Earlier this week, the Hong Kong Monetary Authority (HKMA) ordered seven credit card issuers to suspend issuing cards with contactless payment functions, in light of identified security weaknesses.
The technology used to facilitate contactless payment devices is known as Near Field Communication (NFC). Cards that contain an NFC chip can be used to pay for low value goods and services (usually under HK$ 1,000) by waving the credit card close to the reader, without the need to enter a PIN or provide a signature. As well as the obvious risk of cards being used with relative ease by thieves, the technology may also pose a data security threat. In particular, tests have revealed that certain mobile apps can be used to instantly obtain data such as credit card number, expiry date and even the cardholder’s name.
To commit online fraud, a fraudster would normally need all three items of data: credit card number, expiry date and cardholder’s name. The critical issue is not, therefore, the technology itself, but the amount of data stored on NFC chips and readable over the contactless interface. Indeed, in 2012, with this risk in mind, the HKMA advised banks to ensure that unnecessary data (e.g. the cardholder’s name) would not be readable via the contactless interface between the NFC credit card and the reader. Not all NFC credit cards store the cardholder’s name, which is why some banks, and not others, have been subject to scrutiny.
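As an added illustration (not part of the original post or any bank's own tooling) of the check the HKMA's 2012 advice calls for, the following parses an EMV READ RECORD response of the kind returned over the contactless interface and reports whether the cardholder's name is among the readable fields. The tag numbers are the standard EMV ones; the sample records and PAN are constructed test values.

```python
# EMV data-object tags (standard values): PAN, expiry date, cardholder name and
# Track 2 Equivalent Data, which itself carries the PAN and expiry.
PAN, EXPIRY, CARDHOLDER_NAME, TRACK2_EQUIV = "5A", "5F24", "5F20", "57"
LABELS = {PAN: "pan", EXPIRY: "expiry", CARDHOLDER_NAME: "cardholder_name",
          TRACK2_EQUIV: "track2"}


def parse_tlv(data: bytes) -> dict:
    """Flatten a BER-TLV byte string into {tag_hex: value}, descending into
    constructed tags such as the READ RECORD template (tag 70)."""
    out, i = {}, 0
    while i < len(data):
        start = i
        first = data[i]; i += 1
        if first & 0x1F == 0x1F:            # multi-byte tag: more bytes while bit 8 set
            while data[i] & 0x80:
                i += 1
            i += 1
        tag = data[start:i].hex().upper()
        length = data[i]; i += 1
        if length & 0x80:                    # long-form length: next n bytes hold it
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big"); i += n
        value = data[i:i + length]; i += length
        if first & 0x20:                     # constructed object: recurse into contents
            out.update(parse_tlv(value))
        else:
            out[tag] = value
    return out


def audit_record(record: bytes) -> dict:
    """Report which sensitive fields a contactless read of `record` exposes and
    whether the cardholder's name is readable (the field the HKMA advised removing)."""
    tlvs = parse_tlv(record)
    exposed = {label: tag in tlvs for tag, label in LABELS.items()}
    exposed["name_readable"] = CARDHOLDER_NAME in tlvs
    return exposed


# Constructed sample records (template 70): one personalised with the name, one without.
SAMPLE_WITH_NAME = bytes.fromhex(
    "701C" "5A08" "4000000000000002"      # PAN: constructed test number, BCD-packed
    "5F2403" "251231"                      # expiry: YYMMDD
    "5F2009" + b"CHAN T M ".hex())         # cardholder name, 9 bytes
SAMPLE_WITHOUT_NAME = bytes.fromhex("7010" "5A08" "4000000000000002" "5F2403" "251231")

if __name__ == "__main__":
    for name, rec in (("with name", SAMPLE_WITH_NAME), ("without name", SAMPLE_WITHOUT_NAME)):
        print(name, audit_record(rec))
```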
The issue is a concern not only to the HKMA, which is charged with promoting the stability and integrity of the financial system, but also to the Privacy Commissioner for Personal Data (PCPD), which aims to secure the protection of individuals’ personal data. The HKMA has ordered certain banks to undertake a risk assessment to determine whether, and the extent to which, data leakage may have occurred. The PCPD has also launched a compliance review into the matter.
Cybersecurity is now a critical issue for nearly every sector, given businesses’ reliance on IT for day-to-day functioning. But security is particularly important in the banking industry, because customer trust and confidence underpin, and are needed to sustain, a stable and prosperous financial system. The HKMA issued a circular last year setting out a number of controls that banks should implement to minimise the risk of loss and leakage of customer data, in light of the development of, and increasing reliance upon, technology in the industry. This was issued around the same time as the PCPD’s Guidance on the Proper Handling of Customers’ Personal Data for the Banking Industry, which aimed to assist the banking industry in understanding its legal obligations with regard to personal data.
The events of this week also demonstrate the nexus between industry and privacy regulators, and the need for regulated institutions to consider their obligations both within their particular industry and more broadly as data users. While the Personal Data (Privacy) Ordinance does not currently mandate the notification of security breaches, the HKMA can (and this week did) report potential breaches to the PCPD. The HKMA could also mandate notification of breaches to affected customers.
Financial institutions and payment service providers are reminded to review the security of technologies employed in facilitating transactions. A regular risk assessment should be undertaken in respect of the amount and nature of data stored and any potential loopholes for leakage or theft should be addressed.