What is contactless payment security?
Banks routinely issue customers with contactless cards, and we're spending over £4bn on them every month in the UK.
When Which? surveyed 1,066 people in August 2016 about their views on contactless cards, we found that 73% of the public think having a contactless card makes it quicker to pay for things. But 69% are concerned about their contactless card being stolen and used to make purchases.
These concerns are not unfounded. A Which? Money investigation in 2016 revealed significant security flaws when we tested 12 leading credit and debit cards.
And although banks say they will refund fraudulent purchases, our previous research has found card fraud cases where refunds were delayed – or wrongly refused.
So, should you be using your contactless cards?
How do contactless payment cards work?
Contactless debit or credit cards allow you to pay for items without entering your Pin – by using wireless near-field communication (NFC) technology that enables one device to communicate with another.
Every contactless card has a small chip in it that emits radio waves. To pay for something, you hold the card near a payment terminal, which picks up a signal and processes the transaction.
You can tell whether your card is contactless by looking for a small logo on it which consists of four small curved lines, similar to the wi-fi symbol. The logo is also displayed on payment terminals that accept contactless payments.
What is the contactless payment limit?
In the UK, you can only authorise contactless payments of £30 and under.
If you want to spend more than this, you'll be asked to make a chip and Pin transaction instead.
Can I use contactless to withdraw cash?
Barclays is piloting contactless cash machines allowing its customers to withdraw money by tapping their Android smartphones or contactless debit cards.
The bank says this removes the risk of card skimming (fraudsters copying card details at the ATM).
RBS and NatWest customers can also withdraw money without a physical card by generating a Pin within their banking app.
But otherwise, you'll need to use chip and Pin at ATMs.
Can I use my contactless card abroad?
Yes, you can use it anywhere you see the contactless symbol displayed, although different transaction limits may apply and most banks charge fees for using your card abroad.
Here, we highlight the best debit cards to use abroad.
Can I make accidental contactless payments?
It is possible to pay for something without meaning to, but only when you’re close to the reader.
The cashier needs to activate the terminal (or you need to select this option yourself at a self-service till) to accept contactless payments, reducing the risk of mistakes.
Contactless terminals are programmed to take one payment from one card for any one transaction.
Readers have also been designed to reject payment if two contactless cards are presented at the same time.
Do watch out for card clash on the Transport for London (TfL) network though.
If the reader detects more than one card, it could take payment from a card you didn't intend to pay with and you'll be charged the maximum fare for your journey.
Do contactless card protectors work?
There are metal cases that claim to protect your contactless cards.
Although many Which? members report using these successfully, we haven’t yet tested their effectiveness.
Our researchers tested wrapping a card in tin foil – and this prevented it from being read, even when we rubbed it against the reader. While we don’t think this is essential, we believe that lining your wallet with foil should protect your card details.
Will my bank refund fraudulent contactless payments?
If a thief steals your contactless card, or copies your card details, your bank should reimburse you.
Fraudulent transactions on contactless cards are protected by the same rules that apply to other card payments. For more, see our guide to fraudulent activity.
If you believe a transaction was fraudulent, it’s the responsibility of the card provider to prove that you authorised the payment or were negligent in not taking reasonable care of your card's security features – and if it can't, then it must reimburse you.
Where can I make contactless payments?
Many shops accept contactless cards, including Marks & Spencer, Boots and Waitrose, although there are still some major stores that don’t offer contactless transactions, including Debenhams and John Lewis.
London commuters can use contactless cards through the entire transport network, and both Mastercard and Visa have set targets for terminals in every UK shop to accept contactless payments by 2020.
The technology behind contactless cards
1. A contactless card contains a chip that holds your account information and an antenna (a loop of copper wire around the edge of the card) which picks up power from the signal sent out by the card reader.
2. A card-reading terminal emits an electromagnetic field – when a card enters this field it is powered 'on'.
3. The chip and the reader communicate with each other using an encrypted language. The reader can then 'introduce itself' to the card.
4. Only when the card recognises the reader will it 'reply' with a coded data transfer.
5. The card terminal should then confirm that payment has been accepted – this usually happens instantly.
Contactless and Oyster on Transport for London (TfL)
In London you can travel around by bus, Tube, tram, DLR, London Overground, TfL Rail, Emirates Air Line, River Bus and most National Rail services using an Oyster card, a contactless card, or a mobile payments app.
An Oyster is a smartcard that you must either load with money to use as pay-as-you-go credit, or add your Travelcards and Bus & Tram Passes to.
Contactless debit or credit cards will also work on the TfL network, with the money taken directly from your account on a pay-as-you-go basis.
At present, you can't add any Travelcards or Bus & Tram passes.
Using a mobile payments app such as Apple Pay, Android Pay or Samsung Pay is no different to using a contactless payment card, although make sure your default card is the same at the beginning and end of your journey to avoid being charged the maximum fare.
Contactless can be cheaper than Oyster
TfL applies daily capping to all Oyster and contactless pay-as-you-go journeys, which means that when the total cost reaches a pre-determined limit, you won't be charged for further journeys in the same zones for the rest of that day.
But only contactless journeys benefit from a weekly cap as well as a daily cap, calculated from Monday to Sunday.
For example, travel between zones 1 and 3 is capped at £40 per week.
If you create an online Oyster or contactless account with TfL you can easily report your card as lost, stolen, damaged or failed and apply for refunds if your journey is delayed (by at least 15 minutes on the Underground and DLR, or 30 minutes on the Overground and TfL Rail).
Are contactless cards safe?
Card issuers restrict the number of contactless transactions that can be made before the Pin is requested, to prevent fraud.
The £30-per-transaction limit is another safeguard. However, our research suggests that some banks are failing to protect their customers properly.
In 2016, we asked volunteers to use their tap-and-pay cards on the high street, spending between £20 and £30 each time, and to keep shopping until they were asked for a Pin, to see how much a thief could spend unchecked.
While most banks asked for a Pin, or blocked the card, after three to five transactions, three debit card providers – Barclays, the Co-operative Bank and TSB – allowed our 'thieves' to spend more than £200 through 10 consecutive transactions in just three hours. A real thief might well have continued.
Fraud on cancelled contactless cards
Another problem with contactless cards is that they can still be used even after they’re reported stolen, because the card itself doesn’t always ‘know’ it has been cancelled.
The reason for this is that contactless payments can be made offline, so that they can be batched and processed without the store contacting your bank first.
A thief could potentially use the cancelled card without the retailer or bank realising.
This is in contrast to online transactions, which go to the bank for authorisation (this process can be triggered by the card’s chip, or the value of the transaction). Once the card ‘checks in’ online with the bank, it will disable a contactless card that’s been reported stolen.
Fraudulent offline payments should be stopped by a Pin request, assuming of course the fraudster doesn’t know what it is, but as our 2016 investigation showed, some banks are slack when it comes to this security measure.
Ultimately, if a cancelled contactless card is used, it's your bank's responsibility to investigate and you shouldn't be left out of pocket.
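The two safeguards described above (a cap on consecutive taps before a Pin is requested, and the online check-in that disables a cancelled card) can be modelled in a few lines. This is an added, simplified illustration, not code from Which? or any bank; the `max_taps` setting, the function names and the £25 purchase amounts are assumptions.

```python
from dataclasses import dataclass

LIMIT_PENCE = 3000  # the £30 per-transaction contactless limit stated on the page


@dataclass
class Card:
    max_taps: int             # assumed issuer setting: taps allowed between Pin checks
    taps_since_pin: int = 0
    disabled: bool = False    # set only once the card has 'checked in' online


def tap(card, amount_pence, cancelled_at_bank, terminal_online):
    """Outcome of one contactless tap: APPROVED, PIN_REQUIRED or DECLINED."""
    if card.disabled:
        return "DECLINED"
    if amount_pence > LIMIT_PENCE:
        return "PIN_REQUIRED"             # over the limit: chip and Pin instead
    if card.taps_since_pin >= card.max_taps:
        return "PIN_REQUIRED"             # counter exhausted: Pin check forced
    if terminal_online and cancelled_at_bank:
        card.disabled = True              # online check-in disables the stolen card
        return "DECLINED"
    card.taps_since_pin += 1              # offline tap, or online and not cancelled
    return "APPROVED"


def spend_until_stopped(card, amounts, cancelled_at_bank=False, terminal_online=False):
    """Total pence someone without the Pin could spend before being stopped."""
    total = 0
    for amount in amounts:
        if tap(card, amount, cancelled_at_bank, terminal_online) != "APPROVED":
            break
        total += amount
    return total


# Constructed input: ten purchases of £25, within the £20-£30 range of the 2016 test.
PURCHASES = [2500] * 10

if __name__ == "__main__":
    for label, taps, online in [("Pin after 5 taps, offline", 5, False),
                                ("Pin after 10 taps, offline", 10, False),
                                ("Pin after 10 taps, online", 10, True)]:
        spent = spend_until_stopped(Card(max_taps=taps), PURCHASES, True, online)
        print(f"{label}: £{spent / 100:.2f} spent on a cancelled card")
```

In this model the cancellation only takes effect when a terminal goes online, so for offline taps the consecutive-tap cap is the only control that bounds the loss.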
Can contactless cards be skimmed?
Although the risks are low, it is possible.
In 2015, Which? was able to easily and cheaply acquire contactless-card technology and use this to remotely 'steal' key card details from a contactless card. We were then able to order items online, one of which was a £3,000 TV.
Someone would probably have to be very close to you to lift your card details without you knowing.
In our tests, the card had to be touched against the mobile card reading device, although other readers might be more powerful.
Industry figures suggest contactless card fraud is low, amounting to 2.7p in every £100 spent using the technology, which represents just 1.1% of overall card fraud.
However, it is possible that these figures do not reflect all losses – because fraud that is directly attributable to the contactless functionality of payment cards cannot always be recorded as such.
In our tests, despite skimming the card details using the NFC technology, this type of crime would be documented as ‘remote purchase fraud’ and not attributed specifically to contactless fraud, because the victim would not know how the details had been obtained.
How do I avoid contactless card fraud?
You can take simple steps to minimise the risk of card fraud:
Never hand over your card
If your card is taken out of your sight someone could run it through a skimming device, which copies the data from its magnetic strip. Avoid keeping cards in pockets or open bags where they are easily accessible.
Ask for a receipt
Contactless users aren’t always offered a receipt – so if you want to keep track of spending and make sure you aren't being overcharged, you may need to ask for one.
Check your statements
You should do this as regularly as possible to look for unusual transactions, including on lost or stolen cards as these can still be used after being cancelled.
Can I opt out of having a contactless card?
If you don’t want a contactless card, many providers let you opt out, although some big banks and credit card providers don't.
Check the table below (correct at February 2018):
|Card providers||Can you opt out of a contactless debit card?||Can you opt out of a contactless credit card?|
|Co-op Bank (and Smile)|
|Clydesdale and Yorkshire Banks|
|Lloyds (and Bank of Scotland, Halifax)|
|NatWest (and RBS, Ulster Bank)|
|Post Office Money (Bank of Ireland)|
American Express, Capital One and MBNA don't offer any debit cards; Cumberland BS, Monzo and Starling don't offer any credit cards; contactless functionality isn't yet available on Danske Bank credit cards.
Some basic, youth and business accounts only offer non-contactless cards: Co-op Bank Cashminder and business credit cards, Danske Standard and Discovery, Lloyds Basic and Youth, Post Office Money Control, Santander Basic and Business, and Tesco business credit cards.