
Comment by eduction

2 years ago

You can blame the evil competitor but the real problem is that credit cards are not the right tool for payments to strangers over the internet.

Every time I do a CC transaction I’m giving a stranger exactly the information they need to do an entirely different, arbitrarily large CC transaction in my name with any merchant. That’s bonkers.

I’ve recently seen more use of Apple Pay via websites. Assuming it works as Apple Pay usually does, this at least is technically more secure (though I don’t like giving Apple more power) since it’s basically an exchange of cryptographically secure/verifiable one time tokens.

PayPal is no one’s favorite but at least if you use that you’re not handing over your CC number. (And yet they seem to lock out tons of merchants, hmm)

Why are we still using credit cards? It’s not great as a consumer either - I have had my card locked for traveling within the same city and spending maybe $20 at a merchant I don’t usually visit. I had it locked because of a $5 web service monthly charge - and I had verified the same charge the two prior months.

> Every time I do a CC transaction I’m giving a stranger exactly the information they need to do an entirely different, arbitrarily large CC transaction in my name with any merchant. That’s bonkers.

You may be surprised to know that, when doing a "conventional" CC transaction, you are most certainly not giving any stranger information that would allow them to perform a transaction in your name on another merchant. What you are doing is providing your card information to a PSP (payment service provider) that has been contracted by the merchant and will provide the merchant with a token with which the merchant can trigger a charge request to your card but only to their own pre-approved acquirer account. The merchant can do nothing else with these tokens.

A breach of the merchant's token database would be embarrassing but harmless. A breach of the PSP's database of card numbers would be bad and inconvenient for the cardholders, sure, but it would be a business-terminating event for the PSP as its PCI DSS [0] compliance would be shattered and it would be unable to operate again.

In summary, ordinary card payments are essentially as secure as Apple Pay. The only difference is that in one case you are trusting a gigatech brand which is very saliently involved in the process but whose side-business in payments has only operated since 2014, while in the other case you are trusting businesses that you may or may not have ever heard of —Adyen? Braintree? WePay? Worldline?— but that have probably been dealing with secure payment processing as their primary or only business for much longer.

[0] https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Sec...
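
Added example (not part of the thread, and not any real PSP's API): a constructed in-memory model of the merchant-scoped token described in the comment above. The class `ToyPSP`, its method names, the merchant ids and the acquirer account labels are assumptions for illustration; it models only a leak of the merchant's token database, not a compromised checkout form.

```python
import secrets


class ToyPSP:
    """Constructed, in-memory model of a PSP token vault (hypothetical API)."""

    def __init__(self):
        self._merchants = {}   # api_key -> (merchant_id, acquirer_account)
        self._vault = {}       # token -> (pan, merchant_id); the PAN stays here
        self.settlements = []  # (acquirer_account, amount_cents, last4)

    def onboard_merchant(self, merchant_id, acquirer_account):
        # The acquirer account is fixed at onboarding; charge() has no
        # "destination" parameter, so a merchant cannot redirect funds.
        api_key = "sk_" + secrets.token_hex(16)
        self._merchants[api_key] = (merchant_id, acquirer_account)
        return api_key

    def tokenize(self, merchant_id, pan):
        # Called from the PSP-hosted card form, never by merchant code.
        if merchant_id not in {m for m, _ in self._merchants.values()}:
            raise ValueError("unknown merchant")
        token = "tok_" + secrets.token_urlsafe(18)  # random, not derived from PAN
        self._vault[token] = (pan, merchant_id)
        return token

    def charge(self, api_key, token, amount_cents):
        merchant = self._merchants.get(api_key)
        if merchant is None:
            return {"status": "declined", "reason": "unknown_api_key"}
        merchant_id, acquirer_account = merchant
        entry = self._vault.get(token)
        if entry is None:
            return {"status": "declined", "reason": "unknown_token"}
        pan, owner = entry
        if owner != merchant_id:
            # Token is valid, but it was issued for a different merchant.
            return {"status": "declined",
                    "reason": "token_not_issued_for_merchant"}
        self.settlements.append((acquirer_account, amount_cents, pan[-4:]))
        return {"status": "approved", "settled_to": acquirer_account}


def demo():
    psp = ToyPSP()
    shop_key = psp.onboard_merchant("shop", "ACQ-SHOP-001")
    other_key = psp.onboard_merchant("other", "ACQ-OTHER-002")

    pan = "4111111111111111"  # constructed sample: common test number
    token = psp.tokenize("shop", pan)

    # All the merchant ever stores is the token.
    merchant_db = {"order-1001": token}

    ok = psp.charge(shop_key, token, 2500)

    # Constructed breach: the token table leaks and is presented by a
    # different, fully onboarded merchant using its own valid API key.
    leaked = merchant_db["order-1001"]
    replay = psp.charge(other_key, leaked, 999900)

    return {
        "token": token,
        "ok": ok,
        "replay": replay,
        "settlements": list(psp.settlements),
        "pan_in_merchant_db": pan in "".join(merchant_db.values()),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "=", value)
```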

  • I think you missed the “over the internet” part. When you do a CC transaction over the internet, you give the merchant your CC number and all the other information needed to make a transaction happen. A legitimate merchant may pass that information directly to a PSP, but you can’t deny you’ve given the merchant the information. Surely you’ve filled out a CC form in a website before?

    • Yes, I have filled out a CC form on a website uncountably many times. I can also deny that I have ever given any merchant my card information (at most, if the merchant was utterly massive, I may have given my information to their own fully-owned subsidiary PSP).

      My source is that I work in a payments backend software engineering team at a large company (FTSE 100) that provides an ecommerce platform for multiple medium-to-huge retailers worldwide. And yet, even at such a massive scale, neither our software nor let alone our partnered retailers ever even see the customer credit card number. It's not that we pass it directly to the many PSPs that we integrate with. Rather, only the PSPs' own systems actually see it. And yet, if you were to shop online on any of our retailer partners, as a customer you would still have the illusion that you are giving the actual merchant your number.

      Could a non-PCI-compliant merchant ask you for your credit card number and store it themselves? Well, technically yes. But then they would not be able to do any legitimate transaction using it, as they have no way to use card numbers to get money into their bank account without a PCI-compliant PSP performing the transaction.

      Could a non-PCI-compliant merchant integrate with a PSP in such a way that they send the inputted card number to the PSP [0] rather than the PSP receiving it directly? No, the PSP would laugh in their faces at the suggestion.

      Could a non-PCI-compliant merchant ask you for your credit card number and details and then use them to buy stuff in your name for themselves? Yes, but "non-PCI-compliant merchant" is a very bad euphemism for "online scammer".

          [0] One exception being MOTO (Mail Order/Telephone Order) transactions, but they are a specifically regulated case which, by its very name, is by definition not applicable to online card input.


    • That's actually not how most of e-commerce payment works nowadays. If you use Shopify, the merchant doesn't see your credit card. Same for SquareSpace. Same for Salesforce Commerce Cloud / Demandware, where everything is more often integrated with Stripe/Paypal directly and the merchant never even sees it. Very rare are the merchants that will actually "see" your credit card.

      Merchant doesn't pass your information to the PSP, you are actually talking to the PSP directly.

    • You don't send anything to the merchant. The information goes directly to the PSP and the PSP sends a token to the merchant.

      This usually works by the PSP embedding iframes for the CC fields on the merchant's site (so you're inputting directly to e.g. stripe.com)


    • You’re usually prohibited by the PSP from gathering or storing the CC details directly. You’ll notice you often don’t give the merchant the details directly.

      Some large merchants do take the details directly, but they typically have to go through all the PCI compliance hoops and maintain that.

      There are exceptions, but most of the time the merchant does not see your credit card details.

  • What prevents me from cloning some product's website and changing the payment form to send me the details instead, which I then submit somewhere else to purchase something online for myself? Not sure why Stripe or PCI is even important here.

    (IMO) what GP was arguing for is that we should have a fundamentally asymmetrical form of payment, viz. the information I give for one purchase should not be able to be reused for another purchase, like a one-time token. Imagine if you had to send your private key every time you wanted to purchase something in crypto, for example.

  • This is correct and the GP is (confidently) talking nonsense.

    However the big issue is most normal users would not have the ability to see if they're using an embedded iframe or cross origin JS from Stripe, Braintree, etc.

    • He is not talking nonsense. He is talking what he perceives as a user.

      The same way that when you get a refund, you don't see the money back immediately. What the user doesn't know is that when you pay a business, the same thing happens, and the business doesn't get the money immediately.

      And to pay by credit card feels much more insecure than using paypal or amazon pay, even if it isn't.

  • > You may be surprised to know that, when doing a "conventional" CC transaction, you are most certainly not giving any stranger information that would allow them to perform a transaction in your name on another merchant.

    No. In best case, you’re giving your payment details to a PSP. A couple years ago NewEgg had a JavaScript skimmer on their checkout page that harvested all their customers' payment details for months. Obviously anyone with access and intent could do the same for any payment page.

> I have had my card locked for traveling within the same city and spending maybe $20 at a merchant I don’t usually visit. I had it locked because of a $5 web service monthly charge - and I had verified the same charge the two prior months.

This happens to me almost every time Skype bills me, and I've been a customer for probably 10+ years with both my bank and Skype, and the billing is regular as clockwork. For at least half of that time, I've complained about it vocally and customer service can't do anything. Now I think about this every single time I hear "AI-assisted fraud detection", and by extension, "AI-assisted security" and really "AI-assisted XYZ". Without another credit card, I guess I'd simply live in constant fear of being embarrassingly declined totally at random on any/every transaction. It's not like I know the billing cadence, even though my bank has a decade of history.

Clearly they are simply selling my history to the highest bidder, because they certainly aren't using it to help me. On a related note, ever notice that vanilla "exact substring match" search even in Gmail is just as bad as Google web search? All these corporations that are allegedly indexing us to "value-add" with some perfect high-resolution consumer model can't even do basic shit despite all the spying. I almost expect my privacy to be fucked, like I guess hey that's modernity. What never ceases to surprise me lately is how the pretense has kind of dropped and we get nothing in exchange, even petty conveniences.

  • > This happens to me almost every time Skype bills me, and I've been a customer for probably 10+ years with both my bank and Skype

    Why are you still with that bank? Even if you like everything else about them, couldn't you just open an account with another bank for Skype billing? Having more than one account is helpful anyway for avoiding having a single point of failure where you can't buy anything.

Unfortunately we didn't use the contactless change to finally fix this. NFC payments are still stuck in the world where the client doesn't have a way to make the payment themselves so has to trust the payment terminal the merchant puts in front of him with their secret information. The transaction should have been reversed. The merchant should have the dumb side, where they only communicate payment details, and the client's phone should be the one doing verifications and initiating the payment. It's bonkers that this hasn't become standard yet. Even more bonkers that internet payments didn't make the same switch long ago.

  • at least in this respect the now prevalent UPI (unified payments interface) used throughout India fares better.

    each merchant -- even a roadside vendor or a mobile hawker of wares -- displays a QR code that has their payment account details / UPI handle.

    Customer uses their own phone and UPI payment app to scan that QR code, look at the merchant details displayed, punch in the amount to pay and authorize the payment using their PIN.

    (a variation on this is: hand-held POS terminals display a QR code that also encodes the amount to be paid so that the customer doesn't have to punch in the exact amount).

    and since this is a unified protocol the users are not stuck with a single payment app or a single payments processor or a single bank network to transact with each other. QR codes are universal - can be scanned by any UPI app.

    I have other reservations about the digital trail this leaves for every petty transaction of your life -- and the small risk of a petty vendor being able to harass you later based on the information you leave in their records.

    If we don't trust the government -- this makes us jittery about how much they can track you or even cripple your life by disabling a few key things that you need this all to work smoothly.

    Those risks aside, this UPI system has been a boon to ease of transactions (without worrying about handling cash and change) across the country. Net positive with some scope for improving privacy protections.

    • > look at the merchant details displayed, punch in the amount to pay and authorize the payment using their PIN.

      Feels like a lot of work. I prefer just tapping my phone and then getting the amount charged pushed to my phone and watch so I can complain if it's wrong whilst I'm at the checkout.

  • That would have been nice, but not backwards compatible with millions of POS terminals and payment processing setups out there.

    One big advantage of contactless card payments as implemented in most countries is that you can seamlessly introduce it, making it look like a regular chip or even magnetic stripe transaction to the POS and everything behind it.

    • With the recent new QR systems around Southeast Asia, they got around this by adding support to existing terminals with just a software update. They print out the QR code for the payer to scan. It’s a bit janky, but works until the merchant updates their terminal to one with a screen capable of displaying the QR.


  • EMV is in a substantially better position than online credit card payments: the terminal cannot clone a card (though it sees a PIN and card number, it does not see the CVV, so it is not useful for online transactions, and the card contains private keys which are relatively hard to extract. The only remaining hole is creating a magstripe card, but these are becoming rare even in the US). The card does see and verify the transaction. The two main issues are the PIN entry onto the pad (which exposes some information, though with NFC this hole is somewhat removed), and the fact that the payment is still initiated by the terminal, with no way for the user to independently see the transaction amount before authorising the transaction (NFC on a phone can in principle fix this, though in a somewhat annoying manner: it could refuse the transaction the first time, then prompt the user, and accept the next transaction for the same amount).

  • This is how it works in a lot of places, including everywhere in China and parts of south east Asia. The merchant’s device displays a QR code, which you scan with your phone. The details of the transaction are shown on your screen, and you can select things like where the money should come from, sometimes discounts etc, and then tap to complete the transaction.

> You can blame the evil competitor but the real problem is that credit cards are not the right tool for payments to strangers over the internet.

Granted the entire system needs a revamp, but credit cards are one of the best tools we have to pay strangers right now. Credit card money isn’t your money being spent, and comes with a fraud guarantee. I would rather use a credit card than something linked to my money in a checking account for sketchy transactions.

Yes, it’s a hassle when the card number inevitably gets stolen, but NFC payments, etc are starting to tackle this.

One thing I’ve seen a lot is people misunderstanding credit cards. If you pay them off monthly, you usually get some kind of reward and additionally a huge layer of fraud protection from your personal finances. That being said, I also can’t wait until more secure credit card systems become more prevalent.

  • In much of the world, the "credit card" payment goes through a pre-paid card. Then you're actually putting your own money on the line, and even if there's a guarantee, it's a pain to actually go through the process of invoking it.

    If this is one of the best tools, then I'm really dismayed at the state of payments around the world. SEPA bank transfers are so much better, even if they have other problems.

    • Define "much of the world", because that is absolutely not how credit cards work.

      Paying with a credit card means your credit card company pays that charge for you. Yes, you are borrowing money from your credit card company.

      Once a month (or whatever your billing cycle is), you receive a statement showing all the charges on your credit card. The statement will also show any credits if applicable (eg: refunds). The sum of all charges and credits is called the balance.

      At this time, if you spot any suspicious or fraudulent charges on the statement, you call your credit card company as soon as possible to dispute those charges. If they are indeed fraudulent, those charges are reversed/removed.

      If the statement looks fine, you pay your credit card company whatever balance is shown on the statement.

      Note how your own personal money only comes into contact with the credit card at the time of paying off the charges on the credit card, and only after confirming the charges are legitimate. The credit card company has a vested interest in fighting fraud because it's their money on the line, not yours. This is why credit cards are considered safe and widely popular.

      Contrast debit cards and banks, where all charges on your debit card come into contact with your own personal money immediately. Banks don't have a vested interest because it's your money on the line, not theirs, so they won't be nearly as enthusiastic about fighting fraud on your behalf.


    • Is it? Last time my card was used in an unauthorized way, one phone call to the bank locked the card and had a replacement the following day, and I got a letter a few weeks later for me to sign to confirm it was a fraudulent transaction, that was it.

  • > you usually get some kind of reward

    What kind of reward? I’ve always paid mine off each month and never gotten a reward on any of my ~15 cards.

    • cash back? airline points? I would say you must not be American but you said you have 15 cards so I don't know what to think.


  • My cc number is useless without access to my bank account. The hacker would also need to steal my phone and bypass the fingerprint scanner somehow to get in there.

  • >One thing I’ve seen a lot is people misunderstanding credit cards.

    Practically all the credit card haters turn out to not understand credit cards, it's almost hilarious. Are people not taught even the very basics of financial know-how from anyone?

> Why are we still using credit cards? It’s not great as a consumer either

Because the big networks (Mastercard and Visa) as well as the issuer and acquirer banks spend insane amounts of money on advertising and lobbying - even in the EU where payment fees are capped, the cap on CC fees is notably higher than on debit card/SEPA fees, so there is a clear incentive for everyone in the chain to push for credit cards.

Additionally, issuer banks make a ton of money on interest which means they have even more of an incentive to push for CC usage.

  • And also this reliance on a few payment providers causes the same type of problems as this business has with Google - big businesses trampling yours on a whim, with no real recourse. The problem is actually far worse with payment processors, who are increasingly taking it upon themselves to be an unelected worldwide morality police, deciding which types of commerce shall be legal with their own de facto law.

    • I've talked about this before [0], but tl;dr - American banks operate worldwide, and since they are subject to US laws, worldwide banking is de facto under US jurisdiction.

      > The banks operate under a laundry list of laws outside of a criminal conviction, such as the Terrorist watch list as well as whole countries that are under US sanctions. US sanctions are a particularly large bite because the US will sanction you from the US financial system for working with the above, even if you are not under US jurisdiction.

      > This, of course, doesn't mention all the reporting used for detecting tax evasion or money laundering.

      > US banks are absolutely a wing of the court by operating under the given rule of law, and through the US banks' worldwide influence this 'rule of law' gains a global prominence.

      [0]: https://news.ycombinator.com/item?id=28820330

  • Is it? My bank accounts in two European countries have in the last year transitioned from Visa Credit Cards to Visa Debit cards. Because the banks in both cases wanted about 2.5 euro per month for something that does not provide any value to me. Unfortunately Visa Secure seems to be changing its validation mechanism every 3 months though, which each time is super annoying.

CC in Europe require a 2FA confirmation where you receive usually a notice of the amount you're approving

  • This is not mandatory by law though and mostly it's up to the merchant to decide whether they require 2FA or not. AFAIK payment processors like Stripe actually let you make 3DS (and whatever it's called for MasterCard / AMEX) mandatory.

    I guess problem is that in the US you'll lose a lot of customers by declining payments without 2FA. Also the likes of AMEX use 2FA via email so I guess there could be fraud too.

    • It is required by law (the PSD regulation, specifically) in many circumstances.

  • > CC in Europe require a 2FA confirmation where you receive usually a notice of the amount you're approving

    How does that work when you buy things in places where you don't have cell service?

    Yes, they exist. Even in Europe.

    • The SMS (or more likely, bank app) confirmation thing only happens for online payments – and if you don't have internet, how are you shopping online?

      For payments involving the physical card, the chip on the card and your PIN are the two authentication factors required. (Credit and debit cards are PIN-based in the EU; signatures aren't a thing anymore there.)

    • I guess in those cases, something offline like Google Authenticator (or similar) would be better.

    • And how does the PoS machine work then?

      In the edge case where there is no cell service yet the PoS device has connectivity (e.g. WiFi or other cellular service) they might set up a WiFi access point for users to get push notifications (assuming the 2FA method is not archaic insecure SMS).


    • It does work, though I am not 100% certain of how.

      Something to do with having a “next authentication token” on your device already with a 24hr expiry.

We’re still using credit cards because they severely limit personal liability. Many CC companies give you the ability to have temporary cards with short term expiration linked to your account. However, there are minimal incentives for you to do so.

  • The credit card company and indirectly the vendors carry much of the cost of fraud. The credit card company spends a lot of resources on preventing this fraud. Introducing a proper solution for online payments would allow them to reduce costs and offer better deals to vendors and consumers. They also are the only participant in this who is an individual participant rather than a group. It seems like this is the ideal setup for credit card companies to introduce innovative solutions. They have the incentive and the leverage, yet it's not happening. What am I missing?

    • You are missing that the credit card companies want less transaction friction. If they wanted security we would have chip + pin in the US like the rest of the world. Charging volume overrides everything. Interest rates and those that carry a balance more than make up for fraud losses.

  • Strong authentication/payment confirmation and strong consumer liability protection are not mutually exclusive.

    In the EU, card issuers and merchants are required to use 3DS for e-commerce payments and PIN verification for in-person payments in many circumstances; yet chargebacks are still possible.

We use CC because the infrastructure is there and there is legally mandated (depending on jurisdiction) fraud protection. When you pay with CC, the issuer is potentially on the hook for fraudulent payments, so they are incentivized to provide the protections.

And of course there are many that use CCs for the purpose of a loan to purchase items they can’t currently afford.

Although you're right that Apple Pay is cryptographically verified, you may be surprised to know these two things:

1. you can charge any amount - the amount shown in the Apple Pay UI is arbitrary

2. you can make multiple charges, also of any amount (e.g. for a subscription)

It is tokenized, but practically it's just a card number you can charge like any other card number. It's also typically linked back to the original PAN, so multiple payments can be correlated together with ease.

  • Your payment processor and the network has to trust you if you're reusing the Apple Pay cryptogram for a subscription payment. You _can_ do anything (e.g. you can represent yourself as an open loop transit network reader and get a card number without any authentication from express mode cards!), but the network will not allow you to succeed doing that for very long, if at all.

> Why are we still using credit cards?

Because they're accepted by pretty much everybody and nobody has come up with a system that is any better.

A multi-cryptocurrency payment system would be the perfect solution for online payments but unfortunately nobody has figured out how to solve the double-bullet problem which stands in the way of mass adoption.

  • Central banks are preparing to launch the digital euro and the digital dollar. Cryptos had their chance and they blew it.

  • No, it's really not. As a buyer I don't want irreversible transactions to someone anywhere in the world, I want something that if the seller isn't acting fairly (items not as described, not shipping orders, etc) I can lean on to get my money back.

That's why 3D secure exists: https://en.wikipedia.org/wiki/3-D_Secure

Blame your government for not caring enough to have it implemented

  • I hate 3D Secure, it's a way for banks to move the liability and inconvenience to me, their customers. In most implementations, I need to wait for an SMS, often that SMS takes ages to come.

    Then there's a bit of a monopoly with 3D Secure implementation by cardinal.js and their solution falls down completely if you have a decent amount of traffic on the site (I have worked on flash sales websites, cardinal js is about as reliable as I can throw my car)

  • Blaming certain government can get you banned not only from facebook but from real life altogether.