Over the last few years we have seen a major shift in the way consumers pay for everyday goods and services, from the development of pre-paid wallets such as the Oyster Card through to mobile and contactless payments. Chris Davies reports on the security of contactless payments in the UK.
It is in the area of contactless payments that we are seeing a great deal of activity at the moment, with a growing view that we have reached an important inflexion point in their evolution.
So are we about to see contactless payments move to the mainstream? A growing body of evidence suggests we are. In the UK it is estimated that one in four people has a contactless card and in total 28 million cards have been issued. In May the Post Office announced that it was to become Europe’s biggest accepter of contactless payments, with 30,000 terminals being installed across 11,500 branches.
Despite this and the enormous business opportunity presented to retailers who accept contactless payments – particularly those serving customers making frequent low value payments at outlets such as coffee shops and newsagents – not to mention the speed with which a customer can complete a transaction, concerns persist about the security of ‘tapping and going’.
The problem experienced by a prominent retailer earlier this year, where a small number of customers using contactless payment terminals found money taken from cards other than the ones intended for payment, did little to allay fears.
But it is my strongly held view that contactless is a secure way to pay, as it benefits from the same range of advanced security features found on a standard chip and PIN card, with transactions processed through the same secure networks.
Each transaction that takes place on a reader with a contactless card is unique – the card generates a one-off cryptogram, which, if intercepted, would be useless, and does not enable the data thief to duplicate the transaction. In addition, the information that can be read via contactless would not equip anyone with enough information to create a cloned card. According to both MasterCard and Visa, payment processors and banks have not reported any increase in fraud in countries where contactless is being used widely.
The retailer is still protected against chargebacks in exactly the same way as they would be for chip & PIN or signed card transactions.
The fact that the transaction is wireless and contact free has no bearing on the security of the payment. The card details are transmitted directly to the scanner, and cannot be read outside of a four inch radius. When it is accepted, the transaction is processed in exactly the same way as a normal chip and PIN payment, using identical security and data encryption. The antenna or chip in the card is powered by the scanner, so the card cannot broadcast a signal on its own.
For consumers a particular concern has been the possibility of theft resulting from their card being lost or stolen. Provided that the cardholder reports this, they will not be held liable for any unauthorised payments, be they contactless or any other form of card payment.
An important additional layer of security for contactless payments is that the terminal will occasionally ask the customer to enter their PIN. In terms of frequency there is no industry standard for this to avoid prediction by fraudsters – it could be prompted by the value of the transaction, or a particular number of consecutive contactless transactions (details are held by a counter within the card’s chip.) The value of transactions is typically capped at £20, which limits the potential for theft from an individual card.
If multiple cards are presented to the reader, it will not charge any of them, so it is not possible for a consumer to be charged more than once on different cards. In addition, payment processors have safeguards in place to protect against duplicate consecutive transactions.
Finally, when a new contactless card is issued, the customer will need to perform a chip & PIN transaction before the contactless functionality can be used.
As consumers become more confident with the technology, banks roll out more payment cards with the right functionality and ever more retailers start to accept contactless payment, the method is going to play an increasingly prominent role alongside chip & PIN.
The benefits for both retailers and customers alike are clear to see and it would be a significant opportunity missed if adoption was slowed by misplaced fears over security. It is the responsibility of the industry to make sure this doesn’t happen.
Chris Davies, managing director of Global Payments