We had a look at Paywave security a few years ago. The topic presents a few interesting discussion points, namely the security and the cost to the system both in terms of maintening the security and processing payments compared to other payment methods like cash of EFTPOS.
Some consumers would prefer to avoid the new technology in its various iterations, but here and overseas it seems everyone is happily tapping away for the convenience. I visited a parking station just this weekend, and tapping your card accounted for 95% of the payment options, and other districts have gone completely cashless.
What are your thoughts on Paywave/TapNGo and contactless payments? Add your reasons in the comments below.
It saves time and I havenât had any issues
I donât like it and would prefer it if I could opt out
I like some of the convenience it provides but I do use some security to avoid inadvertent and malicious scanning of my cards, not just for the paywave part but the info held on the chips (I have several keyless entry cards).
A bit OT but related. US origin cards are comparatively new to paywave/tapngo. I have one from a US major, only 2 years old and it remains powered by steam rather than technology.
Most US issued cards got chipped comparatively recently, and most do not require PINs except for cash advance features in ATMs. US cards once required signatures but recently they no longer require signatures (at least when used in the US).
Is paywave/tapngo less secure than that? The issuers build in fraud to their costs and we all pay for it. One argument that often holds is that the cost of real fraud prevention is usually far more than writing off the cost of fraud, and the customers pay either way, so there is âless overheadâ by going with the most efficient way.
Writing off fraud is also a tax deduction, so between that and actual costs there is not a lot of impetus to tightn it up if it diminishes card use.
Whether paywave/tapngo affect personal security so far seems the realm of hacker demonstration to sell countervailing protections, not because so many cards are being skimmed compared to how many traditional cards were skimmed. I have no evidence nor citation for that personal opinion.
When it was first introduced, I was concerned about the securityâŠif one loseâs (or oneâs card is stolen), there is no additional level of security to prevent unauthorised use. The unauthorised use would only cease once the card is reported lost/stolen.
I contacted our bank (Suncorp) at the time to see if we could have our visa debit card without the Paywave function to be told that non-Paywave option was not available and also told about the protection provided by the bank/Visa in relation to unauthorised use.
Since there was no other option that to have the card with Paywave (unless we changed banks hoping that the new bank either did not adopt the technology or had a option for a non-Paywave cardâŠwhich at the time after a bit of research seemed unlikely), we started using it.
Initially I was concerned about ease of use, including for potentially unauthorised transactions, but have become accustomed to using it for the purchase of items less than $100. We decided to use it because it makes no difference whether you do or not it the card allows Paywave payments.
On our recent travels overseas to Europe, we found that the technology is embraced there as well. Even to the point where often we would insert the card into the reader, for it only to be removed by the checkout operator and then the operator Paywaving our card.
I also believe that touchless/cashless technologies will become more the norm and it is likely other countries who try and follow China which plans to become cashless in coming years. I can see from a regulatory and corruption point of view, there are benefitsâŠhowever, it also means more data collected and data mining by organisations.
Is this an effective solution to a problem or is it another web myth/snake oil?
Maybe I could trade in my stainless steel colander and get a bucket hat made of the shieldâs materials. My existing hat to protect from extraterrestrial/government satellite mind reading looks a bit like this one:
Itâs good for small transactions, however there is no simple way of changing how a card works.
Iâd prefer one card that has the features that is linked to just one account, with a second card that does not have it as a feature but has multiple accounts and features linked.
Perhaps the solution is to move all else to a mobile bank app, or use Apple Pay and get a card that does not have the contactless payment turned on. Neither seem to be total solutions at present. There are still too many small traders who take your card to tap it on their machine, so we always ask for the receipt and check the details.
The only issue we have had to date is with retailers whose trading or store name is not their business name (trustees note). If we did not get a receipt consistently we always had issues trying to recognise some of the many small transactions from a month prior.
Paywave cards are a thiefâs delight. You see constantly in the news about stolen cards used multiple times under the usual $100 limit. I would like two things. 1) PIN only activation. 2) Your photo to appear on the card. I lived in the USA for a few years and recall that you could then use cheques to pay accounts. However, there was a camera that took a photo of you and your cheque. With the advance of technology, why cant a similar system be brought into operation when using a card?
There was a period where many US card issuers let you send in a photo to add to your card. Over time photos became less popular as cards could be and were often used online rather than in person, no photo match required for ecommerce if that makes a point.
The skills to create a forgery are usually a step ahead of attempts to make it impossible, and as with many things the cost of âdoing it rightâ is reported to be far higher than the âcost of writing fraud offâ. Even chips are not foolproof security because they are only verified when used in physical terminals.
That seems reasonable until one accepts the issuers have different goals from us customers. Their priority is processing volumes and making card use as quick and easy for the merchant as possible. Our convenience is also up there whilst security is secondary. If we notice fraud the issuers are usually happy to write it off after processes are followed, often with new cards issued and old ones deleted as their âanswerâ. How does a secure PIN work with ecommerce in comparison to the CVC code?
How do we know they do not? Excepting when we use our cards on the net how to do? And by phone?
There is also technology for two-step verification, but how many of us would accept being bothered by that for every charge? Make a charge, get an SMS (assuming you had your phone and it was in a service area), use the one time PIN for the transaction - how long, and how reliable, etc?
I have no issues with PayWave et al. I am careful with my wallet. I would like to see our banks being required to permit ApplePay as that is safer than PayWave cards as a fingerprint is needed to close the transaction. Thereâs only a couple of banks that have agreed to ApplePay - the rest want to get your personal spending information via their house cards.
I donât have a problem with flash-your-cash (PayWave/Tap&Go etc.). I have an issue with the fact that itâs always functioning, and I have no way to control it.
I donât like the bank foisting their preferred solutions onto me when I have no choice. These solutions invariably serve the banksâ interests, not ours.
What I want is more security so that it can not be scanned while in my pocket. Yes I know I can take measures to protect it. I shouldnât have to have to buy a wallet with a Faraday cage built into it. Two ideas are:
some sort of slide cover over the cardâs chip (like the metal protector on the old 3.5" floppy drives) that needs to be pulled back to expose the chip to use it. Otherwise the chip is âhiddenâ both visually and electronically. OR
a fingerprint scanner that has to recognise the user before the chip can function.
Step away from the tourist arrows down the pavement and card payment is harder to find. Cash is still King or Queen or?
Added note: Cash is also secure against Card scanning, or misuse of your card details by the staff or merchant you may never see again after travelling.
A good idea on the slide, but one that would need an approach that isnât about covering the chip itself. The antenna the chip uses to get and send the signal is wrapped in the larger plastic surrounding the chip. The idea of the slide in this case would not stop the skimming. It would need a way for the antenna to be disconnected from the chip, so perhaps some sort of slide that makes or breaks the connection is the way to go.
Using the slide then would mean getting into a habit of using it, as it could be very easy to forget to slide it to âoffâ after usage.
Perhaps the way to go would be to have the cards remain in an inactive mode until some physical action is undertaken, such as touching the cards or depressing something on them?
The capacitance of the human finger like some screens use or a micro button on them.
My switch would be permanently in the off position as I prefer the stronger security of âpokingâ or âstrokingâ down the side, rather than just the genteel wave.
Not sure where you got that pic, but we appreciate the suggestion on paywave shields.
