In a post about last night’s Newsnight, @alexs mentioned that:
I was unaware of that, and had a look at the article and Square’s website. I’d always thought that Square wouldn’t be able to launch in the UK with their current hardware. My understanding of the EMV/PCI security requirements is that the PIN entry device had to be certified as an entire unit (and be tamper responsive), meaning that you can’t just run an app on a phone to collect PINs. But it seems that’s exactly what Square are doing – card details captured by their hardware reader, but PIN entry in an app on a phone. This is in contrast to similar products already in use, such as iZettle or SumUp, which incorporate a keypad into the reader (in the case of SumUp, a truly awful keypad!).
I don’t know about anyone else, but I’d be extremely hesitant to enter my PIN on a random person’s phone, not knowing what else is running on it (especially an Android phone, given that there are fewer restrictions on background software). Do any of the knowledgeable participants on this forum have any insight? Is my understanding of chip-and-PIN security out of date? Should I not worry if I encounter this in the wild?