Slashdot Mirror

If you read the MasterCard news article you'll find they're not doing CHIP+PIN, it's CHIP+nothing, and only in the US and Canada -- they don't say whether they'll switch to CHIP+PIN in the rest of the world or continue with the braindead CHIP+sign.

Sorry, UK guy here. Somebody seems to have a made a repost from the early 2000s...

We're just in the process over here of replacing chip and pin with 'contactless', thus removing the security that the PIN afforded us.

We have that in the US too (e.g., Visa payWave, Mastercard Paypass, Discover Zip. EMV can use either a contact smart card (ISO/IEC 7816) or a contactless smart card (ISO/IEC 14443). They both have chips; the difference is whether the reader communicates with the chip via electrical contacts or via radio waves.

Also, what's happening today is that US banks are changing who has to eat the cost of fraudulent transactions... it's not that the US is just getting EMV cards (or contactless cards) today. They've been around for years... Discover Zip was out in 2011 (however, it still hasn't become popular... probably because there weren't many terminals that could do contactless back then. Now that merchants are being forced by the banks to upgrade their terminals to support EMV, a lot are getting terminals that take both contact and contactless).

You are wrong about merchant liability and signatures The merchant is under no obligation to check the signature, not now and not in the future with a chipped card. The signature is simply used as an acknowledgment. In fact, as a merchant I am not allowed to check the signature or ask for identification, even if the back of the card has wording in the signature area asking to check the identification. Doing so is a violation of the merchant agreement with Visa, Mastercard, Discover, and Amex. As long as the transaction is approved and the customer acknowledges it, the transaction is considered valid.

This is not true. Since it has been a while since I've looked up these rules, I double checked my memory againstthe MasterCard Transaction Processing Rules (I did not check the other three major issuers). There is a procedure to follow if the credit card is not signed -- see page 66. In short, the merchant is required to get authorization from the bank that issued the card, AND require the customer to sign the credit card. "The Merchant must not complete the Transaction if the Cardholder refuses to sign the Card." Of course, I have rarely seen this rule enforced to the letter...

Wrong. The merchant's agreement says they are required to check. There's anecdotal evidence that CC companies audit merchants for compliance.

This is false. (Where are you getting your information from?) Not only are they not required to check, both Visa's and Mastercard's policies say that although the merchant may ask for ID, they cannot refuse a transaction if you refuse to show it.

Discover apparently does say that they should check alternate ID if there are any suspicions, although it doesn't require it all the time.

Sources:
http://usa.visa.com/download/merchants/card-acceptance-guidelines-for-visa-merchants.pdf
http://www.mastercard.com/us/merchant/pdf/BM-Entire_Manual_public.pdf

It isn't the contact-less cards that are being proposed here.
Its the cards with smart chips built in, unlike those with mere NFC chips that you see in the US.

While traveling in the EU, we were advised by our bank to use a chip card, which they provided to us for nothing.
Image: http://www.mastercard.com/au/personal/en/images/Chip%20Card.jpg

The only difference here is that the chip on the card can validate the reader, and transmits data encrypted, so the entire transaction takes place encrypted from your card, to the bank, and back to the merchant's bank. Even if data is stored in the merchant's terminal, or intercepted along the way, its all encrypted.

And, as we all know that encryption is totally unbreakable, and completely safe. *cough*

This requires a change out of every credit card terminal in the country to be useful, and that will take a while.
Still its no guarantee, because the processing power to break the encryption is becoming more readily available, and the whole scheme is likely to encounter breaches in the future.

MasterCard already has access to personal data from the card issuing side (they can know everything your bank knows about you, which is considerably more than what a merchant might know). The issue here is that PayPal is acting as a screen so MasterCard/Visa cannot be sure of the nature of the downstream merchant (this is the data they are not getting from PayPal). This has monetary consequences for MasterCard because some of their fee structures differ by industry, but more significantly they track chargeback and loss rates by merchant industry. I think this is less about monetizing purchasing data (though there is certainly an element of that) and more about scaling their fee structure to known loss paterns.

what was supposed to be a 1BTC/$15 USD exchange turns into a 1BTC/$4USD exchange

Out of curiosity, do you have anything to back that up? Not doubting you, but I would have expected it to be a 1BTC/$15 exchange turning into a 3.75BTC/$15 exchange.

