Domain: visa.com
Stories and comments across the archive that link to visa.com.
Comments · 246
-
Re:Consumers will pay for this
Can't be done. Visa, Mastercard, and Amex all have clauses forbidding those cash discounts, which can cause a merchant's account to be pulled.
This is a well-worn urban myth. Merchants absolutely can and do offer discounts for paying with cash -- what they can't do is impose a surcharge for paying with a card. Here's a recent article where Visa explains the difference.
So basically they raise their margin by 2% and then offer a discount for cash purchases? Boils down to the same thing as a surcharge except technically it isn't.
-
Re:Consumers will pay for this
Not in Canada. This clause was forcibly stripped out of merchant agreements a few years ago. They really kicked up a fuss at the time, but life went on. Except for big ticket items, I don't know of very many places that charge more for using your visa. It definitely happens. Local farm supply retailers will charge an additional 2% typically for large ticket purchases like herbicides or fertilizer. But the fees could depend on the type of card.
According to the US Visa website, retailers can offer a discount for cash. But they aren't allowed to add a surcharge for credit cards. https://usa.visa.com/support/c.... smart of Visa to do it this way, but definitely favors them. On the surface it appears to be the same thing but actually isn't, as CC fees can be anywhere from 1 to 3% depending on the card. High rewards cards have a higher fee.
Even a 1% fee should leave these credit card companies in a very comfortable and profitable position. Greed is universal I guess.
-
Lies, Damned Lies, and Statistics?
So "Gemini Advisory" says card fraud is up, huh? But Visa says that fraud is down. Who's right? I don't know, and don't feel like looking into the details of both reports. It's likely that both are right, and they're talking about different types of fraud. My understanding is that overall, fraud is down significantly, but some types of fraud are up, such as card skimming at gas pumps (since the chip conversion deadline for those is still in the future and very few of them support chips right now.)
-
Re:Failing electronic system
Can't they just make an imprint of the chip in my card?
No they can't "imprint the chip" but there are procedures for handling this. https://usa.visa.com/dam/VCOM/... Start reading around page 25
-
Re:Failing electronic system
(or remember back when they had those slide-things, they still have those for embossed cards).
Apparently, they are supposed to still have these and, if the card is embossed, use it if the chip and the mag stripe both fail. https://usa.visa.com/dam/VCOM/... The merchant takes on less liability if they do this instead of just writing out the number.
-
US Gas stations
It has been annoying that I can't use my credit card at US gas stations since I have a foreign Mastercard and VISA and live in a 4 digit zip code. So they won't accept it at the pump.
I have heard that Shell have replaced all their readers with the ones that can read the chip because there was a demand that all gas stations updated their readers.
But now they have extended their deadline to 2020. :/ Oh well, I will be in the States soon again so I will try to fill up at Shell to see if it works. :)
-
Re:Turn on your damn chip reader
The merchants that won't turn on their chip readers are already penalized (since 2015) by being liable for in-person fraud against their terminals, if the card used was chip-capable. In other words, both issuers and acquirers are incentivized to adopt chip-card.
For some merchants, however, the cost of a chip rollout might be more than the cost of eating the liability. The example that comes to mind is gas stations -- they have lots of readers, which are built directly into the pumps and not modular in any meaningful sense. I can imagine them being quoted astronomical costs to update them. And it's not that they are against chip card, because every terminal I see in the gas station is enabled.
Another example that comes to mind is automated parking machines. No one designed those things to be modular, and so who knows if there's even an upgrade path for them. For a small operator -- for example a mid-sized airport or a mall -- the cost could be truly out of proportion to just sucking it up.
The way I see it, this is a perfectly good bargain now (even a Coasian one) because they have both the cost and the liability. Let them figure out whether it's worth it for them.
-
Re:Well..... they're not wrong
That's because the figure appears to be wrong. Visa claims they can do 65k/second as of August 2016 ( https://usa.visa.com/dam/VCOM/... ) or about one per living person per day. And they can grow that number larger if they ever get even close to capacity.
-
Re:Must be a US thing
I have the same problem when traveling in the US, I can't pay at the pump anywhere. I know a Conoco station where I usually travel where I can pay at the pump, so I go there when I am in the neighborhood. It is so annoying.
A few times it does work to type in a random ZIP code.
So I researched the problems and had hopes that the problems would be over since a colleague said that he could pay at the pump at all Shell stations on their road trip.
