Slashdot Mirror
Judge Allows Small Businesses To Sue Credit Card Giants For Forcing Them To Adopt Chip Readers (computerworld.com)
An anonymous reader quotes a report from Computerworld: A federal judge has ruled it is plausible that four national credit-card companies improperly conspired "in lockstep" to set a deadline of Oct. 1, 2015 for requiring retailers to upgrade their technology to accept embedded chip cards for credit and debit card purchases. In an order issued Friday (Case number C 16-01150 WHA), U.S. District Court Judge William Alsup agreed with two small Florida businesses -- B and R Supermarket and Grove Liquors -- which brought the lawsuit in March. Alsup's ruling also allows the antitrust case against Visa, Mastercard, American Express and Discover Financial Services to move forward in federal court for the Northern District of California. The two retailers are seeking to create a class-action case involving millions of small retailers who have been required under the Oct. 1, 2015 deadline to assume liability for fraudulent card charges if they haven't upgraded to the more-secure chip card technology instead of magnetic-stripe cards. The retailers believe there was industry conspiracy over creation of the deadline that violates fair trade practices. In the same ruling, the judge allowed two other retailers -- Los Angeles-based gourmet food chain Monsieur Marcel and New York-based grocery story chain Fine Fare -- to intervene in the case. Lawyers for the retailers have said a class-action lawsuit could include 8 million U.S. small businesses. They would seek repayment of the cost of upgrading to chip card readers and related software, estimated at $6 billion. However, the National Retail Federation has recently estimated the total cost of the conversion in the U.S. at up to $35 billion.
It makes sense to impose some or all of the cost on the retailer because the retailer controls the number of terminals involved. If a retailer wants a greater number of secure transaction points it makes sense that the retailer pay for this business decision.
Because they are a federally subsidized and insured bank with monopolistic allowances.
If you want to be able to borrow money at 0% and lend it at 20%, then fuck you, do as you are told.
You are welcome on my lawn.
Maybe this is an American problem, who knows. In Canada, we have been using Chip and Pin exclusively for 5 years now. No swipe. We have even moved past chip and pin to a new technology called Tap, where we can just tap our card on the reader for any purchase under $50, or $75 at gas stations and grocery stores.
Both are safer because they use rolling codes built in to the chip. If someone skims your card the data they get is only valid for a few minutes after its used .
You get used to it. You don't forget your card. Time to join the modern era America.
Just upgrade your damn terminal already.
Many of them did. The problem is that the new terminals then need to be certified by each card company before they can be turned on, for each business (not just a hardware certification for the mfg, each deployment requires certification). The card companies have been dragging their feet getting them certified, particularly for small to mid sized businesses. However they did not extend the deadline for those companies that installed the terminals but can't yet use them. So these businesses did what they were supposed to do but they are in a bind now with liability shifted to them but they are unable to even accept chip cards because they can't get the big 4 to certify their installations.
This happened to my local grocery chain. They have the new readers, had them well before the deadline, but they can't use them, even now almost a year after the deadline passed, because they are still in the queue for certification.
I browse on +1 so AC's need not respond, I won't see it.
Europe here, same deal. I can't remember when I actually used that magstrip of my card outside of the US. Even third world countries have had chip readers in operation for years now, only in the US this seems to be a huge issue.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
It isn't being forced on them. They have the alternative of not accepting CC transactions, which is something many businesses do.
They also have the choice continuing to use the old equipment, but they then accept responsibility for fraudulent transactions that could have been prevented by using chip cards. Hell, as far as I know, they still have the option of imprinting paper slips and depositing them at the bank like checks, but the costs all end up on the merchant, as they should.
At some point we need to have progress, and magstripes need to die. Many technical standards have deadlines where old features stop being supported.
Mag stripes will be around for at least a decade, and probably two or three. But they'll be slowly phased out over the next few years for most people most of the time.
The merchants have had plenty of time to upgrade,
Sort of, but not really. Unless you're Walmart or Home Depot, you don't write your own processing software, you rely on your point of sale vendor, and very few point of sale vendors were ready by October of last year. Many small businesses simply did not have the option to start doing EMV by the deadline.
and plenty of warning that the end was coming. Most merchants support the change, since it is the merchants that pay the biggest price for fraud. That is why the plaintiffs are having problems organizing a class action. It is only a few whiners that are complaining.
Liability issues aside, any merchant complaining about EMV (with point of point encryption) is an idiot. EMV isn't about protecting consumers from fraud against their card (hence the chip & signature instead of chip & PIN), it's about protecting banks and merchant services from idiotic merchants who can't keep their network secure. Implement EMV with P2P encryption, and the merchant never sees the card in at all, and if someone breaks into their network, there's nothing to steal. Makes PCI compliance easier, and pretty much eliminates the chance of the merchant having to pay six figures to investigate a breach.
They're just not happy about the liability shift strong-arming them into this. But honestly? They SHOULD be liable when they're the roadblocks preventing customers from having good security. They're dragging their feet on this because it's an externality--they don't care if their customers get screwed, as can be seen with, e.g. the Target hack, but they do see a cost for newer, more secure equipment.
