What is contactless payment security?
Banks routinely issue customers with contactless cards, and we're spending over £4bn on them every month in the UK.
When Which? surveyed 1,066 people in August 2016 about their views on contactless cards, we found that 73% of the public think having a contactless card makes it quicker to pay for things. But 69% are concerned about their contactless card being stolen and used to make purchases.
These concerns are not unfounded. A Which? Money investigation in 2016 revealed significant security flaws when we tested 12 leading credit and debit cards.
And although banks say they will refund fraudulent purchases, our previous research has found card fraud cases where refunds were delayed – or wrongly refused.
So, should you be using your contactless cards?
How do contactless payment cards work?
Contactless debit or credit cards allow you to pay for items without entering your Pin – by using wireless near-field communication (NFC) technology that enables one device to communicate with another.
Every contactless card has a small chip in it that emits radio waves. To pay for something, you hold the card near a payment terminal, which picks up a signal and processes the transaction.
You can tell whether your card is contactless by looking for a small logo on it which consists of four small curved lines, similar to the wi-fi symbol. The logo is also displayed on payment terminals that accept contactless payments.
Where can I make contactless payments?
Many shops accept contactless cards, including Marks & Spencer, Boots and Waitrose, although there are still some major stores that don’t offer contactless transactions, including Debenhams and John Lewis.
London commuters can use contactless cards through the entire transport network, and both Mastercard and Visa have set targets for terminals in every UK shop to accept contactless payments by 2020.
The technology behind contactless cards
1. A contactless card contains a chip that holds your account information and an antenna (a loop of copper wire around the edge of the card) which picks up power from the signal sent out by the card reader.
2. A card-reading terminal emits an electromagnetic field – when a card enters this field it is powered 'on'.
3. The chip and the reader communicate with each other using an encrypted language. The reader can then 'introduce itself' to the card.
4. Only when the card recognises the reader will it 'reply' with a coded data transfer.
5. The card terminal should then confirm that payment has been accepted – this usually happens instantly.
Contactless and Oyster on Transport for London (TfL)
In London you can travel around by bus, Tube, tram, DLR, London Overground, TfL Rail, Emirates Air Line, River Bus and most National Rail services using an Oyster card, a contactless card, or a mobile payments app.
An Oyster is a smartcard that you must either load with money to use as pay-as-you-go credit, or add your Travelcards and Bus & Tram Passes to.
Contactless debit or credit cards will also work on the TfL network, with the money taken directly from your account on a pay-as-you-go basis.
At present, you can't add any Travelcards or Bus & Tram passes to a contactless card.
Using a mobile payments app such as Apple Pay, Android Pay or Samsung Pay is no different to using a contactless payment card, although make sure your default card is the same at the beginning and end of your journey to avoid being charged the maximum fare.
Contactless can be cheaper than Oyster
TfL applies daily capping to all Oyster and contactless pay-as-you-go journeys, which means that when the total cost reaches a pre-determined limit, you won't be charged for further journeys in the same zones for the rest of that day.
But only contactless journeys benefit from a weekly cap as well as a daily cap, calculated from Monday to Sunday.
For example, travel between zones 1 and 3 is capped at £40 per week.
If you create an online Oyster or contactless account with TfL you can easily report your card as lost, stolen, damaged or failed and apply for refunds if your journey is delayed (by at least 15 minutes on the Underground and DLR, or 30 minutes on the Overground and TfL Rail).
Are contactless cards safe?
Card issuers restrict the number of contactless transactions that can be made before the Pin is requested, to prevent fraud.
The £30-per-transaction limit is another safeguard. However, our research suggests that some banks are failing to protect their customers properly.
In 2016, we asked volunteers to use their tap-and-pay cards on the high street, spending between £20 and £30 each time, and to keep shopping until they were asked for a Pin, to see how much a thief could spend unchecked.
While most banks asked for a Pin, or blocked the card, after three to five transactions, three debit card providers – Barclays, the Co-operative Bank and TSB – allowed our 'thieves' to spend more than £200 through 10 consecutive transactions in just three hours. A real thief might well have continued.
Fraud on cancelled contactless cards
Another problem with contactless cards is that they can still be used even after they’re reported stolen, because the card itself doesn’t always ‘know’ it has been cancelled.
The reason for this is that contactless payments can be made offline, so that they can be batched and processed without the store contacting your bank first.
A thief could potentially use the cancelled card without the retailer or bank realising.
This is in contrast to online transactions, which go to the bank for authorisation (this process can be triggered by the card’s chip, or the value of the transaction). Once the card ‘checks in’ online with the bank, it will disable a contactless card that’s been reported stolen.
Fraudulent offline payments should be stopped by a Pin request, assuming of course the fraudster doesn’t know what it is, but as our 2016 investigation showed, some banks are slack when it comes to this security measure.
Ultimately, if a cancelled contactless card is used, it's your bank's responsibility to investigate and you shouldn't be left out of pocket.
Can contactless cards be skimmed?
Although the risks are low, it is possible.
In 2015, Which? was able to easily and cheaply acquire contactless-card technology and use this to remotely 'steal' key card details from a contactless card. We were then able to order items online, one of which was a £3,000 TV.
Someone would probably have to be very close to you to lift your card details without you knowing.
In our tests, the card had to be touched against the mobile card reading device, although other readers might be more powerful.
Industry figures suggest contactless card fraud is low, amounting to 2.7p in every £100 spent using the technology, which represents just 1.1% of overall card fraud.
However, it is possible that these figures do not reflect all losses – because fraud that is directly attributable to the contactless functionality of payment cards cannot always be recorded as such.
In our tests, despite skimming the card details using the NFC technology, this type of crime would be documented as ‘remote purchase fraud’ and not attributed specifically to contactless fraud, because the victim would not know how the details had been obtained.
How do I avoid contactless card fraud?
You can take simple steps to minimise the risk of card fraud:
Never hand over your card
If your card is taken out of your sight someone could run it through a skimming device, which copies the data from its magnetic strip. Avoid keeping cards in pockets or open bags where they are easily accessible.
Ask for a receipt
Contactless users aren’t always offered a receipt – so if you want to keep track of spending and make sure you aren't being overcharged, you may need to ask for one.
Check your statements
You should do this as regularly as possible to look for unusual transactions, including on lost or stolen cards as these can still be used after being cancelled.
Can I opt out of having a contactless card?
If you don’t want a contactless card, many providers let you opt out, although some big banks and credit card providers don't.
Check the table below (correct at February 2018):
|Card providers||Can you opt out of a contactless debit card?||Can you opt out of a contactless credit card?|
|Co-op Bank (and Smile)|
|Clydesdale and Yorkshire Banks|
|Lloyds (and Bank of Scotland, Halifax)|
|NatWest (and RBS, Ulster Bank)|
|Post Office Money (Bank of Ireland)|
American Express, Capital One and MBNA don't offer any debit cards; Cumberland BS, Monzo and Starling don't offer any credit cards; contactless functionality isn't yet available on Danske Bank credit cards.
Some basic, youth and business accounts only offer non-contactless cards: Co-op Bank Cashminder and business credit cards, Danske Standard and Discovery, Lloyds Basic and Youth, Post Office Money Control, Santander Basic and Business, and Tesco business credit cards.