In the UK, contactless transactions are growing at around 20% per month, so clearly customers like it. But should some customers be allowed to turn it off if they don’t?
In the UK there are around 38m contactless cards in circulation and their use is growing around 20% per month as I write. Clearly, customers like them. I’m sure many people share my attitude of mild annoyance at having to insert a card and enter a PIN instead of just tapping and going. And I do wonder about the risk analysis around using a card with a £10,000 credit limit and entering a PIN that might get shoulder surfed by a caffeinated ne’er-do-well who is going to pick my pocket in order to buy a £2 coffee. There are, however, some security perceptions around contactless that we (technologists) should not ignore. In fact, if we address them, then contactless can be an even better proposition all round. I was thinking this because I wrote a piece about contactless crime and I’ve been thinking about it some more in connection with one of Consult Hyperion’s projects for a major card issuer.
During sentencing this week of a woman who had used someone else’s PayPass debit card more than 30 times before being caught, the magistrate, Michael Wheeler, of the Perth Magistrates Court, said they were all too easy to use unlawfully. [From Tap-and-go fraud: MasterCard downplays consumer concerns | World | The Guardian]
In the UK customers are not liable for unauthorised contactless transactions and the issuers have a variety of techniques (and EMV risk management parameters) to play with to control risks. So the money isn’t the issue. The damage here is to the image of contactless cards, not the issuers’ balance sheets or customers’ pockets. Consumer worries about security (no matter how ill-founded) are increased because of stories like these.
Consumers remain wary of new “contactless” payment technology – with one in four saying they find the idea of paying without entering a pin number “scary”. [From Consumers unimpressed by ‘contactless’ payments – The Scotsman]
Those of you who listened to my podcast with Karen Williams from SpectrumInsight will remember that “crime” was one of the keywords associated with contactless (see the slide below) and survey after survey (none of which I can be bothered to Google right now) has shown that consumers have genuine fears about security in the contactless payment environment. After all, we’ve spent the best part of a decade trying to persuade them to enter PINs!
One possibility for making customers feel more confident is to give them more control. I’ve often wondered why my bank doesn’t give customers more control over transactions in general, not only contactless ones. Through my online banking portal I should be able to ask the bank to, for example, automatically decline all magnetic stripe or non-3DS transactions on my debit card. Similarly, a customer who doesn’t like contactless should be able to tell the bank to automatically decline contactless transactions on their card (this wouldn’t stop a thief from using a card offline, at least until it is reported stolen). People might even decide to log in when they get home and turn off their contactless cards completely until they go to work the next morning, or that sort of thing.
Now, I know what experts in risk analysis for payments systems (e.g., the people I sit next to down at CHYP End) will say about this. They will point out that the loss to issuers is negligible so it’s not worth investing in. But I wonder if the existence of such an on-off switch might be beneficial in other ways?
I have some evidence for this from the long-ago days of Mondex. The cards could be locked using a four-digit pass code, something that customers had requested in focus group discussions. But the only way to lock the cards was using the hardware electronic wallets and the phones that few customers had. Therefore all of the shops that accepted Mondex had to be fitted with a lock/unlock device. As it turned out, customers never bothered locking their cards and never used the lock or unlock stations, but it was the fact that the lock existed and that the lock/unlock stations were visible that gave them confidence in the system. Maybe we could learn something about confidence from this and apply it to contactless? It doesn’t seem that complicated to add a line of code to get the issuer hosts to auto-reject contactless transactions if the “no contactless” flag is set.
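The issuer-host check described above, combined with the portal preferences suggested earlier (decline magnetic stripe, non-3DS, or contactless overnight), as an added example that is not code from the original post or from any issuer. The entry-mode labels, the `Controls` schema and the decision strings are hypothetical; the offline branch shows why the flag cannot stop a transaction the terminal approved without going online.

```python
from dataclasses import dataclass, field
from datetime import time
from enum import Enum
from typing import Optional, Set, Tuple


class Entry(Enum):  # hypothetical labels, not real message-field codes
    CHIP_PIN = "chip_pin"
    MAGSTRIPE = "magstripe"
    CONTACTLESS = "contactless"
    ECOM_3DS = "ecom_3ds"
    ECOM_NO_3DS = "ecom_no_3ds"


@dataclass
class Controls:
    """Preferences the cardholder sets in the banking portal (hypothetical schema)."""
    blocked: Set[Entry] = field(default_factory=set)      # always declined
    contactless_off: Optional[Tuple[time, time]] = None   # e.g. 18:00 to 08:00


def in_window(now: time, window: Tuple[time, time]) -> bool:
    start, end = window
    if start <= end:
        return start <= now < end
    return now >= start or now < end  # window wraps past midnight


def authorize(entry: Entry, now: time, online: bool, c: Controls) -> Tuple[str, str]:
    """Apply cardholder controls before the issuer's normal risk checks."""
    timed = c.contactless_off is not None and in_window(now, c.contactless_off)
    hit = entry in c.blocked or (entry is Entry.CONTACTLESS and timed)
    if not hit:
        return ("CONTINUE", "no cardholder control applies")
    if not online:
        # Approved offline at the terminal: the host first sees it afterwards,
        # so the flag cannot decline it and can only mark it for follow-up.
        return ("FLAG", "offline approval preceded the host check")
    return ("DECLINE", "blocked by cardholder control")


if __name__ == "__main__":
    prefs = Controls({Entry.MAGSTRIPE, Entry.ECOM_NO_3DS}, (time(18, 0), time(8, 0)))
    for e, t, on in [(Entry.CONTACTLESS, time(23, 30), True),
                     (Entry.CONTACTLESS, time(23, 30), False),
                     (Entry.CONTACTLESS, time(12, 0), True)]:
        print(e.value, t, "online" if on else "offline", authorize(e, t, on, prefs))
```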
I think this is worth an experiment. If customers could choose through their online banking portal or mobile banking app to turn on or off contactless acceptance for their cards then they would use the cards more even though they never actually bothered to turn off contactless acceptance. After all, payment is one of those areas where confidence, perception and impressions of security are as important as the underlying reality.
Incidentally, when I asked our risk management wallahs about all this, they accurately pointed out that this is yet another argument in favour of using smart devices (e.g., mobile phones) for payments rather than cards because then all of the decisions will be (literally) in the hands of the consumer. Don’t like contactless? Turn off NFC on the phone. Like contactless for credit but not for debit? Then don’t put debit cards in your Google / Apple / Facebook (* delete where applicable) wallet. If your phone, rather than your card, gets stolen you tend to notice and can remotely wipe it. However you do the calculations, phones are more secure than cards.