Hacker News

When you say "I have a better solution", then it's very easy to believe that you mean it to be taken in the context of the original essay. In this case, the essay's author is located in the US, talking about credit card payments in the US. HN is also based in the US, and I am a US citizen, so the larger context is also US based.

Since you didn't mean it that way, perhaps you could mention that you're switching contexts?

In any case, according to my limited understanding, the UK regulatory landscape changed with the Financial Services Authority (FSA) Payment Services Regulations 2009.

The relevant rule is at http://www.fca.org.uk/static/fca/documents/fsa-psd-approach-... :

> If the payment service provider can show that the payer has acted fraudulently, or has intentionally, or with gross negligence, not complied with their obligations regarding the security of the payment instrument, the payer will be liable for all losses. To avoid doubt, it is not sufficient for the payment service provider to assert that the customer ‘must have’ divulged the personalised security features of the payment instrument, and to effectively require the customer to prove that he did not. The burden of proof lies with the payment service provider and if a claim that a transaction is unauthorised is rejected, the rejection must be supported by sufficient evidence to prove that the customer is guilty of fraud, gross negligence or intentional breach and the reason for the rejection must be explained to the customer.

Has it changed since then? According to http://en.wikipedia.org/wiki/Chip_and_PIN it hasn't.