I believe that once they get around to using the chip on my card, it will be better, but that seems to have been delayed. :(
-
Re:The government let them do this in the first pl
This is the problem with /.'s moderation system - you write a long screed based on a bullshit premise and get modded to 5. There is no law such as you've described. They don't need a law. It's part of the merchant agreement. But it gets better. In the US merchants may specifically add a surcharge to card transactions due to a settlement with the card industry:
https://usa.visa.com/dam/VCOM/...
So, basically, you're not only wrong, you are the exact opposite of true.
-
Re:I've recently adopted a policy of using my CC..
Have you ever heard of this: https://usa.visa.com/pay-with-...
-
Re:Not at the border
Getting Visa is a no-brainer.
-
Re:Because there's no advantage
You make the assertion that anything people purchase fraudulently comes out of the store's pocket, not yours. Here's the thing: if the cost of fraud is 0.1%, then every $1,000 you spend includes around $1 of fraud coverage. If it's 1%, then it's $10. The difference between these, if you have $70,000/year to spend (e.g. a mid-level IT job, after taxes), is $70 vs $700.
Reductions in fraud translate to reductions in operational costs, and eventually reductions in consumer prices. The long and short of it is that yes, all this fraud comes out of your pocket.
In a larger economic sense, that kind of cost reduces total purchasing power. Firstly, by way of ineffective fraud controls generally requiring more effort per purchase volume; and secondly, by the simple increase of prices, reducing everyone's purchasing power per dollar while translating those stolen proceeds into someone else's hands (i.e. that guy has 100x as much money, and everything costs 1.01x as much, so you're 1% poorer and he's 9,900% richer). A total reduction in purchasing power means less stuff moving, which means less labor involved moving it all, which means fewer jobs and more unemployment.
Cashback comes out of your bank's fees to the merchant. The 1%-2% you actually get in total is compared to a 3.2% per-transaction fee, which bumps prices up. ON TOP OF THAT, the merchant is responsible for any and all fraud, which gets amortized as cost-of-risk. So a $10 good might be 32 cents extra so the merchant can cover those transaction fees and 1 cent extra to cover fraud; you pay an extra 33 cents, and get 20 cents back.
That fraud cost is comparatively small, but it does come out of your pocket eventually. Reducing and controlling fraud reduces those costs, and the bump in prices eventually decays away as inflation devalues money and prices don't increase quite as fast to match (10% more production, 15% more money, ~4.5% inflation; but the added production comes from lower cost in goods, so that $10 good becomes $10.40 instead of $10.45, or some such). Typically, blunt effort fraud controls exponentially increase in cost, and so new strategies are employed; and such new strategies reduce cost per transaction, which allows competitive merchant rates.
You might think of Visa and Amex here, although Visa and Mastercard are considered the big competitors. Visa publishes a huge schedule of fees, and they do in fact charge more if you're using a Signature Rewards card (1.6% for mine, 1.15% for some base cards, and as high as 2.4% for high-end rewards cards). Payment processors build on top of these, for example HELCIM.
The punch line is the total fees paid to banks, payment processors, and credit card companies has increased over the years, although so has the size of the economy--still, $20 billion out of $8.9 trillion vs $45 billion out of $12.5 trillion, or a 50% increase in proportion. We're getting better at fraud, too, so improved fraud detection is an expensive arms race.
-
Re:Lots of places in the US support NFC payments.
Apple Pay is much worse than the NFC payments the rest of the world uses.
The US has had NFC payments for years. However, it never caught on here... I think people are paranoid about RFID. But Visa, MasterCard, and Discover all had contactless cards for a while, but it seems that the experiment was deemed a failure and they're phasing them out now.
-
Here's a link to the Visa "Quick Chip" spec
-
Re:Cashless society means banks can tax us
There is no such law. The credit card companies tried to limit this behavior contractually and lost in court not so long ago.
I was wrong. There are no FEDERAL laws. There are, however, STATE laws. I was remembering (the gist of) California's, since I live here.
From https://usa.visa.com/support/c...
“No retailer…may impose a surcharge on a cardholder who elects to use a credit card in lieu of payment by cash, check or similar means…”
Statute: Cal. Civ. Code § 1748.1(a) (West) (It then goes on to discuss the discount for cash payment idea.)
That page also lists other state laws.
More general info is at
https://www.cardfellow.com/cha...
-
Re:Is this obsolete already?
Sorry, UK guy here. Somebody seems to have made a repost from the early 2000s...
We're just in the process over here of replacing chip and pin with 'contactless', thus removing the security that the PIN afforded us.
