Judge Allows Small Businesses To Sue Credit Card Giants For Forcing Them To Adopt Chip Readers

An anonymous reader quotes a report from Computerworld: A federal judge has ruled it is plausible that four national credit-card companies improperly conspired "in lockstep" to set a deadline of Oct. 1, 2015 for requiring retailers to upgrade their technology to accept embedded chip cards for credit and debit card purchases. In an order issued Friday (Case number C 16-01150 WHA), U.S. District Court Judge William Alsup agreed with two small Florida businesses -- B and R Supermarket and Grove Liquors -- which brought the lawsuit in March. Alsup's ruling also allows the antitrust case against Visa, Mastercard, American Express and Discover Financial Services to move forward in federal court for the Northern District of California. The two retailers are seeking to create a class-action case involving millions of small retailers who have been required under the Oct. 1, 2015 deadline to assume liability for fraudulent card charges if they haven't upgraded to the more-secure chip card technology instead of magnetic-stripe cards. The retailers believe there was industry conspiracy over creation of the deadline that violates fair trade practices. In the same ruling, the judge allowed two other retailers -- Los Angeles-based gourmet food chain Monsieur Marcel and New York-based grocery story chain Fine Fare -- to intervene in the case. Lawyers for the retailers have said a class-action lawsuit could include 8 million U.S. small businesses. They would seek repayment of the cost of upgrading to chip card readers and related software, estimated at $6 billion. However, the National Retail Federation has recently estimated the total cost of the conversion in the U.S. at up to $35 billion.

Retailers are holding us in the stone age

They're just not happy about the liability shift strong-arming them into this. But honestly? They SHOULD be liable when they're the roadblocks preventing customers from having good security. They're dragging their feet on this because it's an externality--they don't care if their customers get screwed, as can be seen with, e.g. the Target hack, but they do see a cost for newer, more secure equipment.

And I can tell you right now that they won't make proper upgrades unless someone holds a gun to their heads.

Not Sure if...

[jittles]

I'm not sure if I have any sympathy for these retailers. The card industry did not force them to accept chip transactions, they forced them to accept liability if they refused to accept chip transactions. You can still, to this day, accept magnetic stripe data instead of chip data. You can also choose to take cash at any time. They also gave the warning more than a year in advance and even basically extended the deadline past October 2015.

Disclosure: I do make money off the chip card transition. However, I make money off of magnetic stripe implementations also.

Re:Not Sure if...

[markdavis]

I would +1 you if I had points.

The chip thing is a disaster as far as I am concerned:

* It is slow as molasses. Just unreal!
* It encourages you to forget your card.
* The other day it took 5 MINUTES for it to finally work at a store, the stupid contacts on my card are already corroded and the card is only 4 months old. Guess what, if it doesn't read, they wouldn't allow me any other way to use the card (key it in or swipe it). So it is NOT RELIABLE.
* There is still no PIN, so it doesn't prevent anyone from picking up my card and using it.
* It doesn't protect anything with online purchases.

Fail for consumers
Fail for stores
Fail for security
Fail for convenience
Fail for economy

*FAIL*

Re:Not Sure if...

[houghi]

The only fail I agree with is that you do not use your PIN.

It takes about 15 seconds for the payment. Due to postings here, I have tested it and also looked at other people trying it out.
I have NEVER forgotten my card, ever. I put it in, type my PIN and take it out while I have my wallet in my other hand. Almost everybody does it like that. Why would you NOT take it out again.
Corroded card? I have been using these cards for I do not know how long. Never had that issue. It does happen that sometimes the card or the reader fails. However when you see how many million of transactions fail, this is an minute amount and the magnetic strip fails more than the chip percentage wise. It is just not used that much any more in Europe.

It was not intended for online purchase security. You could even claim that it does not help open a beer and even if true, it is not relevant.

So I agree with the PIN part, the rest are apparently issue that have to do with the Imperial system as the rest of the world does not have an issue with it and many have moved on to even more modern things, like wireless payments for smaller amounts.

So yes, we get it: people do not like change. It happened when people where forced to go from Win3.1 to Win95. It happens all the time when things change. I know people moaned when HD was deemed stoopid for TV. It is happening now allover again. People do not like change.

