Since the pandemic began, consumers have gravitated toward doing business in the most socially distanced, touch-free ways. Ecommerce spiked with stay-at-home orders and the economic shutdown, and then, as people ventured out again to brick-and-mortar stores and restaurants, the number of contactless card transactions increased.
Contactless card transactions are fast and easy: consumers just “tap and go” for small dollar-amount transactions. They also have the security of knowing that higher-dollar transactions require a cardholder to present the card and enter a personal identification number (PIN). Therefore, if a card is ever lost or stolen, it can’t be used fraudulently for large purchases.
As with anything, there is always the potential for vulnerabilities. You need to be aware of them and ensure that measures are in place to account for them, especially when it comes to payment security. A prime example is the recent research conducted at the Swiss Federal Institute of Technology (ETH) in Zurich, where researchers discovered a hack that lets them bypass the limit for Visa contactless payments.
Understand Measures that Protect EMV and Contactless Card Transactions
As trusted advisors, it’s vital that software developers and ISOs understand the measures that card issuers take to keep transactions safe. Educating yourself and your client on relevant aspects of payment security can help you both make good decisions if there is a question about the legitimacy or security of a transaction. For example:
- Card transaction qualifiers (CTQs): Card issuers set CTQs, which determine the actions taken to verify a transaction at the point of sale (POS). In some regions, terminals may be configured not to require any cardholder verification (CV) under a certain transaction amount. Knowing the limit for a contactless payment without CV can help merchants minimize fraud.
- Real-time authorization: Most transactions are sent online for authorization by the card issuer at the time of the purchase. The issuer will perform anti-fraud checks, and merchants should always stay alert to messages from the issuer.
- Offline transactions: Some industries may allow offline transactions, and those that do can occasionally run into a transaction that can’t be authenticated in real time. In these instances, additional authentications are performed on card data. If the CTQ has been modified, such as in the case of bypassing a PIN, offline authentication will fail, and the transaction will be declined.
- Tokenization vs. actual card numbers: Card numbers printed on contactless cards are different than tokens used by mobile wallets such as Apple Pay. When a transaction is sent for approval, a card issuer will be able to tell whether the card or a token stored in a mobile wallet was used. The issuer will also be able to tell if the transaction required a PIN – and if no PIN is given, the card issuer’s anti-fraud mechanisms should flag the transaction as potentially fraudulent and require that it be rerun on the contact card interface.
- High-value transactions: When an amount is higher than the limit for a contactless transaction, the card type or mobile wallet, the payment terminal and the operating environment will determine how it should be validated.
In addition to these anti-fraud checks, the card issuer, the terminal and the card itself include other measures that validate transactions.
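The issuer-side check described in the list above, sketched as an added example that is not from the original article or from any card scheme. The field names, the limit value and the rule that on-device verification is accepted only for wallet tokens are assumptions, and the sample transactions are constructed.

```python
from dataclasses import dataclass

# Hypothetical limit (in cents) for contactless payments without cardholder
# verification; real limits are set per region and card scheme.
NO_CV_LIMIT_CENTS = 5000


@dataclass
class Txn:
    txn_id: str
    amount_cents: int
    interface: str     # "contactless" or "contact"
    credential: str    # "card" (printed card number) or "token" (mobile wallet)
    verification: str  # "none", "pin" or "device" (verified on the phone)


def review(txn: Txn) -> str:
    """Return 'ok' or 'flag_rerun_on_contact' for one authorization request."""
    # Only contactless payments above the no-verification limit are checked here.
    if txn.interface != "contactless" or txn.amount_cents <= NO_CV_LIMIT_CENTS:
        return "ok"
    if txn.verification == "pin":
        return "ok"
    # Assumption: on-device verification is only plausible for a wallet token,
    # never for the number printed on a physical card.
    if txn.verification == "device" and txn.credential == "token":
        return "ok"
    # High-value contactless payment with no PIN: flag and ask for a rerun
    # on the contact interface.
    return "flag_rerun_on_contact"


def flagged(txns):
    """IDs of the transactions the rule flags."""
    return [t.txn_id for t in txns if review(t) != "ok"]


# Constructed sample authorization requests.
SAMPLE = [
    Txn("T1", 1250, "contactless", "card", "none"),     # under the limit
    Txn("T2", 18000, "contactless", "card", "pin"),     # PIN entered
    Txn("T3", 18000, "contactless", "token", "device"), # wallet, verified on phone
    Txn("T4", 18000, "contactless", "card", "none"),    # over limit, no PIN
    Txn("T5", 18000, "contactless", "card", "device"),  # card claiming device check
    Txn("T6", 18000, "contact", "card", "pin"),         # contact interface
]

if __name__ == "__main__":
    print(flagged(SAMPLE))
```
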
Never Assume Someone Else Is Handling Security
There’s little debate that EMV and contactless payment technologies have made a substantial impact on card-present security. In 2019, Visa reported that chip technology had reduced card-present fraud by 76 percent over instances in 2015 when EMV was first introduced in the U.S. However, as with any technology that’s designed to be flexible and to allow use in different operating environments, hackers may continue to find ways to exploit features for misuse.
Stay informed and study research findings such as those from ETH – they’re important for identifying potential vulnerabilities, helping to find ways to fix them and maintaining the highest level of payment security for EMV and contactless card transactions.