Is PIN entry with Square's new readers secure?

In a post about last night’s Newsnight, @alexs mentioned that:

I was unaware of that, and had a look at the article and Square’s website. I’d always thought that Square wouldn’t be able to launch in the UK with their current hardware. My understanding of the EMV/PCI security requirements is that the PIN entry device had to be certified as an entire unit (and be tamper responsive), meaning that you can’t just run an app on a phone to collect PINs. But it seems that’s exactly what Square are doing – card details captured by their hardware reader, but PIN entry in an app on a phone. This is in contrast to similar products already in use, such as iZettle or SumUp, which incorporate a keypad into the reader (in the case of SumUp, a truly awful keypad!).

I don’t know about anyone else, but I’d be extremely hesitant to enter my PIN on a random person’s phone, not knowing what else is running on it (especially an Android phone, given that there are fewer background software restrictions). Do any of the knowledgeable participants on this forum have any insight? Is my understanding of chip-and-PIN security out of date? Should I not worry if I encounter this in the wild?

2 Likes

I have used and still use iZettle, where the PIN is entered on the device you hand to the user; no actual input to the phone is needed by the customer. But I have to agree, I would not feel safe popping my PIN into somebody’s phone, especially as, as mentioned, you could have screen recording software running in the background or a keylogger.

1 Like

I was actually just discussing this on the Slack, and have tweeted at them about it - https://twitter.com/billinghamj/status/852831716599136256

Whether it can be considered as secure is one issue - and that is mostly dependent on the state of the device and Apple’s ecosystem.

However we can reasonably determine that it is not compliant with the PCI PIN-entry-device rules as defined here - https://www.pcisecuritystandards.org/pdfs/pci_ped_technical_faqs.pdf

Monzo actually do the same thing in-app which I’m also pretty unconvinced about, but as an issuer the PCI rules may apply slightly differently.

2 Likes

There are ways to determine if a device is jail broken or rooted, so I’d hope that Square are at least checking for the possibility of key loggers.

There are no reliable ways - they can all be bypassed/defeated by installing further tweaks.
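To make the two posts above concrete, here is an added example (not code from Square, the thread, or any Android library) of the kind of heuristic root check a payment app can run before showing a PIN pad. It is written as plain Java so it compiles without the Android SDK; in a real app `buildTags` would come from `android.os.Build.TAGS`, and the `su` paths listed are assumed typical locations, not an authoritative list. Every signal it looks at is filesystem or string state that a rooting tweak can hide, which is exactly the limitation the reply describes, so the only defensible policy for a PIN entry screen is to fail closed on any hit rather than treat a clean result as proof of integrity.

```java
import java.io.File;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Heuristic signals that an Android device may be rooted.
 * None of these is reliable on its own: a root-hiding module can
 * spoof build tags and mask file paths, so a clean result means
 * "no evidence found", not "device is trustworthy".
 */
public final class RootSignals {

    // Assumed common locations of the su binary (constructed list, not exhaustive).
    static final String[] DEFAULT_SU_PATHS = {
        "/system/bin/su", "/system/xbin/su", "/sbin/su",
        "/su/bin/su", "/data/local/bin/su", "/data/local/xbin/su"
    };

    /**
     * Returns the list of signals that fired. Parameters are injected so the
     * logic can be exercised off-device; on Android pass Build.TAGS and
     * DEFAULT_SU_PATHS.
     *
     * @param buildTags   value of android.os.Build.TAGS (e.g. "release-keys")
     * @param suPaths     candidate su binary locations to probe
     * @param pathEnv     the PATH environment variable, searched for su as well
     */
    public static List<String> detect(String buildTags, String[] suPaths, String pathEnv) {
        List<String> hits = new ArrayList<>();

        // Custom ROMs and many rooted builds are signed with test keys.
        if (buildTags != null && buildTags.contains("test-keys")) {
            hits.add("build-tags:test-keys");
        }

        // Probe well-known su locations.
        for (String p : suPaths) {
            if (new File(p).exists()) {
                hits.add("su-binary:" + p);
            }
        }

        // Also check every directory on PATH, since su may live elsewhere.
        if (pathEnv != null) {
            for (String dir : pathEnv.split(File.pathSeparator)) {
                if (dir.isEmpty()) continue;
                File candidate = new File(dir, "su");
                if (candidate.exists()) {
                    hits.add("su-on-path:" + candidate.getPath());
                }
            }
        }
        return Collections.unmodifiableList(hits);
    }

    /**
     * Policy decision for a PIN entry screen: refuse if any signal fired.
     * Fail closed here; a false positive costs a declined sale, a false
     * negative exposes the cardholder's PIN.
     */
    public static boolean pinEntryAllowed(List<String> signals) {
        return signals.isEmpty();
    }

    public static void main(String[] args) {
        List<String> signals = detect(System.getProperty("ro.build.tags", "release-keys"),
                                      DEFAULT_SU_PATHS,
                                      System.getenv("PATH"));
        System.out.println("signals=" + signals + " pinEntryAllowed=" + pinEntryAllowed(signals));
    }
}
```

Running `detect("test-keys", DEFAULT_SU_PATHS, "")` on any machine returns a single `build-tags:test-keys` hit and `pinEntryAllowed` returns false; the filesystem probes only fire where an `su` binary actually exists. The injected parameters are what make the check testable, but they also illustrate the weakness: anything that feeds this function can equally be fed a lie by a device owner who controls the platform.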

Sounds like they might have some kind of temporary exemption - though not sure how to confirm that - https://twitter.com/dgwbirch/status/852858849082167298

2 Likes

I have to say that I’m unconvinced by that. I’d want to see proof of the waiver on the PCI website or similar. As it stands, Square do not have any PIN entry devices listed on the official PCI Security Standards Council website. I would expect their app to be listed as a PED, even if there were exemptions to go alongside it. I also am not sure what the justification would be for allowing an insecure PED for a trial, but I’m not in the industry, so who knows?

As a consumer, I would not use this if presented in a shop. If I were a merchant, I can’t imagine considering installing a system that’s not fully certified to the PCI and UK Card Association standards (e.g. Payment Card Industry (PCI) PoS PED process, and Assurance Level EAL4+ under the Common Criteria). See §4 in the Security guidance for card acceptance devices. Presumably a merchant with an uncertified system would be liable for fraud? Overall, seems like Square are chancers who have a business model in one country and are trying to expand overseas without understanding what’s required. :flushed:

Anyway, I emailed Square’s security address to ask about this, will post here if I get a response.

Isn’t that different, because I am entering my PIN into an app I have installed on my phone? As in, theoretically, all parts of the system are under my control, and I’ve chosen to trust Monzo. Certainly all the other banking apps I’ve used also have PIN/security information entered directly via the touchscreen.

I thought there were a whole different set of requirements when you are doing card acquiring in a public setting, where strangers are supposed to trust whatever system they are presented with. But you have a lot more knowledge of banking/finance regulations, so I’m interested in any elaboration you can provide.

1 Like

See this doc on Square’s website: What is PCI Compliance? What You Need to Know

Excerpt (emphasis mine):

Square meets PCI standards across software, hardware, and payment processing. For chip and PIN countries, we are working on evolving mobile security standards alongside the card schemes and PCI Council, where we are a member of the Board of Advisors. Just as there was previously no standard for card readers that plug into mobile phones, there currently is no PCI standard for mobile PIN entry. Square is, and has always been, committed to innovating with payments industry leaders to make secure card payments accessible to all.

Seems pretty much untrue based on the docs I’ve seen… -_-

1 Like

The PCI docs I saw relate to ePOS terminals and other secure entry devices and not mobile/smartphone use.

This is a digital POS terminal no?

No. There are digital POS terminals and there are phones, and I feel that they are distinctly different. They need to explicitly cover mobiles/smartphones in their next PCI update/version.

Would you just say that any touchscreen PDQ was a “digital POS terminal”? Many touchscreen PDQs have existed in the US for 10+ years.

I’m not sure why onscreen PIN entry would be ok on a smartphone if it’s not on a digital POS. If anything, an ePOS system is a more controlled environment, so should be able to be certified secure. And card acceptance using an iPod touch has been around for almost 10 years, always with an add-on PIN entry device (initially in Apple Stores, this was a special case that the iPod touch sat in). Why haven’t the standards been updated to take account of smartphone card acceptance over the past decade?

I’m not saying I don’t believe you, it just seems like an odd situation. Whilst Square might be a new entrant to the UK, what they’re doing is not new at all. Strange that the standards don’t account for this.

1 Like

If someone gave me this to put my card in I’d say no

1 Like

Yes, I would say those touchscreens are covered by their digital POS term, though of course due to age and function many will not be compliant with current PCI.

Maybe you wouldn’t, but many companies like PayPal released devices like that to small businesses, particularly in the US. If you chose not to use it, well, you just have to pay cash. That is the choice.

Right, but those are far more secure/controlled than what Square is proposing doing - a completely uncontrolled & unverified arbitrary personal device (iOS and Android), where the screen inputs can be trivially intercepted without detection.

1 Like

I think that is why Square are on their council and working groups, as they are trying to help develop new PCI codes to embrace these developments.