Merchants in the U.K. that store contactless payments and process them offline in batches are opening the door for fraudsters to use cards that have been reported lost or stolen for several months after a bank cancels them.
The U.K.'s Financial Conduct Authority plans to introduce new measures to tighten the process for banks that receive reports of a stolen contactless card because 45% of contactless card transactions occur offline in the country.
An offline transaction, most common for low-value purchases, is authorized without any real-time connection to the card issuer: the terminal consults the chip in the card, which approves the payment against the limits stored on it. Online authorization, by contrast, requires the POS terminal to contact the processor for every transaction, which makes it the more expensive option, so merchants tend to approve low-value payments offline and submit them later in a batch. The security consequence is that a card the issuer has already cancelled can keep being approved offline, because the terminal never asks the issuer at the time of the tap.
“There are currently a limited set of circumstances where a card can be used by a fraudster several months after it has been canceled,” FCA chairman John Griffith-Jones stated in a letter last month to the Treasury Select Committee. “The FCA is working with the industry to address the risks that have been identified.”
The FCA plans to examine various issues in the process, including removing any responsibility on customers to identify fraudulent transactions in addition to technical enhancements that could reduce the likelihood of post-cancellation contactless fraud.
The financial services industry also needs more awareness of the Hot Card File, which contains information on more than 7.2 million U.K. cards that have been reported lost.
“Controls operated through the payment schemes, individual card issuers and the industry, are already in place to limit fraud losses or the impact when customers lose cards,” Griffith-Jones said.
Card schemes place limits on the value of each contactless transaction and the number of consecutive contactless transactions before cardholder verification is required. To avoid tipping off fraudsters, they do not disclose the number of consecutive contactless transactions allowed before a PIN is required, he added.
Card issuers have their own controls, including lower limits on the number of consecutive contactless transactions before a PIN is required, and a lower cap on total contactless spending before a PIN is required.
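The interaction the article describes, as an added toy model (not code from the article, the FCA or any card scheme): the chip approves small taps offline against limits held on the card, the terminal stores those approvals in a batch for later clearing, and only a tap that breaches a chip limit, or a terminal that has loaded the Hot Card File, brings the issuer's cancellation into play. The limit values, the placeholder PAN and the counter semantics are assumptions made for illustration; the article notes the real consecutive-tap limit is deliberately undisclosed, and real EMV risk management is more involved than this.

```python
# Toy model of why an offline contactless tap can still succeed on a cancelled
# card. Added example, not from the article; the limits below are made-up
# placeholders (the article notes that schemes do not publish the real ones).
from dataclasses import dataclass, field


@dataclass
class Issuer:
    """The bank's host: knows which cards are cancelled, but is only asked
    when a transaction goes online or when the Hot Card File is distributed."""
    cancelled: set = field(default_factory=set)
    hot_card_file: set = field(default_factory=set)

    def cancel(self, pan):
        # Cardholder reports the card lost or stolen; issuer blocks it.
        self.cancelled.add(pan)
        self.hot_card_file.add(pan)

    def authorize_online(self, pan, amount):
        return pan not in self.cancelled


@dataclass
class Card:
    pan: str
    # Issuer-personalised risk parameters held on the chip (assumed values, pence).
    tap_value_limit: int = 30_00          # largest single tap approved offline
    consecutive_tap_limit: int = 5        # taps before online/PIN is forced
    cumulative_offline_limit: int = 100_00
    consecutive_taps: int = 0
    cumulative_offline: int = 0

    def approve_offline(self, amount):
        """Chip-side decision: approve offline only while within its limits."""
        if amount > self.tap_value_limit:
            return False
        if self.consecutive_taps + 1 > self.consecutive_tap_limit:
            return False
        if self.cumulative_offline + amount > self.cumulative_offline_limit:
            return False
        self.consecutive_taps += 1
        self.cumulative_offline += amount
        return True

    def reset_after_online(self):
        # A successful online authorization resets the offline counters.
        self.consecutive_taps = 0
        self.cumulative_offline = 0


@dataclass
class Terminal:
    hot_list: set = field(default_factory=set)  # local copy of the Hot Card File
    batch: list = field(default_factory=list)   # offline approvals awaiting clearing

    def transact(self, card, issuer, amount):
        """Returns (approved, mode) with mode in 'hotlist', 'offline', 'online'."""
        if card.pan in self.hot_list:
            return False, "hotlist"
        if card.approve_offline(amount):
            self.batch.append((card.pan, amount))  # issuer hears about this later
            return True, "offline"
        approved = issuer.authorize_online(card.pan, amount)
        if approved:
            card.reset_after_online()
        return approved, "online"

    def settle_batch(self, issuer):
        """End-of-day clearing: returns the value of offline approvals that the
        issuer now discovers were made on already-cancelled cards."""
        loss = sum(amt for pan, amt in self.batch if pan in issuer.cancelled)
        self.batch.clear()
        return loss


def simulate_lost_card(taps, hot_list_distributed=False):
    """Card is cancelled before any tap. Returns (per-tap outcomes, batch loss)."""
    issuer, terminal = Issuer(), Terminal()
    card = Card(pan="4111111111111111")  # placeholder PAN, not a real card
    issuer.cancel(card.pan)
    if hot_list_distributed:
        terminal.hot_list = set(issuer.hot_card_file)
    outcomes = [terminal.transact(card, issuer, amount) for amount in taps]
    return outcomes, terminal.settle_batch(issuer)


if __name__ == "__main__":
    for approved, mode in simulate_lost_card([5_00] * 7)[0]:
        print(mode, "approved" if approved else "declined")
```

Run as-is, the first five low-value taps on the cancelled card are approved offline and only surface as a loss when the batch is settled; the sixth tap trips the consecutive-tap counter, goes online and is declined. Loading the Hot Card File onto the terminal declines every tap immediately, which is the control the article says needs wider uptake.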