back to article Visa cries foul over Euro regulator's stronger authentication demands

The EU banking regulator’s plans to reduce fraud by obliging the use of passwords, codes or a card reader to authenticate electronic payments above 10 euros have drawn fire from the payments industry. Visa and others argue that mandated authentication checks put forward by the European Banking Authority risk disrupting online …

  1. Doctor Syntax Silver badge

    The politician's syllogism

    Something must be done. This is something therefore it must be done.

  2. Banksy

    Ridiculous

    Under the current arrangements the bank will bear the costs of any fraud (provided you haven't told everyone your PIN) so this new EU requirement doesn't offer any additional protection.

    1. Rich 2 Silver badge

      Re: Ridiculous

      Unfortunately this is not the case. The banks love to advertise that Jo Public will not be held liable for most fraud. This is true. However, the banks usually try and pass the costs on to the retailer - something the banks don't advertise quite so loudly. From previous experience running a small online retail outfit, I can say that the banks don't care a hoot about fraud. Yes, that may have to pay for some of it but it's more than offset by making card use as easy as possible and therefore increase volume of use - the cost of fraud to them is peanuts in the greater scheme of things.

    2. bombastic bob Silver badge
      Facepalm

      Re: Ridiculous

      "Under the current arrangements the bank will bear the costs of any fraud"

      shouldn't THAT be ENOUGH motivation to force the banks to secure THEMSELVES?

      Oh, noze - we must make this a *CRISIS* so GUMMINT can take more control!

      Brexit, anyone? [let's hope UK stores aren't negatively impacted from losing potential EU shoppers]

      1. Anonymous Coward
        Anonymous Coward

        Re: Ridiculous

        The retailers are only liable for fraud when they aren't following the card issuers and payment processor's rules. So if you don't follow PCI standards, or you accept a swipe from a card that has a chip and it proves to have a cloned mag stripe.

        The banks eat most of the fraud. Yeah, in theory it is passed along to the retailers as part of the processing fee, but if they were able to eliminate all fraud that's more money in their pockets. Even if competition forced them to pass some of the savings along to retailers, they'd keep some them as profits, so they have incentive to reduce fraud. But only to the extent the cost of fraud reduction is made up for by the actual reduction in fraud.

        The EU might as well require banks to prevent bank robberies while they're at it - that costs consumers money too.

    3. SImon Hobson Bronze badge

      Re: Ridiculous

      Also, and I know someone who's been through this, the bank will assume it was you until you prove otherwise. In this case, the person had his card skimmed at a local petrol station, and it was then used for a local spending spree. As the spending was mostly local, the bank just turned round and made him prove the transactions that weren't his.

      Some of them were easy, he could prove he was working elsewhere for some of them - had to provide copies of his shift rotas etc. But for others it simply came down to his word against the bank.

      Also, it's been proved beyond any doubt (search for the Light Blue Touchpaper blog) that the ship-n-pin system has serious flaws and is not as secure as the banks would have you believe. But, if the bank records show that your pin was used (even though one known flaw allows "PIN authenticated" transactions without the PIN) then they'll simply assume it was you or someone who you gave your PIN to - and short of taking them to court and calling expert witnesses you will not get you money back for that.

      So take these "guarantees" with a big pinch of salt.

      1. Anonymous Coward
        Anonymous Coward

        Re: Ridiculous

        "Also, and I know someone who's been through this, the bank will assume it was you until you prove otherwise ... As the spending was mostly local, the bank just turned round and made him prove the transactions that weren't his."

        This should be a formal complaint to the bank. The FCA guidelines are very clear than when fraud is alledged, the bank *must* refund the monies *immediately* unless they can prove it is not fraud.

        About 2 years ago the FCA/FOS did get rather upset with banks behaving like you've just described (I believe this is due to violation of the provisions of the Payment Services Regulations 2009, although my memory could be playing up on that one).

        1. Anonymous Coward
          Anonymous Coward

          This is the difference between debit and credit

          With debit cards, they've already taken your money. You have to prove to them the charge was not made by you to get it back. With credit, it is just a mark on your account, and if you dispute a charge you don't owe the money unless after investigation they determine the charges were not made by you (and then the bank is reimbursed via chargebacks to the merchant(s) where the charges were made)

          This is why I never absolutely NEVER use a debit card. Not once in my life. I use credit cards for everything, because the protection laws in the US are so much stronger. I've had to dispute charges maybe a dozen times in my life over the years, and have never had any trouble with the process. I don't care that it takes them two months to investigate, because I'm not billed for those charges during the interim.

  3. Voland's right hand Silver badge

    Wonderful

    The regulation threatens to cramp one-click shopping and automatic app payment technologies for anything other than small payments, the argument goes.

    Excellent, where can I donate a beer to whoever came up with this idea. For once the regulator doing their job.

    1. Anonymous Coward
      Anonymous Coward

      Re: Wonderful

      Excellent, where can I donate a beer to whoever came up with this idea. For once the regulator doing their job.

      I would politely suggest that you, Sir, are the sort of person who came up with the Locomotive Act of 1865. Of course, that was a time when British regulators were busy holding back the foul tide of progress, whereas the Europeans were busy wondering how to make money from innovation.

