September 22, 2004

Computerworld: Securing RFID information:

The banking and payment card industry has much more experience in protecting personally identifiable information stored on RFID cards, said Ken Ayer, vice president of access controls at Visa International Inc. Visa and the payment card industry prefer the term EMV cards because of the Europay, MasterCard and Visa standards consortium that established standards for smart credit and payment cards beginning in 1996.

Personally identifiable data elements subject to privacy regulations are Triple-DES encrypted on EMV cards. The latest contactless EMV cards are based on the ISO 14443 standard card, which can be read from only within 10 cm. They are configurable based on privacy and security standards followed by each issuing bank in each host country.

EMV cards support both symmetrical and asymmetrical key encryption, Ayer said. The only actual encrypting done on the card is in a challenge-response process to identify an authorized card reader to the card. The rest of the encryption is handled on back-end systems.

"This is a worldwide system that works in all countries around the globe," he said. "It's entirely up to the bank to use one type of encryption or the other, as well as what type of data to encrypt."

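The challenge-response step described in the quoted article, as an added example that is not part of the original post or of the EMV specifications: a generic symmetric-key exchange in which the card issues a fresh nonce and the reader proves knowledge of a shared key. HMAC-SHA256 stands in for Triple-DES because the Python standard library has no 3DES, and the class and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class Card:
    """Card side: issues a one-time challenge and checks the reader's answer."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = None  # nonce awaiting a response, if any

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)  # fresh, unpredictable nonce
        return self._pending

    def verify(self, response: bytes) -> bool:
        nonce, self._pending = self._pending, None  # each nonce is single-use
        if nonce is None:
            return False
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare


class Reader:
    """Reader side: answers a challenge using the key it was provisioned with."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self._key, nonce, hashlib.sha256).digest()


def run_demo() -> dict:
    key = secrets.token_bytes(32)            # constructed sample key
    card, reader = Card(key), Reader(key)
    rogue = Reader(secrets.token_bytes(32))  # reader without the issuer's key
    results = {}
    captured = reader.respond(card.challenge())
    results["authorized_reader"] = card.verify(captured)
    results["reuse_without_challenge"] = card.verify(captured)
    card.challenge()                         # new nonce; old answer no longer fits
    results["replayed_response"] = card.verify(captured)
    results["wrong_key_reader"] = card.verify(rogue.respond(card.challenge()))
    return results


if __name__ == "__main__":
    print(run_demo())
```

Because the nonce is random and consumed on first use, a response captured over the air is useless against any later challenge.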
