ChatGPT is not capable of writing production quality code. Many (most) companies have internal policies against deploying any code written by an LLM. The point isn’t to slow devs down, but to mitigate risk. This is especially important in the customer/payments stack. This is not the right place to “save a couple hours”. Maybe if this was for some one-off offline analysis, sure.

The fact that it works is insufficient proof that it was the right thing to do. Building a habit of relying on LLM generated code is an inherently risky practice, and ChatGPT will literally warn you against trusting its outputs. Sure, it lets you growth hack your way through sort term problems, but in the long term I’m not convinced this is responsible decision making at the current levels of LLM technology.

Or maybe I’m just a Luddite, stuck in my old ways.

Genuinely curious: How much time would you say you saved prompting for and then carefully reviewing and testing those scripts for bugs, versus writing them yourself?

And for context what's the average line count we're talking about here? Tens of lines? Hundreds?

Glad to see you active here in the comments. Apologies if my comment comes off harshly, my intent is not to tear you down. I think there is a lot of gray space when it comes to using LLMs for generating code. Your usage here is certainly interesting, and I appreciate the additional context and discussion you’ve been providing.

100% agreed, this is how I always treat it and working on the problem from the article was not an exception from this rule. I share minimum input, and never trust the output blindly.

It gets 50-60% of work done, and a really good basis for me to work on it. Especially when working with one-off, end-to-end relatively short scripts.

I can empathize with the author. The first time you write some code collaboratively with GPT and it actually works, you feel a burning need to shout about it. Because it's one of those moments where something "clicks" and you suddenly feel like you've discovered fire. Once you figure out how to work with them, it makes you excited for the future and you can clearly see where LLMs will fit permanently into your toolbelt. They're far from perfect now, and sometimes the time savings is a wash - you get instant specialized expertise that can produce code like a senior engineer, but you need to goad and coax it like it's a high maintenance intern. But the thinking power expended is still somehow lower - it's a new way of working with technology and deferring some of the grueling parts to the machine. This becomes especially obvious when the code requirements depend on an esoteric API or conventions that you'd normally need to spend time researching and manually enumerating.

Author here. My intention was to show that you can use it to help you get going quickly for a very practical, one-off, and self-contained use cases. As I mentioned in other comments already, I did not trust it blindly and did not share any sensitive data with it. Definitely not an ad!

Appreciate the comment! Just a quick note that this is my LI profile: https://www.linkedin.com/in/pmierzejewski/

Author here. GPT only got minimal context it needed to run the prompt. No customer data, no IDs, definitely no API keys were passed as a prompt.

My guess is the difference lies in the fact that the EU limits credit card fees to something around 0.5% That means the CC companies can't offload the financial burden of this onto the vendors (and they in turn onto their customers), which leads to them having an actual incentive to improve security.

Did you ever try a chargeback? With EU banks, it’s a bureaucratic process in my experience, filling forms, dealing with humans, waiting for merchant response, proving contact with them etc. US banks seem to operate on a magic word “chargeback”: you utter it, the charge is reversed, done.

As is often the case, the answer to the European asked question of "Why don't you just _____" is not "We seemingly don't want it", it's "America has a population 66 times that of Denmark."

Systematic change is slow and difficult. FedNow (secure, instant payments directly between accounts) was released 12 days ago, after nearly a decade in preparation.

Pretending that Americans just "don't want" more secure payments is just ignorant, in my opinion, and really screams that the author should spend more time with folks of other cultures.

> With phone 2FA all that needs to happen is you have your phone and wallet stolen.

Are device passcode and app biometrics insufficient security measures in the event of device theft?

Wild idea: What if secure digital payment was a public service.

> The EU caps it at 0.3% maximum

That's completely untrue. Most European businesses pay much more than that.

Was it at least one of the hardened forks of Magento 1?!

UPI is a terrible thing.

0) makes every transaction a trivial SQL query away for the government.

1) everything needs an SMS code. Just as we are trying to get everyone off SMS 2FA

2) doesn’t work for non-Indian numbers or roaming devices

3) can’t get an Indian SIM without proof of address etc. No burners in India

4) regulation expressly forbids devic-local biometrics. This is why there is no Apple Pay in India.

