Investigating the myths and realities of contactless payment

Similar documents
Why contactless pickpocketing is impossible

KNOW YOUR RUPAY DEBIT CARD

The Small Business Guide to Mastering EMV

EMV Chip Cards. Table of Contents GENERAL BACKGROUND GENERAL FAQ FREQUENTLY ASKED QUESTIONS GENERAL BACKGROUND...1 GENERAL FAQ MERCHANT FAQ...

EMV THE DEFINITIVE GUIDE FOR US MERCHANTS AND POS RESELLERS

EMV and Educational Institutions:

Frequently Asked Questions

Frequently Asked Questions

FAQ FOR MEMBERS WHAT DO I DO WHEN I GET MY NEW CARD?

PIN & PAY CARD FREQUENTLY ASKED QUESTIONS (FAQS) (Revised 17 August 2017)

EMV: Facts at a Glance

Frequently Asked Questions

Introduction to EMV BEYOND PAYMENT

EMV Implementation Guide

My new Apple device will have a payment feature. How do I set it up?

EMV Terminology Guide

EMV FAQ S FROM A MERCHANT S PERSPECTIVE

THE ADOPTION OF EMV TECHNOLOGY IN THE U.S. By Guy Berg Global Industry Sales Consultant Datacard Group

Guide to Contactless Cards

Crash Course: What are EMV and the EMV Liability Shift?

Citi Pay App Frequently Asked Questions

Ignite Payment s Program on EMV

Dear Valued Member, Sincerely, Jerry Jordan President & CEO CGR Credit Union

No need to find cash and no hanging around at the till for change or receipts unless you need one.

U.S. Bank. U.S. Bank Chip Card FAQs for Program Administrators. In this guide you will fnd: Explaining Chip Card Technology (EMV)

North America Terminal Brochure Guide

CHIP CARDS. Banks are issuing payment cards embedded with security chips to help protect you against fraud at the register. What is a Chip Card?

The Changing Landscape of Card Acceptance

Current accounts Helping you to get things moving.

VARTECH NATION. EMV Certification for IT Professionals

A Buyer s Guide to POS

Top 5 Facts Merchants Need To Know About EMV

Electronic Banking Bonanza

EMV Migration. What You Need to Know about the Technology, the Security Protection it Provides, and When to Implement

Verifone MX 915/925 Payment Devices. with KWI 6.x POS Registers: What s New?

10 payment. acronyms that aren t what you think they are

Proxama PIN Manager. Bringing PIN handling into the 21 st Century

VISO BUSINESS PLAN. Token sale level Funds raised. Technologies launched. Share of Georgia s cash-desk equipment market

Effective Communication Practices for U.S. Chip Migration. Communication & Education Working Committee June 2014

Card payment processing for your business

EMV: The Race Is On! September 24, 2013

EMV Adoption in the U.S.

Small business guide. Contactless made easy: what you need to know

Say hello to your new Visa Debit Card

Increase Efficiency Boost Growth Stay Ahead of the Curve

EMV and Apple Pay. The world of credit cards is on the move.

KFH DEBIT CARD-i - FREQUENTLY ASKED QUESTIONS (FAQs)

Your Cater Allen Visa Debit Card Guide GUIDE

EMV is coming. But it s ever changing.

Summary of Mobile Payments Industry Workgroup (MPIW) Meeting with Merchants and Mobile Payment Start-ups September 25, 2012

ANZ EFTPOS card and ANZ Visa Debit card CONDITIONS OF USE

HCE E-Book HOST CARD EMULATION: NFC S MISSING LINK

I N T E R A C. The Faster, More Convenient Way. Small Value Purchases

EMV: Strengthen Your Business Through Secure Payments

The Future of Payment Security in Canada

5. Why do I need to change my existing BSN debit card to a new BSN PIN & PAY card to use PIN?

Say hello to your new Visa Debit Card

TRANSPORT TICKETING IN INDIA. How to create a sustainable ecosystem

ATM Webinar Questions and Answers May, 2014

Ulster Bank debitcard Your guide to getting the most from your card

EMV Overview. Get Familiar with EMV & Our Plans to Support it

Basic Account. The essential guide to your new account

Your guide to getting the most from your card

PCI BLOG. P2PE, EMV, Tokenization, Oh My!

