Contactless card or “tap-and-go” payments are slowly gaining popularity as more banks and retailers adopt this method of payment. Shoppers with the technology-enabled cards are benefitting from the speed and convenience that contactless payments offer. However, with payment as seamless and simple as tapping your card against a machine, what are the risks and how are banks mitigating them?
Tap-and-go cards are embedded with a chip that allows for near-field communication (NFC), a technology that allows for compatible card readers to authenticate transactions by proximity to the card.
The purpose of tap-and-go transactions was to do away with the time-consuming Pin code and authorisation process, speeding up payments. The card does not necessarily need to come into physical contact with the machine, despite the requirement to “tap” it; this action merely ensures that the card is close enough to the machine to be read.
As no Pin is required, there is no true authentication and the card holder is deemed to be the owner of the card. This is a daunting prospect as it means that if a user’s card is stolen, the thief may make purchases using the tap and go function with ease. However, there are security parameters that have been put in place to counter this.
Similar to the EMV (Europay, Mastercard and Visa) chips, tap-and-go chips are difficult to copy. Potential thieves need to be in possession of the card in order to make purchases. Banks have also set payment limits, only allowing for smaller purchases to be made using this method, too. In South Africa, these are typically set between R200 and R500/purchase.
There is the chance of a thief stealing a tap-and-go card and making multiple purchases in succession, but the risk is smaller than a copied card being used to make large purchases.
Beyond limiting transactional amounts, banks can also impose random Pin requests. While this may seem to defeat the purpose of tap and go, it adds a necessary measure of security and occurs only randomly, every several transactions.
Users can also enable SMS notifications for even the smallest transaction, ensuring that they are alerted to any unauthorised payments. Even if the card is stolen and used, they can be quick to report it and cancel their cards.
Technically, the responsibility for transactions made on a stolen card can be proven to be the responsibility of the card user, as the user should be able to prove that there was no negligence on their part — something that’s not easy to do. However, most banks cover these losses themselves, as they value their customers’ business.
The technology has seen a relatively slow global adoption, with larger markets exercising caution before rolling it out. But the US, and other markets, are deploying tap and go across many major retail chains, establishing the technology as an acceptable payment method, and cementing the likelihood of it becoming commonly used.
In South Africa, several banks and retailers have begun deploying tap and go, and endorsements from recognised payment brands as well as the Payments Association of South Africa have ensured that local adoption will only grow from here.
Tap and go is convenient and the security risks are relatively low, especially when compared to other payment methods. It’s only a matter of time before tap-and-go payments are prerequisites for express checkouts, so customers can reap the maximum benefits from this technology. Meanwhile, users should simply exercise caution when using their card: keep it safe and don’t delay blocking the card if it should fall into someone else’s hands.
- Simeon Tassev is MD and qualified security assessor at Galix Networking
