Masterpass online transactions - why do they require your pin?

It bothers me when my own bank does it (FNB often requires the card pin when making changes to daily limits). I'd be doubly bothered by some 3rd party ask for it.
 
It bothers me when my own bank does it (FNB often requires the card pin when making changes to daily limits). I'd be doubly bothered by some 3rd party ask for it.

It’s not a third party though, Masterpass is part of MasterCard.

So it’s like the first party.

Your bank being the second party.
 
It’s not a third party though, Masterpass is part of MasterCard.

So it’s like the first party.

Your bank being the second party.
I'm talking about Zapper.
 
This. They claim they don't store or capture it... just like Facebook claim they don't store your PW... but in reality it's up to the devs. Hopefully their peer review system is solid.

Are you sure they aren’t just passing you through to a web portal that is directly with Masterpass?

Much like Visa do with 3D Secure.
 
They will be required to encrypt the PIN, and pass it to the acquiring host who can decrypt the PIN. That's currently what we do.
The PIN encryption is a standard anyhow.
 
They will be required to encrypt the PIN, and pass it to the acquiring host who can decrypt the PIN. That's currently what we do.
The PIN encryption is a standard anyhow.

Pretty much this.. but this means they pushing the transaction as a ‘card transaction/present’ (verified with pin, pin block is generated) and not a ‘card not present’ (verified by cvv) which attracts a higher fee and in SA should require 3D secure for each tran (unless they implemented tokenization).

Maybe it’s a good thing I only use MasterPass via FNB since they introduced it in their app.
 
What do you mean "the pin encryption is a standard anyhow"?
This is an android app, not a POS device?

My point being , this is not open source code that I can review. Of course I could run a wireshark session to confirm TLS is active and trace destination etc...

Pin block generation code is pretty standard.. you can do a quick search on how to do it. Still have to get the keys, etc. And if they get it wrong it just won’t work.

But that doesn’t mean it’s secure at all.. so with PA-DSS you have to consider how you handle the data on the device too. My point is this.. I am assuming they have encrypted the pinblock or a variant there of in some form along with ssl etc before leaving the device. But what should worry people is on device.. particularly on android device and how they using the data.

I dunno I’m weary when FNB asks me for my pin.. I ain’t gonna put my pin in a 3rd party app or website!

This is exactly why I find the “new” WhatsApp vehicle license renewal process problematic! Banks have spent a lot of money teaching consumers never to click on sms link to payment services.. and viola.. they, this company doing license renewal, doing just this. Some context.. yes I know WhatsApp business has a verification program (you probably didn’t notice) but if consumer adds an imposter they have all identity info and card+ cvv info
 
Last edited:
One way I guess they can justify is by claiming to splitting pin & card info.. but it’s till a pin
 
On our terminals I don't encrypt PIN blocks anywhere in my code. Its done by a piece of hardware which I access via an API. The keys are injected prior to use.
 
I'm talking about Zapper.
If you're using a masterpass app then that is a mastercard. Do you really think mastercard is going to send your pin to zapper? Mastercard does the authorisation, not zapper.
 
Masterpass and Vodapass ask for the pin.
I used it a few times now.
So far no issues.....touch wood
 
Masterpass and Vodapass ask for the pin.
I used it a few times now.
So far no issues.....touch wood

Shouldn’t be an issue much like using your internet banking on a desktop. This risk is not with the application but the device and consumer use of other apps or software on the device.
 
Top
Sign up to the MyBroadband newsletter
X