Judge Allows Small Businesses To Sue Credit Card Giants For Forcing Them To Adopt Chip Readers (computerworld.com)
An anonymous reader quotes a report from Computerworld: A federal judge has ruled it is plausible that four national credit-card companies improperly conspired "in lockstep" to set a deadline of Oct. 1, 2015 for requiring retailers to upgrade their technology to accept embedded chip cards for credit and debit card purchases. In an order issued Friday (Case number C 16-01150 WHA), U.S. District Court Judge William Alsup agreed with two small Florida businesses -- B and R Supermarket and Grove Liquors -- which brought the lawsuit in March. Alsup's ruling also allows the antitrust case against Visa, Mastercard, American Express and Discover Financial Services to move forward in federal court for the Northern District of California. The two retailers are seeking to create a class-action case involving millions of small retailers who have been required under the Oct. 1, 2015 deadline to assume liability for fraudulent card charges if they haven't upgraded to the more-secure chip card technology instead of magnetic-stripe cards. The retailers believe there was industry conspiracy over creation of the deadline that violates fair trade practices. In the same ruling, the judge allowed two other retailers -- Los Angeles-based gourmet food chain Monsieur Marcel and New York-based grocery store chain Fine Fare -- to intervene in the case. Lawyers for the retailers have said a class-action lawsuit could include 8 million U.S. small businesses. They would seek repayment of the cost of upgrading to chip card readers and related software, estimated at $6 billion. However, the National Retail Federation has recently estimated the total cost of the conversion in the U.S. at up to $35 billion.
They're just not happy about the liability shift strong-arming them into this. But honestly? They SHOULD be liable when they're the roadblocks preventing customers from having good security. They're dragging their feet on this because it's an externality--they don't care if their customers get screwed, as can be seen with, e.g. the Target hack, but they do see a cost for newer, more secure equipment.
And I can tell you right now that they won't make proper upgrades unless someone holds a gun to their heads.
I'm not sure if I have any sympathy for these retailers. The card industry did not force them to accept chip transactions, they forced them to accept liability if they refused to accept chip transactions. You can still, to this day, accept magnetic stripe data instead of chip data. You can also choose to take cash at any time. They also gave the warning more than a year in advance and even basically extended the deadline past October 2015.
Disclosure: I do make money off the chip card transition. However, I make money off of magnetic stripe implementations also.
This "upgrade" is a complete farce. If they had moved to chip and pin then, yes, it would make sense for all businesses to adopt it. As it is, they moved from a "something you have" model to a slower "something you have" model. Without a "something you have and something you know" model, the upgrade is mostly just an inconvenience to all involved parties (except the credit card companies who can now defer more blame).
Any idea on who pays for the terminal upgrade, it wasn't mentioned in the article? If it is being forced on a business, then the credit card company should be sending them out free of charge (assuming that the terminal will be paid off with transaction fees). I'm guessing this is not the case.
Otherwise, why is there a problem rolling out new terminals?
I can't figure out why retailers would refuse new terminals, unless they were being asked/demanded to pay for them.
If these new terminals are truly going to save the credit card companies so much money, it ought to have been a no brainer to provide them to retailers on their own dime and see the return on investment come over time, rather than, essentially, demand the retailers make investments solely for the credit card companies' benefit (with the exception that if the cc co's are going to turn liability over to the retailers, then, yes, they would stand to save their own money, but only because of a change in business dynamics).
Again, I could just be shooting in the dark as I didn't read the article, just chiming in with an opinion and nothing to back it up, which is what Slashdot's all about, right? :)
I mean it's high time that the USA got dragged kicking and screaming into the 2000s, but to sue the banks over it as well? I mean the USA has the current second highest amount of credit card fraud in the world behind Mexico who are also still in an age where they are marvelling about this fancy new thing called the internet.
Being forced to upgrade to something which in every other country in the world has caused a significant drop in credit card fraud is a damn good thing, not a sueable offence.
