Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Businesses Cellphones Handhelds The Almighty Buck

PayPal Unveils Mobile Payment System 99

angry tapir writes "PayPal is targeting small businesses, service providers, and casual sellers on the move with its new PayPal Here service, which allows vendors to process a variety of payments including checks and cards using their mobile phones. The new service includes a free app and encrypted thumb-sized card reader, which allows merchants with an iPhone, and later Android smartphones, to process payments."
This discussion has been archived. No new comments can be posted.

PayPal Unveils Mobile Payment System

Comments Filter:
  • Given PayPal's well-documented history of abusing customers, arbitrarily freezing/keeping hundreds of thousands of dollars in customer money and being difficult to deal with, why hasn't anyone come up with a better way of doing things? Alternatively, why hasn't the US legal system, which seems to enjoy regulating everything to death, come down hard on PayPal and forced them to be more accountable? If they're going to act like a bank, they need to be held accountable like a bank.

    • by CaptSlaq ( 1491233 ) on Friday March 16, 2012 @08:09AM (#39376101)
      Since you probably don't work in this space, I'll drop you a hint: https://squareup.com/ [squareup.com]
      • Square is both a: a million times better and b: not paypal.

        Those two reasons alone should be sufficient for anyone who has ethics and doesn't want to support paypal's censorship.

      • by Ihmhi ( 1206036 )

        Great! Now all we need is for the vast majority of the Internet to support it like Paypal does.

        The only thing Paypal has going for it right now is the convenience. If you shop anywhere, you can probably use Paypal. Squareup - if it's really as good as you say - needs to get its foot in the door in a couple of big places and word will spread from there.

    • Because it's the only thing that works in most countries. Hell, it's one of the few that even exists outside the US.

    • by Goaway ( 82658 ) on Friday March 16, 2012 @09:09AM (#39376825) Homepage

      Because they don't abuse customers in general. They abuse sellers. The regular users who are paying are left alone, and thus the service is popular. Sellers don't really have a choice, and just have to put up with whatever bullshit PayPal comes up.

      • by MickLinux ( 579158 ) on Friday March 16, 2012 @03:56PM (#39382807) Journal

        Nonsense. Don't you remember the fiasco about them claiming to insure against fraud? Then it turned out that they were "self insuring", and never paid once.

        I was one of those who lost something like $350 on it [the normal used price for that particular Quark Xpress]. I proved fraud 5 different ways: two of them were that the seller claimed to be selling a licensed copy of Quark Xpress, and actually delivered a Windows 95 user manual; and the seller claimed to be from the Antilles [not a Russian mafia hotbed] and shipped from Tbilisi Georgia, which would have caused me not to buy, right there.

        Anyhow, Paypal said that since he shipped *something*, they considered that a 'quality dispute', which they didn't cover.

        I never got my money back, and Paypal has never paid on the claim, and as far as I am concerned, *Paypal's fraud* worked hand in hand with the sellers' fraud.

        No, it is NOT TRUE that Paypal doesn't abuse customers in general. There is a class actual lawsuit that demonstrated that. I just never signed on to it, because plaintiffs in class action lawsuits typically never collect. But if Paypal ever wants me to consider doing business with them in any way, shape, or form, they'll first pay me back the money I lost, plus interest.

        And yes, I am aware that Paypal is in the middle of a media blitz right now, which means that they probably are paying for "online reputation protection" as advertised on National Public Radio, and therefore I am probably going to be modded with a combination of "Troll" and "overrated" to make my post vanish. I've noticed that that has been the pattern these days.

        So be it. I'm still going to post the truth.

        Saying "they don't abuse customers" is false. I'll assume you said it in ignorance.

    • Because the vast majority don't give the slightest care to ethical issues like those surrounding Paypal AND once they learn to do things one way with one company's product they have zero interest in learning to use another's product, even if the interface is better or basically the same. Strangely this does not apply to learning a new version of the original product. They will go right along with those changes.

      Meanwhile the rest of us pretty much are locked in because there is no use changing money with
  • Wonder what sort of damage losing your phone could do to your business with this?

  • WTH? (Score:3, Insightful)

    by ledow ( 319597 ) on Friday March 16, 2012 @07:57AM (#39375975) Homepage

    First question:

    Would you stick your card into that device and/or type you PIN into a random Android mobile?

    I think that should tell you everything you need to know about how much that will get used.

    • I don't know how they did this but it *can* be safe. If encryption of card data happens on the device itself (not android application) then it should be fine.
    • Re:WTH? (Score:5, Insightful)

      by Lumpy ( 12016 ) on Friday March 16, 2012 @08:07AM (#39376069) Homepage

      Yes, a lot of people do this all the time. I have been using SQUARE on my iphone for a year now to do this for my small business.

    • by neokushan ( 932374 ) on Friday March 16, 2012 @09:22AM (#39376993)

      Full Disclosure: I work in the credit/debit card industry. Specifically, I work in the part of that industry that involves testing the shizzle out of them.

      Your old magstripe only card isn't safe, the magstrip can be easily copied in a variety of ways. Readers are cheap and skimmers that are so small, they can fit inside ATM card slots, are easy to buy online (and don't cost much). Lesson? Don't use the magstrip for anything, ever.

      So what are you meant to do? Well, like a lot of the rest of the world, the US is switching over to EMV. In the UK, it's known as chip and PIN, but the basics are as follows:
      Instead of a magstrip, your card has a "chip" inside it. That chip is where the communications happen. Readers contact the chip and exchange a bunch of cryptographic data, but the key thing is that the chip isn't simply "read", but it performs calculations itself, using its own private keyset that cannot be read by the chip reader. I can't stress that point enough. There's no way to read the contents of the chips, all you can do is communicate with it.
      Each transaction is "Unique" and the card itself will sometimes request to speak directly to a Host (i.e. somewhere at your Bank's HQ), in what's called an "online" transaction. If the card chip isn't sure of a terminal, it will demand to go online before processing a transaction. Hell, sometimes it'll demand to go online just because it hasn't recently. The two then communicate in such a way that the terminal (the middle man) can't intercept in any meaningful fashion. Each message is cryptographically generated so that the host knows the card sent it and not some MITM.

      The bottom line? Come 2013, when the US is mandated to support EMV, card skimming will be a thing of the past. Stick your card wherever you like, nobody can do anything with your bank account*.

      *there is, of course, a small caveat to this. As I said, each transaction is unique, so theoretically someone could skim a single offline transaction from you, but if they try to replay that transaction, there's every chance the transaction will then go online (the terminal AND the chip can demand to go online at any point), in which case the host will void it immediately. There's also plenty of upper and lower transaction limits, so for example if a transaction amount is above say $50 or $100, it HAS to go online or will fail outright.

      • I just looked into this. I did not know about the liability shift in EMV preventable fraud come 2015. I almost cried tears of joy. You have given me a glimmer of hope for the world. (Though it might be a bit cruel to the merchants, I have little sympathy. The U.S. has been way behind the curve on this simply because the merchants would pitch a hissy fit about buying new terminals every time.)

      • Come 2013, when the US is mandated to support EMV, card skimming will be a thing of the past. Stick your card wherever you like, nobody can do anything with your bank account

        These folks [bbc.co.uk] at Cambridge say the system needs an 'entire rewrite' to be secure. Is there data to refute them?

        • What that flaw does is allow you to not require the PIN when performing a transaction. You can't clone the card, so you still need the card itself, plus you need to intercept communications between the card reader and the card (most shops aren't going to let you slide something between the card and terminal). You only use the PIN in terminal transactions, you don't use them for distance (Internet/Phone, etc.) transactions (different security is in place). A flaw for sure, but not exactly a deal breaker.

          The

          • Watch the video.

            http://www.youtube.com/watch?v=PWnH_yblgTc [youtube.com]

            You do need the card (for this particular attack), but it is trivial to hide the fact that you are doing anything funny, all you have to do is have the wire from the fake card hidden literally up your sleeve.

            • Even without the PIN, a stolen card can be used for all sorts of nefarious things. They have your credit card number, dates of expiration, even the CVN (3digit security number on the back), enough to order from many online stores. Many places will still accept cards without the PIN by using a signature as well, so really the issue is with the card being stolen. However, the GP was about people "skimming" cards via a hacked terminal and, to my knowledge this has yet to happen*.

              *It's possible to make a magstr

        • The system needs to be adjusted if merchants want to ensure they're processing a PIN-verified transaction, as opposed to an unauthenticated transaction. It doesn't make the card inherently insecure -- you can't generate PIN-verified transaction using this method -- but it does open up the merchant for chargebacks because they didn't require a PIN. And if your card allows non-PIN transactions it could be stolen and used without the PIN.

          There are a variety of solutions. The technical one is to have the paymen

      • Each transaction is "Unique" and the card itself will sometimes request to speak directly to a Host (i.e. somewhere at your Bank's HQ), in what's called an "online" transaction. If the card chip isn't sure of a terminal, it will demand to go online before processing a transaction. Hell, sometimes it'll demand to go online just because it hasn't recently. The two then communicate in such a way that the terminal (the middle man) can't intercept in any meaningful fashion. Each message is cryptographically generated so that the host knows the card sent it and not some MITM.

        I think it's likely that all transactions will be on-line for the US implementation. MasterCard PayPass, Visa PayWave and Discover Zip all go on-line all the time, I believe. These are all EMV-derived protocols, but I don't think any of them are perfectly-compliant with any of the EMV usage modes. Also, I think they're all SDA plus a per-transaction dynamic CVV.

        • You're right, none of them are completely EMV, they all use a different variant of the standard. In fact, nobody actually does proper EMV, often for political reasons. still, I'd be surprised if ALL transactions were online only, there's plenty of legitimate reasons for needing offline transactions (ticket inspectors on trains are common here). Then again, it's not entirely unthinkable.

          • In the US effectively all transactions are already on-line, so the off-line use cases don't really exist. Other approaches have been found. Given the capability, it's possible that off-line might be used... but at the same time the proliferation of Internet access is making it often just as easy to do it on-line. Even on a train.
      • Comment removed based on user account deletion
      • The bottom line? Come 2013, when the US is mandated to support EMV, card skimming will be a thing of the past. Stick your card wherever you like, nobody can do anything with your bank account*.

        *there is, of course, a small caveat to this. As I said, each transaction is unique, so theoretically someone could skim a single offline transaction from you, but if they try to replay that transaction, there's every chance the transaction will then go online (the terminal AND the chip can demand to go online at any point), in which case the host will void it immediately. There's also plenty of upper and lower transaction limits, so for example if a transaction amount is above say $50 or $100, it HAS to go online or will fail outright.

        Speaking as someone who was involved in the early NA EMV specs, there is one HUGE caveat to this:
        All the devices that support EMV have a fallback sequence in case something goes wrong. This comes out of the department of redundancy department, as Visa moved a lot of its processes from back in the dialup authentication days forward into EMV.

        End result? it's possible to block the chip slot such that when you insert a card, it reports an error and prompts you to use the magnetic stripe instead... which can be

      • PayPal says they plan to go Global with this but for now it's just the US. If you're in a European country (specially the UK) you can watch out for the release of mPowa. They will be first available in the UK and in some parts of Europe but they will be open to the North American market and other parts of the world after that. It may interest you that with mPowa you have an option to use a chip and PIN device. And also, process a payment manually. Of course, you can still use the card reader of you want
    • by Inda ( 580031 )

      Why would I type my PIN into a machine that doesn't have Chip and PIN [wikipedia.org]

      Best regards,

      The British Isles

    • Because you're not at a store nor a computer, you don't carry cash, and you want to buy something.

      I could see this being very useful at conventions, small-business events (where people are all over the store and outside and etc. and they only have one "real" card reader), and for freelancers. The card readers at walmart, at the gas station, at any random ATM, etc. and this are all equally potentially unsafe.
  • by Lumpy ( 12016 ) on Friday March 16, 2012 @08:06AM (#39376055) Homepage

    To compete with Square? They are already established and don't have a reputation for taking everything that someone has in their account on a whim.

    The internet is full of "paypal stole all my money" stories.

    • by tlhIngan ( 30335 )

      To compete with Square? They are already established and don't have a reputation for taking everything that someone has in their account on a whim.

      The internet is full of "paypal stole all my money" stories.

      Depends. First, they're doing the easy way of taking 1.7% instead of 1.75%, and second, well, Paypal is the only company out there if you want to accept random credit card payments.

      Square basically is a merchant account with all the merchant account stuff. If you're just a small time seller off Craigslis

      • by Lumpy ( 12016 )

        " Paypal is the only company out there if you want to accept random credit card payments."

          Square has already been doing this. I can accept random credit card payments on my phone, swipe the card, or key in number. I am not a company I am a person.
          Yes I have to be offering a "service" but paypal requires that as well. Try to send a gift payment to someone and use a credit card.

  • As if there isn't enough identity theft already, and now they seriously want me to enter in cc information into my phone?

    Fortunately, these phones are totally secure and cannot be hacked. Not only that, the app is 100% secure.
    • Perhaps I'm missing something, but why would I care about entering my CC info into a phone? I'm not liable for any unauthorized charges. In the country where I live, it's the vendor who's liable, not me, and certainly not the bank, may their names be praised.
      • by ledow ( 319597 )

        Because your credit charges, card fees and interest rates will end up directly reflecting the amount of fraud that occurs.

