Feedback

After successfully being funded on Kickstarter, we have started to deliver our first RFIDsecur™ card orders. Kickstarter backers are beginning to receive the first batch of these contactless protection cards.

We’ve been receiving some great feedback from many of our #RFIDsecur card #Kickstarter backers, and we thought we’d share some with you.

If any of our Kickstarter backers are reading this, please feel free to share your thoughts and posts with us and we’ll do our best to update our page with your comments.

Kickstarter Comments

Winfried Mayr – Superbacker
Got mine, they look great – thank you!

Robert Warwick – Backer
My cards arrived the other day and they’re brilliant, passed some on to my family. Many thanks.

Ben Pasquali – Backer
Received today! Tested and passed thank you!

Ronan – Superbacker

Received ! Thanks !!! Backer #20 – delivery to France

Licensecart – Backer

Got my cards today and they look so amazing 😀 Thank you for your hard work guys, will buy more soon.

Kickstarter project live – RFIDsecur™ RFID and NFC blocking cards

Kickstarter

It’s actually happened and our Kickstarter fund-raising is active. Please visit and pledge; if you can’t pledge, please share and spread the word, as it all helps.

On the first day we’ve raised nearly 10% of our Kickstarter fund-raising target and we’ve still got 26 days to go. With all the support, hopefully we will reach our target.

 

RFIDsecur™

This fund-raising is as much about raising the profile of our new material RFIDsecur™ as the fund-raising to get Hewlett-Packard approval for digital printing. We are aiming to reach out to manufacturers and businesses that need new materials and work with them to help produce some of the best RFID and NFC blocking products on the market. This card shows how versatile RFIDsecur™ is: printable, ultra thin and flexible, whilst still being able to block multiple frequencies, 13.56 MHz and 125 kHz.

RFID and NFC Blocking cards
Kickstarter rewards consist of RFIDsecur™ RFID and NFC Blocking cards; we have 5 designs to choose from

 

Kickstarter project

We have recently submitted our Kickstarter project for approval and have just had our confirmation email saying we have been accepted. Wish us luck for the next part of our journey, or even better, pledge and get some of our cards.

Kickstarter reward card
Kickstarter project, one of the reward designs for the RFID NFC blocking cards

Kickstarter launch

The Kickstarter project will be launched very soon. There are a number of pledges and rewards, and we have some great ideas for more.

You will be able to get singles, doubles and family packs. There is also an option for dealers and promotional cards, with the option to have your own artwork on the cards.

Dealer reward Kickstarter

The dealer offer for our Kickstarter project will be 200 RFID NFC contactless blocking cards for £1,000. These could be used for promotional and business use: the launch of a new product, business cards or promotional material. Once the user understands the concept that the cards protect against RFID NFC scanning, these cards will always be in their wallet or purse with your information.

 

PCI DSS 3-2 Contactless data exposure – Surely not poor Governance

Is PCI DSS an incompatible truth with contactless payment cards and an inconvenient truth for banks and card issuers?

The following is an interpretation of the Payment Card Industry Data Security Standard version 3.2 (PCI DSSv3.2) against the data readily accessible from a contactless card.

It suggests that your card data is at risk, and that this risk is recognised by the #PCI (Payment Card Industry) to the point that they list it as a key concern. Yet contactless cards offer no protection of this data and the PCI does not seem to address this.

Bank card contactless payment
All the different data types stored on a bank card, including chip, PAN, cardholder name, expiration date and magnetic strip

First let’s understand what RISKY BEHAVIOR as identified by PCI is:

The PCI defines risky behaviour in the ‘PCI DSS Quick Reference Guide Understanding the Payment Card Industry Data Security Standard version 3.2’ as follows:

A survey of businesses in the U.S. and Europe reveals activities that may put cardholder data at risk.

81% store payment card numbers.
73% store payment card expiration dates.
71% store payment card verification codes.
57% store customer data on the payment card magnetic strip.
16% store other personal data.

Source: Forrester Consulting: The State of PCI Compliance (commissioned by RSA/ EMC)

And what are the PCI CONCERNS and its role?

The goal of the PCI Data Security Standard (PCI DSS) is to #protectcardholderdata and sensitive authentication data wherever it is processed, stored or transmitted. The security controls and processes required by PCI DSS are vital for protecting all payment card account data, including the PAN – the primary account number printed on the front of a payment card.

What does the standard do? The PCI Data Security Standard (PCI DSS) sets out to Protect Cardholder Data:

#CardholderData refers to any information printed, processed, transmitted or stored in any form on a payment card. Entities accepting payment cards are expected to protect cardholder data and to prevent its unauthorized use – whether the data is printed or stored locally, or transmitted over an internal or public network to a remote server or service provider.

 …. 3.3 Mask PAN when displayed (the first six and last four digits are the maximum number of digits you may display), so that only authorized people with a legitimate business need can see more than the first six/last four digits of the PAN. This does not supersede stricter requirements that may be in place for displays of cardholder data, such as on a point-of-sale receipt.

3.4 Render PAN unreadable anywhere it is stored – including on portable digital media, backup media, in logs, and data received from or stored by wireless networks. Technology solutions for this requirement may include strong one-way hash functions of the entire PAN, truncation, index tokens with securely stored pads, or strong cryptography. (See PCI DSS Glossary for definition of strong cryptography.) ….
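On the merchant side, requirements 3.3 and 3.4 usually come down to keeping full PANs and track data out of logs. The following sketch is an added example, not part of the original post or of any PCI tooling: it assumes the Track 2 layout of ISO/IEC 7813 (PAN, `=` or `D` separator, expiry, service code, discretionary data), and the log lines and the test card number are constructed.

```python
import re

# Track 2: PAN, separator ('=' on magstripe, 'D' in EMV hex), then YYMM expiry,
# 3-digit service code and discretionary data (at least 7 digits in total).
TRACK2 = re.compile(r"\b(\d{13,19})[=D]\d{7,}F?")
BARE_PAN = re.compile(r"\b\d{13,19}\b")

def luhn_ok(digits):
    """Luhn checksum: filters out order numbers and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan):
    """Requirement 3.3: show at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scrub(line):
    """Return (scrubbed line, findings) for one log line."""
    findings = []

    def on_track2(m):
        if not luhn_ok(m.group(1)):
            return m.group(0)
        findings.append("track2")
        # Everything after the PAN (expiry, service code, discretionary data) is dropped.
        return mask_pan(m.group(1)) + "=[REDACTED]"

    def on_pan(m):
        if not luhn_ok(m.group(0)):
            return m.group(0)
        findings.append("pan")
        return mask_pan(m.group(0))

    line = TRACK2.sub(on_track2, line)      # track data first, then any bare PANs
    line = BARE_PAN.sub(on_pan, line)
    return line, findings

# Constructed log lines; 5555555555554444 is a well-known test card number.
SAMPLE_LOG = [
    "reader track2=5555555555554444=25122010000000000",
    "charge pan=5555555555554444 ok",
    "order 1234567890123456 shipped",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(scrub(entry))
```
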

And yet the riskiest behaviour of all in comparison is surely the data revealed by access to the #RFID chip on the card, the contactless payment favoured by banks as the alternative to cash?

Why? Simply because all contactless payment cards natively and openly reveal basic information that should be protected: the PAN and other data.

With a mobile phone application, currently available to download, it is very simple to access (without the cardholder’s knowledge or permission) the following data from #contactless enabled cards:

What data can be found reading a Credit card?

Results from a readily available “PHONE App” to read a credit card follow: (In the App the card number is revealed in full, but in line with PCI guidelines, only the first six and last four digits are revealed here.)

  • Track 1
    • Expire date : 1 Nov 2017
    • PAN Card number : 540463******8991
    • Format : B
    • Service : International interchange
    • Normal
    • No restrictions
    • None

  • Track 2
    • Expire date : 1 Nov 2017
    • PAN Card number : 540463******8991
    • Service : International interchange
    • Normal
    • No restrictions
    • None

  • AID : A0 00 ** ** ** 10 10
  • Label : MasterCard
  • Priority : 1
  • Pin try left : 3 Time(s)

 

Not only this, it is possible to view the recent transaction log of the card.

According to PCI’s DSS V3.2, none of this information should be accessible, transmissible, recordable or stored, and yet all of it is. So when it comes to risky behaviour, should not the guide address and highlight this as follows:

RISKY BEHAVIOR:

A survey of cards in Europe reveals activities that put cardholder data at risk.

100% of Contactless cards reveal PAN and other sensitive customer data in breach of Payment Card Industry Data Security Standards version 3.2 when accessed.

81% store payment card numbers.
73% store payment card expiration dates.
71% store payment card verification codes.
57% store customer data on the payment card magnetic strip.
16% store other personal data.

What about the Governance?

“All five payment card brands, along with Strategic Members, share equally in the Council’s governance, have equal input into the PCI Security Standards Council and share responsibility for carrying out the work of the organization.” And “PCI DSS applies to all entities involved in payment card processing – including merchants, processors, acquirers, issuers and service providers.”

So one must surely ask: where’s the excuse for this seeming non-compliance with DSS3-2?

How can a #merchant be held accountable to #DSS3-2 when the governing members appear not to be?

Ask yourself as a card user, are you fully satisfied that your contactless payment card is truly secure, that your data is not of use to fraudsters? – The PCI seem to think it is for their standards.

And what does this lack of security ultimately benefit? It would seem only the ease and speed of use of contactless transactions, perhaps to ensure contactless payment uptake. #ComplyingwithPCI DS Standards, is that not the primary concern?

PCI quick guide to DSS V3-2 https://www.pcisecuritystandards.org/documents/PCIDSS_QRGv3_2.pdf

The PCI DSS V3-2 standard https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2.pdf