Retail Reset

A Virtual Forum Addressing COVID-19 Recovery Strategies

As Contactless Payment Use Grows, Here’s What Consumers Need To Know About Fraud Prevention

Touch-free “contactless” payments in stores and at vending machines are gaining popularity with U.S. shoppers and retailers during the pandemic, because the coronavirus can stay viable on many surfaces for hours or even days. Waving an NFC-enabled card or smartphone over a terminal instead of touching it can reduce the risk of picking up the virus along with groceries and cleaning supplies.

Although contactless payments are already popular in much of the world, they hadn’t seen much interest in the U.S. until now. That means there are some concerns about whether contactless payments protect users from fraud as well as from viral contamination. Here’s what U.S. shoppers need to know about how NFC payments can help limit the spread of the coronavirus, and how to protect these transactions from fraud.

What exactly is NFC and why are more people using it now?

Near-field communication (NFC) is similar to radio-frequency identification (RFID) technology, except that NFC only allows devices to connect and share information if they’re within about four inches of each other. During a purchase, the NFC device tokenizes and encrypts payment data to prevent criminals from intercepting it and using it to make purchases. Many U.S. banks now offer NFC-enabled credit cards, although you may have to request one specifically. Virtually all recent smartphones come with NFC built in, so you can use a mobile wallet to pay with your phone without ever touching a terminal.

From the launch of NFC, card companies and smartphone manufacturers have promoted it as a convenience that saves time. Contactless payments take about half as long to process as EMV payments that require you to insert your card into a reader. And NFC payments offer the same level of security as EMV-chip enabled cards.


Now, health experts including the World Health Organization (WHO) are promoting contactless payments as a safer alternative to cash and to chip-and-PIN credit card transactions, which require touching the payment terminal. Cash is such an efficient vehicle for carrying bacteria and viruses that South Korea temporarily took it out of circulation as part of its response to the pandemic. Although it seems like nonporous plastic credit cards might be cleaner, one study found that cards are dirtier than cash. In a pandemic, that turns point-of-sale terminals where people swipe or dip cards into “bus depots,” where virus particles can stop off and then catch a ride on new cards and new hands to keep spreading.

To protect customers and employees, more stores are adding contactless payment capacity and promoting that option to customers. Many countries are now allowing higher NFC transaction limits without requiring that the customer enter a PIN in order to encourage more contactless payments.

Can fraudsters exploit NFC technology?

Despite early concerns that anyone with a portable NFC reader could steal payment data from unsuspecting victims, so far the technology has been hard to crack. Although security researchers did find a way in 2019 to get around Visa’s contactless transaction limit in the UK, the range of those attacks was limited to test victims who were in very close physical proximity — something that’s unlikely to happen in an age of social distancing.

So the good news for consumers is that while it’s technically possible for fraudsters to steal the data from a nearby person’s NFC-enabled card using a portable reader, it’s not a practical strategy for fraudsters because anyone getting that close to another person in public right now is going to immediately raise suspicion. Even if they could steal the card information without obtaining the card, criminals wouldn’t be able to generate the tokens required to complete an in-store transaction.

The less good news is that contactless cards were involved in 3% of card fraud in 2018 in the UK. One victim lost the equivalent of nearly half a million dollars to a series of fraudulent transactions. These frauds happened the old-fashioned way — with the card in hand. When contactless cards are lost or stolen, there’s nothing stopping criminals from using them to make purchases without providing a PIN or a signature — up to the local per-transaction limit, of course.

How can consumers stay safe while using contactless payments?

Because most contactless card fraud happens when criminals have the card in hand, it’s wise to:

  • Keep track of your contactless cards and store them safely;
  • Report lost or stolen contactless cards to your bank right away; and
  • Minimize the amount of time your card is visible to others in public. Although it’s unlikely, it’s possible that someone could snap a picture of your card number and attempt to use it to make purchases online.

Most of us are very careful about keeping track of our smartphones, and that’s even more important if you’ve set up the NFC-enabled mobile wallet on your device. If your phone isn’t protected by a password, fingerprint or another form of identity verification, anyone who has your phone might be able to go shopping with your mobile wallet. Now is the time to set up or strengthen those security steps to prevent fraud if your phone is lost or stolen.

Finally, remember that even though contactless payments keep your cards and hands from touching checkout terminals, it’s still important to regularly clean your hands, clean your phone and even clean your credit cards to protect your health.

Rafael Lourenco is Executive Vice President and Partner at ClearSale, a card-not-present fraud prevention operation that helps retailers increase sales and eliminate chargebacks before they happen. The company’s proprietary technology and in-house staff of seasoned analysts provide an end-to-end outsourced fraud detection solution for online retailers to achieve industry-high approval rates while virtually eliminating false positives.     


Access The Media Kit


Access Our Editorial Calendar

If you are downloading this on behalf of a client, please provide the company name and website information below: