Tap and go overdrawn- does offline NFC pose risk?

Contactless cards are effective, clean and fast.

Tap and go overdrawn- does offline NFC pose risk?

The technology links offline and online data to create a speedy user experience that drives sales and bolsters the UK’s image within the current payments paradigm. Franchesca Hashemi asks Howard Berg, senior vice president of Gemalto, what the risks are

The UK has gone wild for contactless payments. Shopping has been made simple, we’re told. Tap-to-pay technology – we are led to believe – is about convenience, security, and the customer experience. There are now 58 million contactless cards in circulation in the UK, which is more than any other country in Europe. During the month of March 2015, Visa Europe’s British contactless cardholders spent a record €330m ($364m), transacting a total of 52.6 million times, making it the month’s European market leader for contactless transactions. The adoption rates are steadily increasing, so how does the popular payment method work and what happens if a consumer overspends “offline”?

Howard Berg, senior vice president of Gemalto, believes that layers of virtual and physical components protect consumers:

FH: Can you explain the difference between an online and offline transaction and how banks, customers and card terminals fit into the equation?

HB: (In terms of online) a customer pops their card into the reader and enters the PIN code. The terminal will then “dial” through to the issuer for authorisation. This confirms the card has sufficient credit and hasn’t been reported as lost or stolen.

Now, this system works but it can be relatively slow. The idea of a contactless transaction basically speeds up that process for lower value transactions. Therefore rather than inserting a card you tap it on the reader, the receipt is printed and the customer walks away.
The main difference between traditional card payments and a contactless transaction is that the customer does not enter their PIN, and it is pretty much instantaneous. This is because the network is offline. Simply, ‘offline’ means the transaction is not sent for authorisation to the issuer. There are certain checks that are done on the cards by the terminal, but they are offline checks. It is not authorised.

FH: What parameters are set to ensure contactless card payments are safe?

HB: Firstly, most terminals in the UK accept contactless, however, there are some older ones that can’t. So, the issue is whether UK retailers’ card terminals accept contactless, and not whether they can transact offline or online.

Most contactless transactions are offline. However, there are two safety checks put into that. One is the value of the transaction, which is currently £20 but that will increase to £30 as of September. If a customer attempted to spend more than £30 then they would have to make contact and complete the transaction using chip and pin. This contact system will almost certainly be “online”.

The second check is within your card. The banks set a maximum number of offline transactions and/or a maximum value. This depends on the issuer, but if issuer X says that a customer can make four offline transactions, on the fifth transaction any attempts to pay by contactless card will require the card to be physically put into the reader, because the transaction needs to be completed online.

This is a safety check that makes sure everything is in order, so it mitigates the risk.

FH: And this varies from bank to bank?

HB: Every bank has a different threshold- this is done on purpose, because if the fraudsters knew what the ratio was then they could figure it out. The fact that it is different for every bank makes it more difficult to defraud.

This fraud variation method is true for debit and credit cards. For prepaid cards, the transactions must be done online, because it must be known how much money is in there.

FH: So “online” is a name given to the virtual network supported by a POS and does not necessarily apply to a specific body?

HB: Online originates from the old days when a network would be connected to a standard telephone line, so if the signal or transactions were going down the line it would be “online”. If they weren’t, they were “offline”.

In terms of the question ‘can every terminal transact offline’: the answer is yes. Interestingly, some can’t do online.

London’s tube network processes all contactless transactions offline. There are certain checks in terms of so-called hot cards (reported missing or suspect, so they register on a reader as defunct) but the TfL system is completely offline.

In most cases, card terminals have the ability to go online when required. However, as contactless transactions are all about speed, the terminals will remain offline. This works because banks know how to keep the risk under control.

FH: How long will it take for an offline transaction to appear online, so that the contactless issuer can be made aware of a recent purchase?

HB: It depends on the system, but it could be the same day and usually within a couple of hours. It also depends on the system sitting behind the contactless transaction. If it is a banks’ own terminal then the offline transaction will appear online pretty quickly.

The offline aspect essentially means that a payment is not authorised at the point of transaction. Once the transaction goes through to the bank, it will be looked at and action will be taken if necessary.

Remember, though, because these transactions are contactless they are relatively small in terms of value. They have to be under £20, so the level of risk is controlled by the size of the transaction and the number of times you can make contactless transactions.

FH: To what extent are consumers aware of the fact that contactless cards are not necessarily making an online transaction? So, for example, a customer goes into a shop thinking they have been paid the night before, makes a couple of transactions – are they covered from going into an unarranged overdraft if the account has insufficient funds?

HB: Blimey, I’ve never heard or seen statistics that suggests this is happening.

To be honest, for the consumer, it doesn’t make that much of a difference. All contactless cards are protected by the same rules as credit and debit cards. All that happens is that the issuer is making a decision whether the contactless transaction is a risk they can take. The way they look at it is after so many transactions, the card will be no good.

I suppose the argument is this: let’s say bank X sets the safety check at 5 transactions and the contactless limit has been increased to £30. That works out a £150 maximum potential loss for the bank.

For an online transaction, if someone has taken your card and found out your PIN, it is likely that more than £150 will be lost in one go. That’s why banks can afford to take that risk.

FH: Are consumers being educated to this fact? It could leave some contactless card owners very distressed if they are unaware of the technicalities surrounding contactless.

HB: When a person has their card stolen, the banks will call a customer and say we have some transactions that we want to check with you. The bank will then ask you: did you take part in this. If you say no and the fraud is identified, normally it is a bank loss opposed to consumer loss. The cardholder may be concerned and there may be a period when they don’t have a card- a few days, worst case scenario- but in most cases the loss is suffered by the banks and not the consumers. Simply because the consumer has not entered their PIN so the person has not verified it is them making the transaction.

It’s a trust transaction.

From the consumer’s perspective contactless is about speed with minimal risk, and the banks take a potential risk but it is worth it in terms of potential benefits to the overall process.

FH: What about mobile payments and Apple Pay: do they come under the same offline rules?

HB: The only difference with Apple Pay for example is that this payment method requires verification, because when you actually put your iPhone on the reader you also have to press the fingerprint pad on the device. This verification method obviously can’t be done on a card, so it has to match details stored on the iPhone. It will still be offline yet there is an authentication process, which is the consumer giving their fingerprint before the transaction is allowed.