We have that in the US too (e.g., Visa payWave, Mastercard Paypass, Discover Zip). EMV can use either a contact smart card (ISO/IEC 7816) or a contactless smart card (ISO/IEC 14443). They both have chips; the difference is whether the reader communicates with the chip via electrical contacts or via radio waves.
Also, what's happening today is that US banks are changing who has to eat the cost of fraudulent transactions... it's not that the US is just getting EMV cards (or contactless cards) today. They've been around for years... Discover Zip was out in 2011 (however, it still hasn't become popular... probably because there weren't many terminals that could do contactless back then. Now that merchants are being forced by the banks to upgrade their terminals to support EMV, a lot are getting terminals that take both contact and contactless).
-
Re:Not credit... so your account stays drained
Great, another ACH debit mechanism, which means that when a fraudster empties a bank account, it stays emptied because there is nowhere the protection present that a credit card has in place.
In the US, this. VISA talks about Zero Liability, with restrictions. That's zero compared to the legal $50 liability.
The only difference I've found is that your bank account will be zero until the money is put back, and I don't know what happens to bounce fees that occur in the meantime.
-
Re:someone explain for the ignorant
Wrong. The merchant's agreement says they are required to check. There's anecdotal evidence that CC companies audit merchants for compliance.
This is false. (Where are you getting your information from?) Not only are they not required to check, both Visa's and Mastercard's policies say that although the merchant may ask for ID, they cannot refuse a transaction if you refuse to show it.
Discover apparently does say that they should check alternate ID if there are any suspicions, although it doesn't require it all the time.
Sources:
http://usa.visa.com/download/merchants/card-acceptance-guidelines-for-visa-merchants.pdf
http://www.mastercard.com/us/merchant/pdf/BM-Entire_Manual_public.pdf
-
Re:someone explain for the ignorant
4 different Credit Card companies in the US (Visa, MasterCard, American Express, and Discover) will no longer cover fraudulent charges on non-chip transactions starting in October 2015.
Visa:
Effective 1 October 2015, Visa's global counterfeit liability shift will be instituted in the U.S for POS transactions. With this liability shift, the party that is the cause of a chip transaction not occurring (i.e., either the issuer or the merchant's acquirer processor) will be held financially liable for any resulting card present counterfeit fraud losses. The shift helps to better protect all parties by encouraging chip transactions that use unique, dynamic authentication data.
-- Source (PDF)
MasterCard:
The April 2013 acquirer readiness date is the first step in preparation for MasterCard's liability shift, which takes effect October 1, 2015. This liability shift directly affects acquirers and issuers as it pertains to counterfeit fraud. This means that the party, either the issuer or merchant, who does not support EMV, assumes liability for counterfeit card transactions. In addition, MasterCard supports a liability shift for lost, stolen, and never received or issued (NRI) cards to the party that does not support PIN as a cardholder verification method. If neither party supports PIN, only the counterfeit liability shift rules apply. The liability shift does not apply to Automated Fuel Dispensers (AFDs) until October 1, 2017
-- Source (PDF)
American Express:
Effective October 2015, American Express will institute a Fraud Liability Shift (FLS) policy that will transfer liability for certain types of fraudulent transactions away from the party that has the most secure form of EMV technology. U.S. fuel merchants will have an additional two years, until October 2017, before the FLS takes effect for transactions generated from automated fuel dispensers.
-- Source
Discover:
In alignment with U.S. EMV migration timelines, Discover is introducing Fraud Liability Shift for Discover Network (in the U.S., Canada and Mexico) and PULSE (in the U.S.), effective October 1, 2015 at point-of-sale terminals and Oct. 1, 2017 at automated fuel dispensers. This Fraud Liability Shift policy will be a risk-based payments hierarchy that benefits the entity that leverages the highest level of available payments security. As Fraud Liability Shift is already in place for Diners Club International (effective December 31, 2012 for mandated Participants), Discover will have one standard liability shift policy in place across all networks by October 1, 2015.
-- Source
So, I expect everyone in the US will start seeing new cards issued this year even if their card isn't set to expire.
-
Re:someone explain for the ignorant
Absolutely correct. In fact, merchants should not (cannot, in practice) ask for your drivers license to compare to your credit card. Visa's rules don't allow them to base a decision off of that. Once they touch a drivers license, they have now colored any future decision to reject the card as a payment type.
See the top of page 34: http://usa.visa.com/download/m...
-
Re:they must hate cash, too
They require merchants to suck up the cost of accepting Credit cards and not allowing a company to charge more to cover the credit card merchant fees. Of course 'cash discounts' can be done but that's uncommon.
