Have you really used a credit card with a chip to make a purchase at a store? It may not take 30 seconds for the transaction, but it certainly takes longer than 5 seconds for the chip to be read and the account verified.
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Square Launches NFC Reader to Bring Apple Pay to Smaller Businesses
- Thread starter MacRumors
- Start date
- Sort by reaction score
Have you really used a credit card with a chip to make a purchase at a store? It may not take 30 seconds for the transaction, but it certainly takes longer than 5 seconds for the chip to be read and the account verified.
I was meaning support in Canada with chip and PIN.
We have our Square stands USB full - USB Scanner, Printer, and Cash Drawer. Since we are also using an iPad 2 it is not supported with this Square using Bluetooth. I have spare iPad 3's so I could make it work if Square actually supported Chip and Pin.
The business community also doesn't hate Visa and MasterCard's guts in other countries like they do here. Most businesses in the US would still be cash only if they could get away with it, so it's no wonder why they'd rather that using a card suck as much as possible.
Oh, and apparently First Data changed their firmware recently so the "hack" I was using to get around having to tell people how to use their own terminals doesn't work anymore. A lot of these places don't even know that they accept Apple Pay so I expect to start being shut down more often in the future. So no, we're not even close to every EMV capable terminal being NFC capable as well.
Magstripe cloning is one of the big fraud issues we're having though.
It would be great if all small businesses had Apple Pay. This is a good step in that direction. Unfortunately, there are a number of small businesses which are either using old-fashioned cash registers or old POS systems which don’t have USB ports. And yes, the Square reader has a USB port. The other problem is that you need a way of securing the reader because without a chain or something holding it to the counter, someone could easily steal it without the cashier or shop owner noticing.
You defended someone who doesn't have a clue about what he's talking about.
I explained about the encryption/ one time code, cloning, etc, and you think he knows more than I do about chipped cards? Fat chance... Don't quit your day job. Words can't express how idiotic you look.
There a reason America has half of the world's credit card fraud despite having only 25% of the total credit card population. Mag-stripe.
True, but that's not the real problem. The problem is that intercepted data (through a POS breach or a skimmer) can be used to make fraudulent purchases. EMV simply prevents intercepted data from being used to make a physical card. It does nothing to prevent intercepted data from being used over the Internet, nor does it prevent the interception of the data to begin with. So the result you see in EMV countries is that fraud simply switches to card-not-present Internet transactions.
The problem is that EMV was designed to assure that all physical cards are valid cards, without having to check in with the bank. This allows offline transactions, so EMV doesn't try do anything else security-wise. It was designed for a different problem, so it doesn't solve the problem we want it to solve.
Last edited:
How common is the former vs the latter though? Hint: European cards are being stolen and used in the US despite their owners not being here and the fact that the information on the chip isn't enough to make a working magstripe card.
Yes, POS breaches have been in the news lately, but they were only worthwhile to do because of our card system.
http://www.apca.com.au/docs/fraud-statistics/Australian-payments-fraud-details-and-data-2015.pdf
Look at page 8. Australia's fraud rates are the highest they've ever been. Page 9 shows that the counterfeit percentage went to card-not-present.
You're interpreting the situation wrong. As long as there's a hole, in this case US magstripe, fraud will migrate to that hole. When you plug it, it will migrate to the next hole, card-not-present. In order to make a real change, you have to secure the entire system.
The information on the chip is still adequate to make a working magstripe card. The only thing you're missing is the CVV, which is three digits. By simply guessing, you have a 1 in 1000 chance. If you assume they allow 3 attempts before locking out the account, then you have a 1 in 333 chance of simply guessing it.
When someone with a US card uses their chip card in Canada, it's treated like a Swipe card.
So I expect this is the same mechanism in place with Square. The card reader is running it "like a swipe card", which means the card has to actually allow that mode. So AFAIK that means Canadian chip cards on US square readers will be treated the same as NFC/Swipe and subject to the same limitations, while a Canadian chip card used on a Canadian square reader (which would need the attached PIN pad) would only allow transactions over the NFC limit if the PIN was entered. A US card used on a Canadian reader would be treated the same as a NFC/swipe card.
Basically, you probably wouldn't be able to spend more than 50$ on with the Square reader without a PIN with a non-US card. Because the nonce changes when you do NFC transactions, if you were at a convention you would eventually need to insert the chip card somewhere to keep using it. The US cards are essentially being treated the same as a swipe card as far as the reader is concerned. It has the upgraded security of EMV/NFC but it's being subjected to the NFC rules.
So that's good enough for food trucks and small conventions/flea markets.
That's the wrong context. That was in the context of "NFC accessories" instead of Bluetooth. Because NFC accessories don't have robust security mechanisms for things like Keyboards. The NFC "accessory" market is rather immature and this is certainly not what NFC was meant for. NFC was meant for "pin-less" access control and payments. It could also be extended to inventory control, but it should never be used as a means for two electronic devices to establish a permanent data connection.
No one ever said EMV would help with card not present fraud. Your link shows that counterfeit fraud did go down after they adopted chip, just as intended. Of course thieves will commit easier forms of fraud as a result.
The probability isn't 1 in 333 because the guesses depend on each other (i.e. you're not going to try 999 multiple times). Since the probability of not guessing the CVV correctly on the first attempt is 999/1000, 998/999 on the second and 997/998 on the third, there's a 99.7% chance of not guessing it correctly within three attempts. In other words, a 0.3% chance of a correct guess with any of those attempts.
What? No. It's the same chip that other countries use, just programmed so that it doesn't need a PIN.
Speaking of, why in the world do they call it EMV when its supported by so many more than those 3? 'Chip card' is just lame. Why not just 'smart card'
it's still far cheaper than the hundreds you have to pay to get a merchant account and then there's fees on stop of that.
Now I can't wait to see how long it takes them to update their stands etc.
I believe you can plug this new reader directly into the stand using USB.
What the bad guys do is they harvest thousands, tens of thousands, or even more cards. Then they just try random CVV across them all and the odds increase for a hit significantly. All they need is a few cards solved and they go shopping!
Because Europay, MasterCard, and Visa invented the standard - hence EMV. It now covers more cards, like Amex for example and they all own it now, but the name EMV is trademarked and already used so no need to change it.Speaking of, why in the world do they call it EMV when its supported by so many more than those 3? 'Chip card' is just lame. Why not just 'smart card'
FYI, smart cards use the ISO 7816 standard
It easily takes 20+ seconds to verify a chip card. When you put it in the right way, it says "DO NOT REMOVE CARD", and says that for 20+ seconds before it says complete. Have you ever paid with a chip card?
Many times, it doesn't take 20+ seconds except for once. Most of the time it's 5 seconds or so.
Do you stick your card in before the cashier is done ringing up your items?
Honestly there aren't many places that accept them so I can't remember for certain, but when I have the cashier tells me my total, I take my card out and insert it into the reader, and the display says "Do not remove card" for at least 20-30 seconds, then it finishes. The cashier is aware that I inserted my card too, so I'm not sure.
We know _why_ the chip cards are used.
We're annoyed that we have to stand there waiting 5-30 seconds for something which should be practically instant.
That it's protective doesn't mean that it's not annoying.