Tap and pay cards ‘just as safe as traditional cards’
15 August 2018 | Web Article Number: ME201811162
CONTRARY to rumours doing the rounds on social media, contactless bank cards are just as secure as regular credit and debit cards.
That’s according to the South African Banking Risk Information Centre (SABRIC). “A video trending on social media may have created the incorrect impression that contactless cards are easy to exploit by criminals,” said SABRIC CEO Kalyani Pillay.
“This is simply not true. Contactless payment cards are as secure as traditional cards, and SABRIC has not received any reported crime incidents where ‘tap and go’ cards have been exploited.”
Pillay said contactless technology was introduced for the convenience of cardholders and while relatively new in South Africa, has been available in many jurisdictions for some time.
They cards can merely be tapped on a near-field communication (NFC) Point of Sale (POS) device to make certain payments, which makes them quick and easy for the card holder.
According to Pillay, stealing money by tapping a near-field communication (NFC) enabled Point of Sale (POS) device near enough to a bank clients’ card is as simple as the video suggests.
“Acquiring an NFC POS device involves a rigorous vetting process by the issuing Bank which includes the mandatory submission of Know Your Customer (KYC) documentation. In addition, Banks also monitor merchant transaction activity and conduct merchant site visits. Should any irregularities be identified, an investigation will be launched immediately.”
While collusion with a merchant could be a possible way to defraud people, this was also unlikely, said Pillay, as the proceeds of crime resulting from this modus operandi would go into a merchant’s bank account which, again, is closely monitored.
Furthermore, this payment option is only available for a predetermined number of low value transactions on any specific day, after which a PIN would be required to complete the transaction, so the financial reward associated with these transactions is low, whilst the reputational and prosecution risk to the merchant remains high.
“Stealing card data by criminals is also not a viable option, as merely holding an NFC enabled POS device close to a bank card will not provide enough information to enable fraudulent card-not-present transactions.”
Pillay said South African issued contactless cards are embedded with an RFID (Radio Frequency ID) tag, identifiable by the WiFi-type symbol, which is then read together with the cards EMV chip which is encrypted.
“Even if a criminal tapped a victim’s contactless card using an NFC POS device near in their wallet or bag, all they would get is the card number and expiry date. Neither the CVV nor the PIN number would be exposed, both of which the criminal would need to make fraudulent online purchases.
“It is unlikely that organised criminals will be targeting this capability to steal money or card data, as the reward will be insignificant compared to other modus operandi at their disposal,” said Pillay.
SABRIC is a non-profit company formed by South African banks to support the banking industry in the combating of crime. SABRIC’s clients are South African banks and major CIT companies.