Remember the currency exchange on a credit card happens at the time of the transaction...

It's false. Though admittedly most people have this misconception if they don't frequently shop internationally. Both Visa and Mastercard calculate their currency conversion rates on a daily basis:

How does Visa calculate its rate? Every day—except weekends, Memorial Day, Christmas Day and New Year's Day—Visa calculates the rate for the next day's transactions.

MasterCard uses multiple market sources (such as Bloomberg, Reuters, Central Banks and others) to develop exchange rates. These rates generally reflect either wholesale market rates or government mandated rates that are collected during the daily rate setting process. The displayed rates are derived from the buy and sell rates included in the MasterCard daily rate setting process and do not include any charges or markups applied by the Issuer. Please note that due to possible rounding differences, the displayed rates may not precisely reflect the actual rate applied to the transaction amount when converting to the cardholder billing amount. The exchange rate that is applied to a transaction is the exchange rate as of the day of settlement which is the day that MasterCard determines the settlement amount to be exchanged between the acquirer and the issuer. The settlement date is therefore typically different from the date of the actual transaction. MasterCard does not provide the exchange rate when purchases are converted from the local currency by the merchant to the cardholder's currency at the point of sale.

He's right about the bitcoin volatility part though. The current market depth[http://bitcoincharts.com/markets/mtgoxUSD_depth.html] down to $4 is 246010BTC ($1616992 USD); so if someone had $1.6 million dollars worth of bitcoins to waste, yes it's possible to bring the currency down to $4 in a single order.

BJ away

And yet, some of those "violations" are in fact permitted:
http://www.mastercard.com/us/merchant/support/minmax_trans_amts.html

On the contrary. ID is not permitted to be required. See right here:

http://www.mastercard.com/us/personal/en/contactus/merchantviolations.html

[On an OT note, since when does Slashdot require me to wait for an extraordinarily long period of time when I am just trying to reply with some simple information]

I'm not chopping up by debit MasterCard since it's also my ATM card, but I have moved all my automated payments to Amex and will no longer be using MasterCard for any purchases. (As a bonus, Amex also has much better cash back rewards.)

I'm also emailing several relevant addresses the following letter:

To whom it may concern:

I was disappointed when I heard that MasterCard had cut off payments to WikiLeaks (as reported at http://news.cnet.com/8301-31921_3-20024776-281.html), claiming it is participating in "illegal activity" even though WikiLeaks hasn't been charged or convicted of anything, and even though WikiLeaks's actions have been substantially no different than those of the New York Times, the Guardian, and other news sites that distributed the same material.

Now I see that MasterCard is also siding with the music and movie cartels in their war on technology (http://news.cnet.com/8301-31001_3-20025879-261.html), cutting off payments to web sites accused of file sharing, and lending support to the so-called "Combating Online Infringement and Counterfeits Act" which would grant the government the power to censor web sites without a trial.

It seems that every time I swipe my MasterCard, I'm funding an assault on freedom of speech.

December 19, 2010, was the last time I used my MasterCard -- and it will be the last time I use *any* MasterCard, or Cirrus, or Maestro, or anything related. In fact, I almost want to boycott Audi and the Olympics just for having similar logos.

I have three other charge networks to choose from, not to mention online payment systems and EFT. Comparing MasterCard to those, I see no advantages and two huge downsides. Goodbye.

Then you didn't read / hear what was said. Either that or your were on a source that withheld the fact that NONE of the payment systems were affected by the DDoS. It was solely their website / some web services, which has nothing to do with payments.

MasterCard Statement on Service Interruption to its Corporate Website

Purchase, NY, December 08, 2010 - MasterCard has made significant progress in restoring full-service to its corporate website. Our core processing capabilities have not been compromised and cardholder account data has not been placed at risk. While we have seen limited interruption in some web-based services, cardholders can continue to use their cards for secure transactions globally.

http://www.mastercard.com/us/company/en/newsroom/pr_service_interruption.html

Try this one: http://www.mastercard.com/us/company/en/ourcompany/officers.html it has pictures of board of directors.

I keep trying to read the story at http://www.mastercard.com/ but nothings happening.

In Firefox, just hold ctrl while repeatedly clicking the link. It will eventually load for you.

It's affecting debit cards too, dipshit.

No. It's not. It's not even affecting credit cards. It's affecting www.mastercard.com.

