Slashdot Mirror


Who Pays For Credit Card Breaches?

PetManimal writes "A scheme to steal customers' credit and debit card information at a New England supermarket chain highlights a little-understood fact about credit card security: Customers still think that the credit-card companies have to eat fraudulent charges, but since the PCI DSS standards were adopted, it's actually the merchant banks and merchants who have to pay up. And, according to the blogger writing in the latter article, it's a good thing. 'The main reason PCI exists is that there are tens of thousands of merchants who don't understand the basics of information security and weren't even taking the very minimum steps to secure their networks and the credit card information they stored... PCI pushes that burden downstream and forces merchants to... put in a properly configured firewall, encrypt sensitive information and maintain a minimum security stance or be fined by their merchant banks... [T]he credit card companies have taken the bulk of the financial burden off of themselves and placed it on the merchants, which is where much of it belongs...'"

43 of 313 comments

  1. The customer pays. Always. by Anonymous Coward · · Score: 5, Insightful

    The merchant has to make a living, the credit card company too. The money for fraud can only come from the end of the chain: the customer. The only notable thing here is that all customers pay, not just the ones who use a credit card.

    1. Re:The customer pays. Always. by HomelessInLaJolla · · Score: 2, Informative

      The only notable thing here is that all customers pay, not just the ones who use a credit card

      Some pay more equally than others, though. It works like a pyramid scheme. The government uses the same principle: it is the reason why we have hundreds of different hidden taxes in thousands of different places.

      "We screw the other guy to pass the savings on to you."
      --
      the NPG electrode was replaced with carbon blac
    2. Re:The customer pays. Always. by Bastard of Subhumani · · Score: 5, Insightful

      To offset that, the prices are raised.

      If the market would stand that higher price, why wasn't it being charged to start with? Conversely, if the market won't stand it, then lower volume (yada elasticity yada) could mean the merchant makes even less money.
      --
      Only three things are certain; death, taxes, and apocryphal quotations - Ben Franklin.
    3. Re:The customer pays. Always. by edb · · Score: 2, Insightful

      The credit card companies pay nothing for credit card fraud. Their excuse for the usurious interest rates (24% and up in many cases) is to cover their losses. But in reality, the banks have zero losses due to credit card fraud. All losses are paid by the merchant victims, who accepted the card in good faith. The total cost to the credit card issuers is the overhead for paperwork. Cost to the consumer is time. Cost to the merchant is real $$.

      And the credit card issuers advertise that they "protect" the cardholder from credit card fraud. That's fraud right there. The issuers simply charge it back to the merchant who did everything right -- ID check, address verification, signature, everything that could possibly be verified. If the cardholder disputes a charge simply because they don't remember it, the merchant is automatically charged a fine, and the transaction amount reversed. Then, after "investigation", the cardholder admits that the charge was correct, the merchant is still in the hole for the fine and the "research fee", which total at least $50 and can exceed $100 for a single $10 transaction which was correct and is eventually confirmed by the cardholder.

      Eventually this cost must be passed through to the customer. Not all at once, and not across the board at all merchants: just like increases in postage, gas, utilities, etc., some merchants will absorb the added cost for a time. Some will raise prices sooner, some will raise them later. But eventually, equilibrium again will be reached, and prices at all merchants will reflect the increase, one way or another, and the differences in price between merchants will again be due to all the other usual factors.

      Same old story, same old Slashdot. See the similar thread from Feb 2003: http://it.slashdot.org/comments.pl?sid=54226&cid=5323876/

      Same season, 4 years ago. Same story.

      --
      In theory, practice and theory are the same. In practice, they rarely are.
  2. Misses the point by currivan · · Score: 2, Insightful

    The merchant who accepts the fraudulent charge eats the chargeback, not the one whose site is hacked. How does this encourage information security?

    1. Re:Misses the point by Scott Lockwood · · Score: 2, Insightful

      It doesn't. It makes Visa and Mastercard more profitable, however, which is what they care about.

      --
      But this is slashdot. A slashdoter who didn't build his own computer is like a Jedi who didn't build his own lightsaber!
    2. Re:Misses the point by letxa2000 · · Score: 5, Insightful

      As a merchant, this is very annoying. If I submit a charge to Visa/Mastercard and it's authorized, I should be able to count on that unless the valid cardmember has a legitimate complaint that I did not resolve and charges it back. If the use was fraudulent, as the merchant I have absolutely no way to know that--that's why I'm asking Visa/Mastercard for authorization. If they authorize the charge then they think it's legitimate, too, so why should the merchant somehow be expected to think otherwise or be held responsible for 100% of the chargeback?

      To pay extortionate discount charges on every transaction and not even be able to trust that the charge is legitimate is abusive on the part of Visa/Mastercard. What's worse, a chargeback comes with a chargeback fee. So not only does Visa/Mastercard not get harmed by fraud, it profits from it. As long as that is the case, Visa/Mastercard has no motivation whatsoever to increase security and decrease fraud.

    3. Re:Misses the point by mike2R · · Score: 2

      If the use was fraudulent, as the merchant I have absolutely no way to know that--that's why I'm asking Visa/Mastercard for authorization. If they authorize the charge then they think it's legitimate, too, so why should the merchant somehow be expected to think otherwise or be held responsible for 100% of the chargeback?

      You have to look at it from the other perspective though - like any merchant I'm sure you receive your share of obvious frauds (the ones you delete without even turning on your brain - 400 units of $expensive_product to Lagos etc). Maybe you're honest enough to still decline them if you knew you'd get the money, but let's face it, many aren't.

      At the end of the day, the merchant knows their business, and is by far the best situated to spot fraud attempts, and I don't have any problem with the majority of the risk being taken by us.

      What gets to me is the total lack of interest from merchant service providers. I do think it would be better if they bore a small percentage of the risk; 10% at most, maybe 5%. Then they might actually start to care, and if they care then maybe the police would.

      Some friends of mine still tell a story from pre-internet days: an obviously fraudulent order was reported to the police, who actually took action(!) Two police officers dressed as couriers delivered a fake parcel and nicked the thief when he signed for it.

      This is what really gets me about internet/mail-order fraud. The risks would be huge if the police gave a shit, since frequently it is blatantly obvious, and the thief has given the place and time he's going to receive the goods, and all that has to be done is turn up and put cuffs on him. No-one cares though.

      --
      This sig all sigs devours
    4. Re:Misses the point by letxa2000 · · Score: 4, Insightful

      You have to look at it from the other perspective though - like any merchant I'm sure you receive your share of obvious frauds (the ones you delete without even turning on your brain - 400 units of $expensive_product to Lagos etc). Maybe you're honest enough to still decline them if you knew you'd get the money, but let's face it, many aren't.

      I have looked at it from their perspective and it still doesn't make sense. If someone has a history of lots of chargebacks, that merchant gets canned anyway. If I'm entering ship-to and bill-to addresses into the system and if there's something that makes them (or their computers) uncomfortable, have the merchant call in for verbal authorization where the risks are explained to the merchant and/or Visa/Mastercard can say that they won't take responsibility for the charge.

      I'm not opposed to a merchant being expected to be honest enough to do due diligence. If I ship something to Nigeria and expect Visa/Mastercard to pay me, and it turns out to be fraudulent, they have a right to ask me what documentation or evidence I have that I made an honest effort to be reasonably sure the transaction was valid. If I failed to do that, they can expect me to pay for it. But if there's nothing Nigeria-like about the transaction, nothing raises my suspicion, I submit the card to Visa/Mastercard and they authorize it and confirm the zip code and CSV matches, I've done all I can. To then turn around and say, "Yeah, we know we told you the charge was authorized, we know you have the right address, zip code and CSV, but what do you know... our system sucks and even though you obviously have all the right data you could possibly provide, we're still holding you responsible."

      If a merchant is fraudulently processing charges or is accepting credit cards that are obviously stolen, that's a crime that should be prosecuted in a court of law. Simply assuming all merchants are crooks and arbitrarily taking back money you already gave them is simply not acceptable.

      A customer is in the "business" of buying. A merchant is in the "business" of selling. Visa/Mastercard is in the business of facilitating the transaction. That's their business and they need to make sure it works so the buyer and seller can do their business. It is not acceptable to hold either the customer or the merchant responsible for shortcomings in Visa/Mastercard's system. If a merchant gets an authorization number from Visa/Mastercard, that should be a done deal. If it's fraud, Visa/Mastercard needs to eat that charge. If that means raising the discount rate, fine, do it--and let merchants decide whether they're willing to accept credit cards given the real cost of accepting them; or the customers and/or merchants will demand real security.

    5. Re:Misses the point by planetmn · · Score: 2, Interesting

      As a former retailer, I very well know the frustrations of a chargeback that comes out of nowhere. As a consumer, I've found that it's quite easy to deny a charge for very little reason.

      It's also quite easy to shoplift from a lot of stores, to back into somebody's car and just drive off, etc. Just because something is easy, doesn't mean that people take advantage of it.

      Every chargeback I have made has been completely legitimate. One of the reasons I pay for everything on a credit card is the security it provides me. Once a merchant didn't want to obey their return policy, so I left the store and disputed the charge, got my money back. Another time, a service provider decided he deserved more of a tip than I gave him (he even called me after the chargeback and tried to argue that he deserved the additional money), again, I got my money back. I don't bother arguing with customer service anymore. If they don't follow their own return policy, I'll say thank you, walk out, and dispute the charge.

      Sure, if the system is being abused, then I feel bad for the merchant. I don't personally know the percentage of instances where a chargeback is not warranted, but given to the consumer, but if as a merchant it costs you too much, don't accept credit cards.

      -dave

      --
      /., where "Apple and Google provide Iran with nukes" will be refuted with "But Microsoft is a convicted monopolist"
    6. Re:Misses the point by letxa2000 · · Score: 2, Insightful

      Nice. So why can't you extend that same logic to Visa/Mastercard? There's no reason to pass it off on the merchants instead of Visa/Mastercard. Like I said elsewhere, a business that takes a credit card has enough stuff going on in their own business to have to be held responsible for flaws in Visa/Mastercard's system.

      The whole "if you don't like the risk, don't accept credit cards" is no longer valid. It might have been 20 years ago (and many places didn't accept them back then), but now you can't do business if you don't accept them. Visa/Mastercard/AMEX basically holds a monopoly on transaction processing and if you don't accept them, you often can't do business. So while the "if you don't like the risk, don't take the cards" is a nice, convenient cop-out, it really isn't a legitimate answer.

      The fact is, Visa/Mastercard is now a scam. There is essentially zero cost to provide the Visa/Mastercard service now that we have Internet and if they aren't even going to guarantee the payment is valid, WTF am I paying 2-4% in discount fees for? Any decent developer could make a competing system in a few months--the problem is that no-one would use it because the market is dominated by the Visa/Mastercard monopoly. And therein lies the problem: Visa/Mastercard is an abusive monopoly and the merchant gets screwed.

  3. PCI? by AikonMGB · · Score: 2, Funny

    And here I thought they implemented PCI to make it easier to attach peripherals to your computer O_o I can't keep up with the world today.

  4. Re:Business partners by Ctrl-Z · · Score: 2, Insightful

    Why are credit card rates so high? Because that's what the market will bear? Credit card companies aren't having any difficulty finding people to lend money to at exorbitant rates.
    --
    www.timcoleman.com is a total waste of your time. Never go there.
  5. Article is Wrong by scribblej · · Score: 5, Informative

    Merchants have been responsible, not VISA, all along. It's ALWAYS been that way.

    I say that as someone who's been in the industry for ten years, so I'll admit maybe things were vastly different before I got here. But for at LEAST the last decade, merchants have eaten fraudulent charges.

    Here's how it works in a nutshell. I'll assume an internet ("e-commerce") transaction since it's what I'm most familiar with.

    1) Evil bad guy steals a credit card number.
    2) Evil bad guy makes a charge from Bob the Merchant
    3) Bob the Merchant ships Evil Bad Guy his product.
    4) Joe, the actual owner of the credit card sees the charge on his statement.
    5) Joe calls Bob the Merchant and says, "Why did you charge me?"

    At this point, the only thing Bob the Merchant can do is issue a refund to Joe. He'll never see his product that Evil Bad Guy took, or the money, ever again. What happens if he refuses to give Joe his money?

    6) Joe calls his issuing bank and asks for a chargeback.
    7) Bob the Merchant is forced by his merchant account provider to refund the money to Joe. Also, to pay a chargeback fee of somewhere around $50, and if he gets more than 1% of his charges returned as chargebacks, VISA refuses to ever let him do business with a domestic bank again.

    So who loses here? Not VISA. Not Joe, the cardholder. Not Joe's issuing bank. The merchant is out product and money, and there's jack-all he can do about it.

    There is only one exception I am aware of: Verified by Visa. If a merchant uses VBV on his website, then VISA will guarantee the charges, and if there is a chargeback, VISA will eat the cost. This is a HUGE change from how things have always worked in the past. However, no one uses VBV because it requires the CARDHOLDER to take extra steps to sign up and become active, but the CARDHOLDER has no reason to care, since he's already protected.

    Anyhow. Long before PCI, long before CISP, long before any of the security standards were standards, the merchants were already responsible for all fraudulent charges. It's the way things are. PCI makes a much cleaner audit trail when things go south, but it's not really about fraud nearly as much as it's about data security. There's a few tiny parts of PCI that address a few particular cases of fraud, and ALL the rest of it is about data security and handling policies.

    1. Re:Article is Wrong by Rakishi · · Score: 2, Informative

      no one uses VBV

      Newegg does and signing up is rather trivial actually, the bitch is remembering the password (assuming I'm thinking of the right system). It takes me a lot longer to add an alternative (shipping) address to the CC and many websites require that (including some whose incompetence at being able to check it leaves me shocked).

    2. Re:Article is Wrong by scribblej · · Score: 4, Insightful

      Well, of course I was exaggerating when I said "no one." But it's interesting to hear your view. :) I didn't realize newegg provided it.

      As for the "address" info - a very well-written system put in front of the credit card processing networks will do a real postal database lookup on an address. That's nice. It's also exceedingly rare. What you normally get for address verification is what the credit card processing networks themselves provide: AVS, the Address Verification Service.

      A few interesting notes on AVS:

      1) It only validates the digits in the street address and zip code, nothing else. So 123 Fake Street and 123 Oak Street are exactly the same in its eyes.
      2) It never rejects a transaction. Even if the address is wrong, it's approved. It's up to the merchant to check the response from the credit card processing network that says "the address was right" or "the address was wrong" or a dozen values of "the address was kinda' right" and then void the transaction if the response is unacceptable to them.

      2 is becoming a little less true recently, though - several issuing banks have taken it on themselves to reject the transaction even if the AVS standard says they aren't supposed to. I think this is a good thing.
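      An added illustration (written for this page, not code from the thread or from any card network) of the two AVS properties scribblej lists: only the digits are compared, and a mismatch never declines the transaction by itself, so the merchant has to read the result and void. The result vocabulary (`match`, `street_only`, `zip_only`, `no_match`), the `issuer_declines_on_mismatch` flag for the stricter issuers mentioned in the last paragraph, and all function names are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed, simplified AVS result vocabulary (an assumption for this
# illustration; real networks publish their own code tables).
MATCH, STREET_ONLY, ZIP_ONLY, NO_MATCH = "match", "street_only", "zip_only", "no_match"


def avs_digits(text: str) -> str:
    """AVS looks only at the digits of a street line or postal code."""
    return re.sub(r"\D", "", text)


def avs_compare(sub_street: str, sub_zip: str, file_street: str, file_zip: str) -> str:
    """Model the network's comparison of the submitted address against the
    issuer's address on file. Words are ignored, so '123 Fake Street' and
    '123 Oak Street' are indistinguishable to it."""
    street_ok = avs_digits(sub_street) == avs_digits(file_street)
    zip_ok = avs_digits(sub_zip) == avs_digits(file_zip)
    if street_ok and zip_ok:
        return MATCH
    if street_ok:
        return STREET_ONLY
    if zip_ok:
        return ZIP_ONLY
    return NO_MATCH


@dataclass
class AuthResponse:
    approved: bool
    avs_result: str


def authorize(sub_street: str, sub_zip: str, file_street: str, file_zip: str,
              issuer_declines_on_mismatch: bool = False) -> AuthResponse:
    """Model the authorization. Under the AVS behaviour described in the thread
    the transaction is approved whatever the AVS result; the flag models the
    issuing banks that have started declining on a mismatch anyway."""
    result = avs_compare(sub_street, sub_zip, file_street, file_zip)
    approved = not (issuer_declines_on_mismatch and result != MATCH)
    return AuthResponse(approved=approved, avs_result=result)


def merchant_should_void(resp: AuthResponse, accepted=frozenset({MATCH})) -> bool:
    """The merchant's side of the bargain: an approved transaction whose AVS
    result falls outside the merchant's own policy must be voided by the
    merchant, because nobody upstream will do it."""
    return resp.approved and resp.avs_result not in accepted


if __name__ == "__main__":
    # Constructed sample: billing address on file vs. what the order form sent.
    on_file = ("123 Oak Street", "02139")
    print(authorize("123 Fake Street", "02139", *on_file))   # approved, 'match'
    wrong = authorize("456 Elm Street", "02140", *on_file)
    print(wrong, merchant_should_void(wrong))                # approved, 'no_match', True
```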

  6. As a merchant, I call shenanigans! by silentbozo · · Score: 2

    Uh bullshit. Let's say I'm merchant A, and I do everything by the book, and have never had a breach.

    I can still get screwed if merchant B has a breach, as far back as a year ago, if I'm taking card not present transactions, and get stuck with an order from some punk who uses a stolen number.

    Is it right that I get penalized for charges made and authorized by the issuing credit card company, due to no fault of my own?

    A lot of people will say that's the cost of doing business. The problem is that there is no incentive to fix anything broken with the system as far as protecting MERCHANTS from fraudulent transactions. Fact of the matter, there's no incentive to fix all the things broken with the system that make identity theft possible, since the people who would be most motivated to fix those things (credit card bureaus and the issuing companies) have moved all the cost to the merchants and merchant banks, and they have no control over the bureaus!

  7. Should improve Customer service by Iridium_Hack · · Score: 2, Interesting

    As one who has worked part-time in a retail store for extra cash on top of my day job, I've found most customers nowadays prefer that you ask for ID. Up until now, store policy has been lax or even negative on the subject. For example, "if it's less than a hundred dollars or so (depends on season), don't bother the customer and ask for ID unless it's AE or the card isn't signed."

    Maybe some of these retail stores will finally make it policy to ask for ID when making a purchase. Wouldn't you like it that way?

    1. Re:Should improve Customer service by damiangerous · · Score: 4, Informative

      Maybe some of these retail stores will finally make it policy to ask for ID when making a purchase. Wouldn't you like it that way?

      No, I hate being asked for ID when using my card. In fact, Visa and MC rules prohibit merchants from requiring you to show ID to accept a card. They can ask, but can't require it. They also cannot accept a card with "See ID" without making the cardholder sign it. See page 29 of the Visa merchant rules (PDF) and pg 48 of the MasterCard merchant rules (PDF).

      I usually file a complaint here and check the "merchant required identification" box.

    2. Re:Should improve Customer service by ucblockhead · · Score: 2, Insightful

      Great. You hate it when merchants take extra steps to make sure it's actually you using the card. It's people like you that discourage merchants (and visa/mastercard) from adding extra security that would help ensure that thieves can't swipe cards and go to town.

      --
      The cake is a pie
    3. Re:Should improve Customer service by dman123 · · Score: 2, Insightful

      If I was a milk and bread merchant and you mentioned to me that I was "harassing" you by asking for ID, I'd just make sure to process that transaction really, really slowly... maybe manually enter the numbers instead of swiping, checking the card with a magnifying glass to check for evidence of tampering, etc. The loss of a sale as you stormed off in a pissy huff would be worth it.

      And yes, I would keep helping others in line as I "waited for authorization." Sorry, sir. The computers are a little slow right now. Maybe I'll try calling in for authorization. I'm sure that MasterCard won't put me on hold once they know that we have royalty in line here at the bodega.

      --
      dman123 forever!
      Filtering out the -1s and 0s since 1999.
    4. Re:Should improve Customer service by ednopantz · · Score: 2, Insightful

      it's hard enough for small businesses, arbitrarily pissing off customers

      As a small business owner, let me say,

      Get the hell out of my store!

      I don't need customers like you.

      Things got a lot better around here once we started "firing" customers who were assholes. More trouble than they are worth.

    5. Re:Should improve Customer service by DogDude · · Score: 2, Insightful

      You're 100% wrong. I AM a small merchant, and I haven't had to deal with asshats like you before (we deal with jerks... just not in this way). I would be happy to ask you not to come back to the store if you threw a tizzy about us asking for your ID. It's not worth the risk to us to keep assholes happy.

      --
      I don't respond to AC's.
    6. Re:Should improve Customer service by ednopantz · · Score: 2, Funny

      What, and miss out on the educational aspect of firing a customer?

      *******

      "Waaah! I want [totally unreasonable thing]."

      Sorry.

      "Waaah! If you don't give in, I'll take my valuable [read easily replaced] business elsewhere."

      Good, go.

      "Waaah! I want to speak to the manager."

      I'm the owner.

      "Waaah! But I'm the customer, and the customer is always right."

      No. The customer is often wrong. And you are not our customer anymore. Go away.

      "Wah! But...but...but..."

      Get out now!

      *******

      I wouldn't feel right depriving you of the valuable attitude adjustment. Just think of it as my form of public service.

    7. Re:Should improve Customer service by The Outbreak Monkey · · Score: 2, Interesting

      Here is what I think you are missing:
      If he gets a charge back, HE has to eat the cost. He asks you to show your ID so that he can verify that the transaction probably isn't fraudulent.

      So what if Mastercard says it isn't OK...give the guy a break and give him a little reassurance. It's no skin off your back, and it helps him out. Is your time really so important that you can't flash your ID for 2 seconds?

      (I think) He called you an asshole because you'd rather point out page numbers of credit card contracts and argue with him, instead of cutting him a little slack by taking 2 seconds to prove that you own the card.

      I mean really, what is the big deal?

      Who cares what Mastercard says about showing your ID...we are talking about customers putting food on the merchant's table, and we are talking about thieves trying to take it off the table. Give him a break and help him figure out if you are a customer or a thief.

      That's how us non-assholes think.

      Peace.

    8. Re:Should improve Customer service by ednopantz · · Score: 2, Insightful

      If it's my money, I'm making sure you are the guy whose name appears on that credit card. If I have any doubt, I'm checking you out before I accept a piece of plastic. I'm the one on the hook for fraud. Not you.

      Don't like proving your identity? Then pay cash. We accept that always. Want to give a promise instead? Then get ready for some verification.

      How come "checking id when you promise payment in lieu of real money" = instant fascism!! Oh No Everybody Panic!!! 1984!!! AAAAHH!!

      And the terms of my contract with VISA are none of your business. Don't like that I look out for my interests? Hit the road, jack.

    9. Re:Should improve Customer service by Scudsucker · · Score: 2, Insightful

      Both of those things are a violation of your agreement, you can't require ID and you can't arbitrarily refuse my card. Why is it so hard to live up to what you've agreed to?

      Because it's virtually impossible to survive as a business without accepting credit cards, and if all credit cards have the same bs terms....

    10. Re:Should improve Customer service by Scudsucker · · Score: 2, Interesting

      Asking you to abide by terms of a contract you signed, is an unreasonable thing?

      It is if the contract is totally unreasonable and you have to either sign the contract of go out of business.

  8. Having owned a store by JohnnyComeLately · · Score: 5, Interesting

    I would say it's set up correctly. Sure VISA makes Billions and merchants eat fraud, but it's really the best point to do it. And, technically, I already do it with Checks (the reason a lot of people don't take them). Some storeowners don't get it and think credit cards are "magic"...they can take all the cards they want and money appears (minus a 5-15% fee) in their bank account. They don't realize they can minimize by: ACTUALLY CHECKING THE SIGNATURE!!!, suggest Debit over Credit (if it's both, their fees are less if it runs as an ATM, and security is better!). But it's the same as anything else in life: If you're uneducated you will always pay more.

    Got suckered into a 15 year AARM mortgage with a pre-pay penalty and balloon payment? Education. Paid $30k for a Ford truck (which immediately dropped to a $19k wholesale value) and are upside down in value? Education. If there's one lesson...just one lesson...I could boil my entire MBA, stock market, and general life experience (regarding business) into:

    He who has the most accurate and timely information wins.

    Coming back around full circle: This is why merchants should be responsible (and their banks). It forces them (and me!) to educate myself and minimize EVERYONE's risk. A previous owner left draft information for bank auto withdrawal in a binder, on the desk, by the door, for all his customers. Huge fraud potential. Some leave credit card information in the store after the day of sale. Huge fraud potential. I could go on, but I've proven the premise for my conclusion: You have to be active and reduce your costs through fraud prevention. How can I reasonably hold VISA accountable when I'm a merchant stupid enough to charge a card with someone else's name (I've seen guys try to use their wife's card....Dudes do not look like a "Wendy" to me).

    On the flip side, I had a merchant pissed because I called in a charge back. Yeah he was pissed, because chargebacks increase fees a bank charges....but I guarantee you he'll call next time he does an unauthorized pre-pay on my card. I manage a tech support department and we follow the policy I told him he should follow to reduce costs: Always call someone before you charge their card. In my case, he charged a 2nd $700 and then my wife said, "Should there be a 2nd one?" I said, "Nope" (not thinking two steps past why she asked) and so she called the credit card to charge it back. Whole thing could have been avoided.

    So there you have it...I've mentioned my perspective from personally being both sides of the "coin" (and being accountable for the $$)....and I'd say the system is set up efficiently, and for the most part, fairly.

    1. Re:Having owned a store by gamer4Life · · Score: 2, Insightful

      ...ACTUALLY CHECKING THE SIGNATURE!!!
      Doesn't do a thing except waste time. You would catch more false positives before you catch an actual thief that forgot to learn to forge the signature.

  9. Merchant pays? Not all the time. by Itninja · · Score: 5, Informative

    I am an online merchant and I use both Google Checkout (in the foreground) and Paypal Payments Pro (in the background) to process CC transactions. Both of those providers will (and have for me in the past) eat the fraudulent charges as long as I had taken all required steps to ensure the transaction was genuine.

    For example, I had one $100 sale that, a few months ago, came back as 'fraudulent'. Paypal asked me to provide documentation to show the steps I took to verify the buyer's information. I keep all these records, so I sent Paypal address verification, proof of delivery, etc. After about a week they contacted me, told me that I followed their verification process properly, and that they would absorb the cost of the disputed transaction.

    --
    I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
  10. Slightly OT about merchants eating charges by hellfire · · Score: 2, Interesting

    I'm absolutely shocked by the ignorance of some people about credit cards. Now I'm not talking about a Joe on the street, I'm talking about people taking the orders. Many merchants favor convenience over everything else.

    For example, in the order processing system I support, we mask the first 12 digits of the credit card when you retrieve an existing order. It didn't always do that, but it eventually did as part of an upgrade to comply with the PCI standards above. That makes sense, lots of systems started doing that even before the standards and now all of them do. But one guy wanted to argue with me that it will hurt his customer service because he can't read the card number. I explained to him that it's out of my control and that Visa imposed these restrictions on all computer systems and you can't buy a system that doesn't have this feature any more. Furthermore, merchants and software companies could be fined by Visa if they didn't have these restrictions.

    I was going to explain why Visa mandated the change and explain card security when he demanded: "We'll take the chance, change it back." If I were his customer, I'd have yanked my business, knowing that it's an easy inside job for him to steal my credit card.

    Also, it's happened to me twice recently, where two major chains I visited (Superfresh and Target) took my card and made me sign an electronic signature capture device for my signature. In both cases, the signature pad and/or pen was broken and was basically reading garbage. I could not write my signature. In both cases they said "we don't need your signature" and just ushered me out of line. Okay they are major chains, and could eat a charge now and then, but hell you would think they would care about their signature pads a little more. Maybe close the line or have replacements on hand to easily swap out. Everyone going through that line that day was a potential risk to the merchant for a chargeback, just because they didn't capture a proper signature. And that exposes me as well because I'm unable to sign my signature which leaves me open for question when signing other receipts.

    The way security works now in credit cards I feel is good, and it's designed to increase the security on integrated systems. 80 to 85% of credit card number theft is an inside job. People stealing card numbers and internal information, and computers just make it easier to do that without restrictions on said computer. The merchant doesn't care if you get hit with fraud. Visa cares because if their cards are insecure, no one will use them. So Visa makes the merchants care by assigning responsibility to them, because that's where most fraud occurs. It's very logical.

    --

    "All great wisdom is contained in .signature files"
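    The masking the post describes, as an added example written for this page (not code from the poster's order-processing system or from any PCI document). It assumes a PCI DSS-style display rule of at most the first six and last four digits, uses the Luhn check to avoid redacting ordinary numbers, and also scrubs card numbers out of free-text log lines, which is where full numbers usually leak.

```python
"""PAN display masking and log redaction (added example, not the poster's code).
Assumed rule: a retrieval screen shows at most first six + last four digits;
a log file never contains a full card number."""
import re


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters out order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 0, keep_last: int = 4) -> str:
    """Mask a card number for display. keep_first=0 mirrors the poster's system
    (everything but the last four hidden); keep_first is capped at 6."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a plausible card number")
    keep_first = min(keep_first, 6)
    keep_last = min(keep_last, 4)
    hidden = len(digits) - keep_first - keep_last
    return digits[:keep_first] + "*" * hidden + digits[len(digits) - keep_last:]


# 13-19 digits, optional single spaces or dashes between them, not inside a longer run
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid card number in a log line with its masked form;
    digit runs that fail Luhn (order ids, timestamps) are left alone."""
    def repl(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return mask_pan(digits)
        return m.group(0)
    return PAN_CANDIDATE.sub(repl, text)


# Constructed sample: 4111... is the well-known Visa test number, not a real card.
SAMPLE_LOG = "order 1234567890123 paid with card 4111 1111 1111 1111 by user 42"
```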

  11. PCI Misconceptions by brufar · · Score: 2, Informative

    A lot of people seem to have a misconception of exactly what PCI is, what it covers, and what it does.

    PCI affects all areas of the transaction stream.

    When looking at ATMs for instance, the units must be tested and certified (InfoGuard, TNO and T Systems). If you attempt to open the device it dumps the program and tampers the unit so it can't be reprogrammed. This prevents a situation such as the one at Stop & Shop where a malicious party opened the POS device and apparently hooked up a device to sniff the card reader (article is a little vague on exactly what was done to the POS devices). There should be no place in between the PIN pad and the CPU of the device where data can be read in the clear without causing a tamper condition in the unit.

    Some of these requirements are relatively new and some older terminals that are currently in place may not meet these requirements. Any existing units that are relocated or changed must meet the new requirements at that time. One exception to this is data encryption. All terminals must now transmit data using 3DES encryption; any terminals that are not utilizing 3DES encryption and are running the older single DES were to be taken off-line at the end of last year.

    Also all software run on the device must be certified through testing and any software changes must be re-certified as well. Software is sent to the device in an encrypted format, routinely verified on the device for changes, and units must identify themselves with a unique set of keys in order to access updated software. On top of that each switch (STAR, CORE DATA, ECS, LYNK, etc.) that the terminal may dial into has to certify the equipment and software to work with their systems before you can use that terminal to process transactions through that switch.

    Now go to the company/merchant/etc. that is processing transactions, whether they be web based, point of sale, or ATM. Any company that has card data on file is subject to PCI requirements as well. This can be everything from segmenting card holder data on the network, encrypting the database containing card holder data, additional logging requirements that show who accessed what data, when and from where, to physical security; the PCI requirements are quite extensive. https://www.pcisecuritystandards.org/tech/download_the_pci_dss.htm

    If a card number is lost it costs VISA or Mastercard about $60.00 to re-issue a new card. Now if several thousand cards get lost those numbers can get large rather quickly. If you are PCI compliant as a merchant or processor, and have adhered to all 240+ requirements of the PCI certification that apply to you, and you lose card holder data, you will probably dodge the huge fines (think tens of thousands or millions of dollars here depending on the size of the breach) levied by VISA in case of a breach, which is on top of the fees to re-issue the cards. If you are NOT compliant all those fines and fees will be passed on to you.

    PCI is not an instrument put in place to address the use of a stolen card. It's to prevent the loss of large numbers of card holder data at one time.

    I think it's great the industry is imposing the regulations on itself, some of which are extremely stringent. And it beats the heck out of how the government could butcher doing the same process by trying to regulate it.

    --
    far...out
  12. I've seen it happen. (Sort of.) by Kadin2048 · · Score: 4, Interesting

    Some friends of mine still tell a story from pre-internet days: an obviously fraudulent order was reported to the police, who actually took action(!) Two police officers dressed as couriers delivered a fake parcel and nicked the thief when he signed for it.

    This is what really gets me about internet/mail-order fraud. The risks would be huge if the police gave a shit, since frequently it is blatantly obvious, and the thief has given the place and time he's going to receive the goods, and all that has to be done is turn up and put cuffs on him. No-one cares though.


    They start to care when the amount of money exceeds trivial amounts, though. Not too long ago, I spent some time living in a house with a few guys (*cough* Craigslist *cough*). One of the other people in the house was actively engaged, I suspected, in some type of shady dealing. Needless to say, I moved out in a heck of a hurry. As it all came out later, this not-too-bright fellow thought he had discovered the perfect scheme: he was copying credit card numbers down at work, and then using them to buy things online, which he had shipped to various empty houses, and then he'd go and pick the stuff up later, and pawn or fence it on eBay. (And this is pretty much all I know about it; I don't quite get how he was getting the billing zip codes, which are usually required, or anything else.)

    He got away with it for quite a while, too -- somewhere around six months, maybe more -- probably because he never used the same card more than once, never bought stuff from the same online store, and never charged more than $100 or so per card. But eventually the credit card companies must have caught on, and run all the accounts that had disputed charges through some sort of filter, and figured out that the common thread was the retail establishment where he worked. One day, according to the story I heard, they just walked in and arrested him. They had a stack of photos of him picking up packages from other people's houses, plus transaction details from the various merchants with the stolen CC numbers and the shipping addresses.

    So both the credit card companies and the police have some level of interest in going after people engaged in fraudulent activity, but the bar seems to be pretty high. I've no idea how much money had to go missing before someone at one of the CC companies (or an automated program of some sort) decided to take a closer look and see what the common thread was, but it must have been in the thousands of dollars, perhaps tens of thousands.

    In this case, I don't see how the merchants would have ever caught on; to all the places where things were ordered, it looked just like a regular transaction. It was only at the CC back offices, where they had the ability to cross-reference all the suspect accounts and see that they had all visited the same store within the past 24-48 hours (or whatever, I assume this is how they caught on), that they had the capability of doing anything. To push the financial burden out to the merchants, probably would have meant that he could have gotten away even longer.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    1. Re:I've seen it happen. (Sort of.) by Target+Drone · · Score: 3, Informative

      I've no idea how much money had to go missing before someone at one of the CC companies (or an automated program of some sort) decided to take a closer look and see what the common thread was

      They may have figured it out from his IP address. If you're on high-speed, your IP tends to remain the same for weeks or months at a time. Other providers may be different. The credit card API that I used had an optional field to send through the IP address of the customer making the purchase. If enough online retailers fill in the field then it's pretty obvious that you have chargebacks on different CC numbers that were purchased from the same IP address.
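      The two back-office signals the thread describes, as an added example written for this page (not Target+Drone's code or any card network's): the merchant that most disputed cards visited shortly before their first fraudulent charge (the "common thread" in the parent post), and the customer IP address that several disputed online orders share. The ledger is constructed sample data; card numbers are represented by tokens, never by the PAN itself.

```python
"""Chargeback clustering over a constructed ledger (added example, not the
poster's code). Tokens stand in for card numbers so the analysis never needs a PAN."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample rows: (token, merchant, when, customer ip or None, disputed)
LEDGER = [
    ("tok-A", "corner-deli", "2007-02-01 12:00", None, False),
    ("tok-A", "web-shop-1", "2007-02-02 09:10", "198.51.100.7", True),
    ("tok-B", "corner-deli", "2007-02-02 18:30", None, False),
    ("tok-B", "web-shop-2", "2007-02-03 20:00", "198.51.100.7", True),
    ("tok-C", "corner-deli", "2007-02-02 08:15", None, False),
    ("tok-C", "web-shop-3", "2007-02-03 11:45", "198.51.100.7", True),
    ("tok-D", "gas-station", "2007-02-02 07:00", None, False),
    ("tok-D", "web-shop-1", "2007-02-02 19:00", "203.0.113.5", True),
    ("tok-E", "corner-deli", "2007-02-05 13:00", None, False),   # never disputed
]


def parse(rows):
    """Turn the tuples into dicts with real datetimes."""
    return [dict(token=t, merchant=m, when=datetime.strptime(w, "%Y-%m-%d %H:%M"),
                 ip=ip, disputed=d) for t, m, w, ip, d in rows]


def common_point_of_purchase(rows, window=timedelta(hours=48), min_share=0.5):
    """Rank merchants by the share of disputed cards that made a legitimate
    purchase there inside `window` before that card's first disputed charge.
    Returns [(merchant, share)] for merchants at or above min_share."""
    txns = parse(rows)
    first_dispute = {}
    for t in txns:
        if t["disputed"]:
            prev = first_dispute.get(t["token"], t["when"])
            first_dispute[t["token"]] = min(prev, t["when"])
    hits = Counter()
    for token, when in first_dispute.items():
        visited = {t["merchant"] for t in txns
                   if t["token"] == token and not t["disputed"]
                   and when - window <= t["when"] < when}
        hits.update(visited)            # each card counts a merchant once
    n = len(first_dispute)
    return [(m, c / n) for m, c in hits.most_common() if c / n >= min_share]


def shared_ip_clusters(rows, min_cards=2):
    """IP addresses behind disputed online orders from at least min_cards
    distinct cards, mapped to the sorted card tokens."""
    by_ip = defaultdict(set)
    for t in parse(rows):
        if t["disputed"] and t["ip"]:
            by_ip[t["ip"]].add(t["token"])
    return {ip: sorted(toks) for ip, toks in by_ip.items() if len(toks) >= min_cards}


if __name__ == "__main__":
    print(common_point_of_purchase(LEDGER))   # corner-deli visited by 3 of 4 disputed cards
    print(shared_ip_clusters(LEDGER))         # one IP behind three cards' disputed orders
```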

  13. The Power of Cartels by yintercept · · Score: 4, Interesting

    Expanding on this thread. The credit card cartels actually benefit from the fraud since they can slam merchants with fees.

    If there were competition in the credit card business, then merchants could choose different merchant services, or have more say in which cards get used.

    One way for merchants to deal with credit card fraud would be for merchants to tack different service fees on to different cards. A merchant might charge a 1 percent fee on checks or debit cards, a 3 percent fee on card A, a 4% fee on card B (which seems more prone to fraud), a 5% fee on card D (which requires higher merchant fees).

    As it stands, of course, the credit card companies prevent merchants from the one logical course of action in the light of credit card fraud ... charging fees based on the performance of the payment method.

    The power of a cartel is that what goes around never comes around. And you get to take a percent of what goes around.

    1. Re:The Power of Cartels by swillden · · Score: 2, Interesting

      Just one general comment: Anyone who talks about "credit card companies" doesn't know what they're talking about. Those who understand the credit card industry call them by their real name: "banks".

      Visa and Mastercard are not companies in the normal sense at all, they're consortia of member banks, and they're primarily funded by dues paid by the members. They're clubs, basically, whose primary job is to establish standards so that their members can interoperate (issuing bank A's card can be read by acquiring bank B's machines and the two can communicate to authorize the transaction and arrange payment).

      Note that there *are* Visa and Mastercard corporations, but they're just regional organizations established to manage the work of the club. Some of these corporations also own transaction processing intermediaries and various other supporting businesses, but those are strictly penny ante compared to the money they get from dues which, in turn, is minuscule compared to the money issuers and acquirers make from finance charges and transaction fees.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  14. Anecdote by king-manic · · Score: 4, Interesting

    My family owns a very small Chinese food place. We had a Mastercard account. My parents were Luddites and refused to upgrade to an electronic terminal because they didn't understand how to use it. Our bank/merchant account reseller dropped the imprinter process and implemented a complicated IVR. My sister registered a transaction on the IVR for 62.86. The IVR registered it as 44,400.00 instead. We got a notice about it after and co-operated in resolving it for our customer. Despite the fact it was an obvious mistake and was greater than the actual limit of the customer's card we got a chargeback of $2456.00, which is more than the total MC orders we get in a year. We tried for weeks to address this since we were sure it was an IVR error, especially since it exceeded the customer's limit, but we had no course of action to resolve it as an error. We were stuck with a $2456.00 chargeback because the IVR either had a bug or did not do a proper check on the amount. We dropped MC support and dropped all of our MC cards because of this, but it won't protect merchants from other arbitrary decisions Visa/MC/AMEX make.

    --
    "There are more things in heaven and earth, Horatio, than are dreamt of in your philosophy."
    1. Re:Anecdote by jrumney · · Score: 2, Interesting

      My brother was once mistakenly charged $12,000,000 on his debit card, putting him $11,999,000 in overdraft. This happened on a Friday afternoon. The following week, he spent 3 days trying to find someone at the bank with sufficient authority to reverse the charge, and a further couple of days trying to get the $20,000 in interest charges credited back (which did not happen automatically after they reversed the $12mil). The merchant in this case was the bank itself - he had ordered a new customised card, which was supposed to have a $12 fee. So I'd keep fighting for that $2456 if I was you - try small claims court. This sort of thing does happen, and it often is the bank/credit card company's fault, especially when it well exceeds the limits that are supposed to protect the customer from silly charges.

    2. Re:Anecdote by king-manic · · Score: 2, Interesting

      Thank you for the suggestion. I think we'll move on. The legal fees would exceed the amount to be recouped. I'm in Canada and we have a loser pays system. The bank themselves were somewhat gracious but Visa itself was being bullies. The bank waived their commission on the transaction but Visa was the one demanding their cut. Small claims may not incur very much legal fees but the loser pays system doubles it if we lose and a win would recoup less than the $2456. We'd spend the time and labour; and then still face the possibilities of losing and losing the legal fees of both parties.

      --
      "There are more things in heaven and earth, Horatio, than are dreamt of in your philosophy."
  15. Re:Mod parent up! by bastion_xx · · Score: 2, Informative

    There are better systems, just ask our European counterparts. It's near impossible to buy anything in the UK (and I assume other EU countries) where the merchant does not have chip/PIN capability. Chip cards significantly reduce the risk to the merchant, and thereby reduce the discount rate paid, and provide the merchant with more chargeback rights.

    Granted, if the merchant puts out a Visa or MC logo, they still have to honor swiped transactions (notwithstanding that one Brick Lane curry house that kept saying no-no-no-chip only -- but I digress), but will do everything in their power (and the merchant agreement) to dissuade swiped transactions.

    Anyone who's had to work with Mastercard, Visa, AMEX, Discover, JCB/Diners, and the rest knows how bad it can be. But remember, these are just the associations. Look to the members who make up these organizations (or sit on the board of the publicly traded ones) and ask them why they haven't increased security. That's you, BoA, Chase, Citi, and the rest.

    But then again, one step down the food chain (and off to the side) are the acquirers. If they and the ISO's under them would provide merchants (their clientele) with chip/PIN solutions, that would go a long way to help the merchants out. Supporting such solutions, on razor thin margins (measured in single basis points in the most competitive markets) is always low on the list (along with decent merchant reporting).

    But, then again (2), the issuers would have to have products that support Chip/PIN. The only one I ever see, AMEX Blue, may be a good card, but I bet it's still used 98% of the time as a regular old track 2 swiped transaction. I'm interested in any large merchant that has card readers capable of chip transactions.

    So, you have the unholy triumvirate: banks and issuers that give out cards; ISO's / acquirers that accept cards and settle for the merchant; and the associations that set the rules for card acceptance, fraud processes, and such. If I was Visa, I'd issue a mandate to, err, issuers, that as of date x, all cards must be chip capable (with world-wide standards). At date x+n, acquirers, ISO's, and merchants must be capable of accepting Chip/PIN cards or face fines.

    Anyone who has had to deal with the craziness of PCI and its predecessors knows the frustration, fear, and pain of not meeting association deadlines.

    And while I'm on it, what is the adoption rate of Verified by Visa or the other SET-based solutions? These offer reduction in discount rates too, if implemented.

    Sorry for the rant, but having a waiter tell me to go down to a cash machine because my US-issued credit card isn't chip capable has got me a little feisty.

  16. Re:Credit cards and small business by jtheisen · · Score: 2, Insightful

    That number is written down on the credit card itself. Also, it's transmitted along with the credit card number itself, even if it's not stored. Why not use one-time passwords? You get a list of numbers and are asked for one if you want to do a transaction. The list is issued by post and then you wouldn't even need SSL for security.

    The merchants can do little to enforce such a system, that's up to the banks and credit card companies; so it's their fault that most parts of the world are left with pretty insecure payment systems.

  17. Brainless by Slashdot+Parent · · Score: 2, Informative

    Credit card companies are branches of banks

    Extremely misleading--borderline falsehood. True: credit card issuers must have bank charters, but there is no requirement that they participate in retail or commercial banking. Also true: There has been consolidation in the monoline credit card industry, such that there aren't any more large monoline credit card issuers, but that was not always the case. Before 2004 or so, MBNA, Capital One, and Providian were the third, fifth, and seventh largest credit card issuers (respectively), and were monoline. MBNA and Providian were bought, Capital One decided to go into retail banking and bought some branch banks (they offer deposit accounts, auto loans, etc. now). My point is, credit card companies are not automatically branches of large banking conglomerates.

    They are affiliated, strongly, with insurance and investment companies.

    That's sort of true for AmEx, and B of A (if you really want to consider them investment companies... they are certainly bottom tier in that department... and B of A offers some insurance, but is certainly not a major player), but what about Capital One? What's in your wallet, man? ;) (just a little joke... I know who ya are)

    Just as any other large corporation when one division suffers a loss then, in nothing more than the ledger book, the losses are distributed amongst the other divisions.

    That is really out of touch with reality. Most large business groups do not keep poorly-performing lines of business open for long. They tend to be more focused on profit, not shunting losses among divisions.

    Think about that next time the interest rates on home mortgages goes up, or the premium on the insurance plans, or when the quality of service for medical insurance goes down, or when the price of motor fuel goes up...

    Pure tinfoil hat thinking. Plain and simple. A company isn't going to bleed losses in one LOB just because another is profitable. And credit card interest rates have zero to do with the price of gasoline in China.

    These things happen because the businesses are recouping losses. Why are credit card rates so high?

    Credit card interest rates are high because credit risk is high.

    Think about it. Let's say you charge up $5,000.00 on your credit card. You get a bill from MBNA/Bank of America/WhoeverOwnsThemThisWeek for $125.00 (2.5% of your outstanding balance is a common minimum payment). At this point, you have three options:

    1. Pay the $125.00. Result: you get a bill next month for $123.75. Rinse, lather, repeat.
    2. Pay more than $125.00. Result: you get a bill next month for less than $123.75... or $0, if you paid off your entire balance. See option #1.
    3. Instead of sending money, you send a letter to your bank instructing them to go pound sand. You're not paying. Result: They'll call you. They'll yell at you. They'll tell you you owe them money. They'll demand payment. They'll call you nasty names. But in the end, the loan was unsecured, so they are basically up a creek. Their only recourse is to sue you and then attempt to collect. The average amount collected is higher than the average collection costs, so they generally don't even try unless you owe tens of thousands of dollars.

    What does that have to do with the price of tea in China or the interest rate on your credit card? Because the CC company's only recourse if you decide not to pay is to make menacing phone calls (until you realize you can just tell them to quit calling and they are required by the FDCP Act to stop), they have a ton of losses. That 18% interest rate you pay is to cover the fact that the CC company is taking on an enormous credit risk.

    That's why mortgage rates are so much closer to the prime rate. Very low credit risk. You no pay, bank take your house and you wind up homeless in la jolla. End of s

    --
    They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock