Society of Payment Security Professionals - Payment Security Blog

Contactless payments take hold

We have discussed many things relating to the payments industry, from Chip-PIN to the details of the PCI DSS, but have not focused much on the technology side of things. There are the PCI PIN (from Visa) requirements for TRSM and now the emergence of ‘contactless‘ payments has taken the stage.

Contactless (’Express Pay’ for American Express & ‘pay pass’ for MasterCard) is a form of smart card that has taken hold in the US. The reason for contactless is that it simply requires the merchant to purchase a device (the reader) that plugs directly into their current POS or Integrated POS (IPOS) device. This permits them to accept either ’swipe’ or ‘contactless’ payments without a major upgrade in their infrastructure. Most European countries (UK, France, Germany, Spain) and Canada have either mandated or at least support the Chip-PIN technology. The benefit of Chip-PIN is a higher level of security, because it requires the cardholder’s PIN to be entered for each transaction, which comes at a high cost — as many of these systems requre a complete upgrade of the merchant’s POS.

The Green Sheet has an article on contactless cards, which you can see a picture of here.

• “By the end of 2006, U.S. banks had issued 17 million to 19 million contactless credit and debit cards, according to industry estimates. One market research company, JupiterResearch, estimated those numbers will increase to 37 million by the end of 2007 and 188 million by 2010.”
• “Contactless enables a fast and secure payment process”
• “Contactless is currently a single-application product. The true value in contactless will lie in multiapplication systems…”

The ubiquity of contactless is going to take hold and with it the security risks. It will be the job of the PCI SSC, all card brands, and the information security industry to raise awareness and prevent fraud within these new electronic devices.

These groups are building security measures into the way contactless is used, but the big question is: will it be enough? Just as with card-present (or ’swipe’) transactions there are two pieces of data that are captured: the magnetic track data and the PAN (or credit card number), which is located within the track data. The question with contactless is can a skimmed card be re-used as a contactless payment or will the fraudsters just tear out the PAN and use it?

There are many security hurtles to overcome, but merchants are teaming up to implement this new technology. It has been shown that making it easier to pay means more people WILL pay. The allure of higher consumer spending will outweigh the security concerns over new technology. It will be the role of security companies and continued audits to verify that companies are securing the credit card data they collect.