18 DECEMBER 2016
This is the site of Card & Payments World, the well-respected international newsletter providing in-depth information on mobile, card and online payments. It is our daily news and resource site for subscribers, who also receive 11 printed newsletters a year and three glossy magazines.


Friday, 24 July 2015 11:35
How to answer questions about contactless security

Which? magazine opened up the contactless security can of worms again this week, by skimming card information and successfully completing an internet transaction for a £3,000 television. So how should the security concerns be dealt with? While this case illustrates the lack of security on the internet site (no use of the three-digit security code, no checking against card registered address details), it does make the point that security issues with contactless - and therefore NFC mobile payment - still exist and need ironing out.

Contactless payment numbers are now growing fast, with contactless payment cards being used more than one billion times in the past 12 months in Europe, according to Visa Europe.

The problem, however, is considered by the payments industry to be a minor one in terms of fraud risk (at least at the current level of contactless payments). But consumers, retailers, and other involved businesses are going to need their questions answered, especially if that all-important consumer confidence is to be maintained.

Here is a very useful Q&A from Proxama that might help with the detail.

Contactless payment and security - the background
It is correct that some details from a contactless card can be captured using a scanner, including the card number (PAN) and the card expiry. Online merchants shouldn’t accept payment based on this limited detail and should require card holder name, address and CVV number. This type of fraud, whilst headline-grabbing, is very low volume compared to the high volume fraud which can result from security breaches at online merchants, where thousands of customer details, including names and addresses, as well as card details, are captured.

The payments landscape is evolving and new technologies will help address security loopholes.

Mobile payments

Contactless payments using mobile phones, such as the recently launched Apple Pay in the UK, require the customer to activate the phone before making a payment. With Apple Pay this is achieved by using the fingerprint capability of the new iPhone. Scanning of the iPhone before this point wouldn’t provide any card details.

The banks are introducing ‘tokenisation’, initially for mobile payments, where the customer’s card number is replaced by an alternate number, a ‘token’. The process of making a payment is the same for both the customer and the merchant, but if for some reason the ‘token’ is captured it cannot be used to make online purchases.

Q&A about contactless security

How does the security of contactless cards compare to more traditional types of cards? E.g. magstripe, EMV

Contactless cards were introduced to enable quick low value transactions, and therefore have reduced security, as cardholder authorisation, through PIN or signature, isn’t required. However, only a small number of contactless transactions should be made before a PIN entry is required. At the same time, the contactless interface on the card does enable some limited details to be read.

How does the security of mobile payment technology, such as Apple Pay, compare to contactless cards?

As far as the merchant is concerned, payment from mobile phone or contactless card is the same, but the mobile phone does bring additional security for the customer, typically through some sort of password being entered before the phone can be used for payment. The recently launched Apple Pay service in the UK requires the customer to use the fingerprint button on the iPhone 6 before the payment is made.

Visa/MasterCard standards for mobile payment include providing end-to-end encryption of communication between the bank systems and the mobile device.

Tokenisation: we generate a ‘token’ to replace the cardholder PAN on the mobile and manage its full lifecycle including issuance, authorisation, replacement, etc.

Liability: Where does the responsibility fall for contactless card fraud? Merchant? Consumer? How does this compare to mobile payments?

The responsibility varies depending on the circumstances. For new technology such as contactless cards and mobile payments, as long as the consumer has followed guidelines then the card issuer will generally pay for the fraud. If an online merchant accepts payment without checking card details such as name, address and especially the CVV, the merchant will pay for the fraud.

How does the UK compare to other countries for card fraud?

The UK has lower fraud than most other markets, mainly because there is a complete EMV PIN-based infrastructure. Online fraud is increasing slightly, but at a much lower rate than online commerce is growing. Fraud from skimming cards (which is what the article was about) is shrinking in the UK, and reduced by 2% last year (UK Cards Association figures).

Is there anything consumers can do to prevent fraud?

Consumers are covered well by the Consumer Credit Act, and will be protected.
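
The tokenisation described in the Q&A above, shown as an added sketch that is not Proxama's or any card scheme's code: a token stands in for the PAN, is accepted only on the channel it was issued for, and goes through issuance, authorisation and replacement. The `TokenVault` class, the channel names and the sample card number are assumptions made for illustration.

```python
import secrets


class TokenVault:
    """Toy issuer-side vault: maps tokens to PANs and enforces a channel restriction."""

    def __init__(self):
        self._records = {}  # token -> {"pan": str, "channel": str, "active": bool}

    def issue(self, pan, channel="contactless"):
        """Issuance: create a random same-length token bound to one payment channel."""
        while True:
            token = "".join(secrets.choice("0123456789") for _ in pan)
            if token != pan and token not in self._records:
                break
        self._records[token] = {"pan": pan, "channel": channel, "active": True}
        return token

    def authorise(self, token, channel):
        """Authorisation: approve only an active token presented on its own channel."""
        record = self._records.get(token)
        if record is None:
            return (False, "unknown token")
        if not record["active"]:
            return (False, "token revoked")
        if record["channel"] != channel:
            return (False, "token not valid for this channel")
        # The real PAN (record["pan"]) is used only here, inside the vault.
        return (True, "approved")

    def replace(self, token):
        """Replacement: revoke a token (e.g. lost phone) and issue a new one for the same PAN."""
        record = self._records[token]
        record["active"] = False
        return self.issue(record["pan"], record["channel"])


def demo():
    vault = TokenVault()
    pan = "4000000000000002"  # constructed sample number, not a real card
    token = vault.issue(pan)
    results = [vault.authorise(token, "contactless"), vault.authorise(token, "ecommerce")]
    new_token = vault.replace(token)
    results += [vault.authorise(token, "contactless"), vault.authorise(new_token, "contactless")]
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

A token captured from the contactless interface is declined when presented on the `ecommerce` channel, and the old token stops working once it has been replaced.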
