[Would it *really* be too difficult to establish law that precludes any merchant from storing the whole of their customers' credit-card details; but permits them to store a (substantial) portion of it, and collect, use and immediately delete the (just-substantial-enough) remainder?

[1234-5678-1234-xxxx mm/yy xxx

[There's also an argument for requiring the customer to supply mm/yy as well, each time they transact - although that's primarily to reduce the cost, delay and interruption arising from using outdated expiry-dates.]

Visa to stop Australian online merchants from storing credit card numbers
Store checkouts to be issued with tokens to thwart breaches.
Julian Bajkowski
itNews
Oct 17 2018
https://www.itnews.com.au/news/visa-to-stop-australian-online-merchants-from-storing-credit-card-numbers-514044

> ... unprecedented pressure from the Reserve Bank of Australia and other
> financial regulators for banks and payments schemes to clean-up ballooning
> levels of online card fraud.
>
>Online payments fraud on all Australian cards hit a whopping $476 million for
>the 2017 calendar year, surging from $418.1 million in 2016 according to
>official statistics from industry body the Australian Payments Network
>released in August.
...
>The stubborn growth in online fraud has prompted a high-level rethink of
>payments regulations, especially because banks for the most part pass through
>online fraud losses to increasingly angry merchants forced to pick up the tab.
>
>Over the last decade, the growth in online that has resulted in most fraud
>liability being shifted from institutions to merchants, creating what many
>believe is a perverse incentive for card issuers and payments processors to
>pay just lip service in terms of fixing the issue.

[My impression has been that merchants have *always* copped most of it. I remember a factoid from a conference in Wellington a few years ago, where the CEO of Kiwibank - a small and not-powerful institution - essentially had zero direct costs from card-fraud (as distinct from expenses trying to prevent it, and to manage it).]

...
>"COF tokenisation replaces card details with unique digital identifiers
>('tokens') that are used for payment without exposing a cardholder's sensitive
>information," Visa said in a statement.
>
>"Each token is merchant-specific, so can only be used with the merchant where
>it is stored, removing any incentive for hackers to try to steal the account
>data."
...

--
Roger Clarke http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916 http://about.me/roger.clarke
mailto:roger.cla...@xamax.com.au http://www.xamax.com.au/
Visiting Professor in the Faculty of Law University of N.S.W.
Visiting Professor in Computer Science Australian National University