Slashdot Mirror

Read "What To Do if Compromised", the official instructions for merchants who accept VISA cards. Sony is clearly doing some of the things VISA requires: "Do not access or alter compromised systems, i.e. don't log on at all to the compromised systems. ... Do not turn systems off. Isolate compromised systems from the network ..." Then they have to call the VISA Incident Response Manager, and the full list of compromised cards has to go to VISA, which parcels it out to the issuing banks for card cancellations and reissues.

VISA has the contractual right to send in a forensics team. VISA will assess fines up to $500,000 if VISA's security requirements haven't been met. If compromised data includes PIN numbers for debit cards, or CVV2 data for credit cards, which merchants aren't supposed to store at all, VISA sends in a Qualified Security Assessor. They check that the systems are no longer storing that data, and that all historical data of that type has been erased, before they go back on line.

Now it's clear why Sony is off line. Their actions look like what happens when a major debit card breach occurs and VISA sends in the forensics and security teams.

So there's your answer when management doesn't want to have proper security on credit card data. VISA can and will shut temporarily down your ability to accept payments. You'll have law enforcement, forensic auditors, and security experts questioning your management. Your company may have to pay sizable fines to VISA. Your CEO may have to explain the screwup to reporters.

And that's the good case. The bad case is when VISA decides you don't get to accept credit or debit cards any more, permanently. This happens routinely to screwed-up small businesses.

This kind of scheme makes perfect sense to me. Then individual companies would become their own certificate authority and could self-sign as needed. As a consumer, the only decision I need to make is if I trust the destination and after doing this once I shouldn't need to do it again. Of course, as a company I won't have to keep shelling out pointless cash to a CA that doesn't really do anything for me.

If my next visit to https://visa.com/ turns out to be a phishing site (don't bother following the link, it appears Visa's site is SSL challenged), then I'll likely get a prompt that says something like https://visa4scam.com/ has a certificate that you don't already trust - do you want to trust it? Smart browsers could say stuff like did you know that you already trust a certificate from visa.com and it has a different domain or IP address, and even indicate that this may not in fact really be Visa.

Honestly, I'm not sure the identity checks associated with EV really mean anything either. It's entirely for encryption purposes, and as a hacker unless I can hijack the actual domain there isn't much I can do with it.

There are always exceptions, but for regular Brick & Mortar retailers, asking for ID is not inside the regs. I acknowledge, they are often ignored. here is the link-- the quote is from page 428

http://usa.visa.com/download/merchants/visa-international-operating-regulations-main.pdf Supplemental Identification - U.S. Region A U.S. Acquirer must not, as a regular practice, require a Merchant, and a Merchant must not require a Cardholder, to provide any supplementary Cardholder information as a condition for honoring a Visa Card or Visa Electron Card, unless it is required or permitted elsewhere in the U.S. Regional Operating Regulations. Such supplementary Cardholder information includes, but is not limited to: Social Security Number (or any part thereof) Fingerprint Home or business address or telephone number Driver's license number Photocopy of a driver's license Photocopy of the Visa Card or Visa Electron Card Other credit cards

The way I read this description is that a merchant is free to ask for a driver's license to verify identity as long as they don't photocopy it or record the number.

There are always exceptions, but for regular Brick & Mortar retailers, asking for ID is not inside the regs.
I acknowledge, they are often ignored. here is the link-- the quote is from page 428

http://usa.visa.com/download/merchants/visa-international-operating-regulations-main.pdf
Supplemental Identification - U.S. Region
A U.S. Acquirer must not, as a regular practice, require a Merchant, and a Merchant must not require a
Cardholder, to provide any supplementary Cardholder information as a condition for honoring a Visa
Card or Visa Electron Card, unless it is required or permitted elsewhere in the U.S. Regional
Operating Regulations. Such supplementary Cardholder information includes, but is not limited to:
  Social Security Number (or any part thereof)
  Fingerprint
  Home or business address or telephone number
  Driver's license number
  Photocopy of a driver's license
  Photocopy of the Visa Card or Visa Electron Card
  Other credit cards

First of all, if you've ever made an unusually large transaction on your bank account you may have gotten a notice that the transaction was on hold to prevent fraud. This has happened to me -- I think there was a waiting period of like 6 days or something. No law enforcement involved. The money wasn't "seized", it was just held up.

