The Time for Tap-to-Pay is Now!

Almost overnight the coronavirus pandemic has literally changed our world.

Things we touched a couple of weeks ago without a second thought are now scrutinized. A trip to the store has become a monumental endeavor. And don’t even think about paying with cash!

Smart Cards aren't really all that smart. At least not in the U.S.

If only there were a way to pay without touching anything.
Oh wait… there is!

The word “contactless” has entered our collective vocabulary as retailers and restaurants struggle to stay afloat. Drive-up order pickup is now common for everything from liquor to electronics, but how those orders are paid for often involves… contact. Mobile apps offer one solution where consumers can prepay for their goods. What if your business doesn’t already have an app? It’s going to be a challenge to develop one overnight–especially one that offers e-commerce functionality. So most businesses are using their standard pre-coronavirus credit card solutions, which often require physical interaction—a card is handed back and forth. Unfortunately for us, contactless payment isn’t quite as universal as it should be in a COVID-19 world.

Little known and underused hero of our story: Contactless Payments

Tap-to-Pay, tap payments, contactless… it goes by many names. Many consumer credit cards include an NFC tag (near-field communication). You can tell by checking your credit card for the little WiFi-looking thingy. This means instead of poking the card into a machine to read the chip you can place it in close proximity and “scan” the chip. You should be able to use this feature at any terminal with the Tap-to-Pay logo (above). Typically this also indicates you can pay with your smartphone (more on that later).

The convenience of this is immediately obvious. The typical chip card transaction (or “dip” as it’s known in the trade) takes what seems like forever. Tapping seems relatively instant. And truly contactless. Visa states that 40% of face-to-face transactions work this way outside the U.S. In Canada 70% of purchases under $50 are bought with a tap. But Americans have been slow to catch on to the idea of tapping.

It’s not totally our fault. There is a ton of misinformation and horror stories about the security of NFC, and chip cards in general. Urban legends range from paying for someone else’s groceries to being tracked by the NSA. Even though no one has documented a single case of thieves “scanning your pocket,” a booming business exists in RFID-shielded wallets. Sadly, those of us who do dare to use this technology are often thwarted at the point of sale. My personal experience has been many terminals have the capability, but for whatever reason, they do not work.

In Europe almost every credit card terminal offers this feature. If you’re wondering why we’re behind, you have to understand something called EMV ( Europay, Mastercard and Visa). Or more accurately, how EMV is being implemented here in the US.

EMV basically refers to “smart credit cards” that use a chip resembling a SIM card. I used quotes because the implementation of EMV in the US has crippled a good deal of their smartness. Since the Stone Age we have swiped credit cards and a reader gathered plain-vanilla text from a magnetic stripe. The card number, your name, etc. Then, in the Nineties, Europe mandated a new system requiring the user to enter a PIN along with their fancy new chip card (think two-factor authentication).

Infrared Thermometer
Infrared Thermometer
Measure temperatures from afar!

Thus counterfeit credit card fraud (or “card present” as it’s called) is almost unknown in the EU. But American card processors do not require the PIN for card present transactions, and instead allow chip-and-sign (or chip-and-scribble as it’s known). The merchant then authenticates the transaction by confirming your signature (ahem). Unsurprisingly the United States is pretty much the only major market where credit cards still rely on a magnetic stripe to store your data. And skimmers, phishing and counterfeit credit cards are rampant.

If EMV were fully implemented it would stop this madness. The original EMV deadline of 2015 was only enforced for some retailers. But there are so many magnetic swipe readers still in service (most notably at gas stations) the PIN method of payment is still not required. Last week, due to the impact of the coronavirus, gas stations requested the deadline for the implementation of EMV at the pump be pushed back. Again.

Anyway, back to the tap…
Since our chip cards are not chip-and-PIN the contactless card transaction is not really verified. At least, not verified in any meaningful way. You might be surprised it’s probably more secure to pay with the app on your smartphone. Paying with your phone is more closely aligned with the original intent of an EMV transaction:

  1. Physical device (your phone or a card)
  2. Something you know (a PIN)
  3. Then only if they match is the transaction is authenticated.

Google Pay or Apple Pay provide contactless payment methods that are encrypted. So your phone is more secure than your wallet, assuming you lock your phone with something more secure than 1-2-3. With either system your card number is only exposed when you initially set it up. Apple’s solution uses something called “tokenization,” while Google uses a virtual credit card number. I like the Google methodology because the merchant never sees my actual credit card number. Thieves intercepting the transaction data would only gain a useless stand-in card number!

So the next time you’re at the store of filling up, try paying with a tap. If you see the symbol but the card reader doesn’t work… tell them! Now more than ever Tap-to-Pay technology is needed. Heck, you might even save a life.

 Photo by Clay Banks on Unsplash

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d