What is contactless payment security?
Banks routinely issue customers with contactless cards, and UK shoppers spent £80.5bn on them in 2019.
When Which? surveyed 1,066 people in August 2016 about their views on contactless cards, we found that 73% of the public think having a contactless card makes it quicker to pay for things. But 69% are concerned about their contactless card being stolen and used to make purchases.
Fraud rates are very low, equivalent to less than 2p in every £100 spent in early 2020, but these concerns are not unfounded.
Past investigations by Which? Money have found providers failing to require Pin checks after contactless spending limits were reached, and wrongly refusing to refund customers.
So, should you be using your contactless cards?
How do contactless cards work?
Contactless debit or credit cards allow you to pay for items without entering your Pin, using wireless near-field communication (NFC) technology that enables one device to communicate with another.
Every contactless card has a small chip in it that emits radio waves. To pay for something, you hold the card near a payment terminal, which picks up a signal and processes the transaction.
You can tell whether your card is contactless by looking for a small logo on it which consists of four small curved lines, similar to the wi-fi symbol. The logo is also displayed on payment terminals that accept contactless payments.
What is the contactless payment limit?
Initially in the UK, you could typically only authorise contactless payments of £30 and under (although some retailers allow digital wallet users to spend more than this).
The contactless limit was then increased to £45 at the start of the coronavirus pandemic.
Following the March 2021 Budget, the limit is currently £100, though systems will need to be updated and it will be down to individual retailers to decide whether to accept the higher limit.
If you want to spend more than this, you'll be asked to make a chip and Pin transaction instead.
Can I use contactless to withdraw cash?
Barclays piloted contactless cash machines allowing its customers to withdraw money by tapping their Android smartphones or contactless debit cards.
The bank says this removes the risk of card skimming (fraudsters copying card details at the ATM).
RBS and NatWest customers can also withdraw money without a physical card by generating a Pin within their banking app.
But otherwise, you'll need to use chip and Pin at ATMs.
Can I use my contactless card abroad?
Yes, you can use it anywhere you see the contactless symbol displayed, although different transaction limits may apply and most banks charge fees for using your card abroad.
Here, we highlight the best debit cards to use abroad.
Can I make accidental contactless payments?
It is possible to pay for something without meaning to, but only when you’re close to the reader.
The cashier needs to activate the terminal (or you need to select this option yourself at a self-service till) to accept contactless payments, reducing the risk of mistakes.
Contactless terminals are programmed to take one payment from one card for any one transaction.
Readers have also been designed to reject payment if two contactless cards are presented at the same time.
Do watch out for card clash on the Transport for London (TfL) network though.
If the reader detects more than one card, it could take payment from a card you didn't intend to pay with and you'll be charged the maximum fare for your journey.
Do contactless card protectors work?
There are metal cases that claim to protect your contactless cards, but we're sceptical whether you actually need them.
Contactless 'skimming', where criminals steal money by getting close to you, has never actually been recorded happening outside of laboratory settings.
A criminal would have to set up a retail card account, obtain a card reader, then get within centimetres of your card.
Will my bank refund fraudulent contactless payments?
If a thief steals your contactless card, or copies your card details, your bank should reimburse you.
Fraudulent transactions on contactless cards are protected by the same rules that apply to other card payments. For more, see our guide to fraudulent activity.
If you believe a transaction was fraudulent, it’s the responsibility of the card provider to prove that you authorised the payment or were negligent in not taking reasonable care of your card's security features - and if it can't, then it must reimburse you.
Where can I make contactless payments?
The vast majority of shops accept contactless cards and both Mastercard and Visa set targets for terminals in every UK shop to accept contactless payments by 2020.
London commuters can use contactless cards through the entire transport network and Stagecoach has introduced contactless payments on its buses.
Charities have also started exploring 'tap-and-donate' card readers to boost donations.
The technology behind contactless cards
1. A contactless card contains a chip that holds your account information and an antenna (a loop of copper wire around the edge of the card) which picks up power from the signal sent out by the card reader.
2. A card-reading terminal emits an electromagnetic field - when a card enters this field it is powered 'on'.
3. The chip and the reader communicate with each other using an encrypted language. The reader can then 'introduce itself' to the card.
4. Only when the card recognises the reader will it 'reply' with a coded data transfer.
5. The card terminal should then confirm that payment has been accepted - this usually happens instantly.
Contactless and Oyster on Transport for London (TfL)
In London you can travel around by bus, Tube, tram, DLR, London Overground, TfL Rail, Emirates Air Line, River Bus and most National Rail services using an Oyster card, a contactless card, or a mobile payments app.
An Oyster is a smartcard that you must either load with money to use as pay-as-you-go credit, or add your Travelcards and Bus & Tram Passes to.
Contactless debit or credit cards will also work on the TfL network, with the money taken directly from your account on a pay-as-you-go basis.
At present, you can't add any Travelcards or Bus & Tram passes.
Using a mobile payments app such as Apple Pay, Android Pay or Samsung Pay is no different to using a contactless payment card, although make sure your default card is the same at the beginning and end of your journey to avoid being charged the maximum fare.
Contactless can be cheaper than Oyster
TfL applies daily capping to all Oyster and contactless pay-as-you-go journeys, which means that when the total cost reaches a pre-determined limit, you won't be charged for further journeys in the same zones for the rest of that day.
But only contactless journeys benefit from a weekly cap as well as a daily cap, calculated from Monday to Sunday.
For example, travel between zones 1 and 3 is capped at £43.50 per week.
If you create an online Oyster or contactless account with TfL you can easily report your card as lost, stolen, damaged or failed and apply for refunds if your journey is delayed (by at least 15 minutes on the Underground and DLR, or 30 minutes on the Overground and TfL Rail).
Are contactless cards safe?
Industry figures suggest contactless card fraud remains low, amounting to 2p in every £100 spent in early 2020.
This is lower than the level recorded in 2018 (2.7p) and represents just 2.8% of overall card fraud.
The £100-per-transaction limit is one safeguard, and card issuers also restrict the number of contactless transactions that can be made before the Pin is requested.
However, our previous research found that some banks failed to enforce this limit on Pin-free transactions.
How much could a thief spend on a stolen card?
Under the EU’s second Payment Services Directive (PSD2) banks must ask for a Pin if your cumulative contactless payments exceed €150 (roughly £130) or five consecutive contactless payments have been made. PSD2 also states that a Pin should be requested where the contactless transaction exceeds €50 (around £43).
These safeguards are known as 'strong customer authentication' which also affects online banking.
However, the UK's departure from the EU means that we have set our own caps of:
- single contactless payments of up to £100, and
- cumulative contactless payments up to £300.
Digital wallets such as Apple Pay and Google Pay are exempt from the cap on transactions - though some retailers may set a lower transaction limit - as are unattended payment terminals such as parking meters and transport systems.
Why was my contactless payment rejected?
As we explained above, strong customer authentication means that you should be asked to use chip and Pin when your cumulative spend reaches £300.
The problem, however, is that the card machine will simply reject the payment - and as these extra security checks are relatively new, shop staff may think your card has been declined.
Monzo has told customers it will send a notification in the app asking you to retry the payment but for other card providers, it won't be so clear.
If a contactless payment is rejected, it's likely that you have spent £300 across multiple contactless transactions - all you need to do is insert your card and enter your Pin.
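
The Pin step-up rules described in the two sections above, modelled as issuer-side counters in an added example (not code from Which? or any card provider). The class and function names are hypothetical, and the example assumes that a successful chip and Pin resets the counters and that exempt payments do not count towards them.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional


@dataclass(frozen=True)
class Policy:
    single_limit: Decimal            # largest single Pin-free payment
    cumulative_limit: Decimal        # Pin-free total allowed since the last Pin
    max_consecutive: Optional[int]   # Pin-free payments allowed in a row, if capped


# Thresholds as stated in the article (amounts in EUR and GBP respectively).
PSD2 = Policy(Decimal("50"), Decimal("150"), 5)
UK = Policy(Decimal("100"), Decimal("300"), None)


class CardCounters:
    """Hypothetical issuer-side state for one card since its last chip and Pin."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self.total = Decimal("0")
        self.count = 0

    def contactless(self, amount: str, exempt: bool = False) -> str:
        """Return 'APPROVE' or 'PIN_REQUIRED' for a tap of `amount`."""
        value = Decimal(amount)
        if exempt:
            # Digital wallet or unattended terminal: caps not applied.
            # Assumption: exempt taps leave the counters unchanged.
            return "APPROVE"
        p = self.policy
        if (value > p.single_limit
                or self.total + value > p.cumulative_limit
                or (p.max_consecutive is not None and self.count >= p.max_consecutive)):
            return "PIN_REQUIRED"  # shopper sees a rejection; counters untouched
        self.total += value
        self.count += 1
        return "APPROVE"

    def chip_and_pin(self) -> None:
        """A verified Pin resets both counters (assumed reset behaviour)."""
        self.total = Decimal("0")
        self.count = 0


def replay(policy: Policy, taps: list[str]) -> list[str]:
    """Run constructed tap amounts against a fresh card and collect decisions."""
    card = CardCounters(policy)
    return [card.contactless(t) for t in taps]
```

A stolen card run through `replay(UK, [...])` stops being approved once the Pin-free total would pass £300, which is the check the article says some banks failed to enforce.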
Can contactless cards be skimmed?
Banking association UK Finance says there have been no verified reports of contactless fraud on cards still in the possession of the original owner.
In theory, skimming could take place. In 2015, Which? was able to easily and cheaply acquire contactless-card technology and use this to remotely 'steal' key card details from a contactless card. We were then able to order items online, one of which was a £3,000 TV.
Someone would probably have to be uncomfortably close to you to lift your card details without you knowing - in our tests, the card had to be touched against the mobile card reading device. Other readers might be more powerful, but a criminal would still have to obtain a retail reader and corresponding account.
It is worth noting that despite skimming the card details using the NFC technology in our investigation, this type of crime would be documented as ‘remote purchase fraud’ and not attributed specifically to contactless fraud, because the victim would not know how the details had been obtained.
If fraud that is directly attributable to the contactless functionality of payment cards cannot always be recorded as such, the industry may not be fully aware of the risks.
Fraud on cancelled contactless cards
Previously, contactless cards could still be used even after they were reported stolen and cancelled. This is because some low-value payments could be made offline, meaning they were batched and processed without the store contacting your bank first.
A thief could potentially have used a cancelled contactless card without the retailer or bank realising.
Fraudulent offline payments should be stopped by a Pin request, assuming of course the fraudster doesn't know what it is, but as our 2016 investigation showed, some banks are slack when it comes to this security measure.
Now, the financial regulator has said that almost all contactless card transactions are processed ‘online’, which means they go to the bank for authorisation. Once the card ‘checks in’ online with the bank, it will disable a contactless card that has been reported stolen.
If a fraudster does manage to use a card that you've reported lost or stolen, it's your bank's responsibility to investigate and you shouldn't be left out of pocket.
How do I avoid contactless card fraud?
You can take simple steps to minimise the risk of card fraud:
Never hand over your card
If your card is taken out of your sight someone could run it through a skimming device, which copies the data from its magnetic strip. Avoid keeping cards in pockets or open bags where they are easily accessible.
Ask for a receipt
Contactless users aren’t always offered a receipt, so if you want to keep track of spending and make sure you aren't being overcharged, you may need to ask for one.
Check your statements
You should do this as regularly as possible to look for unusual transactions, including on lost or stolen cards as these can still be used after being cancelled.
Can I opt-out of having a contactless card?
If you don’t want a contactless card, many providers let you opt-out, although some big banks and credit card providers don't. Check the table below:
| Card provider | Debit card | Credit card |
|---|---|---|
| Bank of Scotland | Yes | Yes |
| Royal Bank of Scotland (RBS) | Yes | No |
| The Co-operative Bank | Yes | No |
Information correct at October 2020 except for NatWest and RBS which is correct at January 2019 due to banks failing to provide updated data. If n/a this means the provider does not offer this type of card at all. Some basic, youth and business accounts only offer non-contactless cards.