The credit card companies are taking the “necessary steps” so consumers can use the cards in a secure way, said ITRC executive director Jay Foley. “There is no real pickpocketing capability there. You might be able to walk up behind someone with a scanner, but the volume of information you will capture is going to be incomplete and unusable”, he told Infosecurity.
There are two primary security measures that credit card companies use to secure information on RFID credit cards: generating a unique transaction number each time the card is read by a scanner and restricting the distance at which the card can be read to between one and four inches.
“There are only three pieces of information that are captured by the RFID terminal: card number, expiration date, and a control number that is generated per transaction by the chip based on the information that the RFID terminal sends to the card. It’s a unique number and it changes every time. If you were to capture the control number and try to use that information two minutes from now, it wouldn’t be viable”, Foley explained.
The RFID reader does not capture the name, address, or other personal information that is included on a credit card with a magnetic strip, he related.
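The per-transaction control number described above can be modelled as follows. This is an added illustration, not code from the ITRC or any card issuer; the HMAC derivation, the read counter, the key and the card values are all assumptions made for the sketch, since the article does not say how the number is computed.

```python
import hashlib
import hmac

def control_number(key: bytes, counter: int, terminal_data: bytes) -> str:
    """Assumed derivation: MAC over the card's read counter and the terminal's data."""
    msg = counter.to_bytes(4, "big") + terminal_data
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8]

class Card:
    def __init__(self, number: str, expiry: str, key: bytes):
        self.number, self.expiry, self._key, self._counter = number, expiry, key, 0

    def read(self, terminal_data: bytes) -> dict:
        """Return the three captured fields (plus the counter this model needs)."""
        self._counter += 1
        return {"number": self.number, "expiry": self.expiry, "counter": self._counter,
                "control": control_number(self._key, self._counter, terminal_data)}

class Issuer:
    def __init__(self):
        self._keys, self._last_counter = {}, {}

    def enroll(self, card_number: str, key: bytes) -> None:
        self._keys[card_number] = key

    def authorize(self, record: dict, terminal_data: bytes) -> bool:
        key = self._keys.get(record["number"])
        if key is None or record["counter"] <= self._last_counter.get(record["number"], 0):
            return False  # unknown card, or a control number that was already used
        expected = control_number(key, record["counter"], terminal_data)
        if not hmac.compare_digest(expected, record["control"]):
            return False  # control number was not generated for this terminal's data
        self._last_counter[record["number"]] = record["counter"]
        return True

def demo() -> tuple:
    key = bytes(range(16))                          # constructed per-card secret
    card = Card("4111111111111111", "12/30", key)   # constructed test values
    issuer = Issuer()
    issuer.enroll(card.number, key)
    t1 = b"\x00\x00\x00\x01"                        # data sent by the first terminal
    genuine = card.read(t1)
    first = issuer.authorize(genuine, t1)           # fresh control number
    replay = issuer.authorize(genuine, t1)          # same capture presented again
    overheard = card.read(b"\x00\x00\x00\x02")      # read by some other scanner
    reused = issuer.authorize(overheard, b"\x00\x00\x00\x03")  # later terminal, new data
    return first, replay, reused

if __name__ == "__main__":
    print(demo())
```

In this model the card number and expiration date are identical on every read; only the control number ties a capture to one transaction, which is why a stored capture fails both when replayed and when presented to a terminal that sent different data.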
The RFID technology also protects the merchants. “If a retailer has a breach of security and they have to notify customers, they are going to have to notify everybody involved, except for the RFID customers because the retailer hasn’t captured enough information to trigger the [notification] law”, Foley explained.
The ITRC head said that all of the credit card companies surveyed had in place adequate security for their RFID credit cards (details of the companies’ responses are provided in the ITRC news release). He added that all of the companies limit the distance that cards can be read to four inches.
Foley said that consumers can place their credit card in sleeves that block RFID readers from reading the card. “I just don’t think it’s necessary”, he added.