Contactless Cards: Are Privacy Jitters Legit?

Americans are using a controversial new microchip technology in some new credit and debit cards to make it easier and quicker to purchase groceries, cigarettes and gasoline. In addition, the cards tie those purchases into the supply chain more rapidly with a flick of the wrist.

Backed by powerhouses American Express, Visa and MasterCard, contactless credit and debit cards use Radio Frequency Identification (RFID) technology that replaces the magnetic stripe used to authorize the card for purchases. It’s called contactless because the microchip doesn’t require swiping like the magnetic stripe does; it only requires the card be within four inches of a unique reader that uses radio waves to activate it.

Multi-Layered Approach

While the cards are a boon to merchants and are part of a large new RFID industry — from manufacturers who make the tags and readers to software companies that create data analytics for ROI — the technology also presents some security concerns as merchants may have the ability to track goods and services more closely than some would like.

Defenders say RFID doesn’t infringe on any more privacy than earlier technology does.

There are multiple layers of security in the contactless cards, according to Peter Stefanopoulos, vice president of merchant and consumer marketing for advanced payments enterprise development at American Express. The card must be within four inches of the reader so that it can’t go off accidentally.

Secondly, the card transmits a code, rather than the holder’s account number, to the reader. That may make the contactless card more secure than the magnetic stripe card, which actually does transmit the account number. The data transmitted is also encrypted.

American Express began its pilot program in 2002 with 450 merchants, and now has 25,000 merchant locations, according to Stefanopoulos. Nearly half of those come from McDonald’s, its largest merchant partner, with 12,000 locations. The cards are also accepted at other quick-service restaurants, pharmacies such as CVS, convenience stores such as 7-11, and supermarkets nationwide.

Right now American Express offers the technology on its Blue Card and Clear Card portfolios. The company doesn’t offer a debit card, but Visa and MasterCard are using RFID on their debit and credit card lineups. Not all banks are offering the new technology in their cards — at least not yet.

No Humans

RFID is also replacing bar codes in supply chains, especially since Wal-Mart mandated that all of its suppliers start using it. Cost savings and personnel efficiencies are primary among its advantages.

“RFID doesn’t require human intervention,” said Dr. Pedro Reyes, Ph.D., assistant professor at the Hankamer School of Business at Baylor University. The limitation of the bar code system is that it’s line-of-sight technology, but RFID is not. With a bar code, only one item can be scanned at a time, and it requires a person to do it. RFID can read hundreds of items simultaneously, he told TechNewsWorld.

RFID-enabled credit and debit cards may also be integrated into the supply chain, and transactions are processed in real-time. That integration holds out one of the biggest promises of RFID technology.

“Contactless payments in isolation, as with any technology, or any consumer tool … does not fulfill its true potential,” said John Greaves, vice president, RFID Global Group, NCR. His firm provides RFID software and services, including data analytics packages surrounding RFID technology. It does not manufacture readers or tags. “Consumer transactions from product information exchange has existed for years, but RFID does it faster,” Greaves said.

One benefit the consumer sees immediately is that contactless cards don’t require a signature for purchases under US$25, making purchases — and lines — move more quickly. “Consumers conducting transaction with Express Pay (American Express’ contactless cards) were able to conduct transactions 53 to 63 percent faster than with cash,” Stefanopoulos said. Moving people through checkout lines more rapidly is one reason the cards appeal so much to fast food restaurants such as McDonald’s.

Consumer Vulnerability

Banks are liable for that $25 if the card is used fraudulently, said Stefanopoulos. All the same rules and regulations that apply to credit and debit cards apply to contactless cards, he said.

Security experts, however, focus on whether the contactless technology is secure from hackers and viruses. “Think of the security issues with computer and viruses; that will exist with RFID,” Reyes said.

In addition, privacy advocates worry about whether RFID technology leaves consumers more vulnerable to identity and privacy theft.

Nothing is being done with RFID that isn’t already being done with credit cards today, say defenders of the technology. “There is nothing RFID provides that is not currently [being provided] about a consumer, about a purchase, about a location, about an event, about a credit rating, anything at all,” Greaves said.

Reyes agreed. “These fears that are being associated with RFID already exist with other technologies such as credit cards and cell phones and such,” he stated.

“The consumer’s privacy has been at risk ever since we’ve had credit cards,” Reyes said, because the credit card companies already collect data on consumer buying behavior. Also, cell phones have Global Positioning System (GPS), and supermarkets track buying patterns with rewards cards and issue bounce-back coupons at the point of sale.

Stefanopoulos, for one, prefers to call the technology simply RF, and takes exception to the ID nomenclature. “There’s no ID function in this technology,” he said.

1 Comment

  • It’s nice to know that banks are applying encryption and other security measures to these cards. It’s also good that there is a maximum liability safety net in case of fraud. However, as time goes on people will figure out how to get past the security measures. They already have figured out how to boost RFID reading range by using specialized equipment. If you have one of these cards in your pocket, you should consider something like an RFID Shield to keep your data secure.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by Robin Hohman
More in Privacy

Technewsworld Channels