A great deal of public discussion is currently going on regarding credit cards which have RFID technology. Many people don’t know what it is, how it works, or what it is for. In brief, RFID stands for Radio Frequency Identification, which involves an “RF tag” and a “reader”. These components allow for what the industry calls “contactless payments”.
- In 2005 JP Morgan Chase introduced their RF Credit Card and coined the term “Blink” technology. These “contactless” cards could be simply waved in front of a special reader or swiped through a traditional terminal.
- An RFID Credit Card is a standard credit card with a Radio Frequency Microprocessor embedded in it. At its most basic level it is nothing more than a “Read Only” Chip with your personal credit card information embedded in it which can be read by an “RFID Enabled Point of Sale Terminal”.
It has been said that the RFID chip contains all of your pertinent account information, such as your name, your account number and the expiration date of your card (more about this later).
The apparent benefits of RFID credit card transactions are convenience, speed and the elimination of employee contact with the card. To minimize accidental reading of these cards, they are designed to be read at a distance of 1 – 4 inches from the reader.
There is current public concern as to whether RFID cards can be “hi-jacked” by use of an unauthorized RFID scanner, and then the information used for fraudulent purposes. It is important to note that there are two parts to this process: Scanning the card to retrieve the information, and then being able to use the retrieved information to make a fraudulent financial transaction. The implication in recent media articles is that it is easy to “hi-jack” the RFID information, and that it is easy to then use this information to make fraudulent purchases.
Here is a bit about what the RFID can and cannot do:
Ability to scan the RFID enabled cards:
- Scanners that can “read” the RFID cards are available to merchants and the general public.
- These scanners can interrogate the RFID card, and retrieve the information provided by the RFID chip on the card.
- This is a fairly simple process, and can certainly be done without the card owner knowing that it has been done.
Ability to use the retrieved information for fraudulent purchases:
- The assumption is that the RFID chip provides the same information that is embedded in the magnetic stripe, which is what is read when a credit card is swiped in the traditional way. So, if the RFID chip can be read, then the perpetrator has the ability to use that information to make fraudulent purchases.
- Some RFID card manufacturers have implemented security features which make it difficult or impossible to use the “hi-jacked” information to make a fraudulent transaction.
For contactless payments (RFID), the financial industry uses added security technology, both on the contactless device (RFID card), as well as in the processing network and system to prevent fraud. While implementations differ among issuers, examples of security measures that are being used include the following:
- Industry standard encryption. At the card level, each contactless card can have its own unique built-in secret “key” that uses standard encryption technology to generate a unique card verification value, cryptogram or authentication code that exclusively identifies each transaction. No two cards share the same key, and the key is never transmitted.
- Authentication. The issuers verify that the contactless payment transaction has a valid card verification value, authentication code or cryptogram before authorizing the transaction. Therefore, at the system level, issuers have the ability to automatically detect and reject any attempt to use the same transaction information more than once.
- Confidentiality. The processing of contactless payments does not require the use of the actual cardholder name in the transaction. In fact, best practices being used within the industry do not include the cardholder name in the contactless chip.
- Control. Cardholders control both the transaction and the card throughout the transaction. Cardholders do not have to hand over either a card or their account information to a clerk during a contactless transaction.
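The “Industry standard encryption” and “Authentication” items above can be modelled in a few lines. This is an added example, not any issuer's or card network's actual scheme: HMAC-SHA256, the per-card transaction counter, the message layout and the account id `ACCT-0001` are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

def _code(key, account, counter, amount_cents):
    # Authentication code over the transaction data (HMAC-SHA256 is a stand-in).
    msg = f"{account}|{counter}|{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class Card:
    def __init__(self, account, key):
        self.account = account
        self._key = key        # per-card secret; never transmitted
        self._counter = 0      # assumed per-card transaction counter

    def tap(self, amount_cents):
        # Everything returned here is what a reader (or eavesdropper) sees.
        self._counter += 1
        return {"account": self.account, "counter": self._counter,
                "amount": amount_cents,
                "code": _code(self._key, self.account, self._counter, amount_cents)}

class Issuer:
    def __init__(self):
        self._keys = {}        # account -> secret key
        self._last = {}        # account -> highest counter already accepted

    def issue(self, account):
        self._keys[account] = secrets.token_bytes(32)   # unique key per card
        self._last[account] = 0
        return Card(account, self._keys[account])

    def authorize(self, tx):
        key = self._keys.get(tx["account"])
        if key is None:
            return "declined: unknown account"
        expected = _code(key, tx["account"], tx["counter"], tx["amount"])
        if not hmac.compare_digest(expected, tx["code"]):
            return "declined: invalid authentication code"
        if tx["counter"] <= self._last[tx["account"]]:
            return "declined: transaction data already used"
        self._last[tx["account"]] = tx["counter"]
        return "approved"

def demo():
    issuer = Issuer()
    card = issuer.issue("ACCT-0001")          # constructed account id
    tx = card.tap(1250)
    first = issuer.authorize(tx)              # genuine transaction
    replay = issuer.authorize(dict(tx))       # same captured data again
    altered = issuer.authorize({**tx, "counter": 2, "amount": 99900})
    return first, replay, altered
```

In this model a captured transaction is accepted once at most, and changing any field without the card's key invalidates the code, which is the property the two list items describe.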
The RFID issue will need continued monitoring, but at this time it appears that both the technology and the companies that are using it can be trusted. It is apparent so far that although scanning the card can be done, getting all the necessary information useful to commit fraud is probably not easy.