New ways to pay
By Chiara Cavaglieri
Article 1 of 4
Contactless payments are quick and convenient, but are they safe? Fraud figures remain low but our investigations have highlighted flaws.
Contactless payment security
Banks routinely issue customers with contactless cards, and we're spending over £4bn on them every month in the UK.
When Which? surveyed 1,066 people in August 2016 about their views on contactless cards, we found that 73% of the public think having a contactless card makes it quicker to pay for things. But, 69% are concerned about their contactless card being stolen and used to make purchases.
These concerns are not unfounded. A recent Which? investigation revealed significant security flaws when we tested 12 leading credit and debit cards. And although banks say they will refund fraudulent purchases, our previous research has found card fraud cases where refunds were delayed – or wrongly refused.
So, should you be using your contactless cards? In this guide, find out:
- How do contactless payments work?
- Which? investigates - are contactless cards safe to use?
- How can you protect yourself from fraud?
- Which banks let you opt-out of having a contactless card?
Contactless debit or credit cards allow you to pay for items worth up to £30 at a time without entering your Pin – by using wireless near-field communication (NFC) technology that enables one device to communicate with another.
Every contactless card has a small chip in it that emits radio waves. To pay for something, you hold the card near a payment terminal, which picks up a signal and processes the transaction.
You can tell whether your card is contactless by looking for a small logo on it which consists of four small curved lines, similar to the wi-fi symbol. The logo is also displayed on payment terminals that accept contactless payments.
Where can I make contactless payments?
Many shops accept contactless cards, including Marks & Spencer, Boots and Waitrose, although there are still some major stores that don’t offer contactless transactions, including Debenhams and John Lewis.
London commuters can use contactless cards through the entire transport network, and both Mastercard and Visa have set targets for terminals in every UK shop to accept contactless payments by 2020.
The technology behind contactless cards
1. A contactless card contains a chip that holds your account information and an antenna (a loop of cooper wire around the edge of the card) which picks up power from the signal sent out by the card reader.
2. A card-reading terminal emits an electromagnetic field – when a card enters this field it is powered 'on'.
3. The chip and the reader communicate with each other using an encrypted language. The reader can then 'introduce itself' to the card.
4. Only when the card recognises the reader will it 'reply' with a coded data transfer.
5. The card terminal should then confirm that payment has been accepted – this usually happens instantly.
Card issuers restrict the number of contactless transactions that can be made before the Pin is requested, to prevent fraud. The £30-per-transaction limit is another safeguard, however, our research suggests that some banks are failing to protect their customers properly.
In 2016, we asked volunteers to use their tap-and-pay cards on the high street, spending between £20 and £30 each time, and to keep shopping until they were asked for a Pin, to see how much a thief could spend unchecked.
While most banks asked for a Pin, or blocked the card, after three to five transactions, three debit card providers – Barclays, the Co-operative Bank and TSB – allowed our 'thieves' to spend more than £200 through 10 consecutive transactions in just three hours.
A real thief might well have continued.
Could a thief copy my contactless card details?
Although the risks are low, it is possible.
In 2015, Which? was able to easily and cheaply acquire contactless-card technology and use this to remotely 'steal' key card details from a contactless card. We were then able to order items online, one of which was a £3,000 TV.
Someone would probably have to be very close to you to lift your card details without you knowing. In our tests, the card had to be touched against the mobile card reading device, although other readers might be more powerful.
Industry figures suggest contactless card fraud is low, amounting to 2.7p in every £100 spent using the technology, which represents just 1.1% of overall card fraud.
However, it is possible that these figures do not reflect all losses – because fraud that is directly attributable to the contactless functionality of payment cards cannot always be recorded as such.
In our tests, despite skimming the card details using the NFC technology, this type of crime would be documented as ‘remote purchase fraud’ and not attributed specifically to contactless fraud, because the victim would not know how the details had been obtained.
Do protective wallets and foil stop contactless cards from being read?
There are metal cases that claim to protect your cards.
Although many members report using these successfully, we haven’t yet tested their effectiveness. Our researchers tested wrapping a card in tin foil – and this prevented it from being read, even when we rubbed it against the reader.
While we don’t think this is essential, we believe that lining your wallet with foil should protect your card details.
What protection is in place against accidental payments being made?
It is possible to pay for something without meaning to, but only when you’re close to the reader. The cashier needs to activate the terminal (or you need to select this option yourself at a self-service till) to accept contactless payments, reducing the risk of mistakes.
Contactless terminals are programmed so that they only take one payment from one card for any one transaction. Readers have also been designed to reject payment if two contactless cards are presented at the same time.
If a thief steals my contactless card, or copies my card details, will my bank reimburse me?
Fraudulent transactions on contactless cards are protected by the same rules that apply to other card payments. For more, see our guide to fraudulent activity.
If you believe a transaction was fraudulent, it’s the responsibility of the card provider to prove that you authorised the payment or were negligent in not taking reasonable care of your card's security features – and if it can’t, then it must reimburse you.
Which? has previously revealed that card providers sometimes wrongly refuse refunds so if you feel that your bank has acted unfairly, refer your complaint to the financialombudsman.org.uk.
You can take simple step to minimise the risk of card fraud:
- Never hand over your card If your card is taken out of your sight someone could run it through a skimming device, which copies the data from its magnetic strip. Avoid keeping cards in pockets or open bags where they are easily accessible.
- Ask for a receipt Contactless users aren’t always offered a receipt – so if you want to keep track of spending and make sure you aren't being overcharged, you may need to ask for one.
- Check your statements You should do this as regularly as possible to look for unusual transactions, including on lost or stolen cards as these can still be used after being cancelled.
|Credit and debit card providers||Automatically sends contactless cards to new customers||Allows customers to opt out|
|NatWest/Royal Bank of Scotland||a|
a Not all card types have been upgraded to contactless.
b Debit cards only; credit card customers can’t opt out.
c Debit cards only, credit card is chip and Pin.
d Excludes legacy business cards.
e Customers must opt out again when new cards are issued.
- Last updated: December 2017
- Updated by: Chiara Cavaglieri