Glocal Test Pack. Product description and user s guide 2018 MERCHANT TESTCARDS ALL RIGHTS RESERVED

Prepaid Cards. Coles Gift Mastercard Conditions of Use. Issued by: Indue Ltd Issue Date: July 2017 ABN

RuPay Contactless Ideathon (1.2)

ICT IGCSE Theory Revision Presentation 2.2 Direct data entry and associated devices

FINGERPRINTS BIOMETRICS THE MISSING PIECE OF THE PAYMENT CARD PUZZLE?

Next. Grow. Your guide to maximising Dynamic Currency Conversion. elavon.co.uk

Are We Ready for Electronic Payments?

Mobile Point of Sale Solutions: 2019 Easy and Secure Methods

Chargeback Best Practices. September 7, 2016

Ensuring the Safety & Security of Payments. Faster Payments Symposium August 4, 2015

Rugged Tablet Solutions: A Technical Buyer s Guide

Quick Guide. Token Service Provider

GoiNG SMARt U.S. implementation of SMARt PAyMENt cards on the horizon 10 SUMMER 2013 TEN

Contactless Card Issues Facts or Fiction? Dave Birch 17/10/2013

Mobile and Contactless Payments Requirements and Interactions

Covering Your Assets: Payment Landscape and Technology

Tokenization April Tokenization. Gregory H. Soule, CPA, CISA, CISSP, CFE Senior Manager. Andrews Hooper Pavlik PLC

MITIGATE THE RISK OF FRAUD AND COMPLIANCE COSTS with EMV mandates. An NCR white paper

Treasury Management Solutions

Why chip cards? HELP PREVENT FRAUD: HELP AVOID LIABILITY: ACCEPT MOBILE TAP & PAY TOO: DYNAMIC AUTHENTICATION: Contact us

EMV chip technology ARE COMPANIES AND CONSUMERS REALLY READY?

EMV Adoption. What does this mean to your ATMs?

Source: Forrester - US Mobile Payments Will More Than Triple By 2021

Hot Topics in Payments Cornerstone CU League Small CU Committee July 9, 2014

tmw Prepaid Card For #better_tomorrow SECURED BY POWERED BY PCI COMPLIANT

Merchant Testing and Training Pack

WHERE DO YOU WANT TO GROW. Solutions for Community Financial Institutions

One Signature. Many Privileges.

Is Your Organization Ready for the EMV Challenge?

FOR A BARRIER-FREE PAYMENT PROCESSING SOLUTION

TOKENIZATION OF A PHYSICAL DEBIT OR CREDIT CARD FOR PAYMENT

Quick Guide. Token Service Provider

Cash account. Current accounts

Is Apple Pay free? Yes. Be aware that message and data rates may apply, depending on your data plan.

Mastercard Europe Risk Leadership Conference Cannes, France October 8-11, 2018 DRAFT AGENDA

Changing Consumer Purchasing Patterns

Transcription:

