Contactless cards are effective, clean and fast – the technology links offline and online data to create a speedy user experience that drives sales and bolsters the UK’s image within the current payments paradigm. Franchesca Hashemi asks Howard Berg, senior vice president of Gemalto, what the risks are

The UK has gone wild for contactless payments. Shopping has been made simple, we’re told. Tap-to-pay technology – we are led to believe – is about convenience, security, and the customer experience. There are now 58 million contactless cards in circulation in the UK, which is more than any other country in Europe. During the month of March 2015, Visa Europe’s British contactless cardholders spent a record €330m ($364m), transacting a total of 52.6 million times, making it the month’s European market leader for contactless transactions. The adoption rates are steadily increasing, so how does the popular payment method work and what happens if a consumer overspends "offline"?

Howard Berg, senior vice president of Gemalto, believes that layers of virtual and physical components protect consumers:

FH: Can you explain the difference between an online and offline transaction and how banks, customers and card terminals fit into the equation?

HB: (In terms of online) a customer pops their card into the reader and enters the PIN code. The terminal will then "dial" through to the issuer for authorisation. This confirms the card has sufficient credit and hasn’t been reported as lost or stolen.

Now, this system works but it can be relatively slow. The idea of a contactless transaction basically speeds up that process for lower value transactions. Therefore rather than inserting a card you tap it on the reader, the receipt is printed and the customer walks away.
The main difference between traditional card payments and a contactless transaction is that the customer does not enter their PIN, and it is pretty much instantaneous. This is because the network is offline. Simply, ‘offline’ means the transaction is not sent for authorisation to the issuer. There are certain checks that are done on the cards by the terminal, but they are offline checks. It is not authorised.

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

View profiles in store

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData

Submit

UK USA Afghanistan Åland Islands Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bonaire, Sint Eustatius and Saba Bosnia and Herzegovina Botswana Bouvet Island Brazil British Indian Ocean Territory Brunei Darussalam Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos Islands Colombia Comoros Congo Democratic Republic of the Congo Cook Islands Costa Rica Côte d"Ivoire Croatia Cuba Curaçao Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Finland France French Guiana French Polynesia French Southern Territories Gabon Gambia Georgia Germany Ghana Gibraltar Greece Greenland Grenada Guadeloupe Guam Guatemala Guernsey Guinea Guinea-Bissau Guyana Haiti Heard Island and McDonald Islands Holy See Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Isle of Man Israel Italy Jamaica Japan Jersey Jordan Kazakhstan Kenya Kiribati North Korea South Korea Kuwait Kyrgyzstan Lao Latvia Lebanon Lesotho Liberia Libyan Arab Jamahiriya Liechtenstein Lithuania Luxembourg Macao Macedonia, The Former Yugoslav Republic of Madagascar Malawi Malaysia Maldives Mali Malta Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia Moldova Monaco Mongolia Montenegro Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island Northern Mariana Islands Norway Oman Pakistan Palau Palestinian Territory Panama Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Réunion Romania Russian Federation Rwanda Saint Helena, Ascension and Tristan da Cunha Saint Kitts and Nevis Saint Lucia Saint Pierre and Miquelon Saint Vincent and The Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Serbia Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Georgia and The South Sandwich Islands Spain Sri Lanka Sudan Suriname Svalbard and Jan Mayen Swaziland Sweden Switzerland Syrian Arab Republic Taiwan Tajikistan Tanzania Thailand Timor-Leste Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu Uganda Ukraine United Arab Emirates US Minor Outlying Islands Uruguay Uzbekistan Vanuatu Venezuela Vietnam British Virgin Islands US Virgin Islands Wallis and Futuna Western Sahara Yemen Zambia Zimbabwe Kosovo

Industry * Academia & Education Aerospace, Defense & Security Agriculture Asset Management Automotive Banking & Payments Chemicals Construction Consumer Foodservice Government, trade bodies and NGOs Health & Fitness Hospitals & Healthcare HR, Staffing & Recruitment Insurance Investment Banking Legal Services Management Consulting Marketing & Advertising Media & Publishing Medical Devices Mining Oil & Gas Packaging Pharmaceuticals Power & Utilities Private Equity Real Estate Retail Sport Technology Telecom Transportation & Logistics Travel, Tourism & Hospitality Venture Capital

Tick here to opt out of curated industry news, reports, and event updates from Electronic Payments International.

Submit and download

Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

FH: What parameters are set to ensure contactless card payments are safe?

HB: Firstly, most terminals in the UK accept contactless, however, there are some older ones that can’t. So, the issue is whether UK retailers’ card terminals accept contactless, and not whether they can transact offline or online.

Most contactless transactions are offline. However, there are two safety checks put into that. One is the value of the transaction, which is currently £20 but that will increase to £30 as of September. If a customer attempted to spend more than £30 then they would have to make contact and complete the transaction using chip and pin. This contact system will almost certainly be "online".

The second check is within your card. The banks set a maximum number of offline transactions and/or a maximum value. This depends on the issuer, but if issuer X says that a customer can make four offline transactions, on the fifth transaction any attempts to pay by contactless card will require the card to be physically put into the reader, because the transaction needs to be completed online.

This is a safety check that makes sure everything is in order, so it mitigates the risk.

FH: And this varies from bank to bank?

HB: Every bank has a different threshold- this is done on purpose, because if the fraudsters knew what the ratio was then they could figure it out. The fact that it is different for every bank makes it more difficult to defraud.

This fraud variation method is true for debit and credit cards. For prepaid cards, the transactions must be done online, because it must be known how much money is in there.

FH: So "online" is a name given to the virtual network supported by a POS and does not necessarily apply to a specific body?

HB: Online originates from the old days when a network would be connected to a standard telephone line, so if the signal or transactions were going down the line it would be "online". If they weren’t, they were "offline".

In terms of the question ‘can every terminal transact offline’: the answer is yes. Interestingly, some can’t do online.

London’s tube network processes all contactless transactions offline. There are certain checks in terms of so-called hot cards (reported missing or suspect, so they register on a reader as defunct) but the TfL system is completely offline.

In most cases, card terminals have the ability to go online when required. However, as contactless transactions are all about speed, the terminals will remain offline. This works because banks know how to keep the risk under control.

FH: How long will it take for an offline transaction to appear online, so that the contactless issuer can be made aware of a recent purchase?

HB: It depends on the system, but it could be the same day and usually within a couple of hours. It also depends on the system sitting behind the contactless transaction. If it is a banks’ own terminal then the offline transaction will appear online pretty quickly.

The offline aspect essentially means that a payment is not authorised at the point of transaction. Once the transaction goes through to the bank, it will be looked at and action will be taken if necessary.

Remember, though, because these transactions are contactless they are relatively small in terms of value. They have to be under £20, so the level of risk is controlled by the size of the transaction and the number of times you can make contactless transactions.

FH: To what extent are consumers aware of the fact that contactless cards are not necessarily making an online transaction? So, for example, a customer goes into a shop thinking they have been paid the night before, makes a couple of transactions – are they covered from going into an unarranged overdraft if the account has insufficient funds?

HB: Blimey, I’ve never heard or seen statistics that suggests this is happening.

To be honest, for the consumer, it doesn’t make that much of a difference. All contactless cards are protected by the same rules as credit and debit cards. All that happens is that the issuer is making a decision whether the contactless transaction is a risk they can take. The way they look at it is after so many transactions, the card will be no good.

I suppose the argument is this: let’s say bank X sets the safety check at 5 transactions and the contactless limit has been increased to £30. That works out a £150 maximum potential loss for the bank.

For an online transaction, if someone has taken your card and found out your PIN, it is likely that more than £150 will be lost in one go. That’s why banks can afford to take that risk.

FH: Are consumers being educated to this fact? It could leave some contactless card owners very distressed if they are unaware of the technicalities surrounding contactless.

HB: When a person has their card stolen, the banks will call a customer and say we have some transactions that we want to check with you. The bank will then ask you: did you take part in this. If you say no and the fraud is identified, normally it is a bank loss opposed to consumer loss. The cardholder may be concerned and there may be a period when they don’t have a card- a few days, worst case scenario- but in most cases the loss is suffered by the banks and not the consumers. Simply because the consumer has not entered their PIN so the person has not verified it is them making the transaction.

It’s a trust transaction.

From the consumer’s perspective contactless is about speed with minimal risk, and the banks take a potential risk but it is worth it in terms of potential benefits to the overall process.

FH: What about mobile payments and Apple Pay: do they come under the same offline rules?

HB: The only difference with Apple Pay for example is that this payment method requires verification, because when you actually put your iPhone on the reader you also have to press the fingerprint pad on the device. This verification method obviously can’t be done on a card, so it has to match details stored on the iPhone. It will still be offline yet there is an authentication process, which is the consumer giving their fingerprint before the transaction is allowed.

The Industry’s Perspective: Offline and Online

The Bank
In June 2015, Lloyds Bank customers made around half a million contactless transactions per day. EPI asked the bank’s spokesperson whether customers are aware that contactless cards nearly always transact offline, and therefore to be vigilant in checking their account has sufficient funds when paying by contactless:"The ability to carry out a transaction offline isn’t specific to contactless, and can occur where a PIN is entered too.

"We encourage customers to regularly view their accounts to ensure they have enough money to make a payment, no matter what form this payment takes, whether it is contactless, chip & PIN or a direct debit."

In terms of the contactless technicalities, Lloyds’ spokesperson agreed that industry parameters alongside institution-specific checks ensure a safe payment experience: "Customers have to abide by the current contactless limits set by the industry, and in addition we have our own limits to ensure that contactless cards are being used in a safe way, which are based on the number and value of transactions. Should a customer exceed these limits, they will trigger a request for the card to be presented as a normal chip & PIN transaction."

The Industry’s Representative Voice
EPI then sought a nationwide consensus on the matter. The UK Cards Association warned that consumers must first meet financial requirements before a contactless card is issued. Any overspends as a result of the offline network, a spokesperson for the UK Cards Association reasoned, will be covered by the same rules as an online transaction: "Banks will only issue customers with a contactless card when they meet the required risk criteria. For example those customers who have a basic bank account, where overdrafts are not offered, or are under the age of 18, are normally restricted from having a contactless card."

The Card Issuer
The final industry voice, cards giant Visa Europe, agreed that it is up to the bank whether consumers are offered cards that have the ability to transact offline.

For the twelve months up to July 2014, Visa’s European contactless cardholders spent a record €12.6bn and used the payment method a total of 1.1 billion times.

Visa’s spokesperson went on to reference creditworthiness as a key consideration for banks that issue contactless cards.

"By contrast, all Visa prepaid cards are online-only (with no offline capability), since overspend is not permitted on these products. Visa contactless tags, wearables and mobile NFC implementations are virtually all online-only, too.

"In general, the industry is moving towards online for all contactless transactions. Today in Spain and the Netherlands there is no offline authorisation – everything is online processed."