*******************************************************
Following is a question by Dr Hon Chiang Lai-wan and a written reply by the Secretary for Financial Services and the Treasury, Professor K C Chan, in the Legislative Council today (November 25):
Question:
In recent years, credit cards that need no card readers or card-swiping for data transmission and only Near Field Communication technology is needed to complete transactions through short-range wireless (i.e. "contactless") data transmission (commonly known as "touch-and-pay") have become increasingly popular. Recently, it was discovered that one could easily read the electronic information stored in contactless credit cards just by placing smart phones with certain mobile applications in the proximity of those cards, which has aroused concerns about the security of those credit cards. The Hong Kong Monetary Authority (HKMA) also announced the names of the seven card-issuing banks involved and required them to recall and replace those problematic credit cards expeditiously. In this connection, will the Government inform this Council:
(1) of the number of reports of crimes involving contactless credit cards in each of the past three years;
(2) whether HKMA has issued clear guidelines to card-issuing banks in respect of the security of contactless credit cards; if HKMA has, of the details; if not, the reasons for that;
(3) whether HKMA has investigated into the reasons why the information stored in the credit cards concerned can be read easily; if HKMA has, of the details; if not, the reasons for that;
(4) how HKMA regulates and enhances the security of contactless credit cards to protect credit card users; and
(5) whether HKMA has considered ways to step up publicity and education on the use of contactless credit cards safely, so as to enable users to understand the potential risks involved in using those credit cards and the ways to prevent personal data stored in credit cards from being stolen; if HKMA has, of the details; if not, the reasons for that?
Reply:
President,
(1) The Police and the Hong Kong Monetary Authority (HKMA) do not have statistical breakdown on crime cases relating to contactless credit cards.
(2) In 2012, the HKMA issued the regulatory requirements relating to contactless credit cards. These include requiring card issuing banks not to store a customer's full name or other unnecessary information on the part of a card that is accessible in a contactless manner.
(3) According to the HKMA's understanding from the relevant banks, this incident involved some contactless credit cards supplied by two providers, in which the full name of customers stored on those cards could be accessible by unauthorised persons in a contactless manner under certain circumstances, thereby causing concerns about personal data privacy. The HKMA notes that this has no security implication for transactions conducted by contactless credit cards.
(4) As mentioned above, the HKMA issued clear regulatory requirements relating to contactless credit cards to card issuing banks in 2012. The HKMA has been closely monitoring the market developments. When banks adopt new technology to provide services, the HKMA will issue and review the relevant regulatory requirements as appropriate.
Before formulating the relevant regulatory requirements, the HKMA will listen to views of different sectors and strike an appropriate balance between transaction convenience and security.
(5) According to the Code of Banking Practice, card issuing banks should advise cardholders to refer to the security advice provided by banks from time to time. Moreover, card issuing banks should review regularly their security advice to ensure that it remains adequate and appropriate as the technology environment evolves.
In addition, anti-crime appeals with respect to credit cards were made by the Police through the Facebook Page, Police Magazine and a radio programme in October and November 2015 respectively. The Police will continue to enhance public awareness and alertness through different publicity channels. Members of the public are reminded to attend to their credit cards, patronise reputable shops, pay full attention to transactions, and check regularly their accounts for suspicious transaction records.
Ends/Wednesday, November 25, 2015
Issued at HKT 15:15
NNNN
