Slashdot Mirror
Who Pays For Credit Card Breaches?
PetManimal writes "A scheme to steal customers' credit and debit card information at a New England supermarket chain highlights a little-understood fact about credit card security: Customers still think that the credit-card companies have to eat fraudulent charges, but since the PCI DSS standards were adopted, it's actually the merchant banks and merchants who have to pay up. And, according to the blogger writing in the latter article, it's a good thing." "The main reason PCI exists is that there are tens of thousands of merchants who don't understand the basics of information security and weren't even taking the very minimum steps to secure their networks and the credit card information they stored... PCI pushes that burden downstream and forces merchants to... put in a properly configured firewall, encrypt sensitive information and maintain a minimum security stance or be fined by their merchant banks... [T]he credit card companies have taken the bulk of the financial burden off of themselves and placed it on the merchants, which is where much of it belongs...'"
The merchant has to make a living, the credit card company too. The money for fraud can only come from the end of the chain: the customer. The only notable thing here is that all customers pay, not just the ones who use a credit card.
Wait, what?
The merchant who accepts the fraudulent charge eats the chargeback, not the one whose site is hacked. How does this encourage information security?
How do credit cards work?
Credit card companies are branches of banks (who else has money to lend?). They are affiliated, strongly, with insurance and investment companies. Just as any other large corporation when one division suffers a loss then, in nothing more than the ledger book, the losses are distributed amongst the other divisions.
Think about that next time the interest rates on home mortgages goes up, or the premium on the insurance plans, or when the quality of service for medical insurance goes down, or when the price of motor fuel goes up...
These things happen because the businesses are recouping losses. Why are credit card rates so high?
the NPG electrode was replaced with carbon blac
And here I thought they implemented PCI to make it easier to attach peripherals to your computer O_o I can't keep up with the world today.
Face it, you can have your credit/debit card information stolen by direct sight, security camera recording, straight through the network, by some guy getting lucky and guessing, by a social engineering attack and, i'm sure, by means I can't think of at the moment.
Hell, you aren't safe with cash, either; you could be mugged, oh and now they have your credit and debit cards, drivers license, and if you're completely stupid (or on your way from somewhere where you need it), your social security card.
Keeping it in the bank isn't safe, either. ATMs are prone to the same network attacks as credit/debit terminals; not to mention, that off-branded ATM may be logging your card number and PIN for the purpose of duplicating your card and using it to drain your account.
The most secure person I know lives behind a dumpster in the alleyway a few blocks down from where I work. He has no money, in any form, to steal. He has no belongings, save the clothes he is wearing. You know what, he's happy.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
So what about all the stolen credit card information. You actually think people who steal information from a grocery store are going to spend it on groceries! "Yeaaaah boy... them hams weren't on sale..". Please just take a look at the credit card ads that go around with people voice synching the people who stole their information. The merchants have NO IDEA and NO METHOD PROVIDED BY THE CREDIT CARD COMPANIES to identify someone beyond the basics. Sure the above ad talks about people scanning the information passed along a network but still. They are going to take that information and use it with another merchant who had NO PART in the original theft. It's punishing the wrong people. There is no 100% secure method in existence. Fraud should be laid on those who make a profit off using credit cards. That's definitely not the merchants as they are already being robbed by the credit card companies. Up to 8% of a total sale goes to them. Seriously... who's the thief. Merchants don't have the power, money, or infrastructure to track down these thieves. The Credit Card companies do. Oh wait we should leave this up to the police. Yeaaaa... I'm an application developer and I've worked with credit applications. While the merchant obviously needs to bare the responsibility of making their networks as secure as possible the ultimate responsibility should NOT lie with them. It should lie with the credit card companies for making it so easy to steal this information. The new scanable credit cards are the WORST. You just have to walk near someone with one and walla you have all their information you need unless it requires the 3-4 digit number on the back. Even then the method used to steal these credit cards would still work. If you put the burden on those that loan the money it makes it makes them develop more secure practices. The merchant can't tell the credit card company how to make their cards or their security.
Merchants have been responsible, not VISA, all along. It's ALWAYS been that way.
I say that as someone who's been int he industry for ten years, so I'll admit maybe things were vastly different before I got here. But for at LEAST the last decade, merchants have eaten fraudulent charges.
Here's how it works in a nutshell. I'll assume an internet ("e-commerce") transaction since it's what i'm most familiar with.
1) Evil bad guy steals a credit card number.
2) Evil bad guy makes a charge from Bob the Merchant
3) Bob the Merchant ships Evil Bad Guy his product.
4) Joe, the actual owner of the credit card sees the charge on his statement.
5) Joe calls Bob the Merchant and says, "Why did you charge me?"
At this point, the only thing Bob the Merchant can do is issue a refund to Joe. He'll never see his product that Evil Bad Guy took, or the money, ever again. What happens is he refuses to give Joe his money?
6) Joe calls his issuing bank and asks for a chargeback.
7) Bob the Merchant is forced by his merchant account provider to refund the money to Joe. Also, to pay a chargeback fee of somewhere around $50, and if he gets more than 1% of his charges returned as chargebacks, VISA refuses to ever let him do business with a domestic bank again.
So who loses here? Not VISA. Not Joe, the cardholder. Not Joe's issuing bank. The merchant, is out product and money, and there's jack-all he can do about it.
There is only one exception I am aware of: Verified by Visa. If a merchant uses VBV on his website, then VISA will guarantee the charges, and if there is a chargeback, VISA will eat the cost. This is a HUGE change from how things have always worked in the past. However, no one uses VBV because it requires the CARDHOLDER to take extra steps to sign up and become active, but the CARDHOLDER has no reason to care, since he's already protected.
Anyhow. Long before PCI, long before CISP, long before any of the security standards were standards, the merchants were already responsible for all fradulent charges. It's the way things are. PCI makes a much cleaner audit trail when things go south, but it's not really about fraud nearly as much as it's about data security. There's a few tiny parts of PCI that address a few particular cases of fraud, and ALL the rest of it is about data security and handlling policies.
One of the largest CC heists of all time happened last year when MASTERCARD lost I forget how many card numbers, it was > 1 million cards though.
The Merchants who processed transactions with those stolen cards have to eat it?! How can that be proper?!
Further, as noted elsewhere, this does not penalize the proper people. If I am a merchant and someone buys something from me with a stolen card (even though I have great security, maybe I don't even store CC information, I just process the card and I'm done with it) I eat the chargeback even though it was www.flybynight.com who's site got hacked to provide the thief with the stolen card. flybynight.com doesn't pay a dime for their lack of security.
Uh bullshit. Let's say I'm merchant A, and I do everything by the book, and have never had a breach.
I can still get screwed if merchant B has a breach, as far back as a year ago, if I'm taking card not present transactions, and get stuck with an order from some punk who uses a stolen number.
Is it right that I get penalized for charges made and authorized by the issuing credit card company, due to no fault of my own?