Newsflash - retailers always had to eat fraudulent charges. This is true with swipe, and even the imprint machines (which are still used).
The chip machines shift the liability to whoever is least secure - if your bank still gave you a swipe card and the retailer can take chip, the liability shifts to the bank. If it is all the way, then liability shifts to the cardholder (for not protecting their card and PIN).
And yes, the machines are more expensive, but not by much, because everyone by now has been making chip-enabled machines for years. Heck, I'd be surprised if 90% of the readers actually had chip support, but was disabled because the rest of the world used chip. (In Canada, this happened a few years before the chip migration - and yes, retailers had to swap their "chip capable" machines with the exact same model, because the old unit had the chip unit disabled).
And yes, magstripe security. Yes, it was convenient to swipe at the POS and handle it all on one piece of paper. Unfortunately, Target, Home Depot, and dozens of other retailers have shown the folly of it. (Now the machines talk to the card machine and the amount is transmitted, and a success/failure is returned). The chip machines are a black box and communicate with the bank directly, so even stupid retailers can't be stupid anymore.
I wonder what makes Americans so resistant to change, and when they implement change, it has so many compromises to be unworkable?
Whether it be.
- Adoption of the metric system
- More sensible gun management
- Universal basic health care
- Writing dates mm-dd-yy
- Reform of your court/prison system
Australia has changed completely to chip cards. Mag swipe is no longer accepted.
For most merchants, transactions below $100, contact-less is used.
For over $100, a pin is required (and for some cards like amex, you need to insert the card for a chip read).
The transactions take around 2 seconds.
It works great. The $100 threshold is a good compromise for convenience vs fraud risk.
I assume you are complaining because your banks have stuffed up the implementation???
Just upgrade your damn terminal already.
Many of them did. The problem is that the new terminals then need to be certified by each card company before they can be turned on, for each business (not just a hardware certification for the mfg, each deployment requires certification). The card companies have been dragging their feet getting them certified, particularly for small to mid sized businesses. However they did not extend the deadline for those companies that installed the terminals but can't yet use them. So these businesses did what they were supposed to do but they are in a bind now with liability shifted to them but they are unable to even accept chip cards because they can't get the big 4 to certify their installations.
This happened to my local grocery chain. They have the new readers, had them well before the deadline, but they can't use them, even now almost a year after the deadline passed, because they are still in the queue for certification.
I browse on +1 so AC's need not respond, I won't see it.
Any idea on who pays for the terminal upgrade, it wasn't mentioned in the article?
The terminal is owned by the merchant, so they pay for it.
If it is being forced on a business, then the credit card company should be sending them out free of charge
It isn't being forced on them. They have the alternative of not accepting CC transactions, which is something many businesses do. At some point we need to have progress, and magstripes need to die. Many technical standards have deadlines where old features stop being supported.
The merchants have had plenty of time to upgrade, and plenty of warning that the end was coming. Most merchants support the change, since it is the merchants that pay the biggest price for fraud. That is why the plaintiffs are having problems organizing a class action. It is only a few whiners that are complaining.
It isn't being forced on them. They have the alternative of not accepting CC transactions, which is something many businesses do.
They also have the choice of continuing to use the old equipment, but they then accept responsibility for fraudulent transactions that could have been prevented by using chip cards. Hell, as far as I know, they still have the option of imprinting paper slips and depositing them at the bank like checks, but the costs all end up on the merchant, as they should.
At some point we need to have progress, and magstripes need to die. Many technical standards have deadlines where old features stop being supported.
Mag stripes will be around for at least a decade, and probably two or three. But they'll be slowly phased out over the next few years for most people most of the time.
The merchants have had plenty of time to upgrade,
Sort of, but not really. Unless you're Walmart or Home Depot, you don't write your own processing software, you rely on your point of sale vendor, and very few point of sale vendors were ready by October of last year. Many small businesses simply did not have the option to start doing EMV by the deadline.
and plenty of warning that the end was coming. Most merchants support the change, since it is the merchants that pay the biggest price for fraud. That is why the plaintiffs are having problems organizing a class action. It is only a few whiners that are complaining.
