Last September the Smart Card Alliance recommended the use of contactless cards in the US as a means to improve security and help reduce fraud. The unique cryptogram generated for each contactless transaction provides an additional factor for verifying the transaction and also helps avoid skimming and replay attacks.
But the cryptogram only helps validate the transaction; it does not verify that the user is genuine. This is fine for low-value transactions (the initial target of contactless cards), as the potential loss to an issuer from a card being stolen or used fraudulently is small, but how are higher-value transactions secured? For higher values, US contactless cards would require either a PIN or a signature to authenticate the user.
PIN verification is not necessarily a sensible choice for credit card users as they may never use their cards in an ATM and therefore may not know their PIN. However, contactless PIN debit is an option and, as it is less expensive for merchants than signature debit, it is generally preferred by them. So, if PIN debit were widely available as a means of authenticating higher value contactless card transactions, merchants would be likely to take up contactless card acceptance enthusiastically, particularly since studies have shown that part of the motivation behind offering contactless is additional revenue due to the use of a payment card instead of cash.
Contactless cards have the potential to improve the security of US card transactions as a whole and also offer the prospect of significantly growing card transaction volumes as they displace cash. However, to reap the benefits of this technology the industry must ensure that merchants are fully on board. Offering a system that is not only secure but also attractive to merchants for all transaction values could be one of the critical steps towards achieving this goal.