Dear Linkedin,

Does your bank request/require that you change the PIN
on your ATM card every few months?

ATM cards are not passwords, they are a coarse form of two-factor
authentication - You have the card, you have the PIN.

You have to possess both in order to transact - at least in in theory.

Compare that with the secrecy surrounding the CVV - the "last three digits
on the number on the back of the card" which you are "not meant to tell
anyone" and which _will_ be different if your card is lost/stolen and
reissued.

If I'm not supposed to not "tell anyone", why is it even printed where I can
read it?

Are the bad guys winning though?

Are they really?

A friend would print in block letters in the sig area of his credit
cards "ASK FOR PHOTO ID". He said that almost always cashiers et al
would give a cursory glance like they were checking his signature and
say thank you and hand him back his card.

Maybe someone mentioned this but merchant card contracts generally
(always?) require that you NOT store CVVs when the transaction is
over.

It's just some double-check remotely that you physically have the
card, or did once in the past, etc. and doesn't imprint.

Credit card security is about percentages not absolutes, about the
cost-benefit analysis.

Many years ago I interviewed at a company which was building a big
honking multi-processor.

They had $150M in pre-orders from BIG CREDIT CARD COMPANY dependent on
the machine being able to run a bunch of anti-fraud algorithms they
knew were good (run against historical data) but couldn't run in
real-time, no iron was fast enough at the time.

BIG CREDIT CARD COMPANY estimated, as I remember, that if they could
run those algorithms it would catch about $50,000/hour in fraud, so
the $150M was a good investment from their point of view.

I didn't take the job and they never finished the system.

This seems like an altogether excellent time to haul out *this* old
chestnut:

  http://www.zug.com/pranks/credit/

FWIW, My cards have always said SEE ID, and I get about a 40% or so hit
rate on that. It's been odd recently, cause I sometimes forget, and the
privacy reflex kicks in and makes me want to say "Why??"

Cheers,
-- jra

My personal favorite is to ask if I spelled my name correctly?

Lyle Giese
LCR Computer Services, Inc.

If your card is not signed, your card is invalid and should not be
accepted by any merchant.

http://www.mastercard.com/us/merchant/pdf/MerchantAcceptanceGuide_Manual.pdf

Page 8-2; "Unsigned Credit Cards". VISA has similar requirements.

Writing "SEE ID" in the signature panel primarily makes your card invalid
*unless* your signature is also present.

One of the design goals of the V/MC system is that a cardholder is not
supposed to need anything other than their card and the ability to sign.
The comparison of the signature provided to the card signature is
supposed to be one of the primary ways to validate a cardholder, but of
course these days, most vendors are lazy and don't.

In fact, one of my favorite abusive merchant practices, trying to require
ID, is expressly prohibited:

http://www.mastercard.com/us/merchant/pdf/BM-Entire_Manual_public.pdf

Page 5-14, sec. 5.8.4, "Additional Cardholder Identification".

They're allowed to ask, you're allowed to refuse, and absent a good
reason, they're not allowed to refuse your transaction. Now, if your
signature doesn't match or something else is particularly fishy, yes,
then they should require it, but they cannot require it by default for
all transactions they process.

That and a "minimum charge" are among the two most common merchant
violations I see.

For MasterCard violations, report them!

http://www.mastercard.us/support/merchant-violations.html

... JG

One of the design goals of the V/MC system is that a cardholder is not
supposed to need anything other than their card and the ability to sign.

This seems to be different across the world. Here in Sweden, they don't really look at your signature on the card, they look at the name on the card, name on the ID and the signature of the ID (which is pretty much required if you don't have PIN).

The comparison of the signature provided to the card signature is
supposed to be one of the primary ways to validate a cardholder, but of
course these days, most vendors are lazy and don't.

I've seen people verify the signature in France and in some asian countries. I don't travel much these days, so I don't know the situation in other countries.

then they should require it, but they cannot require it by default for all transactions they process.

That and a "minimum charge" are among the two most common merchant
violations I see.

For MasterCard violations, report them!

Mastercard - A Global Technology Company in The Payments Industry

Is that policy worldwide or just for the US?

[snip]

That and a "minimum charge" are among the two most common merchant
For MasterCard violations, report them!

In the US, Credit card processing networks were forbidden from
prohibiting merchants from establishing certain "minimum charges" to
use a CC, merchants may also charge an extra fee to use a CC; see,
the Dodd-Frank Wall Street Reform and Consumer Protection act Of 2010;
   S 1075 page 693.

"
(3) LIMITATION ON RESTRICTIONS ON SETTING TRANSACTION MINIMUMS OR
MAXIMUMS. (A) IN GENERAL.—A payment card network shall not,
directly or through any agent, processor, or licensed member of the
network, by contract, requirement, condition, penalty, or otherwise,
inhibit the ability (i) of any person to set a minimum dollar value
for the acceptance by that person of credit cards, to the extent that
(I) such minimum dollar value does not differentiate between issuers
or between payment card networks; and (II) such minimum dollar value
does not exceed $10.00 …
"

I was under the impression (I should dig out my contract) that
merchant contracts also forbid charging more for a charge than for
cash or conversely "discount for cash!" but I see so many violations
of that particularly at gas stations I wonder if that's negotiable in
the contract.

I remember my father buying a car and pulling out a credit card asking
if they accepted them? The dealer said sure no problem so he said fine
then take another 3% (whatever) off I'll pay cash/check.

A merchant can offer a cash discount.

--John

A merchant can offer a cash discount.

I believe that the law just recently changed on that account. I believe
that what Barry says was the old reality.

Mike

Perhaps, but Cash/Credit for gas dates back to before I moved to Florida in
1981. Even Further Off-Topic, isn't "debit" supposed to be "cash"? Why do
I pay the Credit price for it?

Cheers,
-- jra

I dunno, maybe they're an exception? Maybe it had something to do
with competing with the old oil company credit cards?

MIke

From nanog-bounces+bonomi=mail.r-bonomi.com@nanog.org Sun Jun 10 13:18:06 2012
From: Barry Shein <bzs@world.std.com>
Date: Sun, 10 Jun 2012 14:16:10 -0400
To: Mikael Abrahamsson <swmike@swm.pp.se>
Subject: Re: Dear Linkedin,
Cc: NANOG <nanog@nanog.org>, Joe Greco <jgreco@ns.sol.net>

I was under the impression (I should dig out my contract) that
merchant contracts also forbid charging more for a charge than for
cash or conversely "discount for cash!" but I see so many violations
of that particularly at gas stations I wonder if that's negotiable in
the contract.

The 'true explanation' is even simpler -- your impression is incorrect. <grin>

In the U.S., Visa/Mastercard/Amex/Discover/Diners Club contracts all
expressly forbid charging extra for a card transaction. Using language
that applies only to a 'premium' or 'surcharge' applied to card transactions.

They do *NOT* forbid giving a discount for cash payment. They do not state
it =is= acceptable -- they are simply silent on the subject, which means that
it is not proscribed.

The logic: The card purchaser must be allowed to buy at the 'advertised'
price. Prohibiting discounts gets into a 'restraint of trade' issue.

Gas stations that offer a 'discount for cash' do not give that discount
even for 'house brand' cards -- which do not have any fees that are
payable to the issuer.

In fact, that's not true. Several chains, notably including Shell, have
at one time or another advertised that their house card (not a house-branded
credit card, but an actually gas charge card) took the cash price.

Cheers
-- jra

From: "Michael Thomas" <mike@mtcc.com>

A merchant can offer a cash discount.

I believe that the law just recently changed on that account. I
believe that what Barry says was the old reality.

Perhaps, but Cash/Credit for gas dates back to before I moved to Florida in 1981.

Merchants have always been allowed to offer a cash discount. The ban is
(was?) on surcharges for card purchases. In practical terms, this means
that if you post only one price, it must be the card price, not the
(possibly lower) cash price.

Even Further Off-Topic, isn't "debit" supposed to be "cash"? Why do I pay the Credit price for it?

The "credit" price is subject to the merchant's discount rate,
regardless of the nature of the particular card used. The "cash" price
is the part of the "credit" price left after the discount rate is applied.

Say gas is $4/gal and the merchant's discount rate is 4%. That means
the merchant only gets paid $3.84/gal for card purchases. If the
merchant charges cash customers $3.84/gal, which is legal, they get paid
the same amount of money. However, it is illegal for the merchant to
post /only /a price of $3.84/gal and then charge card users $4/gal to
cover the card discount; that's an illegal surcharge.

S

From nanog-bounces+bonomi=mail.r-bonomi.com@nanog.org Sun Jun 10 13:26:36 2012
Date: Sun, 10 Jun 2012 11:25:35 -0700
From: Michael Thomas <mike@mtcc.com>
To: "John T. Yocum" <john.yocum@fluidhosting.com>
Subject: Re: Dear Linkedin,
Cc: nanog@nanog.org

> A merchant can offer a cash discount.

I believe that the law just recently changed on that account. I believe
that what Barry says was the old reality.

You believe incorrectly.

Merchants have NOT, per Visa/Mastercard/Amex/Discover/Diners Club contracts
in the U.S., been prohibited from offering discounts for cash transactions
for more than 20 years -- based on my direct kowledge of such contracts as
a card-processing merchand.. TTBOMK, merchants were -never- so prohibited
by such a contract. There are 'restraint of trade' issues involved if a
contract attempts to place restrictions on transactions that do not involve
all the parties to the contract. Forbidding surcharges on transactions
paid for by the issuer's card -is-, on the other hand, fair game for the
contract under which the issuer agrees to pay for certain purchases.

Recently-enacted (2010) U.S. law *does* explicitly permit -- overriding any
contract terms to the contrary -- setting a 'minimum purchase amount'
for credit card transactions, as long as that amount does not exceed US$10.

