Card Not Present, was Re: FW: comments
On 27 Jul 1998, EKR wrote:
>Ed Gerck <email@example.com> writes:
>> On Sun, 26 Jul 1998, Ian Brown wrote:
>> > Ed Gerck wrote:
>> >>Regarding cyber-world misconceptions, some think that by escaping
>> >>names one can escape reality. Others think that credit-card deals
>> >>would not need names or any real-life id, just assets. Surely, the
>> >>merchant gets paid regardless, even if you use a false name.
>> >This is, after all, what matters to the merchant.
>> No, since (as my text went) the merchant faces a non-zero risk of
>> accepting a fake and untraceable name -- which he can't tolerate
>> because he would bear the risk alone. NOT the bank, mind you --
>> because the bank can cancel any payment made to the merchant up to
>> one year AFTER the sale and (worse) the merchant has its merchant
>> account cancelled if more than 1%(one percent) of transactions are
>There are two relevant types of transactions here:
>1. Card Not Present
This is the relevant case here -- on-line transactions and the one I
>2. Card Present
This is not the case here.
>If the card is NOT
>present, as in the case of a MOTO (mail order, telephone order)
>transaction, and the cardholder asks for a chargeback on
>the grounds of fraud, the merchant doesn't get the money.
Agreed. This is the case I specifically targeted. However, the
situation is not so simple -- it is not just the case of the card not
being there. If the case is Internet order, then additional fees and
limits apply -- besides a MOTO case.
>OTOH, in a Card Present transaction, if the merchant
>authorized the card and has a signature slip, the merchant keeps
>the money and the bank sucks it up. This is why merchants
>often require ID for checks but almost never for credit cards.
Although not the case here, it is also not so simple as you present
it. If the machine is off-line, the merchant must check the
revocation list and the signature. If the machine is on-line, the
merchant must still check the signature. Other assumptions apply, as
a function of amount, for example.
Or, if a male buyer presents a card with a female name and signs it
-- the merchant cannot say that he used due diligence, according to
>Things may be different in Britain, but this is how it is done
>in the US.
With the addenda above.
>> >The bank wants to catch the person who made the fraudulent
>> >transaction. The name on the card is not likely to help them do
>> The merchant pays!
>Only under certain situations. See above.
Yes, with the addenda above. Moreover, the case where the merchant
does NOT pay is irrelevant for an Internet order.
>Moreover, it's important to note what the credit card associations
>think is the fix for this, and it's not to add identity to
>credit cards. Rather, it's to make Card Not Present transactions
>more like Card Present transactions. I.e. to make the user
>sign with a digital certificate. And though it's got your name
>on it, like the credit card, the important thing is the
>binding to the PAN (Payer Account Number).
Grandma chooses a bad password and loses her house is the
counter-scenario here. Security and "Card Present" cannot be
achieved by legal or administrative fiats.
That is one important point: while credit card associations can do
that and may even rev up legal support for it, they must not impose
it upon customers with a "take it or leave it" attitude.
This is IMO one important contribution of SPKI, when it proposes a
protocol that separates names from authorization. And, adds one more
voice to show that it is not possible to rely on digital certificates
to associate names with persons -- or, reference with sense. But,
that is also an old truth as Plato discussed thousands of years ago
with his cave metaphor, not to mention the well-cited Venus versus
Morning/Evening Star metaphor.
Dr.rer.nat. E. Gerck firstname.lastname@example.org
-- Internet saves trees, WebBoy UMC saves PCs, you save time and money