Roger Clarke's Web-Site


© Xamax Consultancy Pty Ltd,  1995-2017


Roger Clarke's 'Contactless Payment Schemes'

The Dangers of Contactless Payment:
Visa PayWave and MasterCard PayPass NFC-Chip Schemes

27 October 2010, minor updates to 17 August 2014

Roger Clarke **

© Xamax Consultancy Pty Ltd, 2010-2014

Available under an AEShareNet Free
for Education licence or a Creative Commons 'Some
Rights Reserved' licence.

This document is at http://www.rogerclarke.com/EC/CPS-12.html


Abstract

The Visa PayWave and MasterCard PayPass schemes enable anyone to use a card to make payments of up to $100, without any form of authentication such as a PIN. They are being forced on consumers, they create new risks, and the costs of fraud and error will be worn by consumers. The schemes' designs are appallingly anti-consumer, and consumers should reject them.


1. Background

Since 2009, Visa and MasterCard have been progressively adding chips to their cards that contain contactless capability, often called Near-Field Communications (NFC). This upgrades RFID technology to support two-way communications. The chip in the card is dual-function, enabling both contact-based and contactless interaction with EFTPOS terminals, as well as contact-based interaction with ATMs.

Issuers in Australia say that they are under instructions from these two companies to issue only cards that contain NFC chips. (The statement is seriously misleading, but that's what they say.) The NFC feature of the chip enables the card to converse with EFTPOS terminals over a short distance of 5-10cm, without being in physical contact with them.

The two competing offerings are Visa PayWave and MasterCard PayPass.

The schemes include security features that are claimed to protect against technical risks such as rogue terminals and double-charging of the same transaction. However, at least some technical risks remain, such as NFC-readers close to EFTPOS terminals, and hidden devices installed in places where people's wallets and purses are likely to be.

Much greater risks arise when a consumer's card is stolen or lost, and especially if it is borrowed without the consumer realising that has happened. These cards can be used, by anyone, for multiple transactions up to $100 at a time, without any form of authentication.

These schemes are being forced on consumers, they create new risks, and the costs of fraud and error will be worn by consumers - not by banks or merchants, and certainly not by Visa or MasterCard. The following explains why the problem is so serious.


2. Problems with These Contactless Payment Schemes

(1) The NFC chip feature comes switched on, and can't be switched off. The consumer has no choice - the card simply comes with the functionality. The companies deem the consumer to have consented. They achieved this simply by changing the Terms that are imposed on cardholders.

(2) For transactions up to $100, no authentication is performed of the authority of the person to use the card (i.e. no signature, no PIN). This is the case whether you're borrowing money in a credit-card transaction, or taking the money directly out of your bank account in a debit-card transaction. The original assurances were that the limit on unauthenticated transactions would be about $25-$35.

(3) Transactions may or may not involve visual notification to the cardholder, who may or may not notice any such display.

(4) Transactions may or may not require some form of confirmation step. Most commonly, they do not.

(5) A receipt may be offered, or it may have to be requested.

(6) Consumers are being encouraged to do large numbers of transactions this way, which makes credit-card statements and bank statements very long.

(7) The vast majority of people will never discover when rogue transactions have occurred. The reasons why that's so are listed below.

(8) When a consumer discovers a suspect transaction, they have to go through a process to try to get the money credited back, but have very little information available to them, and of course no evidence.

(9) Banks actively try to discourage applicants, e.g. by saying it will take 60 days to investigate, and by requiring a signed document by fax or post.

(10) Banks authorise themselves to refuse applications for refund, by including in their Terms such obligations on the card-holder as to "exercise vigilant care", to "immediately notify" if a card is missing, and enabling refusal if the card-holder has "reported two or more incidents of unauthorised use in the preceding 12 months", or even if the account is not "in good standing".

(11) The protections that exist are not enshrined in law, but merely in the card-issuer's Terms, backed by a mere 'Code of Conduct', which may or may not help the consumer.

Because all cards are issued with chips with NFC capability, it appears to be impossible to acquire a new credit-card or debit-card that does not carry these risks to consumers.

This is an appallingly anti-consumer arrangement, which transfers losses from fraud and error from merchants to consumers.


3. Why Most Fraud and Errors will be at the Consumer's Cost

For a card-holder to take advantage of the card-issuer's offer to reimburse loss, the following has to happen:

(a) The consumer has to discover that one or more transactions have occurred for which they deny responsibility

(b) In practice, that means that they have to reconcile their statements, and do so within whatever 'statute of limitations' the card-issuer imposes on them - currently probably 60 days

(c) In order to reconcile, they need something to reconcile against. But for a great many small transactions a receipt has to be requested. And there are disincentives, such as:

(d) In order to have the energy to reconcile, the consumer has to overcome the disincentives, including:

For the above reasons, it's likely that only a very small proportion of fraudulent transactions will ever be discovered.
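The reconciliation described in steps (a) to (d) is the only point at which a cardholder can detect a rogue or duplicated sub-$100 transaction, so it is worth seeing what the check actually involves. The following is an added example, not code from the original page or from any card issuer: it matches a card statement against the receipts the cardholder kept, flags the statement lines no receipt explains, and reports whether each is still inside the issuer's dispute window. The statement lines and receipts are constructed, and the assumption that the statement exposes an "authenticated" flag (PIN or signature recorded) is a hypothetical one made for illustration.

```python
"""Reconcile a card statement against retained receipts and flag the
unexplained lines that fit the unauthenticated contactless profile.

Added example; statement, receipts and the `authenticated` flag are
constructed for illustration and are not from any real issuer."""
from dataclasses import dataclass
from datetime import date

CONTACTLESS_LIMIT = 100.00   # ceiling for PIN-less transactions stated on the page
DISPUTE_WINDOW_DAYS = 60     # the page's "currently probably 60 days"


@dataclass(frozen=True)
class Txn:
    posted: date
    merchant: str
    amount: float
    authenticated: bool  # assumption: issuer records whether PIN/signature was used


# Constructed statement lines (amounts in dollars).
STATEMENT = [
    Txn(date(2014, 6, 2), "CAFE A", 4.50, False),
    Txn(date(2014, 6, 3), "SUPERMARKET B", 87.20, False),
    Txn(date(2014, 6, 3), "SUPERMARKET B", 87.20, False),   # double-charged
    Txn(date(2014, 6, 5), "ELECTRONICS C", 349.00, True),   # over the limit, PIN used
    Txn(date(2014, 6, 9), "SERVO D", 99.95, False),         # no receipt kept
]

# Constructed receipts the cardholder kept: (date, merchant, amount).
RECEIPTS = [
    (date(2014, 6, 2), "CAFE A", 4.50),
    (date(2014, 6, 3), "SUPERMARKET B", 87.20),
    (date(2014, 6, 5), "ELECTRONICS C", 349.00),
]


def reconcile(statement, receipts, tolerance_days=2):
    """Match each statement line to one unused receipt with the same merchant
    and amount, posted within tolerance_days of the receipt date. Each receipt
    explains at most one line, so a double-charge leaves one line unmatched.
    Returns the statement lines that no receipt explains, in statement order."""
    unused = list(receipts)
    unmatched = []
    for t in statement:
        hit = None
        for r in unused:
            r_date, r_merchant, r_amount = r
            if (r_merchant == t.merchant
                    and abs(r_amount - t.amount) < 0.005
                    and abs((t.posted - r_date).days) <= tolerance_days):
                hit = r
                break
        if hit is None:
            unmatched.append(t)
        else:
            unused.remove(hit)
    return unmatched


def classify(unmatched, today):
    """Tag each unexplained line. Lines that are unauthenticated and at or
    under the limit are the contactless exposure; days_left shows how much
    of the dispute window remains (negative means the window has closed)."""
    out = []
    for t in unmatched:
        days_left = DISPUTE_WINDOW_DAYS - (today - t.posted).days
        out.append({
            "txn": t,
            "contactless_profile": (not t.authenticated) and t.amount <= CONTACTLESS_LIMIT,
            "days_left": days_left,
            "disputable": days_left > 0,
        })
    return out


def audit(statement, receipts, today_iso):
    """Run the whole check for a given reconciliation date (ISO string)."""
    return classify(reconcile(statement, receipts), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for row in audit(STATEMENT, RECEIPTS, "2014-07-31"):
        t = row["txn"]
        print(f"{t.posted} {t.merchant:14} {t.amount:7.2f} "
              f"contactless={row['contactless_profile']} days_left={row['days_left']}")
```

Run against the constructed data, the audit flags the second SUPERMARKET B posting (the double-charge) and the SERVO D line (no receipt), both fitting the unauthenticated sub-$100 profile. Reconciling on 31 July 2014 leaves 2 and 8 days of the 60-day window respectively; reconciling a fortnight later leaves nothing disputable, which is the page's point about why late or infrequent reconciliation puts the loss on the consumer.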

That in turn will embolden the crims, creating a non-virtuous cycle of 'tried, didn't get caught, try some more', which in turn invites conversion from small-time criminality to organised-crime racket.


4. The Code of Conduct - which may or may not help

Until 2012:

The EFTS Code of Conduct (final version, July 2012), which has provided consumer protection for many forms of electronic payment for 20 years.

From 2013:

The ePayments Code, which will supersede the EFTS Code with effect from 20 March 2013.


Author Affiliations

Roger Clarke is Principal of Xamax Consultancy Pty Ltd, Canberra. He is also a Visiting Professor in the Cyberspace Law & Policy Centre at the University of N.S.W., and a Visiting Professor in the Research School of Computer Science at the Australian National University.



The content and infrastructure for these community service pages are provided by Roger Clarke through his consultancy company, Xamax.

From the site's beginnings in August 1994 until February 2009, the infrastructure was provided by the Australian National University. During that time, the site accumulated close to 30 million hits. It passed 50 million in early 2015.

Sponsored by Bunhybee Grasslands, the extended Clarke Family, Knights of the Spatchcock and their drummer
Xamax Consultancy Pty Ltd
ACN: 002 360 456
78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916

Created: 27 October 2010 - Last Amended: 17 August 2014 by Roger Clarke - Site Last Verified: 15 February 2009