Academic claims contactless payments pose data security risk

The rise of contactless payment systems, which use RFID technology to transmit customer credit card information to a retailer's reading device, is posing a substantial risk of fraud and the theft of personal data, experts have warned.

Visa, MasterCard and other card companies are claiming that systems used by retailers will generally be secure enough to make contactless payment work safely. They have begun trialling a number of uses of the technology in the UK and around the world.

The technology is designed to allow quick and easy payments or around 10 or 20 to be made by cards with no signature required.

But security researcher Professor Kevin Fu of the University of Massachusetts says a lot of today's contactless systems are transmitting credit card account numbers 'in the clear', without any encryption.

"Without more robust systems, current RFID credit cards are vulnerable to personal information disclosure and cross-contamination of information," he said. "Financial companies must not only think about fraud, but also about other consumer rights and concerns. Mechanisms for fixing most of these vulnerabilities already exist."

"The much vaunted 'cashless society' is rapidly approaching," commented Ian White, EMEA compliance practice leader at security vendor Cybertrust. "Contactless payments technology offers retailers and consumers alike significant benefits in ease of use and reduced costs, but raises significant information security issues that retailers of all sizes must be prepared to address if the market is to be driven forward."

He says the new technology will make a growing band of retailers suddenly subject to the demands of the Payment Card Industry Data Security Standard (PCI DSS).

"This mandate applies tight guidelines on the management and storage of customer information and credit details - such as PIN numbers - to reduce the risks of identity theft and fraud," he says.

"In a climate of growing consumer data security awareness, retailers need to be aware of the requirements of the PCI DSS and potential changes they will need to make to their policies, processes and technologies if they are to securely exploit the rapidly emerging contactless payment technology," he adds.