25 October, 2015
Hong Kong's banks store too much personal data about customers on contactless credit cards, Francis Fong Po-kiu, honorary president of Hong Kong's Information Technology Federation, told the South China Morning Post.
Fong was responding to a recall notice issued by the Hong Kong Monetary Authority (HKMA) that asked seven banks to recall or replace credit cards. The information stored on these cards includes the user's full name, when it should be restricted to transaction data. This contravenes rules put in place in 2012, the authority told Out-Law.com in an emailed statement.
The near field communications (NFC) chip on older contactless cards often contains three pieces of information needed for online purchases, Fong told the newspaper: the customer's name, the card number and its expiry date. This can be read using a mobile phone app, according to the report.
With all three pieces of information, criminals can make online transactions, Fong told the South China Morning Post.
The HKMA said that it understands the recall has raised public concern about the risks introduced by contactless technology but that this has not raised risks to users. The technology is convenient for users, and the authority aims to strike a balance between that convenience and the management of risk. It will continue to work with card issuers to protect credit card users, the authority said.
The Bank of China (Hong Kong), Bank of Communications Hong Kong branch, DBS and China Citic Bank International told the South China Morning Post that they would arrange replacement cards for customers, while HSBC said it did not issue such cards, the newspaper said.
The Hong Kong office of the privacy commissioner said it would launch a compliance check on the issue, the South China Morning Post said.
For further information, please contact:
Paul Haswell, Partner, Pinsent Masons
paul.haswell@pinsentmasons.com