Second, I'm going to ignore PayPal for a minute and talk about a credit card network like Visa, because I'm very familiar with how it operates and the issues are similar. When a Visa bank accepts Visa payments on behalf of a merchant, part of the contract is that they can freeze your merchant account if there are indications of fraud. The money is frozen, NOT seized, though it may eventually be used to repay fraud.

The reason for freezing is simple -- if the consumer complains of fraud (such as no product received), there will be a Visa regulated dispute process. Law enforcement is not involved in this process. If the result of the process is that the merchant has to pay back the money, then the bank is ultimately responsible. If the merchant has committed mass fraud and absconds with the money, the bank could be out a LOT of money. That is why they freeze the account.

PayPal is in a similar position, but it rides on top of many networks instead of belonging to a single network like Visa.

As a 17 year old, I must agree with Eleannor or w/e on the fact that credit cards are often required to purchase things online. I would have loved to get TF2 and HL2 through steam when they were like $10 each, but I don't have a credit card and they require one, and my parents don't like using them online due to keylogger concerns (with which I agree).

If your worried about security, then use a Linux Live CD. Or if your parents won't give you their credit card, just buy a prepaid gift credit card. They are found in many big chain stores. When the card is done, get rid of it.

As a 17 year old, I must agree with Eleannor or w/e on the fact that credit cards are often required to purchase things online. I would have loved to get TF2 and HL2 through steam when they were like $10 each, but I don't have a credit card and they require one, and my parents don't like using them online due to keylogger concerns (with which I agree).

If your worried about security, then use a Linux Live CD. Or if your parents won't give you their credit card, just buy a prepaid gift credit card. They are found in many big chain stores. When the card is done, get rid of it.

If you use it as a debit card--snip--you are fully on-the-hook when it comes to losses - if they steal $2000 from your account, you have lost $2000 - there is no disputing charges or limited liability like with a credit card.

I worked at a financial institution, this is completely incorrect. Your liability is limited by law to $50, and most small banks and credit unions just limit it to -0-. Just make sure you have email alerts on so you know your card is being abused & call your bank & police if so.

http://usa.visa.com/personal/security/visa_security_program/zero_liability.html

http://www.fdic.gov/regulations/laws/rules/6500-1350.html

Verifiedbyvisa which will add an extra layer of security by demanding an OTP to be generated with the smart card of the VISA card; making fraud virtually impossible unless the card reader & code has been used.

I work in bank security, and I just wanted to offer some clarification on your rant:

If you want a more achievable answer in today's plastic world, DO NOT CARRY DEBIT CARDS. Debit cards do not offer you protection against loss.

A debit card can be used in two ways. It can either be used with a PIN in what's commonly called a debit transaction (or at an ATM), or it can be used as a "credit" transaction and processed through the Visa or MasterCard network. There is little to no protection against loss for the former of these transaction types, except keeping your PIN secure. The "credit" style transaction, on the other hand, is protected by a zero liability guarantee (at least Visa cards... not sure about MasterCard). Yes, your bank account may get cleaned out (or depleted up to the daily spending limit of your debit card), and outstanding checks may bounce, and you may have a freeze on your account until it gets resolved. However, this zero liability guarantee means any transactions found to be fraudulent will be reimbursed by your bank. The bank then goes after the merchant that processed the transaction to recoup their own losses. If you have a good bank, they'll also refund your overdraft fees. Debit or ATM transactions, on the other hand, are not covered by the same guarantee, so having your card skimmed and PIN captured is far worse - UNLESS your bank offers a guarantee on these types of transactions as well.

See http://usa.visa.com/personal/cards/debit/visa_check_cards_faq.html

Credit cards are limited by U.S. law to a maximum of $50 liability to the cardholder. Debit cards losses are usually covered by the bank, but they are under no legal obligation to do so.

Losses due to fraudulent transactions processed through the Visa network are actually covered by the merchant that accepted the transaction, not your bank. Your bank only covers "Debit"-style losses they agree to cover if they offer protection against Debit or ATM transactions, but that's not a standard program.

For ATM access, most banks will honor your request for an ATM-only card instead of accepting their default ATM/Debit card.

An ATM-only card means you will have to use ATMs more frequently, thereby potentially exposing yourself to skimmers, as well as use of your PIN in public. Since there's no zero-liability coverage with most banks for skimmed ATM transactions, you're putting your money at greater risk by doing this. Oh, and by the way, the skimmers have this one figured out too. You no longer have to worry about the shady looking person loitering near the ATM watching you enter your PIN. They install a tiny camera painted to match the fascia of the ATM, and they aim it at the keypad.