Liability issues aside, any merchant complaining about EMV (with point to point encryption) is an idiot. EMV isn't about protecting consumers from fraud against their card (hence the chip & signature instead of chip & PIN), it's about protecting banks and merchant services from idiotic merchants who can't keep their network secure. Implement EMV with P2P encryption, and the merchant never sees the card at all, and if someone breaks into their network, there's nothing to steal. Makes PCI compliance easier, and pretty much eliminates the chance of the merchant having to pay six figures to investigate a breach.
Ah but that is half the issue. Chip readers once installed needed to be certified by the card companies. That certification is on average 12 months behind.
So you see a terminal but do not use sticker? The software stack, connections, etc haven't been certified to use chips.
Credit card companies failed to provide enough certifiers, and enough time to begin the change over. It has been mentioned by MasterCard executives that they never once talked about processing speed of the transactions, which is why chip readers take 30% longer to process after sending your card data.
MasterCard and Visa cared about their bottom line, and pushed responsibility to merchants, but didn't provide the tools for merchants to do it right.
Lastly, an October 1st deadline is irresponsible, as the slightest hiccup destroys holiday shopping, which is what happened last year. A Feb 1st deadline with a 6-12 month soft start 50% of fraud is paid both issues, and merchant would have been more successful, and less lawsuit prone.
i thought once I was found, but it was only a dream.
Terminal hardware is certified before they are shipped.
Software is updated, and verified before deployment.
Nobody ships untested terminals. That's disastrous.
deleting the extra space after periods so i can stay relevant, yeah.
I can't remember the last time I saw a mag stripe machine, and if I did see one, I would pay cash.
If it doesn't make business sense, don't take credit cards. If you decide it is worthwhile for your business to take credit cards, then shell out for the equipment, and be prepared to update it every 10-20 years. Do you ask the central bank to supply you a cash register free of charge?
Chip and signature is not chip and PIN. Nothing you said is relevant to the US. This "upgrade" has downsides and no upside for the consumer.
But do go on about the entirely unrelated system you like.
Socialism: a lie told by totalitarians and believed by fools.
Now explain why the POS vendors are losing revenue due to certification delays. Is it your theory that they're tanking their business to support the line? Or selling the dope? My theory is that you simply don't understand that level 3 certification is literally by deployment and too self-satisfied to consider that you might be wrong.
Just upgrade your damn terminal already.
Many of them did. The problem is that the new terminals then need to be certified by each card company before they can be turned on, for each business (not just a hardware certification for the mfg, each deployment requires certification).
That is untrue. You do NOT have to certify each deployment with the card companies. You have to certify the terminal hardware, the kernel on the hardware (card brand specific), the communication from the card terminal to the gateway, and the communication from the gateway to the processor. The processor has to certify from them to the card brand. Most gateways are offering certified hardware + software deployments that only require you to certify with the processor if you develop against their software. If you just take a package that is already certified, you have to do nothing other than meet your PCI requirements that you're already obligated to do. I spend my life writing card terminal drivers and everything I do has to be certified from the terminal to the payment gateway. This is my every day life. You would only need to certify if you made your own software implementation somewhere in that chain. If you write software below the gateway then you may not even need to certify with the card brand, you may be able to just certify with the gateway, depending on what exactly you did.
The card companies have been dragging their feet getting them certified, particularly for small to mid sized businesses. However they did not extend the deadline for those companies that installed the terminals but can't yet use them. So these businesses did what they were supposed to do but they are in a bind now with liability shifted to them but they are unable to even accept chip cards because they can't get the big 4 to certify their installations. This happened to my local grocery chain. They have the new readers, had them well before the deadline, but they can't use them, even now almost a year after the deadline passed, because they are still in the queue for certification.
