[LINK] itN: Visa to stop merchants storing cr card details
Roger Clarke
Roger.Clarke at xamax.com.au
Wed Oct 17 08:32:56 AEDT 2018
[Would it *really* be too difficult to establish law that precludes any merchant from storing the whole of their customers' credit-card details; but permits them to store a (substantial) portion of it, and collect, use and immediately delete the (just-substantial-enough) remainder?
[1234-5678-1234-xxxx mm/yy xxx
[There's also an argument for requiring the customer to supply mm/yy as well, each time they transact - although that's primarily to reduce the cost, delay and interruption arising from using outdated expiry-dates.]
Visa to stop Australian online merchants from storing credit card numbers
Store checkouts to be issued with tokens to thwart breaches.
Julian Bajkowski
itNews
Oct 17 2018
https://www.itnews.com.au/news/visa-to-stop-australian-online-merchants-from-storing-credit-card-numbers-514044
> ... unprecedented pressure from the Reserve Bank of Australia and other financial regulators for banks and payments schemes to clean-up ballooning levels of online card fraud.
>
> Online payments fraud on all Australian cards hit a whopping $476 million for the 2017 calendar year, surging from $418.1 million in 2016 according to official statistics from industry body the Australian Payments Network released in August.
...
> The stubborn growth in online fraud has prompted a high-level rethink of payments regulations, especially because banks for the most part pass through online fraud losses to increasingly angry merchants forced to pick up the tab.
>
> Over the last decade, the growth in online has resulted in most fraud liability being shifted from institutions to merchants, creating what many believe is a perverse incentive for card issuers and payments processors to pay just lip service in terms of fixing the issue.
[My impression has been that merchants have *always* copped most of it. I remember a factoid from a conference in Wellington a few years ago, where the CEO of Kiwibank - a small and not-powerful institution - essentially had zero direct costs from card-fraud (as distinct from expenses trying to prevent it, and to manage it).]
...
> "COF tokenisation replaces card details with unique digital identifiers ('tokens') that are used for payment without exposing a cardholder's sensitive information," Visa said in a statement.
>
> "Each token is merchant-specific, so can only be used with the merchant where it is stored, removing any incentive for hackers to try to steal the account data."
...
--
Roger Clarke http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916 http://about.me/roger.clarke
mailto:Roger.Clarke at xamax.com.au http://www.xamax.com.au/
Visiting Professor in the Faculty of Law University of N.S.W.
Visiting Professor in Computer Science Australian National University