Contactless Payments - part 2

Posted by davidcole, 21-Sep-2011 15:12

Yesterday I blogged about feeling uneasy with the no-authentication-for-under-$80 transactions on MasterCard's PayPass implementation for ASB Bank. See here: http://www.geekzone.co.nz/davidcole/7804

A number of the comments I received said "any fraud will be reimbursed", "it's the bank or merchants taking the risk, not you", "they have insurance to cover that". Yes, they probably do. I've been rung by ASB as a current customer to notify me of transactions found on a credit card I do use for internet transactions, and the process was remarkably simple and painless. So I know it works.

But the issue is, why should something be implemented that requires insurance and fraud protection? Why not design it to lessen this risk?

I'm going to pull out of context some of the PCI DSS (link) requirements that service providers, merchants and banks have to adhere to:

8.2 Employ at least one of these to authenticate all users: something you know, such as a password or passphrase; something you have, such as a token device or smart card; or something you are, such as a biometric.

8.5 Ensure proper user identification and authentication management for non-consumer users and administrators on all system components.

Ok, so these requirements really relate to the handling of cardholder data, but why not apply this to your card? The main piece of cardholder data is your card number, your PAN (Primary Account Number). To use the PayPass system you only have to supply one piece of cardholder data: the physical card with the PAN embossed on it. Why shouldn't requirement 8.2 also be applied, with a second authentication factor being used?

PINs work, but can be slow when people miskey. The really slow factor for these on EFTPOS terminals, though, is the time it takes to authenticate to the authorisation centre. Why not move the PIN verification onto the chip? Much faster (though it does potentially raise the issue of cards being brute-forced for PINs).
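As an added illustration (not from the original post), here is a constructed model of on-card offline PIN verification with a PIN Try Counter, which is the standard mitigation for the brute-force concern raised above. The three-try limit, the salted PBKDF2 hash and the class name are assumptions for the example, not details of any real card.

```python
import hashlib
import hmac
import os


class CardPinVerifier:
    """Constructed model of offline PIN verification done on the card itself.

    Assumptions (not taken from any real card): the card holds only a salted
    hash of the PIN, and a PIN Try Counter blocks the card after 3 failures.
    """

    def __init__(self, pin: str, max_tries: int = 3):
        self.salt = os.urandom(16)
        self.max_tries = max_tries
        self.tries_left = max_tries          # the PIN Try Counter
        self.blocked = False
        self.pin_hash = self._hash(pin)

    def _hash(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 10_000)

    def verify(self, candidate: str) -> str:
        """Return 'ok', 'wrong' or 'blocked'."""
        if self.blocked:
            return "blocked"
        # Decrement before comparing, so an attempt interrupted after the
        # comparison (e.g. power pulled from the terminal) still counts.
        self.tries_left -= 1
        if hmac.compare_digest(self._hash(candidate), self.pin_hash):
            self.tries_left = self.max_tries  # correct PIN resets the counter
            return "ok"
        if self.tries_left == 0:
            self.blocked = True
            return "blocked"
        return "wrong"


def guesses_before_block(card: CardPinVerifier, digits: int = 4) -> tuple:
    """Show what the try counter buys: count sequential guesses the card
    accepts before it blocks (or before a guess happens to be right)."""
    attempts = 0
    for guess in range(10 ** digits):
        attempts += 1
        result = card.verify(f"{guess:0{digits}d}")
        if result != "wrong":
            return attempts, result
    return attempts, "exhausted"


if __name__ == "__main__":
    card = CardPinVerifier("4729")
    print(guesses_before_block(card))  # (3, 'blocked'): 3 of 10,000 PINs tried
```

The counter turns a 10,000-PIN search into three guesses, which is why an on-card PIN check is not the open brute-force target it might first appear to be, provided the counter is written before the comparison result is acted on.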

Use biometrics: a thumbprint reader as part of the card, so only a person with an authorised thumbprint can use it. Probably a little expensive, but hey, it's my blog and I'm just spitballing here.

My point is, why implement something that needs some kind of fraud insurance to cover the banks and ultimately the consumer? As the consumer, you're paying for this in your bank fees and card fees.

