Consumer trust in contactless security a must for take-off

The National Payments Plan progress report that was published in June highlighted the Payments Council’s continued focus on alternative payment technologies such as contactless. The two-year progress update references the “Review of the contactless and prepaid card markets” published in May 2010, which highlighted concerns raised by a number of consumer representative organisations around the security of contactless payments. This report states that “a lack of consumer trust in the system was seen as an impediment to uptake, and one that could only be resolved by ensuring that security standards are high and that contactless products deliver a good level of consumer protection.”

So are contactless transactions secure? As discussed on paymentssecurity.com, the industry has been careful to add security both on the contactless devices and in the processing network, and there are several key aspects to contactless that protect the consumer from fraud. Firstly, contactless cards have a unique built-in secret key on the card which generates a unique Card Verification Value or CVV. Secondly, the networks have the ability to detect repeat transaction information (and consequently repeat attacks) which has been a problem in the past for other types of transactions. Thirdly, there are limits to the number and value of the transactions that can be made before you have to enter a PIN, and this prevents large sums from being stolen. Finally, the processing of contactless payments does not require the use of the cardholder’s name and some cards do not even include the cardholder’s account number, so, unlike traditional payment methods, user information cannot be stolen to perpetrate high-value or identity-based fraud.
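The first three protections can be seen working together in a small issuer-side model. This is an added example, not code from the article or from any payment scheme: the HMAC-based CVV derivation, the per-card transaction counter, the limit values and all names are assumptions made for illustration.

```python
import hashlib
import hmac

def dynamic_cvv(card_key: bytes, counter: int) -> str:
    # Stand-in derivation (assumption): HMAC-SHA256 over a per-card transaction
    # counter, reduced to three digits. Real schemes define their own algorithm.
    mac = hmac.new(card_key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1000:03d}"

class Issuer:
    """Issuer-side view of one card; all limits are constructed sample values."""
    def __init__(self, card_key, max_single=1500, max_taps=3, max_total=4500):
        self.card_key = card_key
        self.max_single, self.max_taps, self.max_total = max_single, max_taps, max_total
        self.last_counter = 0   # highest counter accepted so far
        self.taps = 0           # contactless payments since the last PIN entry
        self.total = 0          # their cumulative value, in pence

    def authorise(self, counter: int, cvv: str, amount: int) -> str:
        if counter <= self.last_counter:          # repeat of data already seen
            return "DECLINE_REPLAY"
        if not hmac.compare_digest(dynamic_cvv(self.card_key, counter), cvv):
            return "DECLINE_BAD_CVV"
        self.last_counter = counter               # burn the counter once verified
        if (amount > self.max_single or self.taps + 1 > self.max_taps
                or self.total + amount > self.max_total):
            return "PIN_REQUIRED"
        self.taps += 1
        self.total += amount
        return "APPROVE"

    def pin_verified(self) -> None:
        self.taps = self.total = 0                # a PIN entry resets the limits

def demo() -> list:
    key = b"constructed-per-card-key"             # sample key, not a real one
    issuer = Issuer(key)
    tap = lambda c, amt: issuer.authorise(c, dynamic_cvv(key, c), amt)
    results = [tap(1, 1000)]                      # genuine tap
    results.append(tap(1, 1000))                  # sniffed data presented again
    good = dynamic_cvv(key, 2)
    results.append(issuer.authorise(2, f"{(int(good) + 1) % 1000:03d}", 1000))
    results += [tap(2, 1000), tap(3, 1000)]       # second and third genuine taps
    results.append(tap(4, 500))                   # fourth tap exceeds the count limit
    issuer.pin_verified()
    results.append(tap(5, 500))
    return results

if __name__ == "__main__":
    print(demo())
```

The counter is advanced only after the CVV verifies, so a bad guess cannot be used to invalidate the genuine card's next transaction.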

Despite these steps, consumers will naturally be wary of contactless as they have become used to securing their card payments by using their PIN. One way to tackle this would be to ensure that educating consumers around this issue is part of the existing education plans outlined for electronic alternatives to cheques (see “The future of cheques in the UK” report) in order to ensure consumer confidence in, and adoption of, contactless payments.

Comments: (2)

A Finextra member 08 July, 2010, 12:35

"Firstly, contactless cards have a unique built-in secret key on the card which generates a unique Card Verification Value or CVV. Secondly, the networks have the ability to detect repeat transaction information (and consequently repeat attacks) which has been a problem in the past for other types of transactions."

Steve,

This is a US-centric view and needs clarification given the context of the UK National Payment Plan.

Here in the UK and Europe we use the same (EMV cryptographic) techniques for contactless transactions as chip & PIN. Nothing has been added apart from the obvious RF interface.

In the US, however, they only had magnetic stripe card infrastructure prior to contactless payments and had to introduce the chip in the card containing the secret key that generates the dynamic CVV to which you refer. I wouldn't hold it up as a beacon of security, given its length, and it's not used here as far as I know.

"Finally, the processing of contactless payments does not require the use of the cardholder’s name and some cards do not even include the cardholder’s account number ..."

Really? How do they work then? I think you mean that it is possible for cards to use a different account number (PAN) over the contactless interface to that embossed on the front of the card?

The public will be wary, as you say, but I'd stick with a simpler message, e.g. that data obtained from sniffing contactless transactions are useless to an attacker.

Richard.

A Finextra member 13 July, 2010, 09:26

Hi Richard,

Thanks for clarifying the technicalities. EMV contactless and Mag stripe contactless are of course different today in the way you describe.

You are absolutely right, the basic message is that sniffing contactless transactions is useless to the attacker. This, combined with the individual transaction and cumulative transaction limits, means that the loss of a contactless card is no more risky to a consumer than losing a wallet with a few notes of cash in it.

The challenge for those designing communication to build confidence in consumers who have been educated on the importance of their PINs will be to put this across in a simple-to-understand message.

Steve
