Contactless Payments - part 2

Posted: 21-Sep-2011 15:12

Yesterday I blogged about feeling uneasy with the no-authentication-for-under-$80 transactions on MasterCard's PayPass implementation for ASB Bank. See here.

A number of the comments I received said "any fraud will be reimbursed", "it's the bank or merchant taking the risk, not you", "they have insurance to cover that". Yes, they probably do. I've been rung by ASB as a current customer to notify me of a transaction found on a credit card I do use for internet transactions, and the process was remarkably simple and painless. So I know it works.

But the issue is: why should something be implemented that requires insurance and fraud protection in the first place? Why not design it to lessen this risk?

I'm going to pull out of context some of the PCI DSS (link) requirements that service providers, merchants and banks have to adhere to:

8.2 Employ at least one of these to authenticate all users: something you know, such as a password or passphrase; something you have, such as a token device or smart card; or something you are, such as a biometric.

8.5 Ensure proper user identification and authentication management for non-consumer users and administrators on all system components.

OK, so these requirements really relate to the handling of cardholder data, but why not apply the same thinking to your card? The main piece of cardholder data is your card number, your PAN (Primary Account Number). To use the PayPass system you only have to supply one piece of cardholder data: the physical card with the PAN embossed on it. Why shouldn't requirement 8.2 also be applied here, and a second authentication criterion be used?

PINs work, but can be slow when people miskey. The really slow factor on EFTPOS terminals, though, is the time it takes to authenticate with the authorisation centre, so why not move the PIN authentication onto the chip? It would be much faster (though it does potentially raise the issue of cards being brute-forced for their PINs).

Or use biometrics: a thumbprint reader built into the card, so that only a person with an authorised thumbprint can use it. Probably a little expensive, but hey, it's my blog and I'm just spitballing here.

My point is: why implement something that needs some kind of fraud insurance to cover the banks and, ultimately, the consumer? As the consumer, you're paying for this through your bank fees and card fees.


Comment by scottjpalmer, on 21-Sep-2011 15:36

Stop being a Grumpy Old C ;-p

Comment by NickiB, on 21-Sep-2011 15:49

Resisting the urge to +1 Scott ;-)

I am reading the above differently to you. Clause 8.2 reads: "at least one" - does that not imply one is enough? I.e. your contactless payment card is a token device that authenticates you and thus would meet the requirements under 8.2.

More generally, the costs of insurance and hassle of refunding
And I would assume there is a choice, at least at this stage - do the banks let you request a card without this technology enabled? If you are happy with the system, use it; if not, avoid it altogether.

Seeing how slowly chip readers process transactions in NZ, it would certainly make me happy to see this method used wherever possible; transactions seem to take about 3 times longer to process here than in AU!

Comment by graemeh, on 21-Sep-2011 15:52

They don't implement something more secure because they believe the cost of fraud will be less than the cost of a more secure solution.

Comment by Adam, on 21-Sep-2011 16:34

It's not the PIN authentication that takes the time, it's the funds authorisation.

Moving the PIN auth to the card wouldn't speed up the transaction processing.

Comment by stevenz, on 21-Sep-2011 21:55

Unless the system is significantly faster than the current method the chip-imbued EFTPOS cards use, the time saved by the swipe method is proportionally insignificant. Whatever method the chip cards use seems to take somewhere in the region of 3-4 times as long as "normal" cards at times.

More people need to support Snapper. Doesn't get much quicker than those things. Swipe, bleep, done.

Of course if you lose/damage the card then you've got problems.

Comment by n00dy, on 22-Sep-2011 12:46

I found that those EFTPOS terminals connecting via broadband are just so much faster than the dial-up ones. We noticed it in my wife's retail business when we updated her EFTPOS terminal and switched to BB: standard EFTPOS transactions were instantaneous and chip card (inserted) took only a second or two. I feel the chip card has enough security as it is, and that more fraud is via internet transactions than other means.

Comment by Richard, on 22-Sep-2011 23:40

I am really disappointed there is no opt-out, as I do feel this is a scheme to make us spend more money.

It makes the payment faster and easier, so psychologically you might make purchases that you would normally think twice about. Imagine in a shopping mall you pass one of those counters selling junk, the salesperson has a mobile EFTPOS machine, and before you know it your card has been swiped and they've got your money. OK, I am sure retailers like this would be frowned upon, but still... in some sense I might as well be walking around shops with $50 in my hand, waving it at sales staff.

Comment by oxnsox, on 23-Sep-2011 10:42

It's unlikely you'll be buying stuff merely by walking past a counter terminal...
It's a process. The retailer must enter something to generate the transaction before you get within a few cm of their terminal with your near-field device.

In some countries you're sent a txt each time your credit card is used (above a simple preset value). That gives you the option to cancel any fraudulent use pretty damn quickly.

But I suspect the whole point of the original post is not really about the technology but about the threshold figure for using the near-field payment.

So... what's acceptable to you then? If not $80, $50? $25? A couple of flat whites?

Author's note by davidcole, on 23-Sep-2011 10:52

@oxnsox To me? Not having it on my credit card. Having it on its own card, like my Snapper is. That means I can control the balance and keep the level of (perceived) exposure to what I'm comfortable with, which would be around the $20 - $30 mark. Similar to what my Snapper is loaded with.

My biggest objection in the previous post was that it was on my credit card, and I couldn't not have it there. If it were a separate card, linked to an account with $20 - $30, I'd be all over it and fairly happy.

Comment by Miki Szikszai, on 28-Sep-2011 12:30

Interesting to see the view that the amount loaded on a Snapper card is what people would feel comfortable with if the equivalent is cash. That's our view too.

@stevenz - if you lose or damage your Snapper card, and it's registered, then we can transfer the funds to a new card.

We've got some new announcements out today in terms of support of Snapper with Subway and Smartpay - we expect that to continue to build a useful retail footprint.

Comment by chris, on 26-Oct-2011 08:32

Contactless technology offers a range of benefits. All parties involved benefit from this technology, security being one of them. Key benefits include:

Issuer/Network Benefits:
Penetration to the cash and debit card payment market
Increased transaction volumes
Customer retention and loyalty

Merchant Benefits:
Fast transaction times - move customers more quickly through the payment process.
Increased customer spending - increased frequency of purchases, and increased customer loyalty that leads to increased revenues.
Improved efficiencies - Reduced cash handling, improved payment terminal reliability, and streamlined payment processes improve operational efficiency and reduce operating costs.

Customer Benefits:
Increased security - the card or device remains in the possession of the customer, which provides a more secure means of processing. It reduces the chance that someone snoops over your shoulder to acquire your PIN.
General convenience - customer queues are reduced as transaction times are speedier leading to a better customer experience.
Doesn't need to be a card (Phones, Key Fobs)
Globally interoperable solution
Contactless acceptance supports mobile

All of these benefits add up in favour of this technology over the low risks associated with an $80 transaction.

NZ is in a good position, in that this technology has been tried and tested for up to two years in some overseas markets. Research has shown that fraud has not increased with the use of contactless.

Something you may have missed is that, regardless of the transaction being under $80, every 5 or so transactions the user will be asked to authenticate with a PIN, so at worst the risk is no greater than $440. On top of this, as you pointed out, the customer is protected by insurances held by banks and merchants for any reimbursements.

All in all, after the extensive research I've done, I believe this technology offers the payment industry a wide variety of opportunities and only a few minor risks.
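The two exposure-limiting ideas argued over in this thread, the author's preference for a separate card loaded with only $20 - $30 and chris's point that a PIN is forced every few taps, as an added toy model that is not from the original post or from any card scheme's actual rules. The $80 floor limit and the PIN-every-5-taps counter are the page's figures; the exact counter behaviour, the decline rules and the lost-card worst case are assumptions made for illustration.

```python
"""Toy model of contactless exposure limits (constructed illustration).

Rules modelled (assumed, not a real scheme's specification):
  - a tap above the floor limit always needs a PIN
  - after PIN_EVERY consecutive no-PIN taps, the next tap needs a PIN
  - a successful PIN entry resets that counter
  - a prepaid card (the author's separate-card idea) also caps spend at its balance
"""
from dataclasses import dataclass, field
from typing import List, Optional

FLOOR_LIMIT = 80.0   # figure from the page: no PIN needed at or below this
PIN_EVERY = 5        # figure from the page: PIN asked every 5 or so taps


@dataclass
class CardState:
    balance: Optional[float] = None        # None = credit card, else prepaid balance
    no_pin_taps: int = 0                   # consecutive taps approved without a PIN
    history: List[float] = field(default_factory=list)


def tap(state: CardState, amount: float, pin_entered: bool = False) -> str:
    """Decide one tap: returns 'approved', 'pin_required' or 'declined'."""
    if amount <= 0:
        return "declined"
    if state.balance is not None and amount > state.balance:
        return "declined"                      # prepaid card cannot overspend
    needs_pin = amount > FLOOR_LIMIT or state.no_pin_taps >= PIN_EVERY
    if needs_pin and not pin_entered:
        return "pin_required"                  # terminal must prompt for the PIN
    state.no_pin_taps = 0 if pin_entered else state.no_pin_taps + 1
    if state.balance is not None:
        state.balance -= amount
    state.history.append(amount)
    return "approved"


def worst_case_exposure(balance: Optional[float] = None) -> float:
    """Most a lost card can be used for before the first PIN prompt stops it.

    Assumes each tap is the largest amount that can still avoid a PIN.
    """
    state = CardState(balance=balance)
    total = 0.0
    while True:
        amount = FLOOR_LIMIT if balance is None else min(FLOOR_LIMIT, state.balance)
        if amount <= 0 or tap(state, amount) != "approved":
            return total
        total += amount
```

With these figures a lost credit card is exposed for 5 x $80 before the PIN prompt, while a prepaid card's exposure is just whatever balance is on it, which is the trade-off the author and chris are each weighing.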


Add a comment

Please note: comments that are inappropriate or promotional in nature will be deleted. E-mail addresses are not displayed, but you must enter a valid e-mail address to confirm your comments.

Are you a registered Geekzone user? Login to have the fields below automatically filled in for you and to enable links in comments. If you have (or qualify to have) a Geekzone Blog then your comment will be automatically confirmed and placed in the moderation queue for the blog owner's approval.

Your name:

Your e-mail:

Your webpage:

davidcole's profile

davidcole Cole
Lower Hutt
New Zealand

Been thinking it would be nice to have a blog but not sure if I have enough to say.

I'm an I.T worker from Wellington New Zealand.

I like my toys so this will probably have posts about my dealings with those.

My Cellphone is an iPhone 5s

I run a NextPVR based PVR at home to replace my video recorder, DVD player and to host all my music. I'm also really big on Plex, for centralising all my music, videos and I've written a plugin or two for it.

Music is a big thing for me and you can check me out on my Last.FM Profile.

For all your smart DNS needs I use: UnblockUS - Unblock your freedom - smart DNS

Follow me on Twitter