Technology
The Last Barrier to Contactless
Transaction Processing Fades Away

by Jon Karlen

   Flashing the tiny wand on your key chain past the gas pump's electronic reader, you meander into the station's convenience store while the tank is filled. You decide to buy not just a cup of coffee but a few odds and ends for home as well, and pay for it with another quick flash past a reader at the check-out counter. Tank topped up, you point the car toward McDonald's, where instead of fumbling with cash you again flash the wand past a reader at the counter and your Number 3 Meal is paid for. Only a few years ago, this scenario might have passed for science fiction. Today, it's a reality that's gaining momentum as retailers test the waters of contactless payment systems. Early results show that they're not only efficient, but they just might induce you to buy more than you originally thought or visit the store more frequently. The tantalizing benefits this technology offers to retailers and credit card associations are limited only by the imagination. That, and the nagging question of privacy and security. Fortunately, that question has been answered by a security technology called public key cryptography.
   Contactless transaction processing is the newest and most alluring of the many applications for Radio Frequency Identification (RFID). A typical system consists of a small card or token that you pass near a reader. The reader communicates with the token via a radio signal, verifies its validity either locally or by communicating with a central processing center, and enables the transaction to proceed. The proceeds are either deducted from your checking account or added to a revolving charge.
   Although contactless technology has been used for more mundane industrial applications like package tracking for nearly a decade, only since 1997 has a major retailer taken the plunge and delivered contactless technology to the consumer. That company, Exxon Mobil, introduced SpeedPass in 1997, and the company currently has more than 6 million customers flashing their tiny tokens past readers at pumps in a growing number of states. You can now use the SpeedPass token to dine at some McDonald's restaurants in the Chicago area as well, a trial program that has already lifted sales by 20 percent in the stores where contactless payment is accepted. Other pilot programs are underway as well, and results have been equally encouraging. Not only are contactless customers spending more, they're spending more frequently as well.
   Nevertheless, the question of security has lingered as a potential disaster in the making as contactless transaction systems proliferate. The highest levels of security, embodied in a technology called public key cryptography, have, until recently, been too expensive, too slow, too large, and too power hungry to build into inexpensive tiny plastic tokens that retailers give away to their customers. As a result, current contactless systems have either no security or employ a security technique called symmetric key cryptography, which, although secure in small systems, becomes vulnerable (and frighteningly difficult to manage) in a large-scale deployment.
   Fortunately, an alternative to the most widely-used public key technology has been developed that can be implemented for a fraction of the cost, can complete a transaction in two tenths of a second, is frugal with power, can be realized in very inexpensive devices, and retains its iron-clad security and ease of manageability no matter how many users, locations, and applications are accommodated. With the traditional limitations of public key security put to rest, the opportunities that contactless transactions offer for consumers, retailers, and credit card associations may finally begin to be realized.
   How secure is public key cryptography? The answer is extraordinarily so, as exemplified by the unique nature of the security industry, which has, as one of its basic tenets, a mission to render useless its members' best efforts. Scientists the world over spend thousands of hours every year trying to "break" the latest crypto systems. While the legendary "one time pad" of intelligence service fame is the only truly unbreakable system (and not applicable to commercial use), the most viable public key system for contactless transactions is still robust, and would require 1,000,000 years to break using all of the most powerful computers on Earth -- working together.
   Beyond security itself, possibly the most appealing aspect of contactless transaction technology enabled with public key security is that it brings the benefits of credit card-type payment to even the least-expensive purchases. Consequently, the billions of small purchases transacted each year with cash can now be made with the contactless token or card and applied to a revolving account as with credit cards. But unlike credit cards, the unique identity of the token never leaves the device, making it inherently more secure. Public key security also makes wide-scale compromise of a nationwide contactless network nearly impossible as well, since even in the extremely unlikely event that a single reader is compromised, the breach cannot spread throughout the system, as it can with symmetric key technology.
   Public key-enabled contactless systems are also dramatically less expensive to implement, which benefits payment associations and retailers alike. The technique eliminates the need for the retailer to purchase or lease a dedicated, "always-on" communication link (usually via a roof-top satellite terminal) to a central processing center. Instead, each day the reader downloads the users on the "hot list" and posts transactions via a standard dial-up connection. Since the transactions themselves are verified locally in the reader without a need for a round-trip on a communications link to a central processing location, the transaction process is completed in about the time it takes to flash the token past the reader. The retailer needs only a phone line and a reader to participate, making cost of entry acceptable even to convenience stores and other small retailers.
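   The local verification described above can be sketched in code. This is an added example, not code from the article or from any deployed system: the article does not name its public key scheme, so a toy Schnorr signature stands in for it, and the issuer certificate, the function names and the token ids are assumptions. The reader stores only the issuer's public key and the downloaded hot list, which is why a compromised reader yields nothing that can impersonate a token.

```python
import hashlib
import secrets

# Toy Schnorr signatures over a 127-bit prime field: an assumed stand-in for
# the article's unnamed public key scheme. Far too small for real use.
P, G = 2**127 - 1, 3

def _h(*parts):
    data = b"|".join(str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def keygen():
    x = secrets.randbelow(P - 2) + 1           # private key
    return x, pow(G, x, P)                     # (private, public)

def sign(x, msg):
    k = secrets.randbelow(P - 2) + 1           # fresh per-signature secret
    r = pow(G, k, P)
    return r, (k + x * _h(r, msg)) % (P - 1)

def verify(y, msg, sig):
    r, s = sig
    return pow(G, s, P) == (r * pow(y, _h(r, msg), P)) % P

def issue_token(issuer_x, token_id):
    """Issuer certifies the token's public key; x never leaves the token."""
    x, y = keygen()
    cert = sign(issuer_x, f"{token_id}:{y}")
    return {"id": token_id, "x": x, "y": y, "cert": cert}

def token_respond(token, challenge):
    """Runs inside the token: sign the reader's fresh challenge."""
    return token["id"], token["y"], token["cert"], sign(token["x"], challenge)

def reader_accept(issuer_y, hot_list, token, replayed=None):
    """Runs inside the reader, offline: it holds only issuer_y and the hot list."""
    challenge = secrets.token_hex(16)          # new for every transaction
    tid, y, cert, resp = replayed or token_respond(token, challenge)
    if tid in hot_list:                        # list downloaded once a day
        return "declined: hot-listed"
    if not verify(issuer_y, f"{tid}:{y}", cert):
        return "declined: bad certificate"
    if not verify(y, challenge, resp):         # a recorded answer fails here
        return "declined: bad response"
    return "approved"
```

   Because the challenge is fresh for each transaction, a response recorded from an earlier exchange is declined, and a token whose key was not certified by the issuer fails the certificate check.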
   Having defeated its last major obstacle, contactless technology seems poised to revolutionize transaction processing for consumers, retailers, and payment associations. The technology is available, security robust and deployable at acceptable cost, and the applications endless. The only remaining question is not if but how soon we'll all be flashing our tokens to pay for most things we buy.