No problem. Just get it here.

I keep trying to read the story at http://www.mastercard.com/ but nothings happening.

The same fraud prevention policies apply equally to both credit and debit cards bearing the Visa or Mastercard logos, for transactions in which Visa or Mastercard is involved.

So, if you only ever use your "debit" card to perform "credit" transactions, and nobody has your PIN, you're just as well protected as you would be with an actual (debt-based) credit card.

However: Neither Visa nor Mastercard can do a damned thing if someone has your card number and your PIN, since a criminal in possession of both of these bits of information will just empty the account using debit transactions and the credit card companies simply aren't in the loop on that. In such cases, it's entirely up to your bank as to how you'll be treated.

More information from the horse's mouth is here. And still more, from that other horse, here.

Visa Signature, Mastercard, and AMEX already provide extended warranties when you purchase items with their branded cards. It's just that nobody ever knows these benefits. If you want to find out what benefits your cards have, see the links below (benefits vary by the bank and card- Citi may include different benefits than Chase, etc)

Mastercard
VISA Signature

They never, ever, asked for picture ID.

That's funny. The reason I stopped going to RS (in addition to all the reasons others have mentioned) is that they always demand a photo ID from me. The last time I refused and reported them for violating their merchant agreement with Mastercard

Have customers just select a password for each account. Retailers would verify the password the same way they verify CSC numbers now,

Visa and Mastercard have already implemented this option. The only problem is the store has to be capable of handling it, and not all of them are, unfortunately.

https://usa.visa.com/personal/security/vbv/index.html?ep=v_sym_verified
http://www.mastercard.com/us/personal/en/cardholderservices/securecode/index.html

The account number is simply placed on the card, and authentication comes from physical ownership of the card. (PINs don't count because they are unfortunately verified based on machine-readable information on the card itself.)

This is wrong. PINs haven't been stored on the card for a long time (I'm not even certain they ever were for all cards). You can easily check this yourself with a relatively cheap reader, or you can build one yourself.

http://usa.visa.com/personal/cards/prepaid/index.html

http://www.mastercard.com/us/personal/en/aboutourcards/prepaid/index.html

I dunno, but MasterCard has the same rule:

5.9.3 Minimum/Maximum Transaction Amount Prohibited
A Merchant must not require, or indicate that it requires, a minimum or
maximum Transaction amount to accept a valid and properly presented Card.

http://www.mastercard.com/us/merchant/pdf/MasterCard_Rules_5_08.pdf

American express just says that merchants must not "impose any restrictions, conditions, or disadvantages when the Card is accepted that are not imposed equally on all Other Payment Products, except for ACH funds transfer, cash, and checks"

In order to accept credit cards, merchants agree to be bound by the card brand's merchant regulations. Part of these regulations state that (again, this is for CC transactions - Debit transactions are a different beast) for a CC transaction, no minimum transaction amount can be imposed by the merchant, nor can they add a transaction fee. For Mastercard, the URL for complaints is http://www.mastercard.com/us/personal/en/contactus/merchantviolations.html. Visa doesn't have a form for it, but if you're curious, the Visa Merchant Regs can be found at http://usa.visa.com/download/merchants/rules_for_visa_merchants.pdf?it=il|/business/accepting_visa/support_center/tips_tools_downloads.html|Rules%20for%20Visa%20Merchants. Personally, I refuse to pay transaction fees or minimum transaction amounts. A business can refuse your business at that point however. Merchants can also offer a discount for cash, but they have to inform you of the discount prior to the initiation of the transaction.

The signature on the card must be reasonably close to the signature on the slip they sign.

Mastercard has a nice little web form to report merchant violations. It usually only takes one or two reports to get the merchant in line.

The policy is on their sites somewhere. I read it a while back when I had my merchant account and just showed something about a year ago but failed to book mark the merchant agreement.

Here is a PDF of MasterCard's rules though. Section 5.6.3 says "A Merchant must not refuse to complete a Transaction solely because a Cardholder who has complied with the conditions for presentment of a Card at the POI refuses to provide additional identification information, except as specifically permitted or required by the Standards. A Merchant may require additional identification from the Cardholder if the information is required to complete the Transaction, such as for shipping purposes. A Merchant in a country or region that supports use of the MasterCard Address Verification Service (AVS) may require the Cardholder's ZIP or postal code to complete a
Cardholder-Activated Terminal (CAT) Transaction, or the Cardholder's address and ZIP or postal code to complete a mail order, phone order, or e-commerce Transaction."

