2. Contactless payments and security
Contactless payment limits have been raised in 29 European countries, covering most of the region. The new limits vary by country, in part due to the different currencies involved, but most of them have adopted a limit between EUR 40 to EUR 60.
Reasons for the UK and the EU raising the contactless limits
To take the UK as an example, initially, contactless payments were used to buy small items. The pandemic made contactless payments the norm, primarily as a sanitary measure. People needed to buy essentials and avoid contact as much as possible. The government had to adapt to allow customers and merchants access to safe and secure transactions.
Contactless cards were introduced back in 2007, in the UK, with a GBP 10 limit. In 2010, this was raised to GBP 15 and then to GBP 20 in 2012.
According to the UK’s HM Treasury, the proportion of debit card payments made using contactless rose from four out of 10 in 2019 to six out of 10 in September 2020. As of October 2021, there were a total of over 1.3 billion contactless transactions made.
In the wake of COVID-19, the adoption of contactless payment solutions has accelerated globally as consumers prefer low- or no-touch interactions. Visa's Back to Business Study shows that nearly two-thirds (65%) of consumers would prefer to use contactless payments as much as, or even more than, they are currently, and only 16% say they would revert to their old methods of payments, post-pandemic.
Mastercard found that over half of millennial and Gen Z consumers are likely to avoid shopping at stores that don't offer contactless payment at the point of sale. However, even baby boomers are converting - their preference for contactless increased from 45% before the pandemic to 55% today.
Today, it is the preferred choice of payment in many countries, with the contactless market set to reach a global value of USD 6.25 trillion by 2028. According to UK Finance, contactless payments jumped from just 7% to 27% of all payments over the last four years. In the UK, 83% of people now use contactless.
As a result, from 15 October 2021, retailers and merchants saw a further rise in the single payment limit for a contactless card transaction, increasing from GBP 45 to GBP 100 and the cumulative transaction limit before reauthentication will increase from GBP 130 to GBP 300.
Contactless payment limits were raised in 29 European countries, covering most of the region. The new limits vary by country, in part due to the different currencies involved, but most of them are between EUR 40 and EUR 60.
The GBP 100 UK limit is over double the EUR 50 (GBP 42) of that across the Eurozone countries such as Spain, Germany, and Portugal.
Switzerland has the next highest limit in Europe after the UK with a contactless limit of 80 Swiss Francs (GBP 63). Sweden has a contactless limit of GBP 34, while their Scandinavian neighbours Norway have a limit similar to the rest of Europe of GBP 43.
Poland has the lowest contactless limit in Europe at just GBP 18 while North Macedonia is just above at GBP 27.
Stealing cards is a popular criminal activity, with 4 in 10 thefts from 2019 involving stealing cards. Increasing the contactless limit could result in card theft rates rising. The same report advises customers to opt for more secure contactless mobile payments. They require either PIN verification or biometric identification, so they are rendered useless in case of theft. In the UK, more than 90% of citizens use a smartphone.
However, the FCA has fought against the news of the additional customer security risks, mentioning Canada, Singapore, and Australia as examples where raising the contactless payment limit was not followed by an increase in financial crime.
Research has found that the Apple and Visa contactless payment technologies can be vulnerable to fraud. Apparently, fraudsters could hack the lock screen of an iPhone to use its contactless payment features.
Moreover, researchers from ETH Zurich University found that it is possible to bypass PIN codes on Maestro and Mastercard contactless cards.
Consumer spending concerns
Research shows that people spend differently, depending on which payment methods are made available to them. Study from Warwick Business School concluded that contactless payments promote increased purchases and debt use.
However, this does not prove that consumers will purchase more due to the higher contactless payment limit. There are some, in fact, who fear that the new limit will affect their personal finance management.
Contactless payments adoption is hindered by a persistent perception that mobile wallets are not secure enough. Almost half of US consumers believe that if an attacker gets hold of their phone, they would lose their sensitive information. Payment service providers should work harder to reassure consumers that mobile wallets are safer than traditional banking instruments.
Another consumer concern is mobile payments failing when they are needed, with many people (41%) choosing to carry secondary payment options such as cash or physical cards with them.
Finally, a great customer concern is that contactless payments are not accepted where they shop. Better education on mobile payments benefits could persuade small and local businesses to provide a wider acceptance, which includes contactless payments.
How are pain points addressed?
In the UK, contactless card purchases are protected by the Consumer Credit Act. This piece of legislation protects items ranging in price from GBP 100 to GBP 30,000 if they were purchased with a credit card.
Another concern is that customers could get themselves in debt due to impulse buying. To address this, some banking apps allow users to set their own limits to avoid overspending.
Strong Customer Authentication
The limit increase has made opportunistic fraudsters active because now they can swindle people out of GBP 100 worth of goods (per transaction). They can do this simply by stealing a card.
Strong Customer Authentication (SCA) is meant to add a layer of protection to consumers’ online payments. It works by having users confirm their identity whenever they make a transaction. Contactless transactions have consumers go through the SCA process as well. Before this regulatory move, all people had to do was tap their card and make the transaction.
Payment service providers (PSPs) and card issuers have to apply Strong Customer Authentication when a customer initiates a payment, as per PSD2’s requirements. The PSPs initiate the identification either in POS or online payment (this is authentication, the process of determining whether the customer is indeed the person they say they are) Authorisation, (the request made to the card issuer to approve the transaction) comes after this process, right before the transaction is completed.
Strong customer authentication is meant to improve payment safety via two-factor authentication. This authentication method requires two of three factors – knowledge, possession, and inherence – to validate the transaction. For example, using a chip and PIN at the POS, the chip corresponding to possession and the PIN to knowledge.