Transaction data stored on Contactless Credit Cards

Roland Perry lists at internetpolicyagency.com
Tue Sep 9 21:28:35 BST 2014


In article <540F4FFF.6060602 at iosis.co.uk>, Peter Tomlinson 
<pwt at iosis.co.uk> writes
>TfL (and you) cannot write anything to a basic credit or debit card 
>issued by your bank.
>
>Please don't get confused with prepaid bank issued cards of the sort 
>that are a store of value. Or with ITSO spec cards that can have 
>prepaid travel tokens loaded onto them (those tokens are known as 
>Stored Travel Rights in ITSO speak).

I'm not. My question is about the perfectly standard (and issued pretty 
much as standard for the last couple of years) Contactless Credit/Debit 
card. No "product" loaded on it, but simply used as a token to track the 
journeys a holder makes and send him a post-processed bill overnight.

>TfL is not currently accepting ITSO cards

Digressing slightly, I'm told they *are* now accepting Travelcards 
loaded onto Southern's ITSO card (branded "the Key"). This is very late 
- such acceptance [ITSO on Prestige] has been announced as imminent for 
a long time - but has always been expected to happen.

What I think I know from reading ITSO specifications is that, in order 
for the contactless transaction to take place in the sub-second window 
that travellers expect, there isn't time to *both* read the card's 
credentials *and* write any kind of transaction data *back* to the card.

What I'm interested in today is whether the same applies to contactless 
credit cards, or as you hint whether it's *philosophically* banned as 
well as being a potential breach of the rules of physics.

>but might in the near future accept ITSO spec ENCTS [1] bus passes at 
>Oyster readers (at the moment we just wave the cards as we get on the 
>bus in London, or show them to an inspector).

That's a different project I expect.

PS Again digressing slightly, it's commonly understood that contactless 
cards require a PIN to be used 'at random'; or is that 'every ~N 
transactions'? I've even seen 'on the first transaction, and then 
sporadically afterwards'.

Is the usage data which would trigger such a PIN request a result of 
things written and re-written to the card, or only a result of a 
very-real-time authorisation request [and refusal pending PIN] to the 
issuer?

The rules for transport tickets on contactless are laxer, of course, 
because the (e.g.) TfL gates don't have a PIN pad on them. The other side 
of the coin is that fraudulent transport use doesn't cost them any 
tangible money, because the trains/buses were running anyway. But if you 
were buying a cup of coffee, then it costs the merchant something 
tangible to provide.
-- 
Roland Perry



More information about the ukcrypto mailing list