How to Avoid Contactless Payment Fraud
Learn how to improve contactless card payment security with best financial technology practices
The payment ecosystem has evolved to a stage where transferring money is no longer restricted to cash or physical transfers. Today, we can buy with a quick sleight of hand, simply tapping a card against a point-of-sale (POS) terminal.
Without the need to carry wallets and sift through coins for the exact change, shopping is so much easier with contactless payments. A quick tap and you have the exact change ready, every time, in a fraction of a second.
Advantages for merchants and consumers are mounting up. Queuing times are dramatically reduced, and the simplicity of the technology makes it accessible to everyone.
But does such convenience come at a cost? In reality, exchanging any type of information wirelessly is vulnerable to attack. Used securely, though, it creates a realm of opportunities for contactless payments.
What is a contactless payment?
By definition, contactless payments are transactions that take place without physical contact between a customer’s method of payment and a point-of-sale (POS) reader.
First introduced in Seoul, South Korea for commuters on the bus service, the technology has been around for over 20 years, but has only gained pace in the US since 2015.
Contactless technology uses either radio frequency (RF) or near-field communication (NFC) protocols to allow two devices to establish communication and make a payment transaction.
Consumers have a choice of paying with a wearable device, such as a smartwatch, or by using e-wallets on their mobile phones. But in today’s world, where consumers are wary of adapting to significant changes, contactless cards have made the biggest impact in day-to-day shopping transactions.
How do contactless payment cards work?
Contactless cards are embedded with a chip and antenna that communicate with a contactless or POS reader. When the card is held within close proximity (1–2 inches) to the reader, the antenna is energized to establish a radio connection between the two. This way, transaction or payment information can be exchanged.
Typical communication between a POS terminal and a card
The reader issues a unique encryption code, so that all communication is transmitted privately. Once the card decrypts this code, communication takes place without the risk of outside intervention.
The transaction is processed when the details are sent to the card and its affirmation of the proposed transaction is sent back to the reader. A receipt is issued and stored for reference by both. All of this is done in a fraction of a second.
So what security features do contactless payment cards have?
Of course, a question that needs to be answered is: are there contactless payment security risks? Contactless card fraud is possible, considering information is being sent through a wireless connection.
Various social media posts describe how fraudsters have used handheld devices to scan the magnetic strip of a bankcard. This is a rare, but possible, attempt to access your 16-digit card number, expiry date, or even mini bank statements. This information can be used to clone cards for use in countries where chip and PIN has not yet been introduced. Surprisingly, some online retailers still don’t ask for the 3-digit security code on the back.
But to obtain one of these devices, you must be a business owner with a bank account registered with the POS suppliers. Each terminal user sends clearly identifiable information to the bank, which is quickly forwarded to the authorities. As all activity is monitored, fraud attempts are instantly stopped in their tracks.
How do providers ensure contactless payments are safe?
As technology has been improving over the last 20 years, so too have the security features.
Multiple layers of protection have been established to minimize contactless payment security risks.
- Europay, Mastercard, Visa (EMV) global standard
- Unique transaction data
- Authentication protocols
- Confidential cardholder information
EMV global standard
Increasing rates of counterfeit card use and large-scale data breaches have prompted banks and merchants to switch to EMV, a global standard that improves payment security and makes counterfeiting cards extremely difficult. The EMV standard was created by Europay, Mastercard and Visa. The standard is accepted worldwide, and all major banks have issued a new generation of contactless cards equipped with a microchip used to authenticate chip-card transactions. This chip stores and protects the user’s information and is the minimal safety standard required for secure transactions.
Unique transaction data
Bank merchants had the foresight to make sure contactless payments are secured by enabling a unique transaction code for every payment. Every single purchase is given its own encrypted code that doesn’t show any of the cardholder’s information. As soon as the card and the POS reader establish a connection, critical information is disguised to prevent the person from being identified or the bank details from being accessed. This unique code can be used only once for this card, and cannot be replicated to purchase another item, no matter where or how someone might try.
Using the unique transaction data, card issuers have a robust fraud detection system in place that can automatically detect and reject any attempt to use this code more than once. There is no responsibility placed on the merchant to discover this attempt at fraud, as the purchase will automatically be declined through the system.
Confidential cardholder information
There is no trace of the cardholder’s name in the physical microchip embedded in the card, as this information is not required for any transaction. Fears of your data being skimmed to allow online purchases are eased with this system, as all payments online need the cardholder name to authenticate the purchase.
With all these safety protocols in place, you can rest assured your information is safe. But for those who wish to provide an extra layer of security, tokenization is an option.
Tokenization replaces the primary account number (PAN) with an encrypted number. During transactions, the cardholder’s bank or card details are never transmitted, eliminating the potential for fraud mid-transaction. Instead, a “token” is sent, which can be a number 13 to 19 characters long that doesn’t contain the PAN. In the unlikely event someone managed to steal the token details, they would be unable to use it for another transaction, as each token uses a unique transaction code, which cannot be replicated or used again.
Most card fraud takes place when the vulnerabilities of using PAN information are exposed. Tokenization complements EMV, providing the ultimate in security protection for both in-person and card-not-present (CNP) purchases, such as online and mobile.
Tokenization is gaining in popularity due to its enhanced security methods and the more significant cost savings for financial institutions. These savings can be passed on to merchants as well as consumers, and fewer financial losses will occur from fraud issues.
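The unique transaction code and the token described above can be modelled in a few lines; this is an added illustration, not code from any card scheme or from the original article. HMAC-SHA256 over a per-card counter stands in for the real EMV cryptogram, and the class names, message fields and the test PAN used with it are assumptions.

```python
# Added illustration: HMAC-SHA256 is a stand-in for the real EMV cryptogram.
import hashlib
import hmac
import secrets


class Card:
    """Simplified card: holds a token (not the PAN), a secret key and a counter."""

    def __init__(self, token: str, key: bytes):
        self.token, self._key, self._counter = token, key, 0

    def pay(self, amount_cents: int, terminal_nonce: str) -> dict:
        # Every tap increments the counter, so the code below never repeats.
        self._counter += 1
        msg = f"{self.token}|{self._counter}|{amount_cents}|{terminal_nonce}"
        code = hmac.new(self._key, msg.encode(), hashlib.sha256).hexdigest()
        return {"token": self.token, "counter": self._counter,
                "amount_cents": amount_cents, "nonce": terminal_nonce, "code": code}


class Issuer:
    """Simplified issuer: token vault plus one-time-code verification."""

    def __init__(self):
        self._vault = {}  # token -> {"pan", "key", "last_counter"}

    def issue_card(self, pan: str) -> Card:
        # Token: random digits, same length as the PAN, never equal to it.
        token = pan
        while token == pan or token in self._vault:
            token = "".join(secrets.choice("0123456789") for _ in pan)
        key = secrets.token_bytes(32)
        self._vault[token] = {"pan": pan, "key": key, "last_counter": 0}
        return Card(token, key)

    def authorize(self, tx: dict) -> str:
        entry = self._vault.get(tx["token"])
        if entry is None:
            return "DECLINE: unknown token"
        msg = f'{tx["token"]}|{tx["counter"]}|{tx["amount_cents"]}|{tx["nonce"]}'
        expected = hmac.new(entry["key"], msg.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tx["code"]):
            return "DECLINE: bad transaction code"
        if tx["counter"] <= entry["last_counter"]:
            return "DECLINE: transaction code already used"
        entry["last_counter"] = tx["counter"]
        return "APPROVE"
```

A captured message that is sent a second time fails the counter check, and one whose amount has been altered fails the code check, so the decline happens at the issuer without any action by the merchant.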
What systems are in place to protect the end user?
For end users, or consumers, contactless payments have opened up a world where queuing for goods is almost non-existent. All you need to do is simply tap your card against a POS reader, and the transaction is completed.
Benefits of contactless payments
Security risks are reduced for consumers because, if their cards are fraudulently accessed, the card provider (for example, Mastercard) will reimburse the customer.
Consumers run into very few problems with contactless payments:
- They’re in control of when or where they choose to use contactless payments.
- Enhanced security measures ensure consumers are protected from any fraud.
- Failure recovery systems mean that you can switch to chip and PIN at any time for extra protection.
- Offline data authentication (ODA) gives further security for merchants.
- Consumers can rely on the card issuers catching and covering the costs of any fraudulent activities and get their money back if any fraud does occur.
With these measures in place, there seem to be no disadvantages for merchants or consumers alike.
Where does it all lead to?
While there may be a fear of contactless fraud being a common occurrence, things are much more straightforward. With a multitude of fraud detection systems in place, it’s not just incredibly hard, but near impossible to make any sort of impact on a person’s account through fraudulent activity. Contactless payments are just as safe and in certain circumstances even more secure than contact payments or cash. Now that contactless payments feature on cards, mobile phones, and wearable devices, a platform for innovation has been established. Who knows where this improvement in technology will take us?
Without offering contactless payment options, customers and profits get left behind. For faster payment processing and innovative FinTech solutions, contact Intellias.
Originally published at www.intellias.com on January 2, 2019.