Dispelling the Myths: The Reality about Contactless Security

Ryan Erenhouse , Business Leader at Mastercard

18.01.2018 08:00 am

For many people, paying with a card is still associated with a “swipe” or a “dip”; however, for the owners of more than 370 million contactless cards accepted in over 8 million locations in 111 countries, they pay with a tap. Mastercard first introduced contactless cards back in 2003 to give consumers a safe and simple way to pay that helps speed them through the checkout line. And that same foundational technology (and many of the same standards) also powers our ability to pay with a phone.

Contactless technology was developed by Mastercard with the mindset of never sacrificing security for convenience. The cards and devices contain an embedded chip and a radio frequency (RFID) antenna that provide a wireless link with the contactless reader. When the card or device is tapped against the reader, information is transmitted in a highly secure manner within a fraction of a second.

But with contactless payment information being transmitted wirelessly, some people question whether it’s truly safe. The simple answer: yes.

First, contactless payments require different information than those made over the phone or online. The cardholder’s name, three digit security code on the back of the card, and billing information like zip code are never transmitted. Instead, along with the account information, a one-time-only code is sent from the card or device to the reader to identify that transaction.
Second, working with issuers, retailers and payment service providers, Mastercard uses robust fraud detection systems and artificial intelligence to spot suspicious activity and stop fraud in its tracks.
Finally, cardholders can rest assured that if their card is compromised, they are protected with a global zero liability promise and will not be liable for unauthorized charges.

Despite these security measures, there are misconceptions about this technology. Let’s take a look at the myths and the realities of contactless payments:

MYTHS	REALITIES
A thief can easily electronically pickpocket your contactless card/device.	While smart phone applications that enable the phone to read some of the data from a contactless enabled card or device do exist, they can only read the account number and expiration date. Plus, the thief would need to be physically close to the card in order to get this information.
If a thief does intercept your contactless information, they can create a counterfeit card to use in a store.	When a contactless transaction takes place the card or device provides the reader with a dynamic, one-time-only number that uniquely and securely identifies each specific transaction.It would be extremely difficult for a fraudster to copy the advanced encryption technology that is used to generate this dynamic number and create a functioning counterfeit version of a contactless card.
Even if a thief can’t counterfeit your card, they can make purchases online or by phone.	For a purchase to be authenticated and authorized via phone or online, typically several pieces of information must be presented – including the three-digit code on the back of a card and the cardholder’s name and billing address.Since the card or device does not send the code, billing address or zip code information or name over the contactless interface, the thief won’t have the information typically needed to conduct payment transactions, either in person, on the phone or online.
You are responsible for purchases made by thieves if they steal your card information	Mastercard protects consumers against fraudulent charges with a global zero liability policy. That means you are not held liable for unauthorized fraudulent transactions.
In addition to stealing your card data, thieves can also steal your identity.	There is a clear distinction between identity theft, where a consumer’s identity is assumed by another individual for criminal purposes, and payment card fraud, where a consumer’s card information is compromised and used to make unauthorized purchases.Mastercard contactless cards and devices do not transmit information about the cardholder such as name or address, so there is very little risk of actual identity theft. But, knowing that identity theft is a concern for many people, Mastercard does offer an ID Theft Alert service to consumer credit and debit cardholders in the U.S. who can sign up at the following link: https://www.mastercard.us/en-us/consumers/payment-technologies/id-theft-protection.html.