Academic claims contactless payments pose data security risk

With the number of trials of contactless payment cards groing, a leading academic security researcher has raised concerns over the level of data security in place to safeguard sensitive information during the transaction.

The rise of contactless payment systems, which use RFID technology to transmit customer credit card information to a retailer's reading device, is posing a substantial risk of fraud and the theft of personal data, experts have warned.

Visa, MasterCard and other card companies are claiming that systems used by retailers will generally be secure enough to make contactless payment work safely. They have begun trialling a number of uses of the technology in the UK and around the world.

The technology is designed to allow quick and easy payments or around 10 or 20 to be made by cards with no signature required.

But security researcher Professor Kevin Fu of the University of Massachusetts says a lot of today's contactless systems are transmitting credit card account numbers 'in the clear', without any encryption.

"Without more robust systems, current RFID credit cards are vulnerable to personal information disclosure and cross-contamination of information," he said. "Financial companies must not only think about fraud, but also about other consumer rights and concerns. Mechanisms for fixing most of these vulnerabilities already exist."

"The much vaunted 'cashless society' is rapidly approaching," commented Ian White, EMEA compliance practice leader at security vendor Cybertrust. "Contactless payments technology offers retailers and consumers alike significant benefits in ease of use and reduced costs, but raises significant information security issues that retailers of all sizes must be prepared to address if the market is to be driven forward."

He says the new technology will make a growing band of retailers suddenly subject to the demands of the Payment Card Industry Data Security Standard (PCI DSS).

"This mandate applies tight guidelines on the management and storage of customer information and credit details - such as PIN numbers - to reduce the risks of identity theft and fraud," he says.

"In a climate of growing consumer data security awareness, retailers need to be aware of the requirements of the PCI DSS and potential changes they will need to make to their policies, processes and technologies if they are to securely exploit the rapidly emerging contactless payment technology," he adds.

Featured Resources

Report: The State of Software Security

This annual report explores important trends in software security

Download now

A fast guide to finding your cloud solution

One size doesn't fit all in the cloud, so how do you find the best option for your business?

Download now

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Small & Medium Business Trends Report

Insights from 2,000+ business owners and leaders worldwide

Download now


internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular


How to use Chromecast without Wi-Fi

5 Feb 2020

Coronavirus starts to take its toll on the tech industry

6 Feb 2020

The top ten password-cracking techniques used by hackers

10 Feb 2020
Microsoft Windows

Windows 7 bug blocks users from shutting down their PCs

10 Feb 2020