Academic claims contactless payments pose data security risk

With the number of trials of contactless payment cards groing, a leading academic security researcher has raised concerns over the level of data security in place to safeguard sensitive information during the transaction.

The rise of contactless payment systems, which use RFID technology to transmit customer credit card information to a retailer's reading device, is posing a substantial risk of fraud and the theft of personal data, experts have warned.

Visa, MasterCard and other card companies are claiming that systems used by retailers will generally be secure enough to make contactless payment work safely. They have begun trialling a number of uses of the technology in the UK and around the world.

The technology is designed to allow quick and easy payments or around 10 or 20 to be made by cards with no signature required.

But security researcher Professor Kevin Fu of the University of Massachusetts says a lot of today's contactless systems are transmitting credit card account numbers 'in the clear', without any encryption.

"Without more robust systems, current RFID credit cards are vulnerable to personal information disclosure and cross-contamination of information," he said. "Financial companies must not only think about fraud, but also about other consumer rights and concerns. Mechanisms for fixing most of these vulnerabilities already exist."

"The much vaunted 'cashless society' is rapidly approaching," commented Ian White, EMEA compliance practice leader at security vendor Cybertrust. "Contactless payments technology offers retailers and consumers alike significant benefits in ease of use and reduced costs, but raises significant information security issues that retailers of all sizes must be prepared to address if the market is to be driven forward."

He says the new technology will make a growing band of retailers suddenly subject to the demands of the Payment Card Industry Data Security Standard (PCI DSS).

"This mandate applies tight guidelines on the management and storage of customer information and credit details - such as PIN numbers - to reduce the risks of identity theft and fraud," he says.

"In a climate of growing consumer data security awareness, retailers need to be aware of the requirements of the PCI DSS and potential changes they will need to make to their policies, processes and technologies if they are to securely exploit the rapidly emerging contactless payment technology," he adds.

Featured Resources

Shining light on new 'cool' cloud technologies and their drawbacks

IONOS Cloud Up! Summit, Cloud Technology Session with Russell Barley

Watch now

Build mobile and web apps faster

Three proven tips to accelerate modern app development

Free download

Reduce the carbon footprint of IT operations up to 88%

A carbon reduction opportunity

Free Download

Comparing serverless and server-based technologies

Determining the total cost of ownership

Free download

Most Popular

How to move Microsoft's Windows 11 from a hard drive to an SSD
Microsoft Windows

How to move Microsoft's Windows 11 from a hard drive to an SSD

24 Nov 2021
What should you really be asking about your remote access software?

What should you really be asking about your remote access software?

17 Nov 2021
Best MDM solutions 2020
mobile device management (MDM)

Best MDM solutions 2020

12 Nov 2021