@Shock wrote:Good info nyancat, I stand corrected.
Thanks, it's not my point to try and be a bit jerkish about it, it's just a myth that's actually really hurting our security. The most important thing is to move away from the magnetic stripe, which is easily copied and has no dynamic data at all. People don't like insert EMV for low-value transactions due to speed and clunkiness. Contactless is even more fast and convenient than magstripe however. Thus, acceptance of contactless will make a huge difference to security.
Also, at the many merchants that do not have EMV enabled but do have contactless enabled today, contactless magnetic stripe data (which refers to the message format, it is NOT the exact same data) is the most secure way we can pay at those merchants.
In an all-EMV environment, online authorised contactless actually protects our privacy better than contact EMV, because the major contactless cards do not pass our names on to the merchant. American Express, for example, replaces it with "Valued Cardholder" in the contactless info. This is to protect against privacy invasion by tap-skimming, but it also protects our privacy from merchants.
Replay attacks of contactless MSD are possible, yes. But they're so small of a risk and purely on the level of theory - they're just not high value propositions to scammers. The idea that people won't move from something that is horrifically insecure (magstripe) to something that's got some low-value theoretical attacks (contactless MSD) because they're worried about security is just bizarre to me.
From a true SECURITY perspective, contact EMV is probably a bit better than contactless, since replay contactless MSD data could theoretically be obtained from a compromised contactless terminal, but contactless MSD will be phased out soon enough and again, such data is very low value and there's no evidence of it being used. From a PRIVACY perspective, contactless is a lot better than contact or swipe, because the merchant doesn't get your name. Both are worlds ahead in security from magnetic stripes.
@nyancat wrote:
@Shock wrote:Good info nyancat, I stand corrected.
Thanks, it's not my point to try and be a bit jerkish about it, it's just a myth that's actually really hurting our security. The most important thing is to move away from the magnetic stripe, which is easily copied and has no dynamic data at all. People don't like insert EMV for low-value transactions due to speed and clunkiness. Contactless is even more fast and convenient than magstripe however. Thus, acceptance of contactless will make a huge difference to security.
Also, at the many merchants that do not have EMV enabled but do have contactless enabled today, contactless magnetic stripe data (which refers to the message format, it is NOT the exact same data) is the most secure way we can pay at those merchants.
In an all-EMV environment, online authorised contactless actually protects our privacy better than contact EMV, because the major contactless cards do not pass our names on to the merchant. American Express, for example, replaces it with "Valued Cardholder" in the contactless info. This is to protect against privacy invasion by tap-skimming, but it also protects our privacy from merchants.
Replay attacks of contactless MSD are possible, yes. But they're so small of a risk and purely on the level of theory - they're just not high value propositions to scammers. The idea that people won't move from something that is horrifically insecure (magstripe) to something that's got some low-value theoretical attacks (contactless MSD) because they're worried about security is just bizarre to me.
From a true SECURITY perspective, contact EMV is probably a bit better than contactless, since replay contactless MSD data could theoretically be obtained from a compromised contactless terminal, but contactless MSD will be phased out soon enough and again, such data is very low value and there's no evidence of it being used. From a PRIVACY perspective, contactless is a lot better than contact or swipe, because the merchant doesn't get your name. Both are worlds ahead in security from magnetic stripes.
So now I want to go and try my contactless chip&pin debit card, but it's UK issued so not sure it will work here (and the FTF would be annoying)
@Shock wrote:Contactless cards are not carried by many banks right?
Nope. Unfortunately I have the feeling that most banks are just going to outsource it to Apple Pay and Google Wallet.
@Anonymous wrote:
@nyancat wrote:
@Shock wrote:Good info nyancat, I stand corrected.
Thanks, it's not my point to try and be a bit jerkish about it, it's just a myth that's actually really hurting our security. The most important thing is to move away from the magnetic stripe, which is easily copied and has no dynamic data at all. People don't like insert EMV for low-value transactions due to speed and clunkiness. Contactless is even more fast and convenient than magstripe however. Thus, acceptance of contactless will make a huge difference to security.
Also, at the many merchants that do not have EMV enabled but do have contactless enabled today, contactless magnetic stripe data (which refers to the message format, it is NOT the exact same data) is the most secure way we can pay at those merchants.
In an all-EMV environment, online authorised contactless actually protects our privacy better than contact EMV, because the major contactless cards do not pass our names on to the merchant. American Express, for example, replaces it with "Valued Cardholder" in the contactless info. This is to protect against privacy invasion by tap-skimming, but it also protects our privacy from merchants.
Replay attacks of contactless MSD are possible, yes. But they're so small of a risk and purely on the level of theory - they're just not high value propositions to scammers. The idea that people won't move from something that is horrifically insecure (magstripe) to something that's got some low-value theoretical attacks (contactless MSD) because they're worried about security is just bizarre to me.
From a true SECURITY perspective, contact EMV is probably a bit better than contactless, since replay contactless MSD data could theoretically be obtained from a compromised contactless terminal, but contactless MSD will be phased out soon enough and again, such data is very low value and there's no evidence of it being used. From a PRIVACY perspective, contactless is a lot better than contact or swipe, because the merchant doesn't get your name. Both are worlds ahead in security from magnetic stripes.
So now I want to go and try my contactless chip&pin debit card, but it's UK issued so not sure it will work here (and the FTF would be annoying)
It will work here if your bank allows international use, though some terminals may not like it.
As for Shock's question - they're very common outside the US. As EMV takes off in the US, they may or may not be introduced more widely depending on how many customers complain about inserting their card.
@Anonymous wrote:
@Anonymous wrote:
@Shock wrote:Contact is not safe. Anybody can walk up and put an RFID reader by your wallet and get your information.
That's why you get a wallet with RFID protection like this or one of the other brands that have RFID protection.
or completely de-magnetize your card, and force cashiers to manually type in credit card numbers every time
Now... now... now... that's an idea to de-magnetize the strip. That could generate some interesting posts on how vendors deal with it!
@Shock wrote:There was a particular instance at the McDonald's drive-thru where my Double Cash would not swipe, although it is a couple months old and barely used..I told her there was a chip but she didn't listen. She just kept swiping the hell out of my new card and eventually got it to work..not sure if this is due to her being an idiot, but I guess a potential drawback could be the card having both features, and the person using it not knowing what the hell to do when it doesn't work.
Considering it is McDonald's with young people probably working their first job with virtually no training on the use of the credit/debit other payment processing, it doesn't surprise me. They have enough to do getting the order filled correctly. Technology hmm...?
Not sure how it is where you live, but there are people of all ages who work at McDonald's here. I get that it's a "First Job" type of job, but some people have worked there for years at the ones I go to. But I guess they are still untrained to EMV cards. But my point is, I don't think age has anything to do with it.
@ArmyVietVet wrote:Considering it is McDonald's with young people probably working their first job with virtually no training on the use of the credit/debit other payment processing, it doesn't surprise me. They have enough to do getting the order filled correctly. Technology hmm...?
@Shock wrote:Not sure how it is where you live, but there are people of all ages who work at McDonald's here. I get that it's a "First Job" type of job, but some people have worked there for years at the ones I go to. But I guess they are still untrained to EMV cards. But my point is, I don't think age has anything to do with it.
@ArmyVietVet wrote:Considering it is McDonald's with young people probably working their first job with virtually no training on the use of the credit/debit other payment processing, it doesn't surprise me. They have enough to do getting the order filled correctly. Technology hmm...?
I'd suspect that the poster of that concern had an issue other than EMV. I've never seen a US-based, EMV-enabled McDonald's nor have I heard of one. He may have been at a test store or something, but I'd expect the staff at such a store to be well-aware by now how to run an EMV card given they're a couple percent of the market and growing rapidly. The normal McDonald's US terminals generally do not have EMV support (they have a few with EMV slots, but they seem to be located more by coincidence, I've never seen more than one or two in a store).
McDonald's will be an interesting migration case, given the lack of contactless cards in the US market. McDonald's is all about speed, and may be very hesitant to switch until they absolutely have to (which isn't October 2015, that's a liability shift not a network mandate). The occasional counterfeit card may prove less costly to McDonald's than the slowdown of contact EMV. It will be quite interesting to see what they choose to do.