By T. Leigh Buehler | 11/05/2024
Contactless payment systems are rapidly becoming the preferred method of transactions throughout the world. They offer significant advantages such as convenience and speed, making for a more pleasant checkout experience for shoppers.
Customers can pay for their goods or services at large or small businesses by simply tapping their contactless device, like a payment card or digital wallet, on a compatible point-of-sale (POS) terminal. A personal identification number (PIN) or signature is not required for smaller purchases.
The Rise of Contactless Payments
The COVID-19 pandemic helped to make contactless transactions like mobile payments much more popular. According to Statista, the use of contactless payments increased from 37% in 2019 to over 53% in 2021.
Customers and businesses wanting to follow health and safety measures and minimize physical contact with each other were the moving force behind the growth of contactless transactions. Contactless cards, digital wallets, and Near Field Communication (NFC) technology have become integral to this payment transformation.
But the contactless payment system is not completely immune to vulnerabilities that could expose both individuals and businesses to fraud and monetary loss.
Digital Wallets and Contactless Cards
Digital wallets like Apple Pay®, Google Wallet®, or Samsung Pay® enable customers to store cards on their phones and pay for purchases with a quick tap or scan using a card reader at a checkout counter. These wallets are considered secure and use tokenization and biometrics to protect your information. These security protections make it harder for fraudsters to steal sensitive details about you.
However, there is a slight downside. Digital wallets won’t work if your phone dies or if the retailer doesn’t accept this form of payment. As a result, you will sometimes need your physical credit card.
A contactless card lets you tap to pay without needing to insert the card into a machine or swipe it through the machine. This form of payment is quick and easy, and it doesn’t rely on your phone’s battery life. Many businesses worldwide accept contactless payments, making it a travel-friendly option.
Contactless payment systems utilize Radio Frequency Identification (RFID) or Near Field Communication (NFC) technology to enable quick and secure transactions. When you tap your card or mobile device on a payment terminal, RFID sends encrypted information via radio waves to the terminal, allowing for a seamless exchange of data.
Additionally, many contactless systems use Dynamic Data Authentication (DDA), which generates a unique transaction code for each payment. This one-time code ensures that even if your information is intercepted, it cannot be reused. This security method helps to prevent fraud at payment terminals.
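The one-time-code property described above, shown as an added example that is not part of the original article. It is a simplified model: HMAC-SHA256 over a transaction counter stands in for the card's real cryptography, and the key, class names and message layout are assumptions made for illustration.

```python
import hashlib
import hmac


def _code(key: bytes, counter: int, amount_cents: int, nonce: bytes) -> str:
    # The code binds the counter, the amount and the terminal's nonce together.
    msg = f"{counter}|{amount_cents}|".encode() + nonce
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


class Card:
    """Simplified card: a secret key plus a counter that only goes up."""

    def __init__(self, key: bytes):
        self._key, self._counter = key, 0

    def pay(self, amount_cents: int, nonce: bytes) -> dict:
        self._counter += 1
        return {"counter": self._counter, "amount": amount_cents, "nonce": nonce,
                "code": _code(self._key, self._counter, amount_cents, nonce)}


class Issuer:
    """Simplified issuer: shares the key and remembers the last counter seen."""

    def __init__(self, key: bytes):
        self._key, self._last_counter = key, 0

    def authorize(self, tx: dict) -> str:
        expected = _code(self._key, tx["counter"], tx["amount"], tx["nonce"])
        if not hmac.compare_digest(expected, tx["code"]):
            return "declined: bad code"
        if tx["counter"] <= self._last_counter:
            return "declined: replayed code"   # same code presented twice
        self._last_counter = tx["counter"]
        return "approved"


def demo() -> list:
    key = b"constructed-demo-key"              # constructed sample key
    card, issuer = Card(key), Issuer(key)
    first = card.pay(1250, b"nonce-A")
    results = [issuer.authorize(first)]        # genuine tap
    results.append(issuer.authorize(first))    # intercepted copy, resubmitted
    altered = dict(first, amount=99900, counter=2)
    results.append(issuer.authorize(altered))  # captured code on changed data
    results.append(issuer.authorize(card.pay(800, b"nonce-B")))  # next real tap
    return results


if __name__ == "__main__":
    print(demo())
```
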
But contactless payments carry potential risks, including:
- Unauthorized transactions
- Data theft and skimming
- Vulnerabilities in mobile payment systems
- The increased complexity of security measures
- Limited liability protection
Unauthorized Transactions
One of the primary concerns surrounding contactless payments is misuse. Since contactless cards allow for payments without PIN verification up to a certain limit (usually between $50 and $100), it becomes easier for criminals to make illegal payments using a lost or stolen card.
Unlike traditional chip-and-PIN transactions where the user must enter a code, contactless payments rely on the proximity of the card to the terminal. Because no verification code is required, a thief can quickly use a stolen card.
The Federal Trade Commission’s Consumer Sentinel Network Data Book reported a significant increase in contactless card fraud complaints between 2018 and 2021, driven largely by the ease with which criminals could conduct small-value payments without detection. If cardholders do not immediately notice that their cards have been stolen, multiple contactless purchases could be made within a brief period before a card is reported missing.
With no requirement for PIN entry, transactions go unnoticed until a cardholder reviews the account or receives alerts from the bank. In some instances, even when reported promptly, the bank’s reimbursement may be limited to specific conditions, leaving the cardholder at a financial loss.
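One way an issuer could catch the burst of small no-PIN purchases described above, as an added example that is not from the original article. The window, the tap and spend thresholds, and the transaction fields are assumptions, and the sample transactions are constructed.

```python
from datetime import datetime, timedelta

# Assumed policy values, chosen only for illustration.
WINDOW = timedelta(minutes=30)
MAX_TAPS = 3              # no-PIN taps allowed inside the window
MAX_TOTAL_CENTS = 10000   # cumulative no-PIN spend allowed inside the window


def flag_tap_bursts(transactions):
    """Return ids of no-PIN taps that should be stepped up to PIN entry."""
    flagged, recent = [], []
    for tx in sorted(transactions, key=lambda t: t["time"]):
        if tx["pin_verified"]:
            recent.clear()  # cardholder proved presence, so start counting again
            continue
        # Keep only earlier no-PIN taps that still fall inside the window.
        recent = [r for r in recent if tx["time"] - r["time"] <= WINDOW]
        recent.append(tx)
        total = sum(r["amount_cents"] for r in recent)
        if len(recent) > MAX_TAPS or total > MAX_TOTAL_CENTS:
            flagged.append(tx["id"])
    return flagged


def _tx(tx_id, hour, minute, amount_cents, pin_verified=False):
    return {"id": tx_id, "time": datetime(2024, 11, 5, hour, minute),
            "amount_cents": amount_cents, "pin_verified": pin_verified}


# Constructed sample: a normal morning tap, a rapid afternoon burst,
# then a PIN-verified purchase followed by one more tap.
SAMPLE = [
    _tx("t1", 9, 0, 450),
    _tx("t2", 13, 10, 2300),
    _tx("t3", 13, 15, 4000),
    _tx("t4", 13, 22, 4500),   # pushes the 30-minute total past the spend limit
    _tx("t5", 13, 30, 300),    # fourth no-PIN tap inside the window
    _tx("t6", 18, 0, 8000, pin_verified=True),
    _tx("t7", 18, 5, 1200),
]

if __name__ == "__main__":
    print(flag_tap_bursts(SAMPLE))
```
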
Data Theft and Skimming
Another significant risk associated with the contactless payment method is skimming, a type of data theft. Skimming involves fraudsters using illicit devices to capture the data transmitted during a contactless transaction.
Contactless payments use NFC technology, which operates over short distances (up to about four centimeters). As a result, criminals can discreetly use skimming devices in crowded areas like airports, public transportation, or shopping centers to intercept card information from unsuspecting consumers.
Though the information obtained through skimming might not be enough to conduct fraudulent purchases (since card numbers alone do not necessarily include the security code or PIN), criminals can still use the stolen data for other malicious purposes. For instance, the data could be paired with other stolen information to clone cards or commit identity theft. In some cases, this information can be sold on the black market or used for social engineering attacks.
Vulnerabilities in Mobile Payment Systems
In addition to contactless cards, mobile wallets have gained popularity as secure payment methods. These wallets offer users the convenience of linking their payment cards to their smartphones, which can then be used for contactless payments at compatible terminals. While these wallets offer additional layers of security – including biometric authentication such as fingerprints or facial recognition – they are still vulnerable to certain risks such as malware and phishing attacks.
One potential risk is the use of malicious apps designed to steal users’ payment credentials. If a smartphone is infected with malware, it may allow hackers to access stored payment information or manipulate transactions.
The malware operates in the background, siphoning sensitive data like card numbers and transaction history. In some cases, it could even initiate payments without the user’s consent, leaving them with significant financial losses.
Similarly, phishing scams targeting mobile wallet users can trick individuals into revealing sensitive information that could be used to compromise their financial accounts.
The Increased Complexity of Security Measures
Contactless transactions involve multiple actors, including banks, payment processors, card issuers, and merchants. The complexity of these interconnected systems increases the potential for security gaps, making it more challenging to safeguard customers from fraud and data breaches.
If a merchant's terminal is not adequately secured, hackers could potentially compromise the terminal to capture payment data during transactions. This increased complexity also makes it harder for regulators to keep up with emerging threats and enforce adequate security standards across the entire payment ecosystem.
Contactless systems rely on communication between multiple devices (such as a smartphone and a terminal). Consequently, there is always a possibility that hackers could intercept the signals and manipulate the data being transferred.
Since the vulnerability lies with the terminal, consumers may have no way of knowing that their data is being stolen until fraudulent transactions start appearing on their accounts. In terminal breaches, consumers and merchants may suffer significant financial losses, as resolving such incidents can be costly and time-consuming.
Limited Liability Protection
While most banks and card issuers offer fraud protection that covers cardholders against fraudulent contactless transactions, liability protections may vary depending on the region and the circumstances of the fraud. In some cases, the card's issuing bank may not fully reimburse consumers for fraudulent purchases, especially if they fail to promptly report the loss or theft of their cards.
For example, banks might limit liability for contactless fraud to a certain amount or may refuse to reimburse customers who were negligent in safeguarding their contactless cards. These bank rules can lead to financial losses for cardholders, particularly if they are unaware of the specific terms and conditions governing their contactless payment protections.
Tokenization and Encryption Can Be Helpful in Improving the Security of Contactless Payment Systems
Research conducted by the European Payments Council notes that while contactless payments pose risks, the technology also includes inherent security features such as tokenization and encryption that significantly reduce the likelihood of successful fraud attempts. Tokenization, for example, replaces sensitive card information with unique tokens during purchases, making it harder for criminals to steal valuable data.
Despite these security measures, it is essential for consumers and businesses alike to remain vigilant and adopt best practices to mitigate the risks associated with contactless payment systems.
Best Practices for Reducing Contactless Payment Risks
While contactless payment systems do present certain risks, consumers can take several proactive steps to protect themselves from fraud and data theft:
1. Monitor transactions regularly: Consumers should regularly review their bank statements or use mobile banking apps to monitor their purchases in real time. Any unfamiliar purchases should be reported immediately to financial institutions to minimize losses.
2. Use mobile wallets with biometric authentication: Mobile wallets often provide more robust security features than contactless cards. Features like fingerprint or facial recognition add an extra layer of protection, reducing the likelihood of unauthorized purchases.
3. Set transaction alerts: Many banks offer the option to receive text messages or email alerts for every transaction made with a contactless card or mobile wallet. These alerts can help cardholders detect fraudulent activity quickly.
4. Use RFID-blocking wallets: To prevent skimming attacks, consumers can use RFID-blocking wallets or card sleeves that shield their contactless cards from being read by skimming devices.
5. Report lost or stolen cards immediately: Cardholders should report any lost or stolen cards to their financial institutions immediately to block further purchases.
Contactless payments have really changed how we shop, making it faster, easier, and much more convenient. But like any technology, it is not without its risks.
These risks should not scare you away from using contactless payments. Instead, just be smart about them.
Make use of security features like fingerprint or face ID, keep an eye on your purchase records, and stay vigilant. With simple steps, you can enjoy the benefits of contactless payments while keeping your finances safe.
The Retail Management Degree at American Military University
For students who are interested in contactless payments, point-of-sale terminals, retail customer service, sustainability, and other aspects of retail management, American Military University (AMU) offers an online bachelor’s degree in retail management.
Courses in this degree program are taught by experienced faculty members and include topics such as retail innovation, retail operations, and consumer behavior. Other topics include digital retail, digital retail technologies, cybersecurity, analytics, social media marketing, and marketing strategy.
This degree program has received specialty accreditation from the Accreditation Council for Business Schools and Programs (ACBSP®). This accreditation ensures that the courses in this program have met high academic quality standards.
For more information about the retail management degree, visit our retail management degree program page.
Apple Pay is a registered trademark of Apple, Inc.
Google Wallet is a registered trademark of Google, LLC.
Samsung Pay is a registered trademark of Samsung Electronics Co., Ltd.
ACBSP is a registered trademark of the Accreditation Council for Business Schools and Programs.