January 02, 2005

Chip&Pin liability shifts from UK bank to retailer

This weekend, there was apparently a big shift in liability in the UK retail payments market, as reported by the BBC. Over the last year (2004) something like 600k of the 860k automated tills have been upgraded to use a new chip&pin method of account authorisation. This method is new to the UK at least; the Continentals have been using it for yonks.

What was interesting was that those who have not yet upgraded have now been lumbered with the liability. This is one of those vexing issues that circulate around soft money transactions: when the transaction gets rolled back, who carries the cost?

Traditionally, it has been said that the larger party is "more responsible," in more than one sense of the phrase. But banks have always balked at this, and have always sought ways to shift out of the liability as far as anyone lets them.

In this case, the deal appears to be that the retailers upgrade to chip&pin, and in return they no longer have to check for signatures and identity on signed transactions. That's worthwhile. But if they choose not to upgrade, then they incur the shift in liability. (Quite how this was done in legal or contract terms is probably not something they want anyone to poke into.)

So banks are still on the hook for transactions through upgraded terminals, which they hope would amount to most of them. I guess we would now expect to see a lot of hacker attention on how to copy the cards and steal the PINs; given the inherent _two-factor_ security involved here, that will be a lot harder. But not undoable.


Posted by iang at January 2, 2005 09:00 AM

This issue is linked to the recent security article on this blog. That is, when one talks of security, it is 'false sense of'.

My analysis suggests that this is a scammer's gift. It takes the responsibility from the participants of the transactions and places it on the manner of the transaction. As soon as the card is cloned and the pin is stolen, someone can shop with a large degree of impunity.

Part of the propaganda that has oiled the introduction of the system is that when it was introduced in France 80 % of card fraud was reduced. This raises two questions ... was that 80 % of the instances of fraud occurring or was it 80 % of the monies nefariously transferred being reduced? Can someone dig up these figures? The other question is ... with what technology? That is, the propaganda figure assumes a static technological time line. The apparatus for fraud is the same now as it was then and it will be the same forever more ... simply, nonsense.

The last point ... if it's so good, why the liability transfer? Maybe this is what the banks have been waiting for for years ... a means of transferring liability without the non _cognoscenti_ losing confidence in the system.

Posted by: Darren at January 2, 2005 09:28 AM

Ooooops ... strike the 'last point' from the record.

Posted by: Darren at January 2, 2005 09:54 AM

Certainly the attack model is clear: clone the card, crack the pin. But, Darren, why scratch your last comment on liability "from the record"? Has the bank already found you and cancelled your card??? Is it too late to go to Brazil?

Posted by: Iang at January 2, 2005 10:12 AM

Hmm -- my understanding was that MERCHANTS now have the liability and that's that.

That is the New Order -- banks FINALLY did it, they passed liability to the merchants.

(regarding the handful of merchants who have not upgraded to the chip and pin terminal, I have no idea where they stand in the system - probably just the same.)

The word "going around was" that "the whole chip and pin thing is a farce by the banks to move liability from the banks to the shops in terms of credit card liability"

ie, thus, the banks went to the government and said, oh, we no longer want liability for stolen credit cards - let the shops do it, ok ?

the government said "go fuck yourselves"

the banks said "Wait - we're going to introduce this AMAZING NEW system that will change the universe! it is called .. uh .. um .. CHIP AND PIN! that's it! and it has to do with .. uh .. credit cards! If we foot the cost of introducing that amazing NEW BANKING SYSTEM! to BRITAIN! will you let us have what we asked for in the previous paragraph?"

government - "oh, sure"

banks rush back to headquarters, hurriedly put in fone call to marketing department: "Quick, for Christ's sake, someone think up some sort of thing that has to do with technology and is called "chip and pin" !!! anything will do, hurry!"


that's how I heard it anyways ..

Posted by: Jape at January 2, 2005 10:13 AM

The banks are under pressure to reduce their cost and one of the contributing factors was liability. Since the exclusive ability to wire money has been taken away via the internet the cost must come down very soon and the liability must be transferred. The regulatory aspects of risk or liability transfer need to be backed into and the chief reason was security, but in reality it was a franchise to over charge. Now that the exclusive network is gone, the ability to over charge is also gone. So since they layered the risk and liability as the reason they must also back it out now. What lies they laid in over the years are now being removed.

