[vrprabhu]

Quote:

Originally Posted by binand

Even your VbV/MSC password that you enter once per transaction goes only to the issuing bank. But the scheme being discussed involves sending the PIN to the merchant's website or his payment partner's website.

PIN at POS is not as easy at looks the way it functions or the way we think about it.

Data encryption takes place at the POS terminal. The PIN validation takes place at the issuing bank level.

There are also standards set by PCI - DSS with regard to these. There is a rigorous testing and certification for the processes. If anyone tries to tamper with the POS terminal, it will simply stop functioning. (One problem in India is that during shopping, the card is swiped twice - once at the billing terminal and again at the POS - at many shops).

Even if the PIN is noted down by the merchant, it is practically impossible to misuse it - unless the card data is skimmed and the card is cloned.

What actually happens in our country the merchants are not liable when counterfeited cards are accepted by them - whereas in Europe / UK the law protects the customer and merchant is liable for frauds.

So, don't worry about PIN input at POS - only ensure that both the card and the pin are not given to the merchant. Ideal way is to get the card swiped in your presence and input the PIN there by covering the key pad.

[binand]

Quote:

Originally Posted by vrprabhu

PIN at POS is not as easy at looks the way it functions or the way we think about it.

Data encryption takes place at the POS terminal. The PIN validation takes place at the issuing bank level.

The discussion is about using the PIN as the second factor in online (CNP) transactions.

Quote:

Originally Posted by vrprabhu

What actually happens in our country the merchants are not liable when counterfeited cards are accepted by them - whereas in Europe / UK the law protects the customer and merchant is liable for frauds.

I am of the opinion that both these view points are wrong. One cannot attribute to the merchant the expertise and investment to detect counterfeit cards. The liability should always be on the issuing bank - they are the ones who ultimately sign-off on the transaction. I am hopeful that some of the RBI's directives of late is heading in this direction.

[Chetan_Rao]

Some interesting points there, but don't answer my issue directly.

My ICICI Bank Credit card (chip & magstripe) DOES NOT ask for the 4-digit PIN for either transaction type (online or card-present/swipe at POS). Online transactions ask for VbV code, while POS transactions happen just by swiping/dipping the card into the terminal.

What am I missing?

[fiat_tarun]

Both my credit cards (HDFC & Citibank) do not ask for PIN. It's only the Debit cards that require it, as the RBI has mandated this.

[JohnyBoy]

Quote:

Originally Posted by binand

...
I am of the opinion that both these view points are wrong. One cannot attribute to the merchant the expertise and investment to detect counterfeit cards. The liability should always be on the issuing bank - they are the ones who ultimately sign-off on the transaction. I am hopeful that some of the RBI's directives of late is heading in this direction.

You are right. Bank is responsible, not the merchants. As long as the card swipes properly and get a 'Authorised' response for the transaction, the bank's job is done. Then it's up to the bank. (Except cases where customer denies he has done the transaction. In that case it is the responsibility of the merchant to provide proof - signed transaction slip).

Anyway, the banks will always try to blame the end customer when some fraud happens.

[binand]

Quote:

Originally Posted by Chetan_Rao

Some interesting points there, but don't answer my issue directly.

My ICICI Bank Credit card (chip & magstripe) DOES NOT ask for the 4-digit PIN for either transaction type (online or card-present/swipe at POS). Online transactions ask for VbV code, while POS transactions happen just by swiping/dipping the card into the terminal.

What am I missing?

- RBI had asked all banks to have the infrastructure in place for processing Chip-and-PIN transactions by 30/6/2013 (later extended till 30/11/2013).

- RBI had asked all banks to ensure all their cards currently in circulation are Chip-embedded cards by 30/11/2013.

- RBI has asked all banks to ensure all Card Present debit card transactions are Chip-and-PIN transactions starting 1/12/2013. Swiping is completely eliminated for debit cards.

- RBI has not said anything about when they plan to make Chip-and-PIN mandatory for credit cards for Card Present transactions.

- Some banks have anyway gone ahead and made Chip-and-PIN transactions the default. Many haven't, though they have all issued chip-embedded cards.

[Chetan_Rao]

Quote:

Originally Posted by binand

- Some banks have anyway gone ahead and made Chip-and-PIN transactions the default. Many haven't, though they have all issued chip-embedded cards.

Thanks!

Therein lies the crux of the issue.

Given the risk of fraudulent transactions, I'd think everyone would jump at more security options. Apparently not. They'd rather wait till it's made 'mandatory'.

[binand]

Quote:

Originally Posted by Chetan_Rao

Given the risk of fraudulent transactions, I'd think everyone would jump at more security options. Apparently not. They'd rather wait till it's made 'mandatory'.

Security is never evaluated in a vacuum - not at an individual level, not at the corporate or government level. It is almost always a trade-off between costs and benefits. I expect so far the costs were higher than the perceived benefits in the banks' calculations.

Once it is regulated/mandated, the cost of non-compliance gets added to the mix, and suddenly it becomes appealing to deploy it. :-)

[AbhishekB86]

HDFC is starting to annoy me with calls much before my due date of payment and this is happened for the first time in 3 years this month. I am getting an average of 5 calls daily. I've used HDFC CC for 3 years now and have never made any late payment. In fact most of times I ensure I pay the full due amount. However, there have been instances in 2011 where I purchased a lot of things but paid subsequently every month and have never defaulted/or made any late payments.

This is why it is starting to annoy me. I get 2 automated calls and 3 calls from representatives daily. I have deposited the payment today morning and even after communicating the same to the agent I am getting repeated calls.

I also have a StanChart credit card and traditionally I've used it as a secondary card but now am thinking if I should just pay for HDFC and stop using it as a primary credit card. I don't want to be called 5 times a day much before the last day of payment. Highly annoying. HDFC card expires in April and I don't think I would want to reissue another credit card from them.

Also from in the bank experiences, HDFC is slowly starting to behave worse than public sector banks. I am not at all I saying I need hospitality in a bank but a little bit of politeness doesn't kill anyone. StanChart on the other hand is a pleasure to deal with.

[phamilyman]

SCB are no less a bunch of idiots. They sent a replacement credit card (due to frequent intl travel) without telling me to my office. For reasons known to God, it wasnt delivered (no idiot called me or the office landline either!!) - then they blocked my existing card. Its now been almost three weeks into this madness and no end in sight - they have taken two weeks and have not yet dispatched the card again to my home address.

On top of it, there's blatant lying by the Customer care staff, every time I call, i'm told, you only requested the dispatch in the previous call only sir.

They are otherwise awesome but I am thoroughly disappointed with their current behavior.

[Akshay1234]

Quote:

Originally Posted by AbhishekB86

Also from in the bank experiences, HDFC is slowly starting to behave worse than public sector banks. I am not at all I saying I need hospitality in a bank but a little bit of politeness doesn't kill anyone. StanChart on the other hand is a pleasure to deal with.

I got an HDFC card this past week, and I am already irritated with them. They gave us a Regalia credit card, which is apparently one of their best. Now it does come with an add on, and I found out that when the add on card is used all the alerts come to the primary card holders mobile no. Its a small thing, but ridiculous. I have a Citibank Platinum card too, and on that there is an option to have separate alerts for each card, and not all card alerts going to the primary card holders number - which is actually good since the person using the card should get the alert and know how much was charged. Was thinking of making HDFC my primary card and keeping the Citibank as a secondary card, but doesn't seem like thats going to happen.

[shankar.balan]

Call centres and BPO's do more damage to brands that can be imagined. Un trained staff, poor information availability and flow, poor quality resources and labyrinthine processes cause more heartache to consumers than anything.

[noopster]

Quote:

Originally Posted by Chetan_Rao

My ICICI Bank Credit card (chip & magstripe) DOES NOT ask for the 4-digit PIN for either transaction type (online or card-present/swipe at POS). Online transactions ask for VbV code, while POS transactions happen just by swiping/dipping the card into the terminal.

What am I missing?

Chip cards by default do not ask for the PIN to authenticate. I have had my HDFC and Axis bank cards replaced with chip cards even before teh recent decision to PIN-enable them. Interestingly, the PIN authentication was not enabled on the existing chip card- both banks instead sent me a replacement chip credit card with a separate PIN.

I have tried the HDFC card several times and in almost all instances it asked for the PIN and accepted it for the transaction. Only in one instance did it approve without the PIN, which I found surprising.

[iamswift]

Quote:

Originally Posted by AbhishekB86

HDFC is starting to annoy me with calls much before my due date of payment and this is happened for the first time in 3 years this month. I am getting an average of 5 calls daily.

Banks are supposed to thrive on late payment of credit card bills; this is a surprising act

Today, I used my newly-issued, password-protected, chip-embedded Axis Bank Platinum Credit Card for two purchases. On both the occasions, the PoS terminals asked for the password. After entering the password, the payments were approved.