The End of Online Fraud As We Know It?


Crazy_Fool - 1:44 am on Dec 21, 2002 (gmt 0)


>>The good thing about this is that the PIN verification is
>>not done on the merchant's server, so the merchant will
>>never see the PIN.

unfortunately, merchants collecting card numbers via SSL for manual processing via their bank merchant account will simply add a PIN field to their order pages and store or transmit all the details (card number, PIN, CVV number, name, address, telephone number etc) in plain text format exactly as they do now. fraudsters / hackers / criminals will still obtain these details in exactly the same way as they do now - accessing insecure web sites set up by people with little skill or knowledge and hosted on web servers run by people with little skill or knowledge. the fact that the merchants may not need to collect the PIN number means nothing - they'll ask for it because they think it will make their order form look more legitimate and that it will deter fraudsters.

i believe introducing the PIN number will do little or nothing to prevent fraud.

it'll take time for the PIN system to spread - cards are typically issued for 2 or 3 years at a time, so we're looking at a year or so before PIN numbers are used commonly on the net. by then, merchants and fraudsters will be collecting PINs just the same as they are collecting card and CVV numbers now.

i can only think of one way to really tackle credit card fraud on the net - legislation that is enforced rigidly. ie, make it illegal to collect card details with SSL for manual processing and force all merchants to use an approved online card processing company. this will prevent merchants from storing and transmitting card details in plain text format and will simply cut off the supply of card details to fraudsters / hackers etc. although cards will still be stolen in robberies etc, the thieves won't have the PIN numbers and won't be able to use the cards online as online sales will be through approved processing companies requiring the PIN number. this is only one method to seriously tackle fraud and it won't stop *all* fraud, but it would sure stop the majority of it ...

the shift of responsibility from the merchant to the issuer is a welcome move.


Thread source: http://www.webmasterworld.com/webmaster/1606.htm