Chip and PIN: Caveat vendor

'Cardholder not present' liability

Comment I have recently been working on a study into electronic payments. I have also looked at the internal systems of one of the card issuers, and have been looking at the experiences of a start-up business. My conclusion is that whilst ecommerce is a win-win situation for the big banks and card issuers, it is a case of pity the poor trader!

A very good friend has just started a company that trades in stationery over the internet and he wants to be very competitive on price as well as service. Knowing that I have had an interest in electronic payments, he asked me to look at an issue he had identified. It appears that to trade over the internet he has to pay someone about 1.5 per cent of each transaction for the privilege. I was able to confirm that from my study this percentage appeared to be about the norm, and that I did not see much of a difference until trading levels increased significantly. We then got onto a subject very dear to my heart: what did he get for the 1.5 per cent? I said that as far as I could see, with the exception of maybe Datacash if you work in the online betting sector, and one or two other similar niches, you just got the basic service. This confirmed his fears. He had just been told that for "cardholder not present" transactions he would have to carry the risk of fraud. In addition, the big issuers - the big banks - do not even offer insurance for the traders to cover themselves.

This brought us back to another of my old-time favourite subjects: what about Chip and PIN? It appears that if the cardholder is not present, the available checks are limited to asking for the card number, the expiry date, and the three-digit security code on the back of the card (to ensure that the buyer does not just hold an image of the face of the card). So it is no wonder that the big explosion in crime at present is to intercept cards in the post! That ensures you have all the data you need to buy what you want.
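As an added example, not part of the original column and not any bank's or payment provider's code, the Python below implements the only checks a merchant can run on the three items the paragraph lists. The function names, the reference date and the sample submissions are my own constructions; the number 4111 1111 1111 1111 is a widely published Visa test number, not a real account. The point it makes is the article's: all three checks are checks of form against data printed on the card, so anyone who has intercepted the card in the post passes every one of them, and the PIN never enters the flow.

```python
"""Constructed example: what a merchant can actually verify in a
'cardholder not present' (CNP) transaction.

The three data items the column lists (card number, expiry date and the
three-digit security code on the back) are all printed on the card. The
checks below are the only local checks a merchant can run on them; each
is a check of *form*, not of possession, and the PIN is never involved.
"""
from datetime import date

# Assumed "today" for the expiry check, so the example is reproducible.
REFERENCE_DATE = date(2025, 6, 1)


def luhn_valid(pan: str) -> bool:
    """Return True if the card number passes the Luhn check-digit test.

    Every payment card number carries a Luhn check digit, so this catches
    typos and random guesses, but any genuine number (including one copied
    from a card stolen from the post) passes.
    """
    digits = [int(c) for c in pan if c.isdigit()]
    if not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def expiry_valid(expiry: str, today: date = REFERENCE_DATE) -> bool:
    """Return True if 'MM/YY' is well formed and the card has not expired.

    A card is good through the last day of its expiry month, so the check
    compares (year, month) pairs rather than exact dates.
    """
    try:
        mm, yy = expiry.split("/")
        month, year = int(mm), 2000 + int(yy)
    except ValueError:
        return False
    if not 1 <= month <= 12:
        return False
    return (year, month) >= (today.year, today.month)


def cvv2_valid(cvv: str) -> bool:
    """Return True if the security code is three digits.

    That is all a merchant can test locally; only the issuer can compare
    the code against its own copy.
    """
    return len(cvv) == 3 and cvv.isdigit()


def check_cnp_submission(pan: str, expiry: str, cvv: str,
                         today: date = REFERENCE_DATE) -> dict:
    """Run every check a CNP channel has available and report the outcome.

    Note what is absent: nothing here proves the buyer holds the physical
    card or knows the PIN. Whoever has the printed data is accepted.
    """
    results = {
        "luhn": luhn_valid(pan),
        "expiry": expiry_valid(expiry, today),
        "cvv2_format": cvv2_valid(cvv),
    }
    results["accepted"] = all(results.values())
    return results


if __name__ == "__main__":
    # Constructed inputs. 4111 1111 1111 1111 is a published Visa test
    # number, not a real account; the expiry dates and codes are made up.
    samples = [
        ("4111 1111 1111 1111", "12/30", "123"),  # everything printed on the card
        ("4111 1111 1111 1112", "12/30", "123"),  # one digit wrong: fails Luhn
        ("4111 1111 1111 1111", "01/20", "123"),  # expired card
        ("4111 1111 1111 1111", "12/30", "12"),   # malformed security code
    ]
    for pan, exp, cvv in samples:
        print(pan, exp, cvv, check_cnp_submission(pan, exp, cvv))
```

Run it and the first submission is accepted while the other three are rejected; the first is exactly the data set a thief holding an intercepted card possesses, which is why none of these checks addresses the fraud the column describes.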

Luckily for my friend, the world of stationery is about large numbers of low value items like several thousand 12-inch rulers! But what would happen if you sell high value items like hi-fi or furniture, because surely that is what the dotcom revolution was supposed to do - replace bricks and mortar with clicks? But why cannot online systems ask for the PIN to be confirmed? I really do not understand what the point is of only protecting one aspect of electronic payments, when the big growth is in the "cardholder not present" field.

Returning to my friend's online stationery business; whilst I flippantly stated that it is a world about 12-inch rulers and erasers, they actually have a catalogue of over 17,000 items. I started to look at the large amounts of stationery I now use in my home office and to support the machine my daughters use for school, and how many trips to large stationery stores I could save by going online. Think about the paper you buy; A4 white for reports, various sizes of photo paper for your digital images, and heavier duty stuff for cards, the ink cartridges, the memory cards for your digital cameras, and you soon see this is a good couple of hundred pounds a year per electronic household. This is big business and it must be growing, even if this is supposed to be a paperless age. If the risk of trading online is being carried by the trader, that must mean that in the end they are passing it onto us, the consumer.

So once more I am left bemused by our financial services industry, which is apparently in solid good health but seems to take a very short-term view of each and every aspect of the cash cow that is its lifeblood. As I said in a previous article when I wrote about Chip and PIN, it seems to be a half-hearted approach to something which could add so much. By the way, I still see that most garages are not using Chip and PIN - even when they have the machines they still ask you to sign the confirmation! I would very much like to know what the industry intends to do to secure all electronic payments. At the end of the day it is not the big banks that pay, it is the small start-ups and ultimately the consumers, and we deserve to be treated better when the answer would appear to be there just waiting to be used. Let's see Chip and PIN implemented properly with no-one being able to override the system, and let's see the industry strive to stay ahead of the fraudster and protect us the consumers from the cost of that fraud.

© IT-Analysis.com

Related stories

UK card fraud hits £505m
E-crime to rocket in 2005
Retailers set straight on Chip and PIN
The chip and PIN insecurity card