Since the pandemic began, consumers have gravitated toward doing business in the most socially distanced, touch-free ways. Ecommerce spiked with stay-at-home orders and the economic shutdown, and then, as people ventured out again to brick-and-mortar stores and restaurants, the number of contactless card transactions increased.
Not only are contactless card transactions fast and easy – consumers just “tap and go” for small dollar-amount transactions. They have the security of knowing that higher-dollar transactions require a cardholder to present the card and enter a personal identification number (PIN). Therefore, if a card is ever lost or stolen, it couldn’t be used fraudulently for large purchases.
As with anything, there is always the potential for vulnerabilities that you need to be aware of and ensure that there are measures in place to account for them, especially when it comes to payment security. A prime example of this is the recent research conducted by at the Swiss Federal Institute of Technology (ETH) in Zurich, where they discovered a hack that lets them bypass the limit for Visa contactless payments.
Understand Measures that Protect EMV and Contactless Card Transactions
As trusted advisors, it’s vital that software developers and ISOs understand the measures that card issuers take to keep transactions safe. Educating yourself and your client on relevant aspects of payment security can help you both make good decisions if there is a question about the legitimacy or security of a transaction. For example:
- Card transaction qualifiers: Card issuers set CTQs, which determine actions taken to verify a transaction at the point of sale (POS). In some regions, terminals may be configured not to require any cardholder verification (CV) under a certain transaction amount. Knowing the limit for a contactless payment without CV can help merchants minimize fraud.
- Real-time authorization: Most transactions are sent online for authorization by the card issuer at the time of the purchase. The issuer will perform anti-fraud checks, and merchants should always stay alert to messages from the issuer.
- Offline transactions: Some industries may allow offline transactions, and those that do, occasionally can run into a transaction that can’t be authenticated in real-time. In these instances, there are additional authentications that are performed on card data. If the CTQ has been modified, such as in the case of bypassing a PIN, offline authentication will fail, and the transaction will be declined.
- Tokenization vs. actual card numbers: Card numbers printed on contactless cards are different than tokens used by mobile wallets such as Apple Pay. When a transaction is sent for approval, a card issuer will be able to tell whether the card or a token stored in a mobile wallet was used. The issuer will also be able to tell if the transaction required a PIN – and if no PIN is given, the card issuer’s anti-fraud mechanisms should flag the transaction as potentially fraudulent and require that it be rerun on the contact card interface.
- High-value transactions: When an amount is higher than the limit for a contactless transaction, the card type or mobile wallet, the payment terminal and the operating environment will determine how it should be validated.
In addition to these anti-fraud checks, the card issuer, the terminal and the card itself include other measures that validate transactions.
Never Assume Someone Else Is Handling Security
There’s little debate that EMV and contactless payment technologies have made a substantial impact on card-present security. In 2019, Visa reported that chip technology had reduced card-present fraud by 76 percent over instances in 2015 when EMV was first introduced in the U.S. However, as with any technology that’s designed to be flexible and to allow use in different operating environments, hackers may continue to find ways to exploit features for misuse.
Stay informed and study research findings such as those from ETH – they’re important for identifying potential vulnerabilities, helping to find ways to fix them and maintain the highest level of payment security for EMV and contactless card transactions.