Contactless Cards A Security Risk?

This past Monday, we blogged about the fact that debit card fraud is dropping in Canada, thanks, in part, to the new chip card system. Credit cards, which as of last year started adopting the same technology, are now asking customers to enter PIN codes to help prevent fraudulent charges. Most people have already had their cards change to include this new feature.

Yesterday, Stefania Moretti of QMI Agency reported that Visa Canada has been working on technique that has the intent of making purchases more convenient to credit card holders. Visa payWave cards make it so that no signatures or PIN are necessary. However, these contactless cards raise questions about preventing credit card fraud or “skimming”. Doesn’t this make it easier for fraudsters to rip people off?

Earlier this week, Scotiabank, TD and Royal Bank all agreed to offer Visa payWave credit cards that “use tiny radio frequency identification antennas and don’t need to be inserted into merchant terminals. Instead, cardholders simply tap or wave their card in front of the terminal.”

Moretti goes on to explain that these contactless cards promise to cut the wait times at checkouts since both signatures and PIN codes won’t be necessary. A simple swipe or passing of the card for any transaction under $50 is all a customer will have to do. Sounds like a really convenient option, doesn’t it?

The problem, of course, is that criminals can apparently clone credit card numbers and expiry dates by simply getting a card reader. These readers are easy to find on the internet, notes Moretti. Gord Jamieson, the director of risk management and security at Visa Canada, has said that there have been no reported instances of fraud from payWave cards yet.

Explains Jamieson: “There is a remote risk that data could be intercepted but we have multiple layers of security that really address that potential, limited risk.” In addition, Visa insists that their cardholders are never expected to pay for fraudulent transactions as they will work to dispute such charges.

As well, Moretti explains that “along with transmitting basic credit card information, Visa cards generate dynamic codes that change with each transaction so the reuse potential of stolen data is limited and they do not transmit cardholder names.” The contactless cards have a radio frequency symbol to communicate this trait.