
Re: Card Not Present, was Re: FW: comments



On 27 Jul 1998, EKR wrote:

>Ed Gerck <egerck@laser.cps.softex.br> writes:
>
>> On 27 Jul 1998, EKR wrote:
>> 
>> >Ed Gerck <egerck@laser.cps.softex.br> writes:
>> >
>> >> On Sun, 26 Jul 1998, Ian Brown wrote:
>> Although not the case here, it is also not so simple as you present
>> it. If the machine is off-line, the merchant must check the
>> revocation list and the signature. If the machine is on-line, the
>> merchant must still check the signature. Other assumptions apply, as
>> a function of amount, for example. 
>
>The merchant isn't REALLY expected to check the signature.
>How could he be when people often don't sign their cards?
>

What I commented on was for the Card Present case. Not Internet.  Not
relevant here. However, to answer you: 

1. Depends on bank, country and card type. And, the bank-rule: if
  anything goes wrong, banks are usually the last in line to pay
  anything -- as enforced by the contracts that the banks themselves
  write for the customers to sign. Thus, some banks in some countries
  do demand a positive signature verification and they do require
  it sometimes against a photo-ID. That is usually done without you
  perceiving it, as when a car rental asks for your driver's license
  and the credit card. Or, in an international airport, also for your
  passport and Hotel address -- while checking on-line with the
  airline if you were really in that flight they offer you a
  "discount" for car rental...

2. Merchant's responsibility does not stop there. For example, the
  merchant is supposed to check the card's hologram -- that is why
  they are there in the first place.

>> Or, if a male buyer presents a card with a female name and signs it
>> -- the merchant cannot say that he used due diligence, according to
>> some.
>I do not believe that the credit card companies in practice
>charge the merchant in these cases. 
>

Check with actual merchant contracts. Also, if the card appears to
have been cut in half or tampered with.

The bottom line is: Why do banks charge merchants LESS, for Card
Present cases? Because the bank relies on the merchant to verify
the card! If that is not the case, then the bank is carrying a higher
risk for less insurance coverage. Which the bank can't tolerate.

For example, suppose you have a "no card present -- mail order, phone
order" merchant account and... you use it off-line to approve cards
that you receive from Internet certified 128-bit SSL connections. Are
you committing fraud? According to (for example) Bank of America, yes!
And they will cancel your account if they *suspect* so. 

>> Grandma chooses a bad password and loses her house is the
>> counter-scenario here.
>Huh?
>
>The Card Present/Card Not Present differentiation is not about
>the customer's liability. The customer's liability is always
>strictly limited in the case of unauthorized use. This
>distinction is relevant to whether the merchant or the bank
>eats the charge. The scenario you present cannot happen.
>

The scenario is not about customer's liability. But, about customer's
capability to be liable. Take the name Mary Doe. Is she a naive
Grandma, a fraudulent Grandma or a sharp-witted Grandma? The merchant
can't tell.

>> Security and "Card Present" cannot be
>> achieved by legal or administrative fiats.
>
>"Card Present" certainly can because the distinction is legal.  

Not if the card is cloned, for example by collusion. While
distinction depends on predicates, I meant it in the context of your
concept, that digital certificates would provide for the "Card
Present" case to be achieved even when the card is NOT present. I
contest that both are equivalent and I disagree that such is secure.

>Visa COULD choose to treat "Card Present" transactions the
>same as "Card Not Present" and spread the difference over
>all transactions. They don't because they have sufficiently
>different cost structures that market segmentation is 
>worthwhile. 

The data I have would mean suicide for VISA -- either in liability or
in market share. Which speaks well against monopoly. They don't
because either they would lose lots of money or because they would
lose lots of business to cheaper Card Present processors.

>
>The primary difference between Card Present and Card Not Present
>is that numbers are easier to steal than cards. 

I must again disagree with you. The primary difference is that Card
Present means a physical deterrent to thousands of simultaneous
transactions in a wide coverage -- the card itself. Plus other
benefits, such as requiring a person to carry and present the card
can lead to a series of trails (hotel number, appearance, accent, car
license number, etc). Which simply do not exist in the Card Not
Present case.

I would say that numbers are easier to copy, send, receive and paste
than cards....

Cheers,

Ed Gerck
______________________________________________________________________
Dr.rer.nat. E. Gerck                     egerck@novaware.cps.softex.br
http://novaware.cps.softex.br
-- Internet saves trees, WebBoy UMC saves PCs, you save time and money

