Contactless VISA Cards

Peter Tomlinson pwt at iosis.co.uk
Fri Sep 25 21:01:15 BST 2009 

Andrew,

There is a confusion here. The Standard Card (previously Eros Card) is a 
private scheme run by the London Evening Standard, using their own 
network of contactless readers. Interestingly, transactions with the new 
Standard Card go through a lot faster than with the Eros Card. An online 
transaction over GSM link was used for the Eros Card, but I think the 
transactions with the Standard Card are off-line. I think there was 
value for 10 newspapers in the original distribution, and then you top 
up with an online payment transaction (debit or credit card).

As for terminals for bank contactless cards, there are indeed very few. 
Last year I was given (as were others at the same conference) a list of 
Mastercard PayPass retailers in central London, but never found one 
because I just wasn't motivated to do that (wrong type of retailer and 
/or wrong place - but I had also received a Mastercard card with £10 in 
it's account, time limited).

Peter

Andrew T wrote:
> They've incorporated a clever security feature into the cards, being
> that the only thing you could buy with these is 10 copies of the
> Evening Standard.
>
> Has anyone seen the terminals in place anywhere else? Why are they
> going to considerable expense replacing contact cards with hybrid
> contact/contactless?
>
> I've not seen a good analysis of the many security implications of
> such a system:
> * How does a user ensure that the terminal is genuine? I know that an
> Oyster reader is an Oyster reader. I know my buildings card reader is
> my companie's card reader. But how do I know if some guy on the street
> is genuine or not?
> * How are the funds transferred from the terminal to the vendor's
> account? Is each payment signed?
> * Is there any reconciliation performed at all?
>
> Andrew
>
> On 25/09/2009, Richard Jones <rich at annexia.org> wrote:
>   
>> On Fri, Sep 25, 2009 at 07:44:39AM +0100, Peter Tomlinson wrote:
>>     
>>> Personally, if one of these cards is mailed to me, I will claim that I
>>> did not agree to the change and will ask for an old type card. But can
>>> those of you who got one tell us if there is an activation process that
>>> you have to follow before the contactless interface is enabled?
>>>       
>> Not one that I'm aware of, at least, my bank didn't tell me to do
>> anything except sign the card.
>>
>> Having said that, I don't think I've ever seen a retailer who takes
>> these sorts of payments either, so I can't test the contactless
>> element of the card.
>>
>> Rich.
>>
>> --
>> Richard Jones
>> Red Hat
>>
>>
>>     
>
>

More information about the ukcrypto mailing list