In message <v03110706b7d555f61a45@[165.247.220.34]>, Bill Frantz writes:
>At 10:11 AM -0700 9/24/01, [EMAIL PROTECTED] wrote:
>>as mentioned in the various previous references ... what is at risk ...
>>effectively proportional to the aggregate of the account credit limits ...
>>for all accounts that happened to have been stored in any account master
>>file ... is significantly larger than any particular merchant may have
>>directly at risk because of a security breach. in the "security
>>proportional to risk" theory .... the entity that has the risk should have
>>control over the security measures, those security measures should be
>>proportional to what they have at risk, and the cost of those security
>>measures should also be proportional to the risk.
>
>It seems to me that because of the $50 liability limit under US law, most
>of the risk is carried by the credit card issuers. They are also in a
>position to require proper security by contract with the merchant.
>
Actually, I believe it's by the merchants. Internet transactions
generally count as "card not present" transactions, which means that
the merchants take the risk.

--Steve Bellovin, http://www.research.att.com/~smb
  http://www.wilyhacker.com

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]