[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Card Not Present, was Re: FW: comments

Ed Gerck <egerck@laser.cps.softex.br> writes:

> On 27 Jul 1998, EKR wrote:
> >Ed Gerck <egerck@laser.cps.softex.br> writes:
> >
> >> On Sun, 26 Jul 1998, Ian Brown wrote:
> Although not the case here, it is also not so simple as you present
> it. If the machine is off-line, the merchant must check the
> revocation list and the signature. If the machine is on-line, the
> merchant must still check the signature. Other assumptions apply, as
> a function of amount, for example. 
The merchant isn't REALLY expected to check the signature.
How could he be when people often don't sign their cards?

> Or, if a male buyer presents a card with a female name and signs it
> -- the merchant cannot say that he used due dilligence, according to
> some.
I do not believe that the credit card companies in practice
charge the merchant in these cases. 

> >> >The bank wants to catch the person who made the fraudulent
> >> >transaction. The name on the card is not likely to help them do
> >> >that.
> >> 
> >> The merchant pays!
> >Only under certain situations. See above.
> >
> Yes, with the addenda above. Moreover, the case where the merchant
> does NOT pay is irrelevant for an Internet order. 
> >Moreover, it's important to note what the credit card associations
> >think is the fix for this, and it's not to add identity to
> >credit cards. Rather, it's to make Card Not Present transactions
> >more like Card Present transactions. I.e. to make the user
> >sign with a digital certificate. And though it's got your name
> >on it, like the credit card, the important thing is the
> >binding to the PAN (Payer Account Number).
> >
> Grandma chooses a bad password and looses her house is the
> counter-scenario here.

The Card Present/Card Not Present differentiation is not about
the customer's liability. The customer's liability is always
strictly limited in the case of unauthorized use. This
distinction is relevant to whether the merchant or the bank
eats the charge. The scenario you present cannot happen.

> Security and "Card Present" cannot be
> achieved by legal or administrative fiats.
"Card Present" certainly can because the distinction is legal.
Visa COULD choose to treat "Card Present" transactions the
same as "Card Not Present" and spread the difference over
all transactions. They don't because they have sufficiently
different cost structures that market segmentation is 

The primary difference between Card Present and Card Not Present
is that numbers are easier to steal than cards. Password/wallet
pairs aren't THAT difficult to steal, but they're sufficiently
more difficult to steal than credit card numbers that it's 
probably worthwhile treating them differently. 

[Eric Rescorla                             Terisa Systems, Inc.]
		"Put it in the top slot."

Follow-Ups: References: