Contactless cards are effective, clean and fast – the technology links offline and online data to create a speedy user experience that drives sales and bolsters the UK’s image within the current payments paradigm. Franchesca Hashemi asks Howard Berg, senior vice president of Gemalto, what the risks are
The UK has gone wild for contactless payments. Shopping has been made simple, we’re told. Tap-to-pay technology – we are led to believe – is about convenience, security, and the customer experience. There are now 58 million contactless cards in circulation in the UK, which is more than any other country in Europe. During the month of March 2015, Visa Europe’s British contactless cardholders spent a record 330m ($364m), transacting a total of 52.6 million times, making it the month’s European market leader for contactless transactions. The adoption rates are steadily increasing, so how does the popular payment method work and what happens if a consumer overspends "offline"?
Howard Berg, senior vice president of Gemalto, believes that layers of virtual and physical components protect consumers:
FH: Can you explain the difference between an online and offline transaction and how banks, customers and card terminals fit into the equation?
HB: (In terms of online) a customer pops their card into the reader and enters the PIN code. The terminal will then "dial" through to the issuer for authorisation. This confirms the card has sufficient credit and hasn’t been reported as lost or stolen.
Now, this system works but it can be relatively slow. The idea of a contactless transaction basically speeds up that process for lower value transactions. Therefore rather than inserting a card you tap it on the reader, the receipt is printed and the customer walks away.
The main difference between traditional card payments and a contactless transaction is that the customer does not enter their PIN, and it is pretty much instantaneous. This is because the network is offline. Simply, ‘offline’ means the transaction is not sent for authorisation to the issuer. There are certain checks that are done on the cards by the terminal, but they are offline checks. It is not authorised.
How well do you really know your competitors?
Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.
Thank you!
Your download email will arrive shortly
Not ready to buy yet? Download a free sample
We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form
By GlobalDataFH: What parameters are set to ensure contactless card payments are safe?
HB: Firstly, most terminals in the UK accept contactless, however, there are some older ones that can’t. So, the issue is whether UK retailers’ card terminals accept contactless, and not whether they can transact offline or online.
Most contactless transactions are offline. However, there are two safety checks put into that. One is the value of the transaction, which is currently £20 but that will increase to £30 as of September. If a customer attempted to spend more than £30 then they would have to make contact and complete the transaction using chip and pin. This contact system will almost certainly be "online".
The second check is within your card. The banks set a maximum number of offline transactions and/or a maximum value. This depends on the issuer, but if issuer X says that a customer can make four offline transactions, on the fifth transaction any attempts to pay by contactless card will require the card to be physically put into the reader, because the transaction needs to be completed online.
This is a safety check that makes sure everything is in order, so it mitigates the risk.
FH: And this varies from bank to bank?
HB: Every bank has a different threshold- this is done on purpose, because if the fraudsters knew what the ratio was then they could figure it out. The fact that it is different for every bank makes it more difficult to defraud.
This fraud variation method is true for debit and credit cards. For prepaid cards, the transactions must be done online, because it must be known how much money is in there.
FH: So "online" is a name given to the virtual network supported by a POS and does not necessarily apply to a specific body?
HB: Online originates from the old days when a network would be connected to a standard telephone line, so if the signal or transactions were going down the line it would be "online". If they weren’t, they were "offline".
In terms of the question ‘can every terminal transact offline’: the answer is yes. Interestingly, some can’t do online.
London’s tube network processes all contactless transactions offline. There are certain checks in terms of so-called hot cards (reported missing or suspect, so they register on a reader as defunct) but the TfL system is completely offline.
In most cases, card terminals have the ability to go online when required. However, as contactless transactions are all about speed, the terminals will remain offline. This works because banks know how to keep the risk under control.
FH: How long will it take for an offline transaction to appear online, so that the contactless issuer can be made aware of a recent purchase?
HB: It depends on the system, but it could be the same day and usually within a couple of hours. It also depends on the system sitting behind the contactless transaction. If it is a banks’ own terminal then the offline transaction will appear online pretty quickly.
The offline aspect essentially means that a payment is not authorised at the point of transaction. Once the transaction goes through to the bank, it will be looked at and action will be taken if necessary.
Remember, though, because these transactions are contactless they are relatively small in terms of value. They have to be under £20, so the level of risk is controlled by the size of the transaction and the number of times you can make contactless transactions.