Beginning January 27, 2013, merchants in the United States and U.S. Territories will be permitted to impose a surcharge on consumers when they use a credit card. Historically Visa has not permitted retailer surcharging, but allowing surcharging was a key provision required by merchants to settle long-standing litigation brought by a class of retailers in 2005.
There are states in which a surcharge for credit card usage is illegal, but these states typically allow for cash discounting.
-
Re:so why is ApplePay required
The problem is knowing exactly when the 10% is, or having it when a merchant wants to verify identity on his Visa or Mastercard branded debit card -- despite the fact that it's expressly not required. I've got better things to do than earning a lifetime ban from Fry's Electronics after successfully completing a no-ID Visa purchase there...
http://www.mastercard.us/suppo...
A merchant must not refuse to complete a transaction solely because a cardholder refuses to provide additional identification information. However, there are certain situations where a merchant may require some personal information, such as a shipping address for online purchases. Additionally, if your MasterCard card is unsigned, a merchant should request personal identification to confirm your identity and ask the cardholder to sign the card before completing the transaction.
http://usa.visa.com/download/m...
Although Visa rules do not preclude merchants from asking for cardholder ID except in the
specific circumstances discussed in this guide, merchants cannot make an ID
a condition of acceptance. Therefore, merchants cannot as part of their regular
card acceptance procedures refuse to complete a purchase transaction because
a cardholder refuses to provide ID. It is important that merchants understand
that the requesting of a cardholder ID does not change the merchant’s liability
for chargebacks. However, it can slow down a sale and annoy the customer. In
some cases, it may even deter the use of the Visa card and result in the loss of
a potential sale. Visa believes merchants should not ask for ID as part of their
regular card acceptance procedures. Laws in several countries also make it
illegal for merchants to write a cardholder’s personal information, such as an
address or phone number, on a sales receipt.
-
Re:Not a new idea
Here's a shiny powerpoint to download. Click Here. They say it works. They also say some random number (that sometimes has a letter in it?) next to a $ sign with god awful English.
Seriously, click here.
-
Re:Calls from Credit Cards on "Suspicious Activity
It's a debit card. The fact you can use it to pay for something at the checkout doesn't make it a credit card. There is no credit involved.
It's both. You have the option to use it as a credit card:
"When you sign for your purchases, you get security protections that help prevent, detect and resolve fraud. Many rewards programs also require you to sign to collect rewards points. However, if you PIN for your Visa Debit card transactions, you may not receive the same security protections for Visa Debit card transactions not processed by Visa."
-
Re:This isn't why they had a security breach
The security number is by design not embossed on the card, nor, as far as I know, encoded in the stripe, because for physical card-reading applications the cashier has to confirm your identity by other means such as signature and driver's license.
In VISA's case, their recommendation is to compare the signature with the one on the back of the card. However they explicitly state (page 34) that merchants can't decline processing a VISA transaction if the customer refuses to show an ID for a signed card. I believe MC has a similar policy.
With many merchants never even touching the card, the cashier never even sees the back of the card signature, let alone have an opportunity to compare it to the receipt's signature.
-
Re:Criminals with honour!
Define 'protected'.
Well, according to the Visa and MasterCard contracts you sign, you, the consumer, are not liable for fraudulent or unauthorized usage of your credit card credentials. Here's Visa's statement and here's MasterCard's. Just for fun, here's Discover and American Express's, both of which promise zero liability if you act like a rational human being. And since 1998 the FDIC covers about $250,000 in losses relating to your bank account, including unauthorized use of your ATM card. So looking at all of those liability statements, since the data breach was not the result of gross negligence on the part of the cardholder, the cardholder is not liable for any fraudulent charges made in their name.
Furthermore if anyone steals my credit card, bank card, ATM card or card information, or if something happens to the bank, like a robbery or the bank folds (provided my bank is FDIC insured, of which nearly 7,000 banks are): I, the consumer, am not liable. Either my credit card company knocks it off my bill (in the case of credit card fraud) or the Federal Government covers the losses up to $250,000 per bank (in the case of ATM card fraud or bank losses).
Those are all legally binding contracts in the United States. The European Union has similar systems in place, and has had deposit insurance since 1994, though that just covers the minimum coverage mandated under EU regulations (current minimums are €50,000, as of 2008, more information here). Most countries cover up to €100,000, including Belgium, Bulgaria, Cyprus, the Czech Republic, Finland, France, Germany, Greece, Hungary, Italy, the Netherlands, Portugal, Spain, Sweden, and Slovakia (among others). The UK covers up to £85,000 in a rather complicated scheme of percentages, and the Irish government will guarantee all the money in your bank accounts.
