Notice: Undefined offset: 1 in /usr/local/src/wordpress/wp-content/themes/montezuma/includes/parse_php.php on line 79

Credit Card Security – corollary

In response to my prior entry, my son asked about using NFC (phone) for payment, rather than cash.   It’s not simple.   At this moment this country in a maelstrom of deciding what to do next.   Isis with C-Sam is an NFC mobile payment system that’s at least deployed in a few places, and it’s a consortium of Verizon, AT&T and TMobile.   They saw early-on that the crypto chip in phones is controlled by the carriers and took advantage of that, locking other payment processors out. (Like Apple did with Firewire’s high licensing fees and failed when everyone went to USB, even though Firewire was far superior)   Unfortunately though, NFC payments have been minimal in the past year, so some major retailers (7-Eleven, Best Buy, et al) have turned off NFC functions in their terminals as it costs (a few fractions of a cent) to keep them on!

Meanwhile, other payment processors were dissatisfied with the ISIS arrangement so have developed an ‘end-run’ around it, setting up alternatives, like a bar-code system (MCX – Merchant-Customer Exchange), a cloud-based system (HCE – Host Card Emulation” – G**gle, Paypal), and ‘card wallets‘ (‘card-on-file’).   MCX is a consortium made up of about 70 brands, including Walmart, Sears, Kohl’s, Lowe’s, Dunkin’ Donuts, etc.   MCX, where your phone displays a barcode to be scanned by the terminal, is marginally more secure than magstripe because once a transaction number is used once it can’t be used again.   So scrape the numbers, and they’re no good to be used again.   Newer Android phones have it, and the iPhone 6 will as well as NFC.   iPhone6 will probably use a fingerprint scanner as the second in the two-factor auth.   Apple hesitated in NFC because of ISIS, but then G**gle came up with the “cloud” idea (to bypass the carriers) and Apple is moving forward. (with -something-, which I’m sure will be entirely locked-down)

Card wallets let you store all your credit cards and reward programs in an encrypted file, which you open with a password.   When you authorize a payment the card info is transferred by NFC, although the info ends up in the same place as it would with magstripe, so I don’t see how that’s an improvement.

ISIS isn’t doing well.   Very few ever use it, because it’s hard to find a terminal in stores people frequently use. (chicken and egg problem)   I haven’t yet found reliable security info on it, but know it uses a crypto chip and unique transaction IDs, which is good.   Amusingly, ISIS is right now in the process of emergency rebranding, because if you’ve been following the news, the rise of the militant group Islamic State of Iraq and Syria (“ISIS” in the news), bombing and killing across northern Eye-Rack.

Any terminal that supports ISIS NFC, also supports EMV (chip in the card+PIN) which is finally in the process of being rolled out in the US, after having been used in the rest of the world for more than a decade, and just as frauds are emerging against Chip&PIN.   Europe is evaluating HCE.   EMV can be used by ‘dipping’ (slide the card in a slot on the terminal and wait a second), or by tapping like NFC.   EMV has proven highly secure worldwide (until recently), but cards won’t be fully replaced in the US until next year.   At first you’ll also need to sign for the transaction like now, but then there’ll be a gradual move to PINs only.

Another interesting thing is the credit card companies have finally come up with a way to shed responsibility for thefts onto someone else.   As of October 15, 2015, responsibility for amounts stolen will rest with the one ‘most responsible for allowing the theft’.   IOW if a retailer has failed to upgrade their terminal to EMV and a theft happens, that retailer must cover it.

EMV would be Ok with me, as would an NFC solution, but none of these closed systems addresses privacy and the breadcrumbs we all leave behind day-to-day.   Altcoins do address this.   I’ll wait and see what experts like Schnier say about MCX, although it seems clunky and stupid.   Nothing beats altcoins, if only they were generally accepted.   Altcoins are cash’s worthy successor.   So it’s cash for me while out and about, for now.

,'after' => '

') )