Point of Sale cyberattacks – is certification enough?

The biggest news in payments security in the last month concerns allegations that point of sale terminals supplied by PAX Technology have been subverted to have the capability of launching cyberattacks. Details of the allegations can be found at Krebs and Bloomberg; in response, PAX Technology has published a rebuttal.

Chips, contactless, cards and confusion

Well, I’m back in America again and I can’t help but notice that the retail point-of-sale (POS) experience is getting weirder week by week. I’ll show you why in a moment, but first of all, just to remind you about the baseline, I should explain to foreigners that people here do have cards that have chips on. Lots of people do. They seem to hate them, but they have them.

The percent of cards with EMV chips grew by 10% from October 2015 to February 2016

From CardFlight EMV Migrations Tracker – April 2016

So 56% of cards presented to merchants in the US now have a chip on them. That’s good news, but on a personal level I continue to find the payment environment utterly baffling. For example, here is me trying to use Apple Pay. I tapped my phone on the contactless reader and was told to insert my chip card (which, of course, I did not have – it was back at the hotel).

Paying by phone

Later I happened to pop into Whole Foods, where my Apple Pay Amex worked absolutely fine, but I couldn’t help noticing the logos lined up along the bottom of the screen, showing Apple Pay, Android Pay and Samsung Pay as the equivalents (in acceptance terms) of Visa, MasterCard, Discover and Amex. I’m really curious to know what all this means to the average, normal shopper who doesn’t spend their whole life thinking about payments.

Paying by phone

At home, paying is boring. You know exactly what to do. If the terminal is contactless, you tap and go. If it’s not contactless, you insert and enter your PIN. That’s it. In America, it’s a completely different experience.

What to do?

Look at the terminal above, at a Starbucks. The clerk rang up my latte on the register, so I tapped my phone on the terminal (the screen was blank, but I assumed it was contactless). Nothing happened. The clerk told me that I have to use a card. So I took out my Simple chip and PIN debit card and inserted it in the reader (see picture). Nothing happened. The clerk tells me that the chip readers don’t work so I have to swipe it. So I take it out and swipe it, and it processes as a Visa signature debit transaction (which wastes Starbucks money and my time). It would have been quicker to go to the ATM in the lobby and draw out $20 (which would have cost me a $3 fee).

No Chip

When you walk up to a POS here, there’s just no telling what might happen. It might be contactless with the contactless turned off, it might be chip with the chip turned off, it might be stripe only. You can’t tell by looking at the POS, so some of the merchants (like Barnes & Noble above) have started using post-its or duct tape to create artisan POS signage. And when you do tap, insert or swipe there’s no telling what might happen. Sometimes you have to sign, sometimes you enter a PIN, sometimes you are asked for a zip code (I used 90210, and it didn’t work). Sometimes you don’t have to do anything. It’s utterly confusing to me and I’m supposed to know about this stuff.

Another taxi POS

In the taxi, I paid with Apple Pay (after authorising with my fingerprint) and I still had to wait for a piece of paper to sign. I didn’t sign my real name, naturally.

How is this all going to pan out (pun intended)? We went along to the NYPAY event “EMV 8 Months On” to find out. It turned out to be an absolutely super event, by the way. I thought the quality of the discussion and the debate was absolutely excellent. Without caricaturing, I would say that the retailers were pissed about the whole thing, and with some good reason. They are faced with the cost of upgrades (some of which are still useless because of lack of certification) and a massive increase in chargebacks (with “no redress” or whatever the networks call it – i.e., the merchant can’t dispute) because of non-compliance. Consumers and retailers are also annoyed by how long EMV transactions take and they are confused (as I am) by the terminal designs.


Our very own Simon Laker was on the panel as an EMV expert. He pointed out that his US chip and signature card worked faster in a terminal in Bogota than it did in a terminal in New York, so it doesn’t seem to be EMV itself that is responsible for annoying US consumers and merchants, but something in the way it has been implemented. I suppose this is the sort of thing that can happen to issuers, processors and acquirers who chose the wrong consultants to advise them on important investments, but that’s by the by.

The evening involved an odd coincidence that bears reporting. Part of the panel discussion was about restaurants and the essence was that restaurants haven’t bothered to upgrade to chip and PIN because in America people are used to giving their cards to staff. The cards are whisked away and then returned some time later with a receipt to sign. So… later that evening a group of us were having dinner nearby and when it came time to pay I handed my (UK Amex) card to the waitress and she disappeared off. She came back a couple of minutes later and politely asked me to follow her…

PIN! In a restaurant!

She lured me into a gloomy recess and asked me to enter my PIN. The restaurant had just upgraded their POS to chip and PIN, but it was in a fixed position and the payment process had not changed. Everywhere else in the world, the waitress would have brought a terminal with a Bluetooth, wifi or mobile connection to the table for me to enter my PIN and my card would not have left my sight. America has a way to go, it seems to me.

The next day, we went to another restaurant for breakfast and I spotted a new POS terminal by the door on the way. I assumed that this was their new upgraded EMV Bluetooth mobile-ready quantum blockchain super POS, but I couldn’t figure out where to insert the card. I did like the large, clear PIN Entry Device (PED) though and I enjoyed the satisfying clunking noise that it made when you entered each digit of the PIN.

EMV POS Upgrade

So great to see continuing innovation at POS in the Home of the Fee and the Land of the Brave. Meanwhile, I’m off down under to see what it’s like paying in a country where everyone uses contactless, never mind chip and PIN. The Land of the Wave, if you will.