Certainly seems safer than putting your money in an escrow account controlled by a marketplace known for its illicit drug trade, and whose predecessor was taken down amidst a murder-for-hire scandal.
-
Re:It's about time.
One way it works is this http://usa.visa.com/merchants/...
-
Re:Tin foil hats!
Actually, modern cards not only have the contact chip but also a "Contactless" mode that can be used for small payments.
So you can pay for your Starbucks or bus fare instantly just by tapping your Visa card, no need to swipe or insert the card and enter a PIN number. This is all still more secure than Swipe & Sign, because the cards can't be easily cloned and there's a relatively low transaction limit.
Wrong.
Contactless is far less secure than magstripe.
"Contactless" is far less secure because it will wirelessly give out all the information on the front of the card (CC number, name, expiry date) to any system that asks for it. I have an application for it on my Galaxy Nexus (and the source code that doesn't censor the CC number is available on GitHub). Now you have the number, exp date and name on the card you can make online transactions with it and the best way to avoid detection by the bank is to make small transactions because they are less likely to be flagged or noticed by the user and the bank will write it off rather than doing any kind of indepth investigation (so as long as it's not directed to a real address, you're safe).
So you don't need to replicate the card to use it for fraudulent purposes. But if you would like to, just follow the specifications that are publicly available from Visa's website (same for MasterCard, haven't checked Amex/Discover, but no-one uses those cards outside the US).
Fortunately chip and pin technology is not dependent on contactless technology (actually it's the other way around).
-
Re:Good. We can stop relying on people who...
They should have checked your ID since the card was unsigned. Also, Visa does more-or-less prohibit the checking of IDs; from the guidelines, "merchants cannot as part of their regular card acceptance procedures refuse to complete a purchase transaction because a cardholder refuses to provide ID": http://usa.visa.com/download/m...
-
Re:Time to ask the bank a new debit card and P
Information about debit cards are NOT shared with anyone outside of the issuing bank.
I find that impossible to believe when the exact same processing system is used for both credit and debit cards.
Hell, there are even "rewards" programs for visa and mastercard branded debit cards. I think you would be hard pressed to explain how visa can do that without knowing your spending.
-
Re:Great for CC scammers
does Visa give a damn if I clone my card and swipe the clone, instead of the one they mailed me, at the point of sale?
-
Not a surprise, was clearly a loss-leader
This shouldn't be a big surprise...the flat rate plan was clearly a loss-leader meant to gain marketshare.
Most of the fee you pay to companies like Square doesn't go to them. It goes towards the "Interchange Fee" charged by Visa, MasterCard, and AMEX. These interchange fees vary based on card type (for example, fees are higher on "reward cards"...that's what funds the "reward"), and transaction type ("card not present", for example, has a higher rate). Check over the interchange fees for Visa and MasterCard, and you'll see that Square doesn't have a lot of room to move below 2.75% and still make money.
The three big players in this "mobile payments" space are Paypal Here (2.7%), Intuit's GoPayment (2.75% flat, or $12.95/M + 1.75%) or, the aforementioned Square (2.75%). At the moment, if you're swiping more than $1295/M, Intuit's $12.95+1.75% would be the best choice...unclear though, how long that plan will be around since it's a loss-leader as well.
The market that's more curious to me is the "card not present" market...payment processors for websites. Stripe seems to be the darling of the Slashdot crowd, but their pricing is horrible. They offer 2.9% + $0.30 per transaction, and won't offer to discount it until you're doing $1M+ per year. Contrast with Paypal's Payment Pro which drops down first to 2.5%+$0.30 once you hit $3k/month, then down to 2.2%+$0.30 once you hit $10k/month. Stripe has a few features that PPP doesn't, but they would need to be real important to you to pay that much more.
-
EMV is so much more than chip-and-pin
The EMV standard includes "online PIN", "offline PIN", etc. and every terminal that does EMV is programmed by the issuing bank with their own preferred order of whether to try chip-and-pin first, chip-and-signature first and all of the other variations. BTW, in the UK it would be illegal for "all" new cards to have been chip-and-pin because the 2010 Equality Act requires merchants to accept chip-and-signature cards from persons with disabilities http://www.payyourway.org.uk/special-focus/chip-signature-–-alternative-pin/. Tesco got in trouble over that recently.
