I was talking about buying from online merchants. I’m less familiar with the security implications of chip-and-pin or contactless card for in-person transactions. Do those technologies prevent the merchant from getting raw CC info?
Rightly or wrongly, I worry less about the security implementations of hardware point-of-sale terminals than the security implementations of small websites.
I mostly prefer Apple Pay for in-person transactions because of anonymity — my understanding is that it makes it harder for companies (other than Apple) to track my purchases.
> An enabled EMV terminal reads and verifies the card information contained in the embedded chip when inserted into the slot of the payment terminal. Like using the magnetic stripe, card data is then processed for payment authorization; the key difference is that the chip card generates a one-time code for each transaction while a traditional magnetic stripe card does not.
So, the merchant doesn't get the raw CC number; they get a transaction token.
This doesn't prevent someone from reading the CC account number off of the physical card, but unlike swiping a stripe, the act of purchasing via an EMV token means that the CC account number doesn't enter the system.
Bank of America automates the process of creating virtual cards for your account when you set up contactless payments such as Google Pay. It is not an anonymous service, as the bank still keeps the transaction records and, iirc, will occasionally sell or relinquish the data on request to 3rd parties or enforcement agencies.
Apple Pay is set up as a front for my credit card, which is a Visa card I get through my credit union. Whether it's Apple Pay or Google Pay (or PayPal, or others), I think the card provider is always going to have full records — in addition to the payment channel provider. So I should have said "(besides Apple or my card provider)" rather than just "(besides Apple)".
Yes, mostly. The cell phone wallets were the convenience difference that caused merchants to upgrade their POS systems to support contactless. Before that there just wasn't much reason for merchants to change their existing card infrastructure. Now customers feel inconvenienced if they have to use a credit card.
I find it interesting because in my lifetime the UK went from magstripe (falling back to a carbon copy of the card with signature) to chip and pin, to contactless, and now smartphone. A lot of upgrading while the US just skipped it.