Euro Security Watch with Mathew J. Schwartz


Contactless Payments: Healthy COVID-19 Defense

Touch-Free Payment Limit Gets Raised as Pandemic Continues
Buses in Dundee, Scotland, accept "contactless" credit and debit card payments from riders. (Photo: Mathew Schwartz/ISMG)

Don't call me a payment card technology fan boy. But with COVID-19 creating new rules for life - stay as close to home as possible and avoid touching anything when in public that might pass coronavirus - it helps to have a nationwide "contactless" payment system when you do have to pay for groceries and other essentials in person.


Contactless cards have a near-field communications chip built into them to establish a wireless connection with a point-of-sale payment terminal. The old-school approach, of course, involves swiping, which results in the cardholder's name, three-digit security code and zip code getting read from the magnetic stripe on the back. With contactless, the chip in the card instead generates a one-time-only code, which gets transmitted wirelessly to the reader to identify the transaction.

From a fraud-fighting standpoint, compared with swiping a card and signing a paper receipt, contactless is much more secure. And while some call these capabilities "tap and go," in reality, there's no contact required: You just have to wave your card or compatible smartphone close to the card reader until it beeps.

Cards with this capability began to be rolled out in the U.K. in 2008, and the vast majority of payment terminals in stores now work with them. Other systems that don't get refreshed very often - for example, inside buses - have been slowly catching up. Here in the Scottish city of Dundee, last year most buses finally got upgraded with the ability to accept contactless payments.

Many newer smartphones also have contactless capability via Apple Pay, Android Pay or Samsung Pay. Just load a payment card and use your smartphone to pay without touching anything, up to certain amounts. As a bonus, the smartphone-based approaches add further layers of security, such as needing to use your fingerprint or face to unlock the contactless payment capability.

Public Health Mandate: Touch as Little as Possible

Now, using contactless feels better in a time when public health officials are telling us to touch as little as possible and to thoroughly wash our hands on a regular basis to help cut down on the transmission of SARS-CoV-2, the virus that causes COVID-19.

Payment cards with "contactless" capabilities feature this symbol.

Living in Scotland, I'm following government advice to stay at home during this stage of the pandemic and to only go out for exercise close to home. Likewise, the guidance allows for one adult from a household to go solo to buy essentials, for example, at the grocery store. I'm not a key worker, so I'm not taking a bus, for example, to work a shift at the local hospital.

But for any of those activities, I'm thankful for the fact that almost everywhere I go, if I need to pay for something, I can use Apple Pay, as I've already loaded a credit card onto my iPhone. Hence, there's no need to insert my payment card into a reader and tap in my PIN (since all U.K. cards are chip and PIN cards), or even to - gasp - use cash or coins.

Insert financial industry caveat: "The World Health Organization, the Bank of England, the European Central Bank and other national central banks, and renowned scientific institutions have confirmed that there is no scientific evidence that there is an increased risk of spreading the coronavirus through the use of cash." So says UK Finance, a banking industry group in Britain.

But why take the chance? Indeed, the industry has accelerated its plan to raise the top amount that you can charge, in any given contactless transaction, due to the outbreak.

While there was a £30 ($37.40) limit on payment card transactions, since April 1, the limit is quickly being changed across the country to £45 ($56.00). So if someone were to steal my credit card, they could use it to make contactless purchases of up to £45 until the fraud-spotting team at my bank noticed something was awry or I reported the card as having been stolen and they canceled it. Either way, as a cardholder, I'm not liable.

Contactless payments in the U.K. accounted for 44 percent of all card transactions and £80.5 billion in spending in 2019, according to UK Finance. During the same time frame, contactless fraud remained low, it says, accounting for just £20.6 million in losses, equivalent to 2.5 pence for every £100 paid for using contactless.

How to Say 'Contactless' in American?

Last year, Visa estimated that more than two-thirds of face-to-face transactions in Europe occurred using contactless payments, while in Canada and the U.K., the usage figure is about 60 percent.

In the U.S., however, contactless card transactions remain rare, with CNBC reporting last year that only about 3 percent of U.S. cards even have this capability, regardless of whether POS systems can read them.

One measure of how little the functionality has made inroads came when I visited California in February to attend the RSA conference in San Francisco.

As an American who lives in the U.K., returning to the U.S. always involves a process of reverse-culture shock, including my struggling to find the right local words for certain concepts - such as "contactless."

In Scotland, we tend to not ask if we can pay using contactless. Instead, we typically take out a credit or debit card, or a smartphone, and wave it with an inquisitive look or mime bringing it into contact with a surface while asking: "Can I?"

In California, my miming was a complete fail. So was my struggle to find the right words. Contactless? Tapping? The cashier at the cool Mexican restaurant in Berkeley I visited the weekend prior to RSA had no idea what I was talking about. So I said it involved using my smartphone to pay, via a stored credit card.

"Oh, you mean Apple Pay?" she said. Yes. But what if it was an Android, what would she call it? "Uh, Apple Pay?"

Whatever you want to call it, as we struggle to lock down the spread of COVID-19, contactless is obviously well suited not just for enhanced card security and fraud fighting, but also helping to minimize the threat posed by virus transmission.

Will we ever touch money the same way again?



About the Author

Mathew J. Schwartz


Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.



