Opinion

Why Cybersecurity is Crucial in the Age of Tap-to-Pay

Tap-to-Pay is by no means a new technological development, but thanks to the COVID-19 pandemic, it has become increasingly popular as a method of payment since it is ostensibly contactless. It is also a payment method that can be used even without a card, since many wearable devices such as smartwatches feature tap-and-go payment options.

With rumors that Apple Pay will be launching in South Africa this year, it is likely to become increasingly available. However, this raises the question: what about security? When no physical card is required, and often not even the authentication of a Personal Identification Number (PIN) for smaller transactions, who is responsible? The reality is that banks, merchants, and users all need to play their part to minimize fraud and safeguard their money.

Are contactless payments secure?

Tap-to-Pay is based on Near-Field Communication (NFC) technology, with a small chip and antenna inside either the card or the wearable device. When you tap your device against the reader, a randomised token is sent via radio waves to complete the transaction. While the concept of contactless payments might seem daunting to some, there are actually a number of inbuilt features that make them as secure as transactions where the card is inserted into the machine.

To start, because each token is randomized, it is unique and distinct to every purchase. This means that even if it is intercepted, it cannot be used again. It is also not directly linked to the card number, so hackers cannot reverse engineer this from an intercepted transaction. In addition, proximity needs to be extremely close, with the card or the wearable needing to be within a few centimeters of the reader in order to complete the payment.
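The replay resistance described above can be seen in a small model. This is an added example, not code from the article, and it is a simplified sketch rather than the actual contactless card protocol: the `Wallet` and `Issuer` classes, the `device_token` field, the HMAC construction and the card number are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def _message(token: str, counter: int, amount: int, nonce: bytes) -> bytes:
    # Everything the one-time cryptogram covers; changing any field invalidates it.
    return b"|".join([token.encode(), str(counter).encode(), str(amount).encode(), nonce])

class Wallet:
    """Card or wearable: holds a device token and a secret key, never the card number."""
    def __init__(self, device_token: str, key: bytes):
        self.device_token, self._key, self._counter = device_token, key, 0

    def tap(self, amount_cents: int, terminal_nonce: bytes) -> dict:
        self._counter += 1  # a fresh counter makes every tap produce a different token
        msg = _message(self.device_token, self._counter, amount_cents, terminal_nonce)
        return {"device_token": self.device_token, "counter": self._counter,
                "amount_cents": amount_cents, "nonce": terminal_nonce,
                "cryptogram": hmac.new(self._key, msg, hashlib.sha256).hexdigest()}

class Issuer:
    """Bank side: maps device tokens to keys, counters and the real card number."""
    def __init__(self):
        self._devices = {}  # device_token -> [key, last_counter, card_number]

    def enroll(self, card_number: str) -> Wallet:
        token, key = secrets.token_hex(8), secrets.token_bytes(32)
        self._devices[token] = [key, 0, card_number]
        return Wallet(token, key)

    def authorize(self, tx: dict) -> str:
        entry = self._devices.get(tx["device_token"])
        if entry is None:
            return "declined: unknown token"
        key, last_counter, _card = entry
        msg = _message(tx["device_token"], tx["counter"], tx["amount_cents"], tx["nonce"])
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tx["cryptogram"]):
            return "declined: bad cryptogram"
        if tx["counter"] <= last_counter:
            return "declined: replay"  # an intercepted token was presented again
        entry[1] = tx["counter"]
        return "approved"

def demo(card_number: str = "4000000000000002"):  # constructed test number
    issuer = Issuer()
    wallet = issuer.enroll(card_number)
    tx = wallet.tap(4500, secrets.token_bytes(4))
    first, replay = issuer.authorize(tx), issuer.authorize(dict(tx))
    altered = {**wallet.tap(4500, secrets.token_bytes(4)), "amount_cents": 450000}
    return first, replay, issuer.authorize(altered), tx

if __name__ == "__main__":
    print(demo()[:3])
```
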


But what about wearables and smart devices?

Many people are becoming more familiar and comfortable with tapping their card to pay, but contactless payments extend beyond the physical card. Some smartwatches like Garmin offer Garmin Pay, a wallet where payment information from participating banks can be stored and the wearable used as the payment device. The actual card number is not stored on the device; instead, the wearable uses the same NFC technology with randomised tokens as the chip in the card. Apple Pay uses the same principles as the wallet app on iPhone, Apple Watch and iPad devices, and rumour has it that this will be available in South Africa by the end of the year.

So, what does this mean for security? It adds a new element, but at the end of the day, the basic security principles still apply, and everyone involved in the payment chain has a role to play. The Payment Association of South Africa (PASA) has defined R500 as the limit for which no PIN is required, and most banks and merchants will adhere to this limit. However, there are some banks that still require random PINs to provide an additional layer of security. When a PIN is not requested, the user cannot be held liable for a fraudulent transaction, so banks have the responsibility to honour these.

From a merchant perspective, the pad device or reader needs to be protected. This is defined under the Payment Card Industry (PCI) Data Security Standard (DSS), which forms the minimum benchmark requirement for all parties involved in the payment card chain. From a user perspective, it is our responsibility to own and manage PINs and not give them out to anyone. No matter what you use to make a payment, whether it is a bank card, a watch, a phone or another device, it needs to be treated as if it is cash, because that is exactly what it is. We need to do everything we can to protect these devices.

The bottom line

Tap-to-Pay payments are safe, secure and convenient, but they are not infallible. Everyone is responsible, as always, for preventing fraud and protecting sensitive data. Users still need to be vigilant, and this now extends beyond safeguarding the card to include wearables and smartphones. 

Merchants too have a responsibility to provide a safe environment for transactions to take place and ensure the security of the reader device.

Finally, banks need to play their part by providing the highest levels of security, ensuring valuable transactions are protected by a PIN, and by honoring transactions where a PIN was not requested. As more devices become options to be used for payment, security is increasingly everyone’s responsibility.

Read the original article here

Nichole Manhire is the media and brand manager at GFA News. She works very closely with editors and podcasters that contribute to telling the African business success story. For marketing and advertising, send Nichole an email: nichole@getfundedafrica.com
