Feeds

Chip and PIN: Caveat vendor

'Cardholder not present' liability

  • alert
  • submit to reddit

Designing a Defense for Mobile Applications

Comment I have recently been working on a study into electronic payments. I have also looked at the internal systems of one of the card issuers, and have been looking at the experiences of a start-up business. My conclusion is that whilst ecommerce is a win-win situation for the big banks and card issuers, it is a case of pity the poor trader!

A very good friend has just started a company that trades in stationery over the internet and he wants to be very competitive on price as well as service. Knowing that I have had an interest in electronic payments, he asked me to look at an issue he had identified. It appears that to trade over the internet he has to pay someone about 1.5 per cent of each transaction for the privilege. I was able to confirm that from my study this percentage appeared to be about the norm, and that I did not see much of a difference until trading levels increased significantly. We then got onto a subject very dear to my heart; what did he get for the 1.5 per cent? I said that as far as I could see, with the exception of maybe Datacash if you work in the online betting sector, and one or two other similar niches, you just got the basic service. This confirmed his fears. He had just been told that for "cardholder not present" transactions he would have to carry the risk of fraud. In addition, the big issuers - the big banks - do not even offer insurance for the traders to cover themselves.

This brought us back to another of my old time favourite subjects; what about Chip and PIN? It appears that if the cardholder is not present, the available checks are limited to asking for the card number, the expiry date, and the three digit security code on the back of the card (to ensure that the buyer does not just hold an image of the face of the card). So it is no wonder that the big explosion in crime at present is to intercept cards in the post! That ensures you have all the data you need, to buy what you want.

Luckily for my friend, the world of stationery is about large numbers of low value items like several thousand 12 inch rulers! But what would happen if you sell high value items like hi-fi or furniture, because surely that is what the dotcom revolution was supposed to do - replace bricks and mortar with clicks? But why cannot online systems ask for the pin number to be confirmed? I really do not understand what the point is of only protecting one aspect of electronic payments, when the big growth is in the "cardholder not present" field.

Returning to my friend's online stationery business; whilst I flippantly stated that it is a world about 12-inch rulers and erasers, they actually have a catalogue of over 17,000 items. I started to look at the large amounts of stationery I now use in my home office and to support the machine my daughters use for school, and how many trips to large stationery stores I could save by going online. Think about the paper you buy; A4 white for reports, various sizes of photo paper for your digital images, and heavier duty stuff for cards, the ink cartridges, the memory cards for your digital cameras, and you soon see this is a good couple of hundred pounds a year per electronic household. This is big business and it must be growing, even if this is supposed to be a paperless age. If the risk of trading online is being carried by the trader, that must mean that in the end they are passing it onto us, the consumer.

So once more I am left bemused by our financial services industry, which is apparently in solid good health but seems to take a very short-term view of each and every aspect of the cash cow that is its lifeblood. As I said in a previous article when I wrote about Chip and PIN, it seems to be a half-hearted approach to something which could add so much. By the way, I still see that most garages are not using Chip and PIN - even when they have the machines they still ask you to sign the confirmation! I would very much like to know what the industry intends to do to secure all electronic payments. At the end of the day it is not the big banks that pay, it is the small start-ups and ultimately the consumers, and we deserve to be treated better when the answer would appear to be there just waiting to be used. Lets see Chip and PIN implemented properly with no-one being able to override the system, and lets see the industry strive to stay ahead of the fraudster and protect us the consumers from the cost of that fraud.

© IT-Analysis.com

Related stories

UK card fraud hits £505m
E-crime to rocket in 2005
Retailers set straight on Chip and PIN
The chip and PIN insecurity card

Boost IT visibility and business value

More from The Register

next story
BBC goes offline in MASSIVE COCKUP: Stephen Fry partly muzzled
Auntie tight-lipped as major outage rolls on
You! Pirate! Stop pirating, or we shall admonish you politely. Repeatedly, if necessary
And we shall go about telling people you smell. No, not really
Airbus promises Wi-Fi – yay – and 3D movies (meh) in new A330
If the person in front reclines their seat, this could get interesting
UK Parliament rubber-stamps EMERGENCY data grab 'n' keep bill
Just 49 MPs oppose Drip's rushed timetable
ITC: Seagate and LSI can infringe Realtek patents because Realtek isn't in the US
Land of the (get off scot) free, when it's a foreign owner
Samsung threatens to cut ties with supplier over child labour allegations
Vows to uphold 'zero tolerance' policy on underage workers
Dude, you're getting a Dell – with BITCOIN: IT giant slurps cryptocash
1. Buy PC with Bitcoin. 2. Mine more coins. 3. Goto step 1
There's NOTHING on TV in Europe – American video DOMINATES
Even France's mega subsidies don't stop US content onslaught
prev story

Whitepapers

Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.