American Flag flying upside down as signal of DISTRESS

New, swipeless credit card need not leave the user's hand

Just hold it near an electronic reader

The Baltimore Sun
This article may be unavailable from the indicated source. It is being presented as an educational essay, having been received from various sources on the internet.
Associated Press
December 23, 2003

NEW YORK - The familiar process of buying something with a credit card - handing the plastic to the clerk or swiping it yourself, then waiting for approval and signing the receipt - could be headed the way of the mechanical brass cash register.

For more than a year, MasterCard and American Express have been testing "contactless" versions of their credit cards. The cards need only be held near an electronic reader for a sale to go through - though the consumer can still get a receipt. [Then the reader could read the card as it passed by, whether or not it was a purchase!]

The card companies say the system is much faster and safer because the card never leaves a customer's hand.

"In some instances, it's faster than cash," said Betsy Foran-Owens, a MasterCard vice president. "You're eliminating the fumble factor."

MasterCard has been testing its PayPass system mainly in Orlando, Fla., and promises a nationwide rollout in 2004, beginning primarily at quick-service restaurants and other places where people tend to be in a hurry.

American Express has mainly done pilot runs of its Express Pay service in the Phoenix area, though the company expanded it to New York ferry terminals on the Hudson River last week.

The new credit cards work much like the Speedpass system that ExxonMobil has accepted for quick payments at its gasoline stations since 1997. But the key-chain fobs carried by Speedpass' 6 million users are good only at ExxonMobil stations and a handful of other retail outlets.

In contrast, credit cards that incorporate the technology could be used anywhere regular plastic is accepted, as long as stores install the new readers. The card companies have worked out technical standards that would let one reader handle multiple brands of contactless cards.

Penny Gillespie, a senior analyst at Forrester Research, predicts that it will take a few years for contactless cards to go mainstream.

Visa USA has developed contactless capabilities but is holding off on a launch because "consumers seem to be content using the cards they have in their wallet," said Camille Leprey, a Visa spokeswoman.

The new cards have chips imbued with radio-frequency identification, or RFID, the technology that Wal-Mart, the military and other institutions hope to begin using soon to precisely track inventory.

While regular credit cards store account information on a magnetic stripe that has to be swiped, the contactless cards keep their data on chips inside the plastic.

American Express' ExpressPay uses a key-chain fob, like the ones used by the ExxonMobil Speedpass and similar to the tags in supermarket discount programs.

"I like that it's on your key-chain and it's fast to use," said Kristie Beenau, 36, of Peoria, Ariz., who has used ExpressPay for about six months at a CVS Pharmacy and fast-food restaurants.

"I charge everything anyway. Now I wave it rather than get my card out. It's more convenient."

MasterCard's PayPass comes on a regular-size card that also has a magnetic stripe for swiping. MasterCard also has done tests in Dallas with Nokia Corp. in which the RFID chip is embedded in the plastic casing of a cell phone.

The contactless cards have no battery or power. When they near a reader, they are jolted to life by the reader's electromagnetic waves.

A small radio antenna in the cards instantly transmits account information to the reader. The transaction then proceeds through the credit card network just as if the card had been swiped.

In theory, a thief intent on cloning a card could intercept a transaction without a consumer's knowledge. That's because RFID transmissions are not encrypted.

However, the thief would have to get very close to his target or have a very sensitive reader.

There would be other hurdles.

American Express makes the RFID reader verify the card's authenticity with a "challenge-response" exchange that depends on 128-bit encryption encoded on the chip.

That strength of encryption is considered safe against "brute force" attacks, in which a hacker tries every possible combination.

MasterCard says it uses a different security system, but would not provide specifics.

Simson Garfinkel, a researcher at Massachusetts Institute of Technology who follows RFID, said credit-card companies ought to be using "smart" cards with public key cryptography, a very strong form of security.

Jeff Chasney, chief technical officer of CKE Restaurants Inc., which runs the Carl's Jr. and Hardee's fast-food chains, says the new cards are likely to increase sales because they are so easy to use and because they ensure that a consumer won't be limited by the cash in his wallet.

But even Chasney, who is considering a contactless card trial, worries about the use of RFID in the cards.

"I would suggest to you," he said, "the greatest obstacle is going to be security."

To return to our home page, click: