
Card Not Present, was Re: FW: comments



On 27 Jul 1998, EKR wrote:

>Ed Gerck <egerck@laser.cps.softex.br> writes:
>
>> On Sun, 26 Jul 1998, Ian Brown wrote:
>> 
>> > Ed Gerck wrote:
>> >>
>> >>Regarding cyber-world misconceptions, some think that by escaping
>> >>names one can escape reality.  Others think that credit-cards deals
>> >>would not need names or any real-life id, just assets. Surely, the
>> >>merchant gets paid regardless, even if you use a false name.
>> >
>> >This is, after all, what matters to the merchant.
>> 
>> No, since (as my text went) the merchant faces a non-zero risk of
>> accepting a fake and untraceable name -- which he can't tolerate
>> because he would bear the risk alone. NOT the bank, mind you --
>> because the bank can cancel any payment made to the merchant up to
>> one year AFTER the sales and (worse) the merchant has its merchant
>> account cancelled if more than 1% (one percent) of transactions are
>> cancelled.
>Huh? 
>There are two relevant types of transactions here:
>1. Card Not Present

This is the relevant case here -- on-line transactions and the one I
meant. 

>2. Card Present
>

This is not the case here.

>If the card is NOT
>present, as in the case of a MOTO (mail order, telephone order)
>transaction, and the cardholder asks for a chargeback on
>the grounds of fraud, the merchant doesn't get the money.

Agreed. This is the case I specifically targeted. However, the
situation is not so simple -- it is not just the case of the card not
being there. If the case is Internet order, then additional fees and
limits apply -- besides a MOTO case. 


>OTOH, in a Card Present transaction, if the merchant
>authorized the card and has a signature slip, the merchant keeps
>the money and the bank sucks it up. This is why merchants
>often require ID for checks but almost never for credit cards.
>

Although not the case here, it is also not so simple as you present
it. If the machine is off-line, the merchant must check the
revocation list and the signature. If the machine is on-line, the
merchant must still check the signature. Other assumptions apply, as
a function of amount, for example. 

Or, if a male buyer presents a card with a female name and signs it
-- the merchant cannot say that he used due diligence, according to
some.

>Things may be different in Britain, but this is how it is done
>in the US.

With the addenda above.

>
>> >The bank wants to catch the person who made the fraudulent
>> >transaction. The name on the card is not likely to help them do
>> >that.
>> 
>> The merchant pays!
>Only under certain situations. See above.
>

Yes, with the addenda above. Moreover, the case where the merchant
does NOT pay is irrelevant for an Internet order. 

>Moreover, it's important to note what the credit card associations
>think is the fix for this, and it's not to add identity to
>credit cards. Rather, it's to make Card Not Present transactions
>more like Card Present transactions. I.e. to make the user
>sign with a digital certificate. And though it's got your name
>on it, like the credit card, the important thing is the
>binding to the PAN (Payer Account Number).
>

Grandma chooses a bad password and loses her house is the
counter-scenario here. Security and "Card Present" cannot be
achieved by legal or administrative fiats.

That is one important point: while credit card associations can do
that and may even rev up legal support for it, they must not impose
it upon customers with a "take it or leave it" attitude. 

This is IMO one important contribution of SPKI, when it proposes a
protocol that separates names from authorization. And, adds one more
voice to show that it is not possible to rely on digital certificates
to associate names with persons -- or, reference with sense. But,
that is also an old truth as Plato discussed thousands of years ago
with his cave metaphor, not to mention the well-cited Venus versus
Morning/Evening Star metaphor. 

Cheers,

Ed Gerck
______________________________________________________________________
Dr.rer.nat. E. Gerck                     egerck@novaware.cps.softex.br
http://novaware.cps.softex.br
-- Internet saves trees, WebBoy UMC saves PCs, you save time and money

