On 25-Feb-12 15:46, Roland Perry wrote:
In message , at 17:30:39 on Sat, 25 Feb
2012, Adam H. Kerman remarked:
I routinely spend amounts of the order of a thousand dollars at
retailers by Chip and PIN card, and it's a one-shot process.

If that's true, then I suspect your credit limit is stored on the card.

It isn't. What you have to accept is that things are done differently in
USA vs the rest of the world.

Aside from our lack of EMV, things aren't done differently in the US;
don't take Adam's misunderstandings as authoritative.

S

--
Stephen Sprunk "God does not play dice." --Albert Einstein
CCIE #3723 "God is an inveterate gambler, and He throws the
K5SSS dice at every possible opportunity." --Stephen Hawking

In message , at 15:39:25 on Sun, 26 Feb
2012, Adam H. Kerman remarked:
My one step: Enter PIN which is checked, and terminal asks CCC
for auth for the exact amount, checking for stolen
cards, floor limits and available credit.
Their one step: [Usually] CCC sends auth to retailer's terminal, which
displays "accepted".

Does the retailer also receive a transaction ID number, a number that
also appears on the cardholder's monthly statement?

If so, then the procedure is comparable to what happens here.

UK credit card statements (including Amex) don't usually have
transaction numbers.

What I was disputing was your retailer "two pass model", with the card
itself being authorised up to some "reserved" amount, ahead of the
actual amount being claimed milliseconds later by the retailer. I don't
know why they'd do that, rather than ask for authorisation of the actual
amount first, because in the UK the amount has to be known before you
enter your PIN into the C&P device, as entering your PIN is an agreement
to pay that precise amount.

The two-pass scheme is used in other circumstances, such as checking
into a hotel, when they often "reserve" an estimate of the final bill,
ahead of the day you eventually check out.
--
Roland Perry

On 2/26/2012 10:44 AM, Adam H. Kerman wrote:
Roland wrote:
at 14:02:21 on Sun, 26 Feb 2012, Adam H. remarked:

Like I said before, I had a $300 transaction in the USA which resulted
in the retailer having to make a phone call, and subsequently asking me
for ID (which I thought wasn't allowed, but there you are).

Why wouldn't he ask? Your transaction was flagged.

I was under the impression that merchant agreements in the USA did not
allow them to ask for ID. How they resolve flagged transactions, if
that's the case, isn't my problem.

Your card issuer didn't know you were traveling for whatever reason,
so the transaction appeared to be suspicious as it occurred in a
location they didn't expect it to be used in. Doesn't that sound
reasonable to you?

http://consumerist.com/2008/02/apple...agreement.html

I'm not reading that article, irrelevant to your situation.

To summarize the article, they can ask, but not record any info under
California law.



I think that anything that happens after initial denial and the call
into the authorization center changes the concept of what is and is not
allowed by the merchant agreement.

In message , at 15:44:06 on Sun, 26 Feb
2012, Adam H. Kerman remarked:
I was under the impression that merchant agreements in the USA did not
allow them to ask for ID. How they resolve flagged transactions, if
that's the case, isn't my problem.

Your card issuer didn't know you were traveling for whatever reason,
so the transaction appeared to be suspicious as it occurred in a
location they didn't expect it to be used in. Doesn't that sound
reasonable to you?

Yes and no. I'm a frequent traveller, and that credit card is an
affinity card for a global hotel/flyer club. They should not be
surprised if I travel (and have plenty of evidence that I do).

I'm certainly not going to ring the bank every time I head for the
airport. And this was the first time in years that any of my credit
cards was flagged just because I was travelling.

(I have had other cards flagged because I have dared sit at home and
book more than two flights in a day... but that's another story).

http://consumerist.com/2008/02/apple...agreement.html

I'm not reading that article, irrelevant to your situation.

You should, because it explains why they may have been outside their
remit in asking for ID.
--
Roland Perry

On 26-Feb-12 04:18, Roland Perry wrote:
In message , at 16:10:19 on Sat, 25 Feb
2012, Stephen Sprunk remarked:
AIUI, in Europe the customer is liable for fraud with EMV cards, which
is why banks and merchants have pushed it there--

Then your understanding is incorrect. There's no extra risk from the
customer using EMV.

Then what was with the numerous news and blog articles to that effect
several years ago, including (in the latter) instructions on how to
break the EMV chip to force signature transactions?

S

--
Stephen Sprunk "God does not play dice." --Albert Einstein
CCIE #3723 "God is an inveterate gambler, and He throws the
K5SSS dice at every possible opportunity." --Stephen Hawking

In message , at 11:12:33 on Sun, 26 Feb
2012, Alan Larsson remarked:
http://consumerist.com/2008/02/apple...agreement.html

I'm not reading that article, irrelevant to your situation.

To summarize the article, they can ask, but not record any info under
California law.

And they aren't routinely allowed to ask, under the merchant agreement.

I think that anything that happens after initial denial and the call
into the authorization center changes the concept of what is and is not
allowed by the merchant agreement.

Perhaps; if anyone has a copy of the merchant agreement, maybe they can
comment.
--
Roland Perry

On 26-Feb-12 04:39, Roland Perry wrote:
In message , at 16:55:37 on Sat, 25 Feb
2012, Stephen Sprunk remarked:
There's some over-simplification here. While I agree that some
retailers (especially high-margin ones like restaurants) may not
require a signature, there's a second floor limit above which they
have to call the credit card company. That limit seems to me to be
much lower than you'd get in the UK for a similar transaction
verified by PIN.

By "call the credit card company", do you mean actually speak with a
human, or just do a standard automated authorization?

With a human.

Perhaps I just don't spend enough money to run into that ceiling, but I
regularly charge amounts up to ~USD 3k.

My bank does periodically call me /after the fact/ to verify atypical
transactions, but merchants never see that: their authorization goes
through normally.

Like I said before, I had a $300 transaction in the USA which resulted
in the retailer having to make a phone call,

I'm almost certain that's because your bank flagged it as a potentially
fraudulent transaction due to being from a foreign (for you) country,
not due to the amount.

and subsequently asking me for ID (which I thought wasn't allowed, but
there you are).

I'm not sure whether it's allowed or not, but it's common at merchants
with high chargeback rates. You can always refuse to show ID, but
they're not required to accept the card anyway.

Yes, there are many demographic factors that correlate well with local
crime rates, and a customer can fairly accurately predict (from a brief
look around the area) whether prepayment is required at a gas station.
However, card processors don't care about demographics; they only care
about chargeback rates.

Notably, certain industries (eg. retail electronics) are known to have
high chargeback rates regardless of demographics;

And your hypothesis is that stolen/skimmed cards will turn up equally
likely in retail electronics outlets in the good and bad parts of town?

It's not _my_ hypothesis; it's a statistical fact determined by the card
processors.

I'm not sure about "equally likely" either, but retail electronics
merchants even in "good" parts of town have "unacceptable" chargeback
rates and are required to take extra steps that other merchants in those
areas are not required to take. It's possible such merchants in "bad"
parts of town are even worse.

S

--
Stephen Sprunk "God does not play dice." --Albert Einstein
CCIE #3723 "God is an inveterate gambler, and He throws the
K5SSS dice at every possible opportunity." --Stephen Hawking

In message , at 10:18:39 on Sun, 26 Feb
2012, Stephen Sprunk remarked:
AIUI, in Europe the customer is liable for fraud with EMV cards, which
is why banks and merchants have pushed it there--

Then your understanding is incorrect. There's no extra risk from the
customer using EMV.

Then what was with the numerous news and blog articles to that effect
several years ago, including (in the latter) instructions on how to
break the EMV chip to force signature transactions?

Paranoia.
--
Roland Perry

In message , at 10:27:13 on Sun, 26 Feb
2012, Stephen Sprunk remarked:
Like I said before, I had a $300 transaction in the USA which resulted
in the retailer having to make a phone call,

I'm almost certain that's because your bank flagged it as a potentially
fraudulent transaction due to being from a foreign (for you) country,
not due to the amount.

I use credit cards in foreign countries regularly. This was due to it
being an electrical retailer without C&P (which you would not expect in
the USA anyway), and not either the amount or the location.

and subsequently asking me for ID (which I thought wasn't allowed, but
there you are).

I'm not sure whether it's allowed or not, but it's common at merchants
with high chargeback rates. You can always refuse to show ID, but
they're not required to accept the card anyway.

I did think about trying a different card.

And your hypothesis is that stolen/skimmed cards will turn up equally
likely in retail electronics outlets in the good and bad parts of town?

It's not _my_ hypothesis; it's a statistical fact determined by the card
processors.

I'm not sure about "equally likely" either, but retail electronics
merchants even in "good" parts of town have "unacceptable" chargeback
rates and are required to take extra steps that other merchants in those
areas are not required to take. It's possible such merchants in "bad"
parts of town are even worse.

And yet I can routinely buy things (expensive as well as cheap) in the
UK from electrical retailers, without any referral to the card company.
--
Roland Perry

On 26-Feb-12 10:10, Roland Perry wrote:
In message , at 15:39:25 on Sun, 26 Feb
2012, Adam H. Kerman remarked:
My one step: Enter PIN which is checked, and terminal asks CCC
for auth for the exact amount, checking for stolen
cards, floor limits and available credit.
Their one step: [Usually] CCC sends auth to retailer's terminal, which
displays "accepted".

Does the retailer also receive a transaction ID number, a number that
also appears on the cardholder's monthly statement?

If so, then the procedure is comparable to what happens here.

UK credit card statements (including Amex) don't usually have
transaction numbers.

Nor do any of my current US credit, debit or charge card statements. I
vaguely recall one bank including transaction numbers a decade or two
ago, but not since then.

What I was disputing was your retailer "two pass model", with the card
itself being authorised up to some "reserved" amount, ahead of the
actual amount being claimed milliseconds later by the retailer. I don't
know why they'd do that, rather than ask for authorisation of the actual
amount first, because in the UK the amount has to be known before you
enter your PIN into the C&P device, as entering your PIN is an agreement
to pay that precise amount.

The two-pass scheme is used in other circumstances, such as checking
into a hotel, when they often "reserve" an estimate of the final bill,
ahead of the day you eventually check out.

Hotels are the most obvious example, but restaurants with waitstaff do
the same thing: they will authorize the card for the subtotal (price
plus tax) plus a liberal estimated tip (eg. 20-25%). Either way, the
actual total isn't submitted until the transaction is
posted--potentially several days, not "milliseconds", later.

Most other merchants authorize for the exact total, since it is known as
soon as the purchases are rung up. The main exception is when the
transaction is below the merchant's "floor", in which case they aren't
required to authorize at all: they just post the transaction when they
get around to it--and if posting fails, the card processor eats the loss.

S

--
Stephen Sprunk "God does not play dice." --Albert Einstein
CCIE #3723 "God is an inveterate gambler, and He throws the
K5SSS dice at every possible opportunity." --Stephen Hawking