Thursday 27 April 2017

    Visa and American Express to strengthen security for stolen contactless cards

    FRAUD PREVENTION: Visa and American Express are to review their security processes

    Visa is to bring all of its contactless transactions online this year across 10 European countries to give consumers “more control over their accounts” following calls from the UK’s Financial Conduct Authority (FCA) for banks to tighten the processes they undergo when a customer reports a stolen contactless card. American Express is also “reviewing options” to ensure those who cancel their cards are protected against contactless fraud.

    The security processes in place today when a customer reports a stolen contactless card allow — in a “limited set of circumstances” — for the card to be misused by fraudsters “several months after it has been cancelled,” FCA chair John Griffith-Jones wrote in a letter to the Treasury Select Committee published last month.

    The key risk to customers occurs when merchants process payments offline and store them in a batch to process later on, Griffith-Jones explained. At present, around 45% of contactless card transactions occur offline.

    Consumer control

    “Visa is bringing all contactless transactions online this year in 10 European countries including the UK, with more markets to follow next year,” Visa said in a statement sent to NFC World. “By doing this, we are giving consumers more control over their accounts as they will have up-to-date information on their spending while also making it easier to immediately stop all transactions on a card if it is compromised.”

    “American Express takes all types of card fraud very seriously and is currently reviewing options — including a zero floor limit — to ensure those who cancel their cards are protected against contactless fraud,” American Express told NFC World. “We’d like to reassure cardmembers and those who cancel their cards that they would not be held liable for fraudulent transactions on their cards.”

    The FCA set out last month a series of measures it plans to undertake in order to tighten the processes banks undergo when a customer reports a stolen contactless card. These include removing the dependency on customers to identify fraudulent transactions, improving customer communications at the time of cancellation and providing clarity to customers on the clearing times for contactless payments.

    • William Hugh Murray, CISSP

      There will always be some contention between convenience and security but it is shrinking. The Internet has dramatically reduced the cost of persistent connectivity. It is good to see Visa taking advantage of it.

      That said, even “smart cards” are relatively dumb when compared to mobiles. Cards will always be more vulnerable than mobiles.

    • William Hugh Murray, CISSP

      In the US we are too poor to have contactless EMV. Our problem is that all of our cards, EMV, contactless, and others have the credit card account number in the clear on a magnetic stripe. The sole protection that we have to protect against fraudulent use of lost or stolen cards is online checking against the list of cards reported lost or stolen.

      It is already too late for contactless EMV here. We will go mobile, i.e., card-less. (My cards are all in a drawer.)

    • Eugene Lishak

      Offline transactions and batch processing – this is how contactless open-loop ticketing is currently working. It should not. Here an alternative approach is discussed, fraud-less and fast: https://wwopenfare.com/
