Otdfbt

I was given by a seller an option to come to their office and swipe my credit/debit card there in their payment terminal.

Because it's a long way to get to their office, I asked the seller if he could just take my credit card details (number, expiration date, etc) over the phone and run the transaction by himself. He refused doing so.

I did not ask him why because he is a grumpy man.

What may be the reasons for this refusal, other than being mean?

If he has this payment terminal machine, does it not guarantee that he can run the transaction simply by having my credit card details?

Is it possible that running the transaction simply by using my card details, may cost the seller more than by me just swiping my card?

I see three possible reasons:

1. He doesn't have a secure way (or any way) to manually enter card details. Most payment terminals have a keypad and can support manual entry (or PINs), but everything else in the ecosystem has to as well. If he doesn't have a way (or doesn't know how) to get the terminal to prompt for manual entry, then that's not an option.


2. 
   PCI-DSS. It's possible that his PCI scope (how much liability he has) is based on never actually having the card number himself. Giving it to him over the phone would violate that. PCI violations could lead to the major card brands saying "You're not allowed to take credit cards any more", which would be fatal to most businesses these days. Violations would also leave him liable for any fraud that can be traced back to his store.


3. 
   Interchange rates. He almost certainly pays more for a manually entered card than a swiped one, because the latter is more secure. If he has a way for you to insert your chip, that's even better, as well as making him not liable for fraud if your card was stolen (since the card brands would eat it). So by making you travel out there to physically present your card, he's saving himself money.

To put #3 another way: By making you show up in person, he makes it less likely you're using a stolen card number (because you'll have a physical card) and easier for him to prove that you did actually authorize the payment (because you'll sign a receipt and/or be caught on a security camera). That makes it less likely that it's a fraudulent transaction, which is why it gets a lower interchange rate.

Using the physical card or not are two different scenarios, namely "Card Present" and "Card Not Present" (also known as MOTO as in Mail Order / Telephone Order). They may involve different contracts, different rates, different risks, and different equipment.

Some contracts will simply not allow Card Not Present transactions. You need to actually use the card in the terminal, either by swiping it, or by using the chip (and ideally pin). This adds an additional layer of verification (mostly if you use chip & pin, but even the magnetic stripe has info that is not available by reading the card), and the network and card issuer know if the card was actually used or not.

Likewise, some terminals will not enable you to do a card not present transaction. Even if it has a keypad, it may simply not have any feature allowing the manual entry of a card.

Since the merchant does not see the card, and none of the security features available with a payment terminal can be used, there is also an additional risk. This may involve higher fees for the merchant and/or a higher risk of a chargeback. Usually the risk lies with the bank if the transaction used one of the secure modes (chip + pin, or 3D secure when used online), while the risk lies with the merchant in other cases.

So, as a summary:

• he may just not be able to (contract or terminal won't allow it)


• it may cost him more (higher fees)


• it may involve a higher risk

Or he may just be grumpy :-)

The reason I would consider most likely is "liability shift".

When a card transaction is flagged as fraudulent, the issuer will check whether the merchant who accepted the payment met agreed standards of:

• Security: is the payment system properly isolated, access to card details strictly controlled, etc


• Authentication: did the customer provide evidence that they were the card holder

If these standards are not met, then the merchant is charged for the flagged transaction; something they obviously want to avoid.

If you walked into the office, they could:

• Demonstrate security by using a dedicated hardware device, and never see your card number


• Authenticate you using chip-and-PIN, or checking a signature (in places where that's still accepted)

If you were buying something online, the equivalent would be:

• Isolating the page where you enter your card details from the rest of the system, and never logging the details entered


• Authenticating you by asking you to complete a 3-D Secure challenge (Verified by Visa / MasterCard SecureCode, or the newer Visa Secure / MasterCard IdentityCheck)

If you give details over the phone, some security can be demonstrated, but there is a risk of the operator memorising your details, and there is currently no good system for authentication. So such "MOTO" payments generally shift liability to the merchant.

Assuming his terminal is even set up for manual entry, I'm going to guess it's one of two things, it's a lot more work that he doesn't want to do, or he's worried you'll claim fraud later and then he's out item and price.

• They pay higher merchant fees for card-not-present transactions. This is often the case for shops that sell high-price-tag items; they don't care about per-transaction fees, but haggle hard to get the best percentage fee. Those best rates come with strings attached.


• There may be a high level of scams run on these items. They fear (reasonably or otherwise) that this "voice on the telephone" who they've never met is keeping a distance for a reason.


• 
  They are liable for fraudulent transactions done with "chip cards" that aren't processed via chip. This "liability shift" is new, and was done to motivate merchants to roll out chip machines. This is just plain self-preservation on the merchant's part; in a high priced merchandise business, one fraudulent transaction can ruin your whole month.


• They are not equipped to securely handle your data via computer. Their systems would need to meet a "gold standard" of computer security called "PCI-DSS" which applies to every computer on every network capable of reaching that network.* This is a huge burden for a family sized business; it's simply impractical for them to comply.

Also, do not assume the ability to do perfect compliance with good policies. Having worked a high-value-item retail store, I can tell you that very often, the best you can do is honest and good salesmen who care about the customer and respect your business. If they loved technical stuff, they wouldn't be working here. They just can't/won't comply with the subtle details that are needed, and given the complexity you can hardly blame them. It is simpler to disallow the activity altogether, and set a good example by the owners not doing it either.

* The exception is things like the "swiper" machine or a "PayPal Here" swiperfob that use "Point to point encryption" aka a secure VPN tunnel, straight from the swiper to the bank's servers.