Slashdot Mirror

← Back to Stories (view on slashdot.org)

PayPal Unveils Mobile Payment System

Posted by Soulskill on from the for-sniping-that-cup-of-coffee-at-the-last-second dept.

angry tapir writes "PayPal is targeting small businesses, service providers, and casual sellers on the move with its new PayPal Here service, which allows vendors to process a variety of payments including checks and cards using their mobile phones. The new service includes a free app and encrypted thumb-sized card reader, which allows merchants with an iPhone, and later Android smartphones, to process payments."

23 of 99 comments (clear)

  1. WTH? by ledow · · Score: 3, Insightful

    First question:

    Would you stick your card into that device and/or type you PIN into a random Android mobile?

    I think that should tell you everything you need to know about how much that will get used.

    1. Re:WTH? by plaukas+pyragely · · Score: 2

      I don't know how they did this but it *can* be safe. If encryption of card data happens on the device itself (not android application) then it should be fine.

    2. Re:WTH? by Lumpy · · Score: 4, Insightful

      Yes, a lot of people do this all the time. I have been using SQUARE on my iphone for a year now to do this for my small business.

      --
      Do not look at laser with remaining good eye.
    3. Re:WTH? by Overzeetop · · Score: 5, Insightful

      So you won't let the waitress swipe your card, but you'll let her take it into another room for several minutes?

      --
      Is it just my observation, or are there way too many stupid people in the world?
    4. Re:WTH? by krinderlin · · Score: 3, Informative

      Universe, I'm wishing desperately for mod points for the parent. People are so blind to just how horribly insecure the system is already. A rooted phone is the least of your worries. They just busted a skimming ring here in Atlanta restaurants a few months ago. This is no less insecure than what's already in place but far more convenient.

      As for the GP: Also, realize that most of this is US based and we don't use "chip & pin". Period. Also, most people run debit cards as credit cards. Companies actively encourage you to sign for purchases and not key in your pin with various rewards. Some banks even charge the customer a fee per pin-based transaction. These are magnetic stripe machines that always run the card via the Credit Card processing company (MasterCard and Visa), not via the bank. The rules are different for those, and you most certainly won't be using your craptastic PIN.

      I won't go into the level of security a 4 digit PIN does not provide given enough money you can get via fraud for a particular card.

    5. Re:WTH? by krinderlin · · Score: 2

      My partner's card got skimmed by a rig on a Bank of America ATM. I've been to ATM's before and noticed skimmers. I've seen handheld skimmers and attachments for portable terminals when I interned with fraud investigations at a major card processor. It happens more than you think, since the information is easily used to commit fraud with card not present transactions.

      In my entire life, I've been in exactly one restaurant with portable readers. They are extremely rare in the United States. This is mostly because every time the regulators try to up the security enforcement, the processors complain about the cost and turn around and tell merchants that everyone must buy new terminals. The merchants pitch such a hissy fit, nothing ever gets done.

      Unfortunately, the "terminal replacement" problem is so wide spread, it's impossible to vote with your wallet. Fortunately, big players like Visa and Master Card have gotten fed up with the merchants and have simply said, "Buy a new EMV contact and contactless (NFC, mobile wallets, etc.) terminal between 2013 and 2015. As of 2015, if a fraudulent transaction occurs that could've been prevented by EMV, then you are liable for it.

      The net effect will be similar to the UK where suddenly everyone has chipped cards and/or NFC wallets and merchants won't accept anything else. It's very sad that it's taken this long and the advent of NFC to get anything done.

      Also, for reference: Here's a local news report of the bust here in Atlanta.

    6. Re:WTH? by Anonymous Coward · · Score: 4, Insightful

      Mod this parent up. Posting as AC on purpose. I'll add that in a dispute over a debit charge, the problem as the cardholder is that you are fighting with your bank (debit card issuer) to get your money back.

      When disputing a credit charge, you are helping the bank (credit card issuer) that "loaned" you the money get *their* money back. With debit, the bank is not overly encouraged to spend a lot of resources on helping you get your money back as it isn't their money that was defrauded since there is no profit in it and the risk is that you (one customer) will leave for another bank, and there are barriers (hassle) to you if you do this.

      With a credit card, the risk is they will lose you as a customer (you will use some other form of payment) and lose their profit (interest and transaction interchange and data mining value - spend patterns, market analysis, marketing other products and services, etc.).

      The bottom line is that the security focus of the industry isn't to protect the cardholder from fraud, but the banks in protecting their revenue streams.

    7. Re:WTH? by JimWise · · Score: 3, Interesting

      Not XKCD, but still relevant:
      Dilbert gives credit card to waitress.

  2. How do they expect.... by Lumpy · · Score: 4, Insightful

    To compete with Square? They are already established and don't have a reputation for taking everything that someone has in their account on a whim.

    The internet is full of "paypal stole all my money" stories.

