Once excellent as the future never reached contactless payments mass popularity. Buyers preferred the familiar sweep, dip, PIN code and signature. The Covid-19 pandemic is likely to change that as consumers are now more aware of what they are touching.
In this article, I will discuss NFC (near field communication), the technology that drives almost all contactless payments in the store. I explain how NFC works and how its payments are secured. I will also explore the benefits of NFC along with challenges to overcome before such payments are anything but a novelty.
A contactless payment does not require the customer to touch a retailer's sales equipment. Instead of touching PIN pads and pens to authorize transactions, a contactless payment allows customers to wave their payment method near a payment reader. This is usually called paying to pay, but "printing" is not the best description. A crane is not required. It is enough to move the payment method near the reading unit.
NFC facilitates many contactless devices. The most common are NFC-enabled credit cards and smartphones, but devices that do not pay such as key fobs, watches, fitness trackers, bracelets and other laptops can also contain NFC chips, often referred to as NFC tags.
To check if a device is activated, look for the contactless payment symbol – four curved lines that form a radio signal. Thanks to Covid-19, we see much more of these symbols.
Near field communication is a way for two devices to communicate via radio waves. The term "near field" is used because the signal range is very small – usually no more than two inches. For NFC payments, the two devices are usually a smartphone that stores credit card information and a contactless enabled sales terminal. Almost all new credit cards have also embedded NFC tags.
Communication between NFCs is either passive or active.
Passive NFC transactions require only one unit to supply electric power. The passive device (usually a plastic credit card) gets its power from the radio waves emitted by the reading device. For payments, the NFC sales terminal constantly emits radio waves while waiting for a passive unit to enter its field. When this happens, the credit card information is transmitted to the reader.
Interestingly, if you were to take apart a contactless credit card, you would find a very thin wire antenna wound around the perimeter of the card. It is this little antenna that transmits your credit card information via radio signals to the NFC terminal.
An "active" NFC transaction occurs when each unit provides its own power. A smartphone is a good example of an active device. Apple Pay, Google Pay and many other payment apps use NFC to conduct active transactions. Both units in an active transaction can transmit and read local area information.
3 NFC modes
There are three modes for NFC communication: reader, peer-to-peer, and card emulation. Each can be used for payments.
- Reader mode. A type of passive NFC transaction where the reader supplies power and reads the information on the NFC tags. For payments, contactless activated credit cards are the prime example of passive transactions.
- Peer-to-peer mode. In peer-to-peer mode, two active devices communicate over the radio wave field. Usually, NFC peer-to-peer mode is used to share documents and images and not payments, although there is nothing technical that prevents payments through peer-to-peer connections. It just hasn't taken off. Most peer-to-peer payment services (such as Venmo) rely on cloud-based Internet communications to initiate money transfers, not NFCs.
- Brief Emulation mode. Apple Pay, Google Pay, and most smartphone apps used to pay use NFC card emulation mode where one of the devices emulates a debit card. When Apple Pay is installed and activated, your phone becomes your card. Card emulating devices include an NFC antenna (usually wrapped around the battery on the back of the phone) and an embedded NFC tag that can transmit the card details. Due to security requirements, credit card information is not stored in NFC tags but in protected areas called "secure elements" (see below). Only when the sensitive information must be transmitted does the NFC tag play a role in card emulation.
Several security layers protect NFC contactless payments.
- Near the field. The distance between two units in an NFC transaction is a maximum of two inches. Therefore, it is impossible for someone to scan your contactless card if he is not in your near field, which would be two inches or less from your device or card.
- Cryptography and tokenization. If someone walked into your two-inch near field in an attempt to scan your contactless card (and you did not notice it), the card information remains encrypted and tokenized. He could not use the information because he could not decrypt it.
- No magnetic tape data. Information stored on a credit card's magnetic tape is not secure. Magnetic tapes can be scanned, copied and used elsewhere. Thankfully, NFC payments are secured with a standard called EMV (Europay, Mastercard and Visa, the three companies that created it), which unlike magnetic tape technology always requires card information to be encrypted and tokenized.
- Secure elements. In NFC card emulation mode, credit card information is stored in a secure element, a secure, encrypted and tamper-proof area. Access to the secure element is severely limited and protected by many layers of cryptography. In addition, will try to break into the safe element that it is destroyed itself. (A microscope and highly specialized equipment are required.)
- Spending limits and PIN code. The card brands (eg Visa, Mastercard, American Express, Discover) together with acquirers and merchants may impose additional restrictions on contactless payments. For example, each card brand requires the expense of contactless payments. When a customer tries to pay for an item via contactless payments that exceed the spending limit, the point of sale requires the customer to enter their PIN code.
Merchants and their acquirers (ie merchant account providers) can also configure their contactless terminals to request a PIN if the contactless card is used for multiple purchases over a short period of time.
Benefits and challenges
The Covid-19 pandemic is likely to force brick-and-mortar retailers to reduce congestion, especially around high-traffic cash lines, and to limit physical contacts, such as goods handling, open doors and pushing PIN pads and self-service computer stations. Contactless payments help because they require less touch. An added advantage is faster cash registers in the store.
However, before becoming widely accepted, contactless NFC payments must overcome several challenges, including:
- Pin code. Again, the PIN ensures that the payee owns the contactless device or card. But PIN defeats the purpose of payments without touch. Biometrics as facial recognition can be the next PIN. However, this is unlikely due to the privacy issues with face recognition and the cost of buying and installing the equipment. In the meantime, the trade will probably clean up their PIN pads after every transaction during the pandemic.
- Spending limits. Contactless payments were designed for quick payments with low value and low risk. Buying a cup of coffee is a good example. But what if a consumer wants to buy something more expensive? Current rules do not allow high-quality contactless transactions.
- Bad reputation and fear. NFC has a reputation for being uncertain. However, NFC payments are usually more secure than other methods. (Cash and wallets can be stolen; e-commerce sites and databases can be hacked; identities can be stolen and forged.)
- Lack of merchant acceptance. Despite the convenience and checkout speed, many retailers have not upgraded their point of sale terminals and PIN pads to be NFC enabled. The process is expensive and before the pandemic there was no urgent need. Until physical stores largely accept NFC payments, most consumers are unlikely to pay with their phones or contactless cards.