EMV and Chip cards
squareup.comThis is a great move to help reduce fraud for their US merchants, but even more important is it expands their potential market. Adding a chip reader opens up the rest of the world.
However, I'm still not sure how they will handle the PIN part of Chip and PIN, as the usual requirement is that the PIN is entered on a dedicated Pin Entry Device which then only presents the unlocked smart card to the merchant register.
Yeah, this device would actually be useless in other parts of the world. e.g. in Australia you can no longer sign for credit card/eftpos transactions.
PayPal Here solution to this was to have a seperate Bluetooth card reader and pin pad http://techcrunch.com/2013/02/21/paypal-here-is-coming-to-th...
I think this only handles chip and signature cards, which is pretty useless.
Does anyone know if people can use chip and pin cards but only sign for them?
Depends on the card, which therefore depends on the risk profile that the issuing bank is willing to undertake.
There's a list of acceptable verification methods in the card, and a list of methods the device is can perform is contained in the terminal software. The intersection of these is what's usually performed.
(background - I wrote my first EMV processing kernel in 2001 and am currently working on a bluetooth-enabled card-reader and PIN entry device that looks like it will directly compete with the square device)
If the card supports it. Simplified: the card/chip has a list of "cardholder verification methods" ordered by preference If the terminal/reader supports one of these methods, the card/chip will use it.
Some cards are pin only - notably most of Maestro, Visa Electron and V-PAY cards.
A lot, a majority?, of chipcards issued in the U.S. prefers signatures - I'm uncertain what the percentage is for which doesn't support pin at all.
What's really frustrating is the preference for signature. It makes almost all US chip cards useless outside of the US and Canada because, for whatever reason, standalone terminals and even some online POS pads will trip over the "signature preferred" bit. It also means that cards like you list are not usable at a signature-only terminal, even one like SquareUp that can do online, live verification.
Why can't the US financial system just _follow_ the rest of the world for once?
I haven't run into the "signature preferred" problem yet with automated PoS terminals. Where did you run into this issue? I had no problem buying train tickets with my US-bank-issued EMV card at AMS airport using my PIN.
If I may ask, which bank issued yours? My (former) JPMC card didn't work at any unattended terminals like Luas stops in Dublin. When I went to some stores and used the PIN pad, the terminal spit out a paper for me to sign. I'm looking for a card that is confirmed to work as a PIN-primary card. So far, only the State Department FCU seems to have one.
Mine is a Barclaycard Arrival+ (http://www.barclaycardarrival.com/). It is not a PIN-primary card, but it absolutely works in PIN mode at automated PoS systems.
PenFed (https://www.penfed.org/visasignaturepoints/) also offers a true chip-and-PIN EMV card in the US (again, signature priority, but I've verified the PIN works at PoS).
I don't think your JPMC card has a PIN assigned to the chip. Its PIN can only be used at an ATM to get a cash advance.
Barclays is a British bank fwiw. They're likely to have all the infrastructure in place.
When EMV was first introduced in the UK (10 years ago...) you could opt to sign instead of entering a PIN number. If you try and do that now in most cases the transaction is declined by the bank. This can cause issues when travelling abroad to countries that aren't use to or don't have the hardware for EMV.
There was also a key liability shift, in that the bank would not accept liability for fraudulent transactions which had been signed for, if chip and pin was available.
No surprise, then, that chip and PIN pretty much became the default, purely because no retailer wanted to take the risk.
Actually as of tomorrow in Australia, you won't be able to sign if you have a card that uses a chip.
http://www.smh.com.au/digital-life/digital-life-news/pins-to...
You can implement the pin-pad via the square app. doesn't need to be implemented in hardware.
Not if you want approval from the payment card industry you can't.
They'll want proof that no other app can access the screen, that screen presses can't be recorded and lots of other stuff.
I'm going through this with a hardware pinpad at the moment, the list of requirements is very long and quite stringent.
--edit-- I'm not saying this is impossible, but I find it very unlikely. All the other EMV devices I know of that are designed for use with iOS and Android devices have built-in hardware pinpads because it's just easier... the PCI is very precious about PIN data. For good reason.
As a british immigrant to North America, I couldn't believe how far behind in this regard the States and Canada were. Canada has since caught up, but the US is only now getting there.
Anecdotal story: the only time my credit card has been defrauded is after a 3 day stay in the USA
I have read that after the EMV system was introduced in the UK the fraud rate actually went up. http://cacm.acm.org/magazines/2014/6/175170-emv/fulltext
> Log in to Read the Full Article
Care to explain how and why the fraud rate went up?
Chip and PIN cards are widely deployed here in Spain, and all cases of fraud around me involved drunk people not covering the keypad when entering their PIN. In ATMs there's a nice animation of a hand covering the number pad, but not on POS (LCD displays just say "Enter your PIN"), and many people are careless or forget to do so.
I used to hear more cases of CC fraud back when magnetic strips were used, but I might just be biased.
It's worth noting that because you add this chip, it doesn't necessarily mean you remove the magnetic stripe.
My VISA (issued by a Danish bank), has both a chip and the magnetic stripe.
Hopefully the data on that stripe becomes a lot less useful though, as part of the data is saying "I have a chip!" and the merchant is under financial pressure not to accept stripe transactions after switchover due to the liability shift.
That’s pretty much just so the card is usable in the US if you travel there though.
And also when the card reader in the store here in Denmark says "Use the magnetic stripe!" for some reason.
If I know your PIN I still need to have your card with the chip on it to commit fraud. How does that part work?
It's out of my area of expertise, but you should probably find information searching for "chip skimming" and the like.
Also, as your sibling points out, most chip and PIN cards still feature a magstripe to downgrade if necessary.
I think fraud rate didn't go up at all, but EMV (Chip and PIN) had a fraud reducing effect. Of course other factors changed. You'll find references at http://www.theukcardsassociation.org.uk/plastic_fraud_figure... and old news at http://news.bbc.co.uk/2/hi/business/4779314.stm neither of which require Log in to Read the Full Article.
I wonder what their plans are for NFC / PayPass / PayWave? Are there technological barriers to it? Could a NFC enabled Smartphone act as a payment terminal?
It's only on rare occasions now that I have to even put in a pin (in Australia), NFC style payment terminals are pretty much ubiquitous.
NFC payments in 80-90% of stores, many parking machines, >50% of vending machines.
I'm not an expert on this area but I believe NFC smartphones can't currently act as payment terminals because PCI rules mandate that such things should be self-contained single-purpose devices with their own PIN pad.
However, the game could change completely with the move to tokenization.
That's really cool that contactless is so ubiquitous in Oz. As a nation you guys are very much ahead of the game on the whole contactless/NFC thing.
I believe NFC smartphones can't currently act as payment terminals because PCI rules mandate that such things should be self-contained single-purpose devices with their own PIN pad.
The NFC cards, SIMs, keyfobs etc. don't necessarily require a PIN here in Poland; you're good for ~$15 USD (50 PLN).
If you need to pay more than that, you then have to enter your PIN as you suggest.
Limits the use cases to corner-shop-equivalent purchases, still quite a large market!
In Canada, some merchants are now accepting NFC payments without PIN for up to CAD200 (USD180). When they first arrived, limits were typically more like $25.
>> Could a NFC enabled Smartphone act as a payment terminal?
I don't know if there's a technical reason why not, but the security requirements for these devices are fairly stringent and getting a piece of software, running on a relatively open system with other apps from unknown sources all over it, well the certification folks would probably take a hell of a lot of convincing.
Not saying it can;t be done, but I don't think I'd like to be on that project.
Indeed, essentially this is a step behind the curve. While adoption isn't fast - the Netherlands is deploying both new cards to customers and new POS terminals with NFC built in.
