h a l f b a k e r y
Good ideas at the time.



                   

credit card transaction numbers

Secure credit card transactions with 'transaction numbers'

The problem with credit cards is in the number. It should be a secret, to keep it from being stolen, but it's not. You are supposed to give the number to someone who wants to sell something to you.

Credit card companies try to address the situation by having you enter the expiration date, or the 'security code' on the back, but that just makes the credit card 'number' longer. If someone breaks into a database or steals your card, they have all the info they need.

I have a proposal for a more secure transaction.

When you are ready to buy something, the vendor gives you a (currency) total and their vendor ID. You give the total and the vendor ID to your bank, who then issues a transaction ID. It's only good for a certain amount of money, for a particular vendor. Anyone who steals this transaction ID can't get anything of value out of it.

The vendor then presents the transaction ID to the bank (or other financial institution) and gets a set amount of money, provided that they have the right vendor ID.

Right now, this would only work on the internet, where you could contact your bank immediately after you get the total and the vendor ID.

lawpoop, Jul 20 2003
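
The flow proposed above, sketched as an added example (not part of the original post and not any bank's real system). The `Bank` class, the 15-minute lifetime, single-use redemption and the sample IDs are assumptions made for illustration; `vendor_id` stands for a vendor the bank has already authenticated.

```python
import secrets
import time

TOKEN_TTL_SECONDS = 900  # assumption: the post sets no lifetime for an ID


class Bank:
    """Toy issuer: holds balances and the transaction IDs it has issued."""

    def __init__(self, balances):
        self.balances = dict(balances)  # account or vendor ID -> cents
        self.issued = {}                # transaction ID -> record

    def issue(self, account, vendor_id, amount_cents, now=None):
        """Customer step: bind a fresh random ID to one vendor and one amount."""
        now = time.time() if now is None else now
        if amount_cents <= 0 or self.balances.get(account, 0) < amount_cents:
            raise ValueError("invalid amount or insufficient funds")
        txn_id = secrets.token_urlsafe(16)  # 128 random bits, not guessable
        self.issued[txn_id] = {
            "account": account, "vendor": vendor_id, "amount": amount_cents,
            "expires": now + TOKEN_TTL_SECONDS, "used": False,
        }
        return txn_id

    def redeem(self, txn_id, vendor_id, now=None):
        """Vendor step: the bank, not the vendor, decides payee and amount."""
        now = time.time() if now is None else now
        rec = self.issued.get(txn_id)
        if rec is None:
            return False, "unknown transaction ID"
        if rec["used"]:
            return False, "already redeemed"
        if now > rec["expires"]:
            return False, "expired"
        if rec["vendor"] != vendor_id:
            return False, "issued for a different vendor"
        if self.balances.get(rec["account"], 0) < rec["amount"]:
            return False, "insufficient funds"
        rec["used"] = True  # single use (assumption): a copied ID is worthless
        self.balances[rec["account"]] -= rec["amount"]
        self.balances[vendor_id] = self.balances.get(vendor_id, 0) + rec["amount"]
        return True, "paid"
```

The ID carries no card number, so a vendor database holding only redeemed IDs contains nothing reusable.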







       "If someone breaks into a database or steals your card, they have all the info they need."
Not true. Credit card numbers only need to be stored for recurring transactions (your AOL account, online RPG, etc). The PIN or security code need never (and should never) be stored.
  

       Who issues "Vendor IDs"? What constitutes a "Vendor"? What stops me from stealing your card and impersonating you AND a vendor?
phoenix, Jul 20 2003
  

       [user reference removed by request --admin] I deal with credit card transactions every day. I know whereof I speak.   

       "PINS are not used in credit card transactions."
Not true. They're called CVV, CVC, CVS or CID in the credit card world, but they amount to the same thing. I called them "security codes" in my first annotation.
  

       "People have quite often broken into databases and stolen credit card information..."
Reread my first annotation, please.
  

       "Vendor IDs are already issued ( I presume ) by VISA and Mastercard"
Nope. They're issued by your bank. They're non-portable and private.
  

       Note that I didn't say it was a bad idea (though I voted against). I only pointed out some shortcomings. The system does not prevent fraud. What it does is remove the vendor from the transaction. By this system, the vendor simply posts its vendor number and lets the customers purchase what they will.   

       From the customer's point of view, every purchase requires a trip to their bank's web page. The bank verifies the card is valid - which is easy for it to do since it issued it, but do you think the bank will do it for free?   

       If my bank's web site is down, I can't buy. How is the money transferred to the vendor? How long does that take? How does the bank verify the card is being used legitimately? A PIN? And if a hacker has inserted his own "Vendor ID" into the web site?
phoenix, Jul 20 2003
  

       My thought was that this would move power from the vendor to the consumer. Right now, Vendors are 'trusted' by the banks. Consumers are not. My proposal moves banks' trust from merchants to consumers.   

       Merchants only receive payment mailed to a physical address. This prevents too much fraud, since PO Boxes and Mail Boxes etc are not allowed as business addresses.   

       So you actually have to have a physical address before you can receive the benefits of fraud.   

       Right now, there are credit card terminals at almost every type of store. There are also ATMs at many stores. This is where consumer gets the Transaction number from their bank. They then give it to the merchant, who checks it with the bank. Consumer then gets their stuff.
lawpoop, Jul 21 2003
  

       Without prejudice to [phoenix]'s comments or rebuttal, I like [user reference removed by request --admin]'s description of Amex's and Visa's systems. I also agree that vendors shouldn't keep your payment details where they can be stolen or else they should be held liable for losses thereby arising, but it is inevitable that many vendors will keep sufficient records to be valuable to a fraudster.   

       [lawpoop]'s idea that consumers could generate their own number using encryption that would allow encoding of value, date and purchaser's identity that could only be read by the credit card company is quite possible with public key encryption. My only concern is that having the credit card details in one's own computer would leave customers at risk from trojans and other hacking techniques. I can think of a dozen ways to attack it and I don't deal with security or fraud for a living.   

       Personally, I think Amex's solution is best and offers the most foolproof and backwardly compatible solution.
FloridaManatee, Jul 21 2003
  

       "Right now, Vendors are 'trusted' by the banks. Consumers are not."
Um, not really. The transaction is between the vendor and the consumer. If the consumer isn't trusted, the lack of trust is on the part of the vendor and for good reason. In the type of credit card transaction we're talking about, the card is not being presented to the vendor, only the card number. The number can be verified, but just because the number is okay, doesn't mean the card is being used legitimately. My company gets around this by shipping first orders to the address of record for the credit card. No exceptions. Subsequent purchases can be sent anywhere the customer desires.
  

       "Merchants only receive payment mailed to a physical address. This prevents too much fraud, since PO Boxes and Mail Boxes etc are not allowed as business addresses."
I'm not sure what you mean here, but I suspect you're thinking of the vendor being a fraud. But what vendor is going to wait 3-7 days to get his money? Hell, my company switched banks to reduce a 2-day float to one.
  

       "Right now, there are credit card terminals at almost every type of store. There are also ATMs at many stores. This is where consumer gets the Transaction number from their bank. They then give it to the merchant, who checks it with the bank. Consumer then gets their stuff."
Okay, but this doesn't address Internet or phone orders. And why wouldn't I use a debit card (or just withdraw the cash if I'm at an ATM)?
  

       Again, this isn't an inherently bad idea, but there are a lot of loose ends. I think there are too many steps involved for the average consumer.
phoenix, Jul 21 2003
  

       It is true that vendors are trusted, and consumers are not.   

       If a vendor submits a card number for a charge or whatever, they are allowed to. They are trusted. Have you ever had a fraudulent charge put on your card? How would that be possible unless Banks gave vendors the benefit of the doubt instead of you?   

       Right now any company that has my credit card number (and CID or whatever) can make a charge to my account, no questions asked. I find out about it only when I get my bill. My bank doesn't even bother asking me!   

       The problem with a debit card is that if it gets stolen and used fraudulently (again, banks trust the vendors), then you are out more money than with a credit card. And notice how *it can get stolen*. If a vendor needs a code that's only good for them, for a certain amount, that code is worthless if it's seen or copied by someone else.
lawpoop, Jul 21 2003
  

       I believe Amex has, or used to have, a system where they would give you a bunch of credit card numbers each of which could only be used with a single merchant or for a single transaction (it would be useful to have some of each type, but I don't know if Amex does). Once one of the CC numbers is used, nobody else can use it but Amex will send the customer some more new numbers they can use.   

       Unfortunately, I suspect Amex probably has some sort of patent on this notion.
supercat, Jul 21 2003
  

       "It is true that vendors are trusted, and consumers are not."
Yeah, but you should see what a vendor has to go through to gain that trust! It's simply not worth it to the vendor to get in trouble with the credit card companies.
phoenix, Jul 21 2003
  

       Chip and pin is useless for card not present (i.e. internet or phone) transactions.   

       How about this to stop card-not-present fraud: When you get the card, you register your mobile number. When you do a CNP transaction, you give your details to the vendor, as at present. Vendor then does whatever they do to verify, which involves an interaction with the CC company. At this point, the CC company generates a random 4 digit number, which it sends to your mobile as a text message, along with the retailer name and the debit amount. You then have to tell the vendor the code, either over the phone or on a web page, and they include this with the card details. Only then is the transaction authorised.   

       Other advantages: you, in effect, get a digital receipt for the transaction stored on your phone, and you will be instantly alerted to attempted CNP fraud on your card by the arrival of unsolicited authorisation codes from the CC company.   

       CC companies could perhaps offer inducements such as low interest rates, cashback, free gifts, to customers who participate in this scheme.   

       Note that card present transactions proceed exactly as at present, as they are adequately defended by chip'n'pin.
Mickey the Fish, May 05 2004
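
The text-message confirmation described in the annotation above, sketched as an added example (not part of the annotation and not any card issuer's real system). The `Issuer` class, the retry limit, the code lifetime, the in-memory `outbox` standing in for an SMS gateway and all sample values are assumptions; the retry limit is there because a 4-digit code has only 10,000 possible values.

```python
import hmac
import secrets

MAX_ATTEMPTS = 3  # assumption: the annotation sets no retry limit
CODE_TTL = 300    # assumption: seconds a code stays valid


class Issuer:
    """Toy card company that confirms card-not-present charges by text."""

    def __init__(self, phone_for_card):
        self.phone_for_card = phone_for_card  # card number -> registered mobile
        self.pending = {}                     # request ID -> pending authorisation
        self.outbox = []                      # (phone, text) in place of an SMS gateway

    def request_auth(self, card, retailer, amount, now):
        """Vendor submits card details; issuer texts a code to the cardholder."""
        code = f"{secrets.randbelow(10_000):04d}"
        req_id = secrets.token_hex(8)
        self.pending[req_id] = {"code": code, "expires": now + CODE_TTL, "tries": 0}
        # Retailer and amount go in the text so the cardholder sees what the
        # code approves, and an unsolicited text signals attempted fraud.
        self.outbox.append((self.phone_for_card[card],
                            f"Code {code}: {retailer} wants to debit {amount}"))
        return req_id

    def confirm(self, req_id, code, now):
        """Vendor relays the code the customer gave; True means authorised."""
        p = self.pending.get(req_id)
        if p is None or now > p["expires"]:
            self.pending.pop(req_id, None)
            return False
        p["tries"] += 1
        ok = hmac.compare_digest(p["code"], code)
        if ok or p["tries"] >= MAX_ATTEMPTS:
            del self.pending[req_id]  # single use; lock out after repeated misses
        return ok
```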
  
      
  


 