The liability was always with the customer of the bank regardless of it being a merchant or a retail client and regardless of the media used for the transaction. Banks can charge back at will over an extended period of time and may or may not credit the payer of the now busted transaction. Upgrading simply makes things easier for the banks in any scenario. The securitization of consumer receivables also removes the portfolio risk from the bank as well. So now the banks have completed the cycle of risk removal but will suffer the problem of the fading transaction charges they have grown so fat on.

In fact there is an open space in the market place for private finance of consumer receivables via utilization of a private payment system. If merchants and consumers used a P2P system the acceptance of credit extended to either the consumer or the merchant could be sold off in portfolio sale just like the banks do. Since the network is no longer a consideration for a franchise the access to the consumer and the merchants is all that's left. Banks neither hold the debts portfolio or take risk in facilitating the transactions so what keeps merchants from dropping them or consumers from finding a new facilitator? Well, nothing but the chicken and egg scenario ... consumers want something everyone will accept and merchants want what consumers will use. The bank has a notional standoff going on that will be broken some day probably by a merchant that has a hot product and only accepts their form of payment for it, not some banks method. It will probably happen during some Holiday shopping season where the must-have product can only be purchased using one method. If the owner of that method of payment has planned well they can spring this into multiple merchants because they have the consumers. So the creator of the next Tickle Me Elmo or iPod is the place to look and sometime around April when they plan their Holiday (Christmas) efforts. I suggest that the next hot product may very well be a toy of some sort. The leveraged launch could displace the banks in one year. The undoing of vast empires and the makings of new ones rest in the hearts of children's desires.

Posted by: Jimbo at January 2, 2005 02:03 PM

Jim, you should have seen what I deleted from the post ... maybe you did =-o

Posted by: Iang at January 2, 2005 03:31 PM

If I understand the BBC article correctly, we already have such a system in Germany. A very interesting aspect of these systems is card owner liability. If the card is reported to be stolen, and it's used afterwards with the correct PIN, it is assumed that the card owner has written down the PIN somewhere in the wallet.

After roughly a decade of operation, we finally face rogue ATMs (which use the same cards), real but instrumented ATMs which allow for PIN recovery by third parties, and probably rogue merchant terminals, too. (You can buy used terminals on Ebay and replace the electronics.)

There also was an initial problem with PIN generation and offline verification. According to the official statements, completely random PINs are used today.

I believe the industry is gradually moving to hard-to-copy smartcards, but I don't think the new cards are fully deployed before 2006.

Posted by: Florian Weimer at January 2, 2005 05:51 PM

I think Jimbo's right. Ultimately banking comes down to trust. When the shops have access to the same credit-scores as everyone else, they're actually better placed to handle those liabilities than the banks. You're probably a repeat customer, so their past experience with you gives them an edge over the bank.

However, VISA issues credit cards, not the banks. It's VISA's monopoly, the banks are just tagging along for the ride. And VISA doesn't mainly insure the retailer against the customer, most of the "risk premium" is to insure the card-holder against fraud by the retailer. That insurance is the main reason to use a VISA card for big ticket items. VISA is vetting the retailer.

The VISA system is removing itself from one side of the equation, but it's still there. If a payment system involves trusting the retailer, then you have to keep VISA, or create an alternative vetting and resolution mechanism. (Amazon, abebooks, etc?) Real-time settlements can work for face-to-face transactions, but it can't deal with problems like non-delivery.

I like the idea of new cheaper payments systems, but it's going to take more than a toy to do it. It will have to be a more efficient way to handle risk. (Which in many cases might just be to cap the transaction size, and then leave it.) Saving 2-5% per transaction just isn't worth the switching costs to most people.

You wouldn't be looking at ONE system, but a whole structure of systems to cover a range of risk scenarios. There will be times when the sum is so small that no-one cares about risk, and times when you want a formal contract and a lawyer. This change in the law just shifts the risk profile of credit cards.

My bet would be on mobile phones as wallets/smartcards with counter-party risk being hedged off in real-time in giant online micro-debit markets. Different (Ricardian?) contracts would provide the needed flexibility.

Something like that, I'm just guessing :-)

(The regulation of all this would be quite bizarre. Imagine having a trading account pulled for selling your ex-girlfriend short!)

Posted by: Thomas Barker at January 3, 2005 08:13 PM