Topics: Security, The Almighty Buck, United States

Who Pays For Credit Card Breaches?

PetManimal writes "A scheme to steal customers' credit and debit card information at a New England supermarket chain highlights a little-understood fact about credit card security: Customers still think that the credit-card companies have to eat fraudulent charges, but since the PCI DSS standards were adopted, it's actually the merchant banks and merchants who have to pay up. And, according to the blogger writing in the latter article, it's a good thing: 'The main reason PCI exists is that there are tens of thousands of merchants who don't understand the basics of information security and weren't even taking the very minimum steps to secure their networks and the credit card information they stored... PCI pushes that burden downstream and forces merchants to... put in a properly configured firewall, encrypt sensitive information and maintain a minimum security stance or be fined by their merchant banks... [T]he credit card companies have taken the bulk of the financial burden off of themselves and placed it on the merchants, which is where much of it belongs...'"
  • Article is Wrong (Score:5, Informative)

    by scribblej ( 195445 ) on Tuesday February 20, 2007 @02:49PM (#18085126)
    Merchants have been responsible, not VISA, all along. It's ALWAYS been that way.

    I say that as someone who's been in the industry for ten years, so I'll admit maybe things were vastly different before I got here. But for at LEAST the last decade, merchants have eaten fraudulent charges.

    Here's how it works in a nutshell. I'll assume an internet ("e-commerce") transaction since it's what I'm most familiar with.

    1) Evil bad guy steals a credit card number.
    2) Evil bad guy makes a charge from Bob the Merchant.
    3) Bob the Merchant ships Evil Bad Guy his product.
    4) Joe, the actual owner of the credit card sees the charge on his statement.
    5) Joe calls Bob the Merchant and says, "Why did you charge me?"

    At this point, the only thing Bob the Merchant can do is issue a refund to Joe. He'll never see his product that Evil Bad Guy took, or the money, ever again. What happens if he refuses to give Joe his money?

    6) Joe calls his issuing bank and asks for a chargeback.
    7) Bob the Merchant is forced by his merchant account provider to refund the money to Joe. Also, to pay a chargeback fee of somewhere around $50, and if he gets more than 1% of his charges returned as chargebacks, VISA refuses to ever let him do business with a domestic bank again.

    So who loses here? Not VISA. Not Joe, the cardholder. Not Joe's issuing bank. The merchant is out product and money, and there's jack-all he can do about it.

    There is only one exception I am aware of: Verified by Visa. If a merchant uses VBV on his website, then VISA will guarantee the charges, and if there is a chargeback, VISA will eat the cost. This is a HUGE change from how things have always worked in the past. However, no one uses VBV because it requires the CARDHOLDER to take extra steps to sign up and become active, but the CARDHOLDER has no reason to care, since he's already protected.

    Anyhow. Long before PCI, long before CISP, long before any of the security standards were standards, the merchants were already responsible for all fraudulent charges. It's the way things are. PCI makes a much cleaner audit trail when things go south, but it's not really about fraud nearly as much as it's about data security. There are a few tiny parts of PCI that address a few particular cases of fraud, and ALL the rest of it is about data security and handling policies.

  • by HomelessInLaJolla ( 1026842 ) * <sab93badger@yahoo.com> on Tuesday February 20, 2007 @02:49PM (#18085150)

    The only notable thing here is that all customers pay, not just the ones who use a credit card

    Some pay more equally than others, though. It works like a pyramid scheme. The government uses the same principle: it is the reason why we have hundreds of different hidden taxes in thousands of different places.

    "We screw the other guy to pass the savings on to you."
  • Re:Article is Wrong (Score:3, Informative)

    by Rakishi ( 759894 ) on Tuesday February 20, 2007 @02:59PM (#18085360)
    no one uses VBV

    Newegg does and signing up is rather trivial actually, the bitch is remembering the password (assuming I'm thinking of the right system). It takes me a lot longer to add an alternative (shipping) address to the CC and many websites require that (including some whose incompetence at being able to check it leaves me shocked).
  • Issuing Banks Pay (Score:1, Informative)

    by Anonymous Coward on Tuesday February 20, 2007 @03:09PM (#18085534)
    Look, I don't know what you all are talking about, but I work at a bank doing Infosec.
    The issuing banks pay the bulk of costs in a breach, not the merchants. The merchants DO NOT PAY to have the compromised cards reissued, the banks do. In terms of merchandise, in my experience we have never gone to a merchant and asked for money to cover the costs of stolen goods either. If the crook gets away with the merchandise then there's not much to do.

    PCI hasn't done much to protect anyone in my opinion, because the standards are still too low, the staffs are still too small, and not every merchant is compliant. The fact that one merchant, certified or not, can expose millions is definitely a case of being as strong as your weakest link.

    The only glimmer of hope is that customers demand everyone do more and vote with their dollars. If people lose more faith in Internet transactions, there will be economic hell to pay and everyone will suffer.
  • by damiangerous ( 218679 ) <1ndt7174ekq80001@sneakemail.com> on Tuesday February 20, 2007 @03:16PM (#18085634)
    Maybe some of these retail stores will finally make it policy to ask for ID when making a purchase. Wouldn't you like it that way?

    No, I hate being asked for ID when using my card. In fact, Visa and MC rules prohibit merchants from requiring you to show ID to accept a card. They can ask, but can't require it. They also cannot accept a card with "See ID" without making the cardholder sign it. See page 29 of the Visa merchant rules (PDF) [visa.com] and pg 48 of the MasterCard merchant rules (PDF) [mastercard.com].

    I usually file a complaint here [mastercard.com] and check the "merchant required identification" box.

  • by Itninja ( 937614 ) on Tuesday February 20, 2007 @03:18PM (#18085674)
    I am an online merchant and I use both Google Checkout (in the foreground) and Paypal Payments Pro (in the background) to process CC transactions. Both of those providers will (and have for me in the past) eat the fraudulent charges as long as I had taken all required steps to ensure the transaction was genuine.

    For example, I had one $100 sale that, a few months ago, came back as 'fraudulent'. Paypal asked me to provide documentation to show the steps I took to verify the buyer's information. I keep all these records, so I sent Paypal address verification, proof of delivery, etc. After about a week they contacted me, told me that I followed their verification process properly, and that they would absorb the cost of the disputed transaction.
  • PCI Misconceptions (Score:2, Informative)

    by brufar ( 926802 ) on Tuesday February 20, 2007 @03:30PM (#18085864)
    A lot of people seem to have a misconception of exactly what PCI is, what it covers, and what it does.

    PCI affects all areas of the transaction stream.

    When looking at ATMs for instance, the units must be tested and certified (InfoGuard, TNO and T Systems). If you attempt to open the device it dumps the program and tampers the unit so it can't be reprogrammed. This prevents a situation such as the one at Stop and Shop where a malicious party opened the POS device and apparently hooked up a device to sniff the card reader (the article is a little vague on exactly what was done to the POS devices). There should be no place in between the PIN pad and the CPU of the device where data can be read in the clear without causing a tamper condition to the unit.

    Some of these requirements are relatively new and some older terminals that are currently in place may not meet these requirements. Any existing units that are relocated or changed must meet the new requirements at that time. One exception to this is data encryption. All terminals must now transmit data using 3DES encryption; any terminals that are not utilizing 3DES encryption and are running the older single DES were to be taken off-line at the end of last year.

    Also all software run on the device must be certified through testing and any software changes must be re-certified as well. Software is sent to the device in an encrypted format, routinely verified on the device for changes, and units must identify themselves with a unique set of keys in order to access updated software. On top of that each switch (STAR, CORE DATA, ECS, LYNK, etc.) that the terminal may dial into has to certify the equipment and software to work with their systems before you can use that terminal to process transactions through that switch.

    Now go to the company/merchant/etc. that is processing transactions, whether they be web based, point of sale, or ATM. Any company that has card data on file is subject to PCI requirements as well. This can be everything from segmenting cardholder data on the network, encrypting the database containing cardholder data, and additional logging requirements that show who accessed what data, when and from where, to physical security; the PCI requirements are quite extensive. https://www.pcisecuritystandards.org/tech/download_the_pci_dss.htm [pcisecuritystandards.org]

    If a card number is lost it costs VISA or Mastercard about $60.00 to re-issue a new card. Now if several thousand cards get lost those numbers can get large rather quickly. If you are PCI compliant as a merchant or processor, and have adhered to all 240+ requirements of the PCI certification that apply to you, and you lose cardholder data, you will probably dodge the huge fines (think tens of thousands or millions of dollars here depending on the size of the breach) levied by VISA in case of a breach, which is on top of the fees to re-issue the cards. If you are NOT compliant all those fines and fees will be passed on to you.

    PCI is not an instrument put in place to address the use of a stolen card. It's to prevent the loss of large numbers of cardholder data at one time.

    I think it's great the industry is imposing the regulations on itself, some of which are extremely stringent. And it beats the heck out of how the government could butcher doing the same process by trying to regulate it.
  • Re:Mod parent up! (Score:3, Informative)

    by bastion_xx ( 233612 ) on Tuesday February 20, 2007 @04:18PM (#18086672)
    There are better systems, just ask our European counterparts. It's near impossible to buy anything in the UK (and I assume other EU countries) where the merchant does not have chip/PIN capability. Chip cards significantly reduce the risk to the merchant, and thereby reduce the discount rate paid, and provide the merchant with more chargeback rights.

    Granted, if the merchant puts out a Visa or MC logo, they still have to honor swiped transactions (notwithstanding that one Brick Lane curry house that kept saying no-no-no-chip only -- but I digress), but will do everything in their power (and the merchant agreement) to dissuade swiped transactions.

    Anyone who's had to work with Mastercard, Visa, AMEX, Discover, JCB/Diners, and the rest knows how bad it can be. But remember, these are just the associations. Look to the members who make up these organizations (or sit on the board of the publicly traded ones) and ask them why they haven't increased security. That's you, BoA, Chase, Citi, and the rest.

    But then again, one step down the food chain (and off to the side) are the acquirers. If they and the ISOs under them would provide merchants (their clientele) with chip/PIN solutions, that would go a long way to help the merchants out. Supporting such solutions, on razor thin margins (measured in single basis points in the most competitive markets), is always low on the list (along with decent merchant reporting).

    But, then again (2), the issuers would have to have products that support Chip/PIN. The only one I ever see, AMEX Blue, may be a good card, but I bet it's still used 98% of the time as a regular old track 2 swiped transaction. I'm interested in any large merchant that has card readers capable of chip transactions.

    So, you have the unholy triumvirate: banks and issuers that give out cards; ISOs / acquirers that accept cards and settle for the merchant; and the associations that set the rules for card acceptance, fraud processes, and such. If I was Visa, I'd issue a mandate to, err, issuers, that as of date x, all cards must be chip capable (with world-wide standards). At date x+n, acquirers, ISOs, and merchants must be capable of accepting Chip/PIN cards or face fines.

    Anyone who has had to deal with the craziness of PCI and its predecessors knows the frustration, fear, and pain of not meeting association deadlines.

    And while I'm on it, what is the adoption rate of Verified by Visa or the other SET-based solutions? These offer reductions in discount rates too, if implemented.

    Sorry for the rant, but having a waiter tell me to go down to a cash machine because my US-issued credit card isn't chip capable has got me a little feisty.
  • by Target Drone ( 546651 ) on Tuesday February 20, 2007 @04:25PM (#18086788)
    I've no idea how much money had to go missing before someone at one of the CC companies (or an automated program of some sort) decided to take a closer look and see what the common thread was

    They may have figured it out from his IP address. If you're on high-speed your IP tends to remain the same for weeks or months at a time. Other providers may be different. The credit card API that I used had an optional field to send through the IP address of the customer making the purchase. If enough online retailers fill in the field then it's pretty obvious that you have chargebacks on different CC numbers that were purchased from the same IP address.
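As an added illustration of the correlation described in this comment, and of the roughly 1% chargeback ratio an earlier comment says VISA tolerates, here is a Python sketch that is not code from any commenter, processor or card network: it groups chargebacks by the optional client-IP field and replaces card numbers with keyed HMAC tokens so the analytics store never holds raw PANs. The key, the order records, the test PANs and the IP addresses are all constructed for the demo.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed key for the demo; a real deployment would keep it in an HSM
# or key-management service and rotate it.
TOKEN_KEY = b"constructed-demo-key"

# Constructed sample orders: (order_id, card number, client IP, charged back?).
# The card numbers are well-known test PANs; the IPs are documentation ranges.
SAMPLE_ORDERS = [
    ("1001", "4111111111111111", "203.0.113.7", True),
    ("1002", "4222222222222222", "203.0.113.7", True),
    ("1003", "4333333333333333", "203.0.113.7", True),
    ("1004", "4111111111111111", "198.51.100.4", False),
    ("1005", "4444444444444444", "198.51.100.4", True),
    ("1006", "4555555555555555", "192.0.2.9", False),
]


def pan_token(pan: str) -> str:
    """Keyed token standing in for a card number in analytics data.

    HMAC rather than a bare hash: the space of valid 16-digit PANs is small
    enough that an unkeyed SHA-256 could be reversed by brute force.
    """
    return hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()[:16]


def flag_shared_ips(orders, min_distinct_cards=2):
    """Map client IP -> set of card tokens for IPs whose chargebacks span at
    least `min_distinct_cards` different cards. One card from one address is
    an ordinary dispute; several cards from one address is the pattern above."""
    cards_by_ip = defaultdict(set)
    for _order_id, pan, ip, charged_back in orders:
        if charged_back:
            cards_by_ip[ip].add(pan_token(pan))
    return {ip: cards for ip, cards in cards_by_ip.items()
            if len(cards) >= min_distinct_cards}


def chargeback_ratio(orders) -> float:
    """Fraction of orders returned as chargebacks; the earlier comment puts
    the network's tolerance at about 1% before a merchant is cut off."""
    if not orders:
        return 0.0
    return sum(1 for *_, cb in orders if cb) / len(orders)


if __name__ == "__main__":
    for ip, cards in flag_shared_ips(SAMPLE_ORDERS).items():
        print(f"{ip}: chargebacks on {len(cards)} distinct cards")
    print(f"chargeback ratio: {chargeback_ratio(SAMPLE_ORDERS):.1%}")
```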
  • Brainless (Score:2, Informative)

    by Slashdot Parent ( 995749 ) on Wednesday February 21, 2007 @12:19PM (#18096898)

    Credit card companies are branches of banks

    Extremely misleading--borderline falsehood. True: credit card issuers must have bank charters, but there is no requirement that they participate in retail or commercial banking. Also true: There has been consolidation in the monoline credit card industry, such that there aren't any more large monoline credit card issuers, but that was not always the case. Before 2004 or so, MBNA, Capital One, and Providian were the third, fifth, and seventh largest credit card issuers (respectively), and were monoline. MBNA and Providian were bought, Capital One decided to go into retail banking and bought some branch banks (they offer deposit accounts, auto loans, etc. now). My point is, credit card companies are not automatically branches of large banking conglomerates.

    They are affiliated, strongly, with insurance and investment companies.

    That's sort of true for AmEx, and B of A (if you really want to consider them investment companies... they are certainly bottom tier in that department... and B of A offers some insurance, but is certainly not a major player), but what about Capital One? What's in your wallet, man? ;) (just a little joke... I know who ya are)

    Just as any other large corporation when one division suffers a loss then, in nothing more than the ledger book, the losses are distributed amongst the other divisions.

    That is really out of touch with reality. Most large business groups do not keep poorly-performing lines of business open for long. They tend to be more focused on profit, not shunting losses among divisions.

    Think about that next time the interest rates on home mortgages goes up, or the premium on the insurance plans, or when the quality of service for medical insurance goes down, or when the price of motor fuel goes up...

    Pure tinfoil hat thinking. Plain and simple. A company isn't going to bleed losses in one LOB just because another is profitable. And credit card interest rates have zero to do with the price of gasoline in China.

    These things happen because the businesses are recouping losses. Why are credit card rates so high?

    Credit card interest rates are high because credit risk is high.

    Think about it. Let's say you charge up $5,000.00 on your credit card. You get a bill from MBNA/Bank of America/WhoeverOwnsThemThisWeek for $125.00 (2.5% of your outstanding balance is a common minimum payment). At this point, you have three options:

    1. Pay the $125.00. Result: you get a bill next month for $123.75. Rinse, lather, repeat.
    2. Pay more than $125.00. Result: you get a bill next month for less than $123.75... or $0, if you paid off your entire balance. See option #1.
    3. Instead of sending money, you send a letter to your bank instructing them to go pound sand. You're not paying. Result: They'll call you. They'll yell at you. They'll tell you you owe them money. They'll demand payment. They'll call you nasty names. But in the end, the loan was unsecured, so they are basically up a creek. Their only recourse is to sue you and then attempt to collect. The average amount collected is higher than the average collection costs, so they generally don't even try unless you owe tens of thousands of dollars.

    What does that have to do with the price of tea in China or the interest rate on your credit card? Because the CC company's only recourse if you decide not to pay is to make menacing phone calls (until you realize you can just tell them to quit calling and they are required by the FDCP Act to stop), they have a ton of losses. That 18% interest rate you pay is to cover the fact that the CC company is taking on an enormous credit risk.

    That's why mortgage rates are so much closer to the prime rate. Very low credit risk. You no pay, bank take your house and you wind up homeless in La Jolla. End of s
