By Robert Lincolne, CEO and founder of Paydock.
Contactless payments have moved beyond innovation to consumer default globally. Cards, phones, terminals and other devices are now more secure than ever, and the uptake has been dramatic. Near Field Communication (NFC) technology is more prolific, and accelerating vendor support at all layers means there will be no turning back.
However, contactless payments might not be all upside.
Might there be downsides in terms of security, or are these insignificant compared to the benefits? Our hypothesis is that the benefits far outweigh the downsides and that these early scheme-based initiatives will give way to a broader, sector-defining innovation phase which will utilise not just schemes such as Visa and Mastercard but capitalise on the principles established in the contactless payments journey so far. The result will be an increasingly valuable consumer experience and a continued lift in the overall security of the transaction.
83% of consumers in the UK use contactless as their preferred payment method.
With over 83% of consumers in the UK using contactless as their preferred payment method (UK Finance, 2021), the advent of this method has brought with it substantial changes in consumer behaviour, all rapidly accelerated by coronavirus.
Rather than having cash change many hands or cards change a few, contactless payments enabled payments to be transferred without any physical contact between elements and therefore without any of the ‘undesired side effects’. In more ways than we expected.
Today reaching for a physical card (unable to use my I-whatever to pay) I’m borderline outraged. Maybe not one step short of calling the manager to ask why they don’t care about consumers like me but genuinely confused as to why the default option is not available.
Fumbling through my pockets to find a piece of plastic feels archaic and risky (I can lose my card and rarely use it) and yet behind the scenes of my impatience a complex world of security, identity, authentication and authorisation is whizzing away.
While initial contactless adoption has been driven by schemes and by phone and payment terminal manufacturers, the shift in general consumer behaviour has accelerated further innovation from groups beyond these parties. This has included biometric, encryption and other associated hardware parties, all keen to join in. The goal: secure payments, faster, with less risk.
The future of contactless payments won’t be like the past.
On the card scheme front, protocols like Software-Based PIN Entry on COTS (SPoC) and PCI Contactless Payments on COTS (CPoC) are designed to recognise available capabilities and preferences while stimulating further innovation in a safe and secure manner. (COTS stands for ‘commercial off-the-shelf devices’.)
Leveraging the above vendors will enable consumers (and in certain markets already does) to present their own credit card near an off-the-shelf device to facilitate a secure payment (secure enough for commercial operations at scale). The underlying capabilities, however, extend even to consumers’ phones, resulting in applications where a consumer can tap their own phone to initiate a PIN-based payment for purchases.
All of this represents a significant improvement to the security status quo. Credit card fraud is widespread in e-commerce and, while merchants seek to capitalise on new technologies to shift liability, those technologies are not all widely adopted, largely due to consumer experience and technical implementation drawbacks. In the case of chargeback fraud, advances in contactless technology are starting to make genuine change possible without the high cost of adoption that current means require.
Today, if the merchant cannot prove through a complex and confusing dispute process that a disputed transaction was genuinely authorised, then the merchant is forced to cover the chargeback as well as pay a series of administrative fees. A frustrating, slow and expensive process with a very low chance of success.
To provide some relief and increase security, 3D-Secure technology was introduced to minimise fraud and improve the security of e-commerce transactions. While effective (when usable), 3D-Secure has been regarded by many merchants as clunky. The cost of lost revenue and poor brand experiences meant that the economics often didn’t add up; after all, risk is an economic decision. More recently, 3DS v2, an attempt to resolve these issues, has gone some way to improve the experiences of many, but the slow uptake and spotty support through the payments value chain have meant that adoption has been scattered.
To be fair, the schemes and others are still working hard to push all parties to adopt any form of 3DS, but many front-line technologies do not support the full suite.
The technologies and security capabilities that enabled contactless payment have provided an interesting alternative to ‘shortcut’ these adoption issues related to the breakup of the payments value chain and the challenges currently faced in the 3DS environment.
PIN entry forms
Secure contactless payments with PIN entry forms are an interesting alternative. In the simplest of terms, a PIN-based payment is regarded as being as secure as an over-the-counter payment. It is regarded as fully authenticated and cannot be eligible for a chargeback because the consumer has not only provided their payment instrument (the card) but also entered their PIN. This is the same PIN which they would use to pay at the grocery store or at the ATM.
