Updated: 3:25 p.m. Monday, Feb. 21, 2011 | Posted: 2:56 p.m. Monday, Feb. 21, 2011
Visa payWave is Visa’s contactless payment technology. It facilitates fast and convenient transactions at the point of sale and eliminates the requirement for a consumer to make physical contact with the terminal when making a purchase (therefore “contactless”). Consumers simply hold the card or phone in front of the contactless terminal in order to pay.
Concerning security, ensuring payment security is one of Visa’s highest priorities and Visa payWave enabled payment cards are no exception. Visa payWave cards are as secure as traditional cards and meet all the same standards for security and more.
There have been no reports of fraud perpetrated by reading Visa payWave cards. In keeping with evolving best practices in the industry, Visa mandates that Visa payWave cards do not transmit the cardholder’s name during a transaction. So, intercepting a Visa payWave transaction (a.k.a. electronic pickpocketing) results in less sensitive information than when handing a card over to a clerk. Neither the cardholder name nor the three-digit security code on the back of the card is available when the card is read via a contactless reader.
MASTERCARD'S RESPONSE
MasterCard PayPass cards and devices are as secure as paying with traditional MasterCard cards that have magnetic stripe technology. In fact, many consumers claim that they feel more secure with PayPass because they never have to turn the card over to a cashier and it never leaves their hand.
In response to the claims that you're hearing that a person could use a reader to capture someone's account number and expiration date, I think it's important to point out that they can't do anything with that data.
- You can't make an Internet or phone purchase, since the merchant should ask for CVC (card verification code) 2 data - the 3 digit code on the back, or zip code verification - to complete any purchase.
- You can't create a phony mag stripe card without CVC1 data in the mag stripe.
- You can't create a phony PayPass card without the key that is used to create a dynamic CVC3, which is held securely in the PayPass chip.
We mandate the use of CVC3 in the chip, which makes it nearly impossible to duplicate a card or "replay" transactions -- because a code that accompanies an authorization request changes every time an authorization request is made. The fact sheet at the bottom of this response goes into more detail, but this is a key point. For every transaction made with a PayPass card, there is a discrete authentication code that changes after each transaction. Without the proper code the transaction will not be authorized. The attached sheet will explain how the code is generated and what security measures are in place that make it so secure.
Lastly, MasterCard cardholders in North America enjoy the protection of the MasterCard Zero Liability policy, knowing that if their card was ever compromised, they are, as with all MasterCard payment programs, not responsible for unauthorized transactions on their accounts.
Click here for the PayPass Security Fact Sheet
AMERICAN EXPRESS' RESPONSE
Points regarding American Express' RFID technology, called ExpressPay: Security and privacy are a top priority in everything we do. We’ve been working with contactless technologies for several years now and are confident in the security of our ExpressPay technology. We have a sound and secure system in place, as well as a convenient payment method for our cardmembers.
How ExpressPay works:
--Cardmember waves card or fob equipped with ExpressPay to initiate the transaction (must be within 3 inches of reader).
--ExpressPay contains a unique “key” that generates a different digital signature for each transaction that cannot be copied, overwritten or read. The ExpressPay key creates a cryptogram, which ensures that the ExpressPay device is legitimate. We believe that the cryptogram is the best technology available today for ensuring the integrity of ExpressPay transactions and minimizing the risk of fraud -- no known way to break cryptogram. (Security experts have acknowledged our security as at the highest level in the industry.)
--Account number on ExpressPay is a unique code that is different from the account number of the charge or credit card that is linked to ExpressPay. We only transmit this unique code, thus, we protect the card account number. Since this unique code is different than the charge or credit number, it is useless to anyone who tries to obtain it.
--The information that is not encrypted is useless to a fraudster.
Other key points:
--The ExpressPay chip contains a unique “key” that generates a different digital signature for each transaction. This key cannot be copied, overwritten, or read. The key can only be created by American Express, and all transactions require verification of the key by the American Express system.
--The ExpressPay key creates a cryptogram, which ensures that the ExpressPay device is legitimate. We believe that the cryptogram is the best technology available today for ensuring the integrity of ExpressPay transactions and minimizing the risk of fraud.
--A fraudulent ExpressPay product would be detected by the digital signature as only our devices can generate the correct signature.
--The digital signature prevents product cloning. Additionally, the information extracted from an ExpressPay device cannot be used elsewhere.
DISCOVER'S RESPONSE
Discover offers a contactless card which is secure. Unlike RFID, which can operate at ranges up to 25 feet, contactless payment devices are designed with RF enabled technology that operates at very short ranges -- less than 2-4 inches -- so that the consumer needs to make a deliberate effort to initiate the payment transaction. For contactless payments, Discover uses added security technology both on the contactless device as well as in the processing network and system to prevent fraud, and with Discover's 0% fraud liability, Discover cardholders have the added protection of never being held liable for any fraudulent activity on their cards.
For more information on the security of contactless cards, visit the Smart Card Alliance website.
© 2013 Sinclair Broadcast Group.