What is contactless payment security?
Banks routinely issue customers with contactless cards, and UK shoppers spent £69bn on them in 2018.
When Which? surveyed 1,066 people in August 2016 about their views on contactless cards, we found that 73% of the public think having a contactless card makes it quicker to pay for things. But 69% are concerned about their contactless card being stolen and used to make purchases.
These concerns are not unfounded. A Which? Money investigation in 2016 revealed significant security flaws when we tested 12 leading credit and debit cards.
And although banks say they will refund fraudulent purchases, our previous research has found card fraud cases where refunds were delayed - or wrongly refused.
So, should you be using your contactless cards?
How do contactless cards work?
Contactless debit or credit cards allow you to pay for items without entering your Pin, using wireless near-field communication (NFC) technology that enables one device to communicate with another.
Every contactless card has a small chip in it that emits radio waves. To pay for something, you hold the card near a payment terminal, which picks up a signal and processes the transaction.
You can tell whether your card is contactless by looking for a small logo on it which consists of four small curved lines, similar to the wi-fi symbol. The logo is also displayed on payment terminals that accept contactless payments.
What is the contactless payment limit?
In the UK, you can typically only authorise contactless payments of £30 and under (although some retailers allow digital wallet users to spend more than this).
If you want to spend more than this, you'll be asked to make a chip and Pin transaction instead.
Can I use contactless to withdraw cash?
Barclays is piloting contactless cash machines allowing its customers to withdraw money by tapping their Android smartphones or contactless debit cards.
The bank says this removes the risk of card skimming (fraudsters copying card details at the ATM).
RBS and NatWest customers can also withdraw money without a physical card by generating a Pin within their banking app.
But otherwise, you'll need to use chip and Pin at ATMs.
Can I use my contactless card abroad?
Yes, you can use it anywhere you see the contactless symbol displayed, although different transaction limits may apply and most banks charge fees for using your card abroad.
Can I make accidental contactless payments?
It is possible to pay for something without meaning to, but only when you’re close to the reader.
The cashier needs to activate the terminal (or you need to select this option yourself at a self-service till) to accept contactless payments, reducing the risk of mistakes.
Contactless terminals are programmed to take one payment from one card for any one transaction.
Readers have also been designed to reject payment if two contactless cards are presented at the same time.
Do watch out for card clash on the Transport for London (TfL) network though.
If the reader detects more than one card, it could take payment from a card you didn't intend to pay with and you'll be charged the maximum fare for your journey.
Do contactless card protectors work?
There are metal cases that claim to protect your contactless cards.
Although many Which? members report using these successfully, we haven’t yet tested their effectiveness.
Our researchers tested wrapping a card in tin foil - and this prevented it from being read, even when we rubbed it against the reader. While we don’t think this is essential, we believe that lining your wallet with foil should protect your card details.
Will my bank refund fraudulent contactless payments?
If a thief steals your contactless card, or copies your card details, your bank should reimburse you.
Fraudulent transactions on contactless cards are protected by the same rules that apply to other card payments. For more, see our guide to fraudulent activity.
If you believe a transaction was fraudulent, it’s the responsibility of the card provider to prove that you authorised the payment or were negligent in not taking reasonable care of your card's security features - and if it can't, then it must reimburse you.
Where can I make contactless payments?
The vast majority of shops accept contactless cards and both Mastercard and Visa have set targets for terminals in every UK shop to accept contactless payments by 2020.
London commuters can use contactless cards through the entire transport network and Stagecoach has introduced contactless payments on its buses.
Charities have also started exploring 'tap-and-donate' card readers to boost donations.
The technology behind contactless cards
1. A contactless card contains a chip that holds your account information and an antenna (a loop of copper wire around the edge of the card) which picks up power from the signal sent out by the card reader.
2. A card-reading terminal emits an electromagnetic field - when a card enters this field it is powered 'on'.
3. The chip and the reader communicate with each other using an encrypted language. The reader can then 'introduce itself' to the card.
4. Only when the card recognises the reader will it 'reply' with a coded data transfer.
5. The card terminal should then confirm that payment has been accepted - this usually happens instantly.
Contactless and Oyster on Transport for London (TfL)
In London you can travel around by bus, Tube, tram, DLR, London Overground, TfL Rail, Emirates Air Line, River Bus and most National Rail services using an Oyster card, a contactless card, or a mobile payments app.
An Oyster is a smartcard that you must either load with money to use as pay-as-you-go credit, or add your Travelcards and Bus & Tram Passes to.
Contactless debit or credit cards will also work on the TfL network, with the money taken directly from your account on a pay-as-you-go basis.
At present, you can't add any Travelcards or Bus & Tram passes.
Using a mobile payments app such as Apple Pay, Android Pay or Samsung Pay is no different to using a contactless payment card, although make sure your default card is the same at the beginning and end of your journey to avoid being charged the maximum fare.
Contactless can be cheaper than Oyster
TfL applies daily capping to all Oyster and contactless pay-as-you-go journeys, which means that when the total cost reaches a pre-determined limit, you won't be charged for further journeys in the same zones for the rest of that day.
But only contactless journeys benefit from a weekly cap as well as a daily cap, calculated from Monday to Sunday.
For example, travel between zones 1 and 3 is capped at £41.20 per week.
If you create an online Oyster or contactless account with TfL you can easily report your card as lost, stolen, damaged or failed and apply for refunds if your journey is delayed (by at least 15 minutes on the Underground and DLR, or 30 minutes on the Overground and TfL Rail).
Are contactless cards safe?
Industry figures suggest contactless card fraud remains low, amounting to 2.7p in every £100 spent using the technology in 2018 - the same level recorded in 2016 and 2017 - representing just 3% of overall card fraud.
The £30-per-transaction limit is one safeguard, and card issuers also restrict the number of contactless transactions that can be made before the Pin is requested.
Our previous research found that some banks failed to protect their customers properly.
In 2016, we asked volunteers to use their tap-and-pay cards on the high street, spending between £20 and £30 each time, and to keep shopping until they were asked for a Pin, to see how much a thief could spend unchecked.
While most banks asked for a Pin, or blocked the card, after three to five transactions, three debit card providers - Barclays, the Co-operative Bank and TSB - allowed our 'thieves' to spend more than £200 through 10 consecutive transactions in just three hours. A real thief might well have continued.
Since 14 September 2019, new 'strong customer authentication' rules under the EU’s second Payment Services Directive (PSD2) have required banks to ask for a Pin if your cumulative contactless payments exceed €150 (roughly £130) or five consecutive contactless payments have been made.
PSD2 also states that a Pin should be requested where the contactless transaction exceeds €50 (around £43) though there are no current plans to change the existing £30 contactless limit in the UK.
Why was my contactless payment rejected?
As we explained above, strong customer authentication means that you will be asked to use Chip and Pin more often in shops.
The problem, however, is that the card machine will simply reject the payment - and as these extra security checks are very new, shop staff may think your card has been declined.
Monzo has told customers it will send a notification in the app asking you to retry the payment but for other card providers, it won't be so clear.
If a contactless payment is rejected, it's likely that you're making your sixth contactless payment in a row, or have spent €150/£130 across multiple contactless transactions - all you need to do is insert your card and enter your Pin.
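As an added illustration (not part of the original article, and not any bank's actual code), the Python example below models the Pin-request rules described in this section and under 'Are contactless cards safe?': the £30 per-payment limit, the limit of five consecutive contactless payments, and the roughly £130 (€150) cumulative limit. The class and function names are hypothetical, the sample amounts are constructed, and resetting both counters after a successful Pin entry is an assumption.

```python
from dataclasses import dataclass
from decimal import Decimal

# Thresholds quoted in the article; the GBP cumulative figure is its rough
# conversion of EUR 150.
PER_TXN_LIMIT = Decimal("30.00")      # UK contactless limit per payment
CUMULATIVE_LIMIT = Decimal("130.00")  # ~EUR 150 since the last Pin entry
MAX_CONSECUTIVE = 5                   # contactless payments allowed in a row


@dataclass
class ContactlessCounter:
    """Issuer-side state for one card (hypothetical model, not a bank's code)."""
    count: int = 0
    total: Decimal = Decimal("0")

    def decide(self, amount: Decimal) -> str:
        """Return 'approve' or 'pin_required' for one contactless attempt."""
        if amount > PER_TXN_LIMIT:
            return "pin_required"          # single payment over the limit
        if self.count + 1 > MAX_CONSECUTIVE:
            return "pin_required"          # would be the sixth in a row
        if self.total + amount > CUMULATIVE_LIMIT:
            return "pin_required"          # would exceed the cumulative cap
        self.count += 1
        self.total += amount
        return "approve"

    def pin_verified(self) -> None:
        """Assumption: a successful chip and Pin payment resets both counters."""
        self.count = 0
        self.total = Decimal("0")


def unchecked_spend(amounts):
    """Return (total spent, attempt number that triggered the Pin request)."""
    counter = ContactlessCounter()
    spent = Decimal("0")
    for attempt, amount in enumerate(amounts, start=1):
        if counter.decide(amount) != "approve":
            return spent, attempt
        spent += amount
    return spent, None  # no Pin request was triggered


# Constructed sample: ten payments of GBP 20-30, the pattern used in the 2016 test.
SAMPLE = [Decimal(x) for x in ("25", "22", "28", "30", "20", "27", "24", "29", "21", "26")]
```

On the constructed sample, the Pin request comes on the sixth attempt after £125 of spending, compared with the more than £200 across 10 payments that three providers allowed in the 2016 test.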
Can contactless cards be skimmed?
Although the risks are low, it is possible.
In 2015, Which? was able to easily and cheaply acquire contactless-card technology and use this to remotely 'steal' key card details from a contactless card. We were then able to order items online, one of which was a £3,000 TV.
Someone would probably have to be uncomfortably close to you to lift your card details without you knowing - in our tests, the card had to be touched against the mobile card reading device.
Other readers might be more powerful but UK Finance says there have been no verified reports of contactless fraud on cards still in the possession of the original owner.
It is worth noting that despite skimming the card details using the NFC technology in our investigation, this type of crime would be documented as ‘remote purchase fraud’ and not attributed specifically to contactless fraud, because the victim would not know how the details had been obtained.
If fraud that is directly attributable to the contactless functionality of payment cards cannot always be recorded as such, the industry may not be fully aware of the risks.
Fraud on cancelled contactless cards
Previously, contactless cards could still be used even after they were reported stolen and cancelled. This is because some low-value payments could be made offline, meaning they were batched and processed without the store contacting your bank first.
A thief could potentially have used a cancelled contactless card without the retailer or bank realising.
Fraudulent offline payments should be stopped by a Pin request, assuming of course the fraudster doesn't know what it is, but as our 2016 investigation showed, some banks are slack when it comes to this security measure.
Now, the financial regulator has said that almost all contactless card transactions are processed ‘online’, which means they go to the bank for authorisation. Once the card ‘checks in’ online with the bank, it will disable a contactless card that has been reported stolen.
If a fraudster does manage to use a card that you've reported lost or stolen, it's your bank's responsibility to investigate and you shouldn't be left out of pocket.
How do I avoid contactless card fraud?
You can take simple steps to minimise the risk of card fraud:
Never hand over your card
If your card is taken out of your sight someone could run it through a skimming device, which copies the data from its magnetic strip. Avoid keeping cards in pockets or open bags where they are easily accessible.
Ask for a receipt
Contactless users aren’t always offered a receipt, so if you want to keep track of spending and make sure you aren't being overcharged, you may need to ask for one.
Check your statements
You should do this as regularly as possible to look for unusual transactions, including on lost or stolen cards as these can still be used after being cancelled.
Can I opt out of having a contactless card?
If you don’t want a contactless card, many providers let you opt out, although some big banks and credit card providers don't. Check the table below:
| Card provider | Debit card | Credit card |
|---|---|---|
| Bank of Scotland | Yes | Yes |
| Royal Bank of Scotland (RBS) | Yes | No |
| Post Office Money | No* | No* |
| The Co-operative Bank | Yes | No |
Information correct at January 2019, except where * is shown, which is correct at February 2018 because the card provider failed to respond to a request for updated data. If n/a is shown, the provider does not offer this type of card at all. Some basic, youth and business accounts only offer non-contactless cards.