
Overreacting, shallow, misleading and bait-link article.

Overreacting:

- the most up-to-date technologies for anti-credit card fraud, namely variants of smart card/EMV, are already available and widely used by all the large credit card providers and banks in the EU and Asia (excluding domestic transactions in China and Japan). There are even US providers who use it in some situations.

- in addition, most merchants in those regions have upgraded their PoS terminals for smart cards and in some cases refuse to accept non-smart credit cards.

- he made no case for how HSBC money laundering and subprime crisis have anything whatsoever to do with anti-fraud credit card technologies. Just randomly put it out there...

Shallow:

- Not even a minor reference to the specific technology being discussed is made, only a vague mention of "public-key cryptography".

Misleading:

- the credit card industry HAS and IS deploying the most up-to-date technology. In some regions, e.g. US, there are legal or infrastructure barriers that take time to overcome.

- the key moment at which the new infrastructure is rapidly rolled out and fully enters the public consciousness is associated with the "liability shift" when credit card infrastructure providers push liability for fraud to merchants, therefore forcing merchants to upgrade their equipment and processes:

-- Mastercard is implementing a liability shift for point of sale terminals in October, 2015. For pay at the pump, at gas stations, the liability shift is October, 2017. For ATMs, the liability shift date is in October 2016.

-- Visa is implementing a liability shift for point of sale terminals on October 1, 2015. For pay at the pump, at gas stations, the liability shift is October 1, 2017. For ATMs, the liability shift date is October 1, 2017. [1]

Bait-link:

- a solution is already out there. It is based on "public key cryptography". Whether it is "simple" or not is a matter of opinion at this point, without any further clarification by the author. Nothing he has proposed has improved on the solution.

[1] http://en.wikipedia.org/wiki/EMV#United_States




> the credit card industry HAS and IS deploying the most up-to-date technology. In some regions, e.g. US, there are legal or infrastructure barriers that take time to overcome.

And why is that, you think? People are somewhat surprised that a magstripe is still even considered valid here and have been for years. I've seen zero chip readers in the US. It's been more than five years since I've heard of a merchant using magstripes in the EU.

The industry in the US isn't toothless. Nor is the government. They seemed perfectly capable of banning betting and sales of illegal goods or donations to causes they disapprove of. Yes, they are now starting to roll out stuff. I have no idea how they're going to do it seeing as they're apparently still living in the remote past. Can they roll out all this by 2017? Perhaps. Meanwhile, in the EU Square Up is distributing free chip readers for android or iphone, same as the US side does for magstripes. Which they can then transmit over the nice 100 Mbit fiber. Apparently, it wasn't that damn hard, except in the US.


> I've seen zero chip readers in the US.

I was in the US last summer for two weeks, and I saw several. Perhaps because I'm used to chip and pin?

> in the EU Square Up is distributing free chip readers for android or iphone

No they aren't, I think they said they were going to but there's no way to get one from them right now.

On the small business angle, chip and pin in the UK has been a nightmare for small retailers. It's been in for several years now and things like Square are much more recent. A chip and pin device is not cheap - far more than many small businesses can afford.

By 2015 (which is the liability date for point of sale terminals and you bet your boots they will change those machines quickly once it's costing them money) Square and things like it will be mature and ready, so hopefully you guys will make the transition much more easily than we are!


"he made no case for how HSBC money laundering.."

Banks make money on transactions regardless of whether they are fraudulent, criminal, or not. I think the argument is that as long as banks profit from illegal activity (identity theft) they have no incentive to take steps to reduce that profit. They lose money if the security is too strong or too weak. Apparently the security we get is just right (for the banks).


I agree the OP is overreacting and thin on details (and whiny) but this post completely misses that the main thrust is card-not-present situations and the US.


EMV only seems to secure offline transactions at merchants and ATMs. How does it protect information for online and phone payments?


As part of EMV, the liability is typically shifted to the merchant for non-EMV authenticated transactions. This provides strong motivation for merchants to do a better job of filtering out fishy transactions.

The only solutions I've seen to using EMV itself for online/phone transactions involve having a more advanced card (i.e. with LCD token readout) or a standalone card reader to interact with the chip.

E.g.: ftp://ftp10.us.freebsd.org/users/azhang/disc/springer/0558/papers/2455/24550388.pdf


Merchants already have to pay back the transaction, plus a charge, plus we're out the merchandise. We already have plenty of incentive to spot fraudulent transactions.

What is needed is a better system.


Cut me a little slack, OK? This is just the beginning of a long story.


Why...? If he's wrong, surely you can rebut him, and if he's right, then how does being part of a long story change that?


I can and I will but right now I'm on an airplane


If it's not ready to be read, why was it posted?


Long stories are not told entirely in the first chapter.


Because we buy books with only one chapter, these days?


This isn't a book, and you aren't paying for it. Also, books are also assumed to be a finished product if they're being published, unlike a blog post that explicitly states it's the first of several. Not really an applicable analogy.


So is he planning on modifying the blog post to be of higher quality, or is it okay to be sloppy because he'll totally explain everything in the next chapter?



