Contactless payments are in the news again: in the UK the spending limit has been increased from £20 to £30 per transaction, and in Australia the Victoria Police has argued that contactless payments are to blame for an extra 100 cases of credit card fraud per week. These frauds are where multiple transactions are put through, keeping each under the AUS $100 (about £45) limit. UK news coverage has instead focussed on the potential for cross-channel fraud: where card details are skimmed from contactless cards and then used for fraudulent online purchases. In a demonstration, Which? skimmed volunteers' cards at a distance and then bought a £3,000 TV with the card numbers and expiry dates recorded.
The media have been presenting contactless payments as insecure; the response from the banking industry is to point out that customers are not liable for fraudulent transactions. Both are in some ways correct, but in other ways both miss the point.
The law in the UK (Payment Services Regulations (PSR) 2009, Regulation 62) does indeed say that customers are entitled to a refund for fraudulent transactions. However a bank will only give one if it is convinced that the customer did not authorise the transaction and was not negligent. In my experience, a customer who is unable to clearly, concisely and confidently explain why they are entitled to a refund runs a high risk of not getting one. This will disproportionately disadvantage the more vulnerable members of society.
Banks can also make mistakes. The reason that customers are normally refused refunds is that the bank's records show the transaction was performed using the genuine card and the correct PIN. The bank argues that this could only have happened if the customer either authorised the transaction or was negligent in keeping the PIN secret. With contactless transactions there is no PIN, so the customer should be in a stronger position. However I've encountered fraud cases where the bank records are simply wrong: for example showing that the transaction was authorised by PIN when in fact the PIN was not used.
It would be unreasonable to ask banks not to roll out features just because there is the potential for new types of fraud. I certainly don't think the police should have a veto right on any new technology. A cost-benefit analysis needs to be performed. From the bank's perspective the relevant comparison is fraud losses against the extra transaction fee income, and clearly the banks consider this trade-off acceptable.
However the banks' losses are only a small part of the cost to society: the police need to spend time investigating the crime, the customer needs to deal with the financial (and emotional) consequences, and most likely the merchant will have to bear most of the fraud losses. The criminal may cause damage (e.g. breaking into a car) in the course of committing the crime, and the proceeds of crime may go on to create further harm (e.g. buying and using illegal drugs). It may take a long time to get a refund too, especially if the customer has to escalate the complaint to the Financial Ombudsman Service (29% of non-PPI complaints remain unresolved after 6 months and 10% take over a year). The actual fraud losses from contactless transactions are low compared to both the transaction volume and the losses from other types of card transaction, but the full social costs could be far higher.
Fraud on contactless cards didn't have to be this easy. The card number (known as the PAN, Primary Account Number) printed on the front of the card and used for online purchases does not have to be the one stored on the contactless chip. Instead an "alias PAN" could be used only for contactless transactions, which the bank would reject if used for online purchases. Merchants could also perform extra checks, such as asking for the CVV2 printed on the back of the card, confirming the name and/or address, or asking for a password as part of a 3D-Secure exchange.
However banks generally didn't use alias PANs, even though the specifications make special provision for them; Apple Pay did. Barclays even made the cardholder's name available over the contactless interface, contrary to guidelines, so defeating the value of name verification. Some merchants (most notably Amazon) don't check the CVV2, the cardholder address or the 3D-Secure password, on the basis that the extra exposure to fraud is worth the convenience offered to customers, taking into account the other fraud prevention measures the merchant has in place. Furthermore, there are design flaws in the contactless protocol which allow criminals to bypass even the remaining security measures.
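To make the two preceding paragraphs concrete, here is an added example (my code, not from the original post or from any bank or card scheme) that models both halves of the problem: what a skimmer actually reads over the contactless interface, and what the alias PAN design would have changed at the issuer. The contactless records are constructed for the example: 4111111111111111 is a standard test PAN, 4999000000000005 is an alias I made up in a separate BIN range, the cardholder name DOE/J is invented, and the `Account`/`authorise` issuer logic is a simplified stand-in for real tokenisation rather than any scheme's specification. The EMV tag numbers (57 for Track 2 Equivalent Data, 5F20 for Cardholder Name) and the BCD layout of Track 2 are as specified by EMV.

```python
"""Skim a contactless record, then try to replay the PAN online, with and
without an alias PAN at the issuer. Added example; all card data is constructed."""
from __future__ import annotations
from dataclasses import dataclass

TAG_TRACK2 = 0x57            # EMV Track 2 Equivalent Data
TAG_CARDHOLDER_NAME = 0x5F20  # EMV Cardholder Name


def parse_tlv(data: bytes) -> dict[int, bytes]:
    """Minimal BER-TLV parser for a flat EMV record (1- or 2-byte tags,
    short- or long-form lengths). Nested templates are not needed here."""
    out, i = {}, 0
    while i < len(data):
        tag = data[i]
        i += 1
        if tag & 0x1F == 0x1F:          # second tag byte follows, e.g. 5F20
            tag = (tag << 8) | data[i]
            i += 1
        length = data[i]
        i += 1
        if length & 0x80:               # long form: low bits = number of length bytes
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        out[tag] = data[i:i + length]
        i += length
    return out


def parse_track2(track2: bytes) -> dict[str, str]:
    """Track 2 is BCD nibbles: PAN, 'D' separator, YYMM expiry, 3-digit
    service code, discretionary data, padded to a whole byte with 'F'."""
    nibbles = track2.hex().upper().rstrip("F")
    pan, rest = nibbles.split("D", 1)
    return {"pan": pan, "expiry_yymm": rest[:4],
            "service_code": rest[4:7], "discretionary": rest[7:]}


def luhn_ok(pan: str) -> bool:
    """Luhn check digit used on card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def skim(record: bytes) -> dict[str, str]:
    """What a reader in range learns: PAN and expiry (enough for many online
    merchants), plus the name if the issuer exposed it on the chip."""
    tlv = parse_tlv(record)
    info = parse_track2(tlv[TAG_TRACK2])
    if TAG_CARDHOLDER_NAME in tlv:
        info["name"] = tlv[TAG_CARDHOLDER_NAME].decode("ascii").strip()
    return info


@dataclass(frozen=True)
class Account:
    funding_pan: str                    # printed on the card; valid online and for chip-and-PIN
    contactless_alias: str | None       # alias PAN personalised on the chip, or None (status quo)


def authorise(pan: str, channel: str, accounts: list[Account]) -> tuple[bool, str]:
    """Hypothetical issuer decision; channel is 'contactless', 'chip_pin' or 'ecommerce'.
    An alias is honoured only over contactless. If the issuer uses aliases, a funding
    PAN arriving over contactless cannot have come from a card it personalised."""
    if not luhn_ok(pan):
        return False, "invalid PAN"
    for acct in accounts:
        if acct.contactless_alias is not None and pan == acct.contactless_alias:
            if channel == "contactless":
                return True, "approved: alias on contactless"
            return False, "alias PAN not valid on " + channel
        if pan == acct.funding_pan:
            if channel == "contactless" and acct.contactless_alias is not None:
                return False, "funding PAN never personalised for contactless"
            return True, "approved: funding PAN on " + channel
    return False, "unknown PAN"


def make_record(pan: str, name: str | None = None) -> bytes:
    """Build a constructed contactless record: tag 57, optionally tag 5F20."""
    track2 = bytes.fromhex(pan + "D" + "2012" + "201" + "000000000" + "F")
    rec = bytes([TAG_TRACK2, len(track2)]) + track2
    if name:
        rec += bytes([0x5F, 0x20, len(name)]) + name.encode("ascii")
    return rec


FUNDING_PAN = "4111111111111111"   # standard test PAN
ALIAS_PAN = "4999000000000005"     # constructed alias, different BIN range, Luhn-valid
TODAYS_CARD = make_record(FUNDING_PAN, name="DOE/J")   # printed PAN and name on the chip
ALIAS_CARD = make_record(ALIAS_PAN)                     # alias only, no name
ISSUER_STATUS_QUO = [Account(FUNDING_PAN, None)]
ISSUER_WITH_ALIAS = [Account(FUNDING_PAN, ALIAS_PAN)]


def replay_online(record: bytes, accounts: list[Account]) -> tuple[bool, str]:
    """Cross-channel fraud: take the skimmed PAN to an e-commerce checkout."""
    return authorise(skim(record)["pan"], "ecommerce", accounts)


if __name__ == "__main__":
    print("today's card skims as:", skim(TODAYS_CARD))
    print("replayed online:", replay_online(TODAYS_CARD, ISSUER_STATUS_QUO))
    print("alias card skims as:", skim(ALIAS_CARD))
    print("replayed online:", replay_online(ALIAS_CARD, ISSUER_WITH_ALIAS))
```

Run stand-alone, the status-quo card yields a PAN, expiry and name that the issuer then approves for an online purchase, which is exactly the Which? demonstration; the alias card yields a PAN the issuer declines on any channel other than contactless. The example also shows why a merchant that relies on name verification gains nothing when the name is itself readable from the chip.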
So overall, the situation is not as simple as either the media or the banks make out. Contactless payments are convenient and popular, but their security weaknesses create social costs beyond those measured simply through direct fraud losses. It is not sufficient simply to offer fraud victims a refund (if they can convince the bank that they are entitled to one). Provision is needed to help those unable to navigate the labyrinthine transaction dispute procedures, and that provision must take into account the potential for errors in bank logs. Even measuring the true cost of fraud is difficult, let alone deciding who should bear it. Attempts to do so must be careful not to dampen innovation, nor to give banks too much control over law enforcement prioritisation.