        It's already started with companies charging X% for different cards because they have been forced to absorb the fraud (since the Chip-and-PIN introduction in the EU, for example, which pushed liability to the retailer), every charge you get made against you ends up costing everyone involved - retailer, bank, card company, intermediate suppliers and, eventually, you.

        You think that free mo

  • It is nice to see what the thumb-size card reader looks like, and I assure you that if I ever see one I'll refuse to let that seller scan my card. Paypal is one of the most absurd abuses to ever come out of the Electronic Bay of thieves. and I'll never do business with them. This even concerns me that some retailer might trying processing your info through Paypal without your knowledge or consent.
  • Paypal is to to the arena, I have seen these little smart phone CC readers in a lot of places. The most common place is at Gun shows.

    Then, how will Paypal handle that? They dont allow you to use there service to sell guns, ammo, explosives, etc. but with these readers there is no way to check what you are selling.

    Will they start locking accounts randomly until the seller submits what they are selling?

    Will they contact the customer for a "Survey" to see what was bought?

    I wonder if the local dealers will star

  • Sorry PayPal, I hate your business. Square built this model and has done a great job at delivering.

    Between Square for face to face transactions and Stripe for Web Commerce, there have been quite a few "revolutions" with payments from these smaller companies and they are quite welcome.
  • by Overzeetop ( 214511 ) on Friday March 16, 2012 @08:55AM (#39376617) Journal

    Paypal is the refuge of last resort for processing things because they capture your money. Google and Square both sweep money into your account directly. And 1% back on debit card purchases from your Paypal account? Why not just use a real CC and get 1%-5% cash back, plus have your money in a real bank, and not have your account balance exposed to fraud.

  • by bubblegoose ( 473320 ) <bubblegoose.gmail@com> on Friday March 16, 2012 @08:59AM (#39376699) Homepage Journal

    Does this remind anyone of the episode of "The Office" where Dunder Miflin introduces a triangle shaped phone?

    • I actually thought it was a joke when I first saw the headline. This has the be the most unfortunate timing of a product release ever. Long live the Sabre (er, Paypale) Pyramid!

  • It's a bank, for crying out loud. It just wants to avoid all the liabilities that being called a "bank" means. It's a freaking bank.

  • Paypal finally comes in

    Square up http://www.squareup.com/ [squareup.com]

    Intuit Go Payment http://intuit-gopayment.com/ [intuit-gopayment.com]

    Any others anyone knows about? There are those that don't have a Cc swiper on it but looking for a list of ones that give free swipers.
    • I have used intuit for a few years for many sales. Being able to hand someone a paper receipt with the bluetooth swiper/printer is nice. Some people don't care for a receipt, the older crowd seem to demand it to feel comfortable.
  • home depot has a button on their checkout. I am not sure if useable or not.

  • You deserve whatever you get. I predict wide adoption.

  • There's only one downside: It uses PayPal.

  • ...that an ad for Squareup (served by ad.doubleclick.net) appears at the top of of my browser window when viewing this article...

  • I thought there was a recent article on slashdot about Apple already patented this.

    But then, Apple seems to think they "invented" everything.

  • by bornagainpenguin ( 1209106 ) on Friday March 16, 2012 @01:01PM (#39380405)
    ...is that they are effectively a form of electronic currency for the internet. In itself that wouldn't represent a problem, but when Paypal's currency ceases to be neutral, such as it was in the whole Smashwords debacle [techdirt.com] it loses its value to most people because unlike the physical form it is not legal tender in all circumstances. Money needs to be neutral for it to work properly. Paypal has shown time and time again their willingness to muck about with what is considered legal tender with their currency so it is not a good option for people.

    Worse yet, considering it is highly apparent that Paypal was lying about the Credit Card companies pressuring it (given how they were so easily able to flipflop on the issue [techdirt.com]) this means their currency is not an honest one and cannot be relied on to retain value. While personally I have used Paypal in the past I and never had any trouble, I have also been careful to limit my interactions with them and actively sought alternatives where ever possible. As time goes on and the kinds of incidents like the Smashwords one continue to add up it only increases my resistance to using Paypal where ever I can avoid it.

    I imagine others feel the same...

"To take a significant step forward, you must make a series of finite improvements." -- Donald J. Atwood, General Motors

Working...