09 Jan Contactless banking – is user-friendly user-safe?
The Middle East and Africa recorded a 27-fold increase in contactless transactions during 2017. Timothy Compston finds out whether contactless payment adds up security-wise.
The move to near field communication (NFC) – or radio frequency identification (RFID) – contactless payment methods is proving to be a popular step, especially with younger bank customers in the region.
Today contactless payment can be achieved not just using credit or debit cards but with NFC-enabled smartphones, and wearable technology like watches and even special wristbands. In the race to bring contactless technology to market as a more user-friendly way of paying for items we find out more about the measures that financial institutions are rolling out to ensure that these transactions are as secure as possible.
Taking a closer look at the expanding footprint of contactless payment, a report by MarketsandMarkets is predicting that the global market for this approach will expand from (US) $6.70 billion in 2016 to an impressive (US) $17.56 billion by 2021. This translates to a Compound Annual Growth Rate (CAGR) of 21.2 per cent during the forecast period. In terms of the major drivers for this market uplift, MarketsandMarkets cites factors like: the increased convenience in making low value payments and the ease of technology integration with existing cards.
Over the past few years, where the Middle East is concerned, the adoption of contactless payment technology has certainly gathered pace and last year Apple Pay expanded into the UAE (United Arab Emirates) so allowing debit and credit cards from participating banks to be added to the wallet app for NFC-enabled transactions. Undoubtedly, the story was different at the start of this decade where contactless here was very much in its infancy with few retailers equipped to support it and cash still the order of the day for smaller transactions.
Despite the hurdles, even then, steps were being taken to change the payment landscape with HSBC starting to issue contactless cards; Visa partnering with the UAE’s two largest banks on pilot projects, and Mastercard launching its own contactless payment programmes. Alongside this, passengers on public transport, like the Dubai Metro and buses, were able to save time by paying for tickets with their Nol card.
Designs on wearables
Fast forwarding to 2015 and we saw UAE’s Noor Bank and Yvolv – a joint venture between Alibaba Cloud and Dubai holding company Meraas – launch Yvo, a mobile app, allowing users to make secure in-store payments with their mobile phones and wrist bands. This was a sign of things to come for contactless. More recently, on the wearable front, at the Seamless Middle East (2017) conference in Dubai, UAE Exchange – the global remittance, foreign exchange and payment solutions brand – announced that it was to partner with OT (Oberthur Technologies – now called IDEMIA) to launch the ‘gocash’ pre-paid card to deliver contactless payment via wearable devices. The solution built around Oberthur Technologies’ FlyBuy MiniFOB is, essentially, a mini-contactless card with antenna and chip. In practice, a special piece (keeper) is provided along with the standard Dual Interface gocash card to hold the MiniFOB chip so UAE Exchange customers can attach it to their watch, wristband or any wearable item. Regarding the direction of travel here, Promoth Manghat, CEO at UAE Exchange Group, reckons that contactless payment, in the form of wearable devices, is going to become common practice in the region: “It will simplify the whole payment journey.”
Echoing these developments back in March (2018), in a first for Saudi Arabia, we saw Riyad Bank unveil contactless payment wristbands fitted with Gemalto’s contactless MiniTag. Added to this, the bank is to roll out another Gemalto solution – the contactless sticker – that can be fixed to the back of a smartphone to turn it into a secure contactless payment device. Commenting on these developments at the time, Riyadh Al-Zahrani, executive vice president and head of the Retail Banking Division for Riyad Bank said: “The launch of Saudi Arabia’s first ever contactless payment wristband is the latest example of our commitment to an enhanced and distinctive customer experience.” Nassir Ghrous, senior vice president, Banking and Payments for Russia, CIS, Middle East and Africa, at Gemalto – a digital security specialist – believes that right across the Middle East a new generation of consumers is looking for banking solutions that can help facilitate their busy ‘on-the-go’ lifestyles: “Riyad Bank has led the way in introducing Saudi Arabia to the benefits of contactless.”
