Tap and go is by no means a new technological development, but thanks to the Covid-19 pandemic, it has become increasingly popular as a method of payment since it is ostensibly contactless. It is also a payment method that can be used even without a card, since many wearable devices such as smart watches feature tap and go payment options. With rumours that Apple Pay will be launching in South Africa this year, it is likely to become increasingly available. However, this begs the question, what about security? When no physical card is required and often not even the authentication of a Personal Identification Number (PIN) for smaller transactions, who is responsible? The reality is that banks, merchants and users all need to play their part to minimise fraud and safeguard their money.
Are contactless payments secure?
Tap and go is based on Near-Field Communication (NFC) technology, with a small chip and antenna inside either the card or the wearable device. When you tap your device against the reader, a randomised token is sent via radio waves to complete the transaction. While the concept of contactless payments might seem daunting to some, there are actually a number of inbuilt features that make them as secure as transactions where the card is inserted into the machine.
To start, because each token is randomised, it is unique and distinct to every purchase. This means that even if it is intercepted, it cannot be used again. It is also not directly linked to the card number, so hackers cannot reverse engineer this from an intercepted transaction. In addition, proximity needs to be extremely close, with the card or the wearable needing to be within a few centimeters of the reader in order to complete the payment.
But what about wearables and smart devices?
Many people are becoming more familiar and comfortable with tapping their card to pay, but contactless payments extend beyond the physical card. Some smart watches like Garmin offer Garmin Pay, a wallet where payment information from participating banks can be stored and the wearable used as the payment device. The actual card number is not stored on the device but uses the same NFC technology with randomised tokens as the chip in the card. Apple Pay uses the same principles with the wallet app on iPhone, Apple Watch and iPad devices, and rumour has it that this will be available in South Africa by the end of the year.
So, what does this mean for security? It adds a new element, but at the end of the day, the basic security principles still apply, and everyone involved in the payment chain has a role to play. The Payment Association of South Africa (PASA) has defined R500 as the limit for which no PIN is required, and most banks and merchants will adhere to this limit. However, there are some banks that still require random PINs to provide an additional layer of security. When a PIN is not requested, the user cannot be held liable for a fraudulent transaction, so banks have the responsibility to honour these.
From a merchant perspective, the pad device or reader needs to be protected. This is defined under the Payment Card Industry (PCI) Data Security Standard (DSS), which forms the minimum benchmark requirement for all parties involved in the payment card chain. From a user perspective, it is our responsibility to own and manage PINs and not give them out to anyone. No matter what you use to make a payment, whether it is a bank card, a watch, a phone or another device, it needs to be treated as if it is cash, because that is exactly what it is. We need to do everything we can to protect these devices.
The bottom line
Tap and go payments are safe, secure and convenient, but they are not infallible. Everyone is responsible, as always, for preventing fraud and protecting sensitive data. Users still need to be vigilant, and this now extends beyond safeguarding the card to include wearables and smartphones. Merchants too have a responsibility to provide a safe environment for transactions to take place and ensure the security of the reader device. Finally, banks need to play their part by providing the highest levels security, ensuring valuable transactions are protected by a PIN, and by honouring transactions where a PIN was not requested. As more devices become options to be used for payment, security is increasingly everyone’s responsibility.
Simeon Tassev, MD and QSA at Galix