5) Biometrics must be stored with the government. “Unique Identification Authority (UIDAI)” - https://studentbriefs.law.gwu.edu/ilpb/2022/03/22/regulating...

"Hassle free peace of mind" meaning you do not need to remember a 4 digit code (or clicking "yes" in a phone app), while you need to check your credit card transaction list regularly to reject fraudulent transactions?

I find the effort of remembering the 4 digit code/having the phone much smaller than the alternative ...

The last link the in the chain of payment processors pay for it.

Ya, for Mastercard we use their Ethoca network. They are much more expensive, like $25 per resolved charge but now our chargeback rate is near 0% for Visa / MC and get incredible rates on the front end from such clean processing. Plus we never have to worry about chargebacks threatening our merchant account again.

I was visiting Seattle (from Vancouver) a few years ago, and they didn't want me to use my chip card as a chip card because if they did then I couldn't tip. What the heck is that all about?

Also, we're still hearing stories about merchants in the US starting to accept Apple Pay, whereas it worked fine in almost every retailer in Canada the day it was available - even though it wasn't available in Canada for a long time, American visitors (or Canadians with American credit cards) could use Apple Pay on launch day at any retailer that supported tap-to-pay, which was easily most of them.

I've started to see more and more servers using a mobile POS with built in credit reader and receipt printer. They hand it to you for tip and signature and you don't have to hand your card to anyone.

Things have definitely changed here recently. At least in San Francisco, at-table terminals are now the norm in sit-down restaurants. Staff generally use the same device for order-taking and payment.

> serve Y% more customers where Y > X and thus end up with more profit in the long run.

That’s the micro/local view, and any rational company in the US will do something close to that. There is no local incentive to set the “fraud/friction” to anything other than their competitors.

On the macro level though, if the dial is moved for everyone (i.e. by regulation; the card schemes have tried to make this happen via incentives in the form of the liability shift, but it still wasn’t enough), there’s a chance for increased total efficiency.

The cool thing is that Europe is running this experiment currently – let’s see how it goes.

I recognise that for the likes of McDonalds, the friction probably isn’t a benefit.

With that said, I can’t remember the last time I saw a POS terminal that wasn’t contactless.

More often than not I’ll go out with nothing more than my phone knowing that regardless of where I end up, I’ll be able to pay.

Features like SCA protect consumers and businesses alike.

The number of banks in the US seems perfectly normal. Germany has ~1500 for 80 million inhabitants, the US has ~4800 for 300 million.

I mean the "real thing" is 3D Secure, which isn't exactly 2FA and card issuer dependent, but makes things a hell of a lot more of a PITA to execute for fraudsters.

Lack of initial (mobile app push notification based) verification for saving the card data is the issue, no?

It's not leading the way technically but for the end consumer it might be better. If I get charged unfairly my bank will tell me to go to the police. Americans can easily just refuse it.

I'm sorry but using strong authentication to make my payment is not a burden, it's a bloody feature.

Here's how much of a "burden" that is: you hold your ATM card next to the terminal. Done. Paid. Every once in a while (based on a configurable max per week) it will prompt for a PIN. Which you enter in 5 secs. That would be 1 in 10 payments.

Online payment: scan payment QR with phone, which takes me to my banking app. Authentication is FaceID, TouchID or PIN. Then you click "Yes". Done.

Both methods are highly secure, require no or minimal input and are extremely fast.

The EU have effectively implemented 2FA for credit card payments online.

I pointed out a handful of ways the US are lagging far behind in banking.

How can they possibly be leading the way?

They’re stuck with a horribly outdated system that harms small businesses and exposes users to significantly higher levels of fraud.

It’s bizarre that so many people accept credit card fraud as just the way things are.

On the other hand, the EU caps credit card fees at 0.5% by law while in the US merchants will pay 3 times that at a minimum.

I suspect that in the US CC processors are incentivized to increase their processing fees to cover the cost of fraud instead of building features to prevent it because they can and it's easier than building features. Businesses are incentivized to increase prices to cover the cost of fraud (and CC processing costs) since processors offer such poor tooling to prevent it.

In the US the burden of fraud prevention is squarely on the honest consumer's wallet.