I have been telling people for YEARS how unwise it is to have or use a "debit" card with a Visa/MC logo on it. My bank kept INSISTING that I use one, and I would have to send it back and tell them to please send me a regular debit/ATM card. Many of the same people that thought I was "paranoid" and "obsessive" or just plain strange don't think so anymore.

You are paranoid. And ignorant. As long as you report the theft to your financial institution as soon as you learn about it, there are strong protections in place. It's simply not true that it's up to YOU to track down your money. It's up to your financial institution. They are required by law to credit you in the case of errors or unauthorized purchases, and are even required to issue a provisional credit in many cases before the investigation is complete.

A Visa Debit card carries the same protections as a Visa Credit card for signature based-transactions. PIN based transactions are still covered by Regulation E, which protects the consumer.

And there's no such thing as a perfectly good ATM card: with a skimmer, a fraudster can clone your ATM card and have your PIN. Fraudulent PIN based transactions are MUCH harder to refute. People call up all the time and say, "I have no idea how that person got my PIN number, I've never given it to ANYONE!" We (my bank) pull the ATM video, and sure enough it's their son/daughter. The consumer sheepishly admits, "Oh, well, I just told them my PIN once, months ago..." Given the choice between turning the video over to the police or rescinding the claim of unauthorized use, many people will choose the latter.

IAABG (I am a banking geek).

The rules for provisional credit on debit cards is very well established. They fall under Regulation E, section 205.11. The bank has ten days to get you a provisional refund, and can take up to 45 days in certain circumstances to complete their investigation and finalize the credit.

Make sure you get them a notice in writing! Once you do, they have ten days to credit you, and many banks will do it much faster. If the bank drags their feet, just tell them "I want provisional credit within the mandated timeline per Regualtion E".

Here's more on this topic:
http://www.bankersonline.com/technology/guru2008/gurus_tech022508c.html
http://usa.visa.com/personal/security/visa_security_program/zero_liability.html
http://finsolinc.com/Reg%20E%20EFTA%20Error%20Resolution%20Flowchart.pdf

The protection for misuse of debit cards is strong, you just need to know what to do. If your bank isn't responsive, Move Your Money to a smaller institution that cares.

The same fraud prevention policies apply equally to both credit and debit cards bearing the Visa or Mastercard logos, for transactions in which Visa or Mastercard is involved.

So, if you only ever use your "debit" card to perform "credit" transactions, and nobody has your PIN, you're just as well protected as you would be with an actual (debt-based) credit card.

However: Neither Visa nor Mastercard can do a damned thing if someone has your card number and your PIN, since a criminal in possession of both of these bits of information will just empty the account using debit transactions and the credit card companies simply aren't in the loop on that. In such cases, it's entirely up to your bank as to how you'll be treated.

More information from the horse's mouth is here. And still more, from that other horse, here.

What may happen is that most of the people who used credit (not debit) cards demand a chargeback from their bank, EA gets hit with thousands of chargeback fees, and EA's merchant bank kicks them into a higher cost credit card category for excessive chargebacks.

There are Visa procedures for this. This is a chargeback code 82 - "Duplicate Processing". Likely cause: "Electronically submitted the same batch of transactions to the merchant bank more than once". See "The Chargeback Life Cycle", page 71, for an overview.

Generally, if chargebacks exceed 100 chargebacks and 1% of transactions, the chargeback penalty provisions kick in. Thereafter, the merchant is charged $100 per chargeback by the merchant's bank. The merchant is forced into Visa's "High Risk Chargeback Monitoring Program", a $5000 "review fee" is charged to the merchant for the first month, and even higher fees are charged if the problem continues.

Even big merchants have to pay. The banks have to deal individually with each customer to straighten out the mess. They charge the merchant for that.

Incidentally, "No Chargeback" sales receipts are prohibited by Visa rules and will not be enforced by banks.

EA is telling their customers to contact their financial institution before calling EA. It would probably be cheaper for EA if EA dealt with the problems themselves, but their call center may be too small.

Some users are complaining that EA charged them partway through the billing cycle, when they didn't owe EA a payment.

Anyway, EA will be getting a big bill from their bank.

