Magnetic cards (and all existing RFID equivalents) are bad.
Instead of encouraging their use, we should be creating the mostly fraud-proof obvious alternative: one in which a single transaction does not give the other party permanent access to your wallet.
Picture a card with a key pad on it, for entering a dollar amount. The transaction (through RFID?) would be valid for only that amount.
All of the required cryptographic math has existed for decades. All we need now is the hardware and some infrastructure.
Entering an amount per transaction might be burdensome to the average consumer, which has a great time with just swiping cards and having all their transactions insured by the credit card company. Having a bulky keypad and a higher barrier of entry to buying that soft drink will have the majority complaining and opting out.
If your goal is verification, an alternate system might have a display on the card that simply verifies the amount charged on most recent transaction, signed by the card processor. Crypto on cards is cheap and tested. This will add no new tasks to those that don't care and provide for a peace of mind to those who do.
> Entering an amount per transaction might be burdensome to the average consumer
Shoppers have dealt with counting out money for millennia. The time spent is a small price to pay for total security against remote theft. At the very least, those of us who are not terminally lazy ought to have the option of paying it.
> a display on the card that simply verifies the amount charged on most recent transaction
Ever have your credit or bank card stolen? Thieves typically split their theft into numerous small transactions.
Keypad or not, information sent to conduct a physical, face-to-face payment should not be re-usable in any way.
> Shoppers have dealt with counting out money for millennia.
People have also worked 16 hour days to feed their families for millennia; no one's going to do that now. The amount of effort something takes almost always decreases.
> The time spent is a small price to pay for total security against remote theft. At the very least, those of us who are not terminally lazy ought to have the option of paying it.
How does this system provide 'total security' and guard against remote theft? There is no such thing as 'total security,' you're just mitigating risk. From the way it sounded, you punch in the amount at the time of physical swipe. Once you try to buy something online, you're outside the scope of your physical card.
I do agree however that you should be able to opt in for services that require more verification for transferring money. If you want to spend $25 to get an RSA token to provide a code every time you purchase something, I don't see anything wrong with that service being offered to you.
> Ever have your credit or bank card stolen? Thieves typically split their theft into numerous small transactions.
No, I guess I personally did not. As far as the information I read about and had limited contact when I was associated with a security lab, carders distribute cc numbers in the thousands and resell them, and eventually do get charged in small amounts. Again, I don't see how a two-factor system would prevent this. But also admittedly, I've never spent any amount of time thinking about it nor did I personally research into this.
> Once you try to buy something online, you're outside the scope of your physical card.
A built-in LCD gives you a single-use credit card number. (Such a product already exists, though a Windows-only PC app.)
> If you want to spend $25 to get an RSA token to provide a code every time you purchase something, I don't see anything wrong with that service being offered to you.
And yet the service is offered by no one, and I don't think anyone has yet tried and failed.
> Again, I don't see how a two-factor system would prevent this
A number is good for one transaction, like a gift card code. In the case of my proposed scheme, it is effectively a PGP message signed with your private key, containing the transaction amount, recipient, and a serial number. The bank shall not process any attempted transaction which is not signed by an account holder's key or contains a duplicate serial number.
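The scheme described in the comment above (a signed message carrying amount, recipient and serial number, with the bank refusing bad signatures and duplicate serials), sketched as an added example that is not part of the original thread. It assumes a per-account key known only to the card and the bank, and uses HMAC-SHA256 from the Python standard library in place of the PGP signature; all class, field and account names are hypothetical.

```python
import hashlib
import hmac
import json
import secrets


def _tag(key: bytes, payload: bytes) -> str:
    """Authentication tag over the exact payload bytes (stand-in for a signature)."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class Card:
    """Holder-side device: keeps the key and a monotonically increasing serial."""

    def __init__(self, account: str, key: bytes):
        self.account = account
        self._key = key
        self._serial = 0

    def authorize(self, amount_cents: int, recipient: str) -> dict:
        """Produce a token valid for one amount, one recipient, one use."""
        self._serial += 1
        payload = json.dumps(
            {"amount_cents": amount_cents, "recipient": recipient,
             "serial": self._serial},
            sort_keys=True, separators=(",", ":"),
        )
        return {"account": self.account, "payload": payload,
                "tag": _tag(self._key, payload.encode())}


class Bank:
    """Issuer side: verifies the tag, the recipient and the serial before paying."""

    def __init__(self):
        self._keys = {}    # account -> key
        self._used = {}    # account -> set of serials already paid
        self.ledger = []   # (account, recipient, amount_cents, serial)

    def enroll(self, account: str) -> Card:
        key = secrets.token_bytes(32)
        self._keys[account] = key
        self._used[account] = set()
        return Card(account, key)

    def process(self, token: dict, submitted_by: str) -> str:
        key = self._keys.get(token.get("account"))
        if key is None:
            return "rejected: unknown account"
        payload = str(token.get("payload", ""))
        tag = str(token.get("tag", ""))
        # Verify before parsing: nothing in the payload is trusted until the
        # tag over its exact bytes checks out (constant-time comparison).
        expected = _tag(key, payload.encode())
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return "rejected: bad signature"
        msg = json.loads(payload)
        # The token names its recipient, so a third party who copies it
        # cannot redirect the payment to themselves.
        if msg["recipient"] != submitted_by:
            return "rejected: wrong recipient"
        # Each serial is paid at most once, so a copied token is worthless
        # after the legitimate charge has gone through.
        if msg["serial"] in self._used[token["account"]]:
            return "rejected: duplicate serial"
        self._used[token["account"]].add(msg["serial"])
        self.ledger.append((token["account"], msg["recipient"],
                            msg["amount_cents"], msg["serial"]))
        return "approved"


if __name__ == "__main__":
    # Constructed sample data: one account, one merchant, one $4.50 purchase.
    bank = Bank()
    card = bank.enroll("acct-1")
    token = card.authorize(450, "coffee-cart")
    print(bank.process(token, "coffee-cart"))   # first presentation
    print(bank.process(token, "coffee-cart"))   # same token presented again
```

Unlike a card number, the token handed to the merchant gives no standing access to the account: the amount and recipient are fixed by the tag, and the serial can be spent once.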
totally. one of my housemates reads and writes magnetic strips for fun. we buy a couple memberships to something and then duplicate the cards to share.
If the card conditions of use say, or imply (eg by bearing a single name) that the membership is non-transferable and single user then it is fraud. Whether you find that reprehensible and whether it is illegal in your jurisdiction are different questions.
To increase the reliability of a system, improve the weak links in a system, not the strong.
In a computer systems class we had a lecture about security and cryptographics. There were many case studies of fraud, and almost none of them were deciphering codes. There were many other way easier approaches to steal money from bank accounts.
> improve the weak links in a system, not the strong
How is the fact that a credit card number (given online or copied down by a waiter) gives armies of thieves continuous access to my account not a weak link?
They'll launch, make a couple hundred mil, then they'll get hit with fraud, a ton of people will lose money, and they'll be forced to shut down, since no one will want to use the service, in fear of getting defrauded.
Since there is no barrier to entry, it'll be like 2 weeks before someone comes out with a black market version, that will look exactly the same, but instead of processing credit cards, it'll store them for future fraud.
Will be like the ATM snooping devices, but instead of having to get into the bank, all you need is an iPhone, and some "small" business to rob people with. A taxi, or a newspaper stand.
Edit: If you are going to downvote, at least tell me how exactly do you think this will avoid fraud from fakers who imitate the look and feel of the device?
If you haven't read the PayPal story, you probably should. A good version of it is to be found in Founders at Work, as told by Max Levchin (the nerd who mostly solved fraud for PayPal). Turns out the early story of PayPal is the story of solving the fraud problem...so it is extremely relevant to this discussion. PayPal also started as a company doing security and payments on portable devices, so it's doubly relevant.
As far as fraudulent devices, I think it's pretty safe to assume that people aren't going to be swiping their cards with random people; rather merchants and vendors that they already have a reasonable level of trust with, but in situations where sales would have been limited to cash only or more complicated and PO-based (trade shows, live events, sales guys in the field, etc.). It won't stop the kinds of fraud that already happen; like your waiter at a restaurant keeping lists of card numbers for sale on the black market. And, I guess it would make that kind of fraud easier, since the attacker would have more information.
But, people are, I think, pretty cagey with handing random people their credit card outside of the context of a reasonably trustworthy business. I doubt this will change that. I'm about to hit the road doing sales work for my company, and I can see this coming in very handy, and I don't think my potential customers would have any reason to be concerned about fraud (since they can easily check up on us, and know that I am who I say I am).
I didn't criticize the idea. I up voted the story.
I just answered specifically to the comment, referring to the security aspect. Paypal was losing 10 million USD from fraud, so hope won't do it for the security.
"assume that people aren't going to be swiping their cards with random people"
And, I'm not arguing with you. I think fraud will be a big part of the problem they have to solve. I'm just pointing out that fraud has been solved in other novel payment processing cases in the past and will be solved for this particular case by someone, possibly this company, possibly one of the several likely competitors that will spring up (payment processing is incredibly lucrative if you do solve the fraud problem well enough).
I'll also mention that folks swipe their cards in fake ATM swipers pretty regularly. It hasn't hurt ATM usage, in general. Likewise, PayPal fraud is still an issue that they fight every day...but PayPal is incredibly profitable. eBay and craigslist also have huge fraud problems, but again, the sheer volume of legitimate transactions and the value of the huge markets they serve is enough to overcome any misgivings people have about using the services. So, I don't think that fake swipers will make this particular company any more or less trusted than existing providers that have to fight fraud (assuming they are vigilant about actually fighting it).
I wouldn't be surprised if they were working with Palantir (ex-paypaler company) and using their fraud detection software, since PayPal has already been through this whole ordeal, it's probably a much more solvable problem now than before, at least someone has figured it out.
The interesting thing here is that PayPal made all their margins by encouraging people to use bank accounts rather than credit cards because they made almost no profit on credit card transactions. I'm interested in how this revenue model will work out, it seems like merchant services providers have arrived at their current model of business (arduous checks before granting accounts) out of necessity. Since Square is basically in the merchant accounts business (that's where their margin is) it will be interesting to see if they actually know something that merchant service providers do not about granting accounts to anyone who wants them without more verification.
I've always wondered why merchant service providers didn't instantly verify accounts and allow people to start charging immediately, but hold the captured funds while the account was verified with all the proper checks. Maybe that is what Square is doing.
there are a huge number of legit businesses that would benefit from this. i showed it to a few friends already.
why are we naysaying this specific business and not other point of sale things that operate the exact same way? what prevents someone from running a fake newspaper stand with a laptop and CC swiper? why is this product vastly different?
well, what makes an official looking device safe? ATM and gas station skimming is a big issue.
do they do restaurant payments different in the UK? would you simply hand your card over to a waiter to pay a bill? what prevents the waiter from just writing down your info? you wouldn't even see a device there.
i think that it's just an issue of trust. you won't necessarily trust someone with a hacked together device on a street corner, but if it's your cousin jim's glass blowing sculpture store, you'll probably trust anything they run your card through.
plus, in the US at least, we have a fairly robust consumer protection on cards. if you suspect your card to be compromised or see a charge on it you know isn't yours, dispute it and you'll probably have your issues resolved satisfactorily.
Generally we don't let our cards out of our sight. Indeed most of the time I handle my own card and it's only rarely that a shop assistant will handle it. (So writing down info isn't a big concern).
The portable POS devices allow the customer to tip as well BTW.
"They" don't run cards much any more. It's a case of consumers putting their own cards into chip+pin devices and keying in their PIN.
Sure @ disputes, we have similar, but it's an extra hassle and not fun.
at some point in time, there's a layer where you have to give someone some level of trust. again, in the case of ATM and gas station skimming, even official looking devices can be malicious.
also, what are your thoughts on online purchases? you're relinquishing a certain degree of control there, too.
disputing isn't fun or convenient, but if it wasn't there or it was worse, i don't know that the CC system would be as popular or successful. it's one of the reasons why debit cards had a rocky start.
I'm pretty sure this is a risk borne by the credit card industry already. Unless I'm misunderstanding something, this is essentially the same risk as that of handing your credit card to a waiter.
This device can be used with any computer or smart phone. I'd be worried about businesses using insecure computers connected to the internet instead of POS machines where people don't click on links to install untrusted software.
I thought about this but I don't think it's any worse than the status quo.
A scammer can today get hold of a fake taxi badge, pass a skimmer back to the passenger saying it's going to take payment and achieve the same end.
Presumably the argument against square would be that it will desensitise consumers to the risks associated with this and they'll drop their guard.
I think this might make sense if consumers had any guard in the first place. However since I'm sure the average person would hand their credit card to a taxi driver to skim today it's hard to see that Square changes anything.
At the end of the day this will come down to people being careful about who they hand their card to - just as they are (aren't) on the internet.
Exactly. I can rent some storefront right now and set up a fake card swiper. Maybe the barrier of entry for this kind of thing is lower... but is it lower than creating a web page and stealing credit card numbers?
The beauty of credit cards is that you're not responsible for fraud. I know that when I go to a restaurant the server could easily take a quick cell camera shot of my card, but I accept that risk because I know that I monitor my card activity and that I can recover that money if it does happen. The same applies here.
Your iPhone leaves a data trail, at the provider, at wifi spots, at bluetooth sensors. Now someone who is technically adept could muddy that trail considerably. But the basic forensic evidence is still there. And remember, for the most part criminals are human, and make human mistakes; they will do a transaction in full view of a security camera, or something equally dumb. It's no better and not much worse than the systems we have now.
Magstripe readers have been within the reach of any reasonably-clever fraudster for a long time. Attaching them to an iPhone and using audio modulation for the signal doesn't magically open the floodgates to card skimming and duplication.
This isn't even as big a threat as, say, making people acclimated to the idea of joining open wireless networks at coffee shops -- card skimming at least requires physical access to the card for a few seconds.
Fraud is much less likely here than on PayPal, for example, for multiple reasons:
a- Card present. Chances of fraud when the card is swiped are much lower than when it isn't (for obvious reasons).
b- Signature. This lets you have a basic form of authentication for the user after the fact (oh, didn't make this purchase? Why is this your signature?)
c- Location. Each purchase is tagged with the GPS coordinates from the phone.
d- If need be, pictures. You could always snap a quick photo of the cardholder if the transaction comes up as a serious fraud risk.
Yes, there are still risks of the person skimming your card info, or stealing your CC number another way, but these are risks present in the entire credit card system.
It's certainly much safer than PayPal, and they're doing alright.
It looks to me like the iPhone is the user's own iPhone, in which case the user will have installed the software on the phone side themselves. So I guess the flow would be: user starts software; merchant takes phone and plugs in device; software checks device and makes sure it is authentic; then UI presents signature page to user.
What is the hole in this? I'm not saying there is no hole, and I did like your question (and upvoted it), but I'm wondering if you can think of a good attack that I'm missing.
Edit: Instead of "iPhone" I should have said just "phone" since it will be on multiple platforms.
Only thing I can think of would require uploading malicious software with a modified version of the square device but that doesn't look possible, yet.
Why not just use your phone to pay, for example the business owner gives you a qr code that you scan in then use an app that interfaces with your paypal account that pays the business they get confirmation you don't have to worry about using extra hardware,
or why can't the business owner give you a number to text and then collect payment through that then you don't even need a smartphone any cellphone will do.
Really things would be more secure if I could send money to an account rather than have them remove money from mine.
what if you were the owner of the iphone and square hardware and the business or person you were giving money to had a barcode/number/qr code that you would scan/enter which would go to a third party(probably square) service that verifies your account is in good standing and tells the receiver on their iphone/android then the transaction is completed square takes a small cut 1 cent per transaction for being the trusted middle man. No worry about using untrusted system or anything.
You are doing everything on another person's gadget. Any verification Square can come up with, can be bypassed by simply not implementing it.
Verified icon? Easy JPG
Encoded credit card #s? Who said the fraudsters would need to use your tool?
Square Verified badge? Easily copied.
It basically boils down to trust issue, early on, consumers will just be unaware of how vulnerable they are, but then stories will start popping up all over the place about how so and so, paid with a credit card for a taxi ride using Square, and then got hit with $5K in credit card fraud.
As BigO said (or implied at least) above any such device needs to be mine. I should get a transaction ID from the seller and use an encrypted text message or other interaction with my bank to forward the money to the seller - on completion they see their tx-ID as paid and I go on my way with my acquired goods.
The Square system is like me handing over a pot with all my money in it and saying "take what you like". Whilst the above is akin to me passing the money to an escrow (my bank) and them checking it is OK and telling the receiver of the funds.
Sure a fraudster can get hold of a fake merchant ID and encode the transaction value, ID and their merchant ID with an acquired private key - but that merchant ID can just be locked when fraud is spotted and decrypting the data off the wire is going to require lots of resources.
why would someone involved in credit card fraud care about regulatory barriers and patents? These will be the same people who sneak into ATMs, and modify the readers.
Why wouldn't it just work to use the camera and do OCR on the front of the card... seems like the little gizmo is way overkill for something fairly simple.
Funny, but there's something serious lurking in this comment.
Think about how US dollars declare, on the face of the bill, that the currency is good for all sorts of transactions (all debts, public and private). Even a beggar can get in on the use of this currency. People can easily give to a beggar with almost no overhead, and the recipient can spend the currency almost anywhere.
Credit isn't anywhere near that yet, especially since transaction fees are non-trivial. However, there's been a pretty major barrier to receiving credit payments, and even if someone was willing to pay the fees, there hasn't been a good way to interface with it.
Let's say I pay for two coffees with credit, and a friend wants to pay me with credit for one of the coffees. Even if I were willing to pay the transaction fee, I couldn't take their credit card, easily. PayPal is close to that point, but square is closer.
Settling trivial, private debts with credit will be just as good as any currency that works for all debts, public and private.
With private debts, I believe credit card companies will treat that as a cash advance so the transaction fees will be pretty high. Maybe you can use bank accounts for that but the transfer will probably not be instantaneous.
Great so instead of repaying my friend $10 I can repay him $10 and pay the bank a transaction fee for the privilege ... something there is not making me shout for joy.
In order to make $90,000 begging, you would have to get $250 every day of the year. This seems highly unlikely. I'd say most beggars make more like $20 a day, but I'm just doing armchair science here.
While commuting back and forth to Seattle on the ferries, my dad said he heard a couple people comparing how much they'd made begging that day and it was in the $200-$300 range. They had been disappointed in the "slow" day.
Right, I don't understand the downvotes though, I was simply giving the only data point I had. Anecdotal though it is, from this, I don't see it as entirely unreasonable for someone in a larger city like NYC to make as much as my original post's grandparent suggested.
I also don't see any reason for two beggars talking amongst themselves (albeit loudly enough for others to hear) to inflate their daily income more than $100 or so, _especially_ if they're commuting (which costs ~$7/day) to do so.
>I also don't see any reason for two beggars talking amongst themselves...to inflate their daily income
Well, the short answer is pride. The long answer would be that they do it for the same reasons that you or I would do it if we were asked our salary on a form, knowing that it would be compared, even anonymously, to others. It's the reason why HR firms basically ignore any data that asks an employee for their salary as being inaccurate.
yes but you have to look at the density of people.
$250 every day = $25/hour if you "work" 10 hours a day. So 1 person donating $1 every 2.4 minutes.
In that 2.4 minute period, there are probably 1,000 people walking by. Is it really that far fetched, that 1 out of those 1,000 people will "give back"? Especially in a city like New York where there are plenty of high income individuals?
Analysis is not evidence. Yes, it sounds reasonable. But that doesn't mean it's true. There are many factors your simple model doesn't take into account.
I guess the problem is reasonable to me is not necessarily reasonable to someone else. It still blows my mind that someone could make so much money begging. I haven't read the above posted article, but it still seems unlikely to me that beggars make that much money.
Perhaps a better way of putting it is: The average beggar doesn't make anywhere near that much. I can imagine some especially good ones that make a solid living doing it, but most don't make much.
The person he replied to said it "seems highly unlikely". This isn't a peer-reviewed journal here. We're speculating. I will mention that I gave $20 dollars to a girl last week who claimed she had had her stuff stolen and didn't have enough money to get a train back to her house. There's a significant chance she was scamming me, and the point is, with a plausible story, I'm pretty sure you can find many "suckers" every day.
I, too, think it's highly unlikely that a panhandler is clearing $90k a year, since that would place them in a higher income bracket than every working person I know in NYC. I meant his analysis sounds reasonable, not that it actually is. That's the problem with using simple models: you're seduced by simple reasoning applied to complex problems. The ancient Greeks' analysis of matter sounded reasonable, too. It is only with further reflection that the reasonable sounding analysis does not hold up.
This is peer-review. I'm curious what the truth is, so I'm going to consider the validity of someone's speculation and criticize it accordingly.
This American Life did a podcast (can't find it at the moment) where they followed two guys who decided to become homeless, and beg for money in NYC while trying to write poetry and stories. Each guy easily cleared 60k, as I recall. So it's definitely doable.
In fact, another article I read told about a couple in Portland, Oregon that cleared 50k between the two of them begging.
This American Life source does not appear to check out on 60k while homeless figure:
"Gregory: I was making 60 grand a year, 60 grand, not working hard. If I wanted to push it I could push it to 70. They want you to do over time on Wall Street. Wall Street judges you by your overtime. So yeah, I was raking it in. And I was spending it just as fast on alcohol. I would get up at 8 at night, take a shower, have a pint of Jack Daniel's on me when I got into my car and drove to work."
Poetry sample:
"A Few of My (cough) Favorite Things"
Waking up achy, And out in the open.
Guard dogs are barking. Before words are spoken.
Wrought iron benches, That causes suff-ring.
These are a few of my favorite things.
Taking a shower, With four dozen others. Moving around,
In a stench that can smother. Finding that you,
Are the source of the stink!
These are a few of my favorite things.
When the bottles dry, And the smokes are gone,
And I'm feeling low
Interesting idea, I really like the hardware piece.
Not sure how large of a market there is for this. Mom + Pop stores use CC terminals (cheaper than an iPhone), so that leaves this open to mostly people who accept payment outdoors at farmers markets, sports events, etc..
For that to work you'd have to be comfortable giving a merchant your credit card, which isn't a sure thing considering they can disappear without a brick+mortar store. Also, the merchant would have to be comfortable giving a customer their iPhone. I know I wouldn't want to hand out my phone to random people on the street.
That being said, it looks cool and if I had a store I would definitely give it a try.
it's unclear to me whether you need a merchant account to use square; i'm assuming from "0-$60 in under 10 seconds" that you don't.
if you don't need a merchant account, the market for this is massive. there are millions of people who provide services and sell products who take cash, check, or paypal only. many of these people are dying to take credit cards with zero hassle, which square lets them do.
I thought about that too. Someone has to have a merchant account, so it's possible all of the payments go through Square and they act as a clearing house where they redirect payment to the correct merchant. I could see that leaving them vulnerable to chargebacks. I wonder what kind of rates they're offering to users.
Is it cheaper than getting a terminal? The idea behind this is you already have a cell phone. Why buy an additional device to do this, which worse yet has a bad interface and can't be upgraded.
And they say innovation is dead in the U.S. Using the audio jack to read credit cards, brilliant.
Thinking out loud: I assume it reads the strips and converts the information to tones - but I would love to read more about it. I just want to plug it into my computer and see what comes up in Audacity when I scan a card.
I think this device/feature overwhelms the service as a whole actually.
I think the opposite is true. The hardware is almost a gimmick to push what is otherwise a potentially powerful service.
The theory behind this app is that individuals are now empowered to take credit cards for anything they previously would have had to take a cash or check for, which is increasingly important in our society where credit cards are becoming the normal way to pay for things.
As for the hardware, it's a pretty old trick. Though I don't know any of the specifics of this device, you don't need to look any further than your graphing calculator to see the idea in use.
Yes, paypal does something similar for online payments. I'm pretty sure the lag for merchants is longer.
Note that PayPal was revolutionary and is worth many billions of dollars - largely because they could handle the fraud this kind of configuration causes.
Wireless terminals have been available for a long time. Verifone has sold thousands of wireless terminals with a built-in GPRS and ethernet. You can easily find them for less than $200 and are purpose built for retail.
The last thing I want to do is to hand my $699 iPhone over to a customer, especially with a usb attachment or delicate accessory in its headphone jack....
I seriously gotta wonder how the iPhone of some random person (which has various third party apps on it, etc.) is going to meet the kind of security requirements the card issuer cares about: http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Secu...
Theoretically you could use any headphone extension cord to ease this problem considering it most likely uses an audio signal to pass the information. This would in turn let you attach the reader elsewhere on the phone.
Although it seems like part of the point is to have a tiny device you can just pull in and out of your phone at need be.
It's in closed beta with a number of vendors, like @sightglass & @lilybellesf. According to their Twitter, they're taking beta applications later today: http://twitter.com/Square/status/6242394391
So our family business has been taking credit cards for 9 or 10 years - it's a mobile business, so we have always had to use a cell signal. The earlier machines were bulky and monstrously expensive, and so were the analog service plans for them. But now, data transfer is cheap, and card readers are as low as $400.
I think it's also worth noting that, in that time, we've never had a problem with our card reader (the latest, we've had for about 4 years) but my ipod touch, which is a year old and sees far less punishment, has a broken home button.
The feature I'm most excited about is e-mail receipts. If I never had another paper receipt again, I'd be perfectly happy. I also think using the audio jack as the reader is incredibly smart.
Actually, there are two things about this system that I really like:
1. I can see a future where paper receipts are a thing of the past.
2. If someone uses my card fraudulently, I'll receive an e-mail a minute after it happens alerting me that something is amiss.
Interesting that all transactions show up as from squareup.com. This means that actual vendors are just virtual accounts and they could benefit from the economies of scale and can be provided those cost benefits that square up obtained. This most likely would be cheaper than any plan a small merchant would be able to get on their own.
I wonder what the overhead is per transaction (usually a small fixed fee as well as a percentage of the overall transaction). Having worked with some small retail shops, you usually trade off either a higher per transaction cost with smaller percentage fees for large ticket price items or the other way around for quick-serve restaurants for instance.
Credit card issuers (i.e. the bank that owns your cc account) trust the track data on the magstripe more than just the PAN embossed on the front of the card. This affects interchange fees, transaction costs, etc.
it would be neat if customers could download an app that would interface with a store using square.
the customer could browse the menu, buy the product (coffee or whatever) and prepare their order before even getting to the store, then walk in, transmit the order wirelessly (or through the internet to the store) along with their stored payment info to the store's register and have everything processed right away without having to swipe anything or even stand in line.
i'm sure there are existing iphone apps that do this for particular stores (chipotle comes to mind) but if it was a generic app that automatically worked with any store that accepted square, it would be pretty convenient.
I am excited about this ... at the same time, it would need some specific features for me to be a customer.
This would be ideal for us at tradeshows and seminars. We attend/sponsor about 5-10 per year and do quite a bit of business at a few of them. Instead of having a dedicated laptop in the back for sales, this would be much easier.
On the other hand, we already have a merchant account (with Braintree). Plus, we have older clients still paying us with PayPal subscriptions. The last thing we need is another gateway/merchant company.
I suspect there are many other businesses like us.
I hope they are either very flexible or license the technology to other companies.
Innovative! Door to Door newspaper selling, Collections. Food Carts, Local Car Service, Donations. Anyone can take a payment for a service in real time. The transaction fees, security perception and ease of signup will determine its adoption. The hardware cost can be reimbursed to the client from the transaction fees.
I'm very impressed by the quality of the front page. Instantly I knew what the product was about. The style of the site is very professional. And the information at the bottom of the page is extremely well organized.
I haven't seen a web site that communicates this effectively in a long time. Kudos to the front page designer!
Faster, which is not a trivial thing at all if you've got a line of potential customers (some of whom may change their mind or never get in line in the first place if things take too long), and there's additional data on the magstripe that proves the card is really present, which allows you to get better rates with your merchant account. If you have to key in the number and expiration, you'll pay higher rates.
Is it not obvious? Why don't retail stores type in your credit card information instead of swiping it?
Chip and PIN doesn't seem to exist in the US so I'd imagine they're not targeting it immediately. I don't see why they couldn't expand the hardware to support it though.
"This means that adding support for EMV to existing payment applications can be a daunting task!
Furthermore, the demands of providing an EMV solution do not even stop once all the necessary processing has been implemented, thanks to the extensive type approval process enforced by the governing body, EMVCo. Before any EMV-capable solution can be deployed, there are thousands of tests that need to be passed to validate that the implementation conforms to the EMV industry standard, and as the EMV specifications are regularly updated this becomes a major task in itself! This is why many businesses requiring an EMV "Chip & PIN" solution choose to license a purpose-built EMV software kernel rather than developing their own."
To me the biggest roadblock to widespread adoption is the fact that many small merchants want cash & not plastic, not because a card-reading device is expensive, or complicated, or what, but because cash is off the books.
I see this and I think...why hadn't PayPal done something like this already? It would make perfect sense for them to have come out with something like this a long time ago, but who knows...
True, but why not revisit the concept at some point especially since a lot more people are walking around with PDAs/smartphones/etc. now than when they first started.
I don't really understand the niche it's aiming to fill. Most stores/restaurants have portable card readers these days, so is it a poor man's one of those?
I guess I'm wondering what use-case it's aiming at.
Also I absolutely would not trust someone swiping my card through one of these. I like a closed box that is obviously provided by a bank, which cannot be tampered with. Not an iPhone that could be doing anything with my details.
Why exactly do you assume that a credit card reader is a "closed box that is obviously provided by a bank"?
I've implemented point-of-sale systems before, and lemme tell you, there's nothing magical about a magstripe reader, a microcontroller, and a bit of firmware.
Think for a second about recent credit-card purchases you've made. If your habits are anything like mine, aside from gas stations (where the reader is usually integrated into the pump), most card "swipes" happen through either a peripheral device connected to a generic PC, or a compact card reader with little more than a keypad and phone jack, with no visible branding, certification, or tamper-resistant seals in sight.
Nope. Perhaps this is a country thing.
In the UK pretty much everything happens in a specific looking chip+pin reader POS device. They all look pretty much the same and are pretty secure afaik.
(Also most places in the UK will not swipe your card anymore. It's all chip+pin).
OK, it seems the issue is that the US is far behind in this. Pretty much every restaurant in the UK has portable POS devices waiters carry around to take payment. Pretty much every shop has the same standard looking POS chip+pin devices.
Maybe this is a European thing, but here in London every restaurant has a number of portable card readers. (Everyone here also uses chip & pin, though, too.) As a consumer, it's awesome... much faster than the old days, and a hell of a lot easier to split the bill when you want to do that.
Yeah, I noticed that when I was in London a few months ago. They're almost non-existent in NYC as far as I can tell, and that experience has been consistent with my experience elsewhere in the US.
Perhaps the London merchants are required or otherwise incentivized to use portable ones?
I am in Philly and I am using XIPWIRE and so are all my friends to make transactions with our phones. As far as I know none of us have had any trouble and the fees are super low.