IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Academic claims contactless payments pose data security risk

With the number of trials of contactless payment cards groing, a leading academic security researcher has raised concerns over the level of data security in place to safeguard sensitive information during the transaction.

The rise of contactless payment systems, which use RFID technology to transmit customer credit card information to a retailer's reading device, is posing a substantial risk of fraud and the theft of personal data, experts have warned.

Visa, MasterCard and other card companies are claiming that systems used by retailers will generally be secure enough to make contactless payment work safely. They have begun trialling a number of uses of the technology in the UK and around the world.

The technology is designed to allow quick and easy payments or around 10 or 20 to be made by cards with no signature required.

But security researcher Professor Kevin Fu of the University of Massachusetts says a lot of today's contactless systems are transmitting credit card account numbers 'in the clear', without any encryption.

"Without more robust systems, current RFID credit cards are vulnerable to personal information disclosure and cross-contamination of information," he said. "Financial companies must not only think about fraud, but also about other consumer rights and concerns. Mechanisms for fixing most of these vulnerabilities already exist."

"The much vaunted 'cashless society' is rapidly approaching," commented Ian White, EMEA compliance practice leader at security vendor Cybertrust. "Contactless payments technology offers retailers and consumers alike significant benefits in ease of use and reduced costs, but raises significant information security issues that retailers of all sizes must be prepared to address if the market is to be driven forward."

He says the new technology will make a growing band of retailers suddenly subject to the demands of the Payment Card Industry Data Security Standard (PCI DSS).

"This mandate applies tight guidelines on the management and storage of customer information and credit details - such as PIN numbers - to reduce the risks of identity theft and fraud," he says.

"In a climate of growing consumer data security awareness, retailers need to be aware of the requirements of the PCI DSS and potential changes they will need to make to their policies, processes and technologies if they are to securely exploit the rapidly emerging contactless payment technology," he adds.

Featured Resources

Four strategies for building a hybrid workplace that works

All indications are that the future of work is hybrid, if it's not here already

Free webinar

The digital marketer’s guide to contextual insights and trends

How to use contextual intelligence to uncover new insights and inform strategies

Free Download

Ransomware and Microsoft 365 for business

What you need to know about reducing ransomware risk

Free Download

Building a modern strategy for analytics and machine learning success

Turning into business value

Free Download

Most Popular

Windows Server admins say latest Patch Tuesday broke authentication policies
Server & storage

Windows Server admins say latest Patch Tuesday broke authentication policies

12 May 2022
Russian hackers declare war on 10 countries after failed Eurovision DDoS attack
hacking

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack

16 May 2022
IT admin deletes company’s databases and is jailed for seven years
Policy & legislation

IT admin deletes company’s databases and is jailed for seven years

16 May 2022