Reply to post: Re: You can't argue with a working proof of concept video.....

Samsung: Hackers can't pwn our NFC payment kit. No way, nuh-uh, not true (Well, OK, maybe)

Anonymous Coward

Re: You can't argue with a working proof of concept video.....

While 30 seconds may be a bit quick - some shops in remote places might have a dialup line that is activated to process payments, or an overloaded satellite link - 24 hours is definitely way way way too long. The really criminal thing though is the three digits....seriously?

I'm not sure how much flexibility there is in the EMV protocol; I sure hope the three digits thing isn't part of the spec! Seems to me that if the payment terminal created a one-time key, passed that to the phone, then the phone encrypted the transaction using that key, you'd have something that couldn't possibly be replayed to any other payment terminal. Obviously it is feasible to do that, but sometimes doing things the right way gets compromised due to wanting to drive down cost... i.e. making the payment terminals cheaper.

Anyone know if there's an EMV spec available for download anywhere, or is it one of those things that's top secret unless you've paid big bucks to be a member of the club? Apple has a lengthy security document about overall iOS security but it doesn't delve into the internals of how Apple Pay works. Not sure if that's in another document, or if Apple isn't permitted to give away the dirty details of the EMV protocols. It would be interesting to compare how they are doing things to how Samsung did them.
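
The terminal-bound exchange the comment above proposes, as an added example that is not part of the original post and is not EMV, Samsung Pay or Apple Pay code: a simplified model in which the terminal issues a one-time challenge and the phone answers with an HMAC over that challenge and the transaction, so a captured answer fails at any other terminal and on reuse. Assumptions: every name here (`Terminal`, `phone_sign`, `issuer_verify`, `DEVICE_KEY`) is hypothetical, the device key is a constructed secret shared by phone and issuer, and an HMAC stands in for "encrypting with the one-time key".

```python
import hashlib
import hmac
import secrets

DEVICE_KEY = secrets.token_bytes(32)  # constructed: secret shared by phone and issuer


def _encode(*fields):
    # Length-prefix each field so distinct inputs never serialise identically.
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def phone_sign(device_key, terminal_id, nonce, amount_cents):
    """Phone side: MAC over the terminal's one-time challenge and the transaction."""
    msg = _encode(terminal_id.encode(), nonce, str(amount_cents).encode())
    return hmac.new(device_key, msg, hashlib.sha256).digest()


def issuer_verify(device_key, terminal_id, nonce, amount_cents, cryptogram):
    """Issuer side: recompute the MAC and compare in constant time."""
    expected = phone_sign(device_key, terminal_id, nonce, amount_cents)
    return hmac.compare_digest(expected, cryptogram)


class Terminal:
    """Hypothetical terminal that issues one challenge per transaction."""

    def __init__(self, terminal_id):
        self.terminal_id = terminal_id
        self.nonce = None

    def challenge(self):
        self.nonce = secrets.token_bytes(16)
        return self.nonce

    def accept(self, amount_cents, cryptogram):
        nonce, self.nonce = self.nonce, None  # single use: consumed on any attempt
        if nonce is None:
            return False
        return issuer_verify(DEVICE_KEY, self.terminal_id, nonce, amount_cents, cryptogram)


def demo():
    a, b = Terminal("terminal-A"), Terminal("terminal-B")
    captured = phone_sign(DEVICE_KEY, a.terminal_id, a.challenge(), 1999)
    b.challenge()
    return {
        "replay_other_terminal": b.accept(1999, captured),
        "original": a.accept(1999, captured),
        "replay_same_terminal": a.accept(1999, captured),
    }
```
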
