Subscribe

Sabric allays fears about tap-and-go risks

Sibahle Malinga
By Sibahle Malinga, ITWeb senior news journalist.
Johannesburg, 14 Aug 2018
Stealing money by tapping a POS device near a consumer's bank card is highly unlikely, says Sabric.
Stealing money by tapping a POS device near a consumer's bank card is highly unlikely, says Sabric.

The South African Banking Risk Information Centre (Sabric) has dispelled circulating myths about the risks of contactless bank cards, or the tap-and-go feature, in the wake of a video that has been doing the rounds on social media.

Last week, a YouTube video, produced by multimedia company Virgo, went viral on social media, purporting to show how easy it is to perpetrate contactless card theft. It showed a consumer reading a magazine inside a retail store and in a few seconds someone approaches him from behind and taps a near-field communication (NFC)-enabled point-of-sale (POS) device on the consumer's pocket to instantly extract funds from his contactless card.

The video sparked much concern from South Africans, with many consumers questioning the safety of the tap-and-go bank cards.

However, Sabric has allayed these fears by saying the contactless cards will not make consumers more vulnerable to having their bank accounts illegitimately accessed.

"A video trending on social media may have created the incorrect impression that contactless cards are easy to exploit by criminals," says Kalyani Pillay, CEO of Sabric.

"This is simply not true. Contactless payment cards are as secure as traditional cards, and Sabric has not received any reported crime incidents where tap-and-go cards have been exploited."

South African-issued contactless cards are embedded with a radio frequency ID tag, identifiable by the WiFi-type symbol, which is then read together with the card's encrypted Europay, MasterCard or Visa chip.

Sabric says stealing money by tapping a NFC-enabled POS device near a client's card is unlikely, as acquiring the POS device involves a rigorous vetting process by the issuing bank, which includes the mandatory submission of 'Know-Your-Customer' documentation.

While collusion with a merchant could be a possible way to defraud people, the banking association says this is also unlikely, as the proceeds of crime resulting from this specific modus operandi would go into a merchant's bank account which, again, is closely monitored.

Furthermore, this payment option is only available for a predetermined number of low value transactions (generally less than R500) on any specific day, after which a PIN would be required to complete the transaction, so the financial reward associated with these transactions is low, while the reputational and prosecution risk to the merchant or criminal remains high, it adds.

"It is unlikely that organised criminals will be targeting this capability to steal money or card data, as the reward will be insignificant compared to other modus operandi at their disposal," Pillay points out.

Greater inclusion

While relatively new in SA, contactless card payments were first introduced by MasterCard in 2003, with currently more than 370 million active contactless cards globally.

In June, MasterCard announced an initiative to create greater payment consistency by making tap-and-go a standard feature in its cards, in the next five years.

MasterCard says, beginning later this year, it will introduce a series of card and terminal upgrades across the Middle East, Africa, Europe, Latin America and Asia Pacific, to bring contactless card payment technology to more people in more locations around the world.

According to a report by Juniper Research: POS & mPOS Terminals: Vendor Strategies, Positioning and Market Forecasts 2017-2022, more than half (53%) of global POS transactions will be contactless in the next five years.

Steven Ambrose, CEO of Strategy Worx, explains that international trends in countries that have had tap-and-go for years indicate the risks are limited.

"In Europe and the US, tap-and-go has not resulted in higher fraud and is in line with the use of chip and PIN, which both have dramatically lower risks than the older swipe system. Credit card companies have very sophisticated fraud protection systems, and if a POS device is used in this way, it would be highlighted very quickly."

MasterCard says it uses robust fraud detection systems and artificial intelligence to spot suspicious contactless payments activity in its tracks.

"Contactless payments require different information than those made over the phone or online. The cardholder's name, three-digit security code on the back of the card, and billing information like zip code are never transmitted. Cardholders can rest assured that if their card is compromised, they are protected with a global zero liability promise and will not be liable for unauthorised charges."

Share