[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: FW: comments on <draft-ietf-spki-cert-theory-02.txt>

Ed Gerck <egerck@laser.cps.softex.br> writes:

> On Sun, 26 Jul 1998, Ian Brown wrote:
> >>Regarding cyber-world misconceptions, some think that by escaping
> >>names one can escape reality.  Others think that credit-cards deals
> >>would not need names or any real-life id, just assets. Surely, the
> >>merchant gets paid regardless, even if you use a false name.
> >
> >This is, after all, what matters to the merchant.
> No,since (as my text went) the merchant faces a non-zero risk of
> accepting a fake and untraceable name -- which he can't tolerate
> because he would bear the risk alone. NOT the bank, mind you --
> because the bank can cancel any payment made to the merchant up to
> one year AFTER the sales and (worse) the merchant has its merchant
> account cancelled if more than 1%(one percent) of transactions are
> cancelled.
There are two relevant types of transactions here:
1. Card Not Present
2. Card Present

These mean more or less what they say. If the cards is NOT
present, as in the case of a MOTO (mail order, telephone order)
transaction, and the cardholder asks for a chargeback on
the grounds of fraud, the merchant doesn't get the money.
(It's important to distinguish this from a chargeback on
the grounds of say, the goods never received, which is a different
case.) OTOH, in a Card Present transaction, if the merchant
authorized the card and has a signature slip, the merchant keeps
the money and the bank sucks it up. This is why merchants
often require ID for checks but almost never for credit cards.

Things may be different in Britain, but this is how it is done
in the US.

> >The bank wants to catch the person who made the fraudulent
> >transaction. The name on the card is not likely to help them do
> >that.
> The merchant pays!
Only under certain situations. See above.

Moreover, it's important to note what the credit card associations
think is the fix for this, and it's not to add identity to
credit cards. Rather, it's to make Card Not Present transactions
more like Card Present transactions. I.e. to make the user
sign with a digital certificate. And though it's got your name
on it, like the credit card, the important thing is the
binding to the PAN (Payer Account Number).


[Eric Rescorla                             Terisa Systems, Inc.]
		"Put it in the top slot."

Follow-Ups: References: