Eric Hughes says:
Transmitting card numbers electronically over the Internet can only exacerbate that problem.
Yes, if transmitted in the clear, PGP is legal now :-). Vendors on the net need to be pushed to use encryption.
I'm not referring to the problem of sniffing credit card numbers off the net. I'm referring to the problem of credit card fraud by the operation on the receiving end. Even if the transmission is encrypted, there's still risk.
Eric is, of course, pointing out the fact that credit cards qua credit cards are inefficient. (By the way, the transmitting end is also a source of risk -- fraudulent possession of the card number is possible.) In general, you can't make credit cards secure by encrypting the transmission of the numbers because the credit card mechanism has inherent flaws irrespective of interception. The only information needed to use the card is the card number. Given the card number, there is no restriction on how much of an account I may draw. Stealing the (short) number, which must be communicated to use the card, is the equivalent of stealing the account. The merchant has no restrictions on how much he can draw other than the fact that he'll be caught if he draws more than he says he will. Fraud is naturally rampant, since it is childsplay to commit fraud. It is a major cost of the system. In even a primitive public key based system, there is no need to take anyones word for anything, and no need to reveal the "key" to the account in order to use it. Perry