Transaction data stored on Contactless Credit Cards
Roland Perry
lists at internetpolicyagency.com
Tue Sep 9 21:28:35 BST 2014
In article <540F4FFF.6060602 at iosis.co.uk>, Peter Tomlinson
<pwt at iosis.co.uk> writes
>TfL (and you) cannot write anything to a basic credit or debit card
>issued by your bank.
>
>Please don't get confused with prepaid bank issued cards of the sort
>that are a store of value. Or with ITSO spec cards that can have
>prepaid travel tokens loaded onto them (those tokens are known as
>Stored Travel Rights in ITSO speak).

I'm not. My question is about the perfectly standard (and issued pretty
much as standard for the last couple of years) Contactless Credit/Debit
card. No "product" loaded on it, but simply used as a token to track the
journeys a holder makes and send him a post-processed bill overnight.

>TfL is not currently accepting ITSO cards

Digressing slightly, I'm told they *are* now accepting Travelcards
loaded onto Southern's ITSO card (branded "the Key"). This is very late
- such acceptance [ITSO on Prestige] has been announced as imminent for
a long time - but has always been expected to happen.

What I think I know from reading ITSO specifications is that in order
for the contactless transaction to take place in the sub-second window
that travellers expect there isn't time to *both* read the card's
credentials *and* write any kind of transaction data *back* to the card.

What I'm interested in today is whether the same applies to contactless
credit cards, or as you hint whether it's *philosophically* banned as
well as being a potential breach of the rules of physics.

>but might in the near future accept ITSO spec ENCTS [1] bus passes at
>Oyster readers (at the moment we just wave the cards as we get on the
>bus in London, or show them to an inspector).

That's a different project I expect.

ps Again digressing slightly, it's commonly understood that contactless
cards require PIN to be used 'at random', or is that 'every ~N
transactions' and I've even seen 'on the first transaction, and then
sporadically afterwards'.

Is the usage data which would trigger such a PIN request a result of
things written and re-written to the card, or only a result of a
very-real-time authorisation request [and refusal pending PIN] to the
issuer?

The rules for transport tickets on contactless are laxer, of course,
because the (eg) TfL gates don't have a PIN pad on them. The other side
of the coin is that fraudulent transport use doesn't cost them any
tangible money, because the trains/buses were running anyway. But if you
were buying a cup of coffee, then it costs the merchant something
tangible to provide.

--
Roland Perry
More information about the ukcrypto mailing list