In a post about last night’s Newsnight, @alexs mentioned that:
I was unaware of that, and had a look at the article and Square’s website. I’d always thought that Square wouldn’t be able to launch in the UK with their current hardware. My understanding of the EMV/PCI security requirements is that the PIN entry device had to be certified as an entire unit (and be tamper responsive), meaning that you can’t just run an app on a phone to collect PINs. But it seems that’s exactly what Square are doing – card details captured by their hardware reader, but PIN entry in an app on a phone. This is in contrast to similar products already in use, such as iZettle or SumUp, which incorporate a keypad into the reader (in the case of SumUp, a truly awful keypad!).
I don’t know about anyone else, but I’d be extremely hesitant to enter my PIN on a random person’s phone, not knowing what else is running on it (especially an Android phone, given that there are fewer background software restrictions). Do any of the knowledgeable participants on this forum have any insight? Is my understanding of chip-and-PIN security out of date? Should I not worry if I encounter this in the wild?
I have used and still use iZettle, where the PIN is entered on the device you hand to the user; no actual input is needed by the customer to the phone. But I have to agree, I would not feel safe popping my PIN into somebody’s phone, especially as, as mentioned, you could have screen recording software running in the background or a keylogger.
I have to say that I’m unconvinced by that. I’d want to see proof of the waiver on the PCI website or similar. As it stands, Square do not have any PIN entry devices listed on the official PCI Security Standards Council website. I would expect their app to be listed as a PED, even if there were exemptions to go alongside it. I also am not sure what the justification would be for allowing an insecure PED for a trial, but I’m not in the industry, so who knows?
As a consumer, I would not use this if presented with it in a shop. If I were a merchant, I can’t imagine considering installing a system that’s not fully certified to the PCI and UK Card Association standards (e.g. Payment Card Industry (PCI) PoS PED process, and Assurance Level EAL4+ under the Common Criteria). See §4 in the Security guidance for card acceptance devices. Presumably a merchant with an uncertified system would be liable for fraud? Overall, it seems like Square are chancers who have a business model in one country and are trying to expand overseas without understanding what’s required.
Anyway, I emailed Square’s security address to ask about this, will post here if I get a response.
Isn’t that different, because I am entering my PIN into an app I have installed on my phone? As in, theoretically, all parts of the system are under my control, and I’ve chosen to trust Monzo. Certainly all the other banking apps I’ve used also have PIN/security information entered directly via the touchscreen.
I thought there were a whole different set of requirements when you are doing card acquiring in a public setting, where strangers are supposed to trust whatever system they are presented with. But you have a lot more knowledge of banking/finance regulations, so I’m interested in any elaboration you can provide.
Square meets PCI standards across software, hardware, and payment processing. For chip and PIN countries, we are working on evolving mobile security standards alongside the card schemes and PCI Council, where we are a member of the Board of Advisors. Just as there was previously no standard for card readers that plug into mobile phones, there currently is no PCI standard for mobile PIN entry. Square is, and has always been, committed to innovating with payments industry leaders to make secure card payments accessible to all.
Seems pretty much untrue based on the docs I’ve seen… -_-
No. There are digital POS terminals and there are phones, and I feel that they are distinctly different. They need to explicitly cover mobiles/smartphones in their next PCI update/version.
I’m not sure why onscreen PIN entry would be OK on a smartphone if it’s not on a digital POS. If anything, an ePOS system is a more controlled environment, so it should be able to be certified secure. And card acceptance using an iPod touch has been around for almost 10 years, always with an add-on PIN entry device (initially in Apple Stores, this was a special case that the iPod touch sat in). Why haven’t the standards been updated to take account of smartphone card acceptance over the past decade?
I’m not saying I don’t believe you, it just seems like an odd situation. Whilst Square might be a new entrant to the UK, what they’re doing is not new at all. Strange that the standards don’t account for this.
Yes, I would say those touchscreens are covered by their digital POS term, though of course, due to age and function, many will not be compliant with current PCI.
Maybe you wouldn’t, but many companies like PayPay released devices like that to small businesses, particularly in the US. If you choose not to use it, well, you just have to pay cash. That is the choice.
Right, but those are far more secure/controlled than what Square is proposing to do: a completely uncontrolled and unverified arbitrary personal device (iOS and Android), where the screen inputs can be trivially intercepted without detection.