The consumer cannot claim that the transaction ‘was not them’ any more than they could the same of an ATM. And for the merchant, the e-commerce fraud problem evaporates overnight. Genius. Consumer fraud is very difficult in a PIN entry environment.
Therefore, a holy grail is a certified PIN-based payment that is not ‘over the counter’ but ‘from the bedroom’ (or anywhere the consumer is). A fully secured, chargeback-proof payment where no third-party technology has to be introduced other than that which the consumer already carries: their phone and their card.
Apple has worked hard to demonstrate that Face ID is equivalent to a PIN, and we see an interesting shift again where contactless secure payments increasingly satisfy the Strong Customer Authentication (SCA) mandate by dual-factor authentication: something you have, and something you are or know. In many cases, with our mobile devices and PIN entry, all three are satisfied.
The other, not immaterial, attack surface is merchant fraud (as opposed to consumer fraud). This is where a party with the ability to accept payments through a contactless device uses these capabilities to skim cards or monies, or to overcharge non-authorised amounts. If you’ve ever blindly held out your card to a contactless terminal (guilty) without looking at the price, you’ll see how easy it can be. Cash and a second layer of authentication can resolve this, but consumer demand for efficient experiences ensures the delightful ‘ping’ of a processed payment via a contactless device will remain.
Contactless limits are not enough.
Merchants will find ways to skim payments, and acquirers and issuers alike are looking at ways to tighten the loop. Contactless limits are part of the means by which significant fraud is compressed; however, claiming ‘well they won’t steal much’ is not taking the high ground.
Without physical contact or a second factor of authentication, the detailed set of links between the payment initiation and money settling provides a range of levers to introduce additional security measures; however, none are foolproof. There is an extent of ‘buyer beware’, but the sense that someone can ‘take money out of your wallet’ without you ever knowing is uncomfortable.
But coming back to the technology and consumer experience at the heart of it, the technology is not tied to just the major schemes. Granted, the schemes were first to start but they won’t be last to finish. If we can authenticate a secure exchange of value via a card scheme this way, why not bank to bank, wallet or other payment mechanism? Certainly the industry agrees.
The broad concept of a contactless payment is different from the stricter industry definition. But to the consumer, do we care?
If it’s secure, hands-free, low cost and fast, then it’s no problem.
I feel the future will include many QR-initiated payments as well as non-card NFC-initiated payments. Now that devices are secure enough to recognise bank-grade PINs, that same capability can be used to complete a payment passing through other means as well. Not necessarily the card PIN, but an ‘as good as a bank’ PIN related to other payment mechanisms. Account-to-account payments in the banking system, real-time wallet transfers and other means of exchanging monetary value will begin to increase even while the deep integration between card issuers and device manufacturers will ensure the lion’s share sits with incumbents.
I also think in time merchants will be requesting or initiating payments directly to devices which consumers have an inherent trust in. The convenience and security attached to these consumer devices mean that merchants will need to ‘go to’ the consumer by supporting this new paradigm rather than forcing the consumer to come to them. The future is less about schemes and networks and more about authentication and rails. Some may suggest there is a slight schism appearing between the layers, and this excites me.
If we can separate contactless authentication from payment authorisation (as we are moving to), we can start creating exciting, secure and consumer-friendly payment experiences whilst keeping different parties on the value chain more honest than ever. I think the rise of fully integrated faster payments via open banking in the UK is a good example of this, where I am just as comfortable paying from my Monzo account via open banking as I am using my Mastercard in Apple Pay. The experience is undisruptive and, I know, cheaper for larger payments. This is achieved by the separation of the interface (now contactless), authentication (now on device) and authorisation (could be via a range of networks).
The best is yet to come
The future of contactless is bright and I think more varied than we think. The confidence in the ability to control and authenticate through devices the consumer trusts, resulting in payments through instruments the consumer prefers, sounds like a healthy payment ecosystem. There will be risks (innovation is never risk free) but it’s always a calculated risk.
Looking at where we’ve come from, I think not only are we more secure, safe and convenient today, but I only see this trend continuing, and I, for one, am thankful for the presence of contactless payments to achieve these goals.