Okay working for a financial institution myself, I can tell you that it is very likely if the charges are on a Visa Debit Card, people do have recourse. Due to Visa's Zero Liability Coverage, people who bank with an institution that participates in the VZL are likely to get the funds back if they file a Dispute with their bank or credit union. Fees resulting from the erroneous charges are also likely to be refunded as well. However, each institution is different and some don't fully participate in the Zero Liability Program. If you bank with an institution that tells you to go fuck yourself, it's time to switch to a new bank, or better yet, just switch to a credit union.

So to summarize, call your bank if you were one of the ones fucked over by EA and request an immediate dispute on all charges beyond the one authorized and agreed upon charges (and then proceed to cancel your subscription to Warhammer). Also, as a word to the wise, make sure to ask your bank to stop subscription charges from EA. Just canceling and getting a new debit card isn't enough. If a merchant has an authorization for subscription billing, they can still bill the card even after the card is canceled, since they have an authorization already.

Ever heard of a Visa Gift Card?

If the person is there in person, then ID check...

Actually doing anything meaningful along that line is against the merchant agreements companies sign to accept credit cards.

From Visa's:

Although Visa rules do not preclude merchants from asking for cardholder ID, merchants cannot make an ID a condition of acceptance. Therefore, merchants cannot refuse to complete a purchase transaction because a cardholder refuses to provide ID. Visa believes merchants should not ask for ID as part of their regular card acceptance procedures.
(That quote is in bold, page 29.)

Both VISA and Mastercard have very explicit regulations on data sharing, and how 'Cross Sales' are conducted: they both prohibit it in their merchant agreements.
VISA is somewhat lax on its enforcement, preferring to take a case-by-case approach if there is abuse, however has been cracking down significantly on this type of behavior of late: http://corporate.visa.com/media-center/press-releases/press969.jsp

Mastercard will fine and terminate merchants it finds passing CC information between third parties. Fines normally start at 25k per offense.

The storage of CC data is another highly regulated procedure. 'Normal' merchants are prevented from storing CC data, and to even handle it, normally have to become PCI-compliant.
The storage of CVV data is very, very regulated - You have to have PCI-level 3 compliance - something typically reserved for merchant processors themselves.

To say that no regulation exists is somewhat uninformed.

However, even with the above all in place, as these guys are all using merchant accounts, they're going to see all the CC/CVV information in the flux; as presented by the article, it's very common to use this data, if the merchants can 'stay under the radar'.

Use Firefox with NoScript, and only turn scripting on for sites that you trust to be secure (should be a pretty short list) or that you need to access and do business with. Be similarly protective with cookies. If you're aware of what's trying to run on your computer, then it's easier to notice XSS attempts when you see a script attempting to run from a different server than the site you're accessing.

The first time I ran across Verified by VISA, I noticed it had behaviour very similar to a classic XSS attack. It ran a script from a different site which, since my bank had outsourced the back-end authentication, wasn't recognizable as my bank. Attempting to do the same from IE or Safari didn't indicate a problem. I think that the security analyst and the technical architect who signed off on that disaster should be unemployable because the approach enforces bad browsing habits on customers. However I expect that they are actually probably more successful with that big a project on their resume.

I refuse to do business with vendors that use Verified by VISA because the extra hoop is for their benefit, not mine. If they use it, they get a slightly better rate from VISA because user fraud is lower, but there really is no benefit to me as a user. There is no improvement in my expectation that their systems are more secure with my banking info, particularly if that's the best design/implementation they can come up with.

Visa Signature, Mastercard, and AMEX already provide extended warranties when you purchase items with their branded cards. It's just that nobody ever knows these benefits. If you want to find out what benefits your cards have, see the links below (benefits vary by the bank and card- Citi may include different benefits than Chase, etc)

Mastercard
VISA Signature

I never asked the Amazon sales team because I never expected to get an answer like that

What. An honest one?

There are PCI Compliant service providers out there, in fact, Visa has a list of them[1]. I work for one.

[1]
http://usa.visa.com/download/merchants/cisp-list-of-pcidss-compliant-service-providers.pdf

Which is a measure of the low /relative/ importance of these documents.

How is it a "measure of the low /relative/ importance of these documents"? IDs and driver's licenses are very important as are passport. I wish they weren't but they are.

