Contactless Payment Cards are as Secure as Traditional Cards

SABRIC (The South African Banking Risk Information Centre) would like to allay any fears that bank clients may have about contactless bank cards or “tap & go”, in the wake of a video that has been doing the rounds on social media.

“A video trending on social media may have created the incorrect impression that contactless cards are easy to exploit by criminals. This is simply not true. Contactless payment cards are as secure as traditional cards, and SABRIC has not received any reported crime incidents where “tap and go” cards have been exploited”, says Kalyani Pillay, CEO of SABRIC.

Contactless technology was introduced for the convenience of cardholders and while relatively new in South Africa, has been available in many jurisdictions for some time. The convenience lies in the fact that these cards can merely be tapped on a near-field communication (NFC) Point of Sale (POS) device to make certain payments, which is quick and easy for the card holder. Videos online suggest that criminals could exploit contactless technology and steal money or card data by simply tapping an NFC enabled POS device near enough to a victim’s bank card.

Stealing money by tapping a near-field communication (NFC) enabled Point of Sale (POS) device near enough to a bank clients card is not likely. Acquiring an NFC POS device involves a rigorous vetting process by the issuing Bank which includes the mandatory submission of Know Your Customer (KYC) documentation. In addition, Banks also monitor merchant transaction activity and conduct merchant site visits. Should any irregularities be identified, an investigation will be launched immediately. Collusion with a merchant could be a possible way to defraud people, however this is also unlikely as the proceeds of crime resulting from this specific modus operandi would go into a merchant’s bank account which, again, is closely monitored. Furthermore, this payment option is only available for a predetermined number of low value transactions on any specific day, after which a PIN would be required to complete the transaction, so the financial reward associated with these transactions is low, whilst the reputational and prosecution risk to the merchant remains high.

Stealing card data by criminals is also not a viable option, as merely holding an NFC enabled POS device close to a bank card will not provide enough information to enable fraudulent card-not-present transactions. South African issued contactless cards are embedded with an RFID (Radio Frequency ID) tag, identifiable by the WiFi-type symbol, which is then read together with the cards EMV chip which is encrypted. Even if a criminal tapped a victim’s contactless card using an NFC POS device near in their wallet or bag, all they would get is the card number and expiry date. Neither the CVV nor the PIN number would be exposed, both of which the criminal would need to make fraudulent online purchases.

“It is unlikely that organised criminals will be targeting this capability to steal money or card data, as the reward will be insignificant compared to other modus operandi at their disposal.” says Pillay.

SABRIC urges bank clients to take note of the following tips to protect themselves:

  • Ensure that you always tap the POS device yourself, and that your contactless bank card never leaves your hand.
  • Report lost and stolen cards immediately.
  • Register for SMS notifications to ensure that you are alerted to any transactions on your account.
  • Always inform your bank immediately if any suspicious or unauthorised transactions are conducted on your account.