Data Insecurity
Part 7
In the lore of payments innovations, there's a maxim that seems to always hold true: Before you ever reach critical mass, beware of the New York Times article that raises questions about your security or operability. If you can't weather that storm, your payments innovation will hit some unexpected air pockets.
Perhaps that's what happened to contactless payments. Thanks to an enlightened push by MasterCard Worldwide and ViVOtech Inc. on their PayPass contactless program, excitement about tap-and-go payments was building to a crescendo by this time last year. Many industry pundits were predicting that contactless payments, whether made with credit cards carrying embedded antennae or special radio-wave receiving fobs, would overcome the hurdles that torpedoed smart cards a decade before. It was fun, cool, safe, and easy, at a manageable expense.
Then, on Oct. 23, a New York Times article by John Schwartz came out. Titled “Researchers See Privacy Pitfalls in No-Swipe Credit Cards,” the story told of Harvard researchers who built a radio-wave receiver from $150 in spare computer and hobby parts that captured the equivalent of mag-stripe account information (name, account number, expiration date) when they tapped it with an envelope containing a credit card with an RFID microchip embedded inside. Payment card companies immediately cried foul, protesting that they used 128-bit encryption and other security features to protect their contactless devices. But the Harvard researchers tested 20 cards actually issued by three payment brands, and each and every one was exposed.
Although there had been earlier studies that revealed potential, mostly theoretical security flaws in RFID transmission, once the story made the pages of the Gray Lady, there was hell to pay. A variety of groups called for termination of the use of microchips for payment. Other groups raced to devise mechanisms for disabling the microchips.
A German group called FoeBud, which describes itself as a “civil-rights group for the digital age,” created an online catalog of “RFID-busting” products, including the equivalent of a hole-puncher for antenna-bearing cards ($7), and a copper bracelet with a red light that blinks when in range of an RFID scanner ($18). A story in the Wall Street Journal reported that some consumers were whacking their contactless credit cards with hammers, or sticking them in their microwave ovens, in order to eliminate the RFID transmission.
In a 2006 report, Jupiter Research cut its forecast of contactless cards issued for 2009 by almost 70% compared to a forecast it made in 2004 (down to 126 million cards from 396 million). It also cut its projection of contactless's share of purchases by 75% (from 2.9% of all purchases by 2009 to 0.7%). For 2006, fewer than 20 million cards had been issued, and, depending on whose numbers you used, only 10,000 to 20,000 merchant locations were accepting them for payment.
So, quickly, and to some, mysteriously, the bloom came off contactless. Until then, the public enthusiasm for contactless had been unbridled. Or was it? Private research surfaced in late 2006 showing that a fair proportion of consumers felt squirrelly about using them, even though it was pointed out that contactless at least required a reader to gain access to the account information, versus an ordinary mag-stripe card, where the account number and expiration date and even the Cardholder Verification Number (CVN) are on prominent visual display on the card to anyone who happens to get their hands on it. More than a few consumers wondered whether the crooks would be able to carry around an RFID receiver, perhaps in their pockets, and just troll the checkout lanes for available credentials.
Today, you generally have to be within a couple of inches of the microchip to read it; tomorrow, with ever-expanding technological sophistication, would it be possible to intercept account credentials from a foot away? Or from an adjacent cashier station? Or even from out in the parking lot?
Proponents of contactless, led by MasterCard, point out that there are plenty of security options available to contactless issuers, if they choose to require and deploy them. And generally, in the early part of the life cycle for new-product adoption, deployers tend to go with minimum security to avoid impeding convenience, then beef up the protection as needed. There's even been a push from inside the industry to add a standard PIN-debit authentication option for deployment, at least for transactions exceeding $25 (for the most part, transactions less than $25 require neither a signature nor a PIN today). That additional requirement would largely eliminate the 5-to-7-second time savings over swiping a mag-stripe card, but it would have the substantial benefit of not only reassuring consumers that their account information will be safer, but also offering accepting retailers the option of doing PIN-debit transactions with the devices, which might produce significant savings in interchange (depending on how PIN-debit options are priced).
But you have to wonder at this point whether the perception of going light on security early on might have dealt this payment innovation a serious body blow. The old chicken-and-egg adoption issues are front-and-center now. Consumers are holding back and wondering where the merchants are. And merchants cite fear of fraud as only the third highest inhibitor for their adoption, according to the Market Platform Dynamics 2006 Gen XY survey. Lack of cards in circulation and a lack of a compelling business case (namely transaction pricing) were bigger concerns for them.
In payments, convenience might trump security, and security often outweighs utility. But economics tops them all.
—Steve Mott