image of a lock with a keyboard key credit card chip

Contactless Payments Security: Myth vs. Reality

By: Dr. Art Harper, Director Solutions Consulting for Card Payment Solutions

Over the last few years, the payments landscape has experienced many changes – shifting from standard magnetic stripe cards to EMV cards and now contactless payment methods. More and more merchants are beginning to embrace contactless and turn on their near-field communication (NFC) technology, allowing payments to be processed using tap-and-go payment options. And while convenience, speed, ease of use and merchant acceptance are all important factors impacting the use of this payment type, many consumers are concerned about the safety of contactless cards and other tap-and-go payment methods – including smart watches and mobile wallets.

Contrary to what some consumers may believe, there are multiple layers of security throughout the traditional credit and debit payments systems that protect all parties involved in the contactless payment transaction. Read on for five myths surrounding contactless and insight into the reality of how secure contactless, tap-and-go payment methods really are:

Myth: A contactless card may accidentally process a transaction while inside a wallet.

Contactless technology does not work until the consumer removes it from his or her wallet and holds it in close proximity of the point-of-sale (POS) terminal. The close range proximity – 10 centimeters or less – is required in order for the contactless technology to respond to the POS terminal. Contactless payment methods use radio frequency to communicate. However, do not confuse that with RFID (radio-frequency identification) technology that also uses radio frequency but has a much longer proximity range of up to 5 feet.

Myth: If my contactless information is intercepted, a counterfeit card can be created and used in-store.

Each time a consumer uses a contactless card, a dynamic one-time-only code is generated to uniquely identify each individual transaction. The contactless card or device then provides the payments reader with that unique code, securing the transaction. It is extremely difficult for a fraudster to copy any of this advanced encryption technology to create a dynamic code and even more difficult to have the ability required to create a counterfeit version of a contactless card.

Myth: Even though a contactless card cannot be counterfeited, it can be still be used for online transactions.

To complete an online transaction, a consumer must provide or have access to the card verification value (CVV2 or the three- or four-digit security code), cardholder name and billing address associated with the card – none of which are sent or shared during a contactless transaction. Since neither the card nor the device transmits this information when making a purchase, fraudsters typically will not have enough information for an online payment transaction to be authorized or authenticated.

Myth: Now that my card data has been stolen, my identity can be stolen, too.

There is a clear distinction between identity theft, when a consumer’s identity is assumed by another individual for criminal purposes, and payment card fraud or payment device fraud, when a consumer’s card information is compromised in order to make unauthorized purchases. As mentioned, contactless cards and devices do not transmit information about the cardholder that would allow a thief to steal someone’s identity from a contactless transaction. In order to steal someone’s identity, the fraudster would need a name, address and other personal information that is not shared when conducting a contactless transaction. There is very little risk of identity theft associated with contactless transactions.

As evidenced, contactless cards and tap-and-go payment methods are just as secure as any other payment option when conducting transactions. According to Visa, 95 percent of terminals shipped are already contactless-enabled and many merchants are committed to turning on the NFC functionality. In fact, eight out of the top 10 merchants are now accepting NFC payments. It is highly likely that credit unions could experience an increase in transactions by offering contactless card programs. In other countries that have been issuing contactless cards for several years, most countries saw an increase of three to five transactions per card in the first year of contactless rollout.

It is important for credit unions to educate members about the safety and security of contactless payments options in order to provide members with the opportunity to embrace this new method of payment that will continue to grow in popularity for years to come.

Dr. Arthur (Art) Harper is part of the EMV team at PSCU, the company that is certified and was the first to issue credit, debit and prepaid EMV cards in the credit union market. He has written several articles and educated credit unions across the country through internal and external webinars, EMV roadshows and one-on-one meetings. Art represents PSCU and the credit union industry on the U.S. Payments Alliance board.