    --
    Do not look at laser with remaining good eye.
    1. Re:How do they expect.... by EvilIdler · · Score: 3, Informative

      It wouldn't be very usable in my country for long, because magnetic strip readers are being taken off the market (due to a large number of East-European criminals skimming cards). Smart cards have started to become a requirement, with legacy devices losing the functionality to read the strip. PayPal's solution is a bit too late to be that usable in Europe.

    2. Re:How do they expect.... by tlhIngan · · Score: 2

      To compete with Square? They are already established and don't have a reputation for taking everything that someone has in their account on a whim.

      The internet is full of "paypal stole all my money" stories.

      Depends. First, they're doing the easy way of taking 1.7% instead of 1.75%, and second, well, Paypal is the only company out there if you want to accept random credit card payments.

      Square basically is a merchant account with all the merchant account stuff. If you're just a small time seller off Craigslist and eBay, you probably cannot use Square without incorporating yourself as a business. With Paypal, you can.

      And that's always the funny thing - it's the one thing Paypal has over everyone else (Amazon Checkout, Google Wallet/Checkout/whatever they're calling it, Square, etc). I've never understood why it's only Paypal that can offer the "allow random Joe to accept a credit card payment" option. If you're not a company/non-profit org or something, accepting credit cards is extraordinarily difficult - your option really is Paypal.

      Visa's supposed ot have something similar, but that only works for Visa.

      As for all the paypal stole my money stuff - it's true. Except that merchants deal with this far more often, and often the agreement will state you cannot discuss this in public. At least if you wish to keep your account.

      Accepting credit cards in general sucks and I'm sure businesses would love to get rid of it, except they're convenient, and if you're big enough, cheaper than cash (handling cash costs money - extra staff training, safes, money dropoffs/armored car costs, etc).

      Though, I have also seen businesses push you towards Paypal because they charge less than their merchant account does. And I've also chosen Paypal over native credit card handling - one business really ticked me off by asking for a scanned image of my credit card "for my protection" (note - when a business asks you to do it - it's not for preventing fraud off your card, it's for protecting them. After all, if you used someone else's card, you're not protected (that someone else is)). I probably should've reported them because if their email gets hacked, boom your credit carde is all over the 'net with CVV and signature, too.

  3. Re:Why hasn't PayPal been innovated out of existen by CaptSlaq · · Score: 5, Informative

    Since you probably don't work in this space, I'll drop you a hint: https://squareup.com/

  4. Re:Just don't lose your phone. by American+Patent+Guy · · Score: 2

    I wonder what sort of damage losing your THUMBS could do to your business... I'm rather fond of mine!

  5. This is cool, but... by Overzeetop · · Score: 2

    Paypal is the refuge of last resort for processing things because they capture your money. Google and Square both sweep money into your account directly. And 1% back on debit card purchases from your Paypal account? Why not just use a real CC and get 1%-5% cash back, plus have your money in a real bank, and not have your account balance exposed to fraud.

    --
    Is it just my observation, or are there way too many stupid people in the world?
  6. Dunder Miflin'ish by bubblegoose · · Score: 2

    Does this remind anyone of the episode of "The Office" where Dunder Miflin introduces a triangle shaped phone?

    --
    I hope that someday we will be able to put away our fears and prejudices and just laugh at people. - Jack Handey
  7. Re:Why hasn't PayPal been innovated out of existen by hobarrera · · Score: 2

    Because it's the only thing that works in most countries. Hell, it's one of the few that even exists outside the US.

  8. Re:Why hasn't PayPal been innovated out of existen by Goaway · · Score: 4, Insightful

    Because they don't abuse customers in general. They abuse sellers. The regular users who are paying are left alone, and thus the service is popular. Sellers don't really have a choice, and just have to put up with whatever bullshit PayPal comes up.

  9. It's actually quite safe.....as long as you don't by neokushan · · Score: 4, Informative

    Full Disclosure: I work in the credit/debit card industry. Specifically, I work in the part of that industry that involves testing the shizzle out of them.

    Your old magstripe only card isn't safe, the magstrip can be easily copied in a variety of ways. Readers are cheap and skimmers that are so small, they can fit inside ATM card slots, are easy to buy online (and don't cost much). Lesson? Don't use the magstrip for anything, ever.

    So what are you meant to do? Well, like a lot of the rest of the world, the US is switching over to EMV. In the UK, it's known as chip and PIN, but the basics are as follows:
    Instead of a magstrip, your card has a "chip" inside it. That chip is where the communications happen. Readers contact the chip and exchange a bunch of cryptographic data, but the key thing is that the chip isn't simply "read", but it performs calculations itself, using its own private keyset that cannot be read by the chip reader. I can't stress that point enough. There's no way to read the contents of the chips, all you can do is communicate with it.
    Each transaction is "Unique" and the card itself will sometimes request to speak directly to a Host (i.e. somewhere at your Bank's HQ), in what's called an "online" transaction. If the card chip isn't sure of a terminal, it will demand to go online before processing a transaction. Hell, sometimes it'll demand to go online just because it hasn't recently. The two then communicate in such a way that the terminal (the middle man) can't intercept in any meaningful fashion. Each message is cryptographically generated so that the host knows the card sent it and not some MITM.