FH: To what extent are consumers aware of the fact that contactless cards are not necessarily making an online transaction? So, for example, a customer goes into a shop thinking they have been paid the night before, makes a couple of transactions – are they covered from going into an unarranged overdraft if the account has insufficient funds?
HB: Blimey, I’ve never heard or seen statistics that suggests this is happening.
To be honest, for the consumer, it doesn’t make that much of a difference. All contactless cards are protected by the same rules as credit and debit cards. All that happens is that the issuer is making a decision whether the contactless transaction is a risk they can take. The way they look at it is after so many transactions, the card will be no good.
I suppose the argument is this: let’s say bank X sets the safety check at 5 transactions and the contactless limit has been increased to £30. That works out a £150 maximum potential loss for the bank.
For an online transaction, if someone has taken your card and found out your PIN, it is likely that more than £150 will be lost in one go. That’s why banks can afford to take that risk.
FH: Are consumers being educated to this fact? It could leave some contactless card owners very distressed if they are unaware of the technicalities surrounding contactless.
HB: When a person has their card stolen, the banks will call a customer and say we have some transactions that we want to check with you. The bank will then ask you: did you take part in this. If you say no and the fraud is identified, normally it is a bank loss opposed to consumer loss. The cardholder may be concerned and there may be a period when they don’t have a card- a few days, worst case scenario- but in most cases the loss is suffered by the banks and not the consumers. Simply because the consumer has not entered their PIN so the person has not verified it is them making the transaction.
It’s a trust transaction.
From the consumer’s perspective contactless is about speed with minimal risk, and the banks take a potential risk but it is worth it in terms of potential benefits to the overall process.
FH: What about mobile payments and Apple Pay: do they come under the same offline rules?
HB: The only difference with Apple Pay for example is that this payment method requires verification, because when you actually put your iPhone on the reader you also have to press the fingerprint pad on the device. This verification method obviously can’t be done on a card, so it has to match details stored on the iPhone. It will still be offline yet there is an authentication process, which is the consumer giving their fingerprint before the transaction is allowed.
The Industry’s Perspective: Offline and Online
The Bank
In June 2015, Lloyds Bank customers made around half a million contactless transactions per day. EPI asked the bank’s spokesperson whether customers are aware that contactless cards nearly always transact offline, and therefore to be vigilant in checking their account has sufficient funds when paying by contactless:"The ability to carry out a transaction offline isn’t specific to contactless, and can occur where a PIN is entered too.
"We encourage customers to regularly view their accounts to ensure they have enough money to make a payment, no matter what form this payment takes, whether it is contactless, chip & PIN or a direct debit."
In terms of the contactless technicalities, Lloyds’ spokesperson agreed that industry parameters alongside institution-specific checks ensure a safe payment experience: "Customers have to abide by the current contactless limits set by the industry, and in addition we have our own limits to ensure that contactless cards are being used in a safe way, which are based on the number and value of transactions. Should a customer exceed these limits, they will trigger a request for the card to be presented as a normal chip & PIN transaction."
The Industry’s Representative Voice
EPI then sought a nationwide consensus on the matter. The UK Cards Association warned that consumers must first meet financial requirements before a contactless card is issued. Any overspends as a result of the offline network, a spokesperson for the UK Cards Association reasoned, will be covered by the same rules as an online transaction: "Banks will only issue customers with a contactless card when they meet the required risk criteria. For example those customers who have a basic bank account, where overdrafts are not offered, or are under the age of 18, are normally restricted from having a contactless card."
The Card Issuer
The final industry voice, cards giant Visa Europe, agreed that it is up to the bank whether consumers are offered cards that have the ability to transact offline.
For the twelve months up to July 2014, Visa’s European contactless cardholders spent a record 12.6bn and used the payment method a total of 1.1 billion times.
Visa’s spokesperson went on to reference creditworthiness as a key consideration for banks that issue contactless cards.
"By contrast, all Visa prepaid cards are online-only (with no offline capability), since overspend is not permitted on these products. Visa contactless tags, wearables and mobile NFC implementations are virtually all online-only, too.
"In general, the industry is moving towards online for all contactless transactions. Today in Spain and the Netherlands there is no offline authorisation – everything is online processed."