18086330)

It's a cost of doing business and a problem that they have to consider. Just like a retail business has to determine if the cost of a storefront and physical presence is worth the cost. If they don't like the risk, don't accept credit cards or don't set up shop.

-dave

You'd think the same with cleared checks, but no (1, Interesting)

Anonymous Coward | more than 7 years ago | (#18086000)

My friend had a cashier's check given to him by a 3rd party for a car he was selling. He took the check and deposited it into his account with a bank that sounds like TNC and is located in PA. Check clears, so he pulled out the money and uses it to buy a different car. Life seems good. A night or two later him and I decide to go shoot some pool and get some wings. He checks his account online, only to find it's nearly 3 grand in the hole. After a few rounds of calls to "TNC" he finally learns the cashier's check was a fake. Guess who's stuck with the loss even though THE CHECK CLEARED??? Not the bank! After some researching we've sorta figured out in the US and Canada, just because a check has cleared does not mean the check is legit and valid... apparently the clearing "process" is just a damn joke and is just a delay for you to get your money, not time used to check everything is correct.

After contacting the local police and being passed over to the local FBI branch he came to learn this had happened a few times before in our area. I just hope the other banks actually protect their customers better than "TNC". Needless to say he switched banks after that, and when I moved my girlfriend into the dorms at *P*itt I yelled at the people pretending to be helpers for the freshman but who were really trying to get you to sign up at "TNC". Guess you could say lesson learned the hard way.

Re:Misses the point (0)

Anonymous Coward | more than 7 years ago | (#18086258)

You're missing the point of an authorization. When you ask for an authorization, you're not asking if the card legitimately belongs to the card presenter. How would they know? The point of the authorization is to validate that (a) the account is in acceptable standing (not already reported as lost/stolen/past due/etc), and (b) the account has enough available credit for the charge. If (a) and (b) are satisfied, the auth is approved--even if Frank is using Jim's card. Sorry, but it's the merchant's responsibility to validate if it's Frank or Jim trying to use Jim's card. If they don't, and it's Frank, they'll eat the chargeback.

Re:Misses the point (1)

planetmn (724378) | more than 7 years ago | (#18086274)

If you don't like the system, don't accept the credit cards. Nobody is requiring you to. If you get chargebacks, that's part of the cost of doing business and you have to determine whether or not that is acceptable.

-dave

Re:Misses the point (1)

ShibaInu (694434) | more than 7 years ago | (#18085218)

Technically neither Visa nor MasterCard is a for profit business. It looks like that is changing, but for most of their history both companies were just a service provider to the various banks that issued credit cards. So it wasn't Visa chasing down the money, it was the bank that issued the card that was.

Re:Misses the point (1)

truthsearch (249536) | more than 7 years ago | (#18085446)

Both Visa and MasterCard have been operating for-profit for over 10 years. Visa started first, then MasterCard decided they needed to fill their coffers to keep up. I was working at MasterCard when they started to focus more on profits. The change really became a focus at the company after MasterCard lost their application with the US government to be considered a non-profit organization to avoid paying taxes.

Re:Misses the point (1)

hackstraw (262471) | more than 7 years ago | (#18086002)

It makes Visa and Mastercard more profitable, however, which is what they care about.

OK. A merchant does not have to accept credit card payments at all. It's a choice up to the merchant, and part of that choice involves the complexity of implementing a CC payment system, the cost of a percentage of profits on each transaction to the CC people, but I was under the assumption that the benefits to the merchant were:

1) more customers can buy things

and

2) they are guaranteed payment

Checks can bounce, cash can be stolen, or fake. I thought the lure of #2 was that the extra cost that they paid on each transaction was insurance that they would get paid.

I'm just a computer guy, but this is my understanding of the system. If there is no #2 benefit provided from the CC people, I don't see too much of a benefit to accepting CC payments.

Re:Misses the point (1)

Tillmann (859300) | more than 7 years ago | (#18085128)

Hi,

true, but there may have been cases where merchants are entirely aware that they're accepting stolen credit cards (and didn't care). Maybe not your average online retailer. But quite possibly the gold shop somewhere in South East Asia, who in the past happily served the suspicious-looking stranger who buys as much gold as "his" credit card limit allows.

bye,
Till

Re:Misses the point (0)

Anonymous Coward | more than 7 years ago | (#18085224)

Because the merchant who is blindly accepting fraudulent cards ISN'T being secure.

As an employee at a company that relies heavily on online credit card sales, we are extremely careful with card security, taking nearly every order with a grain of salt, verifying that the information we are given is valid and making sure the orders are not fraudulent.

Re:Misses the point (1)

Erwos (553607) | more than 7 years ago | (#18085226)

Clearly, they should have done a better job actually authenticating that the person who did the charge actually is the card owner. Good security doesn't involve just protecting credit card numbers from being stolen - it's trying to prevent those credit cards from being used fraudulently, too.

Re:Misses the point (1)

Bryansix (761547) | more than 7 years ago | (#18085708)

If you use a virtual terminal on your merchant account and sell stuff over the phone or online then you can only check the fields the merchant bank allows you to check. Even checking name, address, card number, security code etcetera will not prevent fraud in the case of a stolen customer database that would store all of that information.

The retailer is not supposed to store all of that info but many do and many store it insecurely.

Re:Misses the point (1)

multimed (189254) | more than 7 years ago | (#18085874)

Not to mention whoever got hacked - be it the merchant, MC/Visa or the issuing bank - usually manages to keep the whole thing secret. Even when it's your account info that has been stolen, they won't even admit to you that it has. Of course they justify this because you don't have to pay for fraudulent charges that result. If you catch them in time. And of course it assumes that they can't do anything else with the info. I can accept the fact that they won't ever really pay the cost when they can pass them along to us as an expense of doing business - same for fines. But there needs to be a law requiring disclosure and criminal charges for failure to disclose breaches. The bad PR and loss of public trust is the only way to punish bad security and allow consumers to be informed, not to mention actually providing them real encouragement to work harder at protecting private information.

Re:Misses the point (1)

dbaker (7409) | more than 7 years ago | (#18086286)

False. Have you ever signed a merchant contract? I have.

The merchant whose billing data was compromised is liable as well -- both for the charges, the cost of replacing cards, and fines by the issuer and/or credit card network.

It's easy to take a bunch of fraudulent charges and see which merchant they have in common to determine the source of the data. Merchants are fined more if they don't disclose a breach of data before the credit card companies discover it.
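The "see which merchant they have in common" step described in the comment above can be sketched as follows. This is an added example, not code from the thread or from any card network; the function name, the scoring rule, the merchant names and all transactions are constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data: cards 01-04 were later reported for fraud,
# cards 05-08 were not. None of this is real transaction data.
FRAUD_REPORTS = {f"card0{i}": date(2007, 2, 10) for i in range(1, 5)}
TRANSACTIONS = (
    # Everyone buys fuel: common to all cards, so it should not stand out.
    [(f"card0{i}", "GasStation", date(2007, 1, 5)) for i in range(1, 9)]
    # Every fraud card, and only one clean card, shopped here before the fraud.
    + [(f"card0{i}", "GroceryCo", date(2007, 1, 12)) for i in range(1, 6)]
    + [(c, "BookShop", date(2007, 1, 20))
       for c in ("card01", "card02", "card06", "card07")]
    # The fraudulent charges themselves: where the stolen numbers were used.
    + [(f"card0{i}", "ElectronicsOutlet", date(2007, 2, 10)) for i in range(1, 5)]
)


def common_point_of_purchase(transactions, fraud_reports, min_fraud_cards=3):
    """Rank merchants by how over-represented they are in the pre-fraud
    history of compromised cards compared with cards that stayed clean.

    Returns a list of (merchant, fraud_rate, clean_rate, score) tuples,
    highest score first, where score = fraud_rate - clean_rate.
    """
    fraud_seen = defaultdict(set)   # merchant -> fraud cards seen before the fraud
    clean_seen = defaultdict(set)   # merchant -> never-reported cards seen
    all_cards = set()
    for card, merchant, when in transactions:
        all_cards.add(card)
        first_fraud = fraud_reports.get(card)
        if first_fraud is None:
            clean_seen[merchant].add(card)
        elif when < first_fraud:
            # Only purchases made before the first fraudulent charge can
            # point at the place the number was taken from.
            fraud_seen[merchant].add(card)

    n_fraud = len(all_cards & set(fraud_reports))
    n_clean = len(all_cards - set(fraud_reports))
    if n_fraud == 0:
        return []

    ranked = []
    for merchant, cards in fraud_seen.items():
        if len(cards) < min_fraud_cards:
            continue  # too few compromised cards to say anything
        fraud_rate = len(cards) / n_fraud
        clean_rate = len(clean_seen[merchant]) / n_clean if n_clean else 0.0
        ranked.append((merchant, fraud_rate, clean_rate, fraud_rate - clean_rate))
    ranked.sort(key=lambda row: (-row[3], row[0]))
    return ranked


if __name__ == "__main__":
    for merchant, fraud_rate, clean_rate, score in common_point_of_purchase(
            TRANSACTIONS, FRAUD_REPORTS):
        print(f"{merchant:18} fraud={fraud_rate:.2f} clean={clean_rate:.2f} "
              f"score={score:.2f}")
```

Comparing against the clean cards is what keeps a merchant that everybody uses from being flagged just because every compromised card also shopped there.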

Credit cards? (0)

Anonymous Coward | more than 7 years ago | (#18084964)

How do credit cards work? [howstuffworks.com]

Re:Credit cards? (0, Offtopic)

Brad Eleven (165911) | more than 7 years ago | (#18085082)

Business partners (1, Flamebait)

HomelessInLaJolla (1026842) | more than 7 years ago | (#18085014)

Credit card companies are branches of banks (who else has money to lend?). They are affiliated, strongly, with insurance and investment companies. Just as any other large corporation when one division suffers a loss then, in nothing more than the ledger book, the losses are distributed amongst the other divisions.

Think about that next time the interest rates on home mortgages goes up, or the premium on the insurance plans, or when the quality of service for medical insurance goes down, or when the price of motor fuel goes up...

These things happen because the businesses are recouping losses. Why are credit card rates so high?

Re:Business partners (2, Insightful)

Ctrl-Z (28806) | more than 7 years ago | (#18085120)

Why are credit card rates so high?
Because that's what the market will bear? Credit card companies aren't having any difficulty finding people to lend money to at exorbitant rates.

Federal Reserve is privately owned (1)

HomelessInLaJolla (1026842) | more than 7 years ago | (#18085248)

Credit card companies aren't having any difficulty finding people to lend money to at exorbitant rates.
The illusion of a multi-trillion dollar federal debt, passed along to the taxpaying public through taxes, is a convenient business model, n'est-ce pas?

Re:Business partners (1)

Rakishi (759894) | more than 7 years ago | (#18085156)

Why are credit card rates so high?

Interest rates? Likely there are a lot of cc debts which are simply never paid off. Furthermore it's not like anyone has to pay interest rates, it's not that hard to realize that CC are not free money and that the balance should be paid off each month. There are some exceptions to that (school, emergencies, etc.) but I doubt most CC interest charges are from them.

Medical partners (0)

Anonymous Coward | more than 7 years ago | (#18085380)

"Likely there are a lot of cc debts which are simply never paid off"

The MAJORITY of that is medical bills. That's why the bankruptcy laws were changed.

Re:Business partners (1, Insightful)

Anonymous Coward | more than 7 years ago | (#18085284)

Credit card companies are branches of banks (who else has money to lend?).

Depends what you mean by "credit card company". Mastercard & Visa are not banks, they just rent out their name to banks. It's the bank that issues the cards. Mastercard & Visa set some standards in their contracts with the banks.

On the other hand, American Express is not a bank. They issue their own cards themselves.

Why are credit card rates so high?

They are high because they can be. Credit card rates are (generally) unregulated and determined by the free market. Many people with high credit card rates don't realize that there are many, many other credit options available to them.

Either get a credit card with a low interest rate, or get a line of credit and pay your credit card in full every month from your line of credit. Generally, lines of credit have lower rates than credit cards.

Re:Business partners (1)

rainman_bc (735332) | more than 7 years ago | (#18085484)

the losses are distributed amongst the other divisions.

Think about that next time the interest rates on home mortgages goes up


That's just ignorant on your part. Interest rates on mortgages are tied to the bond market. Any move in the yield curve will present itself in the mortgage market.

Now mortgage brokers have made lenders so competitive that the spread between bond rates and mortgages should be nominal at best. Mortgage lenders profit by issuing bonds ( borrowing money ) and issuing bonds ( lending money ). The spread is their profit, and it's pretty slim.

And who holds bonds? You do. In your pension fund, or your 401(k), etc. Anyone can buy them. Heck, you can buy your own mortgage even if you want to, although the rate of return is so nominal that it's not really worth it right now - you can better invest your money elsewhere.

Re:Business partners (1)

king-manic (409855) | more than 7 years ago | (#18085870)

or they are gouging. There is no guarantee they are simply charging a fair price. It may not be collusion but they compete with each other and many industries no longer compete on price. They compete only on marketing.

PCI? (2, Funny)

AikonMGB (1013995) | more than 7 years ago | (#18085090)

And here I thought they implemented PCI to make it easier to attach peripherals to your computer O_o I can't keep up with the world today.

Nothing as secure as nothing at all (1)

BronsCon (927697) | more than 7 years ago | (#18085092)

Face it, you can have your credit/debit card information stolen by direct sight, security camera recording, straight through the network, by some guy getting lucky and guessing, by a social engineering attack and, I'm sure, by means I can't think of at the moment.

Hell, you aren't safe with cash, either; you could be mugged, oh and now they have your credit and debit cards, driver's license, and if you're completely stupid (or on your way from somewhere where you need it), your social security card.

Keeping it in the bank isn't safe, either. ATMs are prone to the same network attacks as credit/debit terminals; not to mention, that off-branded ATM may be logging your card number and PIN for the purpose of duplicating your card and using it to drain your account.

The most secure person I know lives behind a dumpster in the alleyway a few blocks down from where I work. He has no money, in any form, to steal. He has no belongings, save the clothes he is wearing. You know what, he's happy.

Re:Nothing as secure as nothing at all (1)

Skye16 (685048) | more than 7 years ago | (#18085256)

Until a bunch of middle class suburban teenagers show up with a few baseball bats and beat him to death [cnn.com] .

I guess that's a small price to pay for being safe from fraud, though.

Yeah this makes a lot of nonsense (1, Insightful)

RaigetheFury (1000827) | more than 7 years ago | (#18085094)

So what about all the stolen credit card information. You actually think people who steal information from a grocery store are going to spend it on groceries! "Yeaaaah boy... them hams weren't on sale..". Please just take a look at the credit card ads that go around with people voice synching the people who stole their information. The merchants have NO IDEA and NO METHOD PROVIDED BY THE CREDIT CARD COMPANIES to identify someone beyond the basics. Sure the above ad talks about people scanning the information passed along a network but still. They are going to take that information and use it with another merchant who had NO PART in the original theft. It's punishing the wrong people. There is no 100% secure method in existence. Fraud should be laid on those who make a profit off using credit cards. That's definitely not the merchants as they are already being robbed by the credit card companies. Up to 8% of a total sale goes to them. Seriously... who's the thief. Merchants don't have the power, money, or infrastructure to track down these thieves. The Credit Card companies do. Oh wait we should leave this up to the police. Yeaaaa... I'm an application developer and I've worked with credit applications. While the merchant obviously needs to bear the responsibility of making their networks as secure as possible the ultimate responsibility should NOT lie with them. It should lie with the credit card companies for making it so easy to steal this information. The new scannable credit cards are the WORST. You just have to walk near someone with one and walla you have all their information you need unless it requires the 3-4 digit number on the back. Even then the method used to steal these credit cards would still work. If you put the burden on those that loan the money it makes them develop more secure practices. The merchant can't tell the credit card company how to make their cards or their security.

Re:Yeah this makes a lot of nonsense (1)

operagost (62405) | more than 7 years ago | (#18085520)

You just have to walk near someone with one and walla
Please... French is only my second language and I'm thoroughly pissed at seeing this garbage. It's "voilà".

Re:Yeah this makes a lot of nonsense (1)

Billism (714386) | more than 7 years ago | (#18085766)

My thoughts EXACTLY.

Article is Wrong (5, Informative)

scribblej (195445) | more than 7 years ago | (#18085126)

Merchants have been responsible, not VISA, all along. It's ALWAYS been that way.

I say that as someone who's been in the industry for ten years, so I'll admit maybe things were vastly different before I got here. But for at LEAST the last decade, merchants have eaten fraudulent charges.

Here's how it works in a nutshell. I'll assume an internet ("e-commerce") transaction since it's what I'm most familiar with.

1) Evil bad guy steals a credit card number.
2) Evil bad guy makes a charge from Bob the Merchant
3) Bob the Merchant ships Evil Bad Guy his product.
4) Joe, the actual owner of the credit card sees the charge on his statement.
5) Joe calls Bob the Merchant and says, "Why did you charge me?"

At this point, the only thing Bob the Merchant can do is issue a refund to Joe. He'll never see his product that Evil Bad Guy took, or the money, ever again. What happens if he refuses to give Joe his money?

6) Joe calls his issuing bank and asks for a chargeback.
7) Bob the Merchant is forced by his merchant account provider to refund the money to Joe. Also, to pay a chargeback fee of somewhere around $50, and if he gets more than 1% of his charges returned as chargebacks, VISA refuses to ever let him do business with a domestic bank again.

So who loses here? Not VISA. Not Joe, the cardholder. Not Joe's issuing bank. The merchant, is out product and money, and there's jack-all he can do about it.

There is only one exception I am aware of: Verified by Visa. If a merchant uses VBV on his website, then VISA will guarantee the charges, and if there is a chargeback, VISA will eat the cost. This is a HUGE change from how things have always worked in the past. However, no one uses VBV because it requires the CARDHOLDER to take extra steps to sign up and become active, but the CARDHOLDER has no reason to care, since he's already protected.

Anyhow. Long before PCI, long before CISP, long before any of the security standards were standards, the merchants were already responsible for all fraudulent charges. It's the way things are. PCI makes a much cleaner audit trail when things go south, but it's not really about fraud nearly as much as it's about data security. There's a few tiny parts of PCI that address a few particular cases of fraud, and ALL the rest of it is about data security and handling policies.

Re:Article is Wrong (2, Informative)

Rakishi (759894) | more than 7 years ago | (#18085360)

no one uses VBV

Newegg does and signing up is rather trivial actually, the bitch is remembering the password (assuming I'm thinking of the right system). It takes me a lot longer to add an alternative (shipping) address to the CC and many websites require that (including some whose incompetence at being able to check it leaves me shocked).

Re:Article is Wrong (4, Insightful)

scribblej (195445) | more than 7 years ago | (#18085442)

Well, of course I was exaggerating when I said "no one." But it's interesting to hear your view. :) I didn't realize newegg provided it.

As for the "address" info - a very well-written system put in front of the credit card processing networks will do a real postal database lookup on an address. That's nice. It's also exceedingly rare. What you normally get for address verification is what the credit card processing networks themselves provide: AVS, the Address Verification Service.

A few interesting notes on AVS:

1) It only validates the digits in the street address and zip code, nothing else. So 123 Fake Street and 123 Oak Street are exactly the same in its eyes.
2) It never rejects a transaction. Even if the address is wrong, it's approved. It's up to the merchant to check the response from the credit card processing network that says "the address was right" or "the address was wrong" or a dozen values of "the address was kinda' right" and then void the transaction if the response is unacceptable to them.

2 is becoming a little less true recently, though - several issuing banks have taken it on themselves to reject the transaction even if the AVS standard says they aren't supposed to. I think this is a good thing.
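The two AVS notes in the comment above (digits-only matching, and an approval that arrives regardless of the address result) can be modelled in a few lines. This is an added example, not code from the thread or from any processor; the result labels, function names, the digit-extraction rule and the sample account are all hypothetical, and real network response codes differ.

```python
import re

# Hypothetical result labels for this example, not the card networks' codes.
FULL, STREET_ONLY, ZIP_ONLY, NO_MATCH = (
    "full_match", "street_only", "zip_only", "no_match")


def avs_digits(street, zip_code):
    """Reduce an address to the only parts the comment says are compared:
    the digits of the street line and the (first five) digits of the zip.
    Taking every digit of the street line is a simplification."""
    street_digits = "".join(re.findall(r"\d", street))
    zip_digits = "".join(re.findall(r"\d", zip_code))[:5]
    return street_digits, zip_digits


def avs_compare(on_file, submitted):
    """Compare two (street, zip) pairs the way a digits-only check would."""
    file_street, file_zip = avs_digits(*on_file)
    sub_street, sub_zip = avs_digits(*submitted)
    street_ok = file_street == sub_street
    zip_ok = file_zip == sub_zip
    if street_ok and zip_ok:
        return FULL
    if street_ok:
        return STREET_ONLY
    if zip_ok:
        return ZIP_ONLY
    return NO_MATCH


def authorize(account, amount, submitted_address):
    """Model of the network side: approval depends on account standing and
    available credit only. The AVS result rides along as information."""
    approved = account["in_good_standing"] and amount <= account["available_credit"]
    return {"approved": approved,
            "avs": avs_compare(account["billing_address"], submitted_address)}


def merchant_decision(response, acceptable=(FULL,)):
    """Merchant side: the merchant must read the AVS result itself and void
    an approved transaction whose address result it will not accept."""
    if not response["approved"]:
        return "declined"
    if response["avs"] not in acceptable:
        return "void"
    return "capture"


# Constructed sample account, not real cardholder data.
ACCOUNT = {
    "in_good_standing": True,
    "available_credit": 500.00,
    "billing_address": ("123 Oak Street", "92037"),
}

if __name__ == "__main__":
    for address in [("123 Oak Street", "92037"),
                    ("123 Fake Street", "92037"),
                    ("742 Elm Road", "92037"),
                    ("742 Elm Road", "10001")]:
        response = authorize(ACCOUNT, 50.00, address)
        print(address, response, "->", merchant_decision(response))
```

A merchant that captures on `approved` alone behaves like `merchant_decision` called with every label in `acceptable`: the mismatched address goes through.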

Re:Article is Wrong (1)

ps_inkling (525251) | more than 7 years ago | (#18085966)

I have seen more web sites that use VBV. My credit card was "automatically and for my convenience" signed up for VBV by my issuing bank. More than once I've cancelled my order instead of dealing with the additional verification.

When I finally needed to buy from NewEgg, it took 3 or 4 tries to get through the VBV crap page (unblock popups, unblock cookies, allow JavaScript). Surprised it let me try that many times. I was not impressed with the security or functionality, from the consumer standpoint.

Re:Article is Wrong (1)

spydum (828400) | more than 7 years ago | (#18085516)

Right on, I completely agree. PCI may seem like a gigantic pain in the ass, but if you really knew how many of these online e-commerce systems kept track of your personal information and credit card #'s, you'd be shocked. Unfortunately, even though the PCI policies are clear, and requirements are spelled out, not everyone follows them. The audits required are flimsy at best.

Exactly how it should be. (0)

Anonymous Coward | more than 7 years ago | (#18085542)

The merchant is the one responsible !

Do an experiment. Pay for stuff with a card for a week. Count the number of times that the clerk actually:

Looks at the name on the card.
Checks the back of the card for a signature.
Asks to see ID in the absence of a signature (or where you might write "CHECK ID" in big bold letters)
Asks to see your ID period.

You may be surprised. I routinely use my wife's personal card, which has only her name on it, and nobody even gives as much as a glance at the name.

It's really so bad, that when people do ask to see my ID (I write "CHECK ID" on all my cards.) that I thank them.

Point is: If a merchant can't be bothered to verify the identity of the card bearer, as well as the card owner, then they fully deserve to be out their merchandise and their money.

Re:Article is Wrong (1)

HomelessInLaJolla (1026842) | more than 7 years ago | (#18085672)

if he gets more than 1% of his charges returned as chargebacks, VISA refuses to ever let him do business with a domestic bank again
Who offers a form of chargeback insurance to the merchants? The whole system is such a racket that someone must be working that angle.

Re:Article is Wrong (1)

Not_Wiggins (686627) | more than 7 years ago | (#18086008)

3) Bob the Merchant ships Evil Bad Guy his product.

Does Bob the Merchant have access to Joe's credit-card billing address?

I'm going to plead total ignorance here, but it would make sense that, with that information, Bob could ask Visa/MC if the billing address is the same as what's on file for the card. No, it doesn't eliminate all fraud, but it would certainly reduce it.

I think the point of making merchants liable was because they're the ones accepting the payment. That is the last line of defense against the criminal.

I have written on my credit card "Please ask for ID" instead of a signature. While technically not "allowed," I'm surprised at the number of places I've gone that haven't bothered to notice no signature and never bothered to ask me for my ID. Is that Visa/MC's fault, or lack of care at the merchant?

Last thing I want to say is this: the one common thread throughout these posts puts the real problem into perspective; it isn't about who's responsible, merchants or Visa/MC... we should be focused on STOPPING THE CRIMINALS THAT ABUSE EVERYONE. We all lose when someone steals through higher prices. Maybe instead of focusing on "how to make it easier for someone to spend money," it should be on "ensuring only authorized users are making purchases."

Re:Article is Wrong (1)

scribblej (195445) | more than 7 years ago | (#18086332)

Does Bob the Merchant have access to Joe's credit-card billing address?

No - if he did, we'd have a nice way to verify things. See my other post on AVS: http://slashdot.org/comments.pl?sid=223350&cid=18085442 [slashdot.org]

The postal database lookup I mentioned would only verify that the input address exists, not that it belongs to Joe.

Bob could ask Visa/MC if the billing address is the same as what's on file for the card. No, it doesn't eliminate all fraud, but it would certainly reduce it.

You're right, and he can - my other post above makes the reasons why it doesn't work so well more clear. Most importantly, nothing but the digits get sent to the credit card processing network in the first place, so they can't verify the difference between 123 fake street and 123 oak street, EVEN IF THEY WANT TO. On top of that, if the address is wrong, VISA still approves the transaction - it's up to the merchant to check the response and void the transaction if it's not a response they are happy with.

Is that Visa/MC's fault, or lack of care at the merchant?

Oh, it's definitely the merchant's fault. I'm not saying that things should be otherwise; I think things work more or less the way they should in this case. I'm not objecting to the merchant being responsible; I'm just pointing out that they are, and always have been, and PCI doesn't change a thing.

That's retarded (1)

pavera (320634) | more than 7 years ago | (#18085132)

One of the largest CC heists of all time happened last year when MASTERCARD lost I forget how many card numbers, it was > 1 million cards though.
The Merchants who processed transactions with those stolen cards have to eat it?! How can that be proper?!

Further, as noted elsewhere, this does not penalize the proper people. If I am a merchant and someone buys something from me with a stolen card (even though I have great security, maybe I don't even store CC information, I just process the card and I'm done with it) I eat the chargeback even though it was www.flybynight.com whose site got hacked to provide the thief with the stolen card. flybynight.com doesn't pay a dime for their lack of security.

Re:That's retarded (1)

NewWorldDan (899800) | more than 7 years ago | (#18085800)

In your scenario it is entirely proper for the merchant to eat the loss. They are at the point of transaction and are the only one with the possibility to identify the consumer and verify that they are authorized for the account. There are otherwise just far too many avenues to obtain credit card information to otherwise be effective. I'll certainly admit that most merchants do not have adequate tools to identify and validate most customers, nor do most customers care to deal with that level of scrutiny, but security at any other level is doomed to fail.

As a merchant, I call shenanigans! (2)

silentbozo (542534) | more than 7 years ago | (#18085170)

Uh bullshit. Let's say I'm merchant A, and I do everything by the book, and have never had a breach.

I can still get screwed if merchant B has a breach, as far back as a year ago, if I'm taking card not present transactions, and get stuck with an order from some punk who uses a stolen number.

Is it right that I get penalized for charges made and authorized by the issuing credit card company, due to no fault of my own?

A lot of people will say that's the cost of doing business. The problem is, that there is no incentive to fix anything broken with the system as far as protecting MERCHANTS from fraudulent transactions. Fact of the matter, there's no incentive to fix all the things broken with the system that make identity theft possible, since the people who would be most motivated to fix those things (credit card bureaus and the issuing companies) have moved all the cost to the merchants and merchant banks, and they have no control over the bureaus!

Should improve Customer service (2, Interesting)

Iridium_Hack (931607) | more than 7 years ago | (#18085198)

As one who has worked part-time in a retail store for extra cash on top of my day job, I've found most customers now days prefer that you ask for ID. Up until now, store policy has been lax or even negative on the subject. For example, "if it's less than a hundred dollars or so (depends on season), don't bother the customer and ask ID unless it's AE or the card isn't signed."

Maybe some of these retail stores will finally make it policy to ask for ID when making a purchase. Wouldn't you like it that way?

Re:Should improve Customer service (4, Informative)

damiangerous (218679) | more than 7 years ago | (#18085634)

Maybe some of these retail stores will finally make it policy to ask for ID when making a purchase. Wouldn't you like it that way?

No, I hate being asked for ID when using my card. In fact, Visa and MC rules prohibit merchants from requiring you to show ID to accept a card. They can ask, but can't require it. They also cannot accept a card with "See ID" without making the cardholder sign it. See page 29 of the Visa merchant rules (PDF) [visa.com] and pg 48 of the MasterCard merchant rules (PDF) [mastercard.com].

I usually file a complaint here [mastercard.com] and check the "merchant required identification" box.

Re:Should improve Customer service (2, Insightful)

ucblockhead (63650) | more than 7 years ago | (#18086260)

Great. You hate it when merchants take extra steps to make sure it's actually you using the card. It's people like you that discourage merchants (and visa/mastercard) from adding extra security that would help ensure that thieves can't swipe cards and go to town.

Re:Should improve Customer service (0)

Anonymous Coward | more than 7 years ago | (#18085722)

I've found most customers now days prefer that you ask for ID. Up until now, store policy has been lax or even negative on the subject. For example, "if it's less than a hundred dollars or so (depends on season), don't bother the customer and ask ID unless it's AE or the card isn't signed."

Maybe some of these retail stores will finally make it policy to ask for ID when making a purchase. Wouldn't you like it that way?


No, I wouldn't. I don't want to give my ID to a clerk or store - they now have my credit card info AND my driver's license info, making it MUCH easier to commit identity theft.

As a consumer, the credit card status quo is good for me - I don't pay for fraudulent transactions, period. Whether the bank pays, the merchant pays, or the payment processor pays doesn't matter to me.

More importantly, in a free country, you don't have to show ID to buy bread.

Stop & Shop's fault (1)

dreamt (14798) | more than 7 years ago | (#18085384)

No matter what people think about who should or should not pay, this was Stop & Shop's fault. The Globe article only slightly mentioned (was covered better on the news last night) that someone basically walked off with the PIN boxes, hacked them, and reinstalled. I know that there are ideas in some of these replies as to which business pays for stolen credit card usage, but Stop & Shop has got to do better than letting someone walk off with their equipment.

Stop & Shop going out with a bang. (0)

Anonymous Coward | more than 7 years ago | (#18085604)

"I know that there are ideas in some of these replies as to which business pays for stolen credit card usage, but Stop & Shop has got to do better than letting someone walk off with their equipment."

I recommend a pressure plate with some C4.

Having owned a store (5, Interesting)

JohnnyComeLately (725958) | more than 7 years ago | (#18085402)

I would say it's set up correctly. Sure VISA makes Billions and merchants eat fraud, but it's really the best point to do it. And, technically, I already do it with Checks (the reason a lot of people don't take them). Some storeowners don't get it and think credit cards are "magic"...they can take all the cards they want and money appears (minus a 5-15% fee) in their bank account. They don't realize they can minimize by: ACTUALLY CHECKING THE SIGNATURE!!!, suggest Debit over Credit (if it's both, their fees are less if it runs as an ATM, and security is better!). But it's the same as anything else in life: If you're uneducated you will always pay more.

Got suckered into a 15 year AARM mortgage with a pre-pay penalty and balloon payment? Education. Paid $30k for a Ford truck (which immediately dropped to a $19k wholesale value) and are upside down in value? Education. If there's one lesson...just one lesson...I could boil my entire MBA, stock market, and general life experience (regarding business) into:

He who has the most accurate and timely information wins.

Coming back around full circle: This is why merchants should be responsible (and their banks). It forces them (and me!) to educate myself and minimize EVERYONE's risk. A previous owner left draft information for bank auto withdrawal in a binder, on the desk, by the door, for all his customers. Huge fraud potential. Some leave credit card information in the store after the day of sale. Huge fraud potential. I could go on, but I've proven the premise for my conclusion: You have to be active and reduce your costs through fraud prevention. How can I reasonably hold VISA accountable when I'm a merchant stupid enough to charge a card with someone else's name (I've seen guys try to use their wife's card....Dudes do not look like a "Wendy" to me).

On the flip side, I had a merchant pissed because I called in a charge back. Yeah he was pissed, because chargebacks increase fees a bank charges....but I guarantee you he'll call next time he does an unauthorized pre-pay on my card. I manage a tech support department and we follow the policy I told him he should follow to reduce costs: Always call someone before you charge their card. In my case, he charged a 2nd $700 and then my wife said, "Should there be a 2nd one?" I said, "Nope" (not thinking two steps past why she asked) and so she called the credit card to charge it back. Whole thing could have been avoided.

So there you have it...I've mentioned my perspective from personally being both sides of the "coin" (and being accountable for the $$)....and I'd say the system is set up efficiently, and for the most part, fairly.

Re:Having owned a store (1, Insightful)

Anonymous Coward | more than 7 years ago | (#18085936)

The problem comes in if you're an online merchant, you've followed the credit card companies rules for online transactions (AVS and other fraud check devices) and you get a chargeback for a fraudulent charge. How were you supposed to do a better job at verifying the identity of the CC user? The CC companies should be on the hook if they authorize a charge that turns out to be fraudulent. They authorized it, not me.

Re:Having owned an ONLINE store (1, Insightful)

Anonymous Coward | more than 7 years ago | (#18086024)

None of your comments make sense for an online store. Outside of standard card checking stuff, there is nothing we can do to stop fraudulent use, and we get screwed over and over again. We can't check a signature, can't suggest debit over credit to check PIN and can't make sure Wendy is really a woman. So, drop the attitude about 'education.'

Re:Having owned a store (1)

King_TJ (85913) | more than 7 years ago | (#18086202)

All valid points, but I'd also say it's arguable that credit card companies themselves have helped foster this "lax" security environment we're seeing on the part of many merchants.

Take, for example, the cases of a woman coming in, buying something using a card with a man's name on it, or vice-versa. The fact is, the credit card companies are more concerned about people using their cards as often as possible than in caring WHO uses them. My ex-wife ran up charges on my cards all the time, despite never even being listed as an "authorized user" of them. When I tried to complain that I never authorized those charges, the credit card companies faxed me back the "proof" that they were legitimate, in the form of photocopies of receipts with HER signature on them instead of mine! Their take on things is basically "If you're married, who cares? Everything's your problem to pay anyway, until/unless some divorce court judge says otherwise."

And with the proliferation of these electronic terminals that have you sign on a touch-screen after swiping your card through, you'd think they'd do some kind of comparison to a stored signature of yours before approving a transaction. But no! They choose not to include a useful security measure like that in the system. You can draw a stick figure, write "Home Depot Sucks!" at Home Depot, or whatever you like.... It's all the same to the terminal.

Issuing Banks Pay (1, Informative)

Anonymous Coward | more than 7 years ago | (#18085534)

Look, I don't know what you all are talking about, but I work at a bank doing Infosec.
The issuing banks pay the bulk of costs in a breach, not the merchants. The merchants DO NOT PAY to have the compromised cards reissued, the banks do. In terms of merchandise, in my experience we have never gone to a merchant and asked for money to cover the costs of stolen goods either. If the crook gets away with the merchandise then there's not much to do.

PCI hasn't done much to protect anyone in my opinion, because the standards are still too low, the staffs are still too small, and not every merchant is compliant. The fact that one merchant, certified or not, can expose millions is definitely a case of being as strong as your weakest link.

The only glimmer of hope is that customers demand everyone do more and vote with their dollars. If people lose more faith in Internet transactions, there will be economic hell to pay and everyone will suffer.

Re:Issuing Banks Pay (0)

Anonymous Coward | more than 7 years ago | (#18086142)

Actually I want to clarify something. In my experience the usual course of action is straight to the compromised individual's bank, not to the place that the fake charge came from. In this scenario we put money back in your account, cancel your card, and issue a new one. I do not believe that the cost of the merchandise is ever recovered by reversing charges to individual merchants.

If you go back to the merchant that the fake charge came from, I guess that is one course of action, and yes, the merchant loses in that scenario.

Overall though the cost of reissuing the cards is the greatest cost, and the fraud is secondary.

Merchant pays? Not all the time. (5, Informative)

Itninja (937614) | more than 7 years ago | (#18085674)

I am an online merchant and I use both Google Checkout (in the foreground) and Paypal Payments Pro (in the background) to process CC transactions. Both of those providers will (and have for me in the past) eat the fraudulent charges as long as I had taken all required steps to ensure the transaction was genuine.

For example, I had one $100 sale that, a few months ago, came back as 'fraudulent'. Paypal asked me to provide documentation to show the steps I took to verify the buyer's information. I keep all these records, so I sent Paypal address verification, proof of delivery, etc. After about a week they contacted me, told me that I followed their verification process properly, and that they would absorb the cost of the disputed transaction.

Slightly OT about merchants eating charges (2, Interesting)

hellfire (86129) | more than 7 years ago | (#18085856)

I'm absolutely shocked by the ignorance of some people about credit cards. Now I'm not talking about a Joe on the street, I'm talking about people taking the orders. Many merchants favor convenience over everything else.

For example, in the order processing system I support, we mask the first 12 digits of the credit card when you retrieve an existing order. It didn't always do that, but it eventually did as part of an upgrade to comply with the PCI standards above. That makes sense, lots of systems started doing that even before the standards and now all of them do. But one guy wanted to argue with me that it will hurt his customer service because he can't read the card number. I explained to him that it's out of my control and that Visa imposed these restrictions on all computer systems and you can't buy a system that doesn't have this feature any more. Furthermore, merchants and software companies could be fined by Visa if they didn't have these restrictions.

I was going to explain why Visa mandated the change and explain card security when he demanded: "We'll take the chance, change it back." If I were his customer, I'd have yanked my business, knowing that it's an easy inside job for him to steal my credit card.

Also, it's happened to me twice recently, where two major chains I visited (Superfresh and Target) took my card and made me sign an electronic signature capture device for my signature. In both cases, the signature pad and/or pen was broken and was basically reading garbage. I could not write my signature. In both cases they said "we don't need your signature" and just ushered me out of line. Okay they are major chains, and could eat a charge now and then, but hell you would think they would care about their signature pads a little more. Maybe close the line or have replacements on hand to easily swap out. Everyone going through that line that day was a potential risk to the merchant for a chargeback, just because they didn't capture a proper signature. And that exposes me as well because I'm unable to sign my signature which leaves me open for question when signing other receipts.

The way security works now in credit cards I feel is good, and it's designed to increase the security on integrated systems. 80 to 85% of credit card number theft is an inside job. People stealing card numbers and internal information, and computers just make it easier to do that without restrictions on said computer. The merchant doesn't care if you get hit with fraud. Visa cares because if their cards are insecure, no one will use them. So Visa makes the merchants care by assigning responsibility to them, because that's where most fraud occurs. It's very logical.

PCI Misconceptions (2, Informative)

brufar (926802) | more than 7 years ago | (#18085864)

A lot of people seem to have a misconception of exactly what PCI is, what it covers, and what it does.

PCI affects all areas of the transaction stream.

When looking at ATMs for instance the units must be tested and Certified (InfoGuard, TNO and T Systems). If you attempt to open the device it dumps the program and tampers the unit so it can't be reprogrammed. This prevents a situation such as the one at Stop and Shop where a malicious party opened the POS device and apparently hooked up a device to sniff the card reader (article is a little vague on exactly what was done to the POS devices). There should be no place in between the PIN PAD and the CPU of the device where data can be read in the clear without causing a tamper condition to the unit.

Some of these requirements are relatively new and some older terminals that are currently in place may not meet these requirements. Any existing units that are relocated or changed must meet the new requirements at that time. One exception to this is Data encryption. All terminals must now transmit data using 3DES encryption, any terminals that are not utilizing 3DES encryption and are running the older Single DES were to be taken off-line at the end of last year.

Also all software run on the device must be certified through testing and any software changes must be re-certified as well. Software is sent to the device in an encrypted format, routinely verified on the device for changes, and units must identify themselves with a unique set of keys in order to access updated software. On top of that each Switch (STAR, CORE DATA, ECS, LYNK, etc.) that the terminal may dial into has to certify the equipment and software to work with their systems before you can use that terminal to process transactions through that switch.

Now go to the company/merchant/etc. that is processing transactions whether they be web based, Point of sale, or ATM. Any company that has Card data on file is subject to PCI requirements as well. This can be everything from segmenting card holder data on the network, encrypting the database containing card holder data, additional logging requirements that show who accessed what data, when and from where. Physical security, the PCI requirements are quite extensive. https://www.pcisecuritystandards.org/tech/download_the_pci_dss.htm [pcisecuritystandards.org]

If a card number is lost it costs VISA, or Mastercard about $60.00 to re-issue a new card. Now if several thousand cards get lost those numbers can get large rather quickly. If you are PCI compliant as a merchant or processor, and have adhered to all 240+ requirements of the PCI certification that apply to you, and you lose card holder data, you will probably dodge the huge fines (think tens of thousands or millions of dollars here depending on the size of the breach) levied by VISA in case of a breach which is on top of the fees to re-issue the cards. If you are NOT compliant all those fines and fees will be passed on to you.

PCI is not an instrument put in place to address the use of a stolen card. It's to prevent the loss of large numbers of card holder data at one time.

I think it's great the industry is imposing the regulations on itself, some of which are extremely stringent. And it beats the heck out of how the government could butcher doing the same process by trying to regulate it.

Re:PCI Misconceptions (0)

Anonymous Coward | more than 7 years ago | (#18086074)

It may be great that the industry is imposing the regulations on itself, but I can assure you that self-regulation will generally be in their self-interest.

The card brands didn't establish PCI to combat fraud per se, because as we have established above the brands don't pay (directly) for fraud. The card brands established PCI to maintain consumer confidence in their cards.

The brands lose more money from loss of confidence in card transaction, than they do from fraudulent charges.

Follow the money.

Re:PCI Misconceptions (0)

Anonymous Coward | more than 7 years ago | (#18086434)

PCI is just like HIPAA, SOX, or GLBA. A GENERAL framework. Yes, this includes things like encrypting PINS back to the ATM "switch" (Visa, in this example). But it's still pretty weak, and most online sellers don't know enough about security (application security especially) to do anything about it. There's not enough people and systems to watch out for fraud, PCI isn't enough alone.

Anyway, VISA DOES NOT PAY TO HAVE CARDS REISSUED. Banks pay for reissued cards, and credit monitoring (if your bank knows what it is doing).

Visa is just a branded network, kind of like Nyce, Cirrus, Star, or Plus. Look at the back of your card.

Where's my rate cut? (1)

teflaime (738532) | more than 7 years ago | (#18085876)

Credit card companies justify their ridiculous interest rates by pointing to the losses they "have to eat" when credit card fraud happens. Since they no longer have to eat those losses, where's my rate cut, you thieving bastards?

Bull (1)

iamacat (583406) | more than 7 years ago | (#18085958)

Credit card today is a dumb piece of plastic with no security to speak of. When credit card companies come up with a decent authentication scheme and implement it in ALL locations, they can pass the responsibility for fraud to vendors.

Fraud == Money for Visa/MC (0)

Anonymous Coward | more than 7 years ago | (#18085962)

The problem is that Visa and Mastercard see PCI-DSS as a money-making venture. If you've ever read through the requirements, they are basically impossible to implement in the real world. Every change must be documented to the T, and approved, and first tested in a full dev environment. One problem with this is patching systems, how fast can that process really occur? If a vendor releases a patch, you're probably going to need 2-3 weeks to comply, but if you're breached within that time period, you can be fined hundreds of thousands of dollars by not having a patched system, and if you patch a live system within approval, or testing in a dev environment, or documenting it, you're in violation of PCI-DSS. The process is always going to be skewed to their benefit, and not to the merchants.

With all the fraud issues out there, it wouldn't take much for Visa/MC to almost entirely eliminate it with additional data verification requirements, the problem is they'd lose too much money if fraud didn't exist (Verified by Visa and Mastercard Secure Code are a step forward, but the subscription rate to those programs is extremely slim. Make it a requirement, and things would change). Did you know that on a chargeback, they charge the merchant $25.00, and still keep the interchange percentage they originally charged, and take the full charge amount back out of your account? It's a total racket.

why are these numbers being stored? (1)

ALpaca2500 (125123) | more than 7 years ago | (#18085978)

When I swipe my debit card through the machine at Stop and Shop, it says "approved". At that point, the money is wired from my bank to Stop and Shop, and my personal information should be purged. Or am I mistaken, and is there a reason for Stop and Shop keeping everyone's credit and debit card numbers?

Yes, the merchant always pays. (1)

alisson (1040324) | more than 7 years ago | (#18085996)

And it eats small retailers alive. Most small businesses can't AFFORD very much by the way of security, nor their own credit authorization system. So instead, they typically accept cards through a middle-man, that has terms which make you wonder how small retailers stay in business.

Say you pay for goods with a stolen credit card. For phone or internet verification, all you need is the verification code, which is listed ON the card. And if the cardholder denies the charges? The merchant gets hit. Say the merchant files a police report of fraud? The merchant still gets hit. The authorization companies have no incentive to provide any security, and why? Most merchants MUST accept credit cards to survive. A large portion of their customers won't pay any other way.

Say you DO buy goods with your own card, yet deny the charges later on. The merchant gets hit. Now, like a good merchant, they kept your receipt on file. It has your scribble of a signature, which (like most Americans) vaguely resembles the half rubbed off scribble on your card. It is entirely plausible to deny you signed it, and say your card was stolen.

The burden to prove fraud always lies with the merchant, who, in many cases, has no means to do so. The security for transactions always lies with a merchant, who in many cases, has no means to provide it.

Cards are a rather flawed system, particularly when not in person. Not to mention how unfriendly credit cards are to customers. It's wonderful to have cash now, but not worth the interest charges. Past that, they're unfriendly to merchants, but due to the "convenience" of cards, they're all but required.

ATM fees make cash expensive. (1)

Kadin2048 (468275) | more than 7 years ago | (#18086240)

Cards are a rather flawed system, particularly when not in person. Not to mention how unfriendly credit cards are to customers. It's wonderful to have cash now, but not worth the interest charges. Past that, they're unfriendly to merchants, but due to the "convenience" of cards, they're all but required.

Cards are effectively required because of one thing: ATM surcharges.

Customers use credit cards, and their kin, debit cards, because it's obnoxious and impractical to use cash anymore. If you get your paycheck direct-deposited into a checking account, it's much easier to pay with plastic (and then either write a single check at the end of the month, or have it debited electronically) than it is to go to the ATM, withdraw cash, pay with cash, and then deal with the resultant change. Plus, it's difficult to find an ATM that doesn't charge you a fee for getting cash.

To a consumer, using cash costs money -- if you withdraw in $50 increments, it could be as much as 4-6% ($2 to $3 per ATM transaction) -- while using a debit or credit card is free.

If it weren't for ATM fees, I'd probably still use cash more often. But given that my bank doesn't have any local branches, and it's a pain to constantly worry about where the nearest fee-free ATM is, it's easier just to use plastic for everything. There are more merchants around who accept credit cards, than there are fee-free ATMs.

Banks don't get it either (1)

Alwin Henseler (640539) | more than 7 years ago | (#18086146)

From the summary:

there are tens of thousands of merchants who don't understand the basics of information security

Neither do banks themselves, sometimes. In the Netherlands where I live, banks would like to have their customers use 'plastic' wherever possible. With plastic meaning bank card + pin number, or a type of e-wallet called 'chipknip'. Credit cards are not a very popular payment method here AFAIK (these e-wallets aren't either, but that's a different story).

But the weird thing is: a customer is expected to keep his pin number a secret (eg. not write it down anywhere). At the same time, you're expected to type this 'secret' number into terminals at shops, gas stations, restaurants, grocery stores, etc, etc, etc, on equipment you can't verify whether it's tampered with, and under the watchful eye of security cameras and customers waiting in line behind you.

Keep something a secret, and use it in as many (possibly not trustworthy) places? I won't pretend to know much about information security, but that makes no sense.

Another example: recently an online payment method was introduced called iDeal [ideal.nl]. After placing your order on a webshop, the merchant sends you to your own bank's website, where you can enter password (or other method of authentication), and give the okay for specified amount to be transferred from your account to the merchant. Looks easy enough, doesn't it?

But: Helloooo! After many e-mail phishing attacks, people have been warned not to click on links they receive in e-mails, or follow links on untrusted websites. At the same time, they are encouraged to follow links provided by online shops, which they may not really know or done business with before. How is that webshop to be trusted? Because they have a decent looking site? Because they offer this payment method (and thus need to have some sort of agreement with a bank in place)? Because others have ordered items there? Come on! Don't be surprised if online buyers don't check anything anymore, after getting used to paying this way. Click icon, enter online banking password, done!

For clarity: you sign the 'okay' on your bank's website, using its normal authentication/confirmation procedure. It's like doing a money transfer via your own bank, but streamlined from webshop's 'checkout cart' to 'confirm payment'. My criticism doesn't involve the security of this particular method (with a customer that pays attention), but how it gets customers used to being on a webshop site, and 2 seconds later entering their online banking details (passwords etc). That sequence isn't a good thing to get used to, and it's ridiculous that banks are promoting this.

It's really a wonder abuses are rarely heard of, but I assume in most instances where it happens, word doesn't get out, and the costs are added to 'the cost of doing business' (=running a bank). There are several reasons I still prefer cash for day-to-day shopping, and the above is one of them. Welcome to our brave new world, where fiction and reality blur increasingly into one.

Anecdote (4, Interesting)

king-manic (409855) | more than 7 years ago | (#18086200)

My family owns a very small Chinese food place. We had a Mastercard account. My parents were Luddites and refused to upgrade to an electronic terminal because they didn't understand how to use it. Our bank/merchant account reseller dropped the imprinter process and implemented a complicated IVR. My sister registered a transaction on the IVR for 62.86. The IVR registered it as 44,400.00 instead. We got a notice about it after and co-operated in resolving it for our customer. Despite the fact it was an obvious mistake and was greater than the actual limit of the customer's card, we got a chargeback of $2456.00, which is more than the total MC orders we get in a year. We tried for weeks to address this since we were sure it was an IVR error, especially since it exceeded the customer's limit, but we had no course of action to resolve it as an error. We were stuck with a $2456.00 chargeback because the IVR either had a bug or did not do a proper check on the amount. We dropped MC support and dropped all of our MC cards because of this, but it won't protect merchants from other arbitrary decisions Visa/MC/AMEX make.

The other half of the problem (1)

GreyPoopon (411036) | more than 7 years ago | (#18086234)

While security at merchants and banks might be half of the problem, the following quote from the article sums up the other half:

It's still such a nightmare to get the problems resolved.

The biggest problem for consumers is not getting back the money they lost. It is repairing their credit record. We have a situation where three credit bureaus are collecting and disseminating private financial data about consumers. There is little or no control for the consumer over what information is given out in a credit check and to whom, and there is little or no control for the consumer about what information hits their credit report and what impact it has. Scour the web, and you'll find plenty of horror stories about consumers who have tried to clear their credit records of erroneous entries. In an identity theft situation, a consumer requires a team of lawyers working overtime to even partially restore their credit record after such an attack. What we need in this country is a complete revamp of the credit system that provides the following:
  1. Consumers have control over what credit information is sent and to whom. Each and every attempt to pull a credit report should be approved by the consumer, and the consumer should be able to say whether or not just the credit score is sent, or whether more details are provided. Consumers could provide up-front authorization for financial entities that they are already doing (or intend to do) business with by providing the credit bureau with pre-authorization.
  2. Once a case of identity theft has been proven, recovery should be simple with no lawyers required. There needs to be a foolproof method for a consumer to prove his or her identity, and then the consumer should be able to get reports of activity from the credit bureaus and involved financial entities. Once this is done, the consumer should be the authoritative source of determining which charges are accurate and which are a result of the identity theft. Obviously, responsibility for defraying these costs should fall on the shoulders of the entity whose breakdown in security was responsible for the theft.
  3. Credit monitoring should be provided by each of the credit bureaus automatically at no additional charge. Any unusual activity should be immediately reported to the consumer.
  4. Disputes in the information contained on the credit report should be handled promptly by credit bureaus, with a severe financial penalty for failing to do so.
  5. Disputes between the consumer and creditors that cannot be resolved should immediately be sent to arbitration by an uninvolved third party.
  6. Consumers that are not satisfied with the results of arbitration should still have the option of appealing the decision using the court system.
  7. In the event that a credit bureau is unable to adequately perform the above requirements, their license to operate should be revoked, a copy of all data on consumers should be sent to each consumer as is appropriate, and all remaining copies (physical or electronic) of any data on consumers should be destroyed.
  8. Financial entities should not be allowed to share data about consumers with each other -- not even with their own subsidiaries.
  9. Financial entities should be required to specify clearly to a consumer what data they will collect and exactly what information will be sent to what credit bureaus and under what conditions it will be sent.
  10. Financial entities caught harassing consumers by damaging their credit record intentionally or by using credit information in "creative" ways to support raising interest rates should have their license temporarily suspended pending the results of an independent investigation. The license should not be reinstated until all employees even remotely involved are removed from their positions. This would include members of the board of directors. Such action would not preclude criminal investigation and charges.
  11. Credit bureaus should be required to maintain a separate scoring system, visible to consumers at a reasonable fee, for financial entities that use their services. The system should take into account consumer complaints about data accuracy, time to resolve disputes, direct consumer complaints about misuse of credit data, and complaints made to the Better Business Bureau(s).

Credit cards and small business (1)

RebrandSoftware (817021) | more than 7 years ago | (#18086238)

Here is my experience with accepting credit cards directly through a merchant account:

-You process a transaction.
-It passes all fraud checks by the merchant account and processor.
-You're happy because you've made a lot of money.
-You transfer the money to your account a month later when you pay yourself.
-All of a sudden, 3 months later, you get a chargeback notice and all of the money is withdrawn from your account.
-You have to file paperwork with the merchant service in order to dispute the chargeback.
-If you are selling a non-shippable product (like software) you are completely screwed and will never get your money back.
-Eventually if you have enough chargebacks the merchant service cancels your account and puts all of your money on hold.
-You revert entirely to PayPal.

I had higher hopes for Google Checkout since they claim to have great fraud filters: not true. They are even more misleading.

The system SCREWS small businesses like mine. You receive no training in preventing fraud and when you finally catch on it's too late. Luckily my customers are happy to pay through PayPal, which has a much lower rate of fraudulent transactions, but it makes my business look less professional to not accept credit cards directly.

Is it really so hard to put a password on a credit card? That's all I ask for: one little password. That would virtually eliminate chargebacks.