If you cannot make any credit card purchases

If you can't make normal purchases without a credit card then you seriously need to sit down and evaluate your finances. Actually credit cards like Visa used to have a rule that people could not ask for ID, those accepting CCs had to compare the signature on the receipt with the one on the card. I didn't know this until someone told me, I wrote "check ID" where I was supposed to sign the card. The person told me they could not check ids, that Visa did not allow it. As for making purchases without an ID, Credit Card Finder as this to say about not having ID:
"While a sense of security may be invaluable to some, in the long run, whipping out your identification whenever you use your card will get tedious and frustrating. If you ever lose your credit card or get it stolen in the first place, all you need to do is simply contact your bank ASAP and under normal circumstances, you will not be held liable for fraudulent use/charges of your card."

Ah, here we go, the Rules for VISA Merchants pdf has the rules for Signature and Identification on page 28. It first says to check ID if the card is not signed. On page 29 what it says about checking ID is this:
When should you ask a cardholder for an official government ID? although Visa rules do not preclude merchants from asking for cardholder ID, merchants cannot make an ID a condition of acceptance . Therefore, merchants cannot refuse to complete a purchase transaction because a cardholder refuses to provide ID . Visa believes merchants should not ask for ID as part of their regular card acceptance procedures . Laws in several states also make it illegal for merchants to write a cardholder's personal information, such as an address or phone number, on a sales receipt."

Quite simply those who accept Visas do not need to check ID in most cases, they only need to compare the signature on the card to the one on the receipt.

Falcon

Have customers just select a password for each account. Retailers would verify the password the same way they verify CSC numbers now,

Visa and Mastercard have already implemented this option. The only problem is the store has to be capable of handling it, and not all of them are, unfortunately.

https://usa.visa.com/personal/security/vbv/index.html?ep=v_sym_verified
http://www.mastercard.com/us/personal/en/cardholderservices/securecode/index.html

The account number is simply placed on the card, and authentication comes from physical ownership of the card. (PINs don't count because they are unfortunately verified based on machine-readable information on the card itself.)

This is wrong. PINs haven't been stored on the card for a long time (I'm not even certain they ever were for all cards). You can easily check this yourself with a relatively cheap reader, or you can build one yourself.

It's possible for visa/mastercard/etc to run sites that accept their credit cards. You go to their site, enter your info and there you are. You don't enter your CC number anywhere but visa.com/mastercard.com/discover.com/americanexpress.com etc. Sites with merchant accounts send you to wlog https://visa.com/ccinfo/get_info?merchantaccount_id=12345&transaction_id=543210

Then the merchant account site queries a visa.com web service to get the information or just processes the transaction using their merchantaccount_id and transaction_id.

This service is kind of like what paypal does.

And you should know what the domain of your banking site is. Maybe browsers should bold the domain name that matched the cert and make it a different color for https sites. Some folks don't even have the url bar enabled. It should maybe be replaced with a non-optional notice of the domain you are visiting in that case.

I think you mean PA-DSS, which applies to payment application providers. PCI-DSS applies to the merchants themselves.

When you use the card in person, many employees will require photo ID before they swipe the card.

They are most lilely violating their Merchant Agreement. For instance, http://usa.visa.com/download/merchants/card_acceptance_guide.pdf says:

"Although visa rules do not preclude merchants from asking for cardholder ID, merchants cannot make an ID a condition of acceptance. Therefore, merchants cannot refuse to complete a purchase transaction because a cardholder refuses to provide ID."

http://usa.visa.com/personal/cards/prepaid/index.html

http://www.mastercard.com/us/personal/en/aboutourcards/prepaid/index.html

What are you talking about? Visa/MC are the ones who charge it. How would it be against "Visa/MC regs" to charge a fee themselves? Have you ever had a merchant account? They list fee's right here:

http://usa.visa.com/download/merchants/april-2009-visa-usa-interchange-rate-sheet.pdf

Furthermore, if they get hundreds of thousands of charge backs, their rating with Visa/MC will drop like a rock, and their fee's will skyrocket (relatively speaking).

This is why in some stores that accept credit cards you will see signs saying that you may not use credit for purchases less than X.XX amount. This is because small transactions like that actually cost them more money than they make.

Those signs are (probably) in violation of their Merchant Agreement. For instance:

http://usa.visa.com/download/merchants/card_acceptance_guide.pdf

"Always honor valid Visa cards in your acceptance catagory, regardless of the dollar amount of the purchase. Imposing minimum or maximum purchase amounts in order to accept Visa card transactions is a violation of the Visa rules" [emphasis in original]

Have you looked at Verified by Visa? If you use it you're not supposed to be liable for chargebacks due to fraud.

