The UK’s FCA has set out measures to tackle contactless card fraud on contactless cards which have been reported lost or stolen.
In a letter to the Treasury select committee, the Financial Conduct Authority (FCA) said consumer losses on contactless payments were relatively small but in some circumstances cards could be used by a fraudster several months after it had been cancelled.
A Guardian investigation in 2015 revealed that banks do not automatically check contactless payments, allowing thieves to continue to use stolen cards after they have been cancelled. The problem arises because many payments are waived through offline and checked later.
The Guardian found many banks placed the onus on customers to identify rogue payments. As a result, some fraud is going undetected because people who have cancelled their cards wrongly assume they can no longer be used.
In his letter to the committee, the FCA chair, John Griffith-Jones, said it was urging banks to remove “any onus on customers to identify fraudulent transactions”. It was also considering technical fixes as well as providing customers with more clarity on clearing times for contactless payments.
Griffith-Jones pointed out that contactless fraud represented only about 0.5% of overall card fraud. But he conceded: “We agree public confidence could be eroded without further action.” Experts say the true level of losses may be higher.
Committee member Rachel Reeves, the Labour MP who questioned the FCA about the problem in January, said: “The security flaws that allow fraudsters to use contactless cards even after they have been cancelled need to be tackled urgently. Customers are in the unacceptable situation that they are still vulnerable to fraudulent transactions despite reporting their cards lost or stolen.”
When payments are processed online, the card and payment machine immediately communicates with the customer’s bank. If a lost or stolen card has been cancelled, this will be flagged and payments forbidden.
Offline payments are stored in batches by retailers and processed online to the bank at a later point – at some smaller stores this can be a few days later. This delay can allow thieves to go undetected.
But fraudsters can be tripped up if the contactless card has been used the maximum number of times before a pin is required. The limit before identification is required varies between card issuers and account types.
Firms may also set a limit after which payments are forced to go online, meaning anything above a certain amount is checked immediately with the issuing bank. Some cards may always have to go online.