There is another section about minimum purchases too. Section 5.9.x is chocked full of goodies like not being able to charge more for using a credit card and no minimum charges, and so on.

I don't know if that helps you, Visa was the same when I had an account and like the op you were talking with said, Visa wasn't as pedantic about it but MasterCard are strict.

Mastercard has a web form where you can report merchants who require checking ID. It is not allowed by the merchant agreements they signed with Mastercard. I would record and report the date and the salesperson at the store, and ask who told them they have to ask for ID, if it is the store policy, etc.

http://www.mastercard.com/us/personal/en/contactus/merchantviolations.html

While I agree that Verified by Visa is a marketing joke, encountering it doesn't prevent me from completing the transaction or make me switch banks/cards. After all, banks and credit card processors are the ones with far more liability, so why not let them take whatever steps they feel are necessary to protect the transaction.

Under the Fair Credit Billing Act (FCBA), credit card holders have a limit of $50 of liability for just about any charge you disagree with. This means "I didn't make it.", "I bought it, but never received it", "I don't remember it and you can't provide documentation that I made it". It's very consumer-friendly legislation.

What's more, even though the law doesn't cover charges less than $50 or more than 100 miles from you home address (an antiquated provision that didn't anticipate charges made by phone or internet), both VISA and MasterCard have zero liability policies that apply to all U.S.-issued cards anywhere they're accepted. This is way better protection than cash. If you pay in cash and the item is defective, but the store refuses to accept a return, then you're SOL. If you pay by credit card, you just dispute the charge. This is especially useful for car repairs that end up not really fixing the problem. For those saying they only use their card when they have to, that's stupid. If you have a card at all, you could end up with fraudulent transactions on your account, so having a card and not using it doesn't really protect you.

One important note about VISA's and MasterCard's fine print: VISA's policy only excludes PIN-based transactions not processed by VISA. MasterCard's excludes all PIN-based transactions. The FCBA only applies to credit transactions and therefore excludes ALL debit transactions (PIN-based are usually debit). Did you know that the credit card companies charge merchants about half as much for PIN-based transactions? Why do you think the machines at your supermarket ask you for a PIN by default? This is partly because using a PIN makes fraudulent transactions more difficult, but probably more due to the difference in legal liability the processor holds.

Seriously though, I've disputed numerous transactions under the FCBA. My bank (WellsFargo) handles disputes quickly and easily, and I've always either received all my money back or had the merchant fix the problem. I even had my card stolen in Mexico (copied, actually, since I still had the card but card was supposedly present at the transaction), and all charges were easily resolved.

Note that accounts under FCBA dispute are marked on your credit report, but I've never received a notice that I'm entitled to a free report because of it, so it must not affect your credit score.

So remember, kids:

• Under the Uniform Commercial Code, there's an implied warranty of merchantability on everything purchased in the U.S. unless otherwise stated.
• Always buy with a credit card.
• VISA is better than MasterCard (a.k.a. the Evil-O's. No, I don't work for VISA, but I used to work for a VISA subcontractor.).
• Avoid cash for anything you might ever consider returning
• Avoid debit and pin-based transactions like the plague. They're a conspiracy to shift legal liability onto consumers. If banks and credit card processors really cared about security, they'd PKI chips, PINs, and cardholder photographs on the actual card. But implementing these things is simply more expensive than simply shifting the liability to the card holder.

Actually, you should check your facts.

Any bank that issues a card with the Visa or MasterCard logo has agreed to meet or exceed the consumer protection policies of Visa or MasterCard. This is how it's ALWAYS been, debit card horror stories notwithstanding.

Visa:
"Debit cards have the same security protections as credit cards. Just like credit card cards, debit cards have Zero Liability* fraud protection and dispute resolution options."
http://usa.visa.com/personal/using_visa/personal_finance/debit.html

MasterCard:
"With your debit card, you'll enjoy great features such as worldwide acceptance at millions of locations, MasterCard Global Service, and Zero Liability* protection from unauthorized purchases."
http://www.mastercard.com/us/personal/en/aboutourcards/debit/standard_card.html

No, this protection is not mandated by LAW as it is with Credit Cards, but it is mandated by Visa and MasterCard who have ZERO INTEREST in seeing their good name tarnished.

