Credit Card companies are constantly searching for newer methods to
enable consumers to use their payment cards for common purchases.
Greater convenience means that a greater number of consumers will use their cards more frequently then traditional payment methods such as cash or checks. One of the newer technologies being employed within the payments industry is that of the Radio Frequency Identification Device (RFID).
Radio-Frequency Identification, more commonly referred to as RFID, has been heralded by many as a means of expediting everything from store inventories to airport security lines. According to the Electronic Privacy Information Center (EPIC - www.epic.org), RFID “is a type of automatic identification system. The purpose of an RFID system is to enable data to be transmitted by a portable device, called a tag, which is read by an RFID reader and processed according
to the needs of a particular application.” Advocates have been
promoting its value in implementations as varied as automated inventory systems to e-passports.
At their most basic level, RFID systems are comprised of three primary components. First is the transponder. This is the actual Radio Frequency Identification Tag that is encoded with the information to be transmitted. In general there exist two types of RFID, active and passive. Active RFID uses a power source attached to the RFID transponder to transmit data while a passive RFID tag uses power provided from an external source to transmit the data to an antennae. The second component is the antenna that is used to receive the information broadcast from the RFID tag. The third component is the transceiver that is used to decode the information received from the transponder and received by the antenna. While the differences between an active and passive RFID have little meaning to most, the fact that the devices 'broadcast' information is important.
A familiar incarnation of the RFID technology is the ubiquitous
“SpeedPass™” from ExxonMobile and MasterCard's “PayPass” technology.
Customers can purchase products and gasoline by simply waving their payment pass devices near an RFID reader. The convenience of such a solution is difficult to refute. The challenge, and something of which many users may be unaware, is that the data contained on the RFID payment devices is stored completely “in the clear,” or unencrypted. This includes the customer name, Primary Account Number and CVC2 data. It goes without saying that this raises some significant security and privacy issues to consumers.
The Payment Card industry should be applauded for its increased focus on security and privacy issues. More emphasis has been placed on encryption, firewalls, access controls, and similar data security controls in recent years. Companies are taking greater efforts to ensure that their employees understanding data security and their responsibilities relative to protecting sensitive data. Yet the underlying driver for the security shift has actually been growing concerns about consumer privacy in the increasingly connected world in which we exist. The challenge for most, from issuers to customers, is to balance the desire for greater convenience with the increasingly mandated calls for greater data security and consumer privacy. The hype surrounding the RFID phenomena provides an excellent case study in the balance of convenience and privacy.
Certainly RFID provides significant convenience for tracking all manner of things, from currency to consumer goods. Unfortunately, the ease of tracking objects extends to individuals as well. This trait has led the US State Department to begin issuing RFID passports in August of this year. This introduction was immediately met by DEFCON, a popular annual hacking convention, which provided educational sessions on how to hack RFID passports and credit cards. It is this type of showmanship that has led to the heated debate between those that desire privacy, and those that are seeking to increase the speed and convenience of the shopping experience.
As with any technology implementation, it is important to assess the additional risks that are being introduced into the environment. In this case, we speak not only of technological risks, but overall corporate risks that may be introduced as a result of unintended
collection of data by RFID-capable sensors. The privacy challenge
with respect to RFID payment devices derives largely from the fact that the transmitter, even the passive transmitter, can send data to a receiver unintentionally. The transmitter is unable to distinguish between receivers and so will respond to any receiver in range.
From a privacy perspective, RFID credit cards are cause for concern. While some claim that RFID is no more intrusive then the debit system or credit card system, that contention is certainly debatable. A credit card stored in a wallet or purse provides a greater degree of privacy than does an RFID transmitter. The fact of the matter is that consumers are often unwittingly carrying a transmitter that is broadcasting not only their name but also their financial information such as credit card account number and CVC2 data.
As with all new technologies, there must be a balance between privacy
and convenience. There are benefits and drawbacks of RFID adoption.
Inventory tracking and checkouts become more efficient, but at the same time the privacy of consumers is threatened and companies are, in most cases unintentionally, exposing themselves to potential liability. Not only can they collect information about their customers faster but they can, in some cases, do so without the knowledge of that customer. Are customers forgoing some degree of privacy through the use of the RFID payment devices? The issue also brings into sharp focus the Fair Information Practices that should comprise corporate privacy policies.
The introduction of RFID technologies introduces significant challenges to companies att empting to adhere to the Fair Information Practices. Among the most important concepts in privacy is the concept of “Notice.” This principle is the keystone of any privacy policy and essentially requires that companies should provide notice to consumers regarding the company's information practices, prior to the collection of any personal information. RFID technology can make notice extremely difficult, since the receivers are capable of collecting data from customers without their knowledge. For instance, in a mall a shopper walking past a store may unknowingly transmit their information to a receiver. That consumer has no knowledge of the information practices of the company but the company, however unintentionally, has collected information about that person.
Secondly, Fair Information Practices embody the notion of choice or consent. The individual in question should have the right to grant permission to use the data collected in certain ways. Any secondary use of the data without permission may be a violation of the Fair Information Practices. As illustrated above, a person holding an RFID payment device may transmit personal information unknowingly. This belies the idea that the individual then gave any consent to use the information. Therefore, if a company is adhering to the Fair Information Practices, any information that is collected without the knowledge or consent of the individual in question should not be used. As with many privacy and security concepts, this is often easier said than done.
The concern about privacy can be highlighted more clearly with an example. Consider a public figure that has recently received a new RFID payment card and is carrying the device in their wallet or purse. This person is unknowingly able to transmit their credit card number and name to anyone with an RFID reader. While this alone is a privacy concern imagine that this person has recently purchased a prescription for a condition that is recognized under the ADA as a
disability and the pharmacy has used RFID tags to track inventory.
Now anyone with an RFID reader can not only identify the person and credit card account number but can associate a prescription and disability with this person. As can be imagined, this is a serious privacy concern.
Groups such as EPCGlobal, an organization attempting to standardize RFID technology, are also trying to balance the drive towards the use of RFID with the very real privacy concerns associated with it. They are trying to accomplish this balance through the creation of an RFID standard. While these guidelines recommended by EPCGlobal are designed specifically for inventory control tags, its principles are
transferable. First, the guidelines require that consumers are
notified of the presence of RFID tags through signs or logos.
Secondly, consumers should be made aware of the methods for disabling or discarding the device on their products. EPCGlobal also believes that consumers should be made aware of the capabilities of RFID and its attendant technologies. Accurate information about the technology will help customers make informed decisions. Lastly, the organization's guidelines prohibit the inventory tags from storing or transmitting any personal information about the customer. The adoption of this last requirement to the RFID payment device may prove difficult, but working in conjunction with RFID technology providers, privacy and security professionals, companies can use this technology without compromising the privacy of their customers.
The Payment Services Industry is no stranger to technological innovation. Frequently, new technologies give rise to very real concerns about data privacy. Witness the rise of e-Commerce and electronic transactions. The technologies can be managed in such a way, though, as to mitigate the privacy concerns of consumers and regulators. The key is to recognize the risks that are being introduced in conjunction with the new technologies and to take steps to mitigate those risks. 
|
