[oclug] A credit/debit card reader for the home ??
oclug at strosberg.com
Fri Sep 25 14:58:14 EDT 2009
William Case wrote:
> Just had a thought! But it has probably been thought before.
> I was about to buy a magazine article from Scientific American. They
> wanted $7.95 which I was willing to pay. Of course when I clicked on
> the appropriate screen button to purchase it, they wanted credit card
> info. I have used my Visa to purchase online before but I am always
> very reluctant to do so. In this case I cancelled my purchase.
> What I think would work for me is having a personal card reader attached
> to my computer. If I wanted to make an online purchase, the
> communication of account numbers and passwords would be directly between
> me and my bank with only the purchase amount and name and some kind of
> purchased item ID being transferred to the vendor by my bank.
> Similarly, I could then use a 'cash' card. A cash card would be a
> swipe-able card to which I could transfer an amount from a bank account
> from home using my home card reader, debit/credit card and the cash
> card. While I am out at a restaurant, bar, store etc., any vendor would
> have access only to the amount of money registered on the cash card and
> would deduct the amount spent from the cash card total. If the cash
> card were lost or stolen, only the remaining amount on the cash card,
> plus the cash card passwords would be at risk. I would have to keep
> topping up the amount on the cash card, but I could do that safely from
> Of course, I don't understand all the security problems this might
> introduce, but on the surface, it would make me feel as if I was in more
> control of my money and transaction security.
> I would really like to see any thoughts, criticisms or comments anyone
> might have.
Credit and debit payment processing is very complex. The readers are
simple (I've designed, built and sold many different variations in the
You can get keyboard "wedge" readers that will read track 2 and track 3
magnetic stripe reader (MSR) data from your cards very cheaply. You
swipe the card, and the reader converts it to keystrokes on the keyboard
interface as if it has been typed. Cheaper readers do not implement the
CRC (cyclical redundancy check) or checksums incorporated in the card.
Cheap readers generally do not work bi-directionally as well.
MSR devices are on the way out - smart card "chip" technology is slowly
gaining momentum here - it already is pervasive in Europe. MSR data is
easily duplicated with an inexpensive card writer and there is no
technical difference between the original and a cloned card. The rate
at which technology is incorporated into the banking industry here is
controlled by the volume of fraudulent activity the banks/card issuers
are willing to accept. If fraud is low, why bother instituting new
technology at great expense?
In Canada our pinpad technology is controlled by the banks - approved
vendors incorporate bank-injected encryption chips in the pin pads to
generate the checksum values from your "PIN" when you enter it. This
checksum value changes every transaction, and is compared to a similarly
generated checksum for the transaction at the bank end. At no time is
your "PIN" ever sent across the Internet (or direct processing
connection via telephone). There are multiple factors used to generate
the checksum. The Canadian debit handling is far more secure &
consistent than the American version, as the US Federal Reserve system
is far more confused and fragmented than Canadian banking.
The encryption chips are self destructing in the event of tampering, and
are serialized. Hack attempts at point of sale generally attack the pin
pad keyboard interface well in front of the actual encrypted
All this to say, the banking community is not willing to accept high
risk transaction data from card-not-present transactions. PayPal is a
reasonable buyer alternative, but their fees are ridiculous to the
seller. Don't look for this feature on home computers in the near future.
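
An added illustration, not part of the original message and not the banks' actual scheme: a simplified model of the per-transaction check value described in the reply, with HMAC-SHA256 as a stand-in for whatever the pin pad hardware really computes. The class names, message fields and the split into a per-transaction key are assumptions made for the example.

```python
# Simplified model only; names, fields and algorithm choice are hypothetical.
import hashlib
import hmac


def _mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts (no ambiguous concatenation)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


class PinPad:
    """Hypothetical pad holding a bank-injected key and a serial number."""

    def __init__(self, serial: bytes, injected_key: bytes):
        self.serial, self._key, self._counter = serial, injected_key, 0

    def authorize(self, pin: str, card: bytes, amount_cents: int) -> dict:
        self._counter += 1
        ctr = self._counter.to_bytes(4, "big")
        tx_key = _mac(self._key, self.serial, ctr)  # fresh key per transaction
        check = _mac(tx_key, pin.encode(), card, amount_cents.to_bytes(8, "big"))
        # The message carries the check value only; the PIN never leaves the pad.
        return {"serial": self.serial, "counter": self._counter, "card": card,
                "amount_cents": amount_cents, "check": check}


class Bank:
    """Hypothetical issuer side: knows each pad's key and each card's PIN."""

    def __init__(self, pad_keys: dict, pins: dict):
        self._pad_keys, self._pins, self._last_counter = pad_keys, pins, {}

    def verify(self, msg: dict) -> bool:
        key = self._pad_keys.get(msg["serial"])
        pin = self._pins.get(msg["card"])
        if key is None or pin is None:
            return False
        if msg["counter"] <= self._last_counter.get(msg["serial"], 0):
            return False  # replayed or stale message
        tx_key = _mac(key, msg["serial"], msg["counter"].to_bytes(4, "big"))
        expected = _mac(tx_key, pin.encode(), msg["card"],
                        msg["amount_cents"].to_bytes(8, "big"))
        if not hmac.compare_digest(expected, msg["check"]):
            return False
        self._last_counter[msg["serial"]] = msg["counter"]
        return True
```

Two purchases of the same amount with the same PIN produce different check values, and a captured message fails when presented a second time because its counter has already been consumed.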