Everyone has heard Debit Card Horror Stories. My suggestion is to have a critical ear and check the facts, instead of just passing-on the FUD.

I'm sorry, I got my X(insert natual element here) projects confused. I meant XStream http://xstream.codehaus.org/ not XFire. I use Castor, I just know others use XStream for the same thing I use Castor for.

Basically, if you use Castor/XStream to produce XML documents for your objects, it's dirt simple to pull in the document and use it in Flex. An example of a project where we've done exactly that is this product: http://www.mastercard.com/us/business/en/smallbiz/specialoffers/index.html

Using Firebug, you should be able to see the types of REST responses we are using in the app. They are all produced with Castor, and consumed with Flex's built-in support for HTTP and XML.

As for compatibility, last figure I heard was 93% of browsers have Flash 9. Considering included in the remaining 7 percent are mobile devices, tinfoil-hat wearers, minimalists, etc, the 93% covers most of my target audience.

9.11.2 Cardholder Identification
A merchant must not refuse to complete a MasterCard card transaction solely because a cardholder who has complied with the conditions for presentment of a card at the POI refuses to provide additional identification information, except as specifically permitted or required by the Standards. A merchant may require additional identification from the cardholder if the information is required to complete the transaction, such as for shipping purposes. A merchant in a country or region that supports use of the MasterCard Address Verification Service (AVS) may require the cardholder's ZIP or postal code to complete a cardholder-activated terminal (CAT) transaction, or the cardholder's address and ZIP or postal code to complete a mail order, phone order, or e-commerce transaction.

But either way, even if the written rules require that they not require ID, they ignore it at will. And your complaint will probably result in the vendor being sent a letter saying `don't do that!' and nothing else. Which the vendor will probably ignore, and nothing will change. Perhaps if lots of people complained at once something might change, but just one person? I doubt it.

In any event, `solely' gives them a pretty big out. All a vendor would have to say is that `Our policy requires that we check ID on all credit card and check transactions' and then by refusing to provide ID, you're violating their policy, and they can refuse to take your card and it follows the letter of the Mastercard rules. (It would weaken their case if they only checked ID on some transactions, of course.)

I wouldn't hold my breath waiting for the vendors to change their policies regarding this. Chargebacks are expensive.

Perhaps that is an International-only document.

In the USA, it is still a violation of a merchant's agreement with Mastercard to require identification. This form on the Mastercard site lets you file a complaint if a merchant insists on identification:

http://www.mastercard.com/us/personal/en/contactus /merchantviolations.html

http://www.mastercard.com/us/wce/PDF/MERC-Entire_M anual.pdf

Check page 71 under Acceptance Procedures for Purchase Transactions where it says

************

For unique transactions processed in a face-to-face environment (with the exception of truck stop transactions and card-read transactions where a non-signature CVM is used), request personal identification of the cardholder in the form of an unexpired, official government document. Compare the signature on the personal identification with the signature on the card.

************

I didn't read the Visa Rules. I use Mastercard.

Internet merchants do have fraud protection options available to them. Any merchant being hit by a large number of charge backs should explore 3DSecure: http://www.cardwatch.org.uk/spot_and_stop/html/3ds ecure.htm?display=html http://www.visaeurope.com/merchant/handlingvisapay ments/cardnotpresent/verifiedbyvisa.jsp http://www.mastercard.com/us/personal/en/cardholde rservices/securecode/index.html When setting up with your payment services provider you should find out exactly what services they provide to help protect you from fraudulent transactions. Card holder address verification and card verification code/number (those 3 digit numbers on the back of your card) checking will help reduce the number of bogus transactions that get through 3DSecure will allow you to shift liability for charge backs from yourself to the bank.

No, I hate being asked for ID when using my card. In fact, Visa and MC rules prohibit merchants from requiring you to show ID to accept a card. I go They can ask, but can't require it. They also cannot accept a card with "See ID" without making the cardholder sign it. See page 29 of the Visa merchant rules (PDF) and pg 48 of the MasterCard merchant rules (PDF).

I usually file a complaint here and check the "merchant required identification" box.

