|
flosofl posted:Is one contactless and the other require sliding into a chip reader? If not that, then it may be down to the chip supplier neither are contactless
|
#
?
Oct 31, 2014 05:48
|
|
|
|
| # ? Apr 26, 2024 06:14 |
|
|
mishaq posted:There are actually a bunch of people that are more spergs than me about chipped cards that keep track of places you can use it in the US now haha jesus christ these guys even made a website http://emvacceptedhere.com it's all walmarts
|
|
#
?
Oct 31, 2014 05:52
|
|
|
mishaq posted:Thank you for taking the time to write all that out, seriously. I love this thread. First of all, contactless chips are typically embedded inside the plastic - you can't see them. Second of all, that's usually just the plastics vendor. Take a look on the back of your card - sometimes the plastics vendor's name is on there. Gemalto tends to have big, fancy chips, while whoever American Express uses (it usually doesn't say) tends to look less impressive. None of this makes a difference in the functionality.
|
|
#
?
Oct 31, 2014 08:13
|
|
|
You can actually see the contactless chip and antenna on my card: Both Target and my grocery store have contact chip readers now, but I don't have any cards to try it out with. Should I be expecting all of my cards to be replaced with ones containing the chip soon? Is that why all of my cards have an expiration of 2015, or is that just a coincidence?
|
|
#
?
Oct 31, 2014 15:01
|
|
|
If you're bored sometime you can usually find the chip on contactless cards. It'll be a small square bump that appears when reflecting light off the card. Once when I was more paranoid and the tech was less common, I found the chip this way and used a small drill to remove it.
|
|
#
?
Oct 31, 2014 16:37
|
|
|
Progressive JPEG posted:If you're bored sometime you can usually find the chip on contactless cards. It'll be a small square bump that appears when reflecting light off the card. You can microwave it for a second, that is what crazies are doing to their passports.
|
|
#
?
Oct 31, 2014 17:38
|
|
|
Progressive JPEG posted:If you're bored sometime you can usually find the chip on contactless cards. It'll be a small square bump that appears when reflecting light off the card. I think you can use acetone to extract the chip and antenna and then mount it somewhere, such as a wristband, and then pay for things by Obi Wan Kenobi-ing the POS machine. People used to do this to their Oystercards for use on the London Transport. Acetone destroys the plastic card though.
|
|
#
?
Oct 31, 2014 17:45
|
|
|
Why does Discover not offer NFC/contactless enabled cards? Is this what's keeping them from joining in on the Apple Pay party?
|
|
#
?
Oct 31, 2014 19:39
|
|
|
Lolcano Eruption posted:Why does Discover not offer NFC/contactless enabled cards? Is this what's keeping them from joining in on the Apple Pay party? Discover does have contactless technology ("Zip") on a network level. Whether it is included on particular cards is the issuer's choice. There aren't many non-Discover Financial Services issuers of Discover-branded cards (I know FNBO has at least one), and I'm not sure if their cards supports Zip. A lack of functionality isn't what kept Discover from joining Apple Pay from the get-go. The reason was that Discover wasn't invited to help set what eventually became the EMVCo tokenization standard that is used for Apple Pay. Discover has been pissing off the other American networks lately, both by striking an acceptance deal with UnionPay, and by doing things like leasing its network to PayPal to help PayPal gain POS acceptance. Therefore, it isn't a shock that they weren't invited to the party. Since Discover wasn't privy to what was going on behind the scenes, they now have to play catch-up and build tokenization functionality.
|
|
#
?
Oct 31, 2014 20:06
|
|
|
Guy Axlerod posted:You can actually see the contactless chip and antenna on my card:  The expiration date is a coincidence (with the EMV liability shift), but most of your cards will nevertheless likely be issued with a chip going forward. Banks typically won't reissue your card unless you ask them to, it expires, or you lose it/have your old one compromised.
|
|
#
?
Oct 31, 2014 20:08
|
|
|
I've never been issued a contactless Discover or AMEX even though they both support it. I think new AMEX cards come with EMV chips but if yours doesn't have one you can request they reissue the card with one.
|
|
#
?
