Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Rating the payment options

Kenneth van Wyk | Feb. 27, 2015
How does the security of 3 mag-stripe credit card alternatives stack up?

EMV is the metric system of payment systems: It's widely deployed around the world, with the notable exception of the U.S. Current plans are to roll out EMV in the U.S. in 2015 or 2016, but we've been waiting a long time.

I've used EMV cards for years, because I do a lot of international travel for work. Early on, I had great hopes that they would solve a lot of security problems, but I have come to see their shortcomings. Yes, EMV cards are more secure than traditional credit cards, but many of them still retain a magnetic stripe, for purposes of backwards compatibility. So an unscrupulous merchant can swipe an EMV card through the reader, and there you are, back at square one. If you have an EMV card, remember that there is no reason for the merchant to swipe it, so just refuse to hand it over.

Another problem is that the chip itself can present POS terminals with your account number. That means that a POS terminal infected by malware could harvest account data. Combine that with a static PIN, and it's quite possible to compromise an EMV card. In fact, it happened to me in Singapore last year.

Verdict: EMV is far better than mag-stripe, but it sure isn't a silver bullet.

Google Wallet and Apple Pay. These contactless payment systems use near-field communication (NFC) technology for communication between a smartphone and a POS terminal. And both systems use a technique called tokenization, whereby the actual account number is not presented to the merchant. One-time tokens are used so that eavesdroppers, including malware on a smartphone or POS terminal, will not be able to reuse any information they may be able to collect.

But Google Wallet and Apple Pay treat account data very differently. Google Wallet stores account data at the back end, in Google's cloud service, while Apple Pay doesn't present account data to either the merchant or Apple itself. The account itself is held only by the card issuers.

Verdict: Both Google Wallet and Apple Pay are substantially more secure than mag-stripe systems, and arguably more secure than EMV. Why isn't everyone on the planet using them?

Well, for starters, they both require current or recent model smartphones to function. That makes the cost of entry pretty high.

And not all merchants are supporting Google Wallet or Apple Pay yet. That situation is improving pretty rapidly. A vast array of banks have lined up to support one or both systems, and new merchants promising support seem to be popping up weekly (including, notably, the U.S. government). Square, whose Wallet app I already mentioned, has announced that it will be coming out with Apple Pay support later this year. That could be a huge boost for Apple Pay, since small-to-medium-sized merchants will be able to support the system without having to buy expensive new POS terminals.

 

Previous Page  1  2  3  Next Page 

Sign up for Computerworld eNewsletters.