On 02/02/15 13:56, John Stoffel wrote:
Derek> Customer service. Americans are used to signing their stuff,
Derek> they will lose their PINs and have to have them re-sent to
Derek> them. They will need to wait for their assigned PIN in order to
Derek> use their card at all, as opposed to just being able to use it
Derek> as soon as they get it.
Cost. Chip+Pin requires new terminals for the merchants as I
understand it, which is a significant cost. I'd be *happy* to use a
Pin instead of the scrawl of a signature I use... it can't help but be
more secure.
I don't know what real security the signature provides now.
I think it has two functions:
1) require the clerk to look at the card, for whatever security value
that actually has (and it does make customers think that there is more
security than there is?)
2a) if the signature is not present (the merchant can set the level at
which the signature is required), then the merchant takes 100% of the
risk, otherwise it is split (in some way?) between the merchant and
the bank.
2b) to remind the customer that they did in fact make that purchase
(when the signature matches)
Requiring the correct PIN adds at least another verification step that
can be automated. How strong that verification is is something that the
credit card companies have probably figured out.
Many gas pumps are asking for the billing zip code when using a credit
card, which is not as strong as a PIN (it isn't a secret usually) but
requires at least *some* knowledge of the address of the legitimate card
holder.
Note that several of the recent large-scale credit card attacks have
been attacks on the POS and back-office infrastructure, and
CHIP+anything doesn't help in those cases (as I understand it).
--david
--
David Parter
Director of Academic Computing Services
University of Wisconsin Computer Sciences Department
[email protected]
608-262-0608