No, I hate being asked for ID when using my card. In fact, Visa and MC rules prohibit merchants from requiring you to show ID to accept a card. I go They can ask, but can't require it. They also cannot accept a card with "See ID" without making the cardholder sign it. See page 29 of the Visa merchant rules (PDF) and pg 48 of the MasterCard merchant rules (PDF).

I usually file a complaint here and check the "merchant required identification" box.

Hopefully never. It's a violation of MasterCard, Visa and American Express's policies (almost certainly Discover's too) to check ID and I file a complaint every single time someone asks me for ID when I use my Mastercard because it pisses me off.

According the merchant rules, for MasterCard anyway, the merchant is suppose to check the signature and request ID as part of their compliance (section 2.1.1.2).

If a card is not signed, the merchant is suppose to obtain authorization from the card issuer, request ID and have the customer sign the card then and there (section 2.1.1.3).

MasterCard Merchant Rules

From http://www.mastercard.com/aboutourcards/faqs.html# q5 www.mastercard.com

Q: How safe are these transactions? Can't someone intercept the data or get incorrectly charged for purchases when carrying the card?

A: These transactions are just as safe as, if not more safe than, traditional payment transactions, as the PayPass feature incorporates special security technology to prevent "replay" fraud. MasterCard PayPass also provides more consumer control, since the card doesn't have to leave your hands to be swiped by the merchant. Additionally, MasterCard PayPass provides zero liability in North America, just like all MasterCard payment programs.

No It's not "like walking around with my card number tattooed on my forehead"

It doesn't really look like RFID more like a multipart handshake based on RFID technology

ISO/IEC 14443 has two-factor authentication.

What's the second factor? What people typically mean by two-facto auth is a physical token plus a PIN or password, but that doesn't square with the marketing literature or their "easier than cash" claims.

You can't steal the card number because the card doesn't transmit the card number.

Is it some sort of challenge/response thing? If so, where does the challenge come from? It seems like the challenge would have to come from the clearing firm, yes? But wouldn't that require a hot connection with good response time to get the exchange done during a wave?

Asking for ID before completing purchases with a signed card is _strictly_ against both Visa and Mastercard policy and can get a merchant in serious trouble. If it makes you angry then report it.

report

here:

forum post about it:

And here's one for Master Card--

http://global.mastercard.com/hk/faq.html#c_cust_se rv

Same as the Visa, be sure to let it load, or just do a text search for "minimum".

It already is! Visa "gift card" - like a regular gift certificate, up to $500 value, but in the form of a pre-paid Visa card. Mastercard have one too. Certainly not as anonymous as cash, but probably close with careful use and procurement. For that matter, you can even use one to obtain cash from an ATM, putting an extra layer in between you and the purchases...

You know, Mastercard, Amex, Visa, and Discover all tell you to sign your card as soon as you receive it. As an example, here's Mastercard's Fraud Info page.

I'm not going to do your research for you but I've seen statement mailers, various web pages, and other consumer info from each of them over the years that all said "See ID" or similar is not valid to put on the card. More importantly, unless that card is signed with your signature rather than some bogus phrase, you technically haven't followed your terms of the contract. Arguably they could claim that because you didn't sign the card, they aren't liable, because you didn't take the reasonable (and required under the contract) action of signing the card.

"See ID" is a nice idea, but it's kind of like that wacky MS EULA-bypass stuff we always see here. People get some idea that by finding a way not to take a specific physical action like clicking a button or signing a card, they've changed the contract. I doubt that would hold up. There may even be unintended consequences like claiming the cardholder didn't take the necessary and reasonable steps to protect the card.

(And in the case of the EULA-bypasser, MS might claim use of a "circumvention device" under the DMCA.)

most people put their card away quickly and furtively, triggering mental red flags, and then get pissy if you ask "Sir, may I see the card and a photo ID please?". So you lose either way.

You can't turn down a credit card purchase just because they won't show you ID. I guarantee after a few people fill out this form you will change your tune.

Also, I find it funny that "no ID required" is one of the big selling points banks are using to try and get people to switch to debit cards. There is no ID required for a credit card purchase either!

Taking upskirt photos with your Nokia 7650: Priceless

1000 lines of code: $500
SLOCCount program: Free
Knowing you have a billion dollars worth of code: Priceless

3. Caught by your mates jacking off in the shower. Priceless

3. Having the correct time, always: Priceless.