How Does Contactless Payment Work?
Unlike swipe-and-signature or even chip-based cards, which exchange payment information upon insertion into a POS system, contactless payment methods such as tap-and-go cards and mobile wallets transfer financial data via near-field communication technology.
With NFC, contactless-enabled POS systems generate a small radio frequency field that powers up a smart chip embedded within the user’s credit card or smartphone; this initiates the transfer of payment information via an encrypted transaction, Business Insider reports.
While this data exchange occurs in just seconds, it can only take place when the card or phone is in very close proximity to the POS reader. “Get within about 1.5 inches of the payment device, and it will let you pay by transmitting cryptographic signals that are very secure,” explains ISACA board member Rob Clyde.
Can Contactless Payments Help Slow the Spread of COVID-19?
As government agencies continue to prioritize worker and citizen safety amid the COVID pandemic, implementing or expanding the use of contactless payment technology offers clear benefits.
“Since contactless cards don’t always require a PIN or signature, it eliminates the need for patrons to physically touch the pin pad or signature pen,” says Robert Comer, program executive officer for the Defense Commissary Agency’s Information Technology Group. DeCA is in the process of rolling out key POS upgrades, but the agency already accepts tap-and-go cards, as well as mobile wallet applications such as Apple Pay and Google Pay.
The National Park Service, which adopted contactless technology in 2017, also acknowledges the safety advantages of alternative payment methods. “Cashless transactions allow our staff to maintain social distances while collecting park fees,” says an NPS spokesperson, who added that the change contributes to safe and positive visitor experiences.
Are Contactless Payments Safe?
Despite the increased safety offered by contactless payment transactions, misconceptions about the technology cause some to question its security effectiveness. ISACA’s Clyde cites one myth in which malicious actors place wireless listening devices in a narrow hallway to capture card data as users walk by.
“None of it is true,” Clyde says. “Listening in won’t get you the information, even at the POS.” That’s because contactless payments never send a user’s actual card number over the air to the POS terminal, or over the internet to the bank or credit card company for authorization; instead, they create and send a unique, one-time token that enables secure payment.
“The only place your credit card information is known is at the bank and the credit processor,” says Clyde, explaining why the one-time token is of no use to bad actors, even if they were to intercept it.
According to Clyde, the tokenization process gives contactless payments a significant security advantage over swipe-and-signature credit cards, because “anybody with a strip reader can read that card and commit fraud.” In the case of contactless payment, he adds, “fraud processes would need to occur inside financial firms to compromise transactions.”
How to Combat the Disadvantages of Contactless Payments
Contactless payment isn’t a perfect system, though, as it is still vulnerable to physical loss or theft. Many tap-and-go card users, for example, can make purchases of up to $75 without the need for PIN entry or other authorization, exposing them to potential fraud if cards go missing. Clyde suggests that mobile wallet applications are the more secure option since smartphones are often protected by a combination of PINs, fingerprint sensors and facial recognition tools, making it harder for attackers to access card data if the device falls into the wrong hands.
There’s also the potential that hackers will develop new approaches as no-touch terminals become commonplace. “The new fraud might be pictures of your card rather than physical theft,” Clyde says, explaining that high-quality photos of card numbers and card verification values could allow cybercriminals to create NFC-enabled doppelgangers.
To combat potential threats, government agencies must adopt a due-diligence approach to data protection at the point of sale. Regulations such as the Payment Card Industry Data Security Standard (PCI DSS) also play a role in protecting consumer information, as they lay out specific rules for handling financial data.
“DeCA’s POS systems are audited annually to ensure they remain PCI compliant,” Comer says. “Maintaining PCI compliance is our best defense against experiencing a data breach. It also reassures our customers that it’s safe for them to use their credit and debit cards when shopping at a commissary.”
Examining Potential Payment Apps and Options
Beyond safety and security concerns, government agencies will need to think through a laundry list of other considerations before deploying contactless payment. For instance, agencies must identify which mobile wallet applications they’ll accept, and then register with those payment providers, BizTech reports.
On the device front, agencies can choose from either NFC-enabled POS systems or dedicated contactless payment terminals. Software selection is also important, especially for agencies that opt for the latter device type.
According to Clyde, the industry is working to standardize POS and contactless devices to prevent interoperability issues that might otherwise limit adoption. This allows federal agencies to base purchasing decisions on form factors, transaction speed and other characteristics that will contribute to the speed, safety and convenience of contactless payments, and make them a worthwhile investment long after the current crisis has passed.