Messing about with payment networks

asking for trouble

Electronic Funds Transfer Point of Sale (EFTPOS)

This is a bit of a continuation of my post regarding the 'error 53' situation, but more of a generalisation about the global payments network.

Once again, many companies, small cafés, etc., are processing card payments with terminals provided by one of the many merchant services providers out there. These could be terminals that are only magnetic-swipe enabled (rarer nowadays), or EMV, or EMV with RFID (chip & PIN, and 'contactless' to you and me).

A small caveat

This is a little bugbear of mine, but in all honesty it's common sense. More and more shop and bar staff (who store the EFT terminals behind the bar, for example) are taking your card off you and asking, "Mind if I use contactless?".

Firstly, let's take this back a bit. You had a signature on your card; whenever you bought something, the cashier took and swiped your card, then a receipt was printed for you to sign. At that point the cashier would check the signature on the card against the one you had just provided, and authorise or decline the transaction based on their best judgement. That's absolutely fine: they are trying to make sure that you are who you say you are. In the States, all that's required in certain circumstances is your ID with a signature, and they can then validate your payment based on that.

MERCHANTS, pay attention...

By the way, if your card has no signature, the cashier should, by rights, refuse to accept it, even if it is a chip and PIN card. If the cashier then gives you a pen to put your signature on the card, they are endorsing fraud, simple. Take note of this...

The introduction of Chip and PIN effectively removed the need for the cashier or merchant to validate your identity.

The introduction of contactless (RFID) based payments opened up a brand new avenue, not only for payment convenience, but for fraudsters too. All too often you have heard that your card has been skimmed, or read along with all your other cards, when you have been on the Tube (thanks TfL).

Back to my original point, well, the caveat anyway: if you hand your card to a merchant/cashier, which you should be wary of doing, and they then ask "Mind if I use contactless?", there are two answers at this point, both of which tell the merchant the same thing:

  • "NO, you cannot use my contactless functionality."
  • "No, you cannot use my contactless functionality, however I, as the cardholder (cardmember for us AMEX/Discover/Diners club people), would be happy to do so."

If at this stage the merchant/cashier taps your card on their terminal, they have committed fraud; again, simple. Do not let the merchant "do" contactless for you. The merchant is authorising the transaction on behalf of themselves, effectively the same as giving them one of your cheques and telling them to sign it themselves, or giving them a blank pre-signed cheque, or giving someone your card without the signature on the back: you simply don't know what they are going to do with it or what they are going to charge you! I know there is a massive trust thing going on, but do not trust anyone that isn't you with your money.

What if they put through a £30 transaction and you didn't know about it? "Ah, that's never going to happen, they wouldn't do that..." Don't be so f**king naive; what's to stop them...

Keep hold of your card at all times. Things like Apple Pay are, in a sense, an absolute godsend for this kind of thing and, from my perspective anyway, give me a talking point and a bit of a disciplinary point whenever someone offers their hand for my card and I know they are after using it for contactless. Yeah, good luck with my phone; last time I checked, you didn't have my fingerprints.

get back to the real point oh moaning one

OK, OK, Payments Networks, let's talk...

I've installed quite a few of these in my time, small cafés to large social clubs, and also consulted on some rather larger projects too, one of which was rather "fruity" ;)

Just to make a couple of points absolutely crystal once again:

  • No matter how small you are
  • No matter how big you are
  • No matter how much you process
  • No matter how many employees you have
  • No matter how much you think you know about networking
  • No matter how much you hate the idea of it
  • No matter by what method you transmit the cardholder data (VoIP, Ethernet, GSM, GPRS, POTS, PSTN, GPO, WiFi, WiMax, LTE, 4G, Pigeon, Snailmail, Paper Aeroplane, whatever)
  • No matter how bigheaded you are, thinking you are one of those people with so many little business acquaintances on the side (a couple of which you might even be a director of) who don't need to go through as much rigmarole as others do, even though "we are just a..." ahem...

You have to be PCI compliant, and the network over which the cardholder data is transmitted also has to pass certain very stringent checks. Some companies may also have to get a QSA (Qualified Security Assessor) or an ISA (Internal Security Assessor) to audit their networks.

UPDATE - 3rd August 2016

The Mirror wrote an article on Contactless payments, pretty much citing everything I said above...