|
|
|
|
|
|
by tialaramex
2481 days ago
|
|
|
The EMV system (that makes contactless card payment work as well as "chip cards") has the card act as a representative for its owner (the card company, not you, you don't own the card and it tells you that when you get it) and it negotiates with the terminal for each transaction. The card (on behalf of its owner) gets to say e.g. "Hi, I am allowed to authorise $185 more offline before talking to my owner. I am allowed to do PIN transactions also I have a magstripe. What shall we do now?" And a terminal could say "OK, let's do an online $28 transaction, with proof of PIN" or, "I'm good, $5.80 offline and no need for a PIN". All this complexity opens up a bunch of potential problems (and EMV is guilty of not getting in a team of academics to figure out the cryptographic situation before shipping it, so it has had to be repeatedly patched and has a bunch of issues that needn't exist) but it allows Apple Pay to decide that e.g. you can spend up to $50 per time, and so long as you make an online transaction at least once per week and without spending more than $250 offline that's fine. Both the issuer of the card and the terminal's owner get to decide on their appetite for risk. Probably if you sell $500 gold chains from a location with bars on the windows and an airlock entrance you want to do online proof-of-PIN transactions only, even if the card itself says it's happy to spend $500 offline contactless - and if your bank is trying to rehabilitate someone with spending problems (in a country where just exploiting them isn't legal) its card may tell the guy with a street cart that alas you need to go online and do a PIN transaction even for their $6 bagel. |
|
|