It's more the case that US Consumers are indirectly funding crime by banks turning a blind eye to fraud.

Oh, please. You're grossly misinformed. If anything, US is lagging lightyears behind Europe in terms of fighting fraud and fighting card schemes, which are stripping everyone equally in US, banks and customers alike.

PSD2 directive intruduced a lot of novelties, which no one at the time had (and very few do, not even US). For instance, specific to this situation - remote payments above 30 eur must be SCA (strong customer authentication, similar to 2FA, but more elaborate) verified (small value exception from PSD2 RTS). Also, banks must have both real time and post-time transaction monitoring in place, i.e. they must have systems to detect and prevent such fraudulent attemtps. There literally tens if not hundreds of fraud fighting measures in PSD2, which all banks (both acquirer and issuer) must come mply with. I could go on and on (not the place and format).

Frankly, it's utterly unbelievable that this kind of thing could happen without anyone (either acquirer or issuer) intervenining. Not what could (should) happen here in Europe.

Please, name an example. Particularly, EU being behind LATAM. As an expert, I'm honestly interested.

Define "We".

With a UK card pretty much any transaction I do online requires me to Auth it in app.

I even found I had to do it recently for things like car hire, and those websites are generally just wrappers around local company searches (though higher sums overall).

What do you recommend as an alternative to stripe?

Radar is included for free in the base offering.

It makes sense to me that zip codes don't matter (or might be a weak signal), since some countries might not have postal codes, or might have a different postal code format. But I agree with you that it doesn't make sense to not check the CVV and expiration date; both are printed directly in the card, and should match exactly (unlike the card owner name, which is also printed in the card, but the user might type it differently, for instance typing in full their middle name when it's abbreviated in the card).

I don’t understand not checking CVV and Expiration Date at all…

But for the other info, they could be carding for prepaid cards which have no name, address, or ZIP code to verify against?

The author is wrong about this.

Banks don't choose to accept incorrect name, invalid CVC, invalid exp date or wrong billing address. It's up to the user (in this case him) to enable CVC Check and AVS in his payment processor to fail payments that don't pass this check. It's also up to him/Stripe to implement 3D secure and trigger it.

https://stripe.com/docs/disputes/prevention/verification#cvc...

Even more funny is that in USA, the actual amount charged to the card is mutable. Take for example when you go to a restaurant and give your card, it's charged, and then you write out with a pen a tip amount, which at some future point gets added on to your charge.

I’ve seen verified by visa triggered a few times for online purchases

I have seen it multiple times at BestBuy.com and HomeDepot.com, and probably others.

Not even banks, only vendors are responsible if they do not upgrade their POS systems since sometime in the late 2010s I think.

See EMV fraud liability shift.

https://www.mastercard.us/content/dam/mccom/en-us/documents/...

> As someone whose lived in multiple European countries since I was born, I also don't understand this comment. I don't know anyone who uses these smartcard readers at home. I don't think it's common at all.

Which EU countries? Bank card readers are super common in .nl (ING for sure) and .be (just about every single bank there) for example.

Nowadays banks often allow to use either that or, say, an app on your phone or a dedicated physical token. For example you can confirm transactions you make on your computer by unlocking an app and confirming with your fingerprint from your smartphone. But that's semi- recent. Before that kind of 2FA became a thing, it was all done with card readers.

Some countries still live in the past like, I shit you not, Societe Generale in France still has a "2FA" where it shows digits randomly on the screen and you have to click you PIN (some people still have an account like that): that is however quite pathetic and not the norm.

If I want to buy anything online using any one of my credit card, I must put it in a physical reader and reply correctly to a challenge/response.

These readers are different from the electronic ID card readers, which are also used in many EU countries (for example to fill my taxes online).

> The PSD2 directive was an utter pain to deal with, but at least it stopped a lot of common scams and thefts in its tracks

Inded. More specifically SCA (Strong Customer Authentication) which is required by PSD2. VISA says the "SYH" (Something You Have) is either "a mobile phone, a card reader or other device evidenced by a one-time passcode".

