This week PayPal introduced Here, their mobile payment processing application for Apple iOS and Android devices. The good news is that PayPal Here at least appears to encrypt cardholder data, but that appears to be the extent of the good news.
If you pay attention to the latest Suzie’s Lemonade Verizon Wireless advertisement, you will see Intuit’s GoPayment solution on a tablet computer processing a payment. In another bit of good news, the Intuit GoPayment solution is also encrypted.
But what is most disconcerting is that this is just another in a string of mobile payment processing solutions to be introduced with no way of knowing whether or not the security claims are accurate or can even be trusted. This is because the PCI Security Standards Council halted last year the certification of any of these mobile payment processing solutions through the PIN Transaction Security (PTS) and Payment Application Data Security Standard (PA-DSS). Do not get me wrong, the Council was in a tough spot and did not have a plan as to how to deal with these solutions, so the called a halt while they went back and reassessed things.
However the marketplace is not waiting. So while the marketplace continues to deliver solutions, the merchant is left to their own devices to know whether any of these mobile payment processing solutions can be trusted. And what I am fearful of is that small merchants, who are the marketing target of these solutions, will be put out of business should the device somehow be compromised or they lose a device.
So what are the questions surrounding the PayPal Here?
First, what is the encryption algorithm that is used? I am guessing that they are using DUKPT, as that is common with these sorts of devices, but it is something that should be explicitly identified in their FAQ. What PayPal currently says is, “… the PayPal Here card reader is encrypted and is backed by over a dozen years of experience of providing buyers and sellers the highest levels of security.” If they are using DUKPT, can the key be changed? Most of the mobile solutions I have seen do not allow for the key change under DUKPT which could be a problem.
Then there is the fact that you can manually enter a cardholder’s information through the iOS/Android application. Given the fact that these systems are notorious for having keyboard loggers of industrial strength that means that any manual input will be recorded in the device. I am guessing that would include cardholder name, PAN and expiration date. However, if PayPal Here collects the CVV/CVC/CID value in manual entry that would be an extremely bad thing as the device will retain that until it overwrites it months later. Again, there is no documentation to determine what is allowed to be manually entered, so we cannot assess how much risk this might introduce.
But the scariest feature of the PayPal Here is unrelated to credit cards; it is the remote capture of checks. PayPal Here allows the merchant to scan a check and then submit it to their financial institution. Again, given the data retention of these devices, I can only guess that the check images processed through the PayPal Here application will remain on the device until the space is needed which could be months. The problem with all of this is that if people think credit card security was questionable, check processing security is nonexistent. As a result, anyone with a modicum of knowledge could use the check information on one of these devices to drain every bank account stored.
Let us hope that the PCI Security Standards Council and the card brands quickly get back to certifying these applications so that merchants are not using insecure payment solutions.