Investigating the myths and realities of contactless payment Questions & Answers There has been much recent coverage in the media (press, web, blogs.) about the perceived security vulnerabilities of contactless payment - with several exaggerated cases reported in some detail. Rather than a pragmatic analysis of risk, the vast majority of reports appear to compound inaccurate urban legends the kinds that typically appear during the introduction of any new technological innovation. At a time when banks in particular, and the whole payment industry in general, are investing considerable sums of money in infrastructures (payment terminals, cards, mobile phones ) that offer fast, convenient and secure contactless payments, the Smart Payment Association (SPA) feels it is important to explain exactly what contactless payment is, how it works and how secure it is. 1. What is a contactless payment? Contactless payment offers you the opportunity to pay for goods and services without the need to insert your card into the payment terminal or to enter a PIN code. You simply hold the card in front of the terminal (and, for the vast majority of terminals on the market, on the screen). The typical distance between the card and the terminal is 2 to 4 cm (less than two inches). However, to keep things simple, the large payment brands have popularized the idea of touch/tapping the card onto the terminal to carry out the transaction. As a result, contactless payment is enabling a simpler and more convenient way to pay for small purchases (typically up to the value of 20 ). Contactless payment is also possible through a mobile phone if the device has NFC (Near Field Communications) capabilities. You simply hold the phone next to the payment terminal to carry out a contactless transaction - in the same way as you would do using a conventional contactless payment card. Contactless payment by card 1

2. How do I know if I have a contactless card? Contactless payments can only be made using cards with contactless payment capabilities enabled. The payment industry has developed an internationally recognized logo that appears on such cards. If you have this logo on your payment card, you re ready for contactless payment. If you are in doubt, or if this functionality needs to be activated prior to use, please contact your bank and/or consult its usage terms & conditions 3. How does contactless payment work with an NFC smartphone? We recognize the mobile phone plays a hugely important role in our daily lives: it wakes us up with its alarm clock, we check our daily schedule through its diary, it guides us towards our next destination thanks to inbuilt GPS and much more besides. So why shouldn t it allow us to pay for goods and services, or to receive discount vouchers and promotions that are automatically redeemed during payment? It should! As a result, a few years ago the payment industry, in a joint effort with the mobile world, began discussions about how to securely enable payments with a mobile phone. Through this development the term NFC was born. It is a way of carrying out transactions and services in the near field (or short distance) of typically just a few centimeters. This NFC technology is now stable, and is being introduced by banks and mobile telecom operators in many countries across the world. Contactless payment by phone 4. How do I know if a given store accepts contactless payment? The major payment brands, such as Visa or MasterCard, have prepared various advertising and signage packages to highlight whether stores accept contactless payment. You ll usually see a sticker 2

affixed on the store s door if contactless payment is accepted similar to those advertising debit or credit card acceptance. In addition, you can tell by looking on the payment terminal itself. If it has contactless capability, and your purchase is below the standard level of 20, the terminal s screen will display a specific logo inviting you to pay by contactless. Depending on the terminal model, you may also see little lights glitter above the screen. You can therefore touch/tap your card (or NFC phone) to a certified payment terminal with a visible EMV logo and make a contactless payment. 5. How does contactless payment actually work? As you can imagine, it is quite a technical process. To simplify, your contactless payment card has an embedded antenna to establish a communication channel between the card s microchip and a payment terminal. This antenna uses the Radio Frequency (RF) field sent by the payment terminal and converts it into electricity which is then used to make the microchip work. Then the chip can start communicating and exchanging information with the payment terminal over this RF field. All this happens in less than 500 milliseconds, which explains why a contactless payment is so quick! 3

