The French data protection authority, the CNIL, issued a press release on May 10, 2012 (read here in French) expressing its concerns about the security of contactless credit cards.
It also announced that it was carrying out technical investigations to identify any security gaps and analyze their impact on privacy.
Contactless credit cards use NFC (Near Field Communication) technology. NFC is a short-range, high-frequency wireless technology that allows information to be exchanged between a smart card and a terminal.
Holders of contactless credit cards can pay simply by placing the card on the payment terminal (itself equipped with an NFC sensor).
It appears that some contactless credit cards currently issued by credit establishments may create a risk for the security of the personal data contained in the cards.
Some tests have reportedly shown that these cards can transmit, over a distance of several meters, information not only about the card holder but also about the transactions made with the card.
As a result, the CNIL has decided to launch a technical investigation to identify any security loopholes and assess their consequences for the privacy of card holders.
The French Data Protection Act provides that organizations implementing computer processing must ensure the security of the data they process, in particular to prevent any access by unauthorized third parties.