A lot of people will say that's the cost of doing business. The problem is, that there is no incentive to fix anything broken with the system as far as protecting MERCHANTS from fraudulent transactions. Fact of the matter, there's no incentive to fix all the things broken with the system that make identity theft possible, since the people who would be most motivated to fix those things (credit card bureaus and the issuing companies) have moved all the cost to the merchants and merchant banks, and the have no control over the bureaus!
As one who has worked part-time in a retail store for extra cash on top of my day job, I've found most customers now days prefer that you ask for ID. Up until now, store policy has been lax or even negative on the subject. For example, "if it's less than a hundred dollars or so (depends on season), don't bother the customer and ask ID unless it's AE or the card isn't signed."
Maybe some of these retail stores will finally make it policy to ask for ID when making a purchase. Wouldn't you like it that way?
the NPG electrode was replaced with carbon blac
"Likely there are a lot of cc debts which are simply never paid off"
The MAJORITY of that is medical bills. That's why the bank-ruptcy laws were changed.
No matter what people think about who should or should not pay, this was Stop & Shop's fault. The Globe article only slightly mentioned (was covered better on the news last night) that someone basically walked off with the PIN boxes, hacked them, and reinstalled. I know that there are ideas in some of these replies as to which business pays for stolen credit card usage, but Stop & Shop has got to do better than letting someone walk off with their equipment.
Got suckered into a 15 year AARM mortgage with a pre-pay penalty and balloon payment? Education. Paid $30k for a Ford truck (which immediately dropped to a $19k wholesale value) and are upside down in value? Education. If there's one lesson...just one lesson...I could boil my entire MBA, stock market, and general life experience (regarding businees) into:
He who has the most accurate and timely information wins.
Coming back around full circle: This is why merchants should be responsible (and their banks). It forces them (and me!) to educate myself and minimize EVERYONE's risk. A previous owner left draft information for bank auto withdrawal in a binder, on the desk, by the door, for all his customers. Huge fraud potential. Some leave credit card information in the store after the day of sale. Huge fraud potential. I could go on, but I've proven the premise for my conclusion: You have to be active and reduce your costs through fraud prevention. How can I reasonably hold VISA accountable when I'm a merchant stupid enough to charge a card with someone elses name (I've seen guys try to use their wife's card....Dudes do not look like a "Wendy" to me).
On the flip side, I had a merchant pissed because I called in a charge back. Yeah he was pissed, because chargebacks increase fees a bank charge....but I gaurantee you he'll call next time he does an unauthorized pre-pay on my card. I manage a tech support department and we follow the policy I told him he should follow to reduce costs: Always call someone before you charge their card. In my case, he charged a 2nd $700 and then my wife said, "Should there be a 2nd one?" I said, "Nope" (not thinking two steps past why she asked) and so she called the credit card to charge it back. Whole thing could have been avoided.
So there you have it...I've mentioned my perspective from personally being both sides of the "coin" (and being accountable for the $$)....and I'd say the system is set up efficiently, and for the most part, fairly.
Look, I dont know what you all are talking about, but I work at a bank doing Infosec.
The issuing banks pay the bulk of costs in a breach, not the merchants. The merchants DO NOT PAY to have the compromised cards reissued, the banks do . In terms of merchandise, in my experience we have never gone to a merchant and asked for money to cover the costs of stolen goods either. If the crook gets away with the merchandise then theres not much to do.
PCI hasn't done much to protect anyone in my opinion, because the standards are still too low, the staffs are still to small, and not every merchant is compliant. The fact that one merchant, certified or not can expose millions is definitely a case of being strong as your weakest link.
The only glimmer of hope is that customers demand everyone do more and vote with their dollars. If people lose more faith in Internet transactions, there will economic hell to pay and everyone will suffer.
The merchant is the one responsible !
Do an experiment. Pay for stuff with a card for a week. Count the number of times that the clerk actually:
Looks at the name on the card.
Checks the back of the card for a signature.
Asks to see ID in the absence of a signature (or where you might write "CHECK ID" in big bold letters)
Asks to see your ID period.
You may be surprised. I routinely use my wife's personal card, which has only her name on it, and nobody even gives as much as a glance at the name.
It's really so bad, that when people do ask to see my ID (I write "CHECK ID" on all my cards.) that I thank them.
Point is: If a merchant can't be bothered to verify the identity of the card bearer, as well as the card owner, then they fully deserve to be out their merchandise and their money.
"I know that there are ideas in some of these replies as to which business pays for stolen credit card usage, but Stop & Shop has got to do better than letting someone walk off with their equipment."
I recommend a pressure plate with some C4.
I am an online merchant and I use both Google Checkout (in the foreground) and Paypal Payments Pro (in the background) to process CC transactions. Both of those providers will (and have for me in the past) eat the fraudulent charges as long as I had taken all required steps to ensure the transaction was genuine.
For example, I had one $100 sale that, a few months ago, came back as 'fraudulent'. Paypal asked me to provided documentation to show the steps I took to verify the buyers information. I keep all these records, so I sent Paypal address verification, proof of delivery, etc. After about a week they contacted me, told me that I followed their verification process properly, and that they would absorb the cost of the disputed transaction.
I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
EXACTLY!
Instead of working out a BETTER SYSTEM, they just pushed the fiscal responsibility for the FLAWED SYSTEM to the merchants.
The merchants are the ones LEAST ABLE to fix the existing system or implement a better system or validate that the transaction is legit.
The ONLY people that this is good for is Visa/Mastercard. They make huge profits without the risk.
I'm absolutely shocked by the ignorance some people about credit cards. Now I'm not talking about a Joe on the street, I'm talking about people taking the orders. Many merchants favor convenience over everything else.
For example, in the order processing system I support, we mask the first 12 digits of the credit card when you retrieve an existing order. It didn't always do that, but it eventually did as part of an upgrade to comply with the PCI standards above. That makes sense, lots of systems started doing that even before the standards and now all of them do. But one guy wanted to argue with me that it will hurt his customer service because he can't read the card number. I explained to him that it's out of my control and that Visa imposed these restrictions on all computer systems and you can't buy a system that doesn't have this feature any more. Further more merchants and software companies could be fined by Visa if they didn't have these restrictions.
I was going to explain why Visa mandated the changed and explain card security when he demanded: "We'll take the chance, change it back." If I were his customer, I'd have yanked my business, knowing that it's an easy inside job for him to steal my credit card.
Also, it's happened to me twice recently, where two major chains I visited (Superfresh and Target) took my card and made me sign an electronic signature capture device for my signature. In both cases, the signature pad and/or pen was broken and was basically reading garbage. I could not write my signature. In both cases they said "we don't need your signature" and just ushered me out of line. Okay they are major chains, and could eat a charge now and then, but hell you would think they would care about their signature pads a little more. Maybe close the line or have replacements on hand to easily swap out. Everyone going through that line that day was a potential risk to the merchant for a chargeback, just because they didn't capture a proper signature. And that exposes me as well because I'm unable to sign my signature which leaves me open for question when signing other receipts.
