
mfcorey1

(11,001 posts)
Sat Oct 10, 2015, 02:05 PM Oct 2015

The FBI warns of weaknesses in chip-and-sign credit card systems

The FBI has a stern warning for the credit card industry's latest security measure, the EMV chip. In a statement today, the FBI's Internet Crime Complaint Center warned that the new chips don't prevent online fraud or point-of-sale compromises of the type seen in the Target hack. The warning emphasizes the weakness of signature-based systems ("chip and sign" rather than "chip and PIN"), and instructs merchants to require a PIN number in place of a signature wherever possible. "This fully utilizes the security features built within the EMV card," the warning states.

The underlying weaknesses in the warning were already known to much of the industry, but it emphasizes the frustration many feel with the current deployment. "The FBI’s alert should be a wake-up call to the banks and card networks that continue to stand in the way of making PIN authentication the standard in the US just as it has been around the world for years," said Brian Dodge, executive vice president of the Retail Industry Leaders Association, in a provided statement.

http://www.msn.com/en-us/money/technologyinvesting/the-fbi-warns-of-weaknesses-in-chip-and-sign-credit-card-systems/ar-AAfhog7?li=BBieTUX


Glassunion

(10,201 posts)
1. 'merica... Where we take something that has been working for years and
Sat Oct 10, 2015, 02:13 PM
Oct 2015

Fuck it up.

I have been saying this for two years now. EMV is an excellent system, we should do this in the US. So we did, after years of delays, push back, etc... Then we fuck it up on the end because we are too worried that the 'Merican consumer might haz a sad if they have to leave their card in the unit for the whole transaction (oh the horror!), and then they will haz a double-sad if they need to enter a PIN number.

I say fuck it, you want a more secure system? Deal with the extra seconds to complete your transaction.

TransitJohn

(6,932 posts)
13. I actually think that it's much more about
Sun Oct 11, 2015, 11:54 AM
Oct 2015

business owners not having to begin paying a living wage, and continuing to have consumers pay their labor directly through tips. On a signature transaction, the customer can leave a tip; with the use of a PIN, the server has to ask right away if the customer wants to include a tip on the transaction.

FrodosPet

(5,169 posts)
14. Tips or wages, the consumer ALWAYS pays.
Sun Oct 11, 2015, 12:41 PM
Oct 2015

I suppose you COULD start a restaurant where the food is free or costs less than the cost of doing business, so the owners themselves are paying the employees, but most people will eventually run out of money doing it that way. The business closes, the workers are unemployed, but at least "Fuck Capitalism".

TransitJohn

(6,932 posts)
16. How a no-tipping policy helped this restaurant triple profits in 2 months
Sun Oct 11, 2015, 12:46 PM
Oct 2015

The business model has been so successful, says Bar Marco founder Bobby Fry, that it is expanding the concept to sister restaurant The Livermore.

If this doesn’t sound like your typical bistro, it’s only the beginning of Bar Marco’s progressive approach. Earlier this year, the restaurant garnered national headlines when it announced it would completely eradicate tipping as of April 1. Instead, every employee now receives a base salary of at least $35,000 (plus bonuses based on profits), health care from date of hire, 500 shares in the business and paid vacation.

How can it pull this off? The answer lies in a retooled menu comprising cheaper, local ingredients, and portions slashed into shareable platters. “Here’s the funny thing,” says Fry, “great ingredients are the only thing in this world where the higher the quality, the less the price.”

Bar Marco serves inventive fare, including a $17 dandelion risotto dish, a $14 espresso burger and $16 chimichurri meatballs. While menu prices did drop slightly to account for the new portion sizes, these new sums also increased to factor in employee pay.

Unconventional though the model may be, Fry — who founded Bar Marco in 2011 alongside high school friends Kevin Cox, Michael Kreha and Justin Steel—says it has succeeded far beyond any of their wildest dreams.

http://fortune.com/2015/06/11/bar-marco-no-tipping-policy/

 

SheilaT

(23,156 posts)
27. I like it that they've
Sun Oct 11, 2015, 02:20 PM
Oct 2015

reduced portion sizes. I am frequently crazed by how huge they are in so many restaurants. And especially if I'm travelling, it's not convenient to take things with. Plus, not everything re-heats very well.

FrodosPet

(5,169 posts)
31. I suppose raising prices, reducing portions, and eliminating tips would work
Sun Oct 11, 2015, 08:34 PM
Oct 2015

But it does not change the premise that, one way or another, directly or indirectly, the customers pay the workers.

Glassunion

(10,201 posts)
21. Actually with a signature and chip it'd work the same as with a pin.
Sun Oct 11, 2015, 01:08 PM
Oct 2015

At the end of your sale the server will walk over with a device, you'll key in the tip and sign or enter your pin as your card needs to remain in the device for the duration of the transaction.

There are far more non-tipping retailers in the US than there are restaurants. So I really don't feel that this is the cause.

KitSileya

(4,035 posts)
34. You can definitely let the customer add a tip with a chip and pin machine
Mon Oct 12, 2015, 01:16 AM
Oct 2015

We do it all the time here in Norway, where we've been using chip and pin for ages. There's an option where the customer enters the final amount to be drawn from their account, so that they can add a tip to the amount entered as the minimum by the restaurant.

The US is very behind when it comes to payment options. When I moved to the US to go to college in 1999, I remember being absolutely amazed that I had to get a checkbook with my US bank account. My mom had used checks when I was small, but in 1999, they hadn't been in use in Norway for at least 5 years. In fact, seeing friends in the US use checkbooks still just reinforces how behind the US is when it comes to financial solutions, alongside having to deposit their pay checks, for example.

justamama83

(87 posts)
3. I work in the industry and there is one glaring mistake in this piece.
Sat Oct 10, 2015, 11:00 PM
Oct 2015

The merchant has no control over the pin requirement. That is up to the institution that issued the card. If the issuer does not require one, then the terminal will not ask for a pin entry. Even now, when asked, many of the consumers have no clue what their pin number is, so it's pretty much the blind leading the blind in many cases. As for the online part of the warning, that is old news. It's just common sense that if one avenue is blocked for a person looking to commit fraud they will eventually find another.

Glassunion

(10,201 posts)
12. I'm also in the industry. And I recall in our SOW from the SW vendor
Sun Oct 11, 2015, 11:45 AM
Oct 2015

Stating that it will be configurable by the retailer.

justamama83

(87 posts)
18. How could a merchant require a pin?
Sun Oct 11, 2015, 12:59 PM
Oct 2015

If there is no pin set up by the bank/card issuer the retailer can't make it up out of thin air. If they would somehow configure their POS device to require a pin, and there was none on file at the bank, how would that work? Most issuers are not requiring pins right now; they are using the dip/signature. Check out FAQ #4 at this link; it explains it pretty well.
http://www.creditcards.com/credit-card-news/emv-faq-chip-cards-answers-1264.php

Glassunion

(10,201 posts)
22. I don't have the doc in front of me (not at work)
Sun Oct 11, 2015, 01:12 PM
Oct 2015

But from my recollection, it will send the initial request with a pin, if the bank returns an ack that a pin is setup, it will prompt for a pin, if the ack comes back with no pin defined, it'll prompt a signature.

All I know is that I will A. Use my Apple wallet if available, or B. Set up a PIN on all my cards. If the retailer offers neither, I will avoid using my cards there. Cash always works.
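
The two posts above disagree about who decides whether a chip transaction asks for a PIN or a signature. The EMV specification (EMV 4.3 Book 3, section 10.5) places that decision in the terminal, before anything goes online: the terminal walks the card's CVM List (tag 8E), which the issuer personalises, and performs the first method that its own Terminal Capabilities (tag 9F33) support and whose condition is met. The issuer therefore bounds what can happen (a list with no PIN rule can never produce a PIN prompt), and the merchant's terminal configuration chooses within that bound. What follows is an added example written for this page, not code from the thread or from any EMV kit; the three CVM Lists, the terminal profiles, and the treatment of the "over X" boundary as greater-or-equal are constructed assumptions.

```python
"""EMV cardholder verification method (CVM) selection, EMV 4.3 Book 3 s10.5.

Added example: the issuer personalises the card's CVM List (tag 8E), the
merchant/acquirer configures Terminal Capabilities (tag 9F33), and the
terminal walks the list. The CVM Lists and terminal profiles below are
constructed for illustration, not copied from any real card or terminal.
"""
from dataclasses import dataclass

# CVM codes: low six bits of the first rule byte (EMV Book 3, Annex C3).
CVM_FAIL = 0x00
CVM_PLAINTEXT_PIN_ICC = 0x01
CVM_ENCIPHERED_PIN_ONLINE = 0x02
CVM_PLAINTEXT_PIN_ICC_AND_SIG = 0x03
CVM_ENCIPHERED_PIN_ICC = 0x04
CVM_ENCIPHERED_PIN_ICC_AND_SIG = 0x05
CVM_SIGNATURE = 0x1E
CVM_NO_CVM = 0x1F
APPLY_NEXT_IF_UNSUCCESSFUL = 0x40   # bit 7 of the first rule byte

# Condition codes: second rule byte.
COND_ALWAYS, COND_UNATTENDED_CASH, COND_NOT_CASH, COND_TERMINAL_SUPPORTS = 0, 1, 2, 3
COND_MANUAL_CASH, COND_CASHBACK = 4, 5
COND_UNDER_X, COND_OVER_X, COND_UNDER_Y, COND_OVER_Y = 6, 7, 8, 9


@dataclass
class TerminalCaps:
    """CVM capability bits from byte 2 of Terminal Capabilities (9F33)."""
    plaintext_pin_icc: bool
    enciphered_pin_online: bool
    signature: bool
    enciphered_pin_icc: bool
    no_cvm: bool


def parse_cvm_list(data: bytes):
    """Return (amount X, amount Y, [(cvm_code, apply_next, condition), ...])."""
    if len(data) < 8 or (len(data) - 8) % 2:
        raise ValueError("malformed CVM List")
    x = int.from_bytes(data[0:4], "big")
    y = int.from_bytes(data[4:8], "big")
    rules = [(data[i] & 0x3F, bool(data[i] & APPLY_NEXT_IF_UNSUCCESSFUL), data[i + 1])
             for i in range(8, len(data), 2)]
    return x, y, rules


def terminal_supports(caps: TerminalCaps, code: int) -> bool:
    """Does this terminal declare support for the CVM the card asks for?"""
    return {
        CVM_PLAINTEXT_PIN_ICC: caps.plaintext_pin_icc,
        CVM_ENCIPHERED_PIN_ONLINE: caps.enciphered_pin_online,
        CVM_PLAINTEXT_PIN_ICC_AND_SIG: caps.plaintext_pin_icc and caps.signature,
        CVM_ENCIPHERED_PIN_ICC: caps.enciphered_pin_icc,
        CVM_ENCIPHERED_PIN_ICC_AND_SIG: caps.enciphered_pin_icc and caps.signature,
        CVM_SIGNATURE: caps.signature,
        CVM_NO_CVM: caps.no_cvm,
    }.get(code, False)   # CVM_FAIL and reserved codes are never "supported"


def condition_holds(cond, code, caps, amount, x, y, manual_cash, cashback, unattended_cash):
    """Amounts are assumed to be in the application currency; 'over' is
    treated as >= here (assumption for the boundary case)."""
    table = {
        COND_ALWAYS: True,
        COND_UNATTENDED_CASH: unattended_cash,
        COND_NOT_CASH: not (unattended_cash or manual_cash or cashback),
        COND_TERMINAL_SUPPORTS: terminal_supports(caps, code),
        COND_MANUAL_CASH: manual_cash,
        COND_CASHBACK: cashback,
        COND_UNDER_X: amount < x,
        COND_OVER_X: amount >= x,
        COND_UNDER_Y: amount < y,
        COND_OVER_Y: amount >= y,
    }
    return table.get(cond, False)   # unrecognised condition: skip the rule


def select_cvm(cvm_list: bytes, caps: TerminalCaps, amount: int,
               manual_cash=False, cashback=False, unattended_cash=False) -> int:
    """Return the CVM code the terminal performs, or CVM_FAIL when cardholder
    verification fails (the terminal would then set the matching TVR bit)."""
    x, y, rules = parse_cvm_list(cvm_list)
    for code, apply_next, cond in rules:
        if not condition_holds(cond, code, caps, amount, x, y,
                               manual_cash, cashback, unattended_cash):
            continue                      # condition not met: next rule
        if terminal_supports(caps, code):
            return code                   # first supported, applicable rule wins
        if not apply_next:
            return CVM_FAIL               # unsupported and no fallback permitted
    return CVM_FAIL                       # list exhausted without a CVM


# Constructed CVM Lists (tag 8E): 4-byte X, 4-byte Y, then 2-byte rules.
# Issuer prefers online PIN, then signature, then no CVM:
CHIP_AND_PIN_LIST = bytes.fromhex("00000000" "00000000" "4200" "5E00" "1F00")
# US-style chip-and-sign personalisation: signature first, online PIN as fallback:
CHIP_AND_SIGN_LIST = bytes.fromhex("00000000" "00000000" "5E00" "4200" "1F00")
# No CVM under X = 2000 minor units, otherwise online PIN with no fallback:
LOW_VALUE_LIST = bytes.fromhex("000007D0" "00000000" "1F06" "0200")

# Constructed terminal profiles (9F33 byte 2 decoded).
PIN_PAD_TERMINAL = TerminalCaps(True, True, True, True, True)
SIGNATURE_ONLY_TERMINAL = TerminalCaps(False, False, True, False, True)
UNATTENDED_KIOSK = TerminalCaps(False, True, False, False, True)
```

Running `select_cvm(CHIP_AND_SIGN_LIST, PIN_PAD_TERMINAL, 5000)` yields signature even though the terminal has a PIN pad, because the issuer put signature first; only a terminal that declares no signature support (the kiosk profile) falls through to the online PIN rule. Conversely `select_cvm(CHIP_AND_PIN_LIST, SIGNATURE_ONLY_TERMINAL, 5000)` yields signature: a merchant terminal without PIN support downgrades a PIN-preferring card. A card personalised with no PIN rule at all cannot be made to prompt for one by any terminal setting.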

Orrex

(63,208 posts)
5. Here's how you solve the problem
Sat Oct 10, 2015, 11:37 PM
Oct 2015

Fine retailers $100,000 for each customer's credit card data that they compromise.

The problem will disappear in less than five seconds.

mmonk

(52,589 posts)
6. No.
Sun Oct 11, 2015, 06:37 AM
Oct 2015

The card issuers. If I have a point of sale system that meets all requirements, I shouldn't be held liable if it meets all necessary requirements.

Orrex

(63,208 posts)
7. Yes
Sun Oct 11, 2015, 07:10 AM
Oct 2015

If the data is compromised due to a failure to "meet all requirements," then $100,000 per affected customer is a suitable penalty.

mmonk

(52,589 posts)
8. We aren't the ones issuing the credit or holding our customers' money.
Sun Oct 11, 2015, 07:36 AM
Oct 2015

We'll be happy to ask customers to key one in or have a system that won't allow the transaction to go through without it. But the bank and card issuers charge us both for each transaction. I'm opening up a new business in 2016 and have purchased all the new card readers and wireless apple pay systems based on all new requirements.

Orrex

(63,208 posts)
9. Lovely
Sun Oct 11, 2015, 07:43 AM
Oct 2015

As I noted, if the data breach is the result of a failure on the part of the retailer, then $100,000 per compromised customer is a reasonable penalty. You say that you're up to date and in compliance, and I believe you; the $100,000 won't affect you.

mmonk

(52,589 posts)
10. I agree if the fault lies with the retailer, most definitely.
Sun Oct 11, 2015, 07:47 AM
Oct 2015

Next, hackers will be getting PIN numbers I imagine and we'll have to come up with something else.

 

Chan790

(20,176 posts)
11. ...but then it's not going to effect any change either.
Sun Oct 11, 2015, 07:54 AM
Oct 2015

As mmonk pointed out, the issues which are leading to these breaches are card-issuer-side because they don't want to implement the most-secure iteration of the technology. Perhaps we need to fine them for failing to implement technology that would prevent POS breaches. I'd go one step further and make large breaches grounds for revoking their ability to issue new cards.

I can promise you, if CapitalOne, Chase or AmEx saw this as an issue that could cost them $10B+ LOBs and not mere incidences of material losses they can write-down on the balance sheet and attempt to pin back on the consumer, it would be fixed tomorrow.

FrodosPet

(5,169 posts)
30. In cash we trust
Sun Oct 11, 2015, 08:18 PM
Oct 2015

The rest is bust.

Imagine how many more jobs for cashiers and cash office people there would be if we eliminate plastic.

FrodosPet

(5,169 posts)
17. You are opening a business?
Sun Oct 11, 2015, 12:47 PM
Oct 2015

You terrible capitalist.

You should be pushing for the creation of a state owned social enterprise to provide your product and service, with ALL of us sharing the benefit of your ideas and labor.

By opening a business, thereby promoting the free enterprise business model, you are aiding the 0.01% against the rest of us.

Glassunion

(10,201 posts)
15. I'd also have to say no.
Sun Oct 11, 2015, 12:46 PM
Oct 2015

Pretty much a fine (paid to whom?) of that magnitude will all but stop retailers from accepting credit cards.

A data breach is always hanging over retailers' heads. So they take proactive measures. Here is some reading on the latest PCI DSS standards: https://www.pcisecuritystandards.org/security_standards/documents.php

So as a retailer, you have fees associated with every credit card sale. This is (at least in my industry) a very large number. We could almost double profit, or in all actuality lower our prices if we did not have fees. But that's one of our costs of doing business. Those fees are also shrouded in ambiguity, to the point where the card companies were sued to have more open fee schedules.

Then you have PCI compliance. It's a nightmare to say the least. It's complicated, and at times ambiguous as to the rules or standards. We hire a third party to keep us up to date with the ever changing requirements... They also audit and look for holes that our security dept may have missed. Since data breaches are not just computer/network hacks, but can be localized to a single location or machine, they also visit (secretly) our locations looking for gaps. More money (but again cost of doing business) off the bottom line.

Then there is simple shit like operating systems. Just keep them upgraded, right? Not so simple. First you have the business needs, a back office, host systems, pos software... These are all provided (for us anyway) by a 3rd party. This company is big and holds a significant market share in the industry. Now these SW companies have to provide you with a working system on a supported operating system. Now you can't simply install their software on any old operating system. You see it has to be certified by the PCI to meet all requirements. In 2013, we could not get a Windows 7 or 8 operating system because it was not certified yet. No shit, it had only been available to manufacturing in 2009, yet 4 years later it was still not certified in 2013, and XP support was ending in 4/2014.

So what's a retailer to do? You can't just pack up and pick another SW vendor. A project of that magnitude would take at least 2 years, and would be almost unaffordable. Then you also have the PCI fines. If you don't get your operating systems upgraded to a supported version, the PCI fines from Visa/MC/Amex start pouring in. More money off the bottom line, but that's just a cost of doing business.

So in the end, you pick an older embedded system, which you'll need to upgrade in 5 years, with only about 60 days to physically visit and swap out 100's of systems. More money off the bottom line to hire a 3rd party to help.

Then you have the payment systems. You and your POS provider have to have compliant and certified devices. Then they (POS provider), and your device (card reader) have to work together on a system along with your payment system SW vendor and your credit authorizer to write, configure, and certify a solution, for which Visa/MC/Amex/etc. did not even hand out the requirements until a few months ago. You need to have it installed by the end of this month, but you've not had anything delivered yet, because they are all still working on it and getting it certified. If you miss the end of the month deadline, you are now on the hook for all charge backs (these scams happen a lot). More money off the bottom line, but that's the cost of doing business.

Finally, as a retailer, you have a giant bullseye painted on your back. Imagine if you were handed a briefcase full of $1,000 untraceable money orders totaling 5 million. You were asked to keep them at home for one week. No big deal really. You lock them up in your safe and all is good. But how would you feel if there was a full front page article in the paper stating that you were holding that money in your house? Now you cannot store them elsewhere. You hire security, get an alarm, etc... Now you spent a ton of money securing it, but a criminal was still able to get in and take it. Is it your fault? You took measures. But one of your security guards, who had a clean record stole it. So, since 5 thousand of these money orders were stolen, you're on the hook for $500 million. But hey, that's just a cost of doing business.

Orrex

(63,208 posts)
19. Well, what's the option?
Sun Oct 11, 2015, 01:01 PM
Oct 2015

Retailers have demonstrated repeatedly that they can't be trusted not to spill people's data, either through carelessness or through insufficient security. Do they face any real consequences now?

Fines? Meaningless, unless they're huge.

Lawsuits? Meaningless, because they'll take years and will seek to burden the plaintiffs into abandoning the case.

Customers are inconvenienced, with personal data compromised, the full extent of which may take months, years, or decades to be discovered. Millions of people all wondering if they're going to be screwed when they try to get a mortgage or a car loan because they suffered identity theft thanks to Target failing to take care of business.

I'm sorry, but I'm simply not willing to let retailers off so easily, and I frankly don't believe that they'd abandon credit card sales, which would amount to losing upwards of 95% of their business and more than 99% of their online business.

Glassunion

(10,201 posts)
25. Having card data does not equal identity theft.
Sun Oct 11, 2015, 01:28 PM
Oct 2015

If your card data is stolen, you really need not fear about identity theft. 2 of our cards were compromised in the Home Depot hack. We got new cards, had to spend 20 minutes of our lives re-setting up our auto pays, and that was the end of it. I consider myself a valuable individual and my wife more so, however I cannot value our 20 minutes at $200k.

Now the target issue was different, and they really fucked up. If you were a victim of that one, I'd say that you'd have grounds to sue.

Problem is you have retailers spending millions of dollars each year on fees and security. Then you have criminals working day and night fighting that security. Criminals will always be ahead of their victims. Otherwise they could not make a living at it and would not be criminals. A lot of these hacks of personal data or credit data are not always due to lax security. To fine retailers into non existence because of the actions of criminals will not solve the problem.

Orrex

(63,208 posts)
26. Well, let's see...
Sun Oct 11, 2015, 01:47 PM
Oct 2015

20 minutes X 1 million people = 20 million minutes = 333,333.33 man-hours. Kind of a big deal IMO.

And even if your 20 minutes isn't a big deal, the store/vendor/bank that fucked up needs to be held accountable to a degree that discourages from fucking up again in the future, and if everyone shrugs and says "20 minutes--meh," then it will continue indefinitely.


20 minutes is 1.38% of a day. Hell, that $50 item that Sally stole from Target represents far less than 1.38% of a store's daily intake, let alone the entire company's, but you can bet your ass that they're going to go after Sally for it.

Glassunion

(10,201 posts)
28. Your fines for Home Depot would equal 5.6 Trillion dollars
Sun Oct 11, 2015, 02:26 PM
Oct 2015

Your example would be the equivalent of paying each of those folks $300,000 an hour for their time. You never said who gets the money.

I get that you are upset, and rightfully so. But the level of your fines would effectively kill any retailer or bank all on the actions of criminals, not the retailers. Most retailers work very hard at securing their systems. It's a tough question. Target had very secure networks, and the hack itself was beyond their control at the end of the day. However they screwed up by storing certain data that they really should not have, but there was no rule against it. Thus far it has cost them in the neighborhood of $140+ million dollars. That's no drop in the bucket.

That stated, each customer is entitled up to $10,000 from Target if they can prove a loss. That's a pretty significant amount.

Home Depot, which was a larger hack (56 million cards), was not Home Depot's fault, so even if you have damages, you'd not be entitled to anything.

At the end of the day, I don't think that the fine of 100k per account would pass muster in regards to the 8th amendment.

Orrex

(63,208 posts)
29. Couple o' thoughts:
Sun Oct 11, 2015, 02:43 PM
Oct 2015
You never said who gets the money.
Well, when I have to pay $187 for a $25 traffic offense, who gets the $162? It seems that we have a well-established mechanism in place already for distributing fines into public coffers. Use the excess, beyond compensation for injured customers, to fund those public services used so extensively by the retailers' employees, such as food stamps, WIC, LIHEAP, etc.

Your fines for Home Depot would equal 5.6 Trillion dollars
It is not uncommon for a private citizen to suffer fines and penalties sufficient to cause financial ruin. We can quibble about the $100K figure, which I should concede is a pie-in-the-sky amount intended as a crushing hammer-blow to an at-fault entity, but I'd be content with any amount that actually offset loss and served to deter future fault by the entity, rather than a slap on the wrist that provides little incentive to change.

Also, forbid companies to write off those fines as deductible losses.

That stated, each customer is entitled up to $10,000 from Target if they can prove a loss. That's a pretty significant amount.
Is that for real? I'd missed that figure, but I'd call it encouraging. "Up to" is problematic, because $0.01 is "up to" $10,000, but it's a start.

justamama83

(87 posts)
20. The problem with that is
Sun Oct 11, 2015, 01:02 PM
Oct 2015

the merchant is not under any mandate to comply with EMV- only issuers and processors. What EMV really is for- a shift of liability off the issuer to the merchant for charge backs due to fraud. The issuer prior to October 1 was liable for those types of charge backs. So now, if a merchant is not set up to accept the chip/pin/signature they are responsible for the charge back. Also, EMV is not going to protect from a breach - it's designed more to stop skimming and cloning of credit card numbers- the chips cannot be scanned like the magnetic strip can.
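
The post above states the core of what EMV is for: the chip cannot be copied the way a magnetic stripe can, and EMV does nothing for a breach or for online (card-not-present) fraud, which is also the FBI's point in the original article. The reason is the Application Cryptogram: every chip transaction carries a MAC over transaction-unique data (the card's Application Transaction Counter, tag 9F36, the terminal's Unpredictable Number, tag 9F37, and the amount), computed with a key that never leaves the chip, whereas a stripe and a web checkout carry only static data. The following is an added example written for this page, not code from the thread or from any card scheme. It is a toy model: HMAC-SHA256 stands in for the 3DES/AES session-key MAC of EMV Book 2, the key derivation is a constructed stand-in for EMV key diversification, and the PAN, expiry and CVV2 are constructed test values.

```python
"""Why a chip transaction does not replay the way stripe or web data does.

Added example, not code from the thread. HMAC-SHA256 is a stand-in for the
EMV session-key MAC (real cards use 3DES or AES per EMV Book 2); the key
derivation and every PAN/expiry/CVV2 below are constructed for illustration.
"""
import hashlib
import hmac
import secrets


def derive_card_key(issuer_master_key: bytes, pan: str) -> bytes:
    """Stand-in for EMV key diversification: one key per PAN, injected into the
    chip at personalisation and otherwise known only to the issuer host."""
    return hmac.new(issuer_master_key, pan.encode(), hashlib.sha256).digest()


def application_cryptogram(card_key: bytes, atc: int, un: int, amount: int) -> bytes:
    """MAC over the transaction-unique fields; truncated to 8 bytes like an ARQC (9F26)."""
    msg = atc.to_bytes(2, "big") + un.to_bytes(4, "big") + amount.to_bytes(6, "big")
    return hmac.new(card_key, msg, hashlib.sha256).digest()[:8]


class ChipCard:
    """The chip: holds the key, advances the ATC, never reveals the key."""

    def __init__(self, pan: str, card_key: bytes):
        self.pan = pan
        self._key = card_key
        self.atc = 0

    def generate_ac(self, un: int, amount: int):
        self.atc += 1
        return self.atc, application_cryptogram(self._key, self.atc, un, amount)


class IssuerHost:
    """Issuer authorisation host: recomputes the ARQC and tracks the ATC per PAN."""

    def __init__(self, master_key: bytes):
        self._mk = master_key
        self._last_atc = {}

    def personalise(self, pan: str) -> ChipCard:
        return ChipCard(pan, derive_card_key(self._mk, pan))

    def verify_arqc(self, pan: str, atc: int, un: int, amount: int, arqc: bytes) -> bool:
        expected = application_cryptogram(derive_card_key(self._mk, pan), atc, un, amount)
        if not hmac.compare_digest(expected, arqc):
            return False          # wrong key (clone) or altered fields
        if atc <= self._last_atc.get(pan, 0):
            return False          # counter did not advance: replay
        self._last_atc[pan] = atc
        return True

    def verify_card_not_present(self, pan: str, expiry: str, cvv2: str, on_file: dict) -> bool:
        """Web checkout: no chip, no cryptogram, only static printed data, so a
        value skimmed once is accepted every time it is resubmitted."""
        return on_file.get(pan) == (expiry, cvv2)


def chip_purchase(card: ChipCard, amount: int, issuer: IssuerHost):
    """Terminal side: fresh Unpredictable Number, ask the card for a cryptogram, go online.
    The returned tuple is exactly what a compromised terminal could capture."""
    un = secrets.randbits(32)
    atc, arqc = card.generate_ac(un, amount)
    return issuer.verify_arqc(card.pan, atc, un, amount, arqc), (atc, un, arqc)


def replay_captured(issuer: IssuerHost, pan: str, amount: int, captured) -> bool:
    """Attacker resubmits a captured cryptogram, once unchanged and once with a new UN."""
    atc, un, arqc = captured
    same_un = issuer.verify_arqc(pan, atc, un, amount, arqc)
    new_un = issuer.verify_arqc(pan, atc, secrets.randbits(32), amount, arqc)
    return same_un or new_un
```

A genuine card keeps working after the replay attempt because its ATC advances on every transaction, while the captured cryptogram fails twice: unchanged, it trips the ATC check; with a new Unpredictable Number, the MAC no longer matches. A card built from skimmed static data alone has no key and cannot produce any valid cryptogram at all. The card-not-present path has none of this protection, which is why the chip rollout changes nothing for online fraud.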

Orrex

(63,208 posts)
23. Well, my point is this:
Sun Oct 11, 2015, 01:15 PM
Oct 2015

Currently, no one faces any perceptible consequences except the consumer, the one party in these debacles who's least able to affect the outcome.

If the burden were placed on the retailer, the vendor, or the underlying bank, we'd see a much different situation. Instead, the customer has to change cards and update online auto-pays and worry about identity theft, etc., while the retailers/vendors/banks say "sorry, but we admit no fault."

Why is no one seriously, demonstrably on the hook for this?

Glassunion

(10,201 posts)
24. It's also being designed to get card data off of the merchant's systems
Sun Oct 11, 2015, 01:16 PM
Oct 2015

So if there is a breach, there is nothing for them to get.

Our focus is on decoupling the card readers from the POS systems. This is huge as far as security is concerned. If your card data is decoupled and no card data is flowing through the POS, and you have 100% P2P encryption, your visibility is exponentially reduced.

Lydia Leftcoast

(48,217 posts)
32. I've wondered about that
Sun Oct 11, 2015, 09:03 PM
Oct 2015

In Europe, they use a chip-and-PIN system, which seems a lot more secure than a signature system.

In fact, on my trip to Scandinavia, I had been requesting a signature form, but then I encountered someone who didn't have any and urged me to try my credit card's PIN. I happened to know it, and it worked, even in the Danish machine.