      Funny how times change, eh?

      Personally, I accept the cost of fraud in return for the convenience, particularly when this latest idiocy is the sort of thing that "Verified by Visa" would tick all the boxes for.

      1. JimC

        Re: Locomotive Act

        178,000 injured, 7,300 killed in Road accidents 1930. That tide of progress came with one hell of a price. A bit more regulation might have saved a lot of misery.

    2. Dan 55 Silver badge
      Devil

      Re: Wonderful

      While we're at it, can they sort out contactless payments as well? Some banks don't give you the option of having a normal card, some don't even need a PIN for the first contactless payment to enable it (fraud opportunities with offline contactless payments when they send you your card via post?). ING Direct I'm looking at you. I cut into my cards to disable them and I shouldn't have to do that.

      @Ledswinger: Progress means making it easier for other people to take your money? VbV is bollocks precisely because it's a box-ticking exercise.

      1. AMBxx Silver badge

        Contactless Payment

        I agree, but easily solved with a 1cm cut in the right hand side of the card.

  4. Pen-y-gors

    Don't see whatb the fuss is

    If I shop on amazon (sorry...!) I have to enter my password, if I shop elsewhere and pay by paypal, I have to log in to paypal with a password, so it looks as if both those are already compliant. Of course if I'm trying to make a one-off purchase with a stolen CC then it'll be a lot more inconvenient.

    1. Anonymous Coward
      Anonymous Coward

      Re: Don't see whatb the fuss is

      Yes and no. Paypal and amazon are not banks, do not hold the money, they hold your card details. If they were hacked your details could be grabbed, so then no password needed for transactions as they can add those details to another shop. The additional authentication is with the actual payment processor.

      It shouldn't be a password, it should be a one time code, required, all transactions should be routed through a payment processors site, not the shop site for online shopping.

      This is already been partially done in some countries, hasn't caused the apocalypse.

  5. This post has been deleted by its author

  6. Anonymous Coward
    Anonymous Coward

    VerifiedByVisa always gets in the way....

    ...just topping up a phone by 10 Euro, WTF???

    1. Wensleydale Cheese

      Re: VerifiedByVisa always gets in the way....

      "Visa and others argue that mandated authentication checks put forward by the European Banking Authority risk disrupting online shopping without increasing security.

      Brazen cheek from the creators of Verified By Visa.

      Pot meet kettle.

    2. leexgx

      Re: VerifiedByVisa always gets in the way....

      low risk transactions should trigger the low risk URL response from that verified by visa site (unless you're outside the UK then i would want that to happen, as its likely fraud)

  7. Steve Davies 3 Silver badge

    Does this give Apple Pay the finger then?

    the 10 Euro Limit scuppers Apple Pay in its tracks.

    Unless Apple becomes a bank. Well that probably have more capitalization than many existing banks.

    I guess the EU would have us all using an Abacus.

    1. Velv

      Re: Does this give Apple Pay the finger then?

      Apple Pay is only a front end to your existing card.

      It may be that unlocking the phone is deemed sufficient authorisation in the chain.

    2. Anonymous Coward
      Anonymous Coward

      Re: Does this give Apple Pay the finger then?

      No, Apple Pay is already authenticated either by fingerprint or a passcode protected watch.

    3. leexgx

      Re: Does this give Apple Pay the finger then?

      apple pay requires you to use your finger to unlock the phone before allowing the transaction (actually i think you have to have your finger on the fingerprint sensor on the iphone as your tapping the phone on the reader for the payment) which is very secure (unless they cut your fingers off)

      Android pay errrr turn screen on works the same as contactless debit or credit card witch makes it very simple to use (unlock the phone to allow transactions over £30 if the shop supports it and it resets the 5 transaction limit per no screen unlock), but there is no option to force the phone to be unlocked first (witch can be Stupid easy feature to add to Android pay app "settings > require unlock to accept payment" option, i have asked google to add this option even if its not enabled by default having it, i would use my debit card on it if it had that option)

  8. Anonymous Coward
    Anonymous Coward

    Good.

    I suspect those criticising this measure have never been stung by the stress of fraudulent transactions on their account (regardless of whether they get it back eventually), or had their identities stolen.

    Otherwise, they might be a little less vocal in encouraging banks to make their systems less secure.

    1. Brenda McViking
      Facepalm

      Re: Good.

      No, I'm criticising it because of the additional attack vectors a european government mandated system would inevitably bring to the table. What was it you were saying about ID theft?

      And how does it make bank systems more secure anyway? It's the EU equivalent of mastercard securecode or verified by visa - which have been around for years as a bad solution looking for a problem, and you want to bring the eurocrats in to make it better?

      I can see them now - mandate a hashing algo for your card number and password, which they'll contract crapita to implement, (so that'll be md5, to save costs), and it'll then be mandatory to use that from 2018 onwards (when the euro decline has reached 10EUR = 1USD), and no exceptions.

  9. Unbelievable!

    Getting a bit sick of this type of thing actually..