Oct 31, 2014 22:40
|
|
|
Is it just me or does it seem like chip transactions take forever? Normally swiping and approval takes like 3 seconds but I was paying for groceries this afternoon and the people behind me were acting like I was an idiot for sticking my card in the machine and waiting an eternity for to approve. Actually didn't act, with quite a bit of disdain in self-checkout flat out said "What are you doing? You swipe your card, ugh." like I had never used a credit card before. with eye rolls when I said "If I swipe it it will just tell me to stick it in the machine". Although frankly the first time the guy had to show me where the slot was because it was completely hidden and not marked and most of the card sticks out when you put it in so it does kind of look like you are an idiot for doing it that way. Three Olives fucked around with this message at 23:51 on Nov 1, 2014 |
|
#
?
Nov 1, 2014 23:49
|
|
|
I'm on the unsexy side of credit card processing: actually figuring out how much this stuff costs and what we can do to control those costs (in a card not present environment, no less). Why is it so hard for our processor to tell us why our transactions are downgraded? They seem to have no ability to tell us anything I don't already know from basic transaction details.
|
|
#
?
Nov 2, 2014 00:12
|
|
|
Three Olives posted:Is it just me or does it seem like chip transactions take forever? Normally swiping and approval takes like 3 seconds but I was paying for groceries this afternoon and the people behind me were acting like I was an idiot for sticking my card in the machine and waiting an eternity for to approve. Actually didn't act, with quite a bit of disdain in self-checkout flat out said "What are you doing? You swipe your card, ugh." like I had never used a credit card before. with eye rolls when I said "If I swipe it it will just tell me to stick it in the machine". They do take forever. This is why contactless transactions became so popular in chip countries. This is also why lots of cardholders don't like chip and PIN. lavaca posted:I'm on the unsexy side of credit card processing: actually figuring out how much this stuff costs and what we can do to control those costs (in a card not present environment, no less). Why is it so hard for our processor to tell us why our transactions are downgraded? They seem to have no ability to tell us anything I don't already know from basic transaction details. I'll be honest - I don't have a straight answer for this. Who is your processor? This should be in your agreement with them, or it should be in the card network rules.
|
|
#
?
Nov 2, 2014 06:12
|
|
|
Would you mind giving a quick rundown of the actors involved in these payment systems (issuers, acquirers, networks, etc) that explains who (or what) they are, why they exist? I think I was able to retrospectively assign identities to them by reading your earlier posts explaining how these systems work, but can never be too sure. Also, which ones are paying which in apple pay vs google wallet?
|
|
#
?
Nov 3, 2014 18:20
|
|
|
Had an odd experience yesterday. Tried using apple pay at Macy's. Tapped the phone and authenticated with Touch ID. Got a message that said hold phone to reader. Waited a minute and then just swiped my card because didn't seem to be working.
|
|
#
?
Nov 3, 2014 19:20
|
|
|
serebralassazin posted:Had an odd experience yesterday. Tried using apple pay at Macy's. Tapped the phone and authenticated with Touch ID. Got a message that said hold phone to reader. Waited a minute and then just swiped my card because didn't seem to be working. The reader might be broken, the reader and your phone should both beep and your phone vibrates when it actually works.
|
|
#
?
Nov 3, 2014 23:29
|
|
|
I deal with fraud for a smaller Visa issuer, and believe me when I say that Chip and PIN can't come fast enough. Fraud, especially counterfeit card fraud, has skyrocketed in the last year, and our more sophisticated cardholders are already wanting plastics that support it. I can answer most questions about the fraud side of things if people are interested.
|
|
#
?
Nov 4, 2014 00:17
|
|
|
Can you explain in detail (step by step please) how these nefarious no-good fraudsters engage in this presumably lucrative business of counterfeit card fraud? And what they do to not get caught?  Seriously though, why the sudden increase? Because of the large-scale retailer hacks that have been happening?
|
|
#
?
Nov 4, 2014 00:58
|
|
|
Does iPay / EVMCo provide P2P encryption or just tokenization? One financial institutions support iPay, can other providers piggy-back off of the infrastructure?
|
|
#
?