This was first mentioned on Whirlpool, I was reading the thread. It appears to be deleted now however

Ironically, the Whirlpool page is still available in the google cache of the thread.

What I want to know is why the CVV numbers were there and for what merchants, as they are not supposed to be cached according to the Payment Application Data Security Standard (PA-DSS).

In order to accept credit cards, merchants agree to be bound by the card brand's merchant regulations. Part of these regulations state that (again, this is for CC transactions - Debit transactions are a different beast) for a CC transaction, no minimum transaction amount can be imposed by the merchant, nor can they add a transaction fee. For Mastercard, the URL for complaints is http://www.mastercard.com/us/personal/en/contactus/merchantviolations.html. Visa doesn't have a form for it, but if you're curious, the Visa Merchant Regs can be found at http://usa.visa.com/download/merchants/rules_for_visa_merchants.pdf?it=il|/business/accepting_visa/support_center/tips_tools_downloads.html|Rules%20for%20Visa%20Merchants. Personally, I refuse to pay transaction fees or minimum transaction amounts. A business can refuse your business at that point however. Merchants can also offer a discount for cash, but they have to inform you of the discount prior to the initiation of the transaction.

Not being able to verify signatures a recent change with Visa.

If it's a recent change with Visa then somebody better tell them to update their website. Page 28 of that document if you are wondering.

The burden is NOT on the merchant if they followed the agreement and the card issuer gave them the green light on that sale.

Operative word being if they follow the agreement. Note: If the transaction is accepted with a non-matching signature and it turns out to be fraudulent, your business may be liable, even if all other procedures were followed.

Most credit cards must have a signature on the card. Therefore, if you have a credit card, you have 2 of the 3.

At least Visa says you will have a signature (near the bottom of the page). "See ID" is not a signature. So, the Visa stuff there says you ask them to sign it and show some form of ID. Check the signature on Visa versus the ID signature. You then run it into the system and have them sign the sales slip. You check the signature on the sales slip against the Visa card. Now it is signed....

I think it has to do with the fact that by signing the card you are signing an agreement that you agree to the terms and conditions. Or something like that.

And for reference, Visa documentation says on all cards: "NOT VALID WITHOUT SIGNATURE" (although mine says UNLESS SIGNED, same idea)

That's what I'm trying to figure out as well.
From the RBS Payroll card Fact Sheet (found on here)

Are payroll cards reloaded with additional cash, or do employees receive new cards each time they are paid?
Payroll cards are reloadable with funds loaded onto the cards directly by the employer. The cards are not reloadable with cash by the cardholder.

So to me they sound like a reloadable debit/credit card (like you could give away as a present or something), where only the business can reload it.
(Maybe a better example, at least if I'm understanding this right, they have those Visa Gift Cards (details) you put money on and give away as a gift. Person with gift card uses it as a credit card until it is out of money. In this case, the person giving them away can add more money after you have the card. So the money is in a bank somewhere, just not directly in an account that the user controls. At least that's how this sounds like to me)

but I haven't ever used it by just waving it. Paywave If you thought RFID was scary...

Nah, I think he meant "Visa Mobile": http://usa.visa.com/personal/using_visa/visa-mobile/index.html

There is no reason it should be tied to one platform though.

I use http://www.visa.com/visabillpay/ , these guys present my bills, and notify me by email. one day i login to their site and cross check the amounts with my electronic pdf bill i get from the actual service provider and then pay from visabillpay. these guys have service in USA , Singapore and India as of now

You are mistaken and I don't know why people continue to perpetuate this myth. According to the Visa Debit Card page they offer the same zero liability protection to all cards processed on the Visa network. This policy started in 2000.

I note these are the US Visa pages. Do you have anything which confirms that this policy extends worldwide?

You are mistaken and I don't know why people continue to perpetuate this myth. According to the Visa Debit Card page they offer the same zero liability protection to all cards processed on the Visa network. This policy started in 2000.

I note these are the US Visa pages. Do you have anything which confirms that this policy extends worldwide?

You are mistaken and I don't know why people continue to perpetuate this myth. According to the Visa Debit Card page they offer the same zero liability protection to all cards processed on the Visa network. This policy started in 2000.

You are mistaken and I don't know why people continue to perpetuate this myth. According to the Visa Debit Card page they offer the same zero liability protection to all cards processed on the Visa network. This policy started in 2000.