The way security works now in credit cards I feel is good, and it's designed to increase the security on integrated systems. 80 to 85% of credit card number theft is an inside job. People stealing card numbers and internal information, and computers just make it easier to do that without restrictions on said computer. The merchant doesn't care if you get hit with fraud. Visa cares because if their cards are insecure, no one will use them. So Visa makes the merchant's care by assigning responsibility to them, because that's were most fraud occurs. It's very logical.
"All great wisdom is contained in .signature files"
A lot of people seem to have a misconception of exactly what PCI is, what it covers, and what it does.
d _the_pci_dss.htm
PCI affects all areas of the transaction stream.
When looking at ATM's for instance the units must be tested and Certified (InfoGuard, TNO and T Systems). If you attempt to open the device it dumps the program and tampers the unit so it can't be reprogrammed. this prevents a situation such as the one at stop and shop where a malicious party opened the POS device and apparently hooked up a device to sniff the card reader (article is a little vague on exactly what was done to the POS devices) There should be no place in between the PIN PAD and the CPU of the device where data can be read in the clear without causing a temper condition to the unit.
Some of these requirements are relatively new and some older terminals that are currently in place may not meet these requirements. Any existing units that are relocated or changed must meet the new requirements at that time. One exception to this is Data encryption. All terminals must now transmit data using 3DES encryption, any terminals that are not utilizing 3DES encryption and are running the older Single DES were to be taken off-line at the end of last year.
Also all software run on the device must be certified through testing and any software changes must be re-certified as well. Software is sent to the device in an encrypted format, routinely verified on the device for changes, and units must identify themselves with a unique set of keys in order to access updated software. On top of that each Switch (STAR, CORE DATA, ECS, LYNK, etc..) that the terminal may dial into has to certify the equipment and software to work with their systems before you can use that terminal to process transaction through that switch.
Now go to the company/merchant/etc.. that is processing transactions whether they be web based, Point of sale, or ATM. any company that has Card data on file is subject to PCI requirements as well. This can be everything from segmenting card holder data on the network, encryption the database containing card holder data, additional logging requirements that show who accessed what data, when and from where. Physical security, the PCI requirements are quite extensive. https://www.pcisecuritystandards.org/tech/downloa
If a card number is lost it costs VISA,or Mastercard about $60.00 to re-issue a new card. now if several thousand cards get lost those numbers can get large rather quickly. If you are PCI compliant as a merchant or processor, and have adhered to all 240+ requirements of the PCI certification that apply to you, and you loose card holder data, you will probably dodge the huge fines (think tens of thousands or millions of dollars here depending on the size of he breach) levied by VISA in case of a breach which is on top of the fees to re-issue the cards. if you are NOT compliant all those fines and fees will be passed on to you.
PCI is not an instrument put in place to address the use of a stolen card. it's to prevent the loss of large numbers of card holder data at one time.
I think it's great the industry is imposing the regulations on itself, some of which are extremely stringent. And it beats the heck out of how the government could butcher doing the same process by trying to regulate it.
far...out
Credit card companies justify their ridiculous interest rates by pointing to the losses the "have to eat" when credit card fraud happens. Since they no longer have to eat those losses, where's my rate cut, you theiving bastards?
Credit card today is a dumb piece of plastic with no security to speak off. When credit card companies come up with a decent authentication scheme and implement it in ALL locations, they can pass the responsibility for fraud to vendors.
The problem is that Visa and Mastercard see PCI-DSS as a money-making venture. If you've ever read through the requirements, they are basically impossible to implement in the real world. Every change must be documented to the T, and approved, and first tested in a full dev environment. One problem with this is patching systems, how fast can that process really occur? If a vendor releases a patch, you're probably going to need 2-3 weeks to comply, but if you're breached within that time period, you can be fined hundreds of thousands of dollars by not having a patched system, and if you patch a live system within approval, or testing in a dev environment, or documenting it, you're in violation of PCI-DSS. The process is always going to be skewed to their benefit, and not to the merchants.
With all the fraud issues out there, it wouldn't take much for Visa/MC to almost entirely eliminate it with additional data verification requirements, the problem is they'd lose too much money if fraud didn't exist (Verified by Visa and Mastercard Secure Code are a step forward, but the subscription rate to those programs is extremely slim. Make it a requirement, and things would change). Did you know that on a chargeback, they charge the merchant $25.00, and still keep the interchange percentage they originally charged, and take the full charge amount back out of your account? It's a total racket.
when i swipe my debit card through the machine at stop and shop, it says "approved". At that point, the money is wired from my bank to stop and shop, and my personal information should be purged. or am i mistaken, and is there a reason for stop and shop keeping everyone's crdit and debit card numbers?
And it eats small retailers alive. Most small businesses can't AFFORD very much by the way of security, nor their own credit authorization system. So instead, they typically accept cards through a middle-man, that has terms which make you wonder how small retailers stay in business.
Say you pay for goods with a stolen credit card. For phone or internet verification, all you need is the verification code, which is listed ON the card. And if the cardholder denies the charges? The merchant gets hit. Say the merchant files a police report of fraud? The merchant still get hit. The authorization companies have no incentive to provide any security, and why? Most merchants MUST accept credit cards to survive. A large portion of their customers won't pay any other way.
Say you DO buy good with your own card, yet deny the charges later on. The merchant gets hit. Now, like a good merchant, they kept your receipt on file. It has your scribble of a signature, which(like most americans) vaguely resembles the half rubbed off scribble on your card. Is it entirely plausible to deny you signed it, and say your card was stolen.
The burden to prove fraud always lies with the merchant, who, in many cases, has no means to do so. The security for transactions always lies with a merchant, who in many cases, has no means to provide it.
Cards are a rather flawed system, particularly when not in person. Not to mention how unfriendly credit cards are to customers. It's wonderful to have cash now, but not worth the interest charges. Past that, their unfriendly to merchants, but due to the "convenience" of cards, they're all but required.
My friend had a cashiers check given to him by a 3rd party for a car he was selling. He took the check and deposited it into his account with a bank that sounds like TNC and is located in PA. Check clears, so he pulled out the money and uses it to buy a different car. Life seems good. A night or two later him and I decide to go shoot some pool and get some wings. He checks his account online, only to find it's nearly 3 grand in the hole. After a few rounds of calls to "TNC" he finally learns the cashiers check was a fake. Guess who's stuck with the loss even though THE CHECK CLEARED??? Not the bank! After some researching we've sorta figured out in the US and Canada, just because a check has cleared does not mean the check is legit and valid... apparently the clearing "process" is just a damn joke is just a delay for you to get your money, not time used to check everything is correct.
After contacting the local police and being passed over to the local FBI branch he came to learn this had happened a few times before in our area. I just hope the other banks actually protect their customers better than "TNC". Needless to say he switched banks after that, and when I moved my girlfriend into the dorms at *P*itt I yelled at the people pretending to be helpers for the freshman but who were really trying to get you to sign up at "TNC". Guess you could say leason learned the hard way.