Nov 4, 2014 04:16
|
|
|
Choadmaster posted:Can you explain in detail (step by step please) how these nefarious no-good fraudsters engage in this presumably lucrative business of counterfeit card fraud? And what they do to not get caught? That's the main reason, there are a lot of them, and for every one that makes the news there are several that are either never discovered or never disclosed. The way it normally works is someone who has the capability to print credit cards can buy compromised numbers in batches, either through criminal contacts or online. Each batch is tied to a geographical area. They may run a testing charge of a few dollars through a front company before printing the card, and if they do then they refund it right away, so the CH won't notice. Once they have the printed card, they may test it in something like a vending machine. Then, they typically go into a retail store and buy a gift card along with a few small items. If it goes through, they may try again right away, or in a few hours. Once the card is declined, it is thrown away. You won't get rich doing this, the vast majority of this type of fraud results in a loss of a couple hundred or less.
|
|
#
?
Nov 4, 2014 06:57
|
|
|
Konstantin posted:I deal with fraud for a smaller Visa issuer, and believe me when I say that Chip and PIN can't come fast enough. Fraud, especially counterfeit card fraud, has skyrocketed in the last year, and our more sophisticated cardholders are already wanting plastics that support it. I can answer most questions about the fraud side of things if people are interested. Chip solves counterfeit card fraud. PIN incrementally solves lost/stolen fraud. Worth noting is that just because people are asking for PIN doesn't mean that it makes economical sense to implement it. I wrote about why Chip and PIN adoption hasn't happened yet earlier in the thread. Choadmaster posted:Can you explain in detail (step by step please) how these nefarious no-good fraudsters engage in this presumably lucrative business of counterfeit card fraud? And what they do to not get caught? The sudden increase is because other countries have migrated to chip, making the US the last easy target for counterfeit card fraud. To make a counterfeit mag stripe, you need to skim the full mag stripe data. This can be done by mechanisms attached to ATMs or gas pumps, or through software infiltration like the Target leak, in which case the mag stripe data was intercepted before it hit the Target back-end and was stripped of the CVV1 (necessary to make a fake mag stripe card, but not stored in back-end databases - see my post earlier in the thread). It is important to make the distinction that in order to truly make an effective fake mag stripe card, you have to intercept mag stripe data BEFORE it hits the retailers' back-end databases, otherwise you won't have the CVV1. Interestingly, eCommerce card-on-file leaks are not useful to make counterfeit cards because the CVV1 is not used for eCommerce transactions, and you can't just put the CVV2 where the CVV1 should be on a mag stripe. The fraudsters aren't doing anything special not to get caught - it's just not that easy to find and arrest people performing this type of white-collar crime. Aleph Null posted:Does iPay / EVMCo provide P2P encryption or just tokenization? Just tokenization. Frankly, this is enough. Encryption doesn't have an incremental benefit for Apple Pay because the token can't be used without a valid chip cryptogram that is generated by the payment application on the iPhone's secure element and is verified by the issuer (both for the eCommerce and mCommerce implementation). Even if you skim the token number from an iPhone, you can't actually do anything with it.
|
|
#
?
Nov 4, 2014 07:31
|
|
|
Choadmaster posted:Can you explain in detail (step by step please) how these nefarious no-good fraudsters engage in this presumably lucrative business of counterfeit card fraud? And what they do to not get caught? Planet Money did a podcast describing where the fraudsters get their card numbers, the market for numbers and how the cards get used: http://www.npr.org/blogs/money/2011/06/16/137181702/the-tuesday-podcast-inside-the-credit-card-black-market http://krebsonsecurity.com/ is a pretty decent blog that tends to deal a lot with credit card fraud as well. Pissingintowind posted:Chip solves counterfeit card fraud. PIN incrementally solves lost/stolen fraud. Worth noting is that just because people are asking for PIN doesn't mean that it makes economical sense to implement it. I wrote about why Chip and PIN adoption hasn't happened yet earlier in the thread. Solves is a strong word, especially with some of the flawed implementations out there apparently. There's the Cambridge paper that talks about the poor random number generation in use in terminals and the ability to replace the UN with a precomputed one if you can do a man-in-the-middle attack. Then there's things like the Brazilian replay attacks that happened last month and I suspect that's just the tip of the iceberg as US Banks rush their chipped and contactless implementations through. Chip is much more secure than magstripe, won't dispute that.
|
|
#
?