Mapping the future
For its part, Mastercard has detailed an ambitious roadmap for contactless payments. The global payments technology company confirms that it intends to ensure that every cardholder across the Middle East, Africa, Europe, Latin America and Asia/Pacific will be able to tap their Mastercard or device in stores by 2023. Mastercard also highlights the fact that the Middle East and Africa recorded a 27-fold increase in contactless transactions during 2017. Looking in more detail at Mastercard’s future roadmap for contactless, from October new acceptance terminals for key regions – including the Middle East – have had EMV [a technical standard for smart payment cards] chip contactless enabled. By next April every card issued is to feature an EMV chip and contactless technology and, crucially, within five years (April 2023) the plan is that all merchant terminals will be EMV and contactless enabled.
In addition, Mastercard stresses that the speed of contactless payment, coupled with its dynamic EMV grade authentication to protect against fraud, is transforming everyday commerce: “Our vision is a world where everyone can simply and safely tap their card or device when paying in a store and be quickly on their way”, says Ajay Bhalla, chief security solutions officer at Mastercard.
The findings of a survey conducted as part of Security Week, a consumer campaign to promote safe card usage held in June by Dubai’s Department of Economic Development (DED) in partnership with Visa, serve to underline the way that new payment technologies are gaining traction with consumers. Interestingly, the vast majority of those surveyed were aware of contactless cards (82 per cent) and digital wallets (81 per cent). Alongside this, 78 per cent of those who have a contactless card answered that they were using them at least once a week with the corresponding figure for digital wallets sitting at 80 per cent.
Addressing the topic of security, the survey found that 64 per cent of contactless card users and 66 per cent of digital wallet users would feel safe using these payment methods even when they are not familiar with the retailer. To coincide with Security Week, Visa was keen to underline the high level of security behind digital wallets for contactless payments which, reassuringly, feature multiple layers of protection. A case in point is Visa’s tokenisation technology that replaces card data, including the 16-digit card number, with a ‘token’ – a random number – to protect cardholders’ account information. This means, according to Visa, that during a transaction the token is submitted instead of the actual card information. Visa adds that digital wallets like Apple Pay and Samsung Pay are enabled by Visa tokenisation. Nick Fernandes, Visa’s head of risk – Middle East and North Africa – comments: “As digital commerce grows and new payment methods emerge, it’s imperative that we maintain trust and confidence in the ecosystem.”
Of course, it must be acknowledged that consumers still have many questions regarding the security of contactless and whether, by its nature, it is more vulnerable to fraud than other payment methods. To an extent this has been fuelled by the reporting of investigations like those of Which? – the largest independent consumer body in the UK – which was able to capture data from cards and then use it for online purchases where vendors did not require a card’s security code.
Not surprisingly, the payments industry has pushed back on such worries by addressing the most common security concerns head on, a case in point being the online guidance published by the UK Cards Association before it was integrated into UK Finance last year. When it comes to capturing details from a contactless card the UK Cards Association noted that a fraudster, with a suitable gadget, would have to be extremely close and, even then, they would only be able to access the same information as could be seen on the front of a card, specifically the card number and expiry date, not the security code, their name and address or bank account details.
Such reassurances regarding physical distance have to be tempered somewhat by the fact that in 2013 researchers at the Department of Computing at the University of Surrey raised their own concerns about the security of NFC technology – like that found in mobile phones and contactless debit/credit cards – by demonstrating in a study in the Journal of Engineering that it was possible to receive a contactless transmission from distances of 45 to 80 centimetres using what was referred to as ‘easily concealable’ equipment, specifically: a pocket-sized cylindrical antenna, a backpack and a shopping trolley. The team at Surrey did go on to emphasise that there was no suggestion that the information obtained could be used to make a fraudulent payment provided, they said, that issuing banks applied the rules and guidelines of card schemes.
Beyond this, the UK Cards Association points out that even if a card is actually stolen there are limits on the amount of each transaction – this ‘floor limit’ is something which is common in most territories worldwide – and that from time to time a user has to enter their PIN to verify that they are the genuine card holder. In terms of the potential to accidentally pay for someone else’s purchases if they are nearby, it was pointed out in the guidance as well that, to work, cards need to be within a few centimetres of a card machine so there is no chance of this happening.