Note however that I cannot log nowadays to any of my bank in the EU without having a big banner saying something like (paraphrasing): "WARNING: scammers are trying to steal your funds. Neither the bank nor the police nor anyone else shall ask you your PIN or to confirm anything on your card reader."

Basically: life is harder for scammers so they try to trick (mostly old) people into validating transactions over the phone.

But you do use 2FA when paying with your credit card online. What kind of 2FA does the bank providing your credit card mandate you to use?

Why do you think this requires a government mandate? What evidence do you have of counter-lobbying as opposed to simple consumer and retailer preference?

I have never ever seen an online payment processor that was capable of using a card reader to perform a transaction from a webpage (on a non-specialized device). I don't think there is even any established standard for using a smartcard from a website. WebUSB/WebNFC may work (although browsers have blacklists of vendor IDs to disallow access to e.g. Yubikeys, so at least some smartcards may not be accessible this way), but that's all experimental and questionable stuff.

It might've been possible someone had something like that in ol' good '00s with ActiveX, but that must've been surely an exception (and a security nightmare).

No it's much simpler than that. You either confirm the transaction on your phone with pin or FaceID, without the card involved. Or if the amount is too high (50k+ at my bank) or you don't have your phone, you use a small device provided by the bank.

The device reads your card, asks for the pin and then spits out a 2FA code to enter on the website or app. The old ones only did this code thing (usually with SMS as a backup way to get the code, but most banks have moved away from sms now). Some more advanced ones have a digital signing capability by taking a photo from a QR-like code on the computer screen and then displaying the signing code for you to enter.

These advanced ones are a bit out of use now that everyone uses the mobile app, except for business accounts and larger amounts like my bank's 50k limit on mobile app confirmation. But I don't regularly transfer more than 50k in one transaction anyway.

Edit: Here is a picture of one that we use with a large Dutch bank for our business account with the QR-code reading thing: https://4.bp.blogspot.com/-6c1NGHew1P8/VBqvTeqDQdI/AAAAAAAAf...

They're less common in the UK now mobile apps have taken over, but in the early 2000s banks would issue a standalone device to every customer. When making payments via online banking you'd put your card in the device, hit a button, and give it a code that the online banking page provided. The device then did some magic via the chip on your card to provide a code that you'd give back to the online banking site to validate that you were in possession of your card.

Some banks may have used this for 3D Secure during online card payments as well, but I've never encountered one. Validation for that in my case evolved from setting a password on my account, which they'd ask for some characters from, to tokens sent via SMS to my registered phone number, to a push notification from my bank followed by FaceID to authorise payment.

In person Chip & PIN, and more recently contactless, is ubiquitous. Magstripe payments are so rare I have to explicitly enable them in my bank's app for the card, and it'll turn itself off again 7 days later. I never encountered chip & signature until going to the US, where everyone in the group I was with looked at it like some sort of joke (and indeed it is, because there's no signature recorded against my card for validation).

Not everyone and it's not necessarily connected to the PC. Some card readers are, some aren't.

And there are two things that are not to be confused: electronic ID card readers (used for stuff like VAT tax filings, income tax filings, etc.) and debit/credit card readers (which may or may not be connected to the PC) used as 2FA (with a challenge/response). The ones that aren't connected to the PC generate a number which you then enter to confirm you login/order.

Many banks in the EU enforce at least one type of 2FA. The shittiest, most pathetic ones, still do it by SMS (but it's still 2FA and still better than nothing). Others use a card reader (in which you literally plug your bank card, which signs orders / challenge/response style and never leak the card's secret). Other give a physical RSA-like token with codes changing every x second. Others allow the use of an app on a smartphone to confirm transactions.

When I log to at least one of my bank I've got a list asking me which type of 2FA I'll use to log in and confirm payments. Card readers (two different types) are on the list.

I use that to log in, confirm wire transfer and buy stocks too.

No. Until I read the comment above, I had no idea that that even was something people actually use to make payments from home.

Most people have an NFC reader at least built into their phone.

"hegemony" n. leadership or dominance, especially by one state or social group over others.

"Hedgemony" is a war game focused on connecting policy and strategy. https://www.usmcu.edu/Outreach/Marine-Corps-University-Press...

https://developers.cloudflare.com/waf/rate-limiting-rules/ maybe?