Nov 4, 2014 15:13
|
|
|
fordan posted:Planet Money did a podcast describing where the fraudsters get their card numbers, the market for numbers and how the cards get used: http://www.npr.org/blogs/money/2011/06/16/137181702/the-tuesday-podcast-inside-the-credit-card-black-market Correctly implemented chip solves counterfeit card fraud. If banks don't bother validating cryptograms (my understanding of what happened in Brazil) that's the fault of the bank, not the concept.
|
|
#
?
Nov 4, 2014 15:19
|
|
|
Pissingintowind posted:Correctly implemented chip solves counterfeit card fraud. If banks don't bother validating cryptograms (my understanding of what happened in Brazil) that's the fault of the bank, not the concept. What I've been trying people is that EMV (and EMVCo) only solves problems without creating new ones if it is implemented correctly. The Brazil attacks were also using EMV cards against banks that hadn't issued EMV cards yet. You ask, "what's the point?" The point is: it worked.
|
|
#
?
Nov 4, 2014 17:35
|
|
|
This is an interesting read for me. I work on the other side of the chip card industry: personalization. Specifically the company I work for has software that programs the chip for issuance. It also does all the magstripe, printing and embossing on the plastic but that's not my thing. I write the scripts that personalize the chips. Hearing things from the payment side is really interesting. It's funny that the payment side of things seems to be a fairly fast-moving industry these days while the personalization side has really only made incremental changes in the past 15 years. I guess if anyone has questions about the chip programming side of things I can answer.
|
|
#
?
Nov 5, 2014 00:21
|
|
|
In the iPhone thread there's some  ness going on for them, just wondering if you can explain what's happening:Duckman2008 posted:So the issue I'm running into with Apple pay is it seems to be very generous on the range of NFC. dutchbstrd posted:This happened to me once at the Apple Store. I was showing the genius my appointment text and the Apple Pay stuff came up. goku chewbacca posted:It happened to me at the grocery store. I saw the Visa PayWave terminal light up blue, and when I pulled my phone out of my pocket it was already on and at the ApplePay screen asking for my fingerprint.
|
|
#
?
Nov 5, 2014 02:11
|
|
|
I just received what seemingly is a duplicate of my current amex card in the mail. Same number, expiration, and security code. Amex assures me that when I activate the new card, the old one is deactivated. But if they are visually the same, how can one be deactivated and the other be active? Is there hidden information in the mag stripe or chip? I know that for online transactions, the two cards are indistinguishable.
|
|
#
?
Nov 6, 2014 05:55
|
|
|
Lolcano Eruption posted:I just received what seemingly is a duplicate of my current amex card in the mail. Same number, expiration, and security code. Amex assures me that when I activate the new card, the old one is deactivated. But if they are visually the same, how can one be deactivated and the other be active? Is there hidden information in the mag stripe or chip? I know that for online transactions, the two cards are indistinguishable. Did you order a replacement card because of a damaged/worn magstrip or something? I'll let the guy that actually knows what he's talking about answer, I wonder if the cvv1 is different? If not, then they have to be identical. I also wonder what happens with EMV cards and you order a replacement due to damage/wear, are the cryptographic keys on the chip also cloned or different?
|
|
#
?
Nov 6, 2014 07:52
|
|
|
That's weird. Usually Amex increments the last number of the card number when they replace one. So it goes from 1001 to 1002.
|
|
#
?
Nov 6, 2014 13:49
|
|
|
mishaq posted:Did you order a replacement card because of a damaged/worn magstrip or something? The CVV1 only uses the account number, expiration date and service code to be generated so if the card number and expiration date are the same, the CVV1 is likely to be the same since the service code won't change just for a new card (I don't think, I'm not an expert on the host side of things). I'm not sure what would differentiate this card. For an EMV card the keys will be different as long as the diversification data on the card is different, they are diversified from a master key using data on the card. One bit of data used to diversify the keys is the PAN sequence number and that could easily be changed for a new card. It's usually for stuff like two cards on the same account for spouses or whatever but I can see them incrementing it for a new card. If they're using DDA on the card (which they should be since it's more secure) the DDA key is generated for each card so that one would be different.
|
|
#
?
