[cillian64]

I don't understand this at all. I really, really don't want to give my credit card details to some random webshop who are exceedingly unlikely to have solid security. If I can use PayPal or another well known payment provider, great, I don't even have to type in my details. But even a less well known PSP is more likely to get it right than a small business webshop.

A slightly jarring user interface seems a small price to pay for a much lower chance of my payment details being compromised. Is this a minority view?

[phil21]

> Is this a minority view?

I don't know, maybe. I have zero liability on credit card purchases, and while it's certainly an inconvenience I never don't buy something because my details might be leaked. Who cares, why put yourself through the constant mental effort for an event that happens maybe once or twice a decade if you are exceedingly careless?

I absolutely despise being sent to a third party site - usually a broken one that takes forever to load, with some annoying "security" authentication, or OTP, etc. when really all I wanted was amazon one click and to move on with my life.

By far the #1 way a small merchant can get me to click the buy button is make it easy for me to checkout and pay. If I have to sign up for an account, be redirected around the world, etc. I generally tend to lose interest and just go back to newegg/amazon. Note that this sometimes is a third party payment link such as Paypal due to the nature of the service - but you have to think about user experience first, not last.

Also your requirement makes absolutely no sense to me. If a merchant is compromised to the point that javascript can be injected, it's not much more difficult at all to direct you to a fake paypal skimmer that you likely won't notice. I agree it raises the bar a bit, but not by an appreciable degree.

[mrb]

"I have zero liability on credit card purchases"

Not quite right. Many banks make you liable for the first $50, for each occurrence of fraud. Also they typically require you to notice and report a fraudulent charge within 30-90 days or else you are liable for 100% of the amount.

[shoegumfoot]

In theory, maybe. But phil21 is correct that credit card users have zero liability in practice.

Most card issuers these days will proactively contact the customer to inquire about suspicious charges.

[eli]

Nope, if your credit card number is stolen and used online for a card-not-present transaction you have $0 liability by law.

[jghn]

The person said they have no liability, how is saying that many banks don't refuting what they said?

[_delirium]

More specifically: U.S. law puts a $50 cap on consumer liability, but many credit cards voluntarily lower it to $0. The $50 is a ceiling, not a floor.

[4ad]

I am not liable for credit card fraud. The last thing in the world I want is inconvenience for me, when it's other people's money at risk (bank, merchant, CC company, whoever), not mine.

On the other hand, Paypal itself is a liability. Blocking your account (and your money!) for months without recourse, randomly reducing expense limits to nothing (50 EUR) are not just some Internet stories, but things that have happened to me personally multiple times.

When my card was stolen (debit card even!), I didn't lose a dime, nor time. Bank just sent me a new card the same day. I didn't even have to report the fraud, they detected it themselves, as they are really good at that. They just called me to tell me about it, and that they sent me a new card.

[jliptzin]

As a merchant, I am the one responsible. When a stolen credit card gets used on my site, I am the one that has to pay for that (assuming Stripe does not block it through fraud prevention). Which is fine, because my fraud rate is very low. But it's an odd situation because in effect I am being penalized for someone else's lax security. Sure I could try to come up with my own fraud prevention algorithm but I highly doubt that as a small vendor I could beat Stripe in that department. So it doesn't matter how well I'm protecting my customer's card data, the fact is if someone's info is stolen from some other site or an atm skimmer or somewhere else, and then the perpetrator buys product from my site, I have to pay for that carelessness.

Personally I think the banks should be paying for the bulk of this fraud out of the 2-3% transaction fees, not merchants who may not have anything to do with the problem. This way, there's strong incentive to actually issue secure cards and improve security. Right now, it's no skin off their backs, so nothing is improving.

[ryanlol]

>Sure I could try to come up with my own fraud prevention algorithm but I highly doubt that as a small vendor I could beat Stripe in that department.

You're seriously overestimating the fraud protection Stripe does.

[jjnoakes]

You aren't liable for credit card fraud, but that money comes from somewhere. Today it is a small percentage charged to the vendor; do they pass it on?

And tomorrow, when the problem gets worse and the fees start to climb, will you still not care?

Why be content with a system that may indirectly charge you for other people's lack of security?

Why not look for ways to focus the cost on the vendors who lack security?

[ek750]

Yes, you're right, they pass it on. But as costs start to get noticible to the involved parties (direct and indirect), hopefully that would prod the ones that don't care now, to start.

[MrTonyD]

Some years ago I had a Bank of America credit card. My new card never arrived in the mail, and I discovered 3,000 in charges. When I reported it, Bank of America insisted that they had mailed me the card and that I was responsible for its use. I appealed, and they still insisted that I pay the bill. I don't know their logic - was it just some employees trying to increase profit - like Wells Fargo today? And what choice did I have? Hire a lawyer for $400/hour? Lose hours of work time fighting them? Allow my credit to be wrecked? So I paid them and got a different credit card. (They even fined me and charged me interest for the months I was contesting the charges.)

In the end, they hold an unfair power over those who they can extort. I wish we had much better consumer laws - to actually protect us.

[4ad]

> I wish we had much better consumer laws

We have excellent consumers laws in this particular regard. If only consumers fought for their rights instead of paying the mafia!

> Hire a lawyer for $400/hour?

You don't need a lawyer for small claims court.

[nommm-nommm]

Now (post 2009) you can make a complaint to CFCB who I hear is really helpful and pro consumer but I don't have first-hand experience with them.

They are who fined Wells Fargo.

[hoorayimhelping]

>Is this a minority view?

Most likely. The fact that you understand what is happening when your store webage you're on goes white the words in the www bar change and then you're on a different site and it's asking for credit card info kind of illustrates this point.

Could you imagine trying to buy eggs at the supermarket then when it comes time to swipe your credit card, being asked to leave all your eggs at the register, go over to a different store with your credit card, swipe your card there, sign the paper, then go back to the original store and pick up your eggs? I imagine that's how a lot of people visualize going to a PSP site to enter credit card info.

[X86BSD]

Doesn't Apple Pay make this a non issue?

Especially now that it can be deployed on websites?

[4ad]

Apple Pay online is great for convenience and security, from a practical point of view, but on a more abstract point of view I think something is deeply flawed about the payment industry if the solution is to add yet another middle man.

I want a world where payment is convenient, security is excellent, and there's no mandatory mafia of middle man between my electronic money and the merchant. It's fine that people chose to use banks voluntary, banks provide many services people want. But it should not be mandatory to use banks, if you chose to do so, and most certainly it should not be necessary to implicate yet another 3rd party to the transaction (VISA/Mastercard). And now we are adding a 4th party!

Whether to use a 3rd, 4th, 5th party should be users' choice. Some people value security, others privacy, others convenience; some people want 2FA for every transaction, some people hate PINs and want just to swipe a card, etc. All this should be client side; user's side. Open payment protocol with multiple implementations. Merchant just uses the protocol. If some new payment revolution is coming, merchant should just update his software.

We have technical solutions to do all this, but most people do not understand that this is possible, what the existing system entails; and the people in charge of this don't want to lose the power.

[tl]

Like so many other areas, it's really a shame that the industry can't co-operate here. Apple Pay works fine at the one location near me that supports it, but it's a headache for the merchant (I might be the only person who uses that payment system) and the consumer (lack of support elsewhere).

The equation for websites is similar given Mac users are a minority, and many Mac users use Chrome.