Still Another Attempt to Prevent Credit Card Fraud
The UK press is abuzz with reports that CNP (Card Not Present) fraud is at an all-time high and growing at an alarming rate. We can all thank Chip and PIN cards for that. Chip and PIN cards did exactly what I believe it was supposed to do - move the fraud liability away from the issuers and onto the e-Commerce merchants.
So now Visa Europe is scrambling to get still another fraud fighting tool out the door. You know, like Chip and PIN, VbyV, CVV2, and the others. This one is a one-time-number generator built right into the card. Can you imagine how much this one will cost to replace after the next Hanaford-type incident?
According to Heise Online Visa is touting this as “milestone in fraud prevention.” Sure, just like all those others I mentioned. Still, If the PIN can be recorded surreptitiously, the card will prove no more secure than its predecessors. Instead of cloning the card, the fraudster would then merely need to steal it. So what’s the point? That’s pretty much the way it is now.
Visa is developing still another dubious, if not down-right worthless, technology just for the sake of showing cardholders that they are doing something. However useless that something might be, at least Visa can advertise that they are doing something. You know - kind of like advertising the fact that credit cardholders’ money is safe if their cards are stolen. Sure enough that’s true, but it’s not Visa’s doing. It was mandated by the FTC many years ago.
I love to see rebuttal comments like we had on the telephone call-back service but I doubt that Visa or MasterCard will respond. Come on folks - no guts or no rebuttal? Which is it?
One-time password is a good option, But how do you say its useless? and what if the key is recorded, anyway its a one-time key right?
July 30th, 2008 at 2:00 amI really don’t have anything to add to this piece, but just wanted to first thank you Tom for all your effort on behalf of merchants accepting credit cards. The industry is so screwed up beyond belief it is nice to have a place where ideas and issues can be discussed.
Secondly, I am disappointed to see more people are not making use of this site. I realize most merchants are terribly busy, but it might help if you promoted this forum more in your alerts (or have I been missing something?)
Last but certainly not least, I am very tired of the outrageous fees I am charged, the way chargebacks are handled, and the overall treatment of the merchants by V/MC, etc. AS for the fees, the only thing that makes it a little easier to handle is that I can pay my suppliers by credit card (most of them anyhow) so I manage to get about a percent back, but even still, I’m probably getting hit with higher prices anyhow. Chargebacks ( I get very few as I screen carefully and am in a unique demographic) are handled as if I am guilty until proven innocent, with the burden always on the merchant, and not a lick of investigatory work on the part of the CC co’s. I sometimes think this is a profit center for them. Most of the chargebacks could be stopped dead in their tracks if they would bother to pickup the phone. They have a lot of nerve charging $15.00 just become some ahole customer wants to give me a hard time for their misunderstanding.
Anyhow, you at one time seemed to be entertaining the idea that we could possibly band together to get group rates which would be more favorable. Is this still something you are considering?
If I posted this in the wrong place I apologize.
Thanks again.
Art
July 30th, 2008 at 3:37 amNISH:
I didn’t say “useless” I said “dubious, if not down-right worthless.” :-)
According to the quoted article, Visa says “If the PIN can be recorded surreptitiously, the card will prove no more secure than its predecessors.” This is the case with Chip and PIN cards now so what’s really gained with the new technology?
Do I have an answer? No. Truth is, there probably isn’t one and maybe that’s the point. All the technologies work when things go right but there is always going to be credit card fraud. But I think this initiative smells of marketing hype.
I’ve publicly stated (on CBS Evening News, National Public Radio and others) that the credit card companies have a revenue stream from chargeback fees and there is no financial incentive for them to to do anything about fraud except move the liability away from the issuers and on to the merchants. Their response has been to call the claim “ludicrous” but they have yet to convince anyone that a half a billion dollars in chargeback fees is anything but a cash cow.
July 30th, 2008 at 7:35 amART:
Thanks for the kind words.
I’m not big on self-promotion. Merchant911 membership continues to grow slowly and that’s OK. I do it all out-of-pocket in my spare time after a full time job, three e-Commerce sites, and a brick and mortar so it is what it is and will be what it will be.
Yes, I still believe there is strength in numbers, both financially and politically. I’m just not sure what the magic number is. Is it our current strength of 3,750? Is it 5,000? I don’t know the answer to that one. And of our current 3750, there are only a few dozen that contribute to the alerts and the forum that are available to members. And then there’s my time factor. There’s much that I’d like to accomplish yet but limited hours in a day. The blog post above went out at 11:00 PM last night - this comment is being typed before 8:00 AM before I head to my office. Merchant911 and all that goes with it is a full time job that I just don’t have the time for. I’ll keep on keeping on.
July 30th, 2008 at 7:49 amThis blog entry and response all discusses how the new tech is not enough to battle the issue, but forgets the big point, the way it is today is worse. As security experts say, nothing is secure, but if we can move from level 0 to level 5 maybe someday we have a chance to get to level 10 (being nirvana). Also, about this liability shift from issuers to merchants, for CNP transactions, there is something called Verified by Visa, MasterCard SecureCode…implement this correctly at least most of the chargeback headaches (I didn’t say all…) will be taken care of.
August 5th, 2008 at 10:18 pm