Will The Subway Save Contactless?

Written by Frank Hayes
June 3rd, 2010

Contactless payment cards still can’t catch a break. This week, New York City’s mass transit system began what may be the largest push for contactless payment yet in the U.S.

In a trial program that began on Tuesday (June 1), a million riders can use MasterCard contactless payment cards at turnstiles for fares on parts of New York’s subway and bus system, along with commuter trains across the Hudson River and some bus lines in New Jersey. It’s a six-month, highly visible demonstration of the benefits of contactless cards that might actually get consumers to use the cards that have been sitting in their wallets.

But the next day (June 2), a self-proclaimed hacker was on Canadian television demonstrating once again that both MasterCard and Visa contactless cards can be read with a $10 commercial RFID reader available on eBay. That’s despite assurances from both card companies that the cards are secure and encrypted. True, as the CBC News report made clear, newly issued cards will only report the card number and expiration date; older cards also kick out the cardholder’s name. And a reader usually has to be very close to the card to work. But in a crowded subway car, that’s not necessarily much of a challenge.

That remains the contactless dilemma. At least 100 million contactless cards are in the hands of U.S. consumers, but mostly they’re not being used. Many cardholders don’t even know they’re carrying a MasterCard PayPass or Visa PayWave card. Some major retailers have yet to go contactless, while others still encourage customers to swipe even at point-of-sale locations that support contactless. Nobody–neither retailers nor customers–seems to see a benefit. And consumer behavior is tough to change without that benefit at the checkout counter.

MasterCard is hoping the subway turnstile will be a different story. Riders on the MTA’s Lexington Avenue line, PATH trains running between Manhattan and New Jersey, and 11 bus routes on both sides of the Hudson can use MasterCard PayPass cards for a six-month trial. Starting in August, Visa PayWave cards will work as well. (MasterCard gets the first two months to itself because it’s sponsoring the trial.)

“The rider can select any of the many fare options: 30 day, 14 day, one day, one week, prepaid or pay-as-you-go,” said MTA spokesman Aaron Donovan. “There are a million potential customers on the Lexington Avenue trains, the PATH trains and the buses.”

Doing contactless payment in a subway station or bus should be perfect for showcasing the technology. Everyone standing in line can see the guy who walks up, gets a beep from the fare machine and moves through without fishing for change. Making a fast transaction is fine. But making a fast, highly visible transaction where everyone standing in line can see it—and can also see a benefit (because the line moves faster for them, too)—is what will sell contactless to consumers.

And if they use a contactless card on the subway, they’ll be more likely to get in the habit of using it for other low-value purchases. At least that’s what MasterCard is hoping.

Even as mass transit tries to get contactless moving to daily use, security problems still dog the cards. The CBC News demonstration didn’t show anything new. Hacker Paul “Pablos” Holman has been bumping reporters’ wallets for years with his cheap RFID reader, and successfully collecting data from their contactless cards. That’s what he did again this week for the CBC.

What’s worse is that contactless cards are even riskier when consumers don’t use them. Those consumers may not know they even have a contactless card. If a thief bumps them with an RFID reader, they may not realize there’s a risk of having their card’s information stolen. What they don’t know they have, they won’t protect.

That means New York’s contactless transit trial could have a double benefit. It might be the best shot contactless will have at getting consumers to use the cards. And it may be the best wakeup call consumers will have that they need to protect those cards. Steel-mesh wallets, anyone?


One Comment | Read Will The Subway Save Contactless?

  1. PCI Guy Says:

    Why is it that, at the same time the card brands are foisting billions of dollars of PCI security compliance costs onto merchants, they are simultaneously delivering (to consumers who don’t want them) hundreds of millions of cards that broadcast sensitive card data to anyone carrying a $10 RFID reader from eBay?


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.