Contactless payment devices have become increasingly popular. These systems allow a consumer to effect payment at a retail point of sale quickly and efficiently.
A traditional sale transaction often involves a consumer presenting a credit card, debit card, gift card, or other kind of presentation instrument or payment device, which is “swiped” through a point-of-sale (POS) terminal. The merchant indicates the amount of the proposed purchase, and the POS terminal communicates information to a payment processing computer or system to obtain approval for the transaction. In a typical transaction, the communicated information includes a unique identifier read from the payment device and the amount of the proposed transaction. The payment processing system verifies (possibly after communicating with other systems) that the payment device is valid and is associated with enough credit or stored value to pay for the purchase.
Often, the consumer is required to enter a personal identification number or sign a document as part of the transaction. One of the reasons for these requirements is to increase the merchant's confidence that the customer at the cash register is actually the account holder authorized to make purchases, and not someone attempting to make a fraudulent purchase. While these measures do mitigate risk for the merchant and card issuer, they also take significant time and add to the complexity of making purchases. When the purchase is small and it is desirable to complete a transaction quickly, the added complexity and time burden may outweigh the small financial risk that a purchase is fraudulent. For example, requiring a customer signature at the drive-up window of a drive-through restaurant can seriously affect the throughput of the drive-through.
A “contactless” payment device enables non-cash payment without a physical connection between a consumer payment device and a POS device. For example, the contactless payment device may be a card, key fob, watch, cellular telephone, or another kind of item that has a unique account identifier and is associated with value. The value may be in the form of stored value in an account, such as a checking account associated with a debit card, or may be in the form of credit. The payment device and the POS terminal can communicate without physical contact, often using a wireless method such as radio frequency (RF) communication, near field communication (NFC), a Bluetooth protocol, or a carrier-based mobile technology. To initiate communication, the customer taps the payment device on a contactless reader device associated with a POS terminal, or even simply waves the payment device in the vicinity of the contactless reader that is emitting radio frequency waves. The POS device nearly instantaneously detects the presence of the payment device and reads the account identifier from the payment device. If desired, an authorization check is performed and the transaction can be approved and finalized in seconds. For some transactions, no PIN or signature may be required. The customer can be on his or her way quickly and the merchant can begin another transaction with another customer.
One concern with contactless payment devices is that a person with a contactless reader device may be able to surreptitiously read (or “sniff”) the account identifier or other account information stored on a contactless payment device and use the account information to make fraudulent purchases. It has been proposed that a contactless payment device include a switch such that reading information from the device is disabled unless a user of the device holds the switch in an enabling position. The device can then be used for payments when the switch is held, but cannot be sniffed otherwise because reading is normally disabled, such as when the device is carried in a user's pocket. A switch-operated payment device is described in U.S. patent application Ser. No. 11/327,840 of Kean and entitled “Information access control”, the entire disclosure of which is incorporated herein by reference. A presentation instrument having a sensor input is described in U.S. patent application Ser. No. 11/381,360 of Beeson and entitled “RF presentation instrument with sensor control”, the entire disclosure of which is incorporated herein by reference.
Radio frequency sensing of various credentials or other information is used in other applications as well. For example, a card, key fob, or other device may have a passcode or credential stored on it that allows entry into a building, allows access to a medical storage cabinet, or is used for some other kind of authorization. Similarly, information stored on the contactless device may provide identification of the person carrying the device, or the device may simply be used for information storage and retrieval. Sniffing of information from these kinds of devices is undesirable as well.
While a switch largely solves the problem of surreptitious sniffing, it creates a new problem. Because the device is normally disabled, the recording of necessary information on the device is hampered. The process of recording information or credentials on a device used for contactless payment or for other uses is sometimes called “personalization”, especially when the device is used for payment and the stored information is an account credential, such as an account number or other account identifier. Machines normally used to perform personalization are not designed to actuate a switch.