[665] in WWW Security List Archive


Re: Credit Card Security

daemon@ATHENA.MIT.EDU (Nathaniel Borenstein)
Wed May 3 14:21:28 1995

Date: Wed,  3 May 1995 10:20:26 -0400 (EDT)
From: Nathaniel Borenstein <nsb@nsb.fv.com>
To: Paul Rarey <Paul.Rarey@Systems.DHL.COM>, briansp@umich.edu
Cc: www-security@ns1.rutgers.edu
In-Reply-To: <14749.799495832.38@nsb.fv.com>
Errors-To: owner-www-security@ns2.rutgers.edu

Excerpts from mail: 3-May-95 Re: Credit Card Security briansp@umich.edu (3985*)

>   This is fine if your transactions are of a reasonably large amount (say 
> over $30.00), and you've priced with the above in mind.  If the 
> transactions are in the "pittance" range, however, this becomes 
> unworkable.  It's too expensive.

Actually, there are more possibilities here than meet the eye.  First of
all, please note that the $1 fee applies only when your account is paid
out, which happens currently at most once per week.  The payout costs
you a flat $1, whether you've had one sale or a million sales.  So this
fee is vanishingly small for sellers of any significant size.  The real
fees of interest to serious sellers are the 29 cents plus 2%.

This does indeed appear to put a floor on the transaction size -- a
theoretical floor of 31 cents, in which FV keeps 30 cents, and a
pragmatic floor considerably higher (~50 cents, say).   And, in
practice, people selling things with FV today have a range of
approximately 50 cents to $600.00 (at least, those are the extremes I've
seen, but I don't monitor all the traffic).  The "typical" transaction
seems to be in the $10 range, although there are a lot in the whole $1
to $25 range.  And I know there are people who are already earning
significant sums of money via FV on both ends of this latter range, at
least.

HOWEVER, the lower end of this range is not as firm as you might think. 
The FV terms and conditions explicitly PERMIT sellers to accumulate
small transactions into larger ones.  Thus if you want to sell web pages
at a penny apiece, that's fine, but you just have to accumulate them
until you have enough of them on one FV account to make it worth
billing.  This is actually a very plausible model for lots of types of
businesses.  If someone only buys 2 or 3 penny items, you never bill
them, but that's a classic "free sample" situation anyway.  And if you
think about it, given FV's email confirmation model, would you really
want your customers to have to answer "yes" to an email message for
every one-penny sale?

We're actually considering several services of our own that would use
this mechanism to sell very low-cost items in quantity using FV.

>   So, First Virtual comes along and says "Hah, we'll put ourselves in the 
> position to theoretically mediate ALL transactions!"  But they're 
> expensive, and someone may come along and do it cheaper.  So I establish 
> a First Virtual account, and then a Second Virtual account (the 
> competitor who has just set up shop on the other side of the router), and 
> I've even got an account with the VCU (Virtual Credit Union).  Pretty 
> soon I've got a dozen username/password pairs to manage again, and I'm 
> back in the same situation I was before, except that I've spent $20.00 on 
> setting up accounts with each of the transaction mediators.

Well, first of all, I think you won't see too many Second Virtuals, if
only because when you sit down and analyze the cost structure of
providing our services using credit cards, etc., you'll find our prices
are actually very low.  I seriously doubt anyone will beat us on price
in the near future.  We priced it so that it makes money only in
extremely large volumes (although, by the way, the volumes are growing
quite spectacularly, even faster than we'd hoped).

>   Seems to me that a Digital Certificate model is the only really 
> acceptable solution.  [........]  Am I in the right ballpark with this?

I think you may be in the right ballpark in the long term, but there are
still an awful lot of "gotchas" in the digital certificate area.  My
take on it is that standards are progressing far more slowly than the
vendors involved would like you to believe (and yes, I'm active in the
standards efforts & am basing this on firsthand observation) and that
the legal situation is actually heading BACKWARDS -- witness the latest
spate of anti-cryptography rhetoric from politicians in the wake of the
Oklahoma bombing.  If there were a standard infrastructure for digital
certificates, FV would very likely find some nice uses for it, but we're
not inclined to hold our breath or base any short-term plans on it. --
Nathaniel
--------
Nathaniel S. Borenstein <nsb@fv.com>
Chief Scientist, First Virtual Holdings Incorporated
Phone: +1 201 540-8967  (fax 993-3032)
FREQUENTLY ASKED QUESTIONS (& PGP key):  nsb+faq@nsb.fv.com

-----VIRTUAL YELLOW RIBBON----zldf@clark.net----VIRTUAL YELLOW RIBBON----

> When privacy is outlawed, only   Support the Zimmerman Legal Defense! <
> outlaws will have privacy!       http://www.netresponse.com/zldf      <

-----VIRTUAL YELLOW RIBBON----zldf@clark.net----VIRTUAL YELLOW RIBBON----
