Fraud Rising as Contactless Payment Limits Increase

October 14, 2021

Table of Contents

  1. How Do Contactless Payments Work?
  2. What Are the New Contactless Payment Limits in Europe?
  3. Are Contactless Payments Vulnerable to Fraud?
  4. Can Contactless Cards Be Hacked?
  5. How Do You Stop a Contactless Card Being Skimmed?

The COVID-19 pandemic has changed a lot of things for brick-and-mortar merchants. Many of these merchants, especially those in the restaurant and grocery industry, began offering new services like delivery and curbside pickup. Countless small businesses took their first steps into the realm of e-commerce, learning how to market, sell, and deliver their products to customers outside their local area.

Another change has been a significant increase in the demand for and adoption of contactless payments. In response to this demand, 29 countries have increased federal limits on the maximum value of contactless payments. Unfortunately, raising the amount of money customers can spend also raises the amount of money fraudsters can extract from stolen cards and payment credentials. What do merchants need to know about contactless payment fraud, the new transaction limits, and how the latter will affect the former?

New call-to-actionThe COVID-19 pandemic changed customer behavior in several ways, including many customers trying to limit how often they touched things other people have touched. While some things have gone back to normal, many will want to keep using contactless payment methods now that they've discovered the convenience of not having to insert a card and wait a few seconds for each transaction.

Of course, contactless payments were already well on their way to wider adoption, but the concern over the risk of infection drastically accelerated the timetable, and as more people notice others, especially friends and family, taking advantage of contactless options, we will likely continue to see a rapid pace of adoption for at least a little while longer.

Because of the relative newness of contactless payments, however, the fraud that derives from it—and the remedies for that fraud—are likewise in their early stages of development. As customers embrace contactless payments and the amount of money flowing through these systems goes up, fraudsters are taking notice.

How Do Contactless Payments Work?

Contactless payments allow customers to use either a radio-frequency identification (RFID) chip embedded in a payment card or an electronic device using near field communication (NFC) technology to make payments by holding the card or device near a compatible terminal.

When that happens, the two devices will communicate using radio waves, exchanging either encrypted payment credentials or a token linked to them.

This process works basically the same way regardless of which technology is being used, with the primary difference between RFID and NFC being that most NFC devices can initiate communication as well as respond to it, enabling peer-to-peer data transmission and payments. However, payment cards are more likely to use encrypted payment credentials, whereas NFC-enabled devices are more likely to use tokenization.

What Are the New Contactless Payment Limits in Europe?

Contactless payment limits were raised in 29 European countries, covering most of the region. The new limits vary by country, in part due to the different currencies involved, but most of them are between $40 and $60.

Most of these changes are permanent, but those in the Netherlands and Greece are temporary. The UK initially increased its contactless payment limit to £45 in concert with the other countries, but in October 2021 the limit was raised again, this time to £100. Here's a rundown of the new contactless payment limits for each country:

Here's a rundown of the new contactless payment limits:

Country Currency Old limit New limit
Albania LEK 2000 4500
Armenia AMD 12100 20000
Belarus BYN 20 100
Bulgaria BGN 50 100
Croatia HRK 100 350
Cyprus EUR 20 50
Estonia EUR 25 50
Georgia GEL 45 100
Germany EUR 25 50
Greece EUR 25 50
Hungary HUF 5000 15000
Ireland EUR 30 50
Kazakhstan KZT 5000 20000
Kosovo EUR 15 40
Kyrgyzstan KGS 1525 2500
Latvia EUR 25 50
Lithuania EUR 25 50
Luxembourg EUR 25 50
Malta EUR 25 50
N. Macedonia MKD 750 2000
Netherlands EUR 25 50
Poland PLN 50 100
Portugal EUR 20 50
Spain EUR 20 50
Sweden SEK 200 400
Tajikistan TJS 140 200
Turkey TRY 120 250
UK GPB 30 45
Uzbekistan UZS 52500 250000

The major card networks have been aggressive in getting European customers to accept and use contactless payments. Mastercard in particular has pushed several initiatives over the past few years, such as requiring the use of contactless-enabled payment terminals, to the point where now as many as three quarters of all Mastercard transactions in Europe are contactless. This has been touted as a win for merchants and customers, enabling faster transactions.

Are Contactless Payments Vulnerable to Fraud?

Contactless card fraud occurs at less than half the rate of overall card fraud. However, there are ways to exploit contactless payment systems, such as adding stolen payment credentials to a mobile wallet and using it to make fraudulent purchases at brick-and-mortar stores.

With these limit increases, fraudsters operating in the above countries can now more than double their profit from a single transaction.

The more attempts a fraudster makes to make a transaction with stolen credentials, the more chances they have to tip off the cardholder, get caught, or encounter some sort of technical glitch or fraud detection feature that renders the card useless. Most contactless payment systems only allow a limited number of transactions before the pin must be entered again, ensuring that even if not immediately reported, there's a hard limit on how much a stolen card can be used.

Manage Chargeback In-House Or OutshoreWhen limits for individual transaction amounts go up, each transaction becomes potentially much more valuable, and the total amount that can be stolen before requiring re-authorization goes up accordingly, making it more worth the fraudster’s time to go after these contactless payment devices.

So far, most contactless payment fraud has been carried out through unsophisticated means: namely, by stealing the credentials or devices directly and using them to make purchases. Fears about contactless card “skimmers” that steal data or money wirelessly just by being brought into proximity with a contactless device have largely proven unfounded so far.

While such fraud is not unheard of, it has thus far exploited specific vulnerabilities in specific systems, not contactless payment technology in general. Once all of these software vulnerabilities are discovered and addressed, there shouldn't be any way for a skimmer to enable fraudulent payments.

Contactless payment cards can't be cloned the way magnetic stripe cards can, and there are many technological and regulatory barriers that would make it nearly impossible to initiate and process a transaction without the device owner’s cooperation.

It's likely, however, that contactless payment card fraud will become more sophisticated and effective in the years to come as it becomes more rewarding for fraudsters.

Merchants should be aware of this not to avoid contactless payments, but to proactively seek out the fraud and chargeback mitigation tools that will help them weather these changes.

Contactless payments may be more secure than plastic cards, but fraud never really goes away—it just changes its form to seep into the cracks that existing security protections can’t seal. Merchants should adopt the contactless payments schemes that make sense for their businesses, but should also be forward-thinking about anticipating and proactively defending against the ways they might be misused or exploited.

FAQ

Can Contactless Cards Be Hacked?

Currently, contactless cards can't be hacked. However, there are still some vulnerabilities to fraud, mostly involving overlooked software vulnerabilities that can bypass authorization. Contactless transaction limits offer some protection, but they can also be bypassed on certain cards.

How Do You Stop a Contactless Card Being Skimmed?

Most modern wallets contain built-in RFID blocking, but if you don't use a wallet, or want to stick with one that doesn't have that feature, you can purchase a thin sleeve for your cards that will also block them from being read.


Thanks for following the Chargeback Gurus blog. Feel free to submit topic suggestions, questions or requests for advice to: win@chargebackgurus.com

Get the guide, Chargebacks 101: Understanding Chargebacks & Their Root Causes