[thelist] Re: Shopping Sites, Credit Cards

Keith cache at dowebscentral.com
Sat Jun 29 02:29:01 CDT 2002

<quote> Carol
send Paypal with their link-click. I love PayPal because I refuse to
use any credit card, and they allow weird folks like me to link to a
bank account instead of a credit card.

I too love using PayPal when I'm purchasing, because I too use funds from
my bank account instead of from my credit card.

But, if you DO use a credit card, there is very important reason to use
PayPal, a reason that few consumers are aware of. When paying with PayPal
the "merchant site" NEVER gets to see the buyer's credit card info. Most
online credit card theft happens when someone associated with the website
(webmaster, host, employee, etc) steals the credit card info.  If you are a
a PayPal merchant you do not have a "merchant account" and it would be
illegal for PayPal to let you see that info.

In fact, this kind of internal "employee" theft accounts for more than half
of all credit card theft, offline and online. This kind of theft is
epidemic in mail/order-telephone/order businesses and becoming more
widespread on websales. The customer has no way of knowing how many people
in your web business may have "legitimate" access to that data in your
accounting and fulfillment functions, let alone "legitimate" access to it
while it is safely parked on the server or more safely in the company
customer service database. And any one of those people could be selling
that info in your company's parking lot or down at the cyber-cafe.

This internal company access control is the most overlooked part of "web
sales security" discussions. And yet, this is where most of the theft
actually takes place. If you store the credit card data, at all (on the
server or elsewhere), you need to have a secure access control, complete
with audit trails for each time the data is accessed. Even if you do pass
the credit card info through to a third party processor you can still be
open to internal theft. As the holder of a merchant account you will have
access to that cardholder info even if you did not process the actual
authorization. Just beware who has access to that info all the time that it
is in your possession, and be prepared to prove it.

But back to PayPal. This is something that really irks me about Peter
Thiel's sophomoric concept of his company. He thinks that the anonymous
nature of a PayPal transaction is valuable because it allows people in
countries with weak economies to move money into strong economy countries.
And yes, some countries indeed outlaw PayPal exactly on that basis. But,
this Mickey Mouse money laundering is insignificant. What's important is
that the buyer knows that joedink.com will NEVER get to see the credit card
number, and joedink can say, "Hey, it didn't get stolen here, I never got
to see it". PayPal should be making a big deal out of this anonymous
feature and they are instead hung up on playing 2 bit global politics.
Peter should take a look at the VISA S.E.T. protocols and the foundation
behind MS Passport. The fundamental idea behind both (from the banking
industry point of view) is that the "merchant" will not possess the card
number, eliminating the opportunity for internal theft.

Sorry Carol, I'm not sure I buy that one until they obtain a banking

PayPal does not have a "bank charter" because they do not engage in any
banking activity. They do not qualify for a charter any more than evolt
would qualify for a charter. Look at what it takes to qualify as a bank or
a saving and loan in California where PayPal is located, people deposit
money on the promise of interest and people borrow that same money with a
promise to pay interest. Evolt doesn't do anything like that and neither
does PayPal. There is not a single activity that PayPal engages in that
qualifies as a "banking" activity.

But that does not mean that PayPal is outside of the banking industry's
oversight. They haven't crawled up some pole and tapped into somebody's
telephone line to process $80 million in transactions per day.  In order to
process all those credit card transactions PayPal has a "merchant account"
through an acquiring bank. And just like any other "merchant account", the
acquiring bank represents the cardholder's interest and would shut PayPal
down in a heart-beat if the cardholder's interest is not protected. PayPal
doesn't qualify as a bank, they qualify as a "merchant", and answer to
their acquiring bank just like anyone else with a merchant account.

cache at dowebscentral.com

More information about the thelist mailing list