Radio-frequency identification (RFID) payment technology is here. It’s being used in smartphone retail payment solutions like Google Wallet, in prepaid payment cards like Transport for London’s Oyster card, and it’s being rolled out on debit cards for low-value goods up to £20.
There are already more than 20 million contactless credit or debit cards issued in the UK and more than 80,000 merchant readers installed, with forecasters touting it for a big future because of the speed of use and convenience benefits it offers.
Naturally, the more prevalent the payment method becomes the more concerns that are going to be raised about its privacy and security standards. So just how secure is your data with contactless payments?
Bypasses PIN entry
One of the main issues with contactless payment is that it bypasses well-established security steps like authorisation by PIN entry. This makes it a sitting duck for attackers as all somebody would have to do is put a mobile Near-Field Communication reader close to a payment card to perform an unwanted transaction.
However, proponents of the technology will argue that it shares the same underlying secure data transfer as normal payment cards, using the same basic technology and software as existing chip and PIN Europay, Mastercard and Visa (EMV) cards.
What’s more, according to Dave Birch, director at Consult Hyperion and chair of the Digital Money Forum, contactless mobile phone payments have the potential to be “significantly more secure, since there are a number of characteristics of mobile that make it much harder to defraud people.”
Birch goes on to cite the example of somebody losing one of their cards and not noticing for some days whereas if somebody was to lose their mobile phone they would notice straight away.
Transmits personal data
Another concern is that eavesdroppers can pick up data transmitted during contactless payment transactions. The process, which is not supposed to transmit payment information further than 10cm from a reader, has been clocked transmitting data as far as half a metre away by researchers.
The vulnerability was discovered after researchers used inconspicuous equipment including a shopping trolley, a backpack and a small antenna to intercept synthesised payment card data from distances of up to 45cm, raising major questions about its secure data transfer capabilities.
The researchers claimed that at that distance, fraudsters could gather information without arousing suspicion. But the UK Cards Association, the trade body that represents credit and debit card issuing organisations, was quick to clarify that they would not be able to harvest significant information.
According to the UK Cards Association, any data obtained by eavesdroppers would be limited to the card number and expiry date that can be seen on the front of the card. With this information fraudsters would not be able to clone cards and would struggle to make fraudulent transactions.
Secure data transfer in contactless payment technology is still very much a debatable issue. However, companies involved in RFID payment technologies still have to adhere to the same PCI standards as a normal payment card.
To find out how Maytech can help you with PCI DSS (payment card data transfers), visit our PCI compliance page.