There is also a reason that many banks in Europe block the cards for the USofA and you have to ask them to activate it. If that is the case, how bad is the issue in the US you think? Or do you think that walking around the city and throwing in windows is good for the economy, because the window makers are making more money?

Good

[somenickname]

This "upgrade" is a complete farce. If they had moved to chip and pin then, yes, it would make sense for all businesses to adopt it. As it is, they moved from a "something you have" model to a slower "something you have" model. Without a "something you have and something you know" model, the upgrade is mostly just an inconvenience to all involved parties (except the credit card companies who can now defer more blame).

Resistant To Change?

[labnet]

I wonder what makes Americans so resistant to change, and when they implement change, it has so many compromises to be unworkable?

Whether it be.
- Adoption of the metric system
- More sensible gun management
- Universal basic health care
- Writing dates mm-dd-yy
- Reform of you court/prison system

Australia has changed completely to chip cards. Mag swipe is no longer accepted.
For most merchants, transactions below $100, contact-less is used.
For over $100, a pin is required (and for some cards like amex, you need to insert the card for a chip read).
The transactions take around 2 seconds.

It works great. The $100 threshold is a good compromise for convenience vs fraud risk.

I assume you are complaining because your banks have stuffed up the implementation???

Re:Down the rabbit hole

[ShanghaiBill]

Any idea on who pays for the terminal upgrade, it wasn't mentioned in the article?

The terminal is owned by the merchant, so they pay for it.

If it is being forced on a business, then the credit card company should be sending them out free of charge

It isn't being forced on them. They have the alternative of not accepting CC transactions, which is something many businesses do. At some point we need to have progress, and magstripes need to die. Many technical standards have deadlines where old features stop being supported.

The merchants have had plenty of time to upgrade, and plenty of warning that the end was coming. Most merchants support the change, since it is the merchants that pay the biggest price for fraud. That is why the plaintiffs are having problems organizing a class action. It is only a few whiners that are complaining.

Re:Enter the 21st century, get sued?

[stephanruby]

Being forced to upgrade to something which in every other country in the world has caused a significant drop in credit card fraud is a damn good thing, not a sueable offence.

The new chip system in the US works differently than the chip system in Europe, so no, the US isn't being forced to adopt what the rest of the world is already using.

For instance, in France I can use a European chip card in a restaurant in the middle of nowhere where there is no cell phone reception (or no landlines), and the transaction gets reconciled later when the transactions get uploaded. In the US, under the new system, no one is allowed to keep the data around for later reconciliation, even in an encrypted form, so that means that the multitudes of authentication handshakes must occur correctly before the transactions get authorised (even if the amounts in question are tiny).

This is why using smartcards in Europe takes no time at all to get authorized, they're actually faster than magnetic debit/credit cards. But this is also why the current smartcards in US (when used through the chip) are so slow, although in theory they're supposed to be more secure than the European smartcards.

Re:Down the rabbit hole

[plover]

The problem is that the shitty new card readers aren't secure either, because here in the USA we are chip and sign and not chip and PIN. All the same attacks against a stolen card will still work.

Federal law caps your liability at $50, but under the current PCI liability rules if your chip card is stolen and misused your bank is 100% liable for the fraud, because they could have put a PIN on the card but didn't. Neither you nor the retailer is responsible for a dime of the loss.

The chip has all the anti-skimming technology, regardless of whether it requires PIN or signature authentication, and both are equally excellent at preventing cloning full card data.

What all cards (both chip and mag stripe) still suffer from is the ability to steal the PAN and use it for online fraud. Mag stripes have the worst security, and are almost as easy to clone as pushing the green button on a copier machine. Europe's experience has proven that the effect of chips was to move the fraud online. But eliminating mag stripes is the next step in securing credit. None of the other measures can have much of a beneficial effect on security until that weakest link is removed.

And if chip and signature bothers you that much, nothing is stopping you for applying for a MasterCard from a bank that requires PIN authentication. Your current bank may not offer one, but some of the major retail banks do. Take action instead of whining.