I’ve worked in Network security for 20 years and never make a statement, without context, that something is unambiguously “secure”; it implies that there is no risk. “Secured” implies that there is some risk, and one should always assume there is some level of risk. It’s invariably a case of assessment.
Back to the point; off-line access to card information. A case has been raised for this access for both payment and loyalty card details.
Let us look at loyalty cards first, for which I have this issue, almost, on a weekly basis. Risk, Mitigation, Circumvention.
Well, I’m satisfied that there’s negligible risk for allowing off-line access to my loyalty cards and therefore little requirement for mitigation. I could always take a picture/screenshot and store them on my phone. Or I could even just attach them back on my keyring. Or use a dedicated loyalty card app. Either way, I don’t then need this feature within Curve (if it’s a nuisance), but I would like it.
Card information may be a little more complex. For a start, does this affect PCI DSS certification for Curve? What’s the difference between carrying the (bank) card in your wallet and carrying it (off-line) on your phone? It could be argued that the latter is more secured as you need a PIN (or biometric) to access it. That surely mitigates some of the risk? If access to the information isn’t a possible feature then users will circumvent the issue. It could be argued, very strongly, that something like Bitwarden is a better and more secured solution than a clear text file. People will find a way but they should assess the risk first.
I don’t think this is something Curve can just enable as they will need to carry out their own assessment. From compliance to coding to cost benefit, it may be a longer project than you would believe.