CVV (was: Re: bloomberg on supermicro: sky is falling)

George Michaelson ggm at
Thu Nov 8 09:16:36 UTC 2018

There are two parts of the problem. The first is the assumption of
risk: the current model of operation in the US (like in other western
economies) puts the onus of risk of misuse of the card on specific
actors. When you change the basis from signature (fraud) to chip+pin
(leak of knowledge) you have to change the legal basis. Remember, this
is an economy where WRITING CHEQUES is still normal. Clearly, the
legal basis of money transactions in the US is hugely complicated by
savings and loan, credit unions, banks, state and federal law, taxes.
We all have some of this worldwide, they have a LOT.

Secondly, the cost basis. Who pays? In most of the world the regulator
forced cost onto specific players because they could, and forced
people to tool up because they could. But, the costs did have to get
met. Some people paid more than others. In the US, for reasons not
entirely unlike the first set, *making* people do things with cost
incursion is remarkably difficult. Making the Walmart brothers re-fit
every terminal, when they can go down to DC and buy votes to stop it
happening, making Bank of America spend money re-working its core
finance models to suit online chip+pin when it can go down to Walmart
and lean on the owners to go down to DC and buy votes...

Seriously: It's not lack of clue. It's lack of intestinal political
fortitude, and a very strange regulatory and federal/state model.

On Thu, Nov 8, 2018 at 4:11 PM Mark Tinka <mark.tinka at> wrote:
> On 11/Oct/18 21:31, Chris Adams wrote:
> > Requiring an ID is also a violation of the merchant agreements, at least
> > for VISA and MasterCard (not sure about American Express), unless ID is
> > otherwise required by law (like for age-limited products).  I've walked
> > out of stores that required an ID.
>
> It has always been curious to me how/why the U.S., with one of the
> largest economies in the world, still does most card-based transactions as
> a swipe in lieu of a PIN-based approach.
>
> In South Africa (and most of southern Africa), all banks make the use of
> PINs mandatory, for all types of cards. With the rest of Africa using
> credit cards more recently, I imagine they are also PIN-based.
>
> Europe also uses PINs, as far as I have experienced.
>
> Asia-Pac was swipe-based for a long time when I lived there, but I know
> places like Malaysia and Singapore have started a major PIN-based
> transaction drive in the past 3 years.
>
> 3D Secure for the online version of the transaction also means your card
> number and CVV number are less susceptible to fraud via restaurants and
> the like. Of course, this is not fool-proof, as both the merchant and
> bank need to support and mandate this, which is not well-done at a
> global level.
>
> Mark.

More information about the NANOG mailing list