Jerrold Leichter wrote: > There have been a couple of articles in RISKS recently about the fairly recent > use of a two-factor system for bank cards in England. There are already > significant hacks -
yes ... > and the banks managed to get the law changed so that, with > this "guaranteed to be secure" new system, the liability is pushed back onto > the customer. I'm not too sure what you mean. In the UK the merchant is not usually liable for card-present fraud. There has been / is about to be a change to the liability of the merchant, usually to the effect that if a fraud is successful because the merchant hasn't installed PIN equipment then they will be liable. A few banks are making merchants liable for all fraud if PIN equipment has not been installed. EMV said the change would begin on 1st Jan, but the banks haven't all implemented it yet. Many did so on 1st July. The change occurs in the contract between the aquiring banks and the merchants, not the law; the legality of the change is questionable, but as it is basically just a way to encourage retailers to install PIN equipment it has not been challenged afaik. There is no change in the merchant's liability if he has installed Chip n' PIN equipment - the tales circulating of all merchants becoming liable for all frauds are simply not true. There will also be a change in the way fraud claims are dealt with, to the almost certain disadvantage of the cardholder, as there is no physical signature to contest and at least in the first instance the issuers determine the "facts". However I am not aware of any changes to the law. There was a very recent Banking Ombudsman case where the cardholder had been grossly negligent about her PIN security, but her liability was still limited to £50 (which is a statutory limit and applies to credit cards, but not to debit cards - although it is in practice applied to them too). Usually the £50 limit is not charged by the issuing bank. However the customer eventually pays for fraud anyway, in the form of higher prices, so the issuer - merchant liability split is not of immediate relevance to the customer. It should be tilted firmly against the banks IMO though, as they are responsible for the system, not the merchants, who have no say, as EMV + AmEx is an effective monopoly. BTW, one of my banks recently sent me a leaflet which said Chip n' PIN was going to be introduced worldwide. Anyone know more about that? -- Peter Fairbrother --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]