Slashdot Mirror


Judge Allows Small Businesses To Sue Credit Card Giants For Forcing Them To Adopt Chip Readers (computerworld.com)

An anonymous reader quotes a report from Computerworld: A federal judge has ruled it is plausible that four national credit-card companies improperly conspired "in lockstep" to set a deadline of Oct. 1, 2015 for requiring retailers to upgrade their technology to accept embedded chip cards for credit and debit card purchases. In an order issued Friday (Case number C 16-01150 WHA), U.S. District Court Judge William Alsup agreed with two small Florida businesses -- B and R Supermarket and Grove Liquors -- which brought the lawsuit in March. Alsup's ruling also allows the antitrust case against Visa, Mastercard, American Express and Discover Financial Services to move forward in federal court for the Northern District of California. The two retailers are seeking to create a class-action case involving millions of small retailers who have been required under the Oct. 1, 2015 deadline to assume liability for fraudulent card charges if they haven't upgraded to the more-secure chip card technology instead of magnetic-stripe cards. The retailers believe there was industry conspiracy over creation of the deadline that violates fair trade practices. In the same ruling, the judge allowed two other retailers -- Los Angeles-based gourmet food chain Monsieur Marcel and New York-based grocery store chain Fine Fare -- to intervene in the case. Lawyers for the retailers have said a class-action lawsuit could include 8 million U.S. small businesses. They would seek repayment of the cost of upgrading to chip card readers and related software, estimated at $6 billion. However, the National Retail Federation has recently estimated the total cost of the conversion in the U.S. at up to $35 billion.

8 of 311 comments

  1. Down the rabbit hole by mattyj · Score: 1, Interesting

    The processing of nearly every credit card purchase in the US eventually trickles down to one firm, so perhaps it wasn't the 'big four' conspiring.

    I'm not really sure why them setting the same date for themselves affects anyone. Just upgrade your damn terminal already.

    1. Re:Down the rabbit hole by peragrin · Score: 4, Interesting

      Ah, but that is half the issue. Chip readers, once installed, needed to be certified by the card companies. That certification is on average 12 months behind.

      So you see a terminal but do not use sticker? The software stack, connections, etc. haven't been certified to use chips.

      Credit card companies failed to provide enough certifiers, and enough time to begin the changeover. It has been mentioned by MasterCard executives that they never once talked about processing speed of the transactions, which is why chip readers take 30% longer to process after sending your card data.

      MasterCard and Visa cared about their bottom line, and pushed responsibility to merchants, but didn't provide the tools for merchants to do it right.

      Lastly, an October 1st deadline is irresponsible, as the slightest hiccup destroys holiday shopping, which is what happened last year. A Feb 1st deadline with a 6-12 month soft start 50% of fraud is paid both issues, and merchant would have been more successful, and less lawsuit prone.

      --
      i thought once I was found, but it was only a dream.
    2. Re: Down the rabbit hole by rickb928 · Score: 3, Interesting

      Terminal hardware is certified before they are shipped.

      Software is updated, and verified before deployment.

      Nobody ships untested terminals. That's disastrous.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    3. Re:Down the rabbit hole by jittles · Score: 5, Interesting

      > Just upgrade your damn terminal already.

      > Many of them did. The problem is that the new terminals then need to be certified by each card company before they can be turned on, for each business (not just a hardware certification for the mfg, each deployment requires certification).

      That is untrue. You do NOT have to certify each deployment with the card companies. You have to certify the terminal hardware, the kernel on the hardware (card brand specific), the communication from the card terminal to the gateway, and the communication from the gateway to the processor. The processor has to certify from them to the card brand. Most gateways are offering certified hardware + software deployments that only require you to certify with the processor if you develop against their software. If you just take a package that is already certified, you have to do nothing other than meet your PCI requirements that you're already obligated to do. I spend my life writing card terminal drivers and everything I do has to be certified from the terminal to the payment gateway. This is my every day life. You would only need to certify if you made your own software implementation somewhere in that chain. If you write software below the gateway then you may not even need to certify with the card brand, you may be able to just certify with the gateway, depending on what exactly you did.

      > The card companies have been dragging their feet getting them certified, particularly for small to mid sized businesses. However they did not extend the deadline for those companies that installed the terminals but can't yet use them. So these businesses did what they were supposed to do but they are in a bind now with liability shifted to them but they are unable to even accept chip cards because they can't get the big 4 to certify their installations. This happened to my local grocery chain. They have the new readers, had them well before the deadline, but they can't use them, even now almost a year after the deadline passed, because they are still in the queue for certification.

      Which chain is this? Publix, for instance, chose to write their own card terminal application which requires all kinds of certifications with the card brands, terminal manufacturers, etc. That's a time consuming process. But I've personally had such a project go through certification in a matter of weeks. It's not the card brands holding things up.

    4. Re:Down the rabbit hole by Anonymous Coward · Score: 4, Interesting

      In many cases (our stores, for example) the hardware was not available (from our credit card processor).

      We got our first chip capable machine in January - and it did not work. I plugged it in, ran a transaction, and got an error. After a couple of software updates - nope, still not working with chip cards. Swap the hardware - still not working. Swap the hardware again - finally everything works. Hey look, it's February, 2016!

      We were charged extra fees from October thru February for not having compliant hardware in place. Hardware which was not available -according to the company charging us the extra fees for not having it yet.

      Who paid for the equipment? We did. We paid the credit card processor the amount they chose to charge us for the equipment that they said we had to have in order to do business.

      I think the upgrades were worth doing, but the rollout was handled poorly, and the companies responsible for setting the timeline profited off of the merchants' inability to meet the deadline.

  2. Hope they get fined big for this by guruevi · Score: 1, Interesting

    There is no reason to upgrade to chip cards except to benefit the card cartels. Forcing a small business owner to eat the fraudulent card charges is a big middle finger to these businesses, you can still fraudulently charge a chip card and the cost-benefit is just too insane for a business. Chip card transactions often not only cost more, but the readers and associated systems are a magnitude more expensive than their mag-stripe counterparts, for no good reason, I can get a Chinese chip card reader for $25, but the bank doesn't certify units under $250 and charge hefty monthly fees to use 'their' (same model) units.

    At least with a mag stripe, a developer could interface with a verifiable fully secure API, now you have to trust the banks and manufacturers not to screw with the system. To the strict letter, they can't even be considered PCI compliant because the owners have no control to change the passphrase or keys on them.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
  3. Enter the 21st century, get sued? by thegarbz · Score: 4, Interesting

    I mean it's high time that the USA got dragged kicking and screaming into the 2000s, but to sue the banks over it as well? I mean the USA has the current second highest amount of credit card fraud in the world behind Mexico who are also still in an age where they are marvelling about this fancy new thing called the internet.

    Being forced to upgrade to something which in every other country in the world has caused a significant drop in credit card fraud is a damn good thing, not a sueable offence.

  4. Re:Not Sure if... by cayenne8 · Score: 4, Interesting

    I hate the fucking chip things....

    I keep almost leaving my fucking card in the slot and walking away.

    With no PIN, I can't see how it is really any safer to me.

    And these days, half the time I get it wrong, if I plug it in, they say "no..still need to swipe", or vice versa.

    --
    Light travels faster than sound. This is why some people appear bright until you hear them speak.........