A couple of data points:
American Express sent me a new card—unprovoked—about two months ago that is chipped. As mentioned elsewhere, it is a chip and signature card (as opposed to a chip and pin). I'm nothing particularly special as a credit card user so, if I received a card, seems the roll out has already well underway.
Another point is, as mentioned elsewhere, PayPal already offers a chip and pin compatible bluetooth device in a few countries marketed as part of their PayPal Here brand[0].
[0] - https://www.paypal.com/uk/webapps/mpp/how-to-use-paypal-here
IIRC the bank->merchant liability shift for the US is scheduled for sometime next year. The banks can't very well shift the liability if they haven't given their customers the new cards!
It looks like they're not able to power strictly off the audio jack anymore with this tech. The product brief indicates that it uses a MicroUSB charging connector. I wonder how many transactions a single charge can handle.
I'll be impressed if they've somehow managed all the data flows over the audio jack, personally... some sort of built-in modem?
Seems they want to sell the EMV card readers instead of providing them for free.
Honest question: does Square save money if credit card fraud decreases? It would make most sense that the parties who lose money when fraud occurs would offer these devices for free, or subsidize them, and I'm unsure of whether Square is one of these parties.
That's what they currently do with the magstripe readers. You then get a credit for the amount of the reader (limit 1 per account I believe). That makes it easier to avoid losing a ton of money when someone figures out another use for them.
Even today the language is to "order" a card reader, but there's no charge. So don't read into the phrase "pre-order" here. They used the same language when they started.
Can't imagine not using these ... the only problem is the cards are weaker and the chip starts to come out.
(Only if you don't use a wallet)...
And still no NFC.
If NFC ever takes off as a must-have in the payments world, I'm sure Square would try to use the NFC in phones through their app.
But given that they've already tried a "Just use the app, forget your wallet" approach that didn't take off like they wanted, I'm guessing they're not ready to try anything outside of mainstream payment cards.
NFC (specifically PayPass, PayWave & Interac Flash) is becoming fairly ubiquitous in Canada.
How is your experience with the reliability? I was recently up in Edmonton and anecdotally it seemed like people had serious issues with the NFC payment methods. Several times I saw people attempt to pay via NFC, try 5 times, then eventually pay via insertion+PIN. Looked profoundly frustrating.
In Australia, I would say about at least 75% of all in-person payments I make are with PayPass/PayWave. That other 25% is cash and the odd place that hasnt updated their terminals yet. Some banks will even give you like a 5% cash back if you use contactless.
It's very reliable and is the defacto method of payment in places like pubs. Often I'll hand my card over and they'll ask 'Can I just PayWave that?'
> How is your experience with the reliability? I was recently up in Edmonton and anecdotally it seemed like people had serious issues with the NFC payment methods. Several times I saw people attempt to pay via NFC, try 5 times, then eventually pay via insertion+PIN. Looked profoundly frustrating.
Here (Austria) that's mostly because some people have cards without PayPass and they are not aware that they need new cards for it. I never had problems with it and always use it (even for transactions > 25 EUR) in which case it prompts for the PIN. It's super convenient and much faster.
I regularly use it to pay for take-out lunches here in London, has always been pretty reliable.
I use it all the time here in the UK but if you bend/snap the card at all, it totally breaks and doesn't work at all. Even though the stripe and chip works.
Probably not a big problem but I have a tendency to sit on my card every so often.
That does happen occasionally, but I find it's fairly rare, at least for me.
After reading the wikipedia article on this, these cards seems to be full of fallback mechanisms that make them virtually useless for more advanced protection but in only a few constrained situations, and it's biggest benefit is that it allows MasterCard and the others to shift liability of fraud from the Bank to the merchant and the customer.
Nope.
It allows the shift in liability to the merchant if they don't perform a chip transaction.
Fallback is at merchant discretion, if they want to take transactions under those circumstances then that's their risk.
Other than that, no EMV is not perfect, but it's a DAMN site better than the everything-in-the-clear magstripe. Did you read the linked article about fraud levels?