UK regulator calls for banks to tighten cancellation processes for stolen contactless cards

The UK’s Financial Conduct Authority (FCA) has set out a series of measures it plans to undertake in order to tighten the processes banks undergo when a customer reports a stolen contactless card, which currently allow — in a “limited set of circumstances” — for a stolen contactless card to be misused by fraudsters “several months after it has been cancelled”.

The key risk to customers occurs when merchants process payments offline and store them in a batch to process later on, FCA chair John Griffith-Jones explains in a letter to the Treasury Select Committee published this week. At present, around 45% of contactless card transactions occur offline.

“There are currently a limited set of circumstances where a card can be used by a fraudster several months after it has been cancelled,” he writes. “The FCA is working with industry to address the risks that have been identified.”

The FCA says it will explore the following issues:

  • Removing any onus on customers to identify fraudulent transactions;
  • Technical enhancements to reduce the likelihood of post-cancellation contactless fraud;
  • Making the option of having a non-contactless card more visible during card issuing;
  • Improving customer communications at the time of cancellation;
  • Providing clarity to customers on the clearing times for contactless payments;
  • Raising awareness of the industry Hot Card File, which contains information on over 7.2m UK cards which have been reported lost.

There are already “a number of controls in place, operated by payment schemes, individual card issuers and the industry, which work to limit fraud losses or the impact on customers when losses do occur,” Griffith-Jones continues.

“Card schemes place limits on the value of each contactless transaction and the number of consecutive contactless transactions before cardholder verification is required — the number of consecutive contactless transactions allowed before a PIN is required is not public to avoid tipping off fraudsters.

“In addition to these controls, both Visa and Mastercard have a lower cap on the value of transactions that are allowed to be processed offline. In addition to these controls, card issuers have their own controls — these include lower limits on the number of consecutive contactless transactions before a PIN is required, and a lower cap on total contactless spending before a PIN is required.”

  • William Hugh Murray, CISSP

    One of the reasons for using “chip and PIN” is to resist the use of lost or stolen cards in offline applications. Because more transactions take place offline in Europe than in the US, chip and PIN is more popular there than in the US.

    Contactless cards speed up transactions while PINs slow them down. Enough said?