Where next for U.K. cards?

[Dave Birch] In an article about the immediate future of credit cards in the U.K., which I found via the Sun newspaper I think (it’s a key source of financial insight…), the commentator focuses on dull subjects such as the continuing popularity of balance transfer deals — though these seem to me to encourage, rather than, “stop rate tarts”. For foreign viewers, I should explain that a rate tart (eg, me) is someone who takes a zero-interest balance transfer deal from a card issuer, never uses the card, and then switches to another zero-interest balance transfer deal at the end of the term. And why not? If a bank sends me a letter saying “please have some free money”, then of course I’ll tick the box marked “yes”. Anyway, what caught my eye was the comment that the only thing likely to change the market will be some genuine innovation (a topic of some discussion previously). The article goes on to say that

Perhaps Barclaycard’s upcoming Oyster/contactless payment/credit-card combo [he means the OnePulse card] will do that, at least for the London market. I expect it to significantly increase people’s spending, just as credit and debit cards did. Other providers will see its impact and will want to work on similar technology and infrastructure as fast as they can — if they can.

I think it’s fair to observe that in the case of Oyster, they can’t (because the deal with Barclays is exclusive for an initial period). But perhaps the author is right that contactless will spark off some new products — as it has in the U.S., where Visa USA has just announced the Micro Tag, a contactless keyring (like the PayPass fob and the American Express companion fob) instead of cards to pay for purchases under $25 by waving the device in front of a contactless payment terminal. Sadly, we can’t use these in the U.K. — for technical reasons to do with transactions being online, PINs, EMV scripts and such like — but we don’t especially need to worry about this, because there’s no doubt in my mind that the preferred contactless doo-dah (sorry for the technical argot) for most consumers, in most of the world, is their own phone.

Technorati Tags: contactless, credit cards, debit cards, fraud, security

Another prediction that could have been made by the Sun pundit — especially had they listened to some of the first customer and merchant responses in this BBC report (starts 26 minutes in) — might well have been the import of contactless panic from the U.S., where people are destroying the contactless chips in their cards:

I was out at dinner with a friend in the States earlier this year and I noticed that his credit card had a hole in it, approximately hole-punch size. I wanted to know — was this some new card feature? Turns out that, when he received his new Mastercard in the mail and found that it had a Paypass RFID chip on it, he took a hole punch to it and punched it out. Why? Because, as widely reported and summarized here, there are very legitimate privacy concerns associated with RFID technologies.

My pet hate. Equating contactless payment technology with the (in the U.S. market anyway, scary mark-of-the-beast) RFID technology. It’s fair enough to raise security concerns for discussion, but confusing the technology used in contactless payment cards with the technology used for tracking pallets of baked beans gets us (ie, the industry, consumers and activists) into the wrong conversation.

A subset of Americans really do not like contactless, for whatever reason, and we’re not going to change their minds with pie charts. But plenty do like it, and they are encountering different problems. Such as: never mind a hole punch in a card, what do you use to render a keyfob harmless? Especially if you are someone who takes identity theft so seriously that you cut up old credit cards and gradually mix the pieces into the garbage over several days to make it difficult for even a dedicated attacker to get information from the cards. Citibank apparently sent this concerned citizen a new credit card and a new PayPass key fob. As usual, she cut up the old credit card. But she couldn’t figure out how to destroy the thick, durable key fob. Of course, if both the card and the keyfob gave up a per-device alias PAN through the contactless interface (as we have consistently advised: this isn’t dreary hindsight dressed up as consultancy!) then there wouldn’t be a problem, because the keyfob and card chips can’t be counterfeited.

But back to the point. Are these security concerns really affecting the roll-out of contactless cards? Someone whose opinions I always take seriously, Steve Mott, says that they are and points the finger specifically at the New York Times story as a turning point in the story of contactless in the U.S. As you will recall, researchers who built a contactless reader and used it to obtain track 2 data from credit cards inside envelopes. This data could be used to make counterfeit magnetic stripe cards. I think Steve may be wrong when he says that all brands were exposed, because if memory serves the American Express cards gave up alias PANs and not card PANs (although the researchers wouldn’t have kn own that, because they just see them as PANs, if you see what I mean) but nonetheless the damage was done. Although other researchers, the banks, the suppliers and others already knew all about this issue, once it made the Grey Lady there was, as Steve says, hell to pay.

The report was soon followed by a Wall Street Journal story about consumers putting their cards in microwave ovens and so forth. But is Steve right to attribute the subsequent downward revision of contactless card forecasts to these stories? Were consumers really more worried about using cards with contactless interfaces than using cards without them, even though both types have the cardholder name, PAN, expiration date and CVV clearly written on them for anyone who can read to steal? Well, no-one has the right to demand rationality from consumers, who have (as I’ve said above) perfectly reasonable security concerns. Consumer education has to be part of the rollout plan: certainly, consumers in London (where the roll-out began last month) are raising the obvious issue: what happens if someone steals my card? The banks are dealing with this by being admirably clear and specific, telling consumers: it’s not your problem, don’t worry about it. But when Steve asks whether the perception of going light on security early on might have rendered a “serious body blow” to contactless, I think I’d answer that a big part of the scare doesn’t come from genuine worries about the security of contactless transactions but from emotional responses to that labelling of contactless transactions as “RFID”. For an expert view, let’s see what the Charles Bronson, Florida state Commissioner of Agriculture and Consumer Services has to say:

with the right technology, a hacker could walk into a crowded room and get ID information from dozens of people if they were carrying RFID-type cards… the cards should be carried in special mesh-type paper sleeves that block radio transmissions… Another way, he added, is to use a wallet that’s been rated as scanner-proof.

Wise counsel indeed. But if this actually happened (it hasn’t — you can’t light up the chips in the cards from more than a few centimetres away) then it’s simple to fix. Just change the cards so that all this “ID information” consists of is alias PANs readable. You can’t use them to create counterfeit cards and you can’t submit them to contactless terminals (because you can’t forge the digital signature that is needed). Please, let’s keep some perspective.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]