Magstripe: 1. Chip: -1

Being from the smart card industry, I usually don’t spend much time looking at things that work better by swiping cards than by using a good old smart card. Then, a few minutes ago, I looked at the promotional video for the Square payment service. Well, it’s definitely worth watching.

The basic idea is to allow anybody (with an iPhone, but Android and Blackberry to follow, if we can believe the open positions) to accept a payment using any U.S. credit card. The iPhone application has a few advantages:

  • With a very small attachment, you can swipe the card. Without it, you just need to enter the card data on the phone.
  • The customer signs on the iPhone, with a finger.
  • If the customer is a Square member, the vendor gets a picture for the authentication.
  • They even do automatic loyalty by mentioning the fact that a customer is a return customer.

Easy payments for individuals is just great. It allows me to accept payments from anybody with a payment card, and that’s really new. It makes NFC and mobile payment look sooo 20th century; who really wants another way to pay?

In the meantime, the smart card payment guys read the latest Ross Anderson paper.

A few thoughts about Square after the jump.

First, some good news: if you are in the USA, it is quite likely that Square will eventually work with your contactless card. It may even become the default interface of iPhones and other devices, if NFC becomes widely available. Why? Simply because in the USA, contactless cards simply emulate the magstripe, so the application can work in almost the same way: swipe and sign. The only difference here is the swiping gesture.

In Europe and elsewhere, things won’t be that easy, because we use the more complex EMV transactions, also known as “Chip & PIN” in some countries. I am not sure that Square can’t be done with EMV, but here are a few factors that will make it more difficult:

  • Keys on payment terminals. In EMV, terminals perform cryptographic computations, which means that they need to store keys. Of course, such keys could be managed on the SIM card, but this is not obvious.
  • PIN entry. In EMV, a PIN is entered on the terminal, and actually, a lot of the terminal’s security requirements are related to the fact that the terminal is a PED (PIN Entry Device). And well, an iPhone is far from being an acceptable PIN entry device.

Of course, there are security issues around Square, not all equal:

  • When signing up, one needs to provide the iPhone’s unique identifier. If this thing is used for security purposes, it gets me worried that somebody may use a jailbroken iPhone to mount attacks.
  • If somebody uses a fake application, they may get an image of my magstripe and my signature. Well, anybody in a restaurant can do the same thing, so I guess that the risk is limited.
  • What if somebody pays me with a fake card? Who is liable for that? This is an insurance matter, but it becomes one of my concerns if I become a “merchant”, and Square’s service agreement does not promise much.

Finally, I may be wrong, but from the information I have, I think that we (in France) will have to wait quite a while before being able to use Square in our country. Hopefully, we will find a workaround, and we will be able to get a similar application, because this is just something that I would love to use.

What about Ross? Well, I’ll get back to that soon, after discussing it around.

One Comment

  • lexdabear wrote:

    Yes, it really looks like a convenient way to do a payment transaction. The POS in your own pocket.. everyone can become a merchant. I also hope that similar technology will be available in Europe, and not only Magstripe, but also EMV compliant, pairing it contactless..
    Regarding your objection about the storage of key material in the phone, it may be overcome by using only online transaction via OTA? I would consider the SIM (as not in the field) a secure element, but this is another topic :).