Which chain is this? Publix, for instance, chose to write their own card terminal application which requires all kinds of certifications with the card brands, terminal manufacturers, etc. That's a time consuming process. But I've personally had such a project go through certification in a matter of weeks. It's not the card brands holding things up.
In many cases (our stores, for example) the hardware was not available (from our credit card processor).
We got our first chip capable machine in January -and it did not work. I plugged it in, ran a transaction, and got an error. After a couple of software updates -nope still not working with chip cards. Swap the hardware -still not working. Swap the hardware again -finally everything works. Hey look, it's February, 2016!
We were charged extra fees from October thru February for not having compliant hardware in place. Hardware which was not available -according to the company charging us the extra fees for not having it yet.
Who paid for the equipment? We did. We paid the credit card processor the amount they chose to charge us for the equipment that they said we had to have in order to do business.
I think the upgrades were worth doing, but the rollout was handled poorly, and the companies responsible for setting the timeline profited off of the merchants' inability to meet the deadline.
It isn't being forced on them. They have the alternative of not accepting CC transactions, which is something many businesses do.
They also have the choice of continuing to use the old equipment, but they then accept responsibility for fraudulent transactions that could have been prevented by using chip cards. Hell, as far as I know, they still have the option of imprinting paper slips and depositing them at the bank like checks, but the costs all end up on the merchant, as they should.
At some point we need to have progress, and magstripes need to die. Many technical standards have deadlines where old features stop being supported.
All of this is true and still tangential to the anti-trust case. Anti-trust collusion that forces actions that are in the interests of society is still illegal. The ends do not justify the means. The key point is that the change was indeed forced upon the retailers because they were denied the right to choose a competing supplier, a right that was illegally removed through collusion.
The problem is that the shitty new card readers aren't secure either, because here in the USA we are chip and sign and not chip and PIN. All the same attacks against a stolen card will still work.
Federal law caps your liability at $50, but under the current PCI liability rules if your chip card is stolen and misused your bank is 100% liable for the fraud, because they could have put a PIN on the card but didn't. Neither you nor the retailer is responsible for a dime of the loss.
The chip has all the anti-skimming technology, regardless of whether it requires PIN or signature authentication, and both are equally excellent at preventing cloning full card data.
What all cards (both chip and mag stripe) still suffer from is the ability to steal the PAN and use it for online fraud. Mag stripes have the worst security, and are almost as easy to clone as pushing the green button on a copier machine. Europe's experience has proven that the effect of chips was to move the fraud online. But eliminating mag stripes is the next step in securing credit. None of the other measures can have much of a beneficial effect on security until that weakest link is removed.
And if chip and signature bothers you that much, nothing is stopping you from applying for a MasterCard from a bank that requires PIN authentication. Your current bank may not offer one, but some of the major retail banks do. Take action instead of whining.
John
The Chip+PIN combo I have been subjected to is incredibly inconvenient only to push the liability to my side of the table. It is not any more secure.
Except for everywhere in the world where chip+pin has been implemented where the liability has not changed, the transaction is processed at a MUCH faster rate and the added security has decimated credit card fraud.
But other than these little things your post was ... errr.... grammatically correct?
I must have missed the official announcement that "most" actually means "all."
"No onsite certification" is bunk. There is a suite of scripts that have to be run at each deployment to check for functionality and security. The Intuit material also says:
The problem is that EMVCo has been riding the "too many businesses waited to schedule certification until the deadline" excuse for more than a year -- as if that wasn't entirely predictable from the start. EMVCo is also owned by Mastercard and VISA (and JCB), which don't exactly have a lot of incentive to speed up the certification process now that transaction liability can be shifted to the retailers (they're not banks, but the banks are their largest and highest volume customers). They've cut down the number of testing scripts required and changed the rules to prevent chargebacks for low dollar transactions ($25), but otherwise haven't addressed the delays and their backlog of certification work.