I was attacking the line of thought that goes, "credit card security is already marginal, therefore why should anyone try to improve it in cyberspace?" this is circular reasoning. "why should anyone try to make something more secure when it is already insecure?"
In my post I am looking at this from an economics point of view. Simply put: If there is unlimited liability to the credit card holder because Mallet is stealing card numbers from the telco switch, encrypted, plain text, it doesn't matter, there will be no users. If there are no users then there will be no transaction fees generated, no transaction fees, then it won't be deployed. Therefore, there is no reason to develop the code or even read the latest and greatest specs, and we are all wasting our time.
I don't believe legal liability is the issue. many businesses operate despite the fact that they have large liability for what they perform. the issue is balancing the cost they are guaranteed through their charges with the liability they face. you are incorrect in thinking that individual credit card users buy credit cards based on the liability to themselves, from my point of view. individuals, even if they are theoretically liable for large fraud costs, simply are not going to be able to be held accountable for them. you seem to be saying that if credit card companies one day guaranteed they would be responsible for all fraud charges, we would have cybercash *now*. but credit card companies already do largely have to absorb the costs of fraud. they are *already* liable. and again, I don't think you will find the market really cares about liability prior to using the service. the individual generally assumes they are not personally responsible for fraud in the card, and the companies generally have to adhere to this paradigm. what if tomorrow a new credit card company started up saying, "we are not responsible for fraud. all fraud is the responsibility of the customer?" they would be laughed off the planet. such a plan is not even feasible. the consumer will simply cancel the credit card if they perceive they are being charged for fraud, and not pay the company insisting they are not liable (despite whatever agreement they signed).
We must recognize that no matter what code we write, how secure it is, it won't be used until the banks that must clear the transactions agree to accept the risks of loss in return for their transaction fees.
but this has *always* been the case. how is it not the case now? *all* banks are liable for the security of their schemes. why do you think they are not? why do you think they care so much about security?
I haven't seen this from any of these consortiums and would like them, besides publishing their specs for the best system, to agree that this risk bearing is a necessary step for electronic commerce to become a reality.
why do you think that nobody does not already realize this? isn't it patently obvious to anyone who starts such a system?
I would like to see members of the MasterCard and Visa coalitions comment on this aspect of the systems that they are promulgating. The one who cracks this nut first without losing their shirt to Mallet will be the winner. The others that expect us to deploy systems based upon "if Mallet breaks the system, the cardholder and/or merchant pays" are wasting our time.
who is proposing that consumers or merchants pay if a system is broken? why do you think that this is the case? what is more likely is that these fraud costs will be hidden in transaction charges, just like they are with current credit cards. the individual consumers and merchants will then be given the "illusion" that they are not paying for fraud, but this cost is actually invisibly included in their "transaction tax". for the above reasons I don't at all understand why you insist that acceptance of liability is the problem delaying introduction of digital cash standards. but one distinction I do realize has to be made in all this is the difference between "fraud" and "breaking a system". the latter is a far more potentially serious problem with cryptographic security than the former. in fact cryptographic security attempts to deal with all fraud by making "breaking the system" impossible, and succeeds to the degree it accomplishes this.