None of your comments make sense for an online store. outside of standard card checking stuff, their is nothing we can do to stop fraudulent use, and we get screwed over and over again. We can't check a signature, can't suggest debit over credit to check PIN and can't make sure Wendy is really a woman. So, drop the attitude about 'education.'
Some friends of mine still tell a story from pre-internet days: an obviously fraudulent order was reported to the police, who actually took action(!) Two police officers dressed as couriers delivered a fake parcel and nicked the thief when he signed for it.
This is what really gets me about internet/mail-order fraud. The risks would be huge if the police gave a shit, since frequently it is blatantly obvious, and the thief has given the place and time he's going to receive the goods, and all that has to be done is turn up and put cuffs on him. No-one cares though.
They start to care when the amount of money exceeds trivial amounts, though. Not too long ago, I spent some time living in a house with a few guys (*cough* Craigslist *cough*). One of the other people in the house was actively engaged, I suspected, in some type of shady dealing. Needless to say, I moved out in a heck of a hurry. As it all came out later, this not-too-bright fellow thought he had discovered the perfect scheme: he was copying credit card numbers down at work, and then using them to buy things online, which he had shipped to various empty houses, and then he'd go and pick the stuff up later, and pawn or fence it on eBay. (And this is pretty much all I know about it; I don't quite get how he was getting the billing zip codes, which are usually required, or anything else.)
He got away with it for quite a while, too -- somewhere around six months, maybe more -- probably because he never used the same card more than once, never bought stuff from the same online store, and never charged more than $100 or so per card. But eventually the credit card companies must have caught on, and run all the accounts that had disputed charges through some sort of filter, and figured out that the common thread was the retail establishment where he worked. One day, according to the story I heard, they just walked in and arrested him. They had a stack of photos of him picking up packages from other people's houses, plus transaction details from the various merchants with the stolen CC numbers and the shipping addresses.
So both the credit card companies and the police have some level of interest in going after people engaged in fraudulent activity, but the bar seems to be pretty high. I've no idea how much money had to go missing before someone at one of the CC companies (or an automated program of some sort) decided to take a closer look and see what the common thread was, but it must have been in the thousands of dollars, perhaps tens of thousands.
In this case, I don't see how the merchants would have ever caught on; to all the places where things were ordered, it looked just like a regular transaction. It was only at the CC back offices, where they had the ability to cross-reference all the suspect accounts and see that they had all visited the same store within the past 24-48 hours (or whatever, I assume this is how they caught on), that they had the capability of doing anything. To push the financial burden out to the merchants, probably would have meant that he could have gotten away even longer.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Expanding on this thread. The credit card cartels actually benefit from the fraud since they can slam merchants with fees.
... charging fees based on the performance of the payment method.
If there were competition in the credit card business, then merchants could choose different merchant services, or have more say in which cards get used.
One way for merchants to deal with credit card fraud would be for merchants to tack different service fees on to different cards. A merchant might charge a 1 percent fee on checks or debit cards, a 3 percent fee on card A, a 4% fee on card B (which seems more prone to fraud), a 5% fee on card D (which requires higher merchant fees).
As it stands, of course, the credit card companies prevent merchants from the one logical course of action in the light of credit card fraud
The power of a cartel is that what goes around never comes around. And you you get to take a percent of what goes around.
This should be modded +5 insightful. People aren't very good at following money, and think corporations and even moreso the government are magical entities that grow money on trees. People who don't think customers are footing the bill for this are the same people that think that municipal WIFI is free.
From the summary:
there are tens of thousands of merchants who don't understand the basics of information securityNeither do banks themselves, sometimes. In the Netherlands where I live, banks would like to have their customers use 'plastic' wherever possible. With plastic meaning bank card + pin number, or a type of e-wallet called 'chipknip'. Credit cards are not a very popular payment method here AFAIK (these e-wallets aren't either, but that's a different story).
But the weird thing is: a customer is expected to keep his pin number a secret (eg. not write it down anywhere). At the same time, you're expected to type this 'secret' number into terminals at shops, gas stations, restaurants, grocery stores, etc, etc, etc, on equipment you can't verify whether it's tampered with, and under the watchful eye of security camera's and customers waiting in line behind you.
Keep something a secret, and use it in as many (possibly not trustworthy) places? I won't pretend to know much about information security, but that makes no sense.
Another example: recently an online payment method was introduced called iDeal. After placing your order on a webshop, the merchant sends you to your own bank's website, where you can enter password (or other method of authentication), and give the okay for specified amount to be transferred from your account to the merchant. Looks easy enough, doesn't it?
But: Helloooo! After many e-mail phishing attacks, people have been warned not to click on links they receive in e-mails, or follow links on untrusted websites. At the same time, they are encouraged to follow links provided by online shops, which they may not really know or done business with before. How is that webshop to be trusted? Because they have a decent looking site? Because they offer this payment method (and thus need to have some sort of agreement with a bank in place)? Because others have ordered items there? Come on! Don't be surprised if online buyers don't check anything anymore, after getting used to paying this way. Click icon, enter online banking password, done!
For clarity: you sign the 'okay' on your bank's website, using its normal authentication/confirmation procedure. It's like doing a money transfer via your own bank, but streamlined from webshops 'checkout cart' to 'confirm payment'. My critism doesn't involve the security of this particular method (with a customer that pays attention), but how it gets customers used to be on a webshop site, and 2 seconds later enter their online banking details (passwords etc). That sequence isn't a good thing to get used to, and it's ridiculous that banks are promoting this.
It's really a wonder abuses are rarely heard of, but I assume in most instances where it happens, word doesn't get out, and the costs are added to 'the cost of doing business' (=running a bank). There are several reasons I still prefer cash for day-to-day shopping, and the above is one of them. Welcome to our brave new world, where fiction and reality blurs increasingly into one.
My family owns a very small chinese food place. We had a mastercard account. My parents were ludites and refused to upgrade to an electronic terminal because they didn't understand how to use it. Our bank/merchant account reseller droped the imprinter proccess and implemented a complicated IVR. My sister registered a transaction on the ivr for 62.86. The IVR registere dit as 44,400.00 instead. We got a notice about it after and co-operated in resolving it for our customer. Despite the fact it was an obvious mistake and was greater then the actual limit of the customers card we got a charge back of $2456.00. Which is more then the total MC orders we get in a year. We tried for weeks to address this since we were sure it was a ivr error. especially since it exceeded the customers limit. but we had no course of action to resolve it as an error. we were stuck with a $2456.00 chargeback because the IVR either had a bug or did not do a proper check ont he amount. We dropped MC support and dropped all of our MC cards because of this. but it won't protect merchants form other arbitray decisions Visa/MC/AMEX make.
"There are more things in heaven and earth, Horatio, than are dreamt of in your philosophy."
