Slashdot Mirror

← Back to Stories (view on slashdot.org)

Who Pays For Credit Card Breaches?

Posted by kdawson on from the buck-stops-where? dept.

PetManimal writes "A scheme to steal customers' credit and debit card information at a New England supermarket chain highlights a little-understood fact about credit card security: Customers still think that the credit-card companies have to eat fraudulent charges, but since the PCI DSS standards were adopted, it's actually the merchant banks and merchants who have to pay up. And, according to the blogger writing in the latter article, it's a good thing." "The main reason PCI exists is that there are tens of thousands of merchants who don't understand the basics of information security and weren't even taking the very minimum steps to secure their networks and the credit card information they stored... PCI pushes that burden downstream and forces merchants to... put in a properly configured firewall, encrypt sensitive information and maintain a minimum security stance or be fined by their merchant banks... [T]he credit card companies have taken the bulk of the financial burden off of themselves and placed it on the merchants, which is where much of it belongs...'"

5 of 313 comments (clear)

  1. The customer pays. Always. by Anonymous Coward · · Score: 5, Insightful

    The merchant has to make a living, the credit card company too. The money for fraud can only come from the end of the chain: the customer. The only notable thing here is that all customers pay, not just the ones who use a credit card.

    1. Re:The customer pays. Always. by Bastard+of+Subhumani · · Score: 5, Insightful

      To offset that, the prices are raised.
      If the market would stand that higher price, why wasn't it being charged to start with? Conversely, if the market won't stand it, then lower volume (yada elasticity yada) could mean the merchant makes even less money.
      --
      Only three things are certain; death, taxes, and apocryphal quotations - Ben Franklin.
  2. Re:Misses the point by letxa2000 · · Score: 5, Insightful

    As a merchant, this is very annoying. If I submit a charge to Visa/Mastercard and it's authorized, I should be able to count on that unless the valid cardmember has a legitimate complaint that I did not resolve and charges it back. If the use was fraudulent, as the merchant I have absolutely no way to know that--that's why I'm asking Visa/Mastercard for authorization. If they authorize the charge then they think it's legitimate, too, so why should the merchant somehow be expected to think otherwise or be held responsible for 100% of the chargeback?

    To pay extortionate discount charges on every transaction and not even be able to trust that the charge is legitimate is abusive on the part of Visa/Mastercard. What's worse, a chargeback comes with a chargeback fee. So not only does Visa/Mastercard not get harmed by fraud, it profits from it. As long as that is the case, Visa/Mastercard has no motivation whatsoever to increase security and decrease fraud.

  3. Re:Article is Wrong by scribblej · · Score: 4, Insightful

    Well, of course I was exaggerating when I said "no one." But it's interesting to hear your view. :) I didn't realize newegg provided it.

    As for the "address" info - a very well-written system put in front of the credit card processing networks will do a real postal database lookup on an address. That's nice. It's also exceedingly rare. What you normally get for address verification is what the credit card processing networks themselves provide: AVS, the Address Verification Service.

    A few interesting notes on AVS:

    1) It only validates the digits in the street address and zip code, nothing else. So 123 Fake Street and 123 Oak Street are exactly the same in it's eyes.
    2) It never rejects a transaction. Even if the address is wrong, it's approved. It's up to the merchant to check the response from the credit card processing network that says "the address was right" or "the address was wrong" or a dozen values of "the address was kinda' right" and then void the transaction if the response is unacceptable to them.

    2 is becoming a little less true recently, though - several issuing banks have taken it on themselves to reject the transaction even if the AVS standard says they aren't supposed to. I think this is a good thing.

  4. Re:Misses the point by letxa2000 · · Score: 4, Insightful

    You have to look at it from the other perspective though - like any merchant I'm sure you receive your share of obvious frauds (the ones you delete without even turning on your brain - 400 units of $expensive_product to Lagos etc). Maybe you're honest enough to still decline them if you knew you'd get the money, but lets face it many aren't.

    I have looked at it from their perspective and it still doesn't make sense. If someone has a history of lots of chargebacks, that merchant gets canned anyway. If I'm entering ship-to and bill-to addresses into the system and if there's something that makes them (or their computers) uncomfortable, have the merchant call in for verbal authorization where the risks are explained to the merchant and/or Visa/Mastercard can say that they won't take responsibility for the charge.

    I'm not opposed to a merchant being expected to be honest enough to do due diligence. If I ship something to Nigeria and expect Visa/Mastercard to pay me, and it turns out to be fraudulent, they have a right to ask me what documentation or evidence I have that I made an honest effort to be reasonably sure the transaction was valid. If I failed to do that, they can expect me to pay for it. But if there's nothing Nigeria-like about the transaction, nothing raises my suspicion, I submit the card to Visa/Mastercard and they authorize it and confirm the zip code and CSV matches, I've done all I can. To then turn around and say, "Yeah, we know we told you the charge was authorized, we know you have the right address, zip code and CSV, but what do you know... our system sucks and even though you obviously have all the right data you could possibly provide, we're still holding you responsible."

    If a merchant is fraudulently processing charges or is accepting credit cards that are obviously stolen, that's a crime that should be prosecuted in a court of law. Simply assuming all merchants are crooks and arbitrarily taking back money you already gave them is simply not acceptable.

    A customer is in the "business" of buying. A merchant is in the "business" of selling. Visa/Mastercard is in the business of facilitating the transaction. That's their business and they need to make sure it works so the buyer and seller can do their business. It is not acceptable to hold either the customer or the merchant responsible for shortcomings in Visa/Mastercard's system. If a merchant gets an authorization number from Visa/Mastercard, that should be a done deal. If it's fraud, Visa/Mastercard needs to eat that charge. If that means raising the discount rate, fine, do it--and let merchants decide whether they're willing to accept credit cards given the real cost of accepting them; or the customers and/or merchants will demand real security.