    The bottom line? Come 2013, when the US is mandated to support EMV, card skimming will be a thing of the past. Stick your card wherever you like, nobody can do anything with your bank account*.

    *there is, of course, a small caveat to this. As I said, each transaction is unique, so theoretically someone could skim a single offline transaction from you, but if they try to replay that transaction, there's every chance the transaction will then go online (the terminal AND the chip can demand to go online at any point), in which case the host will void it immediately. There's also plenty of upper and lower transaction limits, so for example if a transaction amount is above say $50 or $100, it HAS to go online or will fail outright.

    --
    +1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
  10. Re:It's actually quite safe.....as long as you don by neokushan · · Score: 2

    Just to clarify your point, 2015 is for New Zealand and Australia, for the US/Asia it's 2013:

    (Not sure where you're based)

    http://www.atmmarketplace.com/blog/6355/EMV-deadline-for-U-S-ATMs-the-race-is-on

    However, considering the short time frame of this, I can't see how it's going to go smoothly. As you say, the merchants are all going to be very upset at this but tough to them - Europe has had EMV for years now, it's about time everyone upgrades.

    --
    +1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
  11. The trouble with Paypal... by bornagainpenguin · · Score: 2

    ...is that they are effectively a form of electronic currency for the internet. In itself that wouldn't represent a problem, but when Paypal's currency ceases to be neutral, such as it was in the whole Smashwords debacle it loses its value to most people because unlike the physical form it is not legal tender in all circumstances. Money needs to be neutral for it to work properly. Paypal has shown time and time again their willingness to muck about with what is considered legal tender with their currency so it is not a good option for people.

    Worse yet, considering it is highly apparent that Paypal was lying about the Credit Card companies pressuring it (given how they were so easily able to flipflop on the issue) this means their currency is not an honest one and cannot be relied on to retain value. While personally I have used Paypal in the past I and never had any trouble, I have also been careful to limit my interactions with them and actively sought alternatives where ever possible. As time goes on and the kinds of incidents like the Smashwords one continue to add up it only increases my resistance to using Paypal where ever I can avoid it.

    I imagine others feel the same...

    --
    Have a Virgin Mobile USA smartphone? Give VMRoms.com a try!
  12. Re:Why hasn't PayPal been innovated out of existen by Ihmhi · · Score: 2

    Great! Now all we need is for the vast majority of the Internet to support it like Paypal does.

    The only thing Paypal has going for it right now is the convenience. If you shop anywhere, you can probably use Paypal. Squareup - if it's really as good as you say - needs to get its foot in the door in a couple of big places and word will spread from there.

    --
    Random Thoughts From A Diseased Mind (Not For Dummies)
  13. Re:It's actually quite safe.....as long as you don by houghi · · Score: 2

    It makes me sad that this needs to be explained on a site like /.

    --
    Don't fight for your country, if your country does not fight for you.
  14. Re:Why hasn't PayPal been innovated out of existen by MickLinux · · Score: 4, Informative

    Nonsense. Don't you remember the fiasco about them claiming to insure against fraud? Then it turned out that they were "self insuring", and never paid once.

    I was one of those who lost something like $350 on it [the normal used price for that particular Quark Xpress]. I proved fraud 5 different ways: two of them were that the seller claimed to be selling a licensed copy of Quark Xpress, and actually delivered a Windows 95 user manual; and the seller claimed to be from the Antilles [not a Russian mafia hotbed] and shipped from Tbilisi Georgia, which would have caused me not to buy, right there.

    Anyhow, Paypal said that since he shipped *something*, they considered that a 'quality dispute', which they didn't cover.

    I never got my money back, and Paypal has never paid on the claim, and as far as I am concerned, *Paypal's fraud* worked hand in hand with the sellers' fraud.

    No, it is NOT TRUE that Paypal doesn't abuse customers in general. There is a class actual lawsuit that demonstrated that. I just never signed on to it, because plaintiffs in class action lawsuits typically never collect. But if Paypal ever wants me to consider doing business with them in any way, shape, or form, they'll first pay me back the money I lost, plus interest.

    And yes, I am aware that Paypal is in the middle of a media blitz right now, which means that they probably are paying for "online reputation protection" as advertised on National Public Radio, and therefore I am probably going to be modded with a combination of "Troll" and "overrated" to make my post vanish. I've noticed that that has been the pattern these days.

    So be it. I'm still going to post the truth.

    Saying "they don't abuse customers" is false. I'll assume you said it in ignorance.

    --
    Correct Horse Battery Staple: 72 bits of entropy. Enter "Correct H" into google. When it generates the phrase, that's