I unwittingly made my first contactless card payment a few days ago: the vendor took my bank card [current account debit card] (I assumed so that they could insert it into their "deskbound" payment terminal: I know that you are supposed to never hand over your card, but so many service counter staff still have ingrained old habits from the swipe and sign era, and/or poor quality payment terminals on too-short leashes to be easily accessible to the customer), and I was surprised not to then be given the terminal so that I could enter my PIN to make the payment. The vendor then said that they had processed the payment as a contactless payment.

I am somewhat concerned by this as I had been led to believe by my bank's publicity materials that contactless payment using my card would simply not be possible until I had authorised my first time contactless payment by entering my PIN.

This regrettably seems to confirm my main concern about contactless cards, specifically that a stolen card can indeed be used to spend your money until the thief encounters an occasional PIN security check. I had thought that I would be safe from this risk as long as I did not ever make and authorise a first contactless payment, so I am very concerned that this does not appear to be the case.

I will now be contacting my bank to request a card without contactless payment capability (and asking them to contact the vendor to remind them about card processing practice, as unfortunately I have learned the hard way (albeit without ill-effect) exactly why you should indeed never hand over your card!).

I have now reviewed my bank's website again, where the wording seems different to what I had previously understood: it seems that making any ATM or Chip card transaction is enough to enable contactless functionality (whether you like it or not), giving no protection whatsoever.

Can anyone clarify what the approved situation should be regarding the enabling of contactless cards?

dave559
  • Why is contactless important here? Can't they just run your card as credit without a PIN using more traditional "contact" methods? – Ben Mar 22 '17 at 15:16
  • 2
    Which country are you in? – Sjoerd Mar 22 '17 at 15:21
  • With the introduction in Germany, most banks offer cards with contactless payment where you first have to add funds specifically for contactless payment. If there are no funds or not sufficient funds on that balance, contactless payment will fail. You can transfer funds onto that balance manually at atm terminals, via online banking or configure automatic supply of funds when they run low. – NineBerry Mar 22 '17 at 15:46
  • 1
    @Ben It is a Chip and PIN card (the norm here for many years), the PIN is always required when making a (non-contactless) in-person purchase. (I am aware that this is a much more recent development in certain countries!) – dave559 Mar 22 '17 at 16:26
  • @Sjoerd In the European Union (I'd rather not be more specific.) – dave559 Mar 22 '17 at 16:26
  • 1
    @NineBerry Sorry, I should have made it clearer in my post that the card is a debit card connected to my current account (where contactless payment can be used for "small" transactions, instead of Chip and PIN), rather than a credit card (original post now updated). – dave559 Mar 22 '17 at 16:28
  • 1
    @dave559 I was also referring to debit cards connected to existing bank accounts. Banks in Germany are currently rolling out new cards to replace the previous cards with contactless payment as a new feature. But as stated earlier, with most German banks you have a separate balance for contactless payment when using the same card that you would use with pin for unlimited payments. – NineBerry Mar 22 '17 at 17:09
  • This really doesn't seem like a security question. This looks like a question for your payment card provider. Each provider will have their own processes. – schroeder Mar 22 '17 at 17:31
  • The behaviour you described seems pretty standard, I have seen it elsewhere. Usually, there is a limit to the amount per contact-less transaction, the number of transactions or the total amount across all contact-less transactions. Once you have reached it, you have to do a regular transaction (with your PIN) to reset the limit. That's the main protection against fraudulent use. – Relaxed Mar 22 '17 at 21:51
  • In case of loss or theft, my bank also promises to waive the relevant rules of their general conditions of use and fully cover all fraudulent transactions happening between the time my card was lost or stolen and the moment I actually report it as lost or stolen. I haven't tested that in practice but that would make the risk nil. – Relaxed Mar 22 '17 at 21:52
  • @NineBerry That is interesting to read that in Germany you have to specifically "transfer funds" to your card for contactless payments, rather than it having direct access to your bank account. That seems rather more secure than the procedure in use here, where some money (directly from your bank account) can be spent without any prior authorisation, until reaching an occasional PIN entry safety check, which puts us at some risk if our card is stolen. – dave559 Mar 23 '17 at 17:05
  • @schroeder I was trying to establish if there was a standard procedure required by Visa (etc), or whether each bank makes its own rules. I would argue that there is a security issue if it is possible for a thief to spend contactlessly using a card and the rightful card owner is not, after all, able to prevent the card from being activated for contactless payments. It seems that the only option then is to demand a non-contactless card from the bank. But if this question is not felt to be on-topic, then I apologise. – dave559 Mar 23 '17 at 17:09
  • @Relaxed Unfortunately, the time period between a card being lost or stolen, a thief being able to spend on it, and the rightful owner being able to report the theft to the bank, could be long enough for a thief to spend (steal) a relatively non-trivial amount of money, and I am not certain quite how willingly a bank would reimburse the stolen money(!). – dave559 Mar 23 '17 at 17:18
  • 1
    @dave559 As I explained, their terms and conditions explicitly state they would, in fact, reimburse the money. – Relaxed Mar 24 '17 at 07:10
  • @Relaxed I was merely commenting based on stories in the media about banks in my country, where banks make similar promises regarding fraudulent transactions, but when people then need to rely on such protections, the banks are rather unwilling to adhere to their side of the bargain (this is understandable to a certain extent, as they do need to be sure that their customer is not trying to defraud the bank, but I think I would prefer to avoid any risk from contactless payments by simply not having the ability to make them on my card). – dave559 Mar 24 '17 at 10:51

0 Answers