Payment cards have been around for decades and have transitioned from being read on manual imprinters and validated by signature to being read from a microchip and validated (generally) by PIN. They have now moved into the next stage of their development and can support contactless payments, in which customers literally just tap and go. At the same time, mobile operators and handset makers have caught on to the fact that smartphones are an essential part of everyday life and are attempting to use them to get into the payment market. Apple has launched Apple Pay, and its Android counterpart is known as Android Pay (although Android giant Samsung has its own version, called Samsung Pay). The basic idea behind them is the same as for contactless payments: consumers just tap and go. While this is indisputably convenient, questions have been asked about whether or not it offers the same level of security as chip-and-PIN (or signature) transactions.
Contactless and mobile payments cannot be as secure as chip-and-PIN payments
In the most basic of terms, the short answer is no. There is simply no way that a form of payment which removes the need to verify the identity of the cardholder can be as secure as one which verifies it. A more relevant question, however, is whether or not contactless and mobile payments offer enough security for their intended purpose.
Contactless and mobile payments are intended for low-value transactions
Contactless and mobile payments are being promoted as a way to speed up high-volume/low-value transactions at places such as fast-food outlets, coffee shops and the like. Basically, they are being presented as a win for both merchants and cardholders, neither of whom is likely to enjoy dealing with queues. At the current time, the limit for contactless transactions is £30 per transaction, and card-issuing banks are able to set their own limits regarding, for example, how many contactless transactions are permitted before the card has to make a chip-and-PIN transaction to confirm that it is being used by the legitimate cardholder. Mobile payments work along similar lines and can offer an additional level of security, because access to the relevant service requires access to the mobile handset, which can be secured through various means. For example, Apple now has a level of biometric authentication with fingerprint recognition.
Dealing with accidental payments and deliberate fraud
Whether or not you class accidental payments on contactless cards as a security issue is a matter of opinion, but it is a matter of fact that they can happen. Contactless cards and mobile payments essentially broadcast the relevant card details over a very short distance. This means that, in principle, if you happen to have one or more cards in the vicinity of a card reader, their details could be picked up and you could be charged. In this case, it might be possible to have the merchant cancel the transactions or to use a chargeback scheme. There are also some wallets available which claim to be able to block the signal between the card and the reader, meaning that users have to take their cards out physically in order for them to work. As yet, it remains to be conclusively proven how effective these are.
This then leaves the issue of deliberate fraud. The consumer association Which? carried out a study which indicated that it was technically possible to skim data from contactless cards and use it to make online transactions. These kinds of transactions would, in theory at least, probably be a matter for a chargeback scheme.