The biggest problem for consumers is not getting back the money they lost. It is repairing their credit record. We have a situation where three credit bureaus are collecting and disseminating private financial data about consumers. There is little or no control for the consumer over what information is given out in a credit check and to whom, and there is little or no control for the consumer about what information hits their credit report and what impact it has. Scour the web, and you'll find plenty of horror stories about consumers who have tried to clear their credit records of erroneous entries. In an identity theft situation, a consumer requires a team of lawyers working overtime to even partially restore their credit record after such an attack. What we need in this country is a complete revamp of the credit system that provides the following:
GreyPoopon
--
Why is it I can write insightful comments but can't come up with a clever signature?
Here is my experience with accepting credit cards directly through a merchant account:
-You process a transaction.
-It passes all fraud checks by the merchant account and processor.
-You're happy because you've made a lot of money.
-You transfer the money to your account a month later when you pay yourself.
-All of the sudden, 3 months later, you get a chargeback notice and all of the money is withdrawn from your account.
-You have to file paperwork with the merchant service in order to dispute the chargeback.
-If you are selling a non-shippable product (like software) you are completely screwed and will never get your money back.
-Eventually if you have enough chargebacks the merchant service cancels your account and puts all of your money on hold.
-You revert entirely to paypal.
I had higher hopes for Google Checkout since they claim to have great fraud filters: not true. They are even more misleading.
The system SCREWS small businesses like mine. You receive no training in preventing fraud and when you finally catch on it's too late. Luckily my customers are happy to pay through paypal, which has a much lower rate of fraudulent transactions, but it makes my business look less professional to not accept credit cards directly.
Is it really so hard to put a password on a credit card? That's all I ask for: one little password. That would virtually eliminate chargebacks.
Cards are a rather flawed system, particularly when not in person. Not to mention how unfriendly credit cards are to customers. It's wonderful to have cash now, but not worth the interest charges. Past that, their unfriendly to merchants, but due to the "convenience" of cards, they're all but required.
Cards are effectively required because of one thing: ATM surcharges.
Customers use credit cards, and their kin, debit cards, because it's obnoxious and impractical to use cash anymore. If you get your paycheck direct-deposited into a checking account, it's much easier to pay with plastic (and then either write a single check at the end of the month, or have it debited electronically) than it is to go to the ATM, withdraw cash, pay with cash, and then deal with the resultant change. Plus, it's difficult to find an ATM that doesn't charge you a fee for getting cash.
To a consumer, using cash costs money -- if you withdraw in $50 increments, it could be as much as 4-6% ($2 to $3 per ATM transaction) -- while using a debit or credit card is free.
If it weren't for ATM fees, I'd probably still use cash more often. But given that my bank doesn't have any local branches, and it's a pain to constantly worry about where the nearest fee-free ATM is, it's easier just to use plastic for everything. There are more merchants around who accept credit cards, than there are fee-free ATMs.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
"Who Pays For Credit Card Breaches?"
The Goatse.cx guy.
It is my opinion that companies do not need to hold on to detailed credit card information one second after they receive payment. I was shocked that companies have the detailed credit card numbers and expiry dates months after the money has changed hands. The only company that should have that information is the Credit Card Company themselves. If every company that allows credit cards hold on to that kind of detail, then this very personal information is available at much too many points. In fact once the money has changed hands from the Visa for example, the retailer does not need anything more than the date of the transaction, and approval number. Everything else should be transmitted or shipped to the credit card vendor. Much in the same way Cheques are done. You would not imagine that a giant retailer would hang on the details of your personal cheque, with your account numbers, any more that they should hold on to your complete credit card data. Perhaps they might want to hang on to that little slip of paper with my signature, however that does not have the detailed credit card number (it is covered with security asterix) or expire date. As the world gets more and more dependant on electronic transactions, security for personal data becomes more and more important.
Credit Card companies also share the blame. Do you know how EASY it is to open a fraudulent credit account without your knowledge? When we were separated, my ex forwarded all my mail to a PO Box without my knowledge/consent, opened a credit application in my name, filled it out, and returned it. She used all my personal information and signed her name, and checked herself as authorized user. If I had not caught that, the cards would have been mailed to her PO Box and I would have never known about them until she maxxed out the $12,000 credit limit. I had a suspicion about my missing mail and filed my own forwarding, and I caught it in the nick of time.
The CC company was way too lax in authorizing an account using an application THAT DID NOT EVEN HAVE MY SIGNATURE. As you can imagine, I went through the roof and blocked her from everything, including any chance of opening new accounts or loans. That single event did more damage to her case in divorce court than anything else. She got nailed on financial abuse because this event occurred AFTER I filed papers - very big offense.
Eternity: will that be smoking, or non-smoking? I Corinthians 6:9-10
Just have to toss this in quickly. I've been on the LP side of things and such before for a decent-sized national chain. The merchant pays for it if it can be proven that no precautions were taken by the merchant or it was negligent. First thing they ask for is the original signature slip or the digital form. No signature? You get charged. Signature doesn't even come close to the name? You get charged for it. As well, using various techniques they can tell if it was a man using a woman's card or other way around. Usually in a fraud case, the card is used numerous times and trending, requisition for tapes and bank attempts of cash withdrawals can proof without a doubt that you as a merchant was negligent in your duties as outlined in your merchant account agreement (You have read it, haven't you? Have you called to ask questions?) As mentioned, the cost always ends up at the customer, just like shoplifting does. It is unfortunately a cost of running a business. While banks profit from fraud, per say, it actually loses money to hire people to deal with fraud, to track it, to follow it back. They are interested in recouping the cost of fraud that can't be directly attributed to merchant fault. This fee is moreso in place as a penalty to those who didn't do their job right and to encourage change. What's to stop a business from taking potentially fraudulent sales by not following good steps such as checking ID, making sure the ID is real (to the best of your knowledge, I've seen some KILLER fake IDs in my time that have fooled the police even,) verifying the card number matches the digital version of the number, and make sure the signature is similar (either to the card or to the ID, or both.) It is a privledge, not a right to accept VISA/MC and it makes you money. If you find yourself loosing money due to these rather than make it, either because you can't manage your own fraud policy or that you are a large target for credit card fraud, then you need to figure out if it is worth it as a business option. Its like buying a house. You buy a house, it looking like a great deal. 5 years later your furnace blows up, even though you had it inspected before the purchase and the previous owner said it was fine. This is like trying to go after the old homeowner because it blew up; Whether it blew up because you never had the gas elements cleaned or it blew up just because it happens, it's your responsibility. You either should have been prepared or its your own fault for it, noone elses.
I'm assuming that in such a case the cards would be either tagged or disabled? I know when my girlfriend's card went through a retailer that was found to have been hacked at the time (or had an employee stealing CC #'s) it was cancelled by the CC company and she had to wait on a new one.
Ah, but these companies have important uses for this information. A few years ago, I noticed that when I checked out at Meijer, I would often receive coupons for products related to previous purchase that were unrelated to what I was buying at the time. How did that happen? Well, the only commonality (other than me, myself) was my credit card. Apparently, using your credit card to track your purchases is not against their merchant agreement. It should, however, be against the law.
