[LINK] Contactless Credit Cards in Oz
Roger.Clarke at xamax.com.au
Wed Jan 6 15:50:15 EST 2010
(Thanks to link and privacy list subscribers for their pointers, on
and off list! I've flung together the following quick analysis).
The two competing offerings are Mastercard Paypass and Visa PayWave:
These are indeed being implemented by several banks in Australia.
The functionality is in a substantial number of credit-cards already.
It appears that the schemes of CommBank, NAB and HSBC/Woolworths may
already be operational, and that ANZ's may be shortly.
See this article of 9 Nov 2009:
The following notes consider the consumer protection aspects. (There
are also anti-competitive aspects, because the terminals abandon the
any-card/any-terminal arrangement that ushered in the EFTPOS era.
The ACCC appears to be letting that happen).
Overall, based on a very brisk assessment ...
Consumer protections may be far too weak.
Until now, Card Present transactions required some form of
authentication that the person presenting the card was authorised to
use the card.
Card Not Present transactions lacked the authentication requirement,
but consumers were protected (provided that they reconciled their
accounts, and went to the effort of working through the bank's
That's because CNP transactions that were disputed were essentially
always credited back to the consumer and charged back against the
I wonder what the Consumer EFTS Code says about this new form of
unauthenticated Card Present transaction:
[It's a non-trivial exercise to apply the Code to this situation, and
I'm not about to attempt it 'on the fly'!]
And I wonder what consultations ASIC, Visa, MasterCard, Woolworths
and each of the banks have had with consumer and privacy advocacy
organisations about this.
Unlike a contact-based chip, a contactless chip and antenna are
generally not visible, because they are embedded inside the card.
Is there something on every Mastercard Paypass card and every Visa
PayWave card that clearly communicates to the cardholder that the
card contains a contactless chip?
There's a consent issue of a serious nature:
- is each card-holder informed of this functionality?
- is the functionality by default switched off?
- does the card-holder have to consent before it's switched on?
- does the card-holder have adequate information that they can
appreciate the nature of the service before they switch it on?
- is there a way in which a card-holder can test whether there is
switched-on contactless-card functionality in their card?
2. Consumer Protection and Visa PayWave
(a horrible, over-engineered not-really-a-web-page)
"You don't have to sign anything or enter a PIN for purchases under $100"
"For purchases over A$100 a signature or PIN is required.
(My memory is that the original discussions were about a $25 limit)
"Hold your card within 5 cm of the secure contactless reader.
"Your card has to be waved within 5 centimetres of the card reader
for more than half a second
[That sounds too much like magic.
[And it begs the question about what prevents a rogue terminal,
whether within 5cm or in the grey zone beyond 5cm, generating a
transaction based on its conversation with the contactless card.
"EMV chip technology ... provides both data protection and
transaction security via the use of keys and the latest encryption
"Visa payWave-enabled cards are just as secure as any other Visa chip
card and carry the same multiple layers of security protection,
including Zero Liability, which ensures you are not responsible for
fraudulent or unauthorized transactions. In addition, with Visa
payWave, you retain control of your card during the transaction,
which reduces the risk of fraud.
[Authentication and encryption processes are necessary; but they're
not easy to implement because of the processor power and time
constraints. The information provided in the FAQ is inadequate.
Where's the pointer to the certification written by an independent
security consultancy and backed up by warranties and indemnities?]
"You can then remove your card and the transaction will be complete.
[i.e. consent is given to the transaction merely by placing the card
inside the relevant field - which is stated to be within 5 cm / 2
inches from the reader, i.e. about the card's height]
"You can choose to have a receipt, but this is optional.
" ... the transaction is automatically routed through the credit
button, whether you're making the purchase on a Visa Credit, Debit or
Prepaid card. So there's no need to press any buttons. The
transaction will automatically be routed to the transaction account
or line of credit linked to your card.
[I find the proposition quite amazing that a non-credit card could
generate a credit-card transaction. Perhaps they mean that it won't
work if you don't have a credit-card; but if you have a credit-card
as well as a debit-card or prepaid-card, you still generate a credit
3. Consumer Protection and MasterCard's PayPass
MasterCard's page is much harder to find:
At a quick glance, the primary difference is that MC have slid the
threshhold up to $35 rather than all the way up to $100 as done by
But if Ivan's daughter has "had one since June from the same bank,
but used as a debit card", maybe MasterCard permits transactions
directly against a person's bank account rather than against
That would also be a first, and would raise additional, and very
serious, questions about the protections available to consumers.
4. Other Resources
Here's NAB's page:
"NAB will reimburse you 100% of any amount fraudulently removed from
your account if, despite our defences, you're a victim of fraud. Of
course your responsibilities when operating your account still apply."
[But is that a term imposed by the law, or at least by a strong Code
that is enforceable and actually enforced; or is that a term that
the NAB can modify or cancel as it sees fit?]
Here's Commbank's page:
Here's Woolworth's/HSBC ePump program, which would appear to be an
application of MasterCard PayPass, limited to petrol pumps? only at
Here's a promo at a major location:
[I co-wrote a somewhat relevant piece on consumer device insecurity here:
Roger Clarke http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au http://www.xamax.com.au/
Visiting Professor in the Cyberspace Law & Policy Centre Uni of NSW
Visiting Professor in Computer Science Australian National University
More information about the Link