Nov 6, 2014 16:19
|
|
|
Sorry for the delay, everyone. I was traveling, but now I'm back to answer more questions!Anti-Derivative posted:Would you mind giving a quick rundown of the actors involved in these payment systems (issuers, acquirers, networks, etc) that explains who (or what) they are, why they exist? I think I was able to retrospectively assign identities to them by reading your earlier posts explaining how these systems work, but can never be too sure. I would recommend you take a look through CardFellow: http://www.cardfellow.com/blog/how-credit-card-processing-works/ The issuer is the bank that issues your line of credit that sits behind a credit card, or the bank account that sits behind a debit card. Some examples would be American Express Bank, Bank of America, Wells Fargo, Chase, etc. The acquirer is the merchant's bank where they receive their card payments. The examples would essentially be the same as above. The network is typically both the brand and the processor used for authorization, clearing, and settlement between issuers and acquirers. Examples would be Visa, MasterCard, American Express, etc. There are situations in which the brand and network processor are different (for example, where a single nationalized domestic processor is used for all brands), but in the US, V/MA/AXP/DFS are both brands and processors. You'll note that American Express and Discover are fundamentally different from Visa and MasterCard. American Express and Discover can be (but don't have to be) the issuers and acquirers in addition to brands and processors. This is because they are both actually banks that can issue credit/accounts. Visa and MasterCard can only be brands and processors (pure networks) because they are not financial instructions, but rather, essentially tech companies. Payments is an interesting industry because you can keep adding new players into the above value chain. For example, there are issuer processors that operate between issuers and the network (typically used for issuer-side loyalty functionality), and there are acquirer processors that operate between the acquirer and the network (used for merchant-side loyalty or secure card number storage). Also, in some markets, big issuers "sponsor" smaller issuers and settle transactions between all of their "sponsored" issuers without reaching out to the network unless a transaction leaves the sub-network of their sponsors. Then you get into things like PayPal, which is a payment service provider that looks like a merchant to the networks, but to a cardholder, it is just another way to pay. Square is another example - it is essentially one big Chase-acquired merchant to the networks, but for each individual merchant that it covers, it is a pretty software, hardware, and pricing proposition. I'll describe below how the money flows in an example $100 transaction, then I'll go into how Apple Pay is different (only slightly) and how Google Wallet is different (dramatically, in its current form). These numbers are only representative. Issuers: - Receive amount of transaction from cardholder line of credit or bank account ($100.00) - Receive interchange from acquirer ($1.50 - per-transaction and ad-valorem components) - Pay network a brand fee ($0.05 - ad-valorem) - Pay network a processing fee ($0.02 - per-transaction) - Pay acquirer amount of transaction ($100.00) Networks: - Receive a brand fee from issuer and acquirer ($0.10 - ad-valorem sum) - Receive a processing fee from issuer and acquirer ($0.04 - per-transaction sum) - Set and settle interchange between issuer and acquirer, but do not collect any of it - Settle and guarantee amount of the transaction between issuer and acquirer, but never actually hold the money Acquirers: - Receive amount of transaction from issuer ($100.00) - Receive merchant discount rate from merchant ($2.00 - per transaction and ad-valorem components) - Pay issuer interchange ($1.50 - per transaction and ad-valorem components) - Pay network a brand fee ($0.05 - ad-valorem) - Pay network a processing fee ($0.02 - per-transaction) - Pay amount of transaction to merchant ($100.00) Merchants - Receive amount of transaction from acquirer ($100.00) - Pay acquirer merchant discount rate ($2.00 - per transaction and ad-valorem components) As you can see, the issuers stand to make the most (but they are also taking on credit risk), the networks make the least (but have the largest scale), and the acquirers have to cover the cost of interchange, network pricing, and their own operations when they charge merchants. Interchange is extremely interesting, because, as a network, high interchange encourages issuers to issue your cards, but if it gets too high, merchants won't be willing to pay the cost to acquirers and merchants won't accept your cards. Market forces typically keep interchange in check. In Apple Pay, the rumor is that Apple is getting paid around 15 basis points by the issuers. Issuers do not control interchange, and so have no way to recover this cost form merchants - therefore, Apple Pay does not cost anything extra. In Google Wallet, when you make a purchase, you are actually buying credit on a prepaid card issued by Bancorp Bank (unless you have one of the very few natively supported cards). This means that for your funding source card, Bancorp is the acquirer, but for the actual transaction, Bancorp is the issuer. Every transaction through Google Wallet is actually two transactions - a funding transaction, and a purchase transaction. It also means that Bancorp is eating the cost of high-end credit cards (high interchange products) as funding sources, while profiting on regulated-interchange debit cards as funding sources (the Bancorp prepaid card has unregulated interchange). Google isn't getting paid, except in data - in fact, they are likely paying Bancorp for losses on high-end credit.
|
|
#
?
