Contactless payments, as implemented by American Express, Discover Network, MasterCard and Visa, are secure. The financial payment networks used to process contactless payments are the same networks that process millions of magnetic stripe transactions securely today.
The primary difference is that the contactless payment device (card, fob or other form factor) uses radio frequency technology (RFID) to send payment account information to the merchant’s point-of-sale terminal instead of requiring the payment card’s magnetic stripe to be physically read.
Contactless payment devices are designed to operate at very short ranges (less than 2-4 inches) with the POS, and can include additional security elements to further enhance security.
The financial payments industry has designed multiple layers of security throughout the traditional credit and debit payment systems to protect all parties involved in a payment transaction. Most of these protective measures are independent of the technology used to transfer the consumer payment account information from the payment card or device to the merchant POS terminal and are used for both magnetic stripe and contactless transactions. For example, for online authorizations, risk management and fraud detection systems are used to detect potential fraudulent activity for any credit or debit card payment transaction. Consumers are further protected by the liability protection programs offered by the various payment brands and their issuing banks for transactions that may have been made fraudulently using their credit or debit accounts.
Radio Frequency Identification (RFID) waves are frequencies within the electromagnetic spectrum associated with radio wave propagation. Contactless smart cards used for making payments are designed to operate with short-range (less than 2-4 inches) RFID technology and can support the robust security capabilities of contact smart cards.
Contactless cards can predominantly be used with existing chip-based and EMV technology infrastructure, with modifications by the payment brands to make them interoperable at the point of sale.
- Contactless cards follow Dynamic Data Authentication (DDA).
- Data validation of the card is performed using encryption keys. A key is a numeric value that is used as part of an operation to encrypt or decrypt data. To perform offline data authentication, terminals must be loaded with Certification Authority Public Keys (CA PKs), i.e. from VISA, MasterCard, RuPay, etc. Acquirers and merchants are responsible for registering, managing and updating the keys provided by the payment network.
- Existing POS terminals that are used for contactless payment need to be upgraded to support DDA.
- Cardholder verification can be completed on the contactless payment device prior to initiating any payment transactions. There is no provision for verifying the genuine cardholder.
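The offline data authentication chain described in the list above, as an added Python sketch that is not from the original page or from any payment network's specification: the terminal trusts only the CA public keys loaded into it, verifies the issuer and card (ICC) certificates against them, then checks the card's signature over a fresh terminal challenge. The keys are constructed toy values, the signing is textbook RSA without EMV's certificate formats or padding, and all function and field names are assumptions for illustration.

```python
import hashlib, os

E = 65537
M = {k: 2**k - 1 for k in (61, 89, 107, 127)}  # Mersenne primes: toy key material only

def keypair(p, q):
    n = p * q
    return n, pow(E, -1, (p - 1) * (q - 1))  # (public modulus, private exponent)

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, n, d):
    return pow(digest(data, n), d, n)

def verify(data, sig, n):
    return pow(sig, E, n) == digest(data, n)

def issue_cert(subject_n, signer_n, signer_d):
    # Simplified certificate: the subject's modulus plus the signer's signature over it
    return {"n": subject_n, "sig": sign(str(subject_n).encode(), signer_n, signer_d)}

# Constructed hierarchy: payment network CA -> issuer -> card (ICC)
CA_N, CA_D = keypair(M[89], M[127])
ISS_N, ISS_D = keypair(M[61], M[107])
ICC_N, ICC_D = keypair(M[61], M[89])
ISSUER_CERT = issue_cert(ISS_N, CA_N, CA_D)
ICC_CERT = issue_cert(ICC_N, ISS_N, ISS_D)

def card_respond(unpredictable_number):
    """Card side: sign the terminal's challenge with the ICC private key."""
    return {"issuer_cert": ISSUER_CERT, "icc_cert": ICC_CERT,
            "sdad": sign(unpredictable_number, ICC_N, ICC_D)}

def terminal_verify(ca_keys, ca_index, resp, unpredictable_number):
    """Terminal side: walk CA -> issuer -> ICC, then check the dynamic signature."""
    ca_n = ca_keys.get(ca_index)
    if ca_n is None:
        return "no CA public key loaded"
    iss, icc = resp["issuer_cert"], resp["icc_cert"]
    if not verify(str(iss["n"]).encode(), iss["sig"], ca_n):
        return "issuer certificate rejected"
    if not verify(str(icc["n"]).encode(), icc["sig"], iss["n"]):
        return "ICC certificate rejected"
    if not verify(unpredictable_number, resp["sdad"], icc["n"]):
        return "dynamic signature rejected"
    return "DDA passed"

if __name__ == "__main__":
    un = os.urandom(4)  # fresh challenge per transaction
    print(terminal_verify({"01": CA_N}, "01", card_respond(un), un))
```

Because the signature covers the terminal's challenge, a response recorded from one transaction does not verify against the next, and a terminal whose CA key table is missing or stale cannot authenticate the card at all.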
In order to use contactless payment technology, a card member simply places their contactless-enabled device in close proximity of the American Express contactless payments POS terminal. Contactless POS transactions are processed via the acquirer and American Express network to the issuer, per standard transaction processing. The issuer will be able to identify contactless transactions through specific indicators in authorization and settlement messages.
EMV Mode – Designed for those issuers and acquirers who support EMV data, the terminal sends all of the standard EMV data elements in the authorization and settlement messages, allowing use of EMV security features.
Magstripe Mode – Designed for issuers and acquirers who do not accept EMV data, the terminal sends data for authorization and clearing submissions in a similar format as traditional magnetic stripe transactions. Importantly, the terminal and card interactions are still based on EMV, enabling some EMV security features to be utilized.
In an EMV transaction, the card and terminal communicate and use issuer-defined risk parameters that are set in the card to determine whether the transaction can be authorized.
Contactless card – Transaction Flow
There are two types of transactions: on-us and off-us. The accounting procedure for contactless cards is similar to existing debit card/EMV card processing.
- Merchant submits transaction to acquirer
- Acquirer reimburses merchant for amount of transaction less commission
- Acquirer submits transaction to payment network provider
- Payment network provider reimburses acquirer for amount of transaction less acquirer interchange fees
- Transaction is submitted to issuer
- Issuer reimburses the payment network provider for amount of transaction less interchange fees
- Issuer bills cardholder for amount of transaction
- Cardholder makes payment to issuer bank