Smart Card Association rebuffs RFID fraud claims

The Smart Card Association (SCA) has dismissed claims by US researchers that a security flaw in RFID contactless payment cards leaves customers open to fraud.

The statement follows reports that a group calling itself the RFID Consortium for Security and Privacy had uncovered lapses in the security and privacy features of several types of RFID payment cards.

The group consists of researchers from the University of Massachusetts, RSA Laboratories and Innealta and lists partners including The San Francisco Bay Area Rapid Transit District, MIT Auto-ID Labs and the Programme for Advanced Contactless Technology at Graz University of Technology in Austria.

The researchers tested around 20 contactless credit cards and found that RFID cards transmit cardholder names, so any device capable of scanning a card can learn the name imprinted on it, with or without the owner's consent.

Secondly, the RFID credit cards are vulnerable to skimming. An attacker with an RFID reader can harvest information from a card, create an inexpensive clone device, and make charges against the legitimate card, says the group. Alternatively, a fraudster may be able to perform online transactions with harvested credit-card information.

Last month the researchers demonstrated to a New York Times reporter how the cards can be compromised and how the cardholder's name and other data can be leaked in plaintext to an unauthenticated card reader. A video demo has also been posted on YouTube.

However, the SCA claims that nothing in the report supports the conclusion that a criminal could complete a fraudulent contactless payment transaction in the real world.

"One reason is that the researchers conducted these tests in a lab setting using only contactless cards and readers and did not interact with the payment networks in any way. One cannot draw valid conclusions about the security of a payment network if you ignore the network," says the SCA statement.

In response to the risk of a cardholder's name being harvested by criminals, the SCA states that many contactless payment cards do not include the cardholder name on the chip, so it is not transmitted.

The SCA also points out that a contactless payment smart chip calculates a unique numeric value, or security code, that serves as proof of authenticity for each transaction, and that this feature protects against the replay of transaction data to create a fraudulent transaction. Any attempt to reuse an encrypted security code for another payment would result in the transaction being rejected.

"The card calculates these unique identifiers using secret information that is encrypted, never leaves the card and differs from one card to the next, which prevents successful cloning of contactless cards," says the SCA. "Even in the unlikely event a fraudster is able to record information from a contactless transaction, it would be useless."
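As an added illustration of the SCA's argument (not code from the researchers' report or from the SCA), the constructed toy below models a card that computes a keyed code over its transaction counter and the amount using an on-card secret, and an issuer that rejects both a replay of captured transaction data and captured data with altered fields. The key, card number and amounts are made up, and the scheme is a simplification for teaching, not EMV's actual cryptogram algorithm.

```python
import hashlib
import hmac

# Constructed toy of the per-transaction security code the SCA describes; it is
# not EMV's real cryptogram scheme, only a keyed MAC plus a transaction counter.
def security_code(key: bytes, pan: str, counter: int, amount: int) -> str:
    msg = f"{pan}|{counter}|{amount}".encode()  # fields the code commits to
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class Card:
    def __init__(self, pan: str, key: bytes):
        self.pan, self._key, self.counter = pan, key, 0  # key never leaves card

    def transaction(self, amount: int) -> dict:
        self.counter += 1
        code = security_code(self._key, self.pan, self.counter, amount)
        # everything returned here is what a reader or eavesdropper sees over the air
        return {"pan": self.pan, "counter": self.counter, "amount": amount, "code": code}

class Issuer:
    def __init__(self):
        self._keys: dict = {}          # pan -> shared secret key
        self._last_counter: dict = {}  # pan -> highest counter accepted so far

    def enrol(self, card: Card, key: bytes) -> None:
        self._keys[card.pan], self._last_counter[card.pan] = key, 0

    def authorise(self, tx: dict) -> str:
        key = self._keys.get(tx["pan"])
        if key is None:
            return "declined: unknown card"
        expected = security_code(key, tx["pan"], tx["counter"], tx["amount"])
        if not hmac.compare_digest(expected, tx["code"]):
            return "declined: bad security code"     # forged or altered data
        if tx["counter"] <= self._last_counter[tx["pan"]]:
            return "declined: replayed transaction"  # counter already used
        self._last_counter[tx["pan"]] = tx["counter"]
        return "approved"

def demo() -> list:
    key = b"constructed-demo-key-not-a-real-secret"  # made-up shared secret
    card, issuer = Card("4111222233334444", key), Issuer()  # constructed PAN
    issuer.enrol(card, key)
    genuine = card.transaction(amount=2500)
    results = [issuer.authorise(genuine)]        # fresh transaction: approved
    results.append(issuer.authorise(genuine))    # same captured data again
    altered = dict(genuine, counter=genuine["counter"] + 1, amount=9900)
    results.append(issuer.authorise(altered))    # captured code, new fields
    return results
```

Running `demo()` shows the three outcomes in order: approved, declined as a replay, declined for a bad security code.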
