Monday, September 21, 2015

How Do You Want To Pay For That?

Magnetic stripe cards, touchless cards, chip cards: what does it all mean?  Read on to learn which payment methods will keep you safe from fraud.

I'll also talk about the opportunity toward the end in the "Business Opportunity" section.


Introducing The Credit Card
First of all, a review of traditional cards:  Your card has a short, 15-16 digit account number printed on it.  You can use this number wherever you can't find a card machine, such as when you buy things online or over the phone, and it's raised (embossed) so that the next time you step into a taxi without an electronic card reader, the driver can easily take the card number with a machine that inks the bumps on the card.  The trouble with that is the number is really short and easy to steal, so the card manufacturers came out with magnetic card reader machines in the 1980s to make cards more difficult to copy.

The CVV code is printed on the card and is never raised like the account number is.  Payment Card Industry requirements dictate that the CVV must never be stored, though it may be checked to reassure the card processor that the user had the card in hand at the time the account number was stored.

Single Use Card Numbers
If you have authenticated yourself at your card provider's site (or another site you trust), the card provider trusts your active session more than any payment made with a 15 or 16-digit account number entered on another web site or over the phone.  Several of the card provider sites offer a single-use alternative account number you can use to charge things to your regular account.  Simply log in, generate the card number, copy it to your computer's clipboard, and paste it into the vendor's web site.

Single use card numbers can be used for a single transaction or a single vendor.  They are quite secure, cheap to issue, and, though not as easy to use as a plastic card, they can be entered into any machine and provide reasonably good security, rivaling that of magnetic cards.

Despite their advantages, customers aren't using them, and many card issuers have discontinued the technology in this form, but as you'll see below, it is available in similar formats that are more convenient.
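To make the single-use idea concrete, here is an added example (constructed for this post, not any issuer's real system) of an issuer-side vault that mints a single-use number tied to one vendor and one transaction.  The BIN prefix, account ids and merchant names are made up; the check digit uses the standard Luhn formula that real account numbers also carry.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple


def luhn_check_digit(partial: str) -> str:
    """Return the Luhn check digit that makes `partial` + digit a valid number."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


@dataclass
class SingleUseVault:
    """Constructed issuer-side store: token -> real account, bound vendor, used flag."""
    bin_prefix: str = "400000"                         # made-up issuer prefix
    tokens: Dict[str, dict] = field(default_factory=dict)

    def issue(self, real_account: str, merchant: str) -> str:
        # 6-digit prefix + 9 random digits + Luhn check digit = 16 digits
        body = self.bin_prefix + "".join(str(secrets.randbelow(10)) for _ in range(9))
        token = body + luhn_check_digit(body)
        self.tokens[token] = {"account": real_account, "merchant": merchant, "used": False}
        return token

    def authorize(self, token: str, merchant: str) -> Tuple[bool, str]:
        if not luhn_valid(token):
            return False, "malformed number"
        entry = self.tokens.get(token)
        if entry is None:
            return False, "unknown number"
        if entry["merchant"] != merchant:
            return False, "bound to another vendor"
        if entry["used"]:
            return False, "already used"     # a captured copy is worthless after first use
        entry["used"] = True
        return True, "charged to " + entry["account"]
```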

Magnetic Cards
Your credit card has a magnetic stripe on it.  Overall, the technology is similar to a cassette tape, using magnetized regions of the stripe to store the information, which is easily scanned by the machine.  Besides including the account number and name you see on the face of your card, the magnetic stripe carries additional information you can't see on the outside of the card.  This extra set of numbers is like a really long password, designed to tell the machine that the genuine card is present at the transaction, and it provides some degree of assurance to the card processor that the consumer is probably there and that this is not a scam.

When the card is swiped, a series of on and off pulses is read by the magnetic head in the device as the card moves through the slot.

However, it's becoming increasingly easy to add a tiny second card reader to the magnetic stripe slot so that the card is read twice (once by the machine and once by an imposter's device, which someone comes by later to collect), or to add a device that records the signals on the wires between the magnetic reader and the rest of the machine.  Like a password, once the stripe has been recorded it can be copied onto another payment device, such as another card, and if that copy is used, the mag stripe machine can't tell the difference between the copy and the genuine card.

Sometimes the magnetic stripe of a counterfeit card doesn't match what's printed on the card, which is why some machines ask the cashier to confirm the last 4 digits printed on the card.

As of 4 years ago, illegally copied magnetic stripe cards could be purchased for as little as $0.25 each (or so I've read).  The price is likely lower than that now.

Some of the new popular everything-in-one cards like "Coin" offer a magnetic stripe that changes to match a card.  They have the same benefits and drawbacks as regular magnetic cards.  However the newest of these also offer additional, secure ways to pay that incorporate the features below.  Seek these out!  You'll understand why in a minute.

NFC, "Touchless" Cards, Apple Pay, and Android Pay (formerly Google Wallet)
Near Field Communication (NFC) or "touchless" payment methods (except Samsung Pay) all work over short range (within inches) radio waves.  The general idea of each of these is that the card and the credit card machine have a "conversation" about the transaction, and that some of the information is different with every transaction.  So the "password" that makes your card unique changes constantly, and isn't easily copied.

These work on the premise that the card and the payment processor know a "secret" that is never transmitted over the air.  Copying this payment method is harder, but if you had a device to have this "conversation" with a card that is in your wallet, you could have the card authorize a payment without your knowledge.  I haven't actually heard of this being done, but it's made people nervous enough to start an explosion of wallets and pockets that advertise they can block signals to keep your cards safe.

Touchless cards also have a magnetic stripe for readers that don't support the touchless payment option, but that magnetic stripe is no better than the one on any ordinary magnetic card.  Unlike the touchless radio responder built into the card (or phone), the information on the magnetic stripe never changes.
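The difference between the never-changing stripe and the per-transaction "conversation" is easiest to see side by side.  The following is an added simulation written for this post (not the real EMV or NFC protocol): the issuer checks a static stripe string by plain comparison, while the chip answers each transaction with an HMAC over a counter, the terminal's nonce and the amount, using a secret that never leaves the card or the issuer.  The track string, card id and amount are constructed sample values.

```python
import hashlib
import hmac
import secrets
from typing import Tuple

STRIPE_DATA = "4000001234567890^DOE/JANE^2512101"   # constructed static track data
CARD_SECRET = secrets.token_bytes(16)               # known only to card and issuer


def _cryptogram_input(counter: int, nonce: bytes, amount: int) -> bytes:
    return f"{counter}|{nonce.hex()}|{amount}".encode()


class Issuer:
    def __init__(self) -> None:
        self.known_stripes = {STRIPE_DATA}
        self.card_secret = {"card-1": CARD_SECRET}
        self.last_counter = {"card-1": 0}

    def verify_stripe(self, track: str) -> bool:
        # Only checks that the bytes match, so a copy is indistinguishable.
        return track in self.known_stripes

    def verify_cryptogram(self, card_id: str, counter: int, nonce: bytes,
                          amount: int, mac: bytes) -> bool:
        expected = hmac.new(self.card_secret[card_id],
                            _cryptogram_input(counter, nonce, amount), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):
            return False                      # wrong secret, or tampered amount/nonce
        if counter <= self.last_counter[card_id]:
            return False                      # counter already seen: a replay
        self.last_counter[card_id] = counter
        return True


class ChipCard:
    def __init__(self, card_id: str, secret: bytes) -> None:
        self.card_id, self.secret, self.counter = card_id, secret, 0

    def respond(self, nonce: bytes, amount: int) -> tuple:
        self.counter += 1                     # one-way transaction counter
        mac = hmac.new(self.secret, _cryptogram_input(self.counter, nonce, amount),
                       hashlib.sha256).digest()
        return (self.card_id, self.counter, nonce, amount, mac)


def stripe_copy_accepted(issuer: Issuer) -> bool:
    return issuer.verify_stripe(STRIPE_DATA)  # a recorded copy passes unchanged


def cryptogram_copy_accepted(issuer: Issuer, card: ChipCard) -> Tuple[bool, bool]:
    msg = card.respond(secrets.token_bytes(4), 2500)   # terminal picks a fresh nonce
    return issuer.verify_cryptogram(*msg), issuer.verify_cryptogram(*msg)
```

The second value returned by `cryptogram_copy_accepted` is the recorded conversation presented a second time; the counter check rejects it even though the MAC is genuine.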

Apple Pay and Android Pay are more secure because both use a form of authentication on your phone to authorize the payment.  Your PIN is never transmitted over the air, but your phone won't authorize the touchless payment without it.

Samsung Pay will act like Apple Pay and Android Pay, but the value Samsung Pay adds beyond Android Pay (which is available on every Samsung device) is outside this category, and I'll cover that later.

EMV "Chip" Cards
Retailers and card manufacturers particularly like the chip cards because they use a randomized password similar to the NFC "Touchless" cards, Apple Pay, and Android Pay, but the chip cannot be accessed without removing the card from a jacket pocket or wallet.

Contrary to common belief, the chip on the card has nothing to do with the magnetic stripe on the card, and just like Touchless cards, the magnetic stripe is provided as a backup for when the more secure payment option is not available.  The chip is not accessed when the card is swiped.

Unlike touchless cards, chip cards require that the machine make physical contact with the chip.  If you've been to one of the many Wal-Mart stores now equipped (as of Summer 2015) with these readers, you have probably seen the slot at the bottom of the card reader.  The card is inserted into the reader and left there until the transaction has been processed.

These also have the advantage over Apple Pay, Android Pay, and even Samsung Pay of being able to securely pay at a restaurant without giving up your phone to the waiter or waitress that will scan the card somewhere out of sight.

Most card issuers are sending free replacement EMV cards to their customers already.

Samsung Pay
Android Pay is now available for all Android-based Samsung devices, so if you have a Samsung device you already have Android Pay.  The newest Samsung devices will offer Samsung Pay.

Samsung Pay operates in two modes:

  • It can offer the same touchless payment experience Android Pay offers (which is why they don't bother to make it available for older phones that can already use Android Pay)
  • It can use a special antenna on these newest devices to send out a series of magnetic pulses, mimicking the presence of a magnetic card
Nothing I've found really explains Samsung Pay's security features, but they advertise they're more secure than a physical card.  

If I were Samsung, I would use a single use, extended length card number in that transaction, and transmit it directly from the phone through the card reader.  This would provide the same degree of security found in touchless and EMV card account numbers, and if the card number were captured by an illegal magnetic card reader, it would be invalid because it's single use.

Changes Effective October 1, 2015

Effective October 1, if you (as a vendor) use a magnetic card reader to process a transaction, you will be liable for any fraud related to illegal cards copied from an EMV or NFC capable original card.

Samsung Pay transactions through a magnetic card reader should be exempt based on my understanding of the technology, but it's unclear whether card processors will be able to tell the difference between a secure Samsung Pay transaction and a magnetic card.

Business Opportunity

The business opportunity here is in the sale or lease of secure equipment to retailers that are still using magnetic reader equipment.  The motivation for them to buy is in what merchants won't have to cover in credit card fraud.  In addition, merchants will be able to protect their customers by allowing and promoting secure forms of payment, and won't be held liable if a customer uses an illegally copied magnetic strip card.  

Online transactions shouldn't be affected, but retailers should still always ask for the CVV code as that's harder to copy, and reduces transaction fees.

Because the retailer almost always pays the processing fees (and not the card holder), most card holders are unaware and unmotivated to do anything that would improve the security of their transactions.  

For Consumers

Credit card companies and vendors with old equipment will cover the cost of fraud, but it's a lot of hassle to straighten out your account and replace your card when fraud happens.  So protect yourself and get a secure way to pay.  It's free.