
RE: Card Not Present, was Re: FW: comments

> > 2. Merchant's responsibility does not stop there. For example, the
> >   merchant is supposed to check the card's hologram -- that is why
> >   they are there in the first place.
> Yes, they are. But they're not expected to check the signature.
> They're expected to check the CARD not the customer.

The merchant is not expected to have expertise in checking signatures
but if a question arises they had better have the signed receipt if they
want to be paid.

Nor are they particularly expected to do much checking of the card
and in any case it is difficult to think of many circumstances in
which a forged card would be available for inspection by anyone
other than the merchant!

> > For example, suppose you have a "no card present -- mail order, phone
> > order" merchant account and... you use it off-line to approve cards
> > that you receive from Internet certified 128-bit SSL connections. Are
> > you committing fraud? According to (for example) Bank of America, yes!
> > And they will cancel your account if they *suspect* so. 
> Absolutely. 

The main issue with 'card present' is not the fact of the card 
being present but the body purporting to be the holder who presents
it. A fraudster is put at considerably greater risk if they
present a stolen card in person than if they do so via the Internet.

The issues involved in the SET protocol have very little to do
with the philosophy of PKI. They begin and end with the question
of risk management in the context of a vast deployed infrastructure
which has much less intrinsic security than anyone would like.

