Contactless Credit Cards Roll Out
NEW YORK -- More than five years after the development of ExxonMobil's Speedpass, MasterCard and American Express are putting the final touches on contactless versions of their credit cards.
MasterCard has been testing its PayPass system mainly in Orlando, Fla., according to a report by the Associated Press, and promises a nationwide rollout in 2004, beginning primarily at quick-service restaurants and other places where people tend to be in a hurry. American Express has done pilot runs of its Express Pay service in the Phoenix, Ariz., area, and the company has expanded it to New York ferry terminals on the Hudson River this week.
Using radio-frequency identification technology (RFID), the cards could be used anywhere regular plastic is accepted, as long as stores install new readers that meet technical standards allowing one reader to handle multiple brands of contactless cards.
"In some instances it's faster than cash," said Betsy Foran-Owens, a MasterCard vice president. "You're eliminating the fumble factor."
Visa USA has developed contactless capabilities, but is holding off on a launch because "consumers seem to be content using the cards they have in their wallet," Visa spokeswoman Camille Lepre told the Associated Press.
While old-fashioned credit cards store account information on a magnetic stripe that has to be swiped, the contactless cards keep their data on chips inside the plastic.
American Express's ExpressPay uses a keychain fob, like the ones used by ExxonMobil Speedpass and similar to the tags in supermarket discount programs.
MasterCard's PayPass comes on a regular-sized card that also has a magnetic stripe for swiping if need be. MasterCard also has done tests in Dallas with Nokia Corp. in which the RFID chip is embedded in the plastic casing of a cell phone.
American Express makes the RFID reader verify the card's authenticity with a "challenge-response" exchange that depends on 128-bit encryption encoded on the chip. That strength of encryption is considered safe against "brute force" attacks, in which a hacker tries every possible combination.
MasterCard says it uses a different security system but would not provide specifics.
"I have some faith in the credit card companies," Henry Holtzman, a research scientist at the Massachusetts Institute of Technology's Media Lab, told the Associated Press. "I trust them because fraud is a serious issue they have to deal with."
Others are more skeptical. Simson Garfinkel, another MIT researcher who follows RFID, said credit-card companies ought to be using "smart" cards with public key cryptography, a very strong form of security.
Jeff Chasney, chief technical officer of CKE Restaurants Inc., which runs the Carl's Jr. and Hardee's fast-food chains, says the new cards are likely to increase sales because they are so easy to use and ensure that a consumer won't be limited by the cash in his wallet.
But Chasney, who is considering a contactless card trial, worries about the use of RFID in the cards. "I would suggest to you," he said, "the greatest obstacle is going to be security."
MasterCard has been testing its PayPass system mainly in Orlando, Fla., according to a report by the Associated Press, and promises a nationwide rollout in 2004, beginning primarily at quick-service restaurants and other places where people tend to be in a hurry. American Express has done pilot runs of its Express Pay service in the Phoenix, Ariz., area, and the company has expanded it to New York ferry terminals on the Hudson River this week.
Using radio-frequency identification technology (RFID), the cards could be used anywhere regular plastic is accepted, as long as stores install new readers that meet technical standards allowing one reader to handle multiple brands of contactless cards.
"In some instances it's faster than cash," said Betsy Foran-Owens, a MasterCard vice president. "You're eliminating the fumble factor."
Visa USA has developed contactless capabilities, but is holding off on a launch because "consumers seem to be content using the cards they have in their wallet," Visa spokeswoman Camille Lepre told the Associated Press.
While old-fashioned credit cards store account information on a magnetic stripe that has to be swiped, the contactless cards keep their data on chips inside the plastic.
American Express's ExpressPay uses a keychain fob, like the ones used by ExxonMobil Speedpass and similar to the tags in supermarket discount programs.
MasterCard's PayPass comes on a regular-sized card that also has a magnetic stripe for swiping if need be. MasterCard also has done tests in Dallas with Nokia Corp. in which the RFID chip is embedded in the plastic casing of a cell phone.
American Express makes the RFID reader verify the card's authenticity with a "challenge-response" exchange that depends on 128-bit encryption encoded on the chip. That strength of encryption is considered safe against "brute force" attacks, in which a hacker tries every possible combination.
MasterCard says it uses a different security system but would not provide specifics.
"I have some faith in the credit card companies," Henry Holtzman, a research scientist at the Massachusetts Institute of Technology's Media Lab, told the Associated Press. "I trust them because fraud is a serious issue they have to deal with."
Others are more skeptical. Simson Garfinkel, another MIT researcher who follows RFID, said credit-card companies ought to be using "smart" cards with public key cryptography, a very strong form of security.
Jeff Chasney, chief technical officer of CKE Restaurants Inc., which runs the Carl's Jr. and Hardee's fast-food chains, says the new cards are likely to increase sales because they are so easy to use and ensure that a consumer won't be limited by the cash in his wallet.
But Chasney, who is considering a contactless card trial, worries about the use of RFID in the cards. "I would suggest to you," he said, "the greatest obstacle is going to be security."