6. How secure is it? In the same way a contact transaction (where the card has to be inserted in a terminal) is very secure, so too is a contactless transaction. The first statistics for contactless transactions corresponding to 2014 indicate a fraud level of 0,015 % ( Observatoire Banque de France 2015) a figure which is an intermediate value between the fraud level for contact card payments and the one observed for cash withdraw in ATMs. Moreover this fraud is almost exclusively due to the fact that the card is lost or stolen. This confirms that the fraud originated during the transaction is marginal and it matters to understand the reasons for this: First the distance between the card and the reader is very limited (2 to 4 cm/ 1-2 inches typically). This makes it difficult, if not impossible, for a fraudster to insert any listening device in between. The same applies to mobile contactless payments using a mobile device. In that case however the vulnerabilities of the operating system of the mobile device requires the storage of the payment data in a secure environment within the mobile. Two approaches are at present used: a hardware environment, the embedded secure element (ese) able to protect the payment data with a level of security equivalent to a chip card a software environment, the Host Card Emulation ( HCE), more vulnerable which requires the use of additional countermeasures, such as the use of tokens Second, the payment card product (contactless or mobile) itself is also protected by counters. These record the number of times the card is used in contactless mode. When a specific number has been reached, the card has to be used in contact mode, using his PIN code or in some countries may still be operational in contactless mode with an online verification of the PIN code. The number of times a card can be used in a contactless mode is defined by your bank typically 10 times. After this successful contact transaction (when the PIN is entered), the counters are reset to allow you to use the card in contactless mode again. So, in the very worst case of a card being stolen just after it has been reset, the thief could make a maximum of 10 transactions of no more than 20 each time a maximum of 200. However, banks are aware of this threat and are using advanced security software to detect abnormal use patterns for example 3 or 4 consecutive contactless transactions within a period of a few minutes or hours. Normal contactless usage is lower than this, and so your bank will block any further contactless transactions. In most cases, banks offer a 100% refund on any amount stolen. 7. Could a thief listen to the information sent by my card 4

to the terminal during a payment? As we have discussed above, the distance between the card and the terminal is very limited, which makes it very difficult, if not impossible, to install any kind of interception device able to capture the data moving from card to terminal. Should a successful case be highlighted, it would be a simple process for law enforcement authorities to identify all the locations where fraudulent transactions were made. Indeed, to complete the transaction the payment terminal must be registered by the bank acquirer. Some recent cases have been reported where mini-cameras were installed above the card keypad in gas station self-service payment terminals and the thieves were easily located and arrested. 8. Could someone standing near me fraudulently carry out a face to face transaction if my card is still in my wallet or jacket? Again, the maximum reading distance is a just few centimeters so the thief would have to get really close to you, or use an extremely big antenna powered by a very large battery. Successful attacks have been reported in academic papers, these fraud cases have been demonstrated in lab conditions by universities and other research bodies, with access to expensive equipment and deep technical knowledge. While they are theoretically possible they are very unlikely to occur in the real world due to the technical complexity for the thief. Added to this, as described previously, only a limited number of transactions can be carried out before the transaction counter is blocked - thus limiting the interest in the thief investing in the technology to do so. In addition, the maximum amount by transaction is capped. Moreover the fraudulent transaction can only be presented by a registered terminal, recorded in the bank s system (hour, minute), and cross referenced with the precise location (metro line/station) where the fraud occurred, CCTV systems would enable easy identification of a potential suspect. 9. Could someone use the retrieved information to perform an ecommerce transaction? In the unlikely event that a thief would take the risk to build such a complicated system, they would not be able to steal any more information than is readable by any assistant or waiter using your card in a shop or restaurant (name, card number, expiry date ). 5

But even this is being addressed. In the latest generations of contactless payment cards specifications issued by the major payment schemes, crucial information such as cardholder name - cannot be read in contactless mode. As a result, the information scanned would not be enough to re-create a fake card, or to perform fraudulent web purchases. They would have none of the data requested during an online transaction - no cardholder name, no clear information of whether it is a Visa or MasterCard card, no CVV 3 digit security code (that only appears on the back of the card). 10. Can contactless transactions be made by unwittingly holding a bag close to the payment terminal? This is one of the many urban legends about contactless payment that we see from time to time on the web. First, the very short reading distance between card and terminal makes this very unlikely from a technical point of view. Second, the payment terminal does not work alone. It must be activated by the cashier, who manually enters the amount to be paid on the keyboard, or it is automatically piloted by the till sending the amount of the purchase to the payment terminal. CVV Digit Finally, articles or blogs also report large amounts of money being taken fraudulently or accidentally from cards. This is simply not possible as the system (card and terminal) is only set to allow transactions up to a certain amount only (typically 20 ) without PIN, precisely to reduce this risk. Any other question? Contact SPA at 6

info@smartpaymentassociation.com 7

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback