Contactless card, or “tap and go”, payments are slowly gaining popularity as more banks and retailers adopt this method of payment. Shoppers with the technology-enabled cards are benefitting from the speed and convenience that contactless payments offer.
However, with payment as seamless and simple as tapping your card against a machine, what are the risks and how are banks mitigating them? Simeon Tassev, MD and qualified security assessor (QSA) at Galix Networking talks about how banks, retailers and users can bag the benefits without sacrificing security.
What is “tap and go”?
“Tap and go cards are embedded with a specific chip that allows for near field communication (NFC) – a technology that enables compatible card readers to authenticate transactions by proximity to the card,” explains Tassev.
According to Tassev, the purpose of tap and go transactions was to do away with the time-consuming pin code and authorisation process, speeding up the payment process. The card does not necessarily need to come into physical contact with the machine, despite the requirement to “tap” it; this action merely ensures that the card is close enough to the machine to be read.
How safe is it?
As no pin code is required, there is no true authentication and the card holder is deemed to be the owner of the card. This is a daunting prospect, as it means that if a user’s card is stolen, the thief may make purchases using the tap and go function with ease. However, there are security parameters that have been put in place to counter this.
Tassev says, “Similar to the EMV (Europay, Mastercard and Visa) chips, tap and go chips are very difficult to copy. Potential thieves need to physically be in possession of the card in order to make purchases using tap and go. Banks have also set payment limits, only allowing for smaller purchases to be made using this method, too. In South Africa, these are typically set between R200 and R500 per purchase.”
There is the chance of a thief stealing a tap and go card and making multiple purchases in succession, but the risk is smaller than a copied card being used to make large purchases. Of course, Tassev adds that online purchasing still carries the same risk as with regular chip and pin, or magnetic strip, cards.
Beyond limiting transactional amounts, banks can also impose random pin requests. While this may seem to defeat the purpose of tap and go, it adds a necessary measure of security and only occurs randomly, every several transactions.
“Users can also enable SMS notifications for even the smallest transaction, ensuring that they are alerted to any unauthorised transaction taking place so, even if the card is stolen and used, they can be quick to report it and cancel their cards,” includes Tassev.
“Technically, the responsibility for transactions made on a stolen card can be proven to be the responsibility of the card user, as the user should be able to prove that there was no negligence on their part – something that’s not easy to do. However, most banks cover these losses themselves, as they value their customers’ business.”
Here to stay
The technology has seen a relatively slow global adoption, with larger markets exercising caution before rolling it out. Tassev says that markets such as America are now in the process of deploying tap and go across many major retail chains, establishing the technology as an acceptable payment method, and cementing the likelihood of it becoming commonly used.
In South Africa, several banks and retailers have begun deploying tap and go, and endorsements from recognised payment brands as well as the Payments Association of South Africa (PASA) have ensured that local adoption will only grow from here.
“Tap and go is convenient and the security risks are relatively low, especially when compared with other payment methods. It’s only a matter of time before tap and go payments are pre-requisites for express check outs, so customers can reap the maximum benefits from this technology. Meanwhile, users should simply exercise caution when using their card: keep it safe and don’t delay with blocking the card if it should fall into someone else’s hands,” Tassev concludes.