Credit card companies and banks never ate the loss, don't today either.
In the US, credit card related losses to banks and credit card companies are 100% deductible off their tax bill. That means that it is the US government and US taxpayers that are paying because of the lost tax receipts from the deductions.
One quick way of tightening security at banks and credit card companies, and having them cooperate with investigations of credit card theft and ID theft is to take away their deductions for thefts. Make it 75% deductible next year, 50% the following year, 25% after that, then zero on the fourth year out, watch how fast the banks and credit card companies will get their asses in gear and cooperate with investigations. Only when the thefts really hit their bottom line will they get serious about security. And anyone reporting on this issue needs to state the situation like it really is, the taxpayer/government pays, not the banks/credit card companies, for thefts, only then will the public really start to understand the situation for what it really is. Instead of thinking of how bad it is for banks/credit card companies, or merchants to eat the losses.
Well, normally your credit card information does not include address, unless they are shipping something. However.... for the most part our names and addresses are in the public phone book. I am more concerned with the Detailed CC information.
In the US, merchants are amazingly sloppy about checking a signature match.
I've routinely signed my signature on my wife's card at checkouts and on pizza orders and despite the fact that I'm obviously not a Sarah and our signatures are very different it has never been questioned.
At least in europe they actually examine the match and will require further identification if they aren't satisfied that it's a consistent signature.
It just so happens that I manage a credit card fraud department. The merchants would like you to believe they are taking the loss on fraud but that is not the case. The bank issuing the card is most often takes the hit. The merchant has almost no responsibility at all to ensure the card is not fradulent. They have no obligation to verify ID or signature. In fact any signature at all makes the charge legal. I have seen fraud cases where the merchant verified that the person with the card was not the card holder and still put the transaction through. They followed the rules and the charge is good.
Under Visa's rules the card holder is not liable for fraud. Once the card holder identifies a transaction as fraud the bank has to refund the money. If through research it is determined that the charges were valid the card holder is charged not the merchant. There are some situations where the merchant is responsible but they are not the majority of cases.
There is also the cost of re-issuing compromised cards. Our cost of re-issuing cards following the TJ Maxx breach will probably reach nearly $100,000. Where do merchants lose that kind of money?
Merchants have always been responsible for the costs, sure, and there's precious little chance of Lord Visa actually doing anything to *really* shore up security in their system, like say, making the lending banks more culpable. But having seen this sorry drama myself first-hand, I can tell you that whoever supplies the infrastructure to the merchants is an important piece of the puzzle as well. Not all merchants use a little black swipe-box for credit transactions. The bigger they are, the more likely it is that their credit authorization system will be tied directly into their point-of-sale system, and most merchants don't create their own POS.
For example, BigMart buys a HAL register system with its attendant back-end. The registers handle the swiping, and the back-end send the charges to the lending bank. Well, if the security on the back-end sucks (open ports/unpatched systems, anyone), then the system gets cracked and BigMart is left holding the bag. Welcome to the wonderful world of CISP return-of-compliance. And the HAL company certainly isn't going to be paying the costs.
CISP and PCI have improved the situation by mandating better security models. But when it comes down to liability, it's still a dog-eat-dog "whose ox is being gored" world of big business. Have a good lawyer.
Daniel Crawford
..And the issuing bank for that MC/VS card is somehow able to know automagically the moment someone's card goes missing? Your merchant processing agreement (MPA for those in the industry, the thing you sign to establish a cc processing acct) clearly states you take responsibility. An authorization is saying that there is enough money on the card - NOT that the person in front of you is who they say they are. That's why industry best practices are to verify the signature on the back when it's retail, check address if moto/ecomm, and check CVV if ecomm. If the signature looks iffy, the address or Card code is incorrect, you are to void the transaction and DENY that form of payment - That you don't is you taking risk onto yourself. And if it's credit card fraud, you were ripped off, that's not the bank's fault.
[sarcasm]
But don't listen to me, I don't work in the Credit Card Processing industry or anything.
[/sarcasm]
Ah, but you forgot about the part where two weeks later you call your credit card company and say, "I never bought this, I have no idea what this charge is for." The credit card company then calls the merchant and says, "The customer said they did not recognize this charge, do you have an invoice?" And the merchant says, "I delete 100% of all my customers credit card information, I have no way of looking up a charge to a specific credit card to give you an invoice." And the credit card company says, "Ah, don't worry, we'll just hit you for the full cost of the item plus a chargeback fee."
<sarcasm>Wow, it's REALLY in the merchants' interest to delete your credit card information the second they receive payment.</sarcasm>
Dumbass.
Don't forget that prices are determined by both Supply and Demand.
Raising merchant credit card fees is a negative stimulus on supply (fewer suppliers, since it costs more to supply). Basic microeconomic theory would state that a constriction in supply would cause prices to increase and quantity supplied to decrease. To what degree depends upon, as you noted, "yada elasticity yada".
They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
I don't know about the US, but here in Spain, you always have to show your ID if you're using a credit or a bank card. It doesn't matter whether you have signed it or not. I can't imagine just being able to walk into a store and hand someone a credit card, when the store has no way of confirming that it is yours.
I can run transactions through with my credit cards and completely wrong addresses, and still have AVS tell me as a merchant that the address matches the card's billing address. How is this possible? It's up to the issuing bank to compare the addresses, and many issuing banks, rather than doing the (easy, automated, computer) work, just tell you that the address matched when it's nowhere even close. Yet who pays if someone makes a fraudulent charge, even if the bank erroneously (or lazily) says the address matches? Not the bank... the merchant pays.
My truck is like a series of tubes.
Here are my golden rules of being a happy customer:
1) If I do not like a place, I don't shop there.
2) If I feel a place does not like me, I don't shop there.
3) I always pay cash, except for 3 or 4 online purchases per year.
I have a credit card for these online purchases, and I have individually
negotiated a low limit on monthly transactions with my bank.
4) I never give out personal information to retailers unless I am 100% convinced
that the database this is info will be kept in is secured against any sort of
cybercrime by state of the art security measures.
Currently, Rolodex data storage systems satisfy this requirement.
5) I do not use discounts or rebates of any kind
6) I do not shop at places that offer shady discounts or rebates, if I feel I
pay for them or other customers are taken advantage of.
Maybe I am missing some of the "greatest deals" and "free offers" this way, but then, on the other side, I save up on a lot of worry and hassle.
Your merchant processing agreement (MPA for those in the industry, the thing you sign to establish a cc processing acct) clearly states you take responsibility.
I'm not disputing that that's what the MPA says. That doesn't make it right or fair anymore than the fine print in Microsoft's EULA is right or fair just because they decided to make it so.
An authorization is saying that there is enough money on the card - NOT that the person in front of you is who they say they are.