Here's an explanation from Visa of why they think chip-and-signature as first choice makes the most sense within the US given the way US telecoms charge, US law, etc http://blog.visa.com/2012/01/13/as-u-s-chip-adoption-advances-visa-provides-guidance/. More or less it's because in the US we can afford for terminals to talk to the Visa servers to authenticate the card instead of needing "offline PIN" authentication that the terminal and card can do on their own.
As the US banks are issuing chip-and-signature-first cards to their patrons, you are now free to make jokes about Americans being mentally disabled.
-
Re:Do the CCs work?
You don't get asked for ID because the merchant agreement forbids the cashier from requiring an ID for a credit card transaction. An ID is not required to use a credit card and random merchants or customers don't get to change the agreement willy-nilly (not that it stops them from trying...just like all the shops that had $5 minimums on CCs before that became legal in 2010). In fact, a credit card without a signature is technically not a valid card and can be refused.
A merchant can ask for your ID, but they cannot require it for acceptance of the card (maybe it will scare someone off, but a smart criminal would just refuse). In the case where the card is not signed (or has See ID or some other housewife-myth written on it), the protocol is for the cashier to ask you to sign the card in front of them and compare the signature to a government ID. In this case, it is not quite clear, but it sounds like they *can* deny you for not presenting ID. So basically, the unsigned/See ID trick only works once--the first time someone actually follows the rules and calls you out on it, they will make you sign the card.
Check out pages 33 and 34 (the written numbers, not the PDF numbers) of this PDF for more info: http://usa.visa.com/download/merchants/card-acceptance-guidelines-for-visa-merchants.pdf. If you recall back to maybe the early 90s, there was a big ad campaign where celebrities (I think I remember a seinfeld one) would try to pay with a check and the cashier wouldn't take it since they forgot their ID...and then some random guy would walk in and pay with a CC without a question.
-
Re:Do Canadian credit cards for sub $10?
Post from Visa showing minimums are allowed. Based on Frank-Dodd act.
http://blog.visa.com/2010/09/02/minimizing-confusion-over-minimums/
-
Re:Already Done
A well established cryptosystem is already established and the crypto-token sits in the pocket of most europeans. Chip&Pin credit cards have the crypto inside to securely authenticate people, and most people in the western world have a credit card. The tokens are signed by the banks, and a rigid structure already exists to authenticate the users. a 15 euro reader (retail price) is all most westerners would need to buy to do this, if the retarded Americans would go to a chip&pin card instead of paying billions for credit card fraud
Chip & Pin is in the hands of most Canadians and has been for a long time as well... long enough that they're disabling the magnetic stripe readers in all of the country's ATM's, which they started doing earlier this month.
There's a problem with the Chip & Pin, though... that's the "easypay" option... http://usa.visa.com/merchants/payment_technologies/veps.html
... The last Visa card my bank sent me had one of those in it, in addition to the Chip & Pin. Needless to say I called them and demanded they send me a credit card that didn't have an RFID in it which could be used to pay without a pin or signature, but most people wouldn't.
Quite honestly, and on topic (for a change), I'm not too sure I'd trust the security savvy of a company that thinks it's good security to combine a Chip & Pin system with an RFID payment system in the same card.... I certainly wouldn't hold it up as something to be emulated.
-
Re:Excellent;
As someone who studied the blasted VISA Merchant Regulations as I was learning a bit about e-commerce, I would direct folks to page 414 of the standard international operating procedures:
Core Principle 6.3
No Surcharging Unless Required by Law
Charging for the Advertised Price
Visa merchants agree to accept Visa cards for payment of goods or services without charging any
amount over the advertised or normal price as a condition of Visa card acceptance, unless local law
requires that merchants be permitted to engage in such practice.
-
Re:Doesn't this go against the spirit of BitCoin?
what was supposed to be a 1BTC/$15 USD exchange turns into a 1BTC/$4USD exchange
Out of curiosity, do you have anything to back that up? Not doubting you, but I would have expected it to be a 1BTC/$15 exchange turning into a 3.75BTC/$15 exchange.
Remember the currency exchange on a credit card happens at the time of the transaction...
It's false. Though admittedly most people have this misconception if they don't frequently shop internationally. Both Visa and Mastercard calculate their currency conversion rates on a daily basis:
How does Visa calculate its rate? Every day—except weekends, Memorial Day, Christmas Day and New Year's Day—Visa calculates the rate for the next day's transactions.
