Contactless cards explained
In this article
- How do contactless cards work?
- Where can I make contactless payments?
- Contactless and Oyster on Transport for London (TfL)
- Are contactless cards safe?
- Why was my contactless payment rejected?
- Can contactless cards be skimmed?
- How do I avoid contactless card fraud?
- Can I opt out of having a contactless card?
Banks routinely issue customers with contactless cards, and 57% of all card transactions were contactless in 2022.
While the idea of paying without a Pin might seem risky, fraud rates are very low, equivalent to only 6% of overall card fraud losses.
So, should you be using your contactless cards?
How do contactless cards work?
Contactless debit or credit cards allow you to pay for items without entering your Pin, using wireless near-field communication (NFC) technology that enables one device to communicate with another.
Every contactless card has a small chip in it that emits radio waves. To pay for something, you hold the card near a payment terminal, which picks up a signal and processes the transaction.
You can tell whether your card is contactless by looking for a small logo on it which consists of four small curved lines, similar to the wi-fi symbol. The logo is also displayed on payment terminals that accept contactless payments.
Where can I make contactless payments?
The vast majority of shops accept contactless cards and both Mastercard and Visa have set targets for terminals in every UK shop to accept contactless payments.
London commuters can use contactless cards through the entire transport network and Stagecoach has introduced contactless payments on its buses.
Charities have also started using 'tap-and-donate' card readers to boost donations.
The technology behind contactless cards
- A contactless card contains a chip that holds your account information and an antenna (a loop of copper wire around the edge of the card) which picks up power from the signal sent out by the card reader.
- A card-reading terminal emits an electromagnetic field - when a card enters this field it is powered 'on'.
- The chip and the reader communicate with each other using an encrypted language. The reader can then 'introduce itself' to the card.
- Only when the card recognises the reader will it 'reply' with a coded data transfer.
- The card terminal should then confirm that payment has been accepted - this usually happens instantly.
Contactless and Oyster on Transport for London (TfL)
In London you can travel around by bus, Tube, tram, DLR, London Overground, TfL Rail, Emirates Air Line, River Bus and most National Rail services using an Oyster card, a contactless card, or a mobile payments app.
An Oyster is a smartcard that you must either load with money to use as pay-as-you-go credit, or add your Travelcards and Bus & Tram Passes to.
Contactless debit or credit cards will also work on the TfL network, with the money taken directly from your account on a pay-as-you-go basis. At present, you can't add any Travelcards or Bus & Tram passes.
Using a mobile payments app such as Apple Pay or Google Wallet is no different to using a contactless payment card, although make sure your default card is the same at the beginning and end of your journey to avoid being charged the maximum fare.
Contactless can be cheaper than Oyster
TfL applies daily capping to all Oyster and contactless pay-as-you-go journeys, which means that when the total cost reaches a pre-determined limit, you won't be charged for further journeys in the same zones for the rest of that day.
But only contactless journeys benefit from a weekly cap as well as a daily cap, calculated from Monday to Sunday.
If you create an online Oyster or contactless account with TfL you can easily report your card as lost, stolen, damaged or failed and apply for refunds if your journey is delayed (by at least 15 minutes on the Underground and DLR, or 30 minutes on the Overground and TfL Rail).
Are contactless cards safe?
Broadly, yes.
The £100-per-transaction limit is one safeguard, and card issuers also restrict the number of consecutive contactless transactions that can be made before the Pin is requested.
Contactless card fraud on payment cards and devices reached £34.9million in 2022. While this is an 82% increase on the level recorded in 2021, it amounts to only 6% of overall card fraud losses.
Year-on-year comparisons should also be viewed in the context of Covid-19 lockdowns, which saw reduced opportunities for fraudsters.
How much could a thief spend on a stolen card?
In the UK, banks broadly follow the EU's second Payment Services Directive (PSD2) which means they must ask you to use chip and Pin for high value purchases, or once your cumulative contactless spend exceeds a certain level – to prove it's you using the card.
These safeguards are known as 'strong customer authentication' which also affects online banking.
The UK's departure from the EU means that we have set our own caps of:
- single contactless payments of up to £100, and
- cumulative contactless payments up to £300.
Digital wallets such as Apple Pay are exempt from the cap on transactions – though some retailers may apply the contactless limit – as are unattended payment terminals eg parking meters and transport systems.
An even safer way to pay
Apple Pay and Google Wallet can be used anywhere contactless cards are accepted.
But they're arguably safer, because retailers never see your card number. Instead, a temporary number is generated.
Your phone (or other device) will also need to be unlocked in order to make payments. And you can remotely lock your phone if it is lost or stolen.
Why was my contactless payment rejected?
Strong customer authentication rules mean that you should be asked to use chip and Pin when your cumulative spend reaches £300.
The problem, however, is that the card machine will simply reject the payment – and as these extra security checks are relatively new, shop staff may think your card has been declined.
Monzo has told customers it will send a notification in the app asking you to retry the payment, but for other card providers it won't be so clear.
If a contactless payment is rejected, it's likely that you have spent £300 across multiple contactless transactions – all you need to do is insert your card and enter your Pin.
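The £100 and £300 caps from 'How much could a thief spend on a stolen card?' and the rejection described above can be modelled as a simple counter. This is an added example, not code from any bank or card scheme: the class and function names are hypothetical, the counter reset after a chip and Pin payment and the treatment of a total of exactly £300 are assumptions, and the digital wallet and unattended terminal exemptions are not modelled.

```python
from dataclasses import dataclass

SINGLE_LIMIT_P = 100_00      # £100 single-payment cap quoted in the article, in pence
CUMULATIVE_LIMIT_P = 300_00  # £300 cumulative cap quoted in the article, in pence


@dataclass
class ContactlessCounter:
    """Hypothetical issuer-side counter for one physical card."""
    cumulative_p: int = 0  # contactless spend since the last Pin check

    def tap(self, amount_p: int) -> str:
        """Decide one contactless payment; amounts are integer pence."""
        if amount_p <= 0:
            raise ValueError("amount must be a positive number of pence")
        if amount_p > SINGLE_LIMIT_P:
            return "PIN_REQUIRED"          # over the single-payment cap
        # Assumption: a tap is allowed while the running total stays at or below £300.
        if self.cumulative_p + amount_p > CUMULATIVE_LIMIT_P:
            return "PIN_REQUIRED"          # the terminal shows this as a rejection
        self.cumulative_p += amount_p
        return "APPROVED"

    def chip_and_pin(self) -> None:
        """Assumption: a successful chip and Pin payment resets the counter."""
        self.cumulative_p = 0


def exposure_before_pin(attempts_p: list[int]) -> int:
    """Total approved by tap alone for a sequence of attempted amounts."""
    card = ContactlessCounter()
    return sum(a for a in attempts_p if card.tap(a) == "APPROVED")


if __name__ == "__main__":
    print(exposure_before_pin([100_00] * 5))   # five £100 taps on a lost card
```

Under these assumptions the amount that can be taken by tap alone is bounded by the cumulative cap, however the attempted payments are split.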
Can contactless cards be skimmed?
Banking association UK Finance says there have been no verified reports of contactless fraud on cards still in the possession of the original owner.
In theory, skimming could take place. In 2015, Which? was able to easily and cheaply acquire contactless-card technology and use this to remotely 'steal' key card details from a contactless card. We were then able to order items online, one of which was a £3,000 TV.
Someone would probably have to be uncomfortably close to you to lift your card details without you knowing - in our tests, the card had to be touched against the mobile card reading device. Other readers might be more powerful, but a criminal would still have to obtain a retail reader and corresponding account.
It is worth noting that despite skimming the card details using the NFC technology in our investigation, this type of crime would be documented as 'remote purchase fraud' and not attributed specifically to contactless fraud, because the victim would not know how the details had been obtained.
If fraud that is directly attributable to the contactless functionality of payment cards cannot always be recorded as such, the industry may not be fully aware of the risks.
How do I avoid contactless card fraud?
You can take simple steps to minimise the risk of card fraud:
Never hand over your card
If your card is taken out of your sight someone could run it through a skimming device, which copies the data from its magnetic strip. Avoid keeping cards in pockets or open bags where they are easily accessible.
Ask for a receipt
Contactless users aren't always offered a receipt, so if you want to keep track of spending and make sure you aren't being overcharged, you may need to ask for one.
Check your statements
You should do this as regularly as possible to look for unusual transactions, including on lost or stolen cards as these can still be used after being cancelled.
Can I opt out of having a contactless card?
Most banks send their customers contactless debit or credit cards by default.
If you don't want a contactless card, your provider may let you opt out, although some big banks and credit card providers don't.
Firms aren't obliged to offer you a non-contactless card but the biggest high street providers have all previously told Which? they would allow customers to choose chip and Pin debit cards instead, including: Barclays, First Direct, HSBC, Lloyds Banking Group, Nationwide, NatWest Group, The Co-operative Bank, TSB and Virgin Money.