Monday, September 12, 2005

Push card to pay?

I have been working diligently for my employer on securing payments. When I saw this article today I thought it was time to post my thoughts. My noble fellow is trying to solve a problem that does not exist and is likely not to exist due to the design of payment card application.

Payment cards are not RFID tags that spit out payment data when they are powered on. These cards have specific commands and responses that a novice would not know to get the card to release payment information. Let’s assume you do 'get' a payment reader and make it 'mobile' for pickpocket attacks in a crowded bus or train as suggested, then the security lies in the information being passed by the card. These cards generate and pass one time cryptographic signatures that can be tied to transaction amount and other transaction specific elements. Let’s assume you do get through all that and you get a account number, now how do you commit fraud with that? How do you find out who the issuing bank is from a 16 digit number in order to change the mailing address? how do you get the social security number for a credit card number?

First off you should know the contactless cards are not being deployed because there was a problem of fraud with magnetic stripe cards in the US market. It was a differentiating factor to get 'early adopter' segment of the population to switch issuers. The business reasoning was invented after the fact to justify the decision by the large issuers. The very early Chase project in Texas was using Unique ID from a TI chip on the back of a Nokia phone that was sent to a server, then the server was translating the chip id to a payment account number in a for processing. Is that any more secured than magnetic stripe?

Secondly, the whole value marketing proposition of contactless payment cards is based on quick transactions. In regions around the world, consumers are paying for their transit fare without taking the card out of the wallet. As they acquire contactless payment cards, they would expect the same results, and yet with a switch or even worse biometrics that would be inconvenient to say the least.

The gentleman's suggestion to solve the problem will increase the cost of the cards and reduce throughput significantly at production facilities. The credit card production facilities are not like the fabs for RFID tags for Wal-Mart. Credit cards are manufactured in secure facilities long before anyone's data is even on the cards. The introduction of the switch is being discussed by some of the card manufacturing firms already, but the problem is it’s not cheap, easy or production ready.

The change to embed the switch will cost everyone more, card manufacturers, card personalizer and card issuers. Secondly, with the switch and all its connections the card will need to be very sturdy to last at least 3 years in wallets, ATM machines, ice scraping use and much more abuse.

There needs to be a cost benefit analysis that shows that we have a problem that requires a switch to be solved. I would end this post by saying, to the outside world that payment cards is a secure cards, view from the inside is that we are in risk management business and not risk elimination. When and if the benefits outweigh the cost significantly enough, that is when the payment or banking world adopts new concepts.

1 comment:

Anonymous said...

Hi
Nice initiative!
Do you know any other blogs like this ?
Please check out my site epayresearch.com