Contactless payments are popular but how secure are they?

July 31, 2019 09:50 AM GMT

During the 10 years that contactless payments have been available in the UK, they have grown to become one of our favourite ways to pay. If you live in or have recently visited the UK, you may well be amongst the millions of people across the country who know how quick and easy it is to tap for your travel, morning coffee, lunchtime sandwich, and after-work pint.

Contactless has proved hugely popular, yet for as long as the technology has existed, investigations into its security have been undertaken – efforts that we wholeheartedly welcome, not least because they support our own commitment to evolve the technology and ensure it maintains the highest standards of security. 

Keeping your money safe

Visa payments, including contactless, are protected by multiple layers of security that work together to prevent fraud. As part of this security, Visa requires banks to investigate unauthorised transactions reported by cardholders, and if fraud has been committed, refund the money thanks to Visa’s Zero Liability policy. [1]

In practice, this means that if you suspect you might be a victim of fraud – for instance, if you lose your card or see payments on your account that you don’t recognise – you are able to report this to your bank, block your card, and get your money back.

Low fraud rates

While the use of contactless cards has increased rapidly, Visa’s contactless fraud rate in Europe declined by 40% between 2017 and 2018.[2] Specifically in the UK, a report by UK Finance found that fraud on contactless cards and devices remains low: equivalent to 2.5p in every £100 spent using contactless technology, no higher than the rate during the first half of 2017.[3]

The truth about cloning/contactless skimming

One common concern around contactless relates to the possibility of fraudsters using mobile payment terminals to “skim” the details from your card. In reality, this is extremely unlikely.

Firstly, initiating a transaction while a card is in someone’s wallet is very difficult in practice – particularly since a fraudster would need to know precisely where you keep your card, and stand extremely close to you.

Secondly, any money that is taken from a card needs to go somewhere. Visa payments can only be processed by terminals that are registered and audited for security compliance. To obtain an authorised merchant account, a fraudster would need to take several steps that include registering with a bank or payment processor, providing their personal information, and meeting other Know Your Customer (KYC) requirements. Even if they did all of this, it would be possible to trace the stolen money back to the recipient.

At Visa, we are not aware of a case where a contactless card has been cloned to create a physical counterfeit copy of a card – the details that can be “skimmed” simply aren’t sufficient to enable this. 

Bypassing the contactless limit and “Man in the Middle” attacks

Since the introduction of contactless, industry experts have looked into how to commit fraud on contactless cards – including so-called “man in the middle” attacks, or those that bypass contactless payment limits.

Such attacks may be reasonable to simulate in research tests, but these types of schemes have proved impractical for fraudsters to employ in the real world. In fact, we are not aware of any such fraud having been successfully committed.

In partnership with the wider industry, including financial institutions, IT and security experts, academics, and others, we constantly adapt, enhance, and evolve our payment solutions to identify and address new risks. When appropriate, we make changes in technology and infrastructure to mitigate risks.

As adoption of contactless payments by consumers continues to grow around the world, Visa is committed to delivering the best possible customer experiences supported by world-leading security. 

_________________________________________

[1] Visa's Zero Liability Policy does not apply to Visa corporate or Visa purchasing card or account transactions. For specific restrictions, limitations and other details, please consult your card issuer.

[2] Visa in Europe data

[3] UK Finance, “2018 half year fraud update,” Sept. 2018, Page 12, https://www.ukfinance.org.uk/wp-content/uploads/2018/09/2018-half-year-fraud-update-FINAL.pdf