MasterCard uses multiple market sources (such as Bloomberg, Reuters, Central Banks and others) to develop exchange rates. These rates generally reflect either wholesale market rates or government mandated rates that are collected during the daily rate setting process. The displayed rates are derived from the buy and sell rates included in the MasterCard daily rate setting process and do not include any charges or markups applied by the Issuer. Please note that due to possible rounding differences, the displayed rates may not precisely reflect the actual rate applied to the transaction amount when converting to the cardholder billing amount. The exchange rate that is applied to a transaction is the exchange rate as of the day of settlement which is the day that MasterCard determines the settlement amount to be exchanged between the acquirer and the issuer. The settlement date is therefore typically different from the date of the actual transaction. MasterCard does not provide the exchange rate when purchases are converted from the local currency by the merchant to the cardholder's currency at the point of sale.
He's right about the bitcoin volatility part though. The current market depth[http://bitcoincharts.com/markets/mtgoxUSD_depth.html] down to $4 is 246010BTC ($1616992 USD); so if someone had $1.6 million dollars worth of bitcoins to waste, yes it's possible to bring the currency down to $4 in a single order.
-
Re:I do not know and do not care!
I'm sure Google has a similar thing going on like Facebook where companies can pay extra $$$ to get unfettered access to the data as part of "we may share your data with interested third parties".
No they absolutely do not: "We do not share personal information with companies, organizations and individuals outside of Google" (Ref: http://www.google.com/policies/privacy/). There is no "we may share your data with third-parties" clause in the Google privacy policy, unlike almost every other company out there. Read the links carefully and you will see that Google has one of the best privacy policies (at least in terms of sharing information with third parties). Also note that some of these companies have way more personal and sensitive information about you than Google.
Disclaimers:
* I work at Google
* These are entirely my own views and opinions and do not represent Google's in any way.
-
Illegal Surcharge for Credit-Card Payment
It is illegal in some U.S. States to charge more for a product or service if the buyer is using a credit card. Also, it is a violation of the merchant agreement with Visa, MasterCard, and American Express. This policy at Verizon is essentially a surcharge for payment via credit card. If one uses cash (cheque by mail, or ACH bank transfer), then there is no fee.
If one pays with credit card, then there is a "convenience fee" (surcharge). I suppose that their legal department could argue that they provide the Auto-Pay option for credit-card users to avoid the surcharge, but it remains debatable.
It certainly is not customer friendly. A more friendly way to cover their credit-card fees is to make the higher rate the standard price, and provide a discount for cash payments (cheques and ACH).
-
Re:American Express it is then
I'm also glad whenever a store checks my ID or the signature on the back of my card (which they are specifically forbidden from doing in their contracts with visa/american express/master card/discover).
http://usa.visa.com/merchants/risk_management/card_present.html
"6. Check the signature. Be sure that the signature on the card matches the one on the sales draft. Do not accept an unsigned card."
Go read actual contracts signed by actual merchants.
They all specifically preclude merchants from checking ID or the signature, even if the signature is blank.
This is because the agreements all have clauses that say you must match the terms of any competing card, to the benefit of the cardholder being able to complete the transaction.
If American Express lets the merchant require a minimum transaction amount for credit, but Visa doesn't, a merchant who accepts both American Express and Visa is not allowed to enforce a minimum transaction amount on American Express users.
The same goes for processing fees charged to the cardholder, ID verification, signature verification, signature requirements/thresholds, etc.
The only cards that don't trigger the must match clauses are store-specific cards (like a Best Buy card, or a Victoria's Secret card), and debit/prepaid cards (they're an entirely different class of transaction).
Furthermore, security features, such as the digits on the back of the card, programs like Verified by Visa, and RFID/Chip and PIN/whatever shit are all optional and intentionally shitty. Banks foist these features on merchants because it puts the burden on the merchant when fraud occurs.
If you save your credit card on Amazon, they ask for the digits on the back of the card. These digits are never supposed to be stored, but Amazon either stores them anyway, or verifies it once and then runs all future transactions without it. The lack of those digits does nothing to prevent a transaction from actually going through.
If you have noscript installed and you buy something on Newegg with a Visa card, the Verified by Visa redirect will fail. 5 minutes later your order will still go through.
If I clone someone's RFID-enabled credit card, and then make a fraudulent purchase, the merchant is ultimately on the hook if the actual cardholder initiates a charge back.
It's all horseshit, and the people paying for it are:
- People who don't pay their balance off in full every month
- People who don't notice fraudulent transactions
- Merchants
-
Re:American Express it is then
I'm also glad whenever a store checks my ID or the signature on the back of my card (which they are specifically forbidden from doing in their contracts with visa/american express/master card/discover).
http://usa.visa.com/merchants/risk_management/card_present.html
"6. Check the signature. Be sure that the signature on the card matches the one on the sales draft. Do not accept an unsigned card."
