[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Card Not Present, was Re: FW: comments
Ed Gerck <firstname.lastname@example.org> writes:
> On 27 Jul 1998, EKR wrote:
> >[snip, already discussed]
> >Ed, the issue at hand is whether the customer's identity is relevant
> >when credit cards are used.
> The issue here was based on Ian's comment:
> "the merchant cares about the payment authorised by your account
> number, not your name."
> to which I said NO -- and explained:
> 1. The merchant carries the burden of fraud in the Internet
> credit-card case. Up to one year after the transaction, plus a fine,
> plus a cancelled account if the chargebacks exceed 1% -- a large
> accumulated liability issue.
Yes, that's true, but if you were using digital certificates,
then part of the purpose of the exercise would be to move
the Internet transaction closer to the Card Present case.
I'm sorry this wasn't clear.
> 2. When Mr. X uses Mrs. X's credit-card (even with her authorization)
> then Mr. X is technically commiting card fraud -- hence cardholder's
> names are important.
I do not believe that this is in fact the case.
> My original comment intended to clarify those two items -- which are
> IMO relevant to SPKI as they are often and wrongly cited as an
> example why names are not important in some cases. Well, in the
> credit-card case they are, specially in the Internet case and
> specially to the merchant. Who does not get paid regardless.
Nope. Identity still isn't important. What IS important
is that the merchant believes that the charge won't be repudiated,
which is only tangentially related to identity.
> >I maintain that it isn't because the
> >merchant isn't put in a situation where he needs to recover the
> >money from the customer,
> Well, if the merchant gets for sure a charge-back from the bank in
> case of card fraud in the Internet case, plus a fine, plus a
> cancelled account above 1%, then how can you say that the merchant
> isn't put in a situation where he needs to recover the money from the
> customer? If the bank does not pay, if the bank insurance does not
> pay, and the merchant is charged with it -- then, who pays?
This is only true in Card Not Present. In Card Present, it's
handled differently, as I indicated previously.
[Eric Rescorla Terisa Systems, Inc.]
"Put it in the top slot."