[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Card Not Present, was Re: FW: comments



Ed Gerck <egerck@laser.cps.softex.br> writes:

> On 27 Jul 1998, EKR wrote:
> 
> >Ed Gerck <egerck@laser.cps.softex.br> writes:
> >
> >> On 27 Jul 1998, EKR wrote:
> >> 
> >> >Ed Gerck <egerck@laser.cps.softex.br> writes:
> >> >
> >> >> On Sun, 26 Jul 1998, Ian Brown wrote:
> >> Although not the case here, it is also not so simple as you present
> >> it. If the machine is off-line, the merchant must check the
> >> revocation list and the signature. If the machine is on-line, the
> >> merchant must still check the signature. Other assumptions apply, as
> >> a function of amount, for example. 
> >
> >The merchant isn't REALLY expected to check the signature.
> >How could he be when people often don't sign their cards?
> >
> 
> What I commented on was for the Card Present case. Not Internet.  Not
> relevant here. However, to answer you: 
> 
> 1.Depends on bank, country and card type. And, the bank-rule: if
>   anything goes wrong, banks are usually the last in line to pay
>   anything -- as enforced by the contracts that the banks themselves
>   write for the customers to sign. Thus, some banks in some countries
>   do demand a positive signature verification and they do require
>   it sometimes against a photo-ID. That is usually done without you
>   perceiving it, as when a car rental asks for your driver's license
>   and the credit card. Or, in an international airport, also for your
>   passport and Hotel address -- while checking on-line with the
>   airline if you were really in that flight they offer you a
>   "discount" for car rental...
This does not happen in the US. The merchant is in fact discouraged
from checking ID.

> 2.Merchant's responsibility does not stop there. For example, the
>   merchant is supposed to check the card's hologram -- that is why
>   they are there in the first place.
Yes, they are. But they're not expected to check the signature.
They're expected to check the CARD not the customer.


> >> Or, if a male buyer presents a card with a female name and signs it
> >> -- the merchant cannot say that he used due dilligence, according to
> >> some.
> >I do not believe that the credit card companies in practice
> >charge the merchant in these cases. 
> >
> 
> Check with actual merchant contracts. Also, if the card appears to
> have been cut in half or tampered with.
> 
> The bottom-line is: Why do banks charge merchants LESS, for Card
> Present cases? Because  the bank relies on the merchant to verify
> the card! If that is not the case, then the bank is carrying a higher
> risk for less insurance coverage. Which the bank can't tolerate.
>
> For example, suppose you have a "no card present -- mail order, phone
> order" merchant account and... you use it off-line to approve cards
> that you receive from Internet certified 128-bit SSL connections. Are
> you commiting fraud? According to (for example) Bank of America, yes! 
> And they will cancel your account if they *suspect* so. 
Absolutely. 

But this is irrelevant. My assertion is that the binding is between
the card and the PAN, not the card and the customer. The reason
that Card Present is cheaper is because the CARD is present, not
because the customer is verified.

> >The Card Present/Card Not Present differentiation is not about
> >the customer's liability. The customer's liability is always
> >strictly limited in the case of unauthorized use. This
> >distinction is relevant to whether the merchant or the bank
> >eats the charge. The scenario you present cannot happen.
> >
> 
> The scenario is not about customer's liability. But, about customer's
> capability to be liable. Take the name Mary Doe. Is she a naive
> Grandma, a fraudulent Grandma or a sharp-witted Grandma? The merchant
> can't tell.
This isn't relevant either, to the merchant, since he can
depend upon the acquirer to pay provided he follows procedures.

> >Visa COULD choose to treat "Card Present" transactions the
> >same as "Card Not Present" and spread the difference over
> >all transactions. They don't because they have sufficiently
> >different cost structures that market segmentation is 
> >worthwhile. 
> 
> The data I have would mean suicide for VISA -- either in liability or
> in market share. Which speaks well against monopoly. They don't
> because either they would loose lots of money or because they would
> loose lots of business to cheaper Card Present processors.
Right, but these are business reasons, not security reasons.

> >The primary difference between Card Present and Card Not Present
> >is that numbers are easier to steal than cards. 
> 
> I must again disagree with you. The primary difference is that Card
> Present means a physical deterrent to thousands of simultaneous
> transactions in a wide coverage -- the card itself.
Sorry, I should have been more clear. I regard that as part
of being easier to steal.

Ed, the issue at hand is whether the customer's identity is relevant
when credit cards are used. I maintain that it isn't because the
merchant isn't put in a situation where he needs to recover the
money from the customer, and the bank knows the identity of the
person responsible for paying the account -- who may or may not
be the customer. What here do you disagree with?

-Ekr

-- 
[Eric Rescorla                             Terisa Systems, Inc.]
		"Put it in the top slot."

Follow-Ups: References: