Warning: This is a rant.
Mastercard and Visa drive me crazy. For many, many years, phone and internet-based merchants have been asking, loudly, for Visa/Mastercard (which, for all practical purposes, represent a duopoly in the US) to accelerate the pace at which they roll out customer security features. It is in the consumer’s interest and in the merchant’s interest to reduce fraud, but what is in Visa/Mastercard’s interest is maximizing the number of transactions, since they take a percentage of each transaction. The more transactions, the bigger the profit Visa/Mastercard make (they are not the same company, and their regulations differ, but only in detail, never in substance).
A few years ago, they introduced those security numbers on the back of your credit cards called the CVV2 number. That’s great. The idea was that CVV2 numbers would ensure that at the very least the person using the card has the credit card physically present, since merchants weren’t supposed to be permitted to store CVV2 numbers. The logic is good: If they’re not stored anywhere but the card itself, then you either have to get the cardholder to tell you what the CVV2 number is (phishing schemes, for instance) or have the card physically. Unfortunately, the rules that ended up being set in place do not actually guarantee that, and while they did end up reducing fraud overall, the impact was limited compared to what it might have been had Visa/Mastercard worried more about their customers (both the consumer AND the merchant). Now, you’re allowed to store the CVV2 number, meaning that data theft leads to fraud that wouldn’t happen otherwise.
So, the next obvious “innovations” (if such a thing can EVER be said about the molasses-in-winter-speed dinosaurs that are Visa/Mastercard) are the “Verified by Visa” and “Mastercard SecureCode” programs that have been around for a bit now. Both of them are essentially the same thing: Pin numbers for your credit card. I know…believe me…I’m as blown away as you are. Imagine: A portable card representing access to money that is protected by a pin number. It’s like something in a sci-fi movie, isn’t it? It’s like they got a time machine and went to 1986 to find the latest and greatest innovations, and then cleverly exported them…to the future, where they were already commonplace.
On paper, it sounds great. If a merchant is enrolled in Verified by Visa (or Mastercard’s program) and a customer is enrolled in Verified by Visa (both the merchant and consumer have to independently sign up initially), then any transaction from that customer to that merchant is guaranteed by Visa, completely protecting the merchant against fraud. That sounds fantastic until you realize how unbelievably stupid it is to sign up for this kind of service as a customer. Then it just makes me angry when I think that they’re basically kow-towing to merchants like me by trying to stick a red hot poker up the ass of the people who trust us.
See, here’s the thing: The only way that Visa/Mastercard are willing to guarantee the merchant that a transaction isn’t fraudulent is to stick it to the consumer. The rules a consumer has to agree to when he/she signs up for Verified by Visa/SecureCode say that the consumer is not allowed to ever write down or communicate the pin code to anyone else. Great. Very logical. If someone does write it down or tell someone else, and he gets ripped off, my sympathy level is low. But what happens when the customer’s data is stolen?
Visa and Mastercard’s answers are that there are strict data protection rules in place, with hefty fines that prevent merchants from storing the pin number, and thus being subject to having that data stolen (violating Visa/Mastercard’s data protection rules is suicidal for a merchant, especially a small one. Each violation can literally run up to half a million dollars in fines.) Of course, that’s just nonsense. That means that they are intentionally luring customers into an agreement where the customer bears responsibility for a third party merchant getting hacked, and takes a financial hit as a result.
Imagine being that customer, enrolled in Verified by Visa. Visa calls you one day to ask about suspicious transactions with Iron Realms on your account, and you, being a truly unhip individual, inquire, “Who the hell is Iron Realms?” Visa simply tells you that you’re lying, since the only way that someone could possibly have gotten your pin number is if you gave it to other people. It’s simply inconceivable that technology is fallible, and that someone obtained your pin number illicitly.
I mean, this just drives me a little crazy. I hate dealing with Visa and Mastercard. They are almost universally hostile to the merchant, and when they’re not making new rules and imposing new costs on us, they’re turning around and trying to placate us by screwing the consumer. I totally understand that the value proposition of Visa/Mastercard relies on the perception that transactions are very (if not totally) safe, but their strident unwillingness to assume any responsibility for the trustworthiness of the payment network that they created really gets under my skin.
Disclaimer: Some of this info came out of a conversation with the head of the risk department at a merchant bank. I am just assuming what she told me is true and haven’t actually double-checked anything. I’ll add that when I asked whether Verified by Visa actually made any sense at all for a consumer, she said that while she recommends it to her merchants, she’d never recommend it to a consumer, as it makes zero sense from the consumer’s perspective. Probably why Visa is spending so much money trying to push it onto consumers.
10 comments
September 18th, 2006 at 6:47 am
Brask Mumei
Now you know why they offer free ipods for people to sign up for that program. I like the idea of Verified by Visa on paper. I’m quite willing to register a pin to reduce fraud - theoretically reduced fraud benefits the consumer when merchants don’t have to hike prices to take into account charge backs. But I did, as a consumer, read the fine print. I am thus trying my best to never sign up for that evil, evil, program. You are correct that by signing up to the program you lose all protection for all transactions done with the pin. Considering that only two times so far I’ve had my card cancelled due to it being stolen was when merchants managed to have my information stolen rather than negligence on my part, I think I have some reason to be leery about surrendering my protection.
My fear is that some large enough merchant that I rely on will decide that they have enough control of the market to screw the customer and will demand this program, forcing me to transition. I’ve made a point of educating people around me to the nature of this program, so I’m glad you have done so in a more broadcast fashion.
September 18th, 2006 at 9:29 am
Tuebit
Heh … in Canada, at least, the verified by visa FAQ appears to say that you’re still protected.
“Am I still covered by Visa’s Zero Liability policy if someone fraudulently uses my password?
Yes. Visa’s Zero Liability policy protects you against the unauthorized use of your VISA card even if someone fraudulently uses your Verified by Visa password. You must be able to establish to the satisfaction of your Card Issuer that you did not make the purchase.” from http://www.visa.ca/verified/card_faq.cfm
September 18th, 2006 at 9:45 am
Matt
Interesting, Tuebit. How effective that protection is derives, I guess, from how hard it is to convince the card issuer that you didn’t make the purchase.
–matt
September 18th, 2006 at 10:03 am
Tuebit
Hopefully, they’re “reasonable” about it. I was recently ‘forced’ to subscribe to the program (I forget what I was buying at the time … it was either sign-up, or don’t buy). I didn’t even think to investigate the impact on my liability for fraudulent purchases. Hopefully, I haven’t screwed myself.
September 18th, 2006 at 10:32 am
Brask Mumei
From the TOS from one of the Verified by Visa banks in Royal Bank in Canada…
“You are solely responsible for maintaining the confidentiality of your password, Registration Data and other verification information established by you with Verified by Visa, and all activities that occur using your password, Registration Data or other verification information supplied to or established by you with Verified by Visa.” … “If someone gets hold of your RBC Visa card number and your password or other verification information, in a way that enables them to be used together, you will be responsible for all their use of the Visa card number.”
Then, later on, they mollify it somewhat:
“However, in the event that you can demonstrate that all reasonable precautions were taken to protect your RBC Visa card number and the confidentiality of your password or other verification information, you will not be held responsible for their unauthorized use.”
I’m glad they have at least added that clause. I do not remember it being there when I first read one of these agreements. I still don’t like the idea that *I* become responsible for the confidentiality of the password, and I’m worried about how I “demonstrate” a negative. How can I demonstrate to their satisfaction that I didn’t do something stupid with my password? Either they take my word, in which case this becomes a rather easy thing to fulfill, or they demand “proof”, in which case it becomes an irrelevant consolation as I can’t account for every hour of my life to show I didn’t leak the information somewhere.
September 18th, 2006 at 10:19 pm
Acrune
Those security numbers on all the credit cards are funny. At the place where I used to work, the credit card machine asked for the number, but one day I discovered that if you didn’t have it, you could just push enter and it would go through anyways. Wonder how many businesses have credit card machines that cheat like that.
I now work at Comp USA. Interesting to note that Visa has more uses than pretty much all the other credit cards combined, especially if you count the Visa debit cards as Visa. Also interesting that American Express makes us do a little extra work in processing them. That’s the only card where we are required to enter a security number (the others don’t make us enter one, even if we enter the card number manually). We also have to use one of those old printing machines where you put the card and the receipt in, close it, and it prints the card number onto the receipt. Not sure if American Express requires the same thing of everyone.
Also rather striking that about 1/3 people either have no signature, or a barely visible one on their card.
September 19th, 2006 at 6:04 am
Andrew Crystall
Don’t get me started on the banking industry.
Hint: Bitslice processors. Used by NASA’s 70’s Space Shuttles… and the banking industry.
September 20th, 2006 at 8:30 am
Iruen
“Those security numbers on all the credit cards are funny. At the place where I used to work, the credit card machine asked for the number, but one day I discovered that if you didn’t have it, you could just push enter and it would go through anyways. Wonder how many businesses have credit card machines that cheat like that.”
In all the restaurants, shops and other money sinks I go I’ve never had to put my PIN number anywhere (I would refuse to do that in front of everybody just by principle). They have a receipt that I have to sign, without it being signed by me they cannot make VISA pay them if I refuse to pay. They need the physical card, though, if they introduce the name manually I have 24h to complain and reject the payment. So, lots of businesses at least in Europe have credit card readers cheating like that.
September 21st, 2006 at 4:02 am
Andrew Crystall
mm. In the UK, Chin & Spin…er, Pin is now basically mandatory. So you have to pin. Everywhere.