From nanog-bounces+bonomi=mail.r-bonomi.com@nanog.org Sun Jun 10 13:34:06 2012
Date: Sun, 10 Jun 2012 14:33:03 -0400 (EDT)
From: Jay Ashworth <jra@baylink.com>
To: NANOG <nanog@nanog.org>
Subject: OT: Credit card policies (was Re: Dear Linkedin,)

> From: "Michael Thomas" <mike@mtcc.com>

> > A merchant can offer a cash discount.
>
> I believe that the law just recently changed on that account. I
> believe that what Barry says was the old reality.

Perhaps, but Cash/Credit for gas dates back to before I moved to Florida in
1981. Even Further Off-Topic, isn't "debit" supposed to be "cash"? Why do
I pay the Credit price for it?

It is, and *ISN'T*, 'cash'.

Unlike cash (and like a credit card), it is simply an instruction to a third
party to pay the retailer a specified amount. And as such, is subject to
the terms of the contract between -those- parties as to how payment is made
an what charges are imposed.

Unlike a credit card, the money _is_ immediately dedecuted from your bank
account.

Like a credit card, it is the third-party clearinghouse that gets the mone
from you, and passes it on to the retailer. AFTER extracting their charges
for the service they provide.

You pay the 'credit' price, because the card issuer, and the clearinghouse
operations _charge_ the merchant the same amount for those transactions as
for 'credit' ones. Thus the merchant does not receive any of the benefits
of a 'cash' transaction, so there is no 'discount' to pass on to the buyer.

At one point, VISA, charged -more- for debit transactions than credit ones.
Despite the fact that there was -zero- risk to them on the debit transaction.
VISA got sued over the matter, since (at that time) it was impossible to tell
whether the card number presented was debit or credit. Thus the merchant
could not determine, in advance, what their 'cost' for the transaction was.
As a result of the lawsuit, the cost differential between credit and debit
transactions was eliminated.

> That and a "minimum charge" are among the two most common merchant
> violations I see.
>
> For MasterCard violations, report them!
>
> Mastercard - A Global Technology Company in The Payments Industry

Is that policy worldwide or just for the US?

Despite the "/us/" in the URL, the guide has sections for geographic
world regions, so it seems safe to conclude it's worldwide. I have
not followed all the geographic subsections to discover what regional
variations may exist; I leave that exercise for anyone who finds it
of interest.

... JG

From: Jay Ashworth <jra@baylink.com>

Even Further Off-Topic, isn't "debit" supposed to be "cash"? Why do
I pay the Credit price for it?

It is, and *ISN'T*, 'cash'.

Unlike cash (and like a credit card), it is simply an instruction to a third party to pay the retailer a specified amount. And as such, is subject to the terms of the contract between -those- parties as to how payment is made an what charges are imposed.

Unlike a credit card, the money _is_ immediately dedecuted from your bank account.

All of the above is completely irrelevant to the merchant.

Like a credit card, it is the third-party clearinghouse that gets the mone from you, and passes it on to the retailer. AFTER extracting their charges for the service they provide.

FWIW, this is known as the "discount" rate.

You pay the 'credit' price, because the card issuer, and the clearinghouse operations _charge_ the merchant the same amount for those transactions as for 'credit' ones. Thus the merchant does not receive any of the benefits of a 'cash' transaction, so there is no 'discount' to pass on to the buyer.

The merchant's discount rate varies between card types. That's why many
merchants don't accept AmEx, DC, CB and Nexus: their discount rates are
higher than Visa and MC. For a low-margin business, the difference in
rates can make the difference between profit and loss on a given sale.

At one point, VISA, charged -more- for debit transactions than credit ones. Despite the fact that there was -zero- risk to them on the debit transaction.

Wrong. Even debit cards present a risk of chargeback due to fraud.
However, the fraud rates are lower due to the us of PINs, so the
discount rate is also lower.

VISA got sued over the matter, since (at that time) it was impossible to tell whether the card number presented was debit or credit.

It's still impossible to tell, which is why most card terminals ask
whether the card is credit or debit. If you press the "credit" button,
even if the card is a debit card, it is processed as a credit card--with
the credit card discount rate. That's why Visa's advertising and
contests promote customers using signature (i.e. "credit") transactions:
Visa gets more money that way (at the cost of their merchants).

As a result of the lawsuit, the cost differential between credit and debit transactions was eliminated.

... except it's still there, though perhaps in the other direction.

The discount rate for "debit" transactions is lower, but a PIN must be
used to get that rate. The exact rates vary between card networks, card
processors and even merchants, but a few years ago the numbers I heard
were 4% for "credit" (i.e. signature) transactions and 1% for "debit"
(i.e. PIN) transactions. That is why those nifty PIN terminals appeared
everywhere virtually overnight: saving 3% on every "debit" transaction
easily paid for all those new terminals.

S