At Consult Hyperion we spend a lot of time worrying about the security of the PII and account information stored in the smartcard and mobile services we help our clients to build. Apart from the financial and reputational risks associated with any loss, consumers tend to stop using services they consider to be insecure. Both put our clients’ investment in their service at risk.
Over the weekend the Daily Telegraph ran a story blaming the rise in contactless payment card fraud in the UK on the availability of devices on the Dark Web that can be used to steal card data from contactless cards. Contactless card usage in the UK is on the rise, whilst cheque usage is on the decline, so it is not inconceivable that contactless card fraud has overtaken cheque fraud. However, the cause is much simpler than that suggested by the article.
Yes, you can read some information from a contactless card with an NFC-enabled mobile device. However, thanks to those clever cryptographers within the payment brands and Consult Hyperion, the data that can be obtained from the card is time and device dependent. It cannot be used to manufacture a new card, so it has limited value to the fraudster.
Rather, thieves know that they can use a stolen card in the local store to buy goods up to the £30 limit in one or more locations, provided that they avoid the CCTV cameras. As the transactions are low value, the police tend not to investigate them. Any losses that the merchant and the cardholder may incur are covered by the Issuer and the Payment Brand, provided that they have complied with the Issuer’s and Brand’s rules. So, the risk to the thief is low and the returns, say in terms of a good night out with friends, are high.
Contactless cards were introduced to replace cash in low value transactions. ‘Tap and Pay’ was seen to be as convenient as taking cash out of your pocket or purse. The risk that the card would be stolen and used by the thief was recognized and limited to an acceptable value in the UK by the contactless limit.
At Consult Hyperion we regularly help our customers to assess such risks and make such decisions. The drive towards the ‘frictionless transaction’, i.e. one in which there are no barriers that might get in the way of the consumer completing the purchase, has made these conversations more frequent and more difficult. However, we always focus on the reasons why the consumer will use your service, which may be why consumers continue to use contactless payment cards.