Making purchases with the quick wave of a cell phone or a plastic card–rather than a swipe–in front of a reader or scanner is becoming a reality as issuers and merchants begin to show support for contactless payments.
For several years, this type of payment was considered a gas station convenience, thanks primarily to ExxonMobil Speedpass. Now some credit unions and other issuers have begun putting credit/debit cards and key-fob tokens with radio frequency-based contactless payment chips into the hands of millions of consumers. Major card companies–including American Express, MasterCard, and Visa–also have launched initiatives to offer contactless payment devices.
While embracing technological advances seems to be the right thing to do, it is also prudent to identify the associated risks and implement loss control best practices. According to Aberdeen Group (December 2006), 74% of retailers that have deployed or are considering deploying wireless retail devices do not view security as a top risk factor. With data breaches at a record high in 2007, this is very puzzling. Haven't we learned from the past? Credit unions should be careful not to fall into this trap.
To merchants, contactless payments will speed purchasing and potentially increase the average value of each purchase. Issuers believe convenience will, in effect, cause their customers to favor contactless cards over others they hold. Contactless payment is typically aimed at consumers making purchases under $25, which do not require a signature. In addition to cards and key-fobs, mobile phones are seen as another contactless wave of the future.
Financial and retail industries believe these cards will help:
-Retain customers and differentiate them from competitors;
-Increase credit and debit card transactions in traditional cash-only retail segments;
-Increase interchange fee income;
-Provide improved views of customer-buying behavior; and
-Enable new customer-facing programs and services–like loyalty programs.
As payment mechanisms shift away from cash and traditional card forms, stronger authentication methods will become increasingly critical. In addition, financial institutions that consider contactless payment methods as trendy, quirky, or meaningless to their business strategies are at risk from more agile and possibly non-traditional competitors, such as telecommunications or cellular companies.
Smart cards, meanwhile–also referred to as chip cards–are typically divided into "contact" and "contactless." Both card types have a chip containing a microcomputer. Where they differ is that contactless cards contain an antenna that broadcasts card data to the retail card reader. Although these cards are still in their infancy, it definitely is not too early to establish best practices to prevent chip card fraud.
Here are six to consider initially:
1. If a "smart" contactless card is so smart, the cardholder should be able to shut it off when not in use, or the card should shut itself down, to prevent nearby fraudsters with card readers from capturing card data. While this fraud event may be highly unlikely and the data stolen useless, there is no excuse for allowing data to be illegally captured.
2. Limit the broadcast range of contactless cards to two to three inches from a reader. This won't guarantee a fraudster can't retrieve information out of the air at a retail location, but it will likely require the consumer to take some sort of deliberate action to initiate a transaction.
3. Distribute cards in a turned-off mode to mitigate potential data theft. If the cards cannot be turned off, they should be mailed in a card carrier to shield broadcast.
4. The most compelling reason to issue a smart chip card–contactless or contact–is the ability to create dynamic security information for each transaction. This is the great differentiator from the conventional card, where static data is encoded in a magnetic stripe. Dynamic data that changes with each transaction is a feature that could possibly end the cycle of data breaches. Since each transaction is a one-time event, the information captured by fraudsters would not enable them to create a usable card, since they would not have the encryption needed to calculate valid security codes.
5. Ensure names are not printed on the cards and not stored within the chip. Most retailers don't ask for ID, so if a card were compromised, fraudsters would not have any of your personal information. That said, some issuers prefer to manufacture cards with the name imprinted and encoded in the chip to instill a sense of ownership and consumer vigilance. In this case, your system should be able to tie a numerical identifier to a secured consumer name database, so if the card is stolen or lost, the fraudster would not have access to personal information.
6. Do not forget tried-and-true best practices now in place for conventional magnetic stripe cards that can simply be exported to contactless cards. Use best practices such as fraud monitoring systems, card activation and numerous other fraud mitigation techniques.
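The per-transaction security code described in item 4, as an added example that is not from the original article: a card derives a fresh code from a secret key and a transaction counter, and the issuer declines any captured transaction that is replayed. HMAC-SHA-256, the class names, the key and the card number are assumptions chosen for illustration; the article does not name the algorithm card schemes use.

```python
import hashlib
import hmac

def dynamic_code(card_key: bytes, pan: str, counter: int) -> str:
    """Three-digit code bound to one card number and one transaction counter."""
    msg = f"{pan}|{counter}".encode()
    digest = hmac.new(card_key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1000:03d}"

class Card:
    """Hypothetical chip: the key never leaves it, only the derived code does."""
    def __init__(self, pan: str, key: bytes):
        self.pan, self._key, self.counter = pan, key, 0

    def tap(self) -> dict:
        self.counter += 1  # every tap consumes a new counter value
        return {"pan": self.pan, "counter": self.counter,
                "code": dynamic_code(self._key, self.pan, self.counter)}

class Issuer:
    """Hypothetical issuer host holding each card's key and last counter seen."""
    def __init__(self):
        self._keys, self._last_counter = {}, {}

    def enroll(self, pan: str, key: bytes) -> None:
        self._keys[pan], self._last_counter[pan] = key, 0

    def authorize(self, txn: dict) -> str:
        key = self._keys.get(txn["pan"])
        if key is None:
            return "DECLINE unknown card"
        # Counters must strictly increase; gaps are allowed for taps that
        # never reached the issuer, but a value seen before is a replay.
        if txn["counter"] <= self._last_counter[txn["pan"]]:
            return "DECLINE counter already used"
        expected = dynamic_code(key, txn["pan"], txn["counter"])
        if not hmac.compare_digest(expected, txn["code"]):
            return "DECLINE bad code"
        self._last_counter[txn["pan"]] = txn["counter"]
        return "APPROVE"

def demo() -> dict:
    pan, key = "4000000000000002", bytes(range(16))  # constructed sample values
    issuer, card = Issuer(), Card(pan, key)
    issuer.enroll(pan, key)
    captured = card.tap()  # the data an eavesdropper could record
    return {"genuine": issuer.authorize(captured),
            "replayed": issuer.authorize(dict(captured)),
            "next_tap": issuer.authorize(card.tap())}

if __name__ == "__main__":
    print(demo())
```

A static magnetic-stripe code would pass the second authorization unchanged; here the recorded values are spent as soon as the issuer has seen that counter.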
The chip contact and contactless arena is just evolving and will likely expand to include:
-Development of combined credit/debit card via a chip.
-PCs with built-in chip card readers for safer Internet transactions.
-Cell phones and key-fobs used as card transaction devices.
If your credit union is considering or has already implemented one of these cutting-edge products, don't forget the all-important risk identification, analysis and best practices framework. Risks can quickly become losses, which cannot always be reversed painlessly or quickly.
At this year's Card Processor Summit on the front-end of CUNA Mutual's Discovery Conference in Hollywood, Fla., June 18-21, we will delve deeper into best practice topics and recommendations surrounding contactless payments, prepaid family of cards and business cards.