Is PIN entry with Square's new readers secure?

How do I know the app with PIN entry is not something knocked up by a scammer, especially if other providers start offering similar?

2 Likes

Let's hope any app won't run on jailbroken or rooted devices!

1 Like

This is why I said earlier that the real solution is to not enter anything on an untrusted device, so transaction confirmation should be done out-of-band using a mobile app on your own (trusted) phone for example (kinda like Apple Pay but in that case there’s no card at all, everything happens on your phone).

With a card a bank could implement this by not requiring any CVM on the card itself (so no PIN nor signature prompt) but declining the first transaction and sending a notification to the user’s phone. After the user approves, the bank would temporarily allow a single transaction from the same merchant for the same amount. It would be a UX disaster but would solve the issue. Another option is to make the terminal wait until you approve the transaction, but I’m not sure if that’s technically possible - I would expect terminals and card networks to have a request timeout after which they abort the transaction and consider it a decline.

2 Likes
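The decline-then-approve flow proposed in the post above, as an added worked example (this is constructed illustration code, not code from the post, from any bank or from a card scheme). It models the bank side only: the first authorisation for a (card, merchant, amount) triple is declined and a notification is queued, the cardholder approves from their own device, and exactly one retry for the same merchant and exact amount is then honoured within a short window. The `OutOfBandAuthorizer` class, its decision strings, the `FakeClock` and the sample card/merchant values are all assumptions made for this example; the point is to show why the approval must be single-use, amount-bound and time-bound, and where the UX cost (two attempts per purchase) comes from.

```python
"""Out-of-band transaction approval, simulated (added example, not from the post)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple
import time

Key = Tuple[str, str, int]  # (card token, merchant id, amount in pence)


@dataclass(frozen=True)
class AuthRequest:
    card: str          # tokenised card reference; constructed value in the demo
    merchant: str      # acquirer's merchant id; constructed value in the demo
    amount_pence: int  # exact amount: a changed amount is a different key


class OutOfBandAuthorizer:
    """Bank-side model (assumed design, not a real scheme API)."""
    DECLINED_PENDING = "DECLINED_PENDING_APPROVAL"
    APPROVED = "APPROVED"

    def __init__(self, window_seconds: float = 120.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.window = window_seconds
        self.clock = clock
        self._pending: Dict[Key, float] = {}   # awaiting the cardholder's decision
        self._approved: Dict[Key, float] = {}  # single-use approvals
        self.notifications: List[str] = []     # stands in for push messages

    def _expire(self, now: float) -> None:
        # Drop prompts and approvals older than the window: this bounds how long
        # an approval stays usable if the retry never arrives.
        for table in (self._pending, self._approved):
            for key in [k for k, t in table.items() if now - t > self.window]:
                del table[key]

    def authorize(self, req: AuthRequest) -> str:
        key = (req.card, req.merchant, req.amount_pence)
        now = self.clock()
        self._expire(now)
        if key in self._approved:
            # Consume the approval so the same merchant+amount cannot be replayed.
            del self._approved[key]
            return self.APPROVED
        # First sight of this (card, merchant, amount): decline and notify.
        # A retry with a different amount lands here too, so the cardholder
        # always sees a prompt showing the amount actually being charged.
        self._pending[key] = now
        self.notifications.append(
            f"Approve GBP {req.amount_pence / 100:.2f} at {req.merchant}?")
        return self.DECLINED_PENDING

    def cardholder_approve(self, card: str, merchant: str, amount_pence: int) -> bool:
        # Called from the cardholder's own (trusted) device, out of band.
        key = (card, merchant, amount_pence)
        now = self.clock()
        self._expire(now)
        if key not in self._pending:
            return False  # nothing to approve, or the prompt has already expired
        del self._pending[key]
        self._approved[key] = now
        return True


class FakeClock:
    """Manually advanced clock so the expiry path can be exercised offline."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def run_demo() -> List[str]:
    """Walk the flow once and return the sequence of authorisation decisions."""
    clock = FakeClock()
    bank = OutOfBandAuthorizer(window_seconds=120.0, clock=clock)
    card, shop = "tok_4111", "MERCHANT_001"  # constructed sample values
    out: List[str] = []
    out.append(bank.authorize(AuthRequest(card, shop, 1250)))  # declined, prompt queued
    bank.cardholder_approve(card, shop, 1250)                   # approved on own phone
    out.append(bank.authorize(AuthRequest(card, shop, 1250)))  # retry approved
    out.append(bank.authorize(AuthRequest(card, shop, 1250)))  # replay: declined again
    bank.cardholder_approve(card, shop, 1250)
    out.append(bank.authorize(AuthRequest(card, shop, 9999)))  # amount changed: declined
    clock.advance(121)
    out.append(bank.authorize(AuthRequest(card, shop, 1250)))  # approval expired: declined
    return out


if __name__ == "__main__":
    for step in run_demo():
        print(step)
```

Keying the approval on the exact amount is what stops a terminal from prompting for one figure and charging another; the single-use consumption and the expiry window are what stop a captured approval from being reused. The post's concern about terminal timeouts is visible here too: nothing waits, the first attempt is simply declined and the merchant has to try again.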

If you get handed an Android device the answer is pretty easy: RUN! :joy:

1 Like

Windows phone would be the most secure…but oops…no apps :frowning:

1 Like

The PCI Security Standards Council, which comprises the five largest global credit card companies, is expected to green light the way Square captures PIN numbers through smartphones. The move will frustrate big banks that make significant profit from older proprietary payments terminals with buttons.

The Australian Financial Review understands payment industry executives have been briefed by the standards body that it is close to finalising a new global standard for “PIN on glass”, or “Mobile PIN”, technology. This allows merchants to turn smartphones or tablets into a payments terminal by downloading software and plugging a small card reader into the headphone jack.

The final global standard, which could be published around the end of September, is likely to approve “PIN on glass”, according to payments industry sources.

(source: The Australian Financial Review)

4 Likes

To be honest I am glad PCI is relaxing their requirements on mobile PIN entry devices as in any cases consumers can’t verify whether a terminal is genuine or not before entering their PIN, so while it doesn’t improve security it will at least allow merchants to be more flexible and no longer be shackled to the physical payment terminals their banks force them to use with huge fees.

What happened to Zapp? It sounded like quite a good idea. It seemed to be a wrapper around Faster Payments (you scan a QR-type code with your banking app), which feels somewhat safer than PIN on glass.

According to VocaLink:

"In June 2015, Zapp unveiled Pay by Bank app. This will be a universal symbol indicating to consumers that a retailer can receive a mobile payment directly from a bank app. Pay by Bank app is putting real time payments on mobile phones for the benefit of consumers.

Pay by Bank app will become the Zapp’s consumer facing brand from launch. It is the symbol that consumers will see and interact with and the one used by Zapp and its financial services and retail partners in their consumer marketing."

As per a previous post in this community, Barclays have signed up to Pay by Bank (VocaLink's Pay by Bank app).

I’m not sure how much this will change those dynamics. There are already several alternatives to the big bank acquirers (iZettle and Sum Up being the most prevalent, but PayPal’s in the game, too). They just provide a small keypad, which in many ways is more convenient than if the merchant had to hand over their phone to every customer. The thing that ties merchants in to the big banks is not the hardware, but the contracts they sign and the larger POS system integration, or both (depending on merchant). Anyone who wants to escape the big banks has been able to do so for a while already.

In the UK, iZettle and PayPal Here, I would have thought.

Sorry, I meant PayPal, not eBay (I’m still trying to disentangle them in my mind), now corrected.

I’m in Edinburgh and have seen Sum Up at a few places over the last 18 months. Lots of iZettle for a few years. But I’d never seen a PayPal card reader until one a couple of weeks ago at a farmers market. I suppose it will depend on where you are as to what you see more, but based on my experience, I thought Sum Up was more widely spread than PayPal, which seems to have little presence. But I have no idea what the actual figures are.

I also have no idea of the figures, but I have seen lots of iZettle and, in both London and Essex, seen both the white and the black PayPal readers, but never seen a SumUp one yet. So perhaps it is regional.

1 Like

Interesting to see MasterCard following in Square’s footsteps now, in Poland -

1 Like

Interesting, but note that this will only be for transactions up to ~£10, so not quite the same thing, as presumably there’s no PIN required. The Square proposition does require a dongle (the lack of one is key to the purpose of the MasterCard :poland: scheme). And my security concern (and the EMV requirement for secure PEDs) with Square’s system is the need to enter my PIN into a random person’s phone.

On an unrelated note, why is that article using the old MasterCard logo?? You’d think a finance-specific publication would be a bit more switched on.

2 Likes

Richard, have you heard anything more about this? Square’s website still implies that their method has not been approved (right at the bottom of a long page saying how great their compliance is).

Just as there was previously no standard for card readers that plug into mobile phones, there currently is no PCI standard for mobile PIN entry. Square is, and has always been, committed to innovating with payments industry leaders to make secure card payments accessible to all.

I’ve still not come across one of their readers, but I’d still be extremely hesitant/unlikely to enter my PIN into someone else’s phone. Was curious if when this “mobile PIN” is approved by the PCI council, whether there will be some way for us to know we’re entering our PIN into certified software.

I’m a little late to this one but this bit is complete crap:

Square is, and has always been, committed to innovating with payments industry leaders to make secure card payments accessible to all.

So, what about Blind and Partially Sighted people? They rely on the tactile buttons and the bump on the 5 digit to be able to securely enter their PIN.

I think it’ll be a lot less secure when a VIP asks the retailer to turn on VoiceOver or has to tell the retailer their PIN so that they can enter it onto the screen.

I do a bit of work for Talking Newspapers and as more of these Square devices are appearing, more VIPs are talking about the fact that they simply can’t use them.

Square still have to issue a terminal for the chip and contactless readers, do they not? There’s no excuse not to issue one with buttons.

2 Likes

I think that’s mainly because everyone else only charges 1.75% and PayPal charge 2.75%.

2 Likes

Banks can issue chip and signature cards for those people; at least, last time I was with Nationwide, it was mentioned in their marketing material.

Oh and also there is Apple/Android Pay which requires no interaction with the terminal at all, just unlock your phone and tap.

So you’re expecting VIPs to sign a screen they can’t see instead? How is that any better?

VIPs should get a Chip and Signature card just so they can use Square terminals, when everywhere else they can use Chip and PIN just fine?

1 Like