Myths of contactless payments security
As a result of my blog 2 weeks ago, I had the honor to talk to a group of journalists about the myths that still exist on contactless cards and mobile payment technologies. The goal was to debunk these myths so that consumers are better informed on this matter.
Only 4% of all Belgian card transactions are contactless today. This is very low compared to the Netherlands, where this number is 51%, or Europe in general (47%). The sector has worked hard in Belgium over the last few years to set the right conditions for a catch-up. 85% of terminals in the market now accept contactless (similar to the Netherlands), and almost all of the new debit cards that are produced today are contactless. On the issuing side, it is just a matter of waiting for the remaining contact cards to reach the end of their life cycle, which will increase the volume of contactless cards.
What remains: consumer education. New technology these days is perceived as scary. New technology is hard to explain. Nevertheless, I gave it a try. Hopefully it can help you as well in raising awareness of the security aspects of contactless cards.
Myth 1: “A thief can easily electronically pickpocket your contactless card/device if he/she holds a terminal close to you”
FALSE: In order to get hold of a terminal for setting up such a business, you need to see a terminal provider, which is a financial institution. They will run you through a whole Know Your Customer process. This means that they know who you are: you are identified.
Contactless payments are electronic and can be traced back. Since you are identified, and the payment can be identified, there is a 100% chance of getting caught, for a return of only 25€!
25€, that is the maximum amount in Belgium without a PIN code: would you give it a try?
Myth 2: “If a thief does intercept your contactless information, they can create a counterfeit card to use in a store”
FALSE: Card details are encrypted. For every individual card transaction, there is a one-time, unique number that is communicated between the card and the terminal. Contactless changes nothing more than the way information is communicated from one device to the other. It does not change the information itself.
As such, contactless does not pose any risk whatsoever when it comes to counterfeiting a card.
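The one-time number described above, shown as an added illustration that is not part of the original post and not any card scheme's real code. It is a simplified Python model: HMAC-SHA256, the per-tap counter, the terminal's random challenge and all names are assumptions chosen to show why a captured contactless message cannot be reused.

```python
import hashlib
import hmac
import os

def _mac(key, card_id, amount_cents, counter, terminal_nonce):
    # HMAC-SHA256 stands in for the card scheme's real cryptogram algorithm.
    data = f"{card_id}|{amount_cents}|{counter}|".encode() + terminal_nonce
    return hmac.new(key, data, hashlib.sha256).hexdigest()

class Card:
    """Toy chip: the secret key stays inside; only cryptograms leave."""
    def __init__(self, card_id, key):
        self.card_id, self._key, self._counter = card_id, key, 0

    def tap(self, amount_cents, terminal_nonce):
        self._counter += 1  # every tap uses a fresh counter value
        return {"card_id": self.card_id, "amount_cents": amount_cents,
                "counter": self._counter,
                "cryptogram": _mac(self._key, self.card_id, amount_cents,
                                   self._counter, terminal_nonce)}

class Issuer:
    def __init__(self):
        self._keys, self._last_counter = {}, {}

    def issue_card(self, card_id):
        self._keys[card_id] = os.urandom(32)
        self._last_counter[card_id] = 0
        return Card(card_id, self._keys[card_id])

    def authorize(self, msg, terminal_nonce):
        key = self._keys.get(msg["card_id"])
        if key is None:
            return "declined: unknown card"
        expected = _mac(key, msg["card_id"], msg["amount_cents"],
                        msg["counter"], terminal_nonce)
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return "declined: bad cryptogram"
        if msg["counter"] <= self._last_counter[msg["card_id"]]:
            return "declined: counter already used"
        self._last_counter[msg["card_id"]] = msg["counter"]
        return "approved"

def demo():
    issuer = Issuer()
    card = issuer.issue_card("CARD-CONSTRUCTED-001")  # constructed sample id
    nonce1, nonce2 = os.urandom(8), os.urandom(8)
    captured = card.tap(2500, nonce1)            # what an eavesdropper sees
    return [issuer.authorize(captured, nonce1),  # genuine payment
            issuer.authorize(captured, nonce1),  # same message submitted twice
            issuer.authorize(captured, nonce2),  # replay at another terminal
            issuer.authorize(dict(captured, amount_cents=9900), nonce1)]  # edited amount
```

Only the first call is approved: the captured message is tied to one counter value, one terminal challenge and one amount, so it is declined when any of the three no longer matches.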
Myth 3: “Even if a thief cannot counterfeit your card, they can make purchases online or by phone”
FALSE: Contactless is nothing more than a feature to enable communication between a card/device and a terminal. It is technology that is only relevant in the physical world. Just like a regular card, a contactless card does not know your name, billing address, or even the 3-digit CVC code at the back of your card.
That is right: the card does not know what is written on its front or back.
Making a purchase online requires strong customer authentication: in Belgium a card reader is used for that most of the time. Sometimes a card number, cardholder name and 3-digit CVC code are enough. Since these data cannot be transmitted, there is no risk that someone gets access to them through contactless communication.
Myth 4: “In addition to stealing your card data, thieves can also steal your identity”
FALSE: Contactless cards do not transmit any information about the cardholder, such as name and address. This information is not known by your card. There is no interest whatsoever in having this information on the card, because it is not required for making a transaction.
Myth 5: “If someone steals my connected watch, he/she can make purchases from my account.”
FALSE: Paying with a connected device is even more secure than paying with a contactless card. It is important to know that the device does not know your card number. What the device knows is a token of your card number, an encrypted alternative number. This is highly encrypted information that first needs to be ‘detokenized’ by a third party, like Mastercard, in order to make a transaction.
On top of that, a smart watch will not be able to make a transaction without:
- Being worn: the payment feature is disabled once you take the watch off
- At least one PIN entry per day, which is required in order to make other no-PIN contactless transactions.
It was a great learning moment for me as well. Being in the industry, you often forget how complex the world we live in really is. Once you forget how complex payments can be, you start taking things for granted that are not at all easy to understand for the Average Joe.
It is exactly at that moment that professionals get surprised that certain innovations don’t take off. Keep in mind, dear reader: humankind does not like change and gets scared of it. If people do not sufficiently understand what you are offering, it will not be used.
I hope this post helps you demystify the security aspects of contactless NFC technology as well! Today contactless usage in Belgium is growing by about 363%. By taking away hurdles like the above-mentioned preconceived ideas, Belgium should quickly be able to close the gap with the rest of Europe.