undefined | Better HN

0 pointsonion2k11y ago0 comments

Things are not the same here in the UK. Since we got chip and pin cards the onus is on the cardholder - it is assumed that you didn't keep your pin secure.

0 comments

dalke11y ago

When you say "I have a better solution", then it's very easy to believe that you mean it to be taken in the context of the original essay. In this case, the essay's author is located in the US, talking about credit card payments in the US. HN is also based in the US, and I am a US citizen, so the larger context is also US based.

Since you didn't mean it that way, perhaps you could mention that you're switching contexts?

In any case, according to my limited understanding, the UK regulatory landscape changed with the Financial Services Authority (FSA) Payment Services Regulations 2009.

The relevant rule is at http://www.fca.org.uk/static/fca/documents/fsa-psd-approach-... :

> If the payment service provider can show that the payer has acted fraudulently, or has intentionally, or with gross negligence, not complied with their obligations regarding the security of the payment instrument, the payer will be liable for all losses. To avoid doubt, it is not sufficient for the payment service provider to assert that the customer ‘must have’ divulged the personalised security features of the payment instrument, and to effectively require the customer to prove that he did not. The burden of proof lies with the payment service provider and if a claim that a transaction is unauthorised is rejected, the rejection must be supported by sufficient evidence to prove that the customer is guilty of fraud, gross negligence or intentional breach and the reason for the rejection must be explained to the customer.

Has it changed since then? According to http://en.wikipedia.org/wiki/Chip_and_PIN it hasn't.

seanmonstar11y ago

And what about online shopping, where you just typed in your card number into a site?

onion2kOP11y ago

There an "online pin" system called 3DSecure (also known as Verified By Visa) that uses a system of tokens passed by JavaScript to present the user with a form that's held on their bank's servers. Implementing it is optional for the merchant, but if they choose not to then they're accountable for any fraud. If they do then liability is passed to the customer.

It's all very favourable to the credit card companies.

j / k navigate · click thread line to collapse