    Not the crime, but the crazy regulations. Once again the sheeple with no intelligence, fall back onto some other sheeple that happen to be in power, to help them stop making dumb mistakes.

    I'm tired of that.

    The idiots that need that kind of protection need to be allowed to screw up and learn from it, at least it's only money to the numbnuts. Who have plenty usually.

    It's not like Health and Safety ludicrousness (which is useful in that it saves idiots lives).

    No. i think the chumps should be more cautious. Else they are justifying the need for unecessary regulations costing us all money and problems.

    sorry for the rant. I understand when the down votes happen. dont feel bad.

    1. Anonymous Coward
      Anonymous Coward

      Re: Getting a bit sick of this type of thing actually..

      Hello. Just to let you know why I downvoted you. You are far too happy to use insults like sheeple and idiots. Please get down from your ivory tower. All idiots like me care about is the damned system works in the easiest possible way.

      Disclosure. I use Applepay and Apple Macs which I suppose condemns me for all eternity as a sheeple e.t.c. Now I shall duck below the parapet.

      Cheers. Ishtiaq

  10. Peter Prof Fox

    Only the card companies/payment processers can manage the risks

    All I can do with my card is not give it to all and sundry... Oh but I have to in every shop. I have to type in the verification code on any website without knowing if it's been compromised or if my device has been compromised. I've had my bimetallic (according to the Essex electronic crime officer) strip cloned at a petrol station. (Thanks for the dot-matrix printed victim support letter guys!)

    The retailer has a thousand vulnerabilities which are a nightmare to manage. How is Fred's Hotel or Joe's Garage supposed to take any meaningful technical precautions? A bit of CCTV? In the olden days there were paper vouchers to go with notes etc, on the till. Now figures might 'appear' but the trail will be cold by the time logs are analysed.

    So the banks/cc companies/payment processors are the only ones who can manage the maze of risks. The easiest, cheapest, what-we-can-get-away-with approach is unlikely to benefit customers and retailers, hence regulation is required.

    Whether piecemeal regulation is a long term solution is a matter for debate. IMHO I'd say that you should have a 'global' framework, good principles, auditing etc. which evolves slowly and also pragmatic regulations to deal with issues quickly until the 'global' system catches-up with the nimble nere-do-wells.

    Finally, if you steal my chequebook then I will find out and the plods might recover it on your person. If you steal my password then that's completely invisible. Those who control the payment infrastructure are the only ones who have a hope of managing this new environment. Let's hope somebody can force them to have half a thought for the others (consumers, retailers).

  11. a_yank_lurker

    ?

    Over here, the rule for getting fussy about verification is $25.00. Also, one item I have seen is the default delivery address must match the registered address for the card. I do not EU regulations but there could be a problem with the regulators setting rules and not updating them appropriately. Thus the merchants, banks, and card issuers do not do enough because they are compliant with the regulations. (See lifeboats on the Titanic).

  12. Jin

    Biometrics used with a fallback password would ruin the security

    Authentication by biometrics in cyberspace comes with poorer security than PIN/password-only authentication. This video explains why and how it is the case.

    https://youtu.be/5e2oHZccMe4

  13. Neil Barnes Silver badge
    Flame

    While it is still possible

    That some miscreant, under the unsuspecting eyes of my wife and presumably using a commercial card reader, can skim her card and that the resulting fake card can be used to withdraw cash in the USA, there are deeper problems in the system.

    I'm assuming that this is a magstrip copy and that it works because many (all?) US cash machines don't insist on the chip being present in a card.

  14. lglethal Silver badge
    WTF?

    I dont get the hate for this?

    I can understand Visa being upset. That might actually have to force people to implement 2 factor authorisation and yeah that will cost them some money in the short term, but el reg commentards?

    I already have so many sites that send me either an email with a link to be clicked on or send me a text message with a pin code or a notification to my phone with a new pin whenever something changes. Steam, my bank, Amazon. It's a 2 second job to go and check these, and give the correct code, and for that I get significantly better security. I cant see that as a bad thing. I wouldnt have any problem doing that for every online transaction, I dont understand everyones complaints. You cant accept an additional 2 seconds to make your purhcase in order to be sure your safe? Really?

  15. wyatt
    FAIL

    withdrawn as already mentioned (Verified by Visa).

  16. Anonymous Coward
    Anonymous Coward

    Meanwhile...

    My wife has just had to renew her card machine for her business, as she was told her old one was no longer "compliant". That conveniently means another long contract for a new card machine, of course. She is now awaiting the umpteenth phone call, as they have her address details wrong, her business name wrong, the machine is set up incorrectly with wrong details, and she just received a confirmation email containing the banking details of a completely different business, making her wonder who has her banking details. And this from the company that has all her details from the old machine. And they have the nerve to charge her £20 for doing a short box-ticking exercise as a PCI compliance check.

    Makes you wonder where the real problem exists.

  17. Jin

    Crying for criminal-friendly authentication?

    It’s really suprising to see so many people so tragically misinformed. Biometrics should not be brought in where you need to be security-conscious. This video explains why and how.

    https://youtu.be/5e2oHZccMe4

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like