
Investigating the myths and realities of contactless payments - An interview with Nicolas Raffin, Board Member, SPA

Monday 29 July 2013 13:19 CET | Editor: Melisande Mual | Interview

There has been much recent coverage in the media about the perceived security vulnerabilities of contactless payment, with several exaggerated cases reported in some detail. Rather than a pragmatic analysis of risk, the vast majority of reports appear to compound inaccurate ‘urban legends’, the kind that typically appear during the introduction of any new technological innovation. At a time when banks in particular, and the whole payment industry in general, are investing considerable sums of money in infrastructures (payment terminals, cards, mobile phones…) that offer fast, convenient and

How do contactless payments work with an NFC smartphone?
Nicolas Raffin: We recognize the mobile phone plays a hugely important role in our daily lives: it wakes us up with its alarm clock, we check our daily schedule through its diary, it guides us towards our next destination thanks to inbuilt GPS and much more besides. So why shouldn’t it allow us to pay for goods and services, or to receive discount vouchers and promotions that are automatically redeemed during payment? It should!

As a result, a few years ago the payment industry, in a joint effort with the mobile world, began discussions about how to securely enable payments with a mobile phone.

Through this development the term NFC was born. It is a way of carrying out transactions and services in the ‘near field’ (or short distance) of typically just a few centimeters.

This NFC technology is now stable, and is being introduced by banks and mobile telecom operators in many countries across the world.

How do contactless payments actually work?
Nicolas Raffin: As you can imagine, it is quite a technical process. To simplify, your contactless payment card has an embedded antenna that is connected to the card’s microchip, the golden or silver metallic plate that you see on your card.

This antenna uses the Radio Frequency (RF) field sent by the payment terminal and converts it into electricity – which is then used to make the microchip work. Then the chip can start communicating and exchanging information with the payment terminal over this RF field. All this happens in less than 500 milliseconds, which explains why a contactless payment is so quick!

How secure are they?
Nicolas Raffin: In the same way a contact transaction (where the card has to be inserted in a terminal) is very secure, so too is a contactless transaction.

The ‘conversation’ between the card and the terminal is protected by special keys that are inserted in both the terminal and card during production.

Also, remember that the distance between the card and the reader is very limited (typically 2 to 3 cm / 1 inch). This makes it difficult, if not impossible, for a fraudster to insert any ‘listening’ device in between.

The card itself is also protected by ‘counters’. These record the number of times the card is used in contactless mode. When a specific number has been reached, the card cannot be used anymore in contactless mode, and the cardholder has to use it in contact mode, using his PIN code. The number of times a card can be used in a contactless mode is defined by your bank – typically 10 times.

After this successful contact transaction (when the PIN is entered), the counters are reset to allow you to use the card in contactless mode again.

So, in the very worst case of a card being stolen just after it has been reset, the thief could make a maximum of 10 transactions of no more than EUR 20 each time – a maximum of EUR 200.

However, banks are aware of this threat and are using advanced security software to detect abnormal use patterns – for example 3 or 4 consecutive contactless transactions within a period of a few minutes or hours. Normal contactless usage is lower than this, and so your bank will block any further contactless transactions. In most cases, banks offer a 100% refund on any amount stolen.

In addition to this, some banks also send an SMS to the cardholder each time the card is used in contactless mode. Any fraudulent activity can therefore be immediately identified by you.
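The controls described in this answer (a per-transaction ceiling, a card-side contactless counter that only a PIN-verified contact transaction resets, and an issuer-side rule that blocks further contactless use after a burst of transactions) can be modelled in a few dozen lines. The following Python is an added illustration and is not code from the interview, the SPA or any payment scheme; the ceiling (EUR 20), counter (10) and "3 transactions in a short window" figures are the typical values quoted above, and the 30-minute window and the transaction log are constructed assumptions.

```python
"""Model of the contactless controls quoted in the interview: a per-card
offline counter reset by a PIN-verified contact transaction, a per-transaction
ceiling, and an issuer-side velocity rule that blocks further contactless use.
Added illustration; parameter values are the 'typical' figures from the
interview, not any real scheme's limits."""
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed parameters (typical figures from the interview; window is constructed).
CONTACTLESS_CEILING_EUR = 20.0   # per-transaction cap in contactless mode
CONTACTLESS_COUNTER_MAX = 10     # contactless uses allowed before a PIN is required
VELOCITY_WINDOW = timedelta(minutes=30)
VELOCITY_THRESHOLD = 3           # approvals inside the window that trigger a block


@dataclass
class Transaction:
    when: datetime
    amount_eur: float
    contactless: bool
    pin_verified: bool = False   # only meaningful for contact transactions


@dataclass
class Card:
    """Card-side state: the offline contactless counter."""
    contactless_uses: int = 0

    def authorize(self, txn: Transaction) -> str:
        if not txn.contactless:
            if not txn.pin_verified:
                return "DECLINED_PIN_REQUIRED"
            self.contactless_uses = 0            # successful PIN entry resets the counter
            return "APPROVED_CONTACT"
        if txn.amount_eur > CONTACTLESS_CEILING_EUR:
            return "DECLINED_OVER_CEILING"       # terminal would require contact + PIN
        if self.contactless_uses >= CONTACTLESS_COUNTER_MAX:
            return "DECLINED_COUNTER_EXHAUSTED"  # cardholder must use contact + PIN
        self.contactless_uses += 1
        return "APPROVED_CONTACTLESS"


@dataclass
class IssuerMonitor:
    """Issuer-side velocity rule over approved contactless transactions."""
    recent: deque = field(default_factory=deque)
    contactless_blocked: bool = False

    def record(self, when: datetime) -> None:
        # Drop approvals that have fallen out of the sliding window.
        while self.recent and when - self.recent[0] > VELOCITY_WINDOW:
            self.recent.popleft()
        self.recent.append(when)
        if len(self.recent) >= VELOCITY_THRESHOLD:
            self.contactless_blocked = True      # abnormal pattern: block contactless


def process(card: Card, monitor: IssuerMonitor, txn: Transaction) -> str:
    """Authorize one transaction through the card, then the issuer monitor."""
    if txn.contactless and monitor.contactless_blocked:
        return "DECLINED_ISSUER_BLOCK"
    result = card.authorize(txn)
    if result == "APPROVED_CONTACTLESS":
        monitor.record(txn.when)
    return result


def worst_case_exposure_eur() -> float:
    """Maximum loss before a PIN is required: counter limit times the ceiling."""
    return CONTACTLESS_COUNTER_MAX * CONTACTLESS_CEILING_EUR


def run_burst_scenario() -> list:
    """Constructed log: card reset by a PIN purchase, then a rapid contactless burst."""
    t0 = datetime(2013, 7, 29, 9, 0)
    log = [
        Transaction(t0, 45.0, contactless=False, pin_verified=True),
        Transaction(t0 + timedelta(minutes=60), 12.5, contactless=True),
        Transaction(t0 + timedelta(minutes=65), 25.0, contactless=True),   # over ceiling
        Transaction(t0 + timedelta(minutes=70), 18.0, contactless=True),
        Transaction(t0 + timedelta(minutes=75), 19.0, contactless=True),   # 3rd in window
        Transaction(t0 + timedelta(minutes=80), 5.0, contactless=True),    # blocked
    ]
    card, monitor = Card(), IssuerMonitor()
    return [process(card, monitor, txn) for txn in log]


def run_counter_scenario() -> list:
    """Constructed log: one small contactless purchase a day until the counter runs out."""
    t0 = datetime(2013, 7, 1, 12, 0)
    log = [Transaction(t0 + timedelta(days=d), 8.0, contactless=True) for d in range(11)]
    log.append(Transaction(t0 + timedelta(days=11), 30.0, contactless=False, pin_verified=True))
    log.append(Transaction(t0 + timedelta(days=12), 8.0, contactless=True))
    card, monitor = Card(), IssuerMonitor()
    return [process(card, monitor, txn) for txn in log]


if __name__ == "__main__":
    print("worst case before PIN required: EUR", worst_case_exposure_eur())
    for r in run_burst_scenario():
        print("burst:", r)
    for r in run_counter_scenario():
        print("daily:", r)
```

The burst scenario shows the two layers working together: the card alone would have allowed ten small purchases, but the issuer's velocity rule blocks contactless after the third approval within the window, so a thief reaches far less than the EUR 200 worst case. The daily scenario shows the counter behaving as described: the eleventh contactless attempt is refused until a PIN-verified contact transaction resets it.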

Could a thief ‘listen’ to the information sent by my card to the terminal during a payment?
Nicolas Raffin: As we have discussed above, the distance between the card and the terminal is very limited, which makes it very difficult, if not impossible, to install any kind of ‘interception’ device able to capture the data moving from card to terminal.

Should a successful case be highlighted, it would be a simple process for law enforcement authorities to identify all the locations where fraudulent transactions were made. The fraudulent terminal would then be found and analyzed to find the recording device.

Some recent cases have been reported where mini-cameras were installed above the card keypad in gas station self-service payment terminals – and the thieves were easily located and arrested.

Could someone standing near me fraudulently carry out a transaction if my card is still in my wallet or jacket?
Nicolas Raffin: Again, the maximum reading distance is just a few centimeters, so the thief would have to get really close to you, or use an extremely big antenna powered by a very large battery. Either way, you would notice, especially if your mobile phone sends you an SMS each time a transaction is made (as described above).

Added to this, as described previously, only a limited number of transactions can be carried out before the transaction counter is blocked - thus limiting the ‘interest’ in the thief investing in the technology to do so.

Finally, from a law enforcement perspective, since the transaction time would be recorded in the bank’s system (hour, minute), and cross referenced with the precise location (metro line/station) where the fraud occurred, CCTV systems would enable easy identification of a potential suspect.

In summary, these kinds of high-tech fraud cases have been demonstrated in ‘lab conditions’ by universities and other research bodies, with access to expensive, high tech equipment and knowledge. While they are theoretically possible they are very unlikely to occur in the real world due to the technical complexity for the thief.

What kind of information would thieves be able to get by fraudulently ‘scanning’ my card, and what could be done with it?
Nicolas Raffin: In the unlikely event that a thief would take the risk to build such a complicated system, they would not be able to steal any more information than is readable by any assistant or waiter using your card in a shop or restaurant (name, card number, expiry date…).

But even this is being addressed. In the latest generation of contactless payment cards, crucial information – such as cardholder name - cannot be read in contactless mode.

As a result, the information scanned would not be enough to re-create a fake card, or to perform fraudulent web purchases. They would have none of the data requested during an online transaction - no cardholder name, no ‘clear’ information of whether it is a Visa or MasterCard card, no ‘CVV’ 3 digit security code (that appears on the back of the card).

Can contactless transactions be made by unwittingly holding a bag close to the payment terminal?
Nicolas Raffin: This is one of the many ‘urban legends’ about contactless payment that we see from time to time on the web.

First, the very short reading distance between card and terminal makes this very unlikely from a technical point of view.

Second, the payment terminal does not work alone. It must be activated by the cashier, who manually enters the amount to be paid on the keyboard, or it is automatically ‘piloted’ by the till sending the amount of the purchase to the payment terminal.

Finally, articles or blogs also report large amounts of money being taken fraudulently or accidentally from cards. This is simply not possible, as the system (card and terminal) is set to allow transactions only up to a certain amount (typically EUR 20), precisely to reduce this risk.

About Nicolas Raffin
Nicolas Raffin is a Board Member of Smart Payment Association (SPA).

Nicolas started his career with numeric photo group PhotoMe as product manager. He then joined Schlumberger Electronic Transactions (which would later become Axalto and then Gemalto) and spent ten years within the group, in different sales and marketing management roles, in various European countries. He was then hired by US retail giant Safeway Inc to co-launch and develop the continental Europe subsidiary of Blackhawk Network, a leading provider of prepaid products and services. He is currently Head of Product Marketing Payment & Transport at Oberthur Technologies. He holds a Master in Marketing and an MSc in Technology & Innovation Management.

About the Smart Payment Association
The Smart Payment Association addresses the challenges of the evolving payment ecosystem, offering leadership and expert guidance to help its members and their financial institution customers realize the opportunities of smart, secure and personalized payment systems & services both now and for the future.

More information about SPA can be found on the SPA website.

Keywords: contactless payments, SPA, Nicolas Raffin, mobile NFC payments, mobile contactless payments