[9474] in cryptography@c2.net mail archive
Re: [FYI] Did Encryption Empower These Terrorists?
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Mon Sep 24 19:38:46 2001
From: "Steven M. Bellovin" <smb@research.att.com>
To: Bill Frantz <frantz@pwpconsult.com>
Cc: lynn.wheeler@firstdata.com, Ben Laurie <ben@algroup.co.uk>,
cryptography@wasabisystems.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 24 Sep 2001 18:31:13 -0400
Message-Id: <20010924223113.640F17BFD@berkshire.research.att.com>
In message <v03110706b7d555f61a45@[165.247.220.34]>, Bill Frantz writes:
>At 10:11 AM -0700 9/24/01, lynn.wheeler@firstdata.com wrote:
>>as mentioned in the various previous references ... what is at risk ...
>>effectively proportional to the aggregate of the account credit limits ...
>>for all accounts that happened to have been stored in any account master
>>file ... is significantly larger than any particular merchant may have
>>directly at risk because of a security breach. in the "security
>>proportional to risk" theory .... the entity that has the risk should have
>>control over the security measures, those security measures should be
>>proportional to what they have at risk, and the cost of those security
>>measures should also be proportional to the risk.
>
>It seems to me that because of the $50 liability limit under US law, most
>of the risk is carried by the credit card issuers. They are also in a
>position to require proper security by contract with the merchant.
>
Actually, I believe it's by the merchants. Internet transactions
generally count as "card not present" transactions, which means that
the merchants take the risk.
--Steve Bellovin, http://www.research.att.com/~smb
http://www.wilyhacker.com
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