Sorry, but the above is not true at all. Merchants that use VBV or SecureCode know that one of the main benefits is that the card scheme accepts liability for fraud.
Proof here: http://usa.visa.com/merchants/risk_management/vbv.html

While I agree that Verified by Visa is a marketing joke, encountering it doesn't prevent me from completing the transaction or make me switch banks/cards. After all, banks and credit card processors are the ones with far more liability, so why not let them take whatever steps they feel are necessary to protect the transaction.

Under the Fair Credit Billing Act (FCBA), credit card holders have a limit of $50 of liability for just about any charge you disagree with. This means "I didn't make it.", "I bought it, but never received it", "I don't remember it and you can't provide documentation that I made it". It's very consumer-friendly legislation.

What's more, even though the law doesn't cover charges less than $50 or more than 100 miles from you home address (an antiquated provision that didn't anticipate charges made by phone or internet), both VISA and MasterCard have zero liability policies that apply to all U.S.-issued cards anywhere they're accepted. This is way better protection than cash. If you pay in cash and the item is defective, but the store refuses to accept a return, then you're SOL. If you pay by credit card, you just dispute the charge. This is especially useful for car repairs that end up not really fixing the problem. For those saying they only use their card when they have to, that's stupid. If you have a card at all, you could end up with fraudulent transactions on your account, so having a card and not using it doesn't really protect you.

One important note about VISA's and MasterCard's fine print: VISA's policy only excludes PIN-based transactions not processed by VISA. MasterCard's excludes all PIN-based transactions. The FCBA only applies to credit transactions and therefore excludes ALL debit transactions (PIN-based are usually debit). Did you know that the credit card companies charge merchants about half as much for PIN-based transactions? Why do you think the machines at your supermarket ask you for a PIN by default? This is partly because using a PIN makes fraudulent transactions more difficult, but probably more due to the difference in legal liability the processor holds.

Seriously though, I've disputed numerous transactions under the FCBA. My bank (WellsFargo) handles disputes quickly and easily, and I've always either received all my money back or had the merchant fix the problem. I even had my card stolen in Mexico (copied, actually, since I still had the card but card was supposedly present at the transaction), and all charges were easily resolved.

Note that accounts under FCBA dispute are marked on your credit report, but I've never received a notice that I'm entitled to a free report because of it, so it must not affect your credit score.

So remember, kids:

• Under the Uniform Commercial Code, there's an implied warranty of merchantability on everything purchased in the U.S. unless otherwise stated.
• Always buy with a credit card.
• VISA is better than MasterCard (a.k.a. the Evil-O's. No, I don't work for VISA, but I used to work for a VISA subcontractor.).
• Avoid cash for anything you might ever consider returning
• Avoid debit and pin-based transactions like the plague. They're a conspiracy to shift legal liability onto consumers. If banks and credit card processors really cared about security, they'd PKI chips, PINs, and cardholder photographs on the actual card. But implementing these things is simply more expensive than simply shifting the liability to the card holder.

The reason why you don't get cash discounts anymore is that it's against Visa/MC/AmEx merchant terms and conditions.

Always treat Visa transactions like any other transaction; that is, you may not impose any surcharge on a Visa transaction. You may, however, offer a discount for cash transactions, provided that the offer is clearly disclosed to customers and the cash price is presented as a discount from the standard price charged for all other forms of payment.

Merchants are not allowed to set minimum or maximum amounts for transactions on Visa. I'm too lazy to find it, but I know Mastercard has a similar rule.

In response to the Anonymous Coward, they are allowed to give cash discounts, but it has to be clearly stated to the customer before hand. A couple of the local computer stores here do this, but they have labels all over the store saying "All prices are 2% cash or debit discounted"

Source:
For the US (I'm in Canada, but I can't find the doc on visa.ca). See Page 9/10:
http://usa.visa.com/download/merchants/card_acceptance_guide.pdf

[...] merchants cannot make an ID a condition of acceptance. Therefore, merchants cannot refuse to complete a purchase transaction because a cardholder refuses to provide ID.

They do. They also impose fines. PCI Compliance and PAPB.

http://usa.visa.com/merchants/risk_management/cisp_payment_applications.html/

This is why PAPB "payment application best practices" from Visa should be mandated across the board. It ensures that all sensitive data (Primary account numbers, PINs, etc.) and other user sensitive information is not stored on the system, unless it is encrypted. This could go a long way to saving us alot of headaches!