Is PCI DSS an incompatible truth with contactless payment cards and an inconvenient truth for Banks and card issuers?

The following is an interpretation of the Payment Card Industry Data Security Standard version 3.2 (PCI DSSv3.2) against the data readily accessible from a contactless card.

It suggests that your card data is at risk, and that the Payment Card Industry (#PCI) itself lists the storage of exactly this data as a key concern. Yet contactless cards offer no protection for this data, and PCI DSS does not seem to address the card itself.

Bank card contactless payment

All the different data types stored on a bank card, including the chip, PAN, cardholder name, expiration date and magnetic stripe

First, let’s understand what RISKY BEHAVIOUR, as identified by the PCI, is:

The PCI Security Standards Council describes risky behaviour in the ‘PCI DSS Quick Reference Guide: Understanding the Payment Card Industry Data Security Standard version 3.2’ as follows:

A survey of businesses in the U.S. and Europe reveals activities that may put cardholder data at risk.

  • 81% store payment card numbers.
  • 73% store payment card expiration dates.
  • 71% store payment card verification codes.
  • 57% store customer data on the payment card magnetic stripe.
  • 16% store other personal data.

Source: Forrester Consulting: The State of PCI Compliance (commissioned by RSA/ EMC)

And what are the PCI’s CONCERNS and its role?

The goal of the PCI Data Security Standard (PCI DSS) is to protect cardholder data and sensitive authentication data wherever it is processed, stored or transmitted. The security controls and processes required by PCI DSS are vital for protecting all payment card account data, including the PAN – the primary account number printed on the front of a payment card.

What does the standard do? The PCI Data Security Standard (PCI DSS) sets out to Protect Cardholder Data:

Cardholder Data refers to any information printed, processed, transmitted or stored in any form on a payment card. Entities accepting payment cards are expected to protect cardholder data and to prevent its unauthorized use – whether the data is printed or stored locally or transmitted over an internal or public network to a remote server or service provider.

 …. 3.3 Mask PAN when displayed (the first six and last four digits are the maximum number of digits you may display), so that only authorized people with a legitimate business need can see more than the first six/last four digits of the PAN. This does not supersede stricter requirements that may be in place for displays of cardholder data, such as on a point-of-sale receipt.

3.4 Render PAN unreadable anywhere it is stored – including on portable digital media, backup media, in logs, and data received from or stored by wireless networks. Technology solutions for this requirement may include strong one-way hash functions of the entire PAN, truncation, index tokens with securely stored pads, or strong cryptography. (See PCI DSS Glossary for the definition of strong cryptography.) ….

And yet the riskiest behaviour of all, by comparison, is surely what is revealed by reading the contactless (NFC, ISO/IEC 14443) chip on the card, the contactless payment favoured by banks as the alternative to cash.

Why? Simply because every contactless payment card answers the standard EMV commands (SELECT, GET PROCESSING OPTIONS, READ RECORD) from any reader, with no authentication of that reader, and the records it returns contain the PAN and expiry date in cleartext. (What the chip does not hand over is the three-digit CVV2 printed on the back of the card, which is not stored on the chip; so the exposed data alone is not enough for every kind of fraud, but it is exactly the data PCI DSS tells merchants to mask and render unreadable.)

With a mobile phone application, currently available to download, it is very simple to read the following data from a #contactless enabled card without the cardholder’s knowledge or permission:

What data can be found reading a Credit card?

Results from a readily available “PHONE App” to read a credit card follow: (In the App the card number is revealed in full, but in line with PCI guidelines, only the first six and last four digits are revealed here.)

  • Track 1
    • Expire date : 1 Nov 2017
    • PAN Card number : 540463******8991
    • Format : B
    • Service : International interchange
    • Normal
    • No restrictions
    • None
  • Track 2
    • Expire date : 1 Nov 2017
    • PAN Card number : 540463******8991
    • Service : International interchange
    • Normal
    • No restrictions
    • None
  • AID : A0 00 ** ** ** 10 10
    • Label : MasterCard
    • Priority : 1
    • Pin try left : 3 Time(s)
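The app output above is a decoding of the EMV record a card returns to READ RECORD: the Track 2 Equivalent Data (tag 57) carries the PAN, expiry and service code, alongside the Application PAN (tag 5A) and Application Expiration Date (tag 5F24). The Python below is an added example for this article, not code from the original post or from the app pictured. It parses a constructed READ RECORD response (the sample bytes are built by hand and the PAN is the public Mastercard test number 5555 5555 5555 4444, not the card in the screenshots), decodes the ISO/IEC 7813 service code the way the app displays it, checks the PAN’s Luhn digit, and masks the PAN to the first six and last four digits as requirement 3.3 quoted earlier demands. The tag layout follows EMV Book 3; the function names and sample values are assumptions made for the example.

```python
"""Decode an EMV READ RECORD response as a contactless card returns it.
Added example for this article, not the app's code. The sample record is
CONSTRUCTED; its PAN is the public Mastercard test number 5555555555554444."""
from __future__ import annotations
from dataclasses import dataclass

# ISO/IEC 7813 service code: three digits decoded independently, as the app shows.
SERVICE_CODE = (
    {"1": "International interchange", "2": "International interchange (IC card should be used)",
     "5": "National interchange only", "6": "National interchange only (IC card should be used)",
     "7": "Private / no interchange", "9": "Test"},
    {"0": "Normal", "2": "Authorisation by issuer",
     "4": "Authorisation by issuer except under bilateral agreement"},
    {"0": "No restrictions, PIN required", "1": "No restrictions", "2": "Goods and services only",
     "3": "ATM only, PIN required", "4": "Cash only", "5": "Goods and services only, PIN required",
     "6": "No restrictions, prompt for PIN if PIN pad present",
     "7": "Goods and services only, prompt for PIN if PIN pad present"},
)


def parse_tlv(data: bytes) -> dict[str, bytes]:
    """Flatten a BER-TLV buffer into {tag_hex: value}. Constructed tags (bit 6 of
    the first tag byte, e.g. the 70 record template) are recursed into; multi-byte
    tags (5F24, 9F4D) and long-form lengths are handled; 00/FF padding is skipped."""
    out: dict[str, bytes] = {}
    i = 0
    while i < len(data):
        if data[i] in (0x00, 0xFF):          # padding between objects
            i += 1
            continue
        start, first = i, data[i]
        i += 1
        if first & 0x1F == 0x1F:             # more tag bytes follow
            while data[i] & 0x80:            # bit 8 set => yet another tag byte
                i += 1
            i += 1
        tag = data[start:i].hex().upper()
        length = data[i]
        i += 1
        if length & 0x80:                    # long form: N length bytes follow
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        if len(value) != length:
            raise ValueError(f"truncated TLV at tag {tag}")
        i += length
        if first & 0x20:                     # constructed: surface the children
            out.update(parse_tlv(value))
        else:
            out[tag] = value
    return out


@dataclass
class Track2:
    pan: str
    expiry_yymm: str
    service_code: str
    discretionary: str


def parse_track2(value: bytes) -> Track2:
    """Split tag 57: PAN, 'D' separator, YYMM, 3-digit service code, discretionary, F pad."""
    digits = value.hex().upper().rstrip("F")
    pan, sep, rest = digits.partition("D")
    if not sep or not pan.isdigit() or not 12 <= len(pan) <= 19:
        raise ValueError("malformed Track 2 Equivalent Data")
    return Track2(pan, rest[:4], rest[4:7], rest[7:])


def decode_service_code(code: str) -> list[str]:
    return [SERVICE_CODE[pos].get(d, f"unknown ({d})") for pos, d in enumerate(code)]


def luhn_ok(pan: str) -> bool:
    """ISO/IEC 7812 check digit: double every second digit from the right."""
    total = 0
    for idx, ch in enumerate(reversed(pan)):
        d = int(ch)
        if idx % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS 3.2 req. 3.3: first six and last four are the most you may display."""
    if len(pan) < 13:
        raise ValueError("PAN too short to mask safely")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def summarise_record(record: bytes) -> dict:
    """What the phone app is really showing, derived from the raw record."""
    tlv = parse_tlv(record)
    t2 = parse_track2(tlv["57"])
    pan_from_5a = tlv.get("5A", b"").hex().upper().rstrip("F")
    return {
        "pan_masked": mask_pan(t2.pan),
        "pan_luhn_ok": luhn_ok(t2.pan),
        "pan_matches_tag_5A": pan_from_5a == t2.pan,
        "expiry": f"{t2.expiry_yymm[2:]}/20{t2.expiry_yymm[:2]}",   # MM/YYYY
        "service_code": t2.service_code,
        "service": decode_service_code(t2.service_code),
        "pan_sequence": tlv.get("5F34", b"").hex(),
    }


# CONSTRUCTED sample: a plausible SFI 1 / record 1 of a Mastercard-branded card,
# assembled by hand for this example (70 = record template).
SAMPLE_RECORD = bytes.fromhex(
    "70 29"
    "  57 13 5555 5555 5555 4444 D171 1201 0000 0000 0000 0F"   # Track 2 Equivalent Data
    "  5A 08 5555 5555 5555 4444"                                # Application PAN
    "  5F24 03 17 11 30"                                         # expiry YYMMDD
    "  5F34 01 01"                                               # PAN sequence number
)

if __name__ == "__main__":
    for key, val in summarise_record(SAMPLE_RECORD).items():
        print(f"{key:20} {val}")
```

On a real card this record is only returned after SELECT and GET PROCESSING OPTIONS, but nothing in that exchange authenticates the reader, which is the point of the article. The PIN try counter shown by the app comes from a separate GET DATA command (tag 9F17) and is not part of this record.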

Not only this: on cards whose issuer has enabled the EMV transaction log, the same app can also read the card’s recent transaction history (typically the amount and date of each purchase).

Data that can be read with unauthorized access from your bank card


PCI DSS v3.2 requires this data to be masked when displayed and rendered unreadable wherever it is stored, and yet the card itself will hand all of it, unmasked, to any reader in range. So when it comes to risky behaviour, should the guide not address and highlight this as follows:


A survey of cards in Europe reveals activities that put cardholder data at risk.

100% of contactless cards reveal the PAN and other sensitive customer data, in breach of the Payment Card Industry Data Security Standard version 3.2, when read.

What about the Governance?

“All five payment card brands, along with Strategic Members, share equally in the Council’s governance, have equal input into the PCI Security Standards Council and share responsibility for carrying out the work of the organization.” And:

“PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers and service providers.”

So one must surely ask: where is the excuse for this apparent non-compliance with PCI DSS 3.2?

How can a #merchant be held accountable to #DSS3-2 when the governing members themselves appear not to be?

Ask yourself as a card user: are you fully satisfied that your contactless payment card is truly secure, and that your data is of no use to fraudsters? The PCI seems to think so, as far as its standards are concerned.

And who ultimately benefits from this lack of security? It would seem only the ease and speed of contactless transactions, perhaps to ensure contactless payment uptake. Should #ComplyingwithPCI DSS not be the primary concern?


Julian Ghail, RFID Cloaked Ltd

The latest version of the PCI DSS v3.2 standard and the PCI Quick Reference Guide to DSS v3.2 can always be found here:


Originally posted on