Obviously. This works great in card-present transactions. Over the Internet, though, the merchant is in even less of a position to know whether the transaction is valid than Visa/Mastercard. At least Visa/mastercard has access to the billing address, their computers can look at past history to see if the charge is unusual, etc. If they can't act as intermediary in card-not-present transactions, they shouldn't offer the service. Then all Internet merchants (and phone merchants, and those that bill credit cards automatically each month like cell phone companies) would look for a viable alternative REAL FAST. And there'd definitely be one real quick if Visa/Mastercard was no longer a monopoly.
Truth is, if that happened, Visa/Mastercard would be among the first to come up with an alternative because it'd be in their best interest to do so. The reason they don't know is because, like I said, they're a monopoly and are content to just screw the merchant. This is not sustainable and WILL eventually change.
Truth is, if that happened, Visa/Mastercard would be among the first to come up with an alternative because it'd be in their best interest to do so The alternative is to verify the address/zip info and Mastercard Secure Code or Verified by Visa. The card code on the back of the card as well. I agree that ecommerce/moto transactions put a lot of the risk on the merchant, but it's the nature of the environment you're in.
They fail to mention that increasingly often the companies and merchants make the customer pay for credit card theft. I know several people in person who are still in legal battles against their credit cards companies who are trying to make them pay for fraudulent charges. Unfortunately they have some of the best lawyers and this is just another one of many reasons not to use credit cards.
The point is that Visa/Mastercard aren't just saying "Internet is dangerous, you're on your own." They're essentially doing it for all merchants. Whether the card is present or not, Visa/Mastercard will charge back the amount in question if it is determined it was fraud. What if the card is present, you ask for ID, and the thief has an ID that looks valid and which matches the card? Then it's your word against Visa/Mastercard's and guess who is going to lose 10 times out of 10?
The current policies of Visa/Mastercard are unacceptable across the board. Arbitrarily holding the merchant responsible for all fraud is not acceptable whether it's an Internet or card-present transaction. As I've said, the customer is in the business of buying, the merchant is in the business of selling, and Visa/Mastercard is in the business of making some money facilitating the transaction. A customer is at risk because he can buy bad goods that could go bad at any time, the merchant is at risk because he can get sued by a customer or, in the case of brick and mortar shops, they can be held up. There's risk all around. The only one that's completely insulated from risk is Visa/Mastercard when, ironically, they're the ones with the deepest pockets and yet they don't even share the risk for the part of the transaction that they are involved in.
Like I said, it's unacceptable. It's a monopoly that's abusing its power exactly as a monopoly or cartel usually does.
They don't need the whole CC number and exp date for that, do they? You name, and approval number should do. That will take them to your invoice.
Anybody that accepts a third party check of any kind is asking for trouble. Red flags everywhere. Read the damm check, a Cashiers Check is not what you think it is.. not a guarantee that the check is "good".
Freedom is not FREE
You dont even have a clue. I worked credit card fraud for years, you don't even have a clue as to what is really happening. The fault is with the CC company, the merchant and the person who had it stolen from.
Freedom is not FREE
It bombed for a couple of reasons. First, it made heavy use of public key cryptography, and on the CPUs of the day that sort of encryption would have slowed each credit transaction by at least three to six seconds. Second, the merchants didn't like it because it was complex and very large, producing authorization message sizes ten times larger than anything they were used to (and thus ten times slower over their over-burdened networks.) But the most important reason it bombed was that it rendered Visa irrelevant. SET made authorization transactions so strong that they could be passed securely and directly to your bank, even over the public internet. There was no need for the data to flow through the consolidating and percentage-skimming hands of a Visa provider or a secured network, because the data blobs were securely armored.
The first objections above could have easily been overcome by Visa. For at least the last 20 years Visa has been strong-arming retailers into installing new systems and upgrading hardware through the threat of rate hikes. Do you think the retailers wanted to install expensive mag stripe readers back in the 1980s? They didn't want to spend the money, but they didn't want to have their rates jacked up by an extra percentage point either. Virtually every other Visa "innovation" (such as 3DES and PCI) has been introduced with the same strong-arm tactics. So if Visa wanted SET to succeed, they would have simply threatened another rate-hike to non-compliant merchants. But since no such threats came down, SET withered quietly away.
So all these credit-card leaks from various merchants over the last ten years could have been completely avoided except for the deliberate interference of Visa. Think about that.
John
It's really even worse than you portray it. Yes, the merchant has to eat the cost, but it's worse than that. Let's look at a simple example.
Merchant sells widgets for $100 at a gross profit margin of 20% (i.e. the cost of goods sold is $80). Let's say someone fraudulently purchases one of his widgets, which results in a chargeback of $100 to the merchant. The merchant is also out the $80 he paid for the widget. What this means is, the merchant now has to sell an additional 9 widgets to recoup the cost of one fraudulent transaction, before he makes a single penny to pay rent, utilities, payroll, and put food on the table for his family.
With smaller profit margins common amongst small merchants, the problem is compounded. At any rate, chargebacks are devastating to small business.
I don't give a flyin' flippin' fritatta that requiring ID is against the MC merchant agreement. When it comes to fraud, MC doesn't care, and the issuing bank and acquiring processors don't care either - they're still making bank on the interchange fees. The merchant is ultimately responsible, and if the merchant wants to takes steps to protect themselves from fraud, even if it disagrees with some agreement of dubious legality, I'm all for it.
I work in the Credit/Debit card industry, and it is my opinion that the merchant agreements are made under duress. You agree to the Visa/MC rules, or you don't take Visa/MC credit/debit cards - and if you don't take plastic, you probably can't compete.
So to the GP - go ahead. Threaten the merchant with a complaint if they insist on ID. Threaten their livelihood.
It is, after all, your birthright to be a dick.
Honestly, it's the way it should be, though the credit card companies need to do some work too. I've had fraudulent charges go through without a hitch that didn't have the right name or security number, so basically somebody just put in a random number and name and it still went through!
Certain stores have started asking for zip codes for AmEx cards, to 'help protect you.' That's Wal-Mart, Target, many gas stations, etc. Other stores, like Radio Shack, Micro Center, and Fry's, try to create buyer profiles of customers, so they will ask for your name and information when you buy stuff. Sometimes they claim it's mandatory for things like rebates.
Anyway, I'm sure most of us just give the zip code if asked. And we're used to salespeople looking at the backs of our cards, too, so someone can easily memorize the 3 or 4 digit number in the time it takes to pretend to look at the signature.
Internet merchants do have fraud protection options available to them. Any merchant being hit by a large number of charge backs should explore 3DSecure: http://www.cardwatch.org.uk/spot_and_stop/html/3ds ecure.htm?display=html
http://www.visaeurope.com/merchant/handlingvisapay ments/cardnotpresent/verifiedbyvisa.jsp
http://www.mastercard.com/us/personal/en/cardholde rservices/securecode/index.html
When setting up with your payment services provider you should find out exactly what services they provide to help protect you from fraudulent transactions.
Card holder address verification and card verification code/number (those 3 digit numbers on the back of your card) checking will help reduce the number of bogus transactions that get through
3DSecure will allow you to shift liability for charge backs from yourself to the bank.