Nov 9, 2014 14:54
|
|
|
japtor posted:In the iPhone thread there's some This is very strange. NFC is inductively powered on by the terminal when very close - it is essentially off by default. Sounds like a faulty hardware issue. I'd be interested in hearing what the guy that knows about wireless transmission technologies has to say.
|
|
#
?
Nov 9, 2014 14:57
|
|
|
Lolcano Eruption posted:I just received what seemingly is a duplicate of my current amex card in the mail. Same number, expiration, and security code. Amex assures me that when I activate the new card, the old one is deactivated. But if they are visually the same, how can one be deactivated and the other be active? Is there hidden information in the mag stripe or chip? I know that for online transactions, the two cards are indistinguishable. There is "hidden" info in the mag stripe - the CVV1. Whether or not they gave you a new one is up to them. It is very strange that they didn't give you a new CVV2 (the 4-digit code on the front of the card for American Express), especially if your replacement is because you lost your old card. If your replacement is because the old mag stripe stopped working, they likely gave you a new CVV1 and asked your to cut up your old card. Why did you get a card replacement?
|
|
#
?
Nov 9, 2014 15:01
|
|
|
Pissingintowind posted:There is "hidden" info in the mag stripe - the CVV1. Whether or not they gave you a new one is up to them. It is very strange that they didn't give you a new CVV2 (the 4-digit code on the front of the card for American Express), especially if your replacement is because you lost your old card. If your replacement is because the old mag stripe stopped working, they likely gave you a new CVV1 and asked your to cut up your old card. I requested one with Contactless; however the new one they sent also didn't have contactless.
|
|
#
?
Nov 10, 2014 20:29
|
|
|
Pissingintowind posted:This is very strange. NFC is inductively powered on by the terminal when very close - it is essentially off by default. Sounds like a faulty hardware issue. I'd be interested in hearing what the guy that knows about wireless transmission technologies has to say. As I said in the other thread, it pretty much has to be some kind of weird hardware bug because NFC physically should not work beyond a fairly short range (inductive coupling doesn't work long-range, it isn't like RF where you can amplify a signal.) Modern NFC chips don't usually field-power by default, though many support it, but it doesn't really matter - the inductive mechanism is still the one used for communication.
|
|
#
?
Nov 10, 2014 21:29
|
|
|
I was at Home Depot earlier and got excited because I saw the little NFC logo on the terminal. Apple Pay popped up, said it was done, and then the transaction failed. It said my card was declined. I swiped the same physical card and the transaction went through. I tried to buy something small and the same thing happened. Apple Pay looks like it worked, failed, then the physical card went through with no problem at all. I'm going to have to seek out a Walgreens or something to try again, because that was a disappointing first use of Apple Pay. 
|
|
#
?
Nov 13, 2014 05:40
|
|
|
Yeah, I think at this point if they aren't on Apple's whitelist you should assume the transaction will be blocked. A lot of the retailers REALLY don't want this to catch on.
|
|
#
?
Nov 13, 2014 22:36
|
|
|
Agronox posted:Yeah, I think at this point if they aren't on Apple's whitelist you should assume the transaction will be blocked. A lot of the retailers REALLY don't want this to catch on. Home Depot was on the initial "won't work" list. I used my phone at the grocery store thirty minutes ago - it really does work well beyond the whitelist, minus a few well publicized examples and the blacklist that was released originally.
|
|
#
?
Nov 14, 2014 02:52
|
|
|
|
| # ? Apr 26, 2024 06:14 |
|
|
I still don't really get the point of a signature for fraud protection, especially if you swipe your own card and then write the signature on a terrible digitizer. Does it really reduce fraud to make me scrawl something?
|
|
#
?
Nov 17, 2014 17:55
|
|