UK government sets guidelines to combat contactless m-payments fraud

I'm sure they will be just as effective as any other guidelines have been, but I'm at a loss to remember an example.

I am with Dean on this.  Why on earth would it take Government regulation to ensure basic PIN/ password/ security measures be employed.  Barclaycard should be embarrassed that they are being told to do what ought to be basic product design.  The whole card approach which is based on just meeting minimum standards was ridculous 5 years ago, and is now inexcuseable.

The reason why the UK Govt is making this noise now is so that they can be seen to be doing *something* on the run-up to the 2012 Olympics, where m-payments, combined with e-tickets etc is their current recurring vision.

I also agree that these are all basic measures, which should reasonably be expected to be implemented prior to large scale adoption. - That is unless there is some indemnity given by Barclaycard et al, who are willing to accept liability for any losses. - don't hold your breath.

Why only worry about contactless m-payment fraud, not card based? And Jon, why have m-payments and e-ticketing for 2012 (transport ticketing consultation was out last week)? Surely m-payments, with m-ticketing (as the Barlcaycard/Oyster/O2 pilot), so then why not take advantage of the mobile (a computer) as an integral part of the security process? Some of the current pilots do seem rather unimaginative!

Moves by UK government to lay down guidelines designed to tackle fraud associated with mobile phone-based contactless payments and to increase public confidence are welcome if issuers and acquirers are to make the most of this new channel and grow payment volumes.

Whilst government guidelines are one way to ensure that adequate security measures are in place, it must also be combined with an industry commitment to best practice security. To date, the industry has been careful to add security on both the contactless devices and in the processing network, including a unique built-in secret key on the card which generates a unique CVV. It's also interesting to note that the processing of contactless payments does not require the use of the cardholder's name and some cards do not even include the cardholder's account number. Furthermore, contactless transactions can only be processed once which prevents incidents of "repeat attacks" from occurring, which can affect other types of transactions.

Clearly, the security of any new transaction channel must be a priority if it is to enjoy widespread success, so it is good to see that both the payments industry and the Government have contactless security firmly on the agenda. But other challenges associated with mobile contactless, such as preparing the payments infrastructure for increased transaction volumes where on-line transactions are the norm, require just as much attention if contactless payments are to be the success that everyone in the payments industry hopes they will be.