PayThink

There's a contactless 'code' that heightens security risk

Register now

Adoption of contactless payments is accelerating as consumers seek safer and more sanitary ways to make purchases.

Whether they take the form of digital wallets or tappable, chip-enabled cards, contactless options enable customers to check out without touching potentially contaminated pens, cash or keypads. In the first quarter, Mastercard saw a 40% increase in contactless payments on its network, and it’s likely this usage will continue to rise.

However, the shift in consumer habits could also bring increased security risks — unless you take steps to secure your customers’ data.

Generally speaking, a contactless payment is more secure than swiping a traditional magnetic stripe card. Both magnetic stripes and contactless chips contain payment information in a particular pattern that is relatively easy for bad actors to access using a fraudulent card reader or skimmer. However, contactless cards use a cryptogram — an alphanumeric code generated upon request afterward — for each transaction to validate the card itself.

That code is shared between the point of sale (POS) device and the card’s microchip using near field communication (NFC) technology. The process is the same as when the EMV chip is dipped into an integrated chip card reader (ICCR). While validating the card itself can protect merchants from accepting fraudulent cards at the point of sale, it does not protect the actual data on the card itself from being intercepted in the POS device or other systems and applications between the cardholder and the processing networks.

The POS device is still a potential point of vulnerability, even when contactless cards are used. Many merchants only encrypt customer data once it leaves the device on its way to the processor — so-called “transmission-level encryption.” At the point where data enters the terminal’s firmware, it is still unencrypted and therefore vulnerable to theft.

You can keep your customers’ data safe during contactless transactions by adopting two additional layers of protection. Together, these precautions devalue data related to contactless payments so that even if hackers access your system, they won’t be able to use the information they find.

A global security standard established by the PCI Security Standards Council, P2PE requires the encryption of customer data at the moment it enters the POS terminal’s firmware. While not currently mandated, P2PE ensures the highest level of protection for customer data at the POS and can reduce compliance requirements by up to 90%.

Contactless payments that originate from mobile phones are often tokenized using Issuer Tokenization, which makes these transactions more secure. Contactless payments originating from the card itself don’t have this same protection. Merchants can further boost security by tokenizing all PII on their systems, from social security numbers to credit card account numbers stored as part of loyalty programs.

The average data breach in the U.S. today costs a whopping $8.6 million. While strong security protections can be an investment, they’re worth it to avoid the financial and reputational impact of compromised customer data. Consumers have adopted contactless payments to stay safe from fraudsters and physical interaction with shared POS devices — by adopting P2PE and tokenization, you can keep them safe from hackers, too.

For reprint and licensing requests for this article, click here.
Contactless payments Payment fraud Risk Digital payments Payment processing
MORE FROM PAYMENTSSOURCE