Fraud Rising as Contactless Payment Limits Increase
Table of Contents
- How Do Contactless Payments Work?
- What Are the New Contactless Payment Limits in Europe?
- Are Contactless Payments Vulnerable to Fraud?
- Can Contactless Cards Be Hacked?
- How Do You Stop a Contactless Card Being Skimmed?
The COVID-19 pandemic has changed a lot of things for brick-and-mortar merchants. Many of these merchants, especially those in the restaurant and grocery industry, began offering new services like delivery and curbside pickup. Countless small businesses took their first steps into the realm of e-commerce, learning how to market, sell, and deliver their products to customers outside their local area.
Another change has been a significant increase in the demand for and adoption of contactless payments. In response to this demand, 29 countries have increased federal limits on the maximum value of contactless payments. Unfortunately, raising the amount of money customers can spend also raises the amount of money fraudsters can extract from stolen cards and payment credentials. What do merchants need to know about contactless payment fraud, the new transaction limits, and how the latter will affect the former?
The COVID-19 pandemic changed customer behavior in several ways, including many customers trying to limit how often they touched things other people have touched. While some things have gone back to normal, many will want to keep using contactless payment methods now that they've discovered the convenience of not having to insert a card and wait a few seconds for each transaction.
Of course, contactless payments were already well on their way to wider adoption, but the concern over the risk of infection drastically accelerated the timetable, and as more people notice others, especially friends and family, taking advantage of contactless options, we will likely continue to see a rapid pace of adoption for at least a little while longer.
Because of the relative newness of contactless payments, however, the fraud that derives from it—and the remedies for that fraud—are likewise in their early stages of development. As customers embrace contactless payments and the amount of money flowing through these systems goes up, fraudsters are taking notice.
How Do Contactless Payments Work?
When that happens, the two devices will communicate using radio waves, exchanging either encrypted payment credentials or a token linked to them.
This process works basically the same way regardless of which technology is being used, with the primary difference between RFID and NFC being that most NFC devices can initiate communication as well as respond to it, enabling peer-to-peer data transmission and payments. However, payment cards are more likely to use encrypted payment credentials, whereas NFC-enabled devices are more likely to use tokenization.
What Are the New Contactless Payment Limits in Europe?
Most of these changes are permanent, but those in the Netherlands and Greece are temporary. The UK initially increased its contactless payment limit to £45 in concert with the other countries, but in October 2021 the limit was raised again, this time to £100. Here's a rundown of the new contactless payment limits for each country:
Here's a rundown of the new contactless payment limits:
|Country||Currency||Old limit||New limit|
The major card networks have been aggressive in getting European customers to accept and use contactless payments. Mastercard in particular has pushed several initiatives over the past few years, such as requiring the use of contactless-enabled payment terminals, to the point where now as many as three quarters of all Mastercard transactions in Europe are contactless. This has been touted as a win for merchants and customers, enabling faster transactions.
Are Contactless Payments Vulnerable to Fraud?
With these limit increases, fraudsters operating in the above countries can now more than double their profit from a single transaction.
The more attempts a fraudster makes to make a transaction with stolen credentials, the more chances they have to tip off the cardholder, get caught, or encounter some sort of technical glitch or fraud detection feature that renders the card useless. Most contactless payment systems only allow a limited number of transactions before the pin must be entered again, ensuring that even if not immediately reported, there's a hard limit on how much a stolen card can be used.
When limits for individual transaction amounts go up, each transaction becomes potentially much more valuable, and the total amount that can be stolen before requiring re-authorization goes up accordingly, making it more worth the fraudster’s time to go after these contactless payment devices.
So far, most contactless payment fraud has been carried out through unsophisticated means: namely, by stealing the credentials or devices directly and using them to make purchases. Fears about contactless card “skimmers” that steal data or money wirelessly just by being brought into proximity with a contactless device have largely proven unfounded so far.
While such fraud is not unheard of, it has thus far exploited specific vulnerabilities in specific systems, not contactless payment technology in general. Once all of these software vulnerabilities are discovered and addressed, there shouldn't be any way for a skimmer to enable fraudulent payments.
Contactless payment cards can't be cloned the way magnetic stripe cards can, and there are many technological and regulatory barriers that would make it nearly impossible to initiate and process a transaction without the device owner’s cooperation.
It's likely, however, that contactless payment card fraud will become more sophisticated and effective in the years to come as it becomes more rewarding for fraudsters.
Merchants should be aware of this not to avoid contactless payments, but to proactively seek out the fraud and chargeback mitigation tools that will help them weather these changes.
Contactless payments may be more secure than plastic cards, but fraud never really goes away—it just changes its form to seep into the cracks that existing security protections can’t seal. Merchants should adopt the contactless payments schemes that make sense for their businesses, but should also be forward-thinking about anticipating and proactively defending against the ways they might be misused or exploited.