PayPal Community

Hello Erica,

I currently use the small blue triangle which fits atop my phone and I swipe a card. Will I need to purchase a new reader to be compliant with EMV? I was told when I opened my PayPal for my small business that the one I am currently using works (and will protect my business) with EMV. Is that not correct?

Thank you

It's October 1st. I don't have one. Any update on when they are coming? Has anyone gotten them yet? ETA?

---

@PayPal_Erica wrote:

Hi Trancie27,

 

Thanks for reaching out to us here! That is  a great question. PayPal will be sending out new EMV cards to all PayPal Debit MasterCard holders. They will be going out in batches, so keep an eye out for yours in the mail soon! 🙂

 

I hope this helps!

-Erica

If you see a helpful post, please accept it as a solution or give the author kudos. Thanks!

---

So, well into February and Business Debit cards not reissued with EMV here. I take it the deployment was pushed back?

That's OK, but would just like to know it's still in progress. The retailer that I had to battle because of magstripe fraud (after the Home Depot breach) finally enabled their EMV slot today, and that reminded me to check up on it.

If not iimplemented by the credit card company it would only mean the credit card company accepts the risk from a fraudulent card.  When implemented it only protects the retails from a fraudulent (counterfeit) card NOT from fraudulent use of a valid card.  It doesn't protect data security for storage.

Uh, when it comes to the PayPal Business Debit card, I'm a cardholder, not a merchant. The merchant liability shift isn't important from that point of view.

I want to know when EMV cards are coming because they provide protection to the consumer against card skimming and cloning(*) attacks. If you don't know why I care about this -- and why you should care just as much! -- I invite you to read all the relevant tagged posts from Brian Krebs (there are many; you'll need to go back multiple pages of earlier posts too).

After all, I already mentioned that I was a victim of the widely press-reported Home Depot breach. My PayPal Business Debit card's magstripe was cloned and used quite a bit before I could get it shut down and the charges reversed.

(* While not perfect -- it's possible to do limited-duration cloning of EMV chips, at some retailers, when those same retailers use improperly randomized nonces -- the difference between magstripe and EMV chip security is quite like the difference between a front door which can be opened by just a little jiggling, and one with a consumer-grade conventional deadbolt.)

The EMV cards are primarilty for protecting merchants NOT consumers.  Cards won't be able to be skimmed as easily and it will be difficult to create counterfeit cards, but it won't stop data breaches.

The user still has regular protection for fraudulent use but that production does NOT prevent faudulent use. Protection means recover of funds, not prevention of loss.

Protection also means more difficulty to clone/counterfeit the data. Besides the fact that skimming is incredibly difficult with EMV and doesn't result in indefinitely reusable data:

Even in the case of backend storage of data being leaked because of a merchants not following PCI plus best common practices for data protection, there is a huge difference between challenge-response crypto based authorization (EMV chip conversation) and static credential authorization (magstripe). Did you not hear about the fact that the Target breach was so successful for fraudsters because they stored the entire raw contents of the magstripe tracks?

(Hint: I was involved in PoS software development for some time, and additionally have a strong background in infosec, system software development, and cryptography. I understand the concepts involved here.)

The protection for the consumer, if the EMV capability is as consistently used as possible, is a much lower risk of being compromised. When compromise happens, that's time and trouble for the consumer to have the fraudulent charges disputed and reversed and waiting for a replacement card. That's a nonzero cost to the consumer.

Again: EMV is not all about protecting merchants. In fact, the liability shift is a *burden* specifically imposed on merchants by the clearing networks, to get merchants to move to EMV-enabled terminals! The most important protection of EMV for consumers comes in the form of reducing all the consumer-facing risk and hassle of being compromised in the first place.

...So yes, as a consumer, I would like to know when the magstripe Business Debit card is going to be reissued with an EMV contact chip. That's all I originally asked. I didn't request an misinformed "debunking" of the benefits of EMV.

And in case the above wasn't clear: EMV, at its core, does almost nothing at all for merchants. The liability shift is artificial pressure by the banks and clearing networks onto merchants so that the banks can reduce their risk, by forcing merchants to upgrade to terminals accepting EMV.

It's the liability that banks have had to shoulder for data compromise that finally pushed for EMV to be deployed in the U.S. -- around two decades later than everywhere else. The liability shift was added because the point-of-sale terminals are the points of greatest risk for the banks, but they are under the most direct control of merchants.