Once touted as the future, contactless payments never achieved mass popularity. Shoppers preferred the familiar swipe, dip, PIN-entry, and signature. The Covid-19 pandemic will likely change that as consumers are now more conscious of what they touch.
In this article, I will discuss NFC (near field communication), the technology that powers almost all in-store contactless payments. I’ll explain how NFC works and how its payments are secured. I’ll also examine the advantages of NFC along with challenges to overcome before such payments are anything other than a novelty.
A contactless payment does not require the customer to touch a merchant’s point-of-sale equipment. Instead of touching PIN-pads and pens to authorize transactions, a contactless payment allows customers to wave their payment method close to a payment reader. This is commonly called tap-to-pay, but “tap” is not the best description. A tap is not required. It’s enough to move the payment method close to the reading device.
NFC facilitates many contactless devices. The most common are NFC-enabled credit cards and smartphones, but non-payment devices such as key fobs, watches, fitness trackers, wristbands, and other wearables can also contain NFC chips, commonly referred to as NFC tags.
To check if a device is enabled, look for the contactless payment symbol — four curved lines forming a radio signal. Thanks to Covid-19, we’ll be seeing a lot more of these symbols.
Near field communication is a way for two devices to communicate over radio waves. The term “near field” is used because the signal range is very small — no more than two inches, typically. For NFC payments, the two devices are usually a smartphone that stores credit card details and a contactless-enabled point-of-sale terminal. Almost all new credit cards have embedded NFC tags, too.
Communication between NFC devices is either passive or active.
Passive NFC transactions require only one device to supply electrical power. The passive device (commonly a plastic credit card) receives its power from the radio waves emitted by the reading device. For payments, the NFC point-of-sale terminal constantly emits radio waves while waiting for a passive device to enter its field. When that occurs, the credit card details are transferred to the reader.
Interestingly, if you were to disassemble a contactless credit card, you would find a very thin wire antenna wrapped around the perimeter of the card. It’s this tiny antenna that transmits your credit card details over radio signals to the NFC terminal.
An active NFC transaction occurs when each device provides its own power. A smartphone is a good example of an active device. Apple Pay, Google Pay, and many other payment apps use NFC to perform active transactions. Both devices in an active transaction can transmit and read information over the near field.
3 NFC Modes
There are three modes of NFC communications: reader, peer-to-peer, and card emulation. Each can be used for payments.
- Reader mode. A type of passive NFC transaction in which the reading device supplies power and reads the information on the NFC tags. For payments, contactless-enabled credit cards are the primary example of passive transactions.
- Peer-to-peer mode. In peer-to-peer mode, two active devices communicate over the radio-wave field. Typically, NFC peer-to-peer mode is used for sharing documents and images and not payments, even though there’s nothing technically that prevents payments over peer-to-peer connections. It just hasn’t caught on. Most peer-to-peer payment services (e.g., Venmo) rely on cloud-based internet communications to initiate money transfers, not NFC.
- Card-emulation mode. Apple Pay, Google Pay, and most of the tap-to-pay smartphone apps use NFC card-emulation mode in which one of the devices emulates a payment card. Indeed, when Apple Pay is installed and activated, your phone becomes your card. Card-emulating devices contain an NFC antenna (usually wrapped around the battery on the back of the phone) and an embedded NFC tag that can transmit the card’s details. Because of security requirements, credit card details are not stored in NFC tags but in protected areas called “secure elements” (see below). Only when the sensitive information needs to be transmitted does the NFC tag play a role in card emulation.
Several layers of security protect NFC contactless payments.
- The near field. The distance between two devices in an NFC transaction is no more than two inches. Thus it’s impossible for someone to scan your contactless card unless he is within your near field, which would be two inches or less from your device or card.
- Cryptography and tokenization. If someone entered your two-inch near field in an attempt to scan your contactless card (and you didn’t notice), the card details remain encrypted and tokenized. He could not use the information as he could not decrypt it.
- No magnetic stripe data. Information stored on a credit card’s magnetic stripe is not secure. Magnetic stripes can be scanned, copied, and used elsewhere. Thankfully, NFC payments are secured by a standard called EMV (Europay, Mastercard, and Visa, the three companies that created it), which, unlike magnetic stripe technology, always requires card details to be encrypted and tokenized.
- Secure elements. In NFC card-emulation mode, credit card details are stored in a secure element, a secure, encrypted, and tamper-proof area. Access to the secure element is highly restricted and protected by many layers of cryptography. Additionally, attempting to break into the secure element will cause it to self-destruct. (A microscope and highly specialized equipment are required.)
- Spending limits and PIN entry. The card brands (e.g., Visa, Mastercard, American Express, Discover) along with acquirers and merchants can implement additional restrictions on contactless payments. For example, each card brand mandates spending limits for contactless payments. When a customer attempts to pay for an item via contactless payments that exceeds the spending limit, the point-of-sale device will require the customer to enter her PIN.
Merchants and their acquirers (i.e., merchant account providers) can also configure their contactless terminals to prompt for a PIN if the contactless card is used for multiple purchases in a short period.
Advantages and Challenges
The Covid-19 pandemic will likely force brick-and-mortar merchants to reduce crowding, especially around high-traffic checkout lines, as well as to limit physical contacts, such as handling merchandise, opening doors, and pressing PIN-pads and self-service computer stations. Contactless payments help as they require fewer touches. An added benefit is faster in-store checkouts.
However, before they become universally accepted, contactless NFC payments must be overcome several challenges, including:
- PIN entry. Again, PIN entry ensures that the payee is the owner of the contactless device or card. But, PIN entry defeats the purpose of no-touch payments. Biometrics such as facial recognition could become the next PIN. That is unlikely, though, because of the privacy issues with facial recognition and the costs of purchasing and installing the equipment. In the meantime, during the pandemic, merchants will likely have to sanitize their PIN-pads after each transaction.
- Spending limits. Contactless payments were designed for quick, low-value, low-risk payments. Buying a cup of coffee is a good example. But, what if a consumer wants to purchase something more expensive? Current rules do not allow high-value contactless transactions.
- Poor reputation and fear. NFC has a reputation for being insecure. NFC payments are usually more secure than other methods, however. (Cash and wallets can be stolen; ecommerce sites and databases can be hacked; identities can be stolen and forged.) NFC must shake its not-for-commerce reputation to go mainstream.
- Lack of merchant acceptance. Despite the convenience and checkout speed, many merchants have not upgraded their point-of-sale terminals and PIN-pads to be NFC-enabled. The process is expensive and, pre-pandemic, there wasn’t an urgent need. Until physical stores broadly accept NFC payments, most consumers will not likely pay with their phones or contactless cards.