NFC Focus: How Secure Are Contactless Payments? Source: Matthew Chapman
NFC payments could be the way you pay for your shopping, a latte, the keys you got cut and that Happy Meal, all with the tap of a smartphone or contactless card. As with any new payment technology, the big question is: Is it safe?
Philip Robinson, head of payments at Lloyds Banking Group, echoed the feelings of all of the institutions IBTimes UK spoke to when said that his company takes the security of its customer's data very seriously.
"Within the NFC standards, security is managed by a 'secure element', which hosts the firewalled applications and user credentials and controls security and cryptography. NFC follows several industry standards including EMV global standards for authenticating debit and credit transactions, backed by Visa, MasterCard and American Express," he said.
EMV stands for Europay, MasterCard and VISA, which is a global standard that allows integrated circuit cards to work together.
"The systems are based on a form of EMV for contactless, so for using NFC or a radio link it is an absolutely secure authentication process between the acceptance device and the contactless card or NFC handset," added Alan Moss, marketing director for WEMEA at equipment manufacturer VeriFone.
"It is based on obviously very complex cryptography in the same way as we have in standard contact EMV, a standard chip card. Essentially with contactless and NFC we are doing that using the radio waves but the authentication technology is the same."
Customer confidence
Telling users that contactless payments have the same security system as standard debit and credit cards should go some way to alleviating fears. This is, after all, not the first time banks have introduced new payment technologies.
"I make the same analogy to 15 years ago when online payments came along and people were worried about buying online and putting their credit or debit card details on the internet. People thought, I might get the goods but I don't know what is happening to my details," said Tom Gregory, Head of Digital Payments at Barclaycard Europe.
"This system is new so there are natural concerns around that but we are taking our customers on that journey and making them feel comfortable with these new ways to pay."
Some customers will need to have their hand held on that journey more than others. A study by Forrester Research concluded that those using a digital wallet - which is the software or app on a smartphone that handles a contactless payment - must have confidence in their security and privacy.
Early adopters, by their very nature, will care about the privacy of their data and the security of their transactions but are inherently more willing to take on risk. Everyone else will be looking very closely at how security is handled.
"Later adopters will be even more concerned than their predecessors were. They will differentiate among digital wallets based on their perception of the wallet operator's ability to protect their data, ensure the integrity of their transactions, and inspire confidence in their ability to do so.
"This will be a proof point for wallet operators whose reputations in other consumer interactions will inform that perception," Denee Carrington of Forrester Research wrote in her study Why The Digital Wallet Wars Matter.
Looking Silly
Anecdotal evidence from Barclaycard suggested that security was not the main concern for early adopters of the technology. In fact, most users were worried about looking silly.
"Customers' number one concern: am I happy that the payment will be made so I am not going to look foolish because I don't have any cash on me? If I go to tap my phone or card or PayBand and nothing happens I will look slightly red in the face. Their second biggest concern is, is my money safe?" Gregory said.
The worry about whether the payment would go through was alleviated using an auto top-up feature. So, for example, when a user's electronic cash dropped below £10, another £20 would automatically be applied to it.
That auto update brought its own fears. If a user drops their Barclays PayBand in a festival, what is to stop someone using it for an unlimited period of time as it continues to refresh its funds?
"People liked that you got a text message and an email every time you topped up or every time you spent," Gregory said. "It gave them peace of mind to know they were in control of their finances. If you were unfortunate enough to lose your PayBand and someone was making a fraudulent activity on it then you would instantly know and could cancel it straight away."   
Gregory said that a key selling point of PayBand and of all Barclaycard's contactless payment devices was that they were safer than cash. He made the analogy that if you had your wallet stolen it may be returned to you but it would likely be missing any money that was inside.
"With the PayBand, if you were unfortunate enough to lose it or someone stole it and then it got used, we refund that money back to you 100 percent with our fraud guarantee. You contact us in the same way as if you had fraudulent activity on a card and the operator will say which of these transactions was yours and which weren't yours and you get the fraudulent transactions refunded back to you," he said.
Money-back Guarantee
A money-back guarantee should be enough to convince most people to at least try out NFC technology. Rene Batsford, head of IT at food retailer Eat, actually claims the technology is safer than the card in your wallet because it can be reissued much more easily if there is a major data breach.
He said that companies such as Visa don't want to issue cards these days, they want to issue accounts that use virtual cards.
"When there was a security issue with Global Payments in America - when their systems were compromised and 10 million CVV codes were stolen - Visa had to reissue 10 million cards. That costs a lot of money and it is a big confidence dent," he remembered.
Batsford said the same kind of compromise on a virtual card could be handled much quicker by applying a fix and changing the algorithm.
"There will always be cyber-theft but NFC gives you the tools to stay one step ahead," he said.
| }
|