Thread: Do banks think we are stupid?

Folks, let me try and put some order into the discussion, since there seems to be a few misunderstandings:

But the bank would rather do nothing and absorb the loss.

Since the bank has to pay for any fraudulent charges, I guess they have the right to cancel the card and send a new one [...]

Merchants are liable for credit card fraud, not the issuing banks. It's merchants that carry the costs involved. They lost the goods and they have to return the money to the issuing bank along with a chargeback.

The bank doesn't give out information as to which merchant compromised it.

The bank cannot know who did it, neither it cares. It's usually the merchants that trigger police action.

The chip is useless in preventing fraud. I've read about stores being broken into and their cash register hard-drives stolen. It seems they sometimes contain unencrypted PIN numbers from customers.

Again, would it make sense for the public to boycott such a store when it had its hard-drives stolen? YES, because that would put the pressure on point-of-sales terminals to make them 100% secure.

POS software cannot, I repeat, cannot store any kind of personal information about the purchase. This includes the PIN number for the issuing banks that have that system in their credit cards. The only thing that is stored is the issuing bank authorization code once the transaction is accepted, along with the transaction details, of course, for accounting purposes. This is a legal imposition that all POS software and hardware must obey, if they want to gain a licensed to be commercialized, or in the case of having been developed in-house, a licensed to be used.

Information in any legal POS software is transmitted between the merchant and the issuing bank in encrypted format and no data about the Credit Card is ever stored in the merchant computers. A merchant that gets robbed, and it is revealed their registers contained any kind of credit card information, is going to be in a lot of legal troubles. Over here, at least, a class action lawsuit will almost certainly be conducted by the General Prosecutor against the merchant.

This is true of magnetic band cards of Chip & PIN cards.

Mario F., I agree that POS software is secure in theory. I worked on POS terminals, mag-stripe decoding, etc. But believe me when I tell you I saw a news special on a recent phenomena of store thefts - showing security camera video of thieves taking the hard-drives out of some cash-drawer dealy... but I can not vouch for whether this equipment was a standard POS secure installation or some merchant's makeshift setup.

I also agree that a PIN is encrypted all the way down the wire (or wireless) of a hand-held keypad. The news item about the hard-drive thefts implied that there are cached & unencrypted PINs and/or credit card numbers on those drives... even if someone had to dig up so-called erased temp files to get at them.

I should point out that the bank rep that I spoke with explained that one of the triggers of a compromised card detection is when they see gas purchases or phone card purchases. Especially in another part of the country that's not usual. Because gas pumps do not require the "chip" to be read, nor any PIN to be entered, they are primary testing grounds for stolen or duplicated cards. The mag stripe readers on the gas pumps are not up-to-date with the chip technology. Of course no signature is required either.

I don't know why the purchase of phone cards are similarly favored by crooks. Perhaps there are automated vending machines that dispense such phone cards, and they have simple credit card readers.