Follow the pain

[Dave Birch] Our friends over at PYMNTS have been asking an interesting question:

What is the biggest reason why contactless payment cards are not moving further along?

[From Why Hasn’t Contactless Ignited: PYMNTS Community Fires Back – pymnts.com]

They’ve had a lot of different answers, and it’s well worth looking through the various comments. I remain convinced that one of the biggest problems is the mismatch between bank channels and cash-replacement locations. In other words, cash doesn’t work properly in some locations, and this ought to be an opportunity to replace it. Someone commenting on the question said that “if it ‘aint broke, don’t fix it”. Well…

IMG_0038

This was the scene on Clapham Junction station. I didn’t get my chocolate bar, they didn’t get a sale. This is where cash is a pain, and where contactless ought to be an alternative. In fact, there are plenty of places where cash is a pain: the car park, the vending machine, the bus, the stupid Smart Carte machine at San Francisco airport, and none of them take contactless. My dry cleaner does take contactless, but I’m sure his terminal will never, ever be used. At the Mobile Payments and Commerce conference in Brussels last year, I heard a lovely phrase from Christian Sere-Annichini. He was talking about low-value payments for parking meters, vending machines, newspapers, that kind of thing, and he called it “street commerce”. An ideally descriptive phrase, you know immediately what it means. I think I use it in every presentation on low-value, cash-replacement strategies from now on: s-commerce.

I wonder, though, if another problem — apart from the failure to address s-commerce — might be that it has proved difficult to communicate to the general public how contactless cards work and what the benefits might be. Therefore, I thought it might be useful to look to see what the public’s concerns are and try harder to answer them.

How does it work? Contactless cards use short-range wireless technology. The reader at the till picks up a signal from your card when it’s very close.

[From Contactless payments: Time to wave goodbye to cash | Money | The Guardian]

Well, not really. The cards have no power: they pick up power from the till and then respond to commands from the till. They don’t send out a signal until they’ve been powered by the till.

The retailer has to enter the amount for you to approve, you then have to hold your card in front of the reader at precisely the right time – and for more than half a second. The reader display will confirm your transaction.

[From Contactless payments: Time to wave goodbye to cash | Money | The Guardian]

I don’t know where the “half a second” thing comes from, the transactions are faster than that, and the reader will prompt when it is expecting a card. Admittedly, the issue about the retailer having to enter the amount is really, really annoying as it means that they have to mess about pressing buttons, which slows everything down.

But what if someone steals my card? To combat the risk of a thief going on a contactless spending spree, cardholders will, when they hit a certain number of transactions or amount of spending, have to enter their pin the next time they pay, typically, each time they rack up £50 spending.

[From Contactless payments: Time to wave goodbye to cash | Money | The Guardian]

As a contactless card holder, I can genuinely say that I don’t care, since it’s the banks’ problem and not mine. But nevertheless, this is a genuine concern for members of the general public and we do need to deal with the fact that journalists (in particular) really like to recycle stories about contactless card insecurity. Remember this?

the crew at BoingBoing TV has posted up a little demo of how easy cracking the RFID encryption on an American Express card can be. All it takes is an $8 dollar reader easily available on eBay

[From RFID credit cards easily hacked with $8 reader – Engadget]

I don’t understand the psychology, obviously, but it seems to be a case of a story that journalists want to hear, if you see what I mean. As a consequence, everything gets framed in terms of stupid banks (who, it appears, have spent millions developing a system that can be trivially-defrauded) and clever hackers who are sticking it to the man.

In some organizations, RFID cards aren’t just for entering doors; they’re also used to access computers. And in the case of RFID-enabled credit cards, RFID researcher Chris Paget, who gave a talk at DefCon, says the chips contain all the information someone needs to clone the card and make fraudulent charges on it

[From Feds at DefCon Alarmed After RFIDs Scanned | Threat Level | Wired.com]

Once again: you cannot “clone” a contactless card with this information and you cannot create a counterfeit magnetic stripe card because the “track 2 equivalent” data in the chip is not the same as the actual magnetic stripe track 2 data. Yes, data can be read from a contactless card, but it cannot be used to create another card!

RFID credit cards surfaced in Canada since 2006, when MasterCard started aggressively pushing its PayPass cards. Today, about 90 per cent of MasterCards in the country are RFID-enabled and the company aims for 100 per cent by the end of the year, said Scott Lapstra, vice-president of market development for MasterCard Canada.

[From CBC News – Consumer Life – New credit cards pose security problem]

Oh no! So many Canadians are already at risk from large-scale identity theft! All you have to do it walk down the road with an $8 reader and you can get the all of the card details that you like and then use them to go on a spending spree. Actually, no. You have to read a lot further down the article to find out that

The MasterCards in Johanson’s demonstrations were of a later model and didn’t cough up their cardholders’ names.

[From CBC News – Consumer Life – New credit cards pose security problem]

So let’s review. You can’t use the data to create a counterfeit magnetic stripe card and you can’t use the data to create a clone contactless card. But you can get readers for an alleged $8 — great, I’ll take ten. But that’s not what the public take away from this. It’s up to us to work harder to get the message across if we want contactless take-up to accelerate.


Subscribe to our newsletter

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

By accepting the Terms, you consent to Consult Hyperion communicating with you regarding our events, reports and services through our regular newsletter. You can unsubscribe anytime through our newsletters or by emailing us.