How Safe Are the New Contactless Payment Systems?

As the retail industry starts to embrace contactless payment in a big way—led by $41 billion retailer 7-Eleven and Chase, the nation’s largest issuer of credit cards—arguments are renewing about just how safe and fraud-proof these cards will be.

One key argument is how easily the card’s data could be read by a thief, who could then presumably use the information to either steal the customer’s identity or create a bogus duplicate of the card to make fraudulent purchases. The ambitious bandit might even try both.

Security issues are a crucial concern surrounding credit cards, with several recent, highly publicized break-ins making consumers nervous.

The most recent report came on Friday, when MasterCard International reported that a security breach of credit card payment data had exposed about 40 million cards of all brands to potential fraud in what one analyst said was the biggest privacy breach ever.

7-Eleven is taking the retail leadership role in advancing contactless payment. To hear eWEEK.com audio of the convenience store chain’s CIO discussing the move, click here.

Contactless advocates have argued that current contactless readers can only “see” the RF chip when it’s two inches away, making unauthorized scanning for customer data quite difficult.

That two-inch argument was touted recently by 7-Eleven CIO Keith Morrow, who pointed to it as a key anti-fraud fact.

That distance varies sharply, though, depending on the equipment used to do the testing.

Shell Canada, for example, performed some of its contactless testing using the high-powered antennae that it believed thieves would use, said Mike Cooper, the $2.4 billion Canadian petroleum giant’s adviser for network development engineering.

The kind of low-frequency tags popular in the United States “we could read at a distance of 10 meters,” which is about 33 feet, Cooper said.

He contrasted those with the high-frequency tags used by Shell Canada, which he said could be read—with that same high-powered antennae—from about 26 inches away.

Retailers are facing strict new credit card security requirements at the end of this month, from Visa and others. To read more, click here.

The high-frequency tags “can be read from a shorter distance, so it’s more difficult to snoop,” Cooper said.

Chase officials disagree with the distance issue, but referred questions to Visa, one of its contactless card partners.

But Chase officials did say that the distance argument is irrelevant for their cards and customers because of several security measures—including 128-bit and triple DES encryption—that would make any improperly captured data useless.

“Even if you could skim it, with every transaction, the [authorization] code changes and that code is needed for an authorization,” said David Chamberlin, first vice president for external communications at Chase Card Services.

Chase’s contactless card rollout has already started in Georgia and Colorado and is expected to be in the hands of about 2 million cardholders by the end of the summer, Chamberlin said.

Although he wouldn’t discuss the total projected contactless installed base numbers for next year, he said that Chase plans on shipping the cards to about “five or six more markets by the end of the first quarter” of next year and that the typical market will include about 1 million cardholders. That would suggest that Chase will have about 8 million cards in circulation by the end of March 2006, out of its current 94 million card members.

When factoring in moves by American Express and other credit card companies who have made similar commitments to contactless, the market for contactless could become substantial earlier than had been predicted.

Chase’s contactless credit card efforts are substantial, but can it overcome the security perception albatross? To find out, click here.

Chase will issue contactless cards to any current cardholder who requests them, Chamberlin said, but Chase’s rollout preference is to not move into markets until a sufficient number of retailers have been outfitted with the necessary equipment.

It would be pointless and potentially self-destructive to give lots of customers contactless cards if there are no—or very few—retailers where they can be used, he said. It would be akin to issuing ATM cards in an area where there are no ATMs.

Chamberlin points to several security factors, including Chase’s “zero liability policy,” which protects consumers but not necessarily the retailers.

The new contactless cards do have changeable authorization codes, but those are nothing new and not particular to contactless cards, said Patrick Gauthier, senior vice president for emerging products development at Visa.

Next Page: Visa defends its security procedures.

Latest Articles