To pay, show me your credit card

The company Jumio proposes a new system for paying online: netSwipe. It uses an ordinary credit card for payment. Rather than typing in your credit card number, your name, and the expiration date, you present your credit card to the webcam when the netSwipe applet asks for it. The system is supposed to extract the data by visually scanning the image. The processing is done remotely, so the applet should securely stream the output of the webcam to the remote server.

You still have to type in the CV2, i.e. the 3 digits at the back of the card (or the 4 digits in the case of AMEX).

Impact for the merchant:

  • The fee is 2.75% of the transaction.
  • The usual PCI-DSS security requirements

Note: Security Requirements

Using Netswipe Scanning or Netswipe Recycle Swipe to capture credit card data means that you will be capturing, transmitting and possibly storing card data. The Card Schemes, Visa and MasterCard, have never permitted the storage of sensitive data (track data and/or CVV2) post-authorization, and it is prohibited under ‘Requirement 3’ of the Payment Card Industry Data Security Standard (PCI DSS). Merchants who store Sensitive Authentication Data (SAD) are being fined by the Card Schemes.

Consequently, if you use Netswipe Scanning or Netswipe Recycle Swipe you will need to demonstrate that your system can handle this data securely and that you are taking full responsibility for your PCI DSS compliance. One part of this is the need for us to see a clean Vulnerability scan being made on your systems.

There are two interesting questions:

  1. Is it more user-friendly than the current method? If the recognition is accurate, probably yes.
  2. Is it more secure than the current method? Depending on what the scanning method actually detects, it may increase security. Imagine that the system not only extracts the three data fields but also validates the hologram and checks whether the graphical layout of the credit card is the one expected for this customer (and that it is indeed a plastic card). Then the system would come close to proving the presence of the actual card. I was not able to find the corresponding patent.
    Nevertheless, in the end the “ultimate” defense is the CV2.
    In conclusion, provided that the streaming is secure, which may be tested, it is probably not less secure than the usual manual entry.
