NFC Terminals and Contactless Payments

Contactless payment systems allow consumers to make payments using a personal device—usually their smartphone or an NFC-enabled card—which communicates wirelessly with the merchant’s terminal, exchanging information and authenticating the payment without any physical contact. This can allow for a much faster, frictionless checkout experience, and a safer one as well.

The United States had been lagging behind other countries when it comes to embracing contactless payments, but recent polling shows that just over half of all Americans have used some form of contactless payment. Consumers tend to like these systems, with 85% anticipating that they will continue to use contactless payments in the future, so it behooves merchants who have not yet upgraded to NFC-equipped terminals to weight the costs and benefits and decide whether it makes sense to continue holding out.

How Does NFC Technology Work?

Near-field communication is a close range form of radio-frequency identification technology, which uses electromagnetic fields and radio transponders to allow wireless communication between devices. NFC and RFID are used in many common applications—for example, the key fobs and ID cards that open up office buildings and private garages.

In a payments context, NFC technology allows the consumer to transmit data wirelessly from their device, which could be a smartphone or a NFC-enabled contactless credit card, to the merchant’s terminal.

The merchant can then use that data to authenticate the payment without ever having to scan or insert a physical card, and the consumer does not have to enter a PIN or sign a receipt.

These systems are often billed as “tap to pay” because the consumer is encouraged to simply tap their device against the reader to get them in close enough proximity to transmit and receive data. Apple Pay, Google Pay, and Samsung Pay are the leading providers of smartphone-based contactless payment systems in the US, while contactless payment cards are offered by various issuing banks including Bank of America, Capital One, and Chase. Many payment processors, such as Square, offer low-cost NFC terminals that make it easy and affordable for merchants to start using them.

In addition, many chain stores, transit authorities, and other organizations that deal with a high volume of payments have started offering their own contactless payment systems.

How Secure are NFC Terminals?

Few merchants need it explained to them how contactless payments will create a smoother and quicker checkout experience—whether it’s EMV chips that stubbornly refuse to be read, fistfuls of cash that have to be counted and recounted, or checks slowly written out by hand, traditional payment systems have a way of slowing things down. The real question is whether or not contactless payments are safe from fraudsters, hackers, and other cyber-threats.

The main difference between NFC and a regular card payment is the fact that it’s wireless—a credit card would require a physical connection between the EMV chip and the card reader.

However, mobile wallet apps tokenize the sensitive payment data so there’s nothing useful for hackers to steal on the merchant side. Contactless credit card, meanwhile, use a special chip (the Secure Element) to validate the cardholder’s identity, just like the normal EMV chip. So far, there is no evidence that the wireless aspect of these transactions creates any additional exposure to fraud.

In theory, it’s possible for “sniffer” devices to eavesdrop on wireless communications, but NFC requires the communicating devices to be in extremely close proximity—in many cases, it will be impossible for a fraudster to install or conceal a sniffer close enough to the merchant’s terminal.

All NFC transactions are required to be user-initiated, and the customer may be required to enter some additional information into their device to confirm their identity, especially if the purchase exceeds a certain dollar amount set by the provider. This prevents fraudsters from passively triggering transactions on other people’s devices.

Many contactless payment systems also include additional proprietary security measures. Apple Pay, for example, requires users to verify their identity with their thumbprint before making a payment. Because such devices are so secure against true fraud, you’re also less likely to see “friendly fraud” chargebacks follow such transactions.

That's not to say there is no possibility of fraud with these systems, however. There have been some instances where security vulnerabilities in the system software have been exploited. Most notably, a vulnerability in Visa's contactless payment system allowed security researchers to steal funds by sending a message to a contactless card that PIN verification wasn't required, and a separate message to the payment processor that verification had been completed. While this exploit did require physical proximity to the payment device, it not only allowed them to withdraw a payment from the victim's account, but also bypass the contactless payment limit.

Visa hasn't yet announced a fix for this vulnerability, citing the lack of real-world use of this technique, but if fraudsters start taking advantage, Visa would likely be able to put out a fix on the software side of things that wouldn't require any hardware to be replaced.

The Bottom Line for Contactless Payments

Any merchant who was wavering about making the leap to contactless payments because of fears that they would be opening the door to new forms of fraud and contactless chargebacks should feel reassured that NFC terminals aren’t any riskier than other payment readers, and in many cases they in fact offer even greater protections.

While contactless payments were on a slow burn towards widespread acceptance in the US prior to COVID-19, the pandemic has created much greater awareness and interest in contactless payment methods. In fact, NFC terminals can provide a genuine public health benefit in locations that are required to accept a high number of payments from multiple customers.

While concerns about the virus have waned in the U.S., most customers who have taken the leap to using contactless payment systems will want to keep using them simply for the convenience they offer. In addition, as people spend more time together again, seeing friends and family using contactless payment is likely to convince others to give it a try as well.

Where contactless payment systems are backed by card brands, the chargeback rules mandated by those brands apply. Proprietary systems may be subject to their own dispute rules, and merchants should always research those before signing up with them. Visa, MasterCard, and American Express branded NFC cards, however, can be safely accepted without having to learn any new chargeback rules and regulations.

We may be headed for a future where contactless payments are more common than cash or cards, and merchants in markets where consumers value quick and convenient transactions would be well advised to look into upgrading to NFC terminals sooner rather than later. While lacking NFC capability will rarely make customers abandon a purchase, it can make those who rely primarily on that technology for making payments less likely to return. That sort of missed opportunity isn't always easy to spot, with upgrading to NFC-enabled terminals easier than ever, it's a project worth considering for any merchant.

FAQ

Thanks for following the Chargeback Gurus blog. Feel free to submit topic suggestions, questions or requests for advice to: win@chargebackgurus.com