Who Pays For Credit Card Breaches?
PetManimal writes "A scheme to steal customers' credit and debit card information at a New England supermarket chain highlights a little-understood fact about credit card security: Customers still think that the credit-card companies have to eat fraudulent charges, but since the PCI DSS standards were adopted, it's actually the merchant banks and merchants who have to pay up. And, according to the blogger writing in the latter article, it's a good thing. 'The main reason PCI exists is that there are tens of thousands of merchants who don't understand the basics of information security and weren't even taking the very minimum steps to secure their networks and the credit card information they stored... PCI pushes that burden downstream and forces merchants to... put in a properly configured firewall, encrypt sensitive information and maintain a minimum security stance or be fined by their merchant banks... [T]he credit card companies have taken the bulk of the financial burden off of themselves and placed it on the merchants, which is where much of it belongs...'"
The customer pays. Always. (Score:5, Insightful)
Misses the point (Score:3, Insightful)
Re:Misses the point (Score:3, Insightful)
Yeah this makes a lot of nonsense (Score:1, Insightful)
Re:Business partners (Score:3, Insightful)
Re:Misses the point (Score:5, Insightful)
As a merchant, this is very annoying. If I submit a charge to Visa/Mastercard and it's authorized, I should be able to count on that unless the valid cardmember has a legitimate complaint that I did not resolve and charges it back. If the use was fraudulent, as the merchant I have absolutely no way to know that--that's why I'm asking Visa/Mastercard for authorization. If they authorize the charge then they think it's legitimate, too, so why should the merchant somehow be expected to think otherwise or be held responsible for 100% of the chargeback?
To pay extortionate discount charges on every transaction and not even be able to trust that the charge is legitimate is abusive on the part of Visa/Mastercard. What's worse, a chargeback comes with a chargeback fee. So not only does Visa/Mastercard not get harmed by fraud, it profits from it. As long as that is the case, Visa/Mastercard has no motivation whatsoever to increase security and decrease fraud.
Re:Business partners (Score:1, Insightful)
Depends what you mean by "credit card company". Mastercard & Visa are not banks, they just rent out their name to banks. It's the bank that issues the cards. Mastercard & Visa set some standards in their contracts with the banks.
On the other hand, American Express is not a bank. They issue their own cards themselves.
Why are credit card rates so high?
They are high because they can be. Credit card rates are (generally) unregulated and determined by the free market. Many people with high credit card rates don't realize that there are many, many other credit options available to them.
Either get a credit card with a low interest rate, or get a line of credit and pay your credit card in full every month from your line of credit. Generally, lines of credit have lower rates than credit cards.
Re:Article is Wrong (Score:5, Insightful)
As for the "address" info - a very well-written system put in front of the credit card processing networks will do a real postal database lookup on an address. That's nice. It's also exceedingly rare. What you normally get for address verification is what the credit card processing networks themselves provide: AVS, the Address Verification Service.
A few interesting notes on AVS:
1) It only validates the digits in the street address and zip code, nothing else. So 123 Fake Street and 123 Oak Street are exactly the same in its eyes.
2) It never rejects a transaction. Even if the address is wrong, it's approved. It's up to the merchant to check the response from the credit card processing network that says "the address was right" or "the address was wrong" or a dozen values of "the address was kinda' right" and then void the transaction if the response is unacceptable to them.
2 is becoming a little less true recently, though - several issuing banks have taken it on themselves to reject the transaction even if the AVS standard says they aren't supposed to. I think this is a good thing.
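An added example, not part of the original comment or of any processor's code: a minimal Python model of the digits-only comparison and of the merchant-side check on the AVS result that the comment above describes. The letters Y/A/Z/N/U follow commonly documented AVS responses, but exact code sets vary by processor; the function names, the policy sets and the sample addresses are hypothetical.

```python
import re

def digits(text: str) -> str:
    """Keep only the digits, which is all AVS compares per the comment above."""
    return re.sub(r"\D", "", text)

def avs_code(on_file: dict, submitted: dict) -> str:
    """Simulated issuer-side check returning a single-letter AVS result."""
    street_ok = digits(on_file["street"]) == digits(submitted["street"])
    zip_ok = digits(on_file["zip"])[:5] == digits(submitted["zip"])[:5]
    if street_ok and zip_ok:
        return "Y"   # street digits and ZIP both match
    if street_ok:
        return "A"   # street digits match, ZIP does not
    if zip_ok:
        return "Z"   # ZIP matches, street digits do not
    return "N"       # neither matches

# Hypothetical merchant policy: the network approves regardless of AVS,
# so the merchant decides what each result means for the order.
CAPTURE = {"Y"}
REVIEW = {"A", "Z", "U"}   # partial match or AVS unavailable

def merchant_decision(approved: bool, avs: str) -> str:
    """Act on the AVS result returned alongside an authorization."""
    if not approved:
        return "declined"
    if avs in CAPTURE:
        return "capture"
    if avs in REVIEW:
        return "hold_for_review"
    return "void"   # fail closed on mismatch or unknown code

# Constructed sample data (not real cardholder records).
ON_FILE = {"street": "123 Oak Street", "zip": "02134"}
ORDERS = [
    {"street": "123 Oak Street", "zip": "02134-1234"},
    {"street": "123 Fake Street", "zip": "02134"},   # still "Y": digits only
    {"street": "77 Oak Street", "zip": "02134"},
    {"street": "77 Elm Road", "zip": "90210"},
]

if __name__ == "__main__":
    for order in ORDERS:
        code = avs_code(ON_FILE, order)
        print(order["street"], code, merchant_decision(True, code))
```

A full "Y" only shows that the digits lined up, so a merchant policy built on it usually sits alongside other order checks.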
Re:The customer pays. Always. (Score:5, Insightful)
Re:Having owned a store (Score:1, Insightful)
Re:Misses the point (Score:4, Insightful)
You have to look at it from the other perspective though - like any merchant I'm sure you receive your share of obvious frauds (the ones you delete without even turning on your brain - 400 units of $expensive_product to Lagos etc). Maybe you're honest enough to still decline them if you knew you'd get the money, but let's face it, many aren't.
I have looked at it from their perspective and it still doesn't make sense. If someone has a history of lots of chargebacks, that merchant gets canned anyway. If I'm entering ship-to and bill-to addresses into the system and if there's something that makes them (or their computers) uncomfortable, have the merchant call in for verbal authorization where the risks are explained to the merchant and/or Visa/Mastercard can say that they won't take responsibility for the charge.
I'm not opposed to a merchant being expected to be honest enough to do due diligence. If I ship something to Nigeria and expect Visa/Mastercard to pay me, and it turns out to be fraudulent, they have a right to ask me what documentation or evidence I have that I made an honest effort to be reasonably sure the transaction was valid. If I failed to do that, they can expect me to pay for it. But if there's nothing Nigeria-like about the transaction, nothing raises my suspicion, I submit the card to Visa/Mastercard and they authorize it and confirm the zip code and CSV matches, I've done all I can. To then turn around and say, "Yeah, we know we told you the charge was authorized, we know you have the right address, zip code and CSV, but what do you know... our system sucks and even though you obviously have all the right data you could possibly provide, we're still holding you responsible."
If a merchant is fraudulently processing charges or is accepting credit cards that are obviously stolen, that's a crime that should be prosecuted in a court of law. Simply assuming all merchants are crooks and arbitrarily taking back money you already gave them is simply not acceptable.
A customer is in the "business" of buying. A merchant is in the "business" of selling. Visa/Mastercard is in the business of facilitating the transaction. That's their business and they need to make sure it works so the buyer and seller can do their business. It is not acceptable to hold either the customer or the merchant responsible for shortcomings in Visa/Mastercard's system. If a merchant gets an authorization number from Visa/Mastercard, that should be a done deal. If it's fraud, Visa/Mastercard needs to eat that charge. If that means raising the discount rate, fine, do it--and let merchants decide whether they're willing to accept credit cards given the real cost of accepting them; or the customers and/or merchants will demand real security.
Re:Having owned an ONLINE store (Score:1, Insightful)
Re:Should improve Customer service (Score:3, Insightful)
Re:Having owned a store (Score:3, Insightful)
Doesn't do a thing except waste time. You would catch more false positives before you catch an actual thief that forgot to learn to forge the signature.
Re:Should improve Customer service (Score:3, Insightful)
And yes, I would keep helping others in line as I "waited for authorization." Sorry, sir. The computers are a little slow right now. Maybe I'll try calling in for authorization. I'm sure that MasterCard won't put me on hold once they know that we have royalty in line here at the bodega.
Re:Should improve Customer service (Score:3, Insightful)
As a small business owner, let me say,
Get the hell out of my store!
I don't need customers like you.
Things got a lot better around here once we started "firing" customers who were assholes. More trouble than they are worth.
Re:Should improve Customer service (Score:2, Insightful)
Re:Misses the point (Score:2, Insightful)
Nice. So why can't you extend that same logic to Visa/Mastercard? There's no reason to pass it off on the merchants instead of Visa/Mastercard. Like I said elsewhere, a business that takes a credit card has enough stuff going on in their own business to have to be held responsible for flaws in Visa/Mastercard's system.
The whole "if you don't like the risk, don't accept credit cards" is no longer valid. It might have been 20 years ago (and many places didn't accept them back then), but now you can't do business if you don't accept them. Visa/Mastercard/AMEX basically holds a monopoly on transaction processing and if you don't accept them, you often can't do business. So while the "if you don't like the risk, don't take the cards" is a nice, convenient cop-out, it really isn't a legitimate answer.
The fact is, Visa/Mastercard is now a scam. There is essentially zero cost to provide the Visa/Mastercard service now that we have Internet and if they aren't even going to guarantee the payment is valid, WTF am I paying 2-4% in discount fees for? Any decent developer could make a competing system in a few months--the problem is that no-one would use it because the market is dominated by the Visa/Mastercard monopoly. And therein lies the problem: Visa/Mastercard is an abusive monopoly and the merchant gets screwed.
Re:Should improve Customer service (Score:3, Insightful)
Don't like proving your identity? Then pay cash. We accept that always. Want to give a promise instead? Then get ready for some verification.
How come "checking id when you promise payment in lieu of real money" = instant fascism!! Oh No Everybody Panic!!! 1984!!! AAAAHH!!
And the terms of my contract with VISA are none of your business. Don't like that I look out for my interests? Hit the road, jack.
Re:Should improve Customer service (Score:2, Insightful)
Because it's virtually impossible to survive as a business without accepting credit cards, and if all credit cards have the same bs terms....
Re:The customer pays. Always. (Score:2, Insightful)
And the credit card issuers advertise that they "protect" the cardholder from credit card fraud. That's fraud right there. The issuers simply charge it back to the merchant who did everything right -- ID check, address verification, signature, everything that could possibly be verified. If the cardholder disputes a charge simply because they don't remember it, the merchant is automatically charged a fine, and the transaction amount reversed. Then, after "investigation", the cardholder admits that the charge was correct, the merchant is still in the hole for the fine and the "research fee", which total at least $50 and can exceed $100 for a single $10 transaction which was correct and is eventually confirmed by the cardholder.
Eventually this cost must be passed through to the customer. Not all at once, and not across the board at all merchants: just like increases in postage, gas, utilities, etc., some merchants will absorb the added cost for a time. Some will raise prices sooner, some will raise them later. But eventually, equilibrium again will be reached, and prices at all merchants will reflect the increase, one way or another, and the differences in price between merchants will again be due to all the other usual factors.
Same old story, same old Slashdot. See the similar thread from Feb 2003: http://it.slashdot.org/comments.pl?sid=54226&cid=
Same season, 4 years ago. Same story.
Re:Credit cards and small business (Score:2, Insightful)
The merchants can do little to enforce such a system, that's up to the banks and credit card companies; so it's their fault that most parts of the world are left with pretty insecure payment systems.