Contactless Payments: The New WaveSecurity Leaders Discuss How to Balance Security vs. Convenience
As part of its ongoing push toward cashless payments, India is taking steps to ramp up the use of contactless payments, which are already becoming more common in Japan, South Korea, Australia, the U.K. and the U.S. (See: Securing Contactless Card Payment Transactions)
RBI is requiring card issuers to launch contactless cards and merchants to upgrade their infrastructure to accommodate them. It has created rules for securing the transactions, stressing the need to balance security and convenience (see: Move to Chip Payment Cards: Work in Progress).
In addition, the finance ministry has asked all banks to issue near-field communication-enabled contactless credit and debit cards for all customers.
Card-not-present transactions for cards issued in India, including for contactless transactions, are secured with an additional factor of authentication, such as a PIN or a dynamic one-time password (see: Card-not-Present Fraud Growth: No End in Sight).
Globally, over 1.5 billion contactless payment cards were expected to be issued by the end of 2018, accounting for 50 percent of all payment cards shipped, Visa reports.
Some 20 million Visa contactless cards have been issued in India since the effort was launched in 2015. Plus, 1 million terminals have been installed in India to handle these cards.
"Besides the significant push in building awareness, we have helped expand India's contactless acceptance infrastructure to over 1 million points," T.R. Ramachandran, Visa's group country manager, India and South Asia, says in a blog published in Business Line.
Meanwhile, the Ministry of Urban Development has launched three contactless payment pilot project that use its National Common Mobility Card contactless guidelines. These projects are run by the Bengaluru Metropolitan Transport Corporation, Kochi Metro Rail Limited and Ahmedabad Smart City, according to Nalin Bansal, vice president and Business Head, RuPay Contactless, National Payments Corporation of India .
While India is still in the early stages of making the transition to contactless, some other countries have already made substantial progress.
For example, nearly 94 percent of payment card transactions are contactless in Australia, according to Visa's Ramachandran.
U.S.-based Research and Markets reports the global contactless payments market is expected to reach a cumulative figure of $2.23 trillion worth of transactions by 2025.
North America is expected to emerge as one of the key regional markets for contactless transaction growth because of the increasing deployment of cloud-based contactless payment technologies in various verticals, such as transportation, according to Research and Markets.
The research group says Europe is expected to be another major region for contactless payments owing to the growing number of smart card rollouts. Countries in the Asia Pacific region, such as Australia, Taiwan, and Japan, have witnessed a higher penetration rate of contactless payments compared to other countries, researchers say.
Because contactless payments are still relatively new, security standards are still in development.
"We recognize the growing use of contactless technology to support payment acceptance and are currently working with the industry to develop security requirements for those environments," says Troy Leach, chief technology officer at the Payment Card Industry Security Standards Council.
PCI SSC is in the beginning stages of developing a security standard for accepting contactless payments on a merchant's commercial off-the-shelf phone or tablet.
The goal, Leach says, is to develop security requirements for solutions that enable a merchant's COTS device to accept contactless payments without the need for a dongle or other type of peripheral reader by leveraging the NFC capabilities inherent to a COTS phone or tablet.
"This includes specific criteria for how solution providers protect payment data within their offerings, as well as the test requirements for laboratories to demonstrate the effectiveness of that security," he says.
The move to contactless payments raises security concerns related to the NFC and RFID technology used, says New York-based Brandon Swafford, CISO at Webster Bank.
"In this case, many components work to secure the transaction, including the proximity of the card; it has to be very close to the reader, and that each time the card is used it generates a unique one time code for the transaction so it is very difficult to counterfeit," Swafford says.
California-based Ben Johnson, co-founder and CTO of Obsidian Security, says device-level security is of utmost importance. "Furthermore, a rogue or malicious payment system might try to compromise your personal device, or the personal device to try to compromise the payment system through contactless," he points out.
But T. Venkatachalapathi, principal architect, Ezetap Mobile Solutions Pvt. Ltd., explains in a blog post: "The NFC functions on your phone go into active mode only when you want them to. For instance, the chip will get activated only when you checkout at a retail store with contactless POS. The chip won't even work if your phone is in standby as it needs to be invoked by you."
Even if there are powerful readers placed at public places, it is not easy for those readers to copy the card information, he says. "EMV contactless cards work on a concept called load modulation. The modulation is so small that the heavy reader cannot be sensitive enough to construct the information correctly. Moreover, since NFC signals are very sensitive, they don't respond unless all the planets get aligned, which happens only at a qualified reader PCD [Proximity Coupling Device] and hence the transaction is secure."
Swafford points out that fraud detection used on the backend "are improving their speed and accuracy to prevent fraudulent transactions at the time of purchase, protecting the buyer and the seller, particularly in the contactless space."