EMV has nothing to do with protecting consumers, and has zero effect on security for the consumer. Steal the card, and you can use it, same as before (since it's almost entirely chip & signature rather than chip & PIN) The consumer isn't protected buy the technology, the consumer is protected by the law, with a $50 limit on liability on a stolen card.
EMV is about protecting the banks and processing companies, who have nearly all the liability for fraud, and secondarily protecting merchants, because when fully implemented, EMV with P2P encryption means the merchant never sees the card info at all, and has nothing on their network to steal. All the worst breaches in recent years have been of retailers' networks, stealing millions (or 100 million+) card numbers at a time. And if the retailer is PCI compliant (as Target was, apparently), the banks eat the loss. EMV/P2P encryption eliminates that vector. That is the point of it.
And the upgrade is very, very much in the merchants' best interests because of that.
I can't remember the last time I saw a mag stripe machine, and if I did see one, I would pay cash.
Now explain why the POS vendors are losing revenue due to certification delays. Is is your theory that they're tanking their business to support the line? Or selling the dope? My theory is that you simply don't understand that level 3 certification is literally by deployment and too self-satisfied to consider that you might be wrong.
Being forced to upgrade to something which in every other country in the world has caused a significant drop in credit card fraud is a damn good thing, not a sueable offence.
The new chip system in the US works differently than the chip system in Europe, so no, the US isn't being forced to adopt what the rest of the world is already using.
For instance, in France I can use a European chip card in a restaurant in the middle of nowhere where there is no cell phone reception (or no landlines), and the transaction gets reconciled later when the transactions get uploaded. In the US, under the new system, no one is allowed to keep the data around for later reconciliation, even in an encrypted form, so that means that the multitudes of authentication handshakes must occur correctly before the transactions get authorised (even if the amounts in question are tiny).
This is incorrect. The US requirement for "Online Only" is strictly for fraud liability. You can use offline PIN in the US (though it can be attacked). Furthermore, all EMV cards, including those issued in France have what is called a velocity limit on the card. When this limit is hit, the card itself requires the next transaction to go online no matter what. If the terminal tells the card that it cannot go online, then the card itself will either reverse a pending ARQC (online request) or will just immediately return an AAC (decline). This is true in all regions where EMV has been implemented.
This is why using smartcards in Europe takes no time at all to get authorized, they're actually faster than magnetic debit/credit cards. But this is also why the current smartcards in US (when used through the chip) are so slow, although in theory they're supposed to be more secure than the European smartcards.
This is also incorrect. The chip transactions in the US are slow because most banks have insisted on implementing EMV incorrectly. A properly configured terminal will process an EMV request in 1-2 seconds in the US. That's not (noticeably) slower than an offline approval. It is literally a few hundred milliseconds longer.
>The only fail I agree with is that you do not use your PIN.
We don't HAVE a PIN, so there is nothing was and choose to use or not use. There is no choice. No PIN.
>It takes about 15 seconds for the payment. Due to postings here, I have tested it and also looked at other people trying it out.
15 seconds is about 10 times longer than it used to take.
>I have NEVER forgotten my card, ever. I put it in, type my PIN and take it out while I have my wallet in my other hand. Almost everybody does it like that. Why would you NOT take it out again.
Because instead of swipe and put in wallet, which takes 1 second, you have have to insert the card, wait for 15 to 30 seconds or longer, someone is distracting you, cashier asks questions, does something, hands receipt.... all the while, the card is still there saying "DO NOT REMOVE" and you don't notice when it says remove. Again, THERE IS NO PIN. There is no interaction with the system whatsoever after inserting the card. So it is easy to forget during that long delay.
>Corroded card? I have been using these cards for I do not know how long. Never had that issue.
That's great for you. But my card, which is stored only in a clean wallet, had fouled contacts in just 4 months. VISA card.
>So yes, we get it: people do not like
Don't be so condescending. I have no problem with change, I have problems with change that makes something WORSE that it was before- more annoying, less convenient, more time consuming, less reliable. And that is my experience with this so far.
EMV has nothing to do with protecting consumers, and has zero effect on security for the consumer. Steal the card, and you can use it, same as before (since it's almost entirely chip & signature rather than chip & PIN)
I cant beleive you wrote that entire post just to say "I know nothing about EMV".
EMV was never designed to protect against fraudulent transactions or to block stolen cards, it was designed to protect against card cloning. In this endeavour it has been hugely successful. Whilst you can clone EMV cards, it's such a PITA that no-one bothers.
Now the real defence that is stopping stolen cards that is going along with EMV is the elimination of signatures for purchases. This is because signatures are easily faked (including removing the old signature and putting your own on, which is pretty redundant as no-one checks it anyway). You cant sign for a purchase any more and enforcing this means getting rid of the old terminals which would ask for a signature. EMV is about protecting the banks and processing companies,
Again, you're wrong.
EMV terminals push the liability onto the banks and processors, non EMV terminals push the liability onto the merchant. So if a merchant using an EMV terminal has a fraudulent transaction, they're covered and the cost is worn by the bank or processor.
Calling someone a "hater" only means you can not rationally rebut their argument.