Chip and PIN: Caveat vendor

'Cardholder not present' liability


Comment

I have recently been working on a study into electronic payments. I have also looked at the internal systems of one of the card issuers, and have been looking at the experiences of a start-up business. My conclusion is that whilst ecommerce is a win-win situation for the big banks and card issuers, it is a case of pity the poor trader!

A very good friend has just started a company that trades in stationery over the internet and he wants to be very competitive on price as well as service. Knowing that I have had an interest in electronic payments, he asked me to look at an issue he had identified. It appears that to trade over the internet he has to pay someone about 1.5 per cent of each transaction for the privilege. I was able to confirm from my study that this percentage appeared to be about the norm, and that I did not see much of a difference until trading levels increased significantly. We then got onto a subject very dear to my heart: what did he get for the 1.5 per cent? I said that as far as I could see, with the exception of maybe Datacash if you work in the online betting sector, and one or two other similar niches, you just got the basic service. This confirmed his fears. He had just been told that for "cardholder not present" transactions he would have to carry the risk of fraud. In addition, the big issuers - the big banks - do not even offer insurance for the traders to cover themselves.

This brought us back to another of my old-time favourite subjects: what about Chip and PIN? It appears that if the cardholder is not present, the available checks are limited to asking for the card number, the expiry date, and the three-digit security code on the back of the card (to ensure that the buyer does not just hold an image of the face of the card). So it is no wonder that the big explosion in crime at present is to intercept cards in the post! That ensures you have all the data you need to buy what you want.

Luckily for my friend, the world of stationery is about large numbers of low-value items like several thousand 12-inch rulers! But what would happen if you sell high-value items like hi-fi or furniture, because surely that is what the dotcom revolution was supposed to do - replace bricks and mortar with clicks? But why cannot online systems ask for the PIN to be confirmed? I really do not understand what the point is of only protecting one aspect of electronic payments, when the big growth is in the "cardholder not present" field.

Returning to my friend's online stationery business: whilst I flippantly stated that it is a world about 12-inch rulers and erasers, they actually have a catalogue of over 17,000 items. I started to look at the large amounts of stationery I now use in my home office and to support the machine my daughters use for school, and how many trips to large stationery stores I could save by going online. Think about the paper you buy: A4 white for reports, various sizes of photo paper for your digital images, and heavier-duty stuff for cards, the ink cartridges, the memory cards for your digital cameras, and you soon see this is a good couple of hundred pounds a year per electronic household. This is big business and it must be growing, even if this is supposed to be a paperless age. If the risk of trading online is being carried by the trader, that must mean that in the end they are passing it on to us, the consumer.

So once more I am left bemused by our financial services industry, which is apparently in solid good health but seems to take a very short-term view of each and every aspect of the cash cow that is its lifeblood. As I said in a previous article when I wrote about Chip and PIN, it seems to be a half-hearted approach to something which could add so much. By the way, I still see that most garages are not using Chip and PIN - even when they have the machines they still ask you to sign the confirmation! I would very much like to know what the industry intends to do to secure all electronic payments. At the end of the day it is not the big banks that pay, it is the small start-ups and ultimately the consumers, and we deserve to be treated better when the answer would appear to be there just waiting to be used. Let's see Chip and PIN implemented properly with no one being able to override the system, and let's see the industry strive to stay ahead of the fraudster and protect us, the consumers, from the cost of that fraud.

© IT-Analysis.com