Signing the back of the card is not some sort of signature verification, as though the pimply-faced, $5.50/hr, checkout clerk is somehow some sort of certified signature expert and can verify that the faded, washed-out signature on the back of your card matches the receipt you just signed. Signing the back of the card says, "I have read and understand the terms and conditions for use of this card, and I agree to them."
Unless your John Hancock really looks like "Please ask for ID", then your card is invalid and should be rejected as such.
They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
It's the same way with medical insurance. Some companies are more reliable than others.
Just the other day I had some company demand refunds for patients seen in 2005.
Here's a couple perfectly valid reasons why a merchant might want to hold on to such information:
1) Transaction history for research (chargebacks, billing disputes, tax purposes, etc)
2) No reciept returns. "No reciept, no problem, if you paid with a card, I can look that reciept up here."
3) Catching fraudulent returns. I once caught a guy who was trying to return stolen merchandise for cash, the way it worked was he returned a stolen item for store credit, and picked up a slightly more expensive item, he paid for that with his debit card (cash equivilent transaction). He would then head to another store in the chain and attempt to return the item for cash back, insisting that he had bought the original (stolen item) with the debit card he paid the difference on. A quick transaction check shows a few months of small purchase large return transactions on this card, and no original purchases. A little bit more digging shows no original purchases associated with this customer at all. The end result is fraudulent transactions are stopped and a shop lifter is uncovered.
While #3 certainly isn't common, #2 and #1 are common enough that I see many merchants being perfectly justified in storing such data. I also see the public being justified in holding that company liable should such data be compromised.
T Money
World Domination with a plastic spoon since 1984
Extremely misleading--borderline falsehood. True: credit card issuers must have bank charters, but there is no requirement that they participate in retail or commercial banking. Also true: There has been consolidation in the monoline credit card industry, such that there aren't any more large monoline credit card issuers, but that was not always the case. Before 2004 or so, MBNA, Capital One, and Providian were the third, fifth, and seventh largest credit card issuers (respectively), and were monoline. MBNA and Providian were bought, Capital One decided to go into retail banking and bought some branch banks (they offer deposit accounts, auto loans, etc. now) My point is, credit card companies are not automatically branches of large banking conglomerates.
That's sort of true for AmEx, and B of A (if you really want to consider them investment companies... they are certainly bottom tier in that department... and B of A offers some insurance, but is certainly not a major player), but what about Capital One? What's in your wallet, man? ;) (just a little joke... I know who ya are)
That is really out of touch with reality. Most large business groups do not keep poorly-performing lines of business open for long. They tend to be more focused on profit, not shunting losses among divisions.
Pure tinfoil hat thinking. Plain and simple. A company isn't going to bleed losses in one LOB just because another is profitable. And credit card interest rates have zero to do with the price of gasoline in China.
Credit card interest rates are high because credit risk is high.
Think about it. Let's say you charge up $5,000.00 on your credit card. You get a bill from MBNA/Bank of America/WhoeverOwnsThemThisWeek for $125.00 (2.5% of your outstanding balance is a common minimum payment). At this point, you have three options:
What does that have to do with the price of tea in China or the interest rate on your credit card? Because the CC company's only recourse if you decide not to pay is to make menacing phone calls (until you realize you can just tell then to quit calling and they are required by the FDCP Act to stop), they have a ton of losses. That 18% interest rate you pay is to cover the fact that the CC company is taking on an enormous credit risk.
That's why mortgage rates are so much closer to the prime rate. Very low credit risk. You no pay, bank take your house and you wind up homeless in la jolla. End of s
They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
Why would I not pay for groceries with a credit card?
And why are you holding up everyone in line by paying with a check? It's not 1982 anymore, buster.
They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
Do you really want to bet your "I don't know how valid it is" position against MasterCard's army of lawyers who say it's valid?
More importantly, Do you really want to pay your own lawyer, your own court fees, and possibly MasterCard's legal fees, for the privilege of asserting your "I'm not sure if it's valid" defense against a time-tested, professionally-written agreement?
From one small business owner to another, I'll advise you to read what you've agreed to and abide by it. Ultimately the choice is between you, MasterCard, your attorney, and your attorney's children who you will put through college with all the legal fees you'll be paying.
They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
You still do not convince me that they need the whole credit card number and expiry date to do what you are saying.
The persons name, type of CC, approval number, and last 4 digits of the CC.
If a hacker were to steal that information it would be of no value except bragging rights.
IF the merchant needs more DATA than that they can ask for it from the merchant bank. Especially for chargebacks. The Credit Card company would provide all the data for that, just like a bounced check.
- Stand back, take a deep breath, and look objectively at your situation.
- Admit that it is entirely your fault and that you are not a victim. You agreed to pay 16% interest on that credit card. You bought more house than you could afford. You failed to maintain sufficient liquid savings for emergencies. You charged that plane ticket. No corporation is out to screw you--you screwed yourself.
- Admit that only you can fix this problem. You created it, now you need to fix it.
- Call your credit card issuer and ask for a lower interest rate. Let them know that you are in financial dire straits and that you have been advised to declare bankruptcy. That's not lying--I'm advising you right now. (Don't really declare bankruptcy!)
- Search online for a credit card with a lower interest rate. Check bankrate.com, google, and the other usual suspects. Try to find one that also has free balance transfers. With an 800 FICO, you'll qualify for any card.
- Can you pay off that ticket within a year or six months? Get a card with 0% on balance transfers as a teaser. Do not charge anything else on that card! You have been warned. DO NOT DO IT. That will be a very expensive mistake.
- Can you borrow the money from a family member at a more favorable rate? I mean, it was for grandma's funeral.
- Most importantly, convince yourself that when you agree to something, and when somebody holds you to your agreement, you are not being screwed. You are being treated fairly. Don't agree to something that you find..well.. disagreeable.
:)
Again, I'm sorry for your loss. Just keep a clear head and you can solve this one, ASAP.Good luck!
They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
I'm not nice.
-Clio
Karma: Bad (mostly from not giving a fuck)
Blog: http://clintjcl.wordpress.com
Is it the same as Visa? Because they just replaced my MasterCard with a Visa...
-Clio
Karma: Bad (mostly from not giving a fuck)
Blog: http://clintjcl.wordpress.com
The person is committing credit card fraud, and IF he pulls one over on you, all MC/VS is saying is "look, it's not the issuing bank's fault, and it's not the customer's fault. We weren't told this was a stolen card until 2 days later...and you could check if it was him. Did you get a signature? Did you verify it's the same as that on the back of the card...etc"
If someone gives you counterfeit/stolen bills you don't go "damn that US currency! If only it wasn't a monopoly!" It's not MC/VS fault this happened with the card. The only person that can check the signature is you. If it doesn't match up, void the transaction and ask for another form of payment. If they give you stolen money to pay for that big screen tv, that'll be taken back for the original owner too!
It's up to the merchant at that point to follow up against the person that commited fraud against them. It's not the cardholder or the currency maker (MC/VS in this case) fault.