Concerned about security, the Australian Parliament is recommending that all contactless transactions, which it defines as including Near Field Communication (NFC), default to opt out, meaning shoppers would have to proactively opt-in to use the technology.
The government’s worries about safety are detailed in a Parliament report that includes police reports that zero liability is sharply increasing contactless payment card fraud and that banks are refusing to cooperate with law enforcement. Indeed, Visa and four major Australian banks ignored parliament's inquiries, which didn't help their case.
The report—from the Parliamentary Joint Committee On Law Enforcement—interpreted contactless payments to include NFC and noted that transactions valued at fewer than $100 Australian (roughly equivalent to $70 U.S.) do not require PIN or other authentication.
Australian law enforcement "raised as an area of concern a 'significant increase' in deception offences in Victoria, arguing that new technology had enabled offenders to commit multiple low value transactions with stolen credit cards. Victoria Police argued that increased technology, lack of guardianship and the perception that credit card fraud is a victimless crime, is 'driving (deception) offences,'" the report said. "Victoria Police also argued that 'tap and go' technology provides motivation for the physical theft of credit cards, with little risk of capture by police or of physical identification."
The report pointed to zero liability policies as having the unintended effect of increasing thefts because Australian thieves—who apparently have more of a conscience than their U.S. counterparts—felt bad about stealing money from consumers, but were fine with stealing money from banks or card brands. Zero liability "is clearly advertised in conjunction with ‘Tap and Go’ technology. Widespread promotion of the Zero Liability Policy is expected to motivate offenders who are likely to see that the victim will not be at a personal loss," the report said.
This is not the first time that zero liability—which makes sure that shoppers do not suffer financially from fraudulent transactions--has been accused of unintentionally weakening security. Many retailers found that zero liability all-but-eliminated the loss of customers after a publicized breach, as well as making consumer lawsuits much less damaging—by preventing consumers from arguing that they suffered a financial loss. Combined, this has sharply undermined the retail ROI argument for spending more on security systems. Hence, in a roundabout domino-effect scenario, zero liability can make it more difficult for retailers to justify large security investments.
The report was especially critical of what it saw as a lack of cooperation between law enforcement and payments companies. The report looked at the fraud financial reserves from banks and was discomforted. "Anecdotal information from the Victoria Police Fraud & Extortion Squad and Victoria Police E-Crime Squad suggests that financial institutions factor fraudulent activity into their profit and loss margins and currently the loss associated with ‘Tap and Go’ is far outweighed by the profits generated. If losses are budgeted for, Victoria Police are likely to find it difficult to develop strategies in partnership with financial institutions to improve guardianship," the report said.
It then said that the lack of cooperation was made explicit when Visa and key banks refused to help prepare the report. "As part of a recent intelligence gathering exercise, National Australia Bank, Commonwealth Bank, ANZ, Westpac and Visa were all contacted via e-mail and/or phone for consultation during recent analysis of this issue by Victoria Police. No responses were received prior to the finalization of a recent intelligence product," the report said. "Without engagement by financial institutions, it is difficult to understand the full extent of fraudulent activity and the impact new technology and policies have on the criminal environment."
Worse, the committee noted, banks haven't given security strong enough consideration when finalizing contactless products. "Victoria Police were highly critical of the lack consultation between financial institutions and the police, especially as it relates to the introduction of new, higher risk technologies, such as contactless payment systems. Engagement with police prior to such initiatives would greatly assist in having standard practices across industry," the report said. "Simplicity of structures and processes is essential and 'bureaucracy' is often a barrier to effective joint action."
Visa and those banks ignoring the government inquiry "was not the best move ever," said Tim Sloane, vice president of payments innovation at the Mercator Advisory Group. "I think the banks made a terrible mistake by not responding to the charge."
Asked how big a deal it would be for Australian shoppers to have to opt-in to contactless and NFC payments, Sloane said that the long term impact may prove to be trivial. "The historical precedent is that it will be considered a big deal, but it will ultimately prove to be insignificant," he said, adding that the precedent he had in mind were the defaults on overdraft fees. "A general consumer that has awareness of what contactless is and therefore some concept of how it would make life easier for them will simply opt-in."
But Sloane questioned whether this opt-in tactic will even further the stated goals of the Parliamentary committee. The committee's premise is that thieves are going to aggressively steal these cards from those who are using contactless payments or NFC. But given that there is no way for the thief to know which shoppers have or have not opted in, Sloane wondered if the whole effort would prove pointless. "The bad guys don't know that I opted in unless I wear a big Band-Aid on my head. They are still going to try and take my wallet," he said.