In the UK, contactless transactions are growing at around 20% per month, so clearly customers like it. But should some customers be allowed to turn it off if they don’t?
In the UK there are around 38m contactless cards in circulation and their use is growing at around 20% per month as I write. Clearly, customers like them. I'm sure many people share my attitude of mild annoyance at having to insert a card and enter a PIN instead of just tapping and going. And I do wonder about the risk analysis around using a card with a £10,000 credit limit and entering a PIN that might get shoulder-surfed by a caffeinated ne'er-do-well who is going to pick my pocket in order to buy a £2 coffee. There are, however, some security perceptions around contactless that we (technologists) should not ignore. In fact, if we address them, then contactless can be an even better proposition all round. This has been on my mind because I wrote a piece about contactless crime and I've been thinking about it some more in connection with one of Consult Hyperion's projects for a major card issuer.
During sentencing this week of a woman who had used someone else’s PayPass debit card more than 30 times before being caught, the magistrate, Michael Wheeler, of the Perth Magistrates Court, said they were all too easy to use unlawfully.[From Tap-and-go fraud: MasterCard downplays consumer concerns | World | The Guardian]
In the UK customers are not liable for unauthorised contactless transactions and the issuers have a variety of techniques (and EMV risk management parameters) to play with to control risks. So the money isn’t the issue. The damage here is to the image of contactless cards, not the issuers’ balance sheets or customers’ pockets. Consumer worries about security (no matter how ill-founded) are increased because of stories like these.
Consumers remain wary of new “contactless” payment technology – with one in four saying they find the idea of paying without entering a pin number “scary”.[From Consumers unimpressed by ‘contactless’ payments – The Scotsman]
Those of you who listened to my podcast with Karen Williams from SpectrumInsight will remember that "crime" was one of the keywords associated with contactless (see the slide below), and survey after survey (none of which I can be bothered to Google right now) has shown that consumers have genuine fears about security in the contactless payment environment. After all, we've spent the best part of a decade trying to persuade them to enter PINs!
One possibility for making customers feel more confident is to give them more control. I've often wondered why my bank doesn't give customers more control over transactions in general, not only contactless ones. Through my online banking portal I should be able to ask the bank to, for example, automatically decline all magnetic stripe or non-3DS transactions on my debit card. Similarly, a customer who doesn't like contactless should be able to tell the bank to automatically decline contactless transactions on their card. (This wouldn't stop a thief using the card for contactless transactions that the card approves offline, since those never reach the issuer for authorisation, at least until the card is reported stolen.) People might even decide to log in when they get home and turn off their contactless cards completely until they go to work the next morning, or that sort of thing.
Now, I know what experts in risk analysis for payments systems (e.g., the people I sit next to down at CHYP End) will say about this. They will point out that the loss to issuers is negligible so it’s not worth investing in. But I wonder if the existence of such an on-off switch might be beneficial in other ways?
I have some evidence for this from the long-ago days of Mondex. The cards could be locked using a four-digit pass code, something that customers had requested in focus group discussions. But the only way to lock the cards was using the hardware electronic wallets and the phones that few customers had, so all of the shops that accepted Mondex had to be fitted with a lock/unlock device. As it turned out, customers never bothered locking their cards and never used the lock or unlock stations, but it was the fact that the lock existed and that the lock/unlock stations were visible that gave them confidence in the system. Maybe we could learn something about confidence from this and apply it to contactless? It doesn't seem that complicated to add a line of code to get the issuer hosts to auto-reject contactless transactions if the "no contactless" flag is set.
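To make the "no contactless" flag concrete, here is what that rule would look like on the issuer host, as an added example (this is not Consult Hyperion's or any issuer's code). It goes a little beyond the single flag: it also models the magnetic stripe and non-3DS toggles mentioned earlier, the "off until tomorrow morning" time window, and the caveat that a tap the card approves offline never reaches the host, so the control cannot touch it. The entry modes, control names, reason strings and the cardholder's settings are all constructed for the illustration; a real host would read the equivalent of the entry mode from its authorisation message format (the POS entry mode field of ISO 8583, for instance).

```python
"""Cardholder-controlled authorisation rules on an issuer host.

Added example, not code from Consult Hyperion or any issuer. The control
names, entry modes and reason strings are assumptions made for this
illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class EntryMode(Enum):
    CHIP = "chip"                # contact EMV, PIN verified
    CONTACTLESS = "contactless"  # tap and go, no PIN below the contactless limit
    MAGSTRIPE = "magstripe"      # swipe, signature or no cardholder verification
    ECOMMERCE = "ecommerce"      # card-not-present


@dataclass
class CardControls:
    """What the cardholder has toggled in the online banking portal."""
    allow_contactless: bool = True
    allow_magstripe: bool = True
    require_3ds: bool = False
    # "turn contactless off until I leave for work tomorrow"
    contactless_off_until: Optional[datetime] = None


@dataclass
class Transaction:
    amount_pence: int
    entry_mode: EntryMode
    three_ds_authenticated: bool = False
    # False: the card approved the tap offline under its EMV risk parameters
    # and the issuer only sees it at clearing, so the host never gets to decline.
    online_authorised: bool = True


def contactless_blocked(controls: CardControls, now: datetime) -> bool:
    """True if the cardholder has switched contactless off, permanently or for now."""
    if not controls.allow_contactless:
        return True
    until = controls.contactless_off_until
    return until is not None and now < until


def authorise(tx: Transaction, controls: CardControls, now: datetime) -> tuple[str, str]:
    """Apply only the cardholder's controls; the issuer's own fraud and credit
    checks would run after an APPROVE from this layer.
    Returns (decision, reason) with decision in APPROVE, DECLINE, UNSEEN."""
    if not tx.online_authorised:
        return "UNSEEN", "offline approval never reached the host"
    if tx.entry_mode is EntryMode.CONTACTLESS and contactless_blocked(controls, now):
        return "DECLINE", "cardholder has disabled contactless"
    if tx.entry_mode is EntryMode.MAGSTRIPE and not controls.allow_magstripe:
        return "DECLINE", "cardholder has disabled magnetic stripe"
    if (tx.entry_mode is EntryMode.ECOMMERCE and controls.require_3ds
            and not tx.three_ds_authenticated):
        return "DECLINE", "cardholder requires 3-D Secure for e-commerce"
    return "APPROVE", "cardholder controls satisfied"


# Constructed scenario: it is 8 pm, the cardholder has switched contactless
# off until 7 am tomorrow and has also blocked magstripe and non-3DS online use.
EVENING = datetime(2013, 6, 3, 20, 0, tzinfo=timezone.utc)
NEXT_MORNING = EVENING + timedelta(hours=11)
CAUTIOUS = CardControls(allow_magstripe=False, require_3ds=True,
                        contactless_off_until=NEXT_MORNING)

SAMPLE_TXS = [
    Transaction(200, EntryMode.CONTACTLESS),                           # £2 coffee, tap
    Transaction(200, EntryMode.CONTACTLESS, online_authorised=False),  # same, approved offline
    Transaction(4500, EntryMode.CHIP),                                 # chip and PIN
    Transaction(4500, EntryMode.MAGSTRIPE),                            # fallback swipe
    Transaction(9999, EntryMode.ECOMMERCE),                            # web, no 3DS
    Transaction(9999, EntryMode.ECOMMERCE, three_ds_authenticated=True),
]


def run_demo(now: datetime = EVENING) -> list[str]:
    """Decide each sample transaction at the given time; returns the decisions."""
    return [authorise(tx, CAUTIOUS, now)[0] for tx in SAMPLE_TXS]


if __name__ == "__main__":
    for tx, decision in zip(SAMPLE_TXS, run_demo()):
        print(f"{tx.entry_mode.value:12s} £{tx.amount_pence / 100:7.2f} -> {decision}")
    print("next morning:", run_demo(NEXT_MORNING))
```

The second sample transaction is the one the text warns about: an offline-approved tap comes back as UNSEEN because no authorisation request ever arrives, so the switch only bites on taps that come online (or once the card is reported and blocked). Running the demo at NEXT_MORNING shows the time-boxed control releasing itself while the permanent magstripe and 3DS settings stay in force.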
I think this is worth an experiment. If customers could choose through their online banking portal or mobile banking app to turn contactless acceptance on or off for their cards, then they would use the cards more, even though they never actually bothered to turn contactless acceptance off. After all, payment is one of those areas where confidence, perception and impressions of security are as important as the underlying reality.
Incidentally, when I asked our risk management wallahs about all this, they accurately pointed out that this is yet another argument in favour of using smart devices (e.g., mobile phones) for payments rather than cards because then all of the decisions will be (literally) in the hands of the consumer. Don’t like contactless? Turn off NFC on the phone. Like contactless for credit but not for debit? Then don’t put debit cards in your Google / Apple / Facebook (* delete where applicable) wallet. If your phone, rather than your card, gets stolen you tend to notice and can remotely wipe it. However you do the calculations, phones are more secure than cards.
Contactless cards are the nemesis of mobile phone payments, really they are.
The pointy finger for lack of traction on NFC phone payments has long aimed at the nine-party TSM model. Now that the non-SE Android (HCE) and iPhone (TEE/Enclave) workarounds are upon us, that excuse will soon expire. Then more focus will shift to this, the more significant barrier to mass uptake in mobile phone payments: user acceptance.
The clumsy deployments and issuance of contactless cards have done much to derail the prospects for a successful take-up of NFC mobile payments in the UK. To whet appetites for paying this "cool and convenient" new way using phones, EMV contact chip cards with PINs also became contactless cards without PINs. Fair to say that last bit got sneaked in unsolicited by the back door… of the 38 million in issue I'm wondering how many were actually requested by the cardholder!?
Sacrificing the sole security step to demo cool and convenience using such an inadequate form factor was frankly a lousy idea. It has put off, and has raised the fears and hackles of, a significant section of its target user base. They will be hard to win back; first impressions die hard. In many cases scepticism turned into suspicion because of the way banks added contactless under the card expiry replacement cycle. It's hardly obvious to the eye when you rip the card from its carrier, scribble Sergio Aguero on the back and quickly stuff it in your wallet on your way out the door to work, am I right?
But it's ZERO security that's done the damage, or more accurately the perception of zero security of a mobile phone payment when the payment card is 'within'.
The irony is that the majority of debit and credit card users will agree PINs are ridiculously weak AND since mobile phones are, well, smart, they can easily replace the PIN when using NFC to pay with something far niftier and more robust, harnessing the plethora of vectors and touch commands available without adding time or friction to the transaction. Finally we get to ditch the stupid PIN (security theatre) and replace it with a far more meaningful and highly personalised authentication step(s), linked and varied to spend limits by individual user preference. It won't be long before the phone is smart enough to know it's in your hand.
I've long thought contactless cards have done more harm than good. The bigger the hold-up with NFC, the longer they've been in the field, the more deep-seated the damage. At Touch2id we decided to stop talking about using the same (contactless) technology to pay with a phone, as so many of the 18-25-year-olds were saying "No way I'm using my phone" after seeing how vulnerable contactless card payments were. It was shocking: such cool tech, yet to protect our brand we needed to put daylight between us and 'NFC phone payments'… these guys were the early adopters after all!
Karen's excellent Twitter summary speaks clearly, and I fear it's going to take a lot longer than people think to sufficiently change perception and acceptance. It's established thinking now that 'tap n pay' with your phone will not be a sufficient drawcard to drive adoption; apparently there must now be more orchestrated value to the experience (e-receipt, rewards etc.). Had we not put so many off with such clumsy card deployments I doubt we'd be saying this now.
"If a mugger demands my contactless card then I will give it to him. I couldn't care less; it's not my problem: the UK banks have an unequivocal guarantee to refund unauthorised transactions." You're technically quite right of course, but what of the cardholder's pain having to ring up their card issuer, get through, explain they've forgotten that special additional password they've never had reason to use before, prove they're really who they say they are (the injured party, not the fraudster), explain they weren't in that place or that store on each of those occasions, haven't spent that money or received the goods, and then there's the round of 1970s form filling to endure before waiting until they finally get back what they shouldn't have lost in the first place?
Putting that aside, would you hand it over so willingly, and be so subservient next time, if the payment card that mugger was after was now inside the valuable new smartphone you know you can't function properly without tomorrow? It's not been long since smartphone security evolved sufficiently to put the mobile phone beyond the aims and aspirations of your average payment hoody: without physical security around mobile phone payments it'll be the No. 1 pavement target once again.
The truth is contactless cards aren't able to effectively demonstrate the cool and the convenience of mobile phone payments and have taken us a step back in demonstrating security. We should stop issuing them; there are too many flaws.
People won’t trust enough in tokens and they trust security via the cloud even less. Until the smarts of the smartphone enable the owner to authorise the contactless payment at the POS by a discreet and friction free action (ideally of their choosing) the cool and convenience of tap n go mobile payments won’t truly come of age.
Don’t tell me … stickers, they’re the future, right? 🙂
Stickers were, indeed, the future. But as every fule kno, identity is the new money.
There is brand value to be made in helping people cope with change. A contactless card is better than carrying cash, because at least you’re risk protected… which you aren’t with cash.