-
Re:100's of thousands is not impressive
You got me curious, so I went and checked.
There are actually rather a lot of places that take it, even where I live in Oklahoma. This includes my grocery store, my pharmacy, and a lot of the fast-food outlets I frequent. If they could get QuikTrip (the local convenience store champion) on board, it would work for most of the times I use my bank card today.
-
Asking for it
Here in Aus they have implemented a new system whereby you do not need to enter a pin or sign if it is a "small" amount (less than $100 at MacD's and less than $35 at Coles / Kmart stores) - Paypass / paywave.
It's been in for a couple of months, and is gradually gaining acceptance. There's a few problems though; one being the marketing material which clearly states that '.. there is no risk..'.
Let's see here. If I get mugged, said mugger can use my CC to their heart's content - so long as it is less than $100 at Macd's or less than $35 at a Coles (chain of stores et al).
The information provided states that any money lost on a stolen card will be refunded *after* the card is reported stolen. So, this opens up two new avenues:
1) Get mugged, and have your credit card joy ridden for a couple of hours
2) Get mugged, and have your credit card chip cloned
or even better, let's go for option
3) Your card information is recorded, and 'mysterious' $35 amounts keep appearing on your bills.. until you cancel the card..
I have asked, repeatedly, as to how to have this functionality disabled. Yes, I am security conscious enough that I want the 'hassle' of putting my pin in Every Single Time. Yes, even for 'small' purchases. Apparently, it can't be done - short of shredding your credit card.
Mainly, I am now concerned with young thugs trying to mug me. The "Zero Liability: If your card is ever lost or stolen, you're protected with Zero Liability for unauthorized purchases." ( Reference: http://usa.visa.com/personal/cards/paywave/index.html ) will *not* help with a broken arm or missing teeth.
-
VISA advice to Sony - Make it a one-day story.
This is what VISA advises all merchants. It seems Sony either did not read that or decided to ignore it.
http://usa.visa.com/download/merchants/cisp_responding_to_a_data_breach.pdf
Make it a one-day story. By communicating
early and delivering on promised updates,
the company reduces the chances the media
may make more of the story than it might
deserve. The harder a journalist has to work
to dig up the information about your breach,
the more value the reporter and his/her
editors will place on the story — and this will
be reflected in where it is played and how
long it is considered newsworthy.
-
Translating corporate-speak
Sony:
"We're still working to confirm the security of the network infrastructure, as well as working with a variety of outside entities to confirm with them of the security of the system. Verifying the system security is vital for the process of restoration. Additional comprehensive system checks and testing are still required, and we must complete that process before bringing the systems online."
To understand this, read VISA International's "What to Do if Compromised".
"Working with a variety of outside entities to confirm with them of the security of the system." means VISA International and/or MasterCard, Inc have invoked their contractual rights to send in auditors, security experts, and computer forensics experts. They do that for big security breaches. "Additional comprehensive system checks and testing are still required, and we must complete that process before bringing the systems online." means "VISA, etc. won't let us go back on line until we pass their security tests."
So Sony isn't entirely in control of when they go back on line.
-
VISA and MasterCard lower the hammer
It's likely that Sony went off-line not because they wanted to, but because VISA International and/or MasterCard Worldwide ordered them to. See my post on "What To Do if Compromised". The contract that merchants must sign to accept credit cards gives the credit card companies the right to send in a VISA fraud team, a Cardholder Information Security Team, and a computer forensics team. VISA can insist that compromised systems containing credit card data be taken off line until examined. For a big breach, VISA probably invoked their right to do all that.
The process is expensive for the merchant who doesn't have the VISA-required security measures in place. They get hit with fines from VISA, the cost of the forensics work, and chargebacks from compromised credit cards. "If a Visa member fails to immediately notify Visa Inc. Fraud Control of the suspected or confirmed loss or theft of any Visa transaction information, the member will be subject to a penalty of $100,000 per incident. Members are subject to fines, up to $500,000 per incident, for any merchant or service provider that is compromised and not compliant at the time of the incident." Worse, from a business perspective, they can't accept credit cards again until VISA's team says they're secure.
Then comes the "Account Data Compromise Recovery" phase. For the next 13 months, the merchant gets hit with charges related to compromised credit cards.
A merchant-side compromise of credit card data means the merchant gets stuck with all the costs of the breach.