Payment technology has rapidly changed over the last several years, especially as the COVID-19 pandemic contributed to the rapid adoption of contactless cards and digital payments. Contactless or “tap-to-pay” cards are credit or debit cards that allow consumers to pay by tapping their card to the payment terminal, rather than swiping or inserting the card.
But such a seemingly simple method of payment has made some people worry about the security of using contactless cards. One such concern is skimming — a method of fraud in which someone steals your credit card information at a gas pump, ATM or payment terminal by attaching a piece of technology to the card reader.
Is tap-to-pay less vulnerable to credit card skimming than swiping or inserting?
Yes, tap-to-pay is less vulnerable to credit card skimming than swiping or inserting.
WHAT WE FOUND
The tap-to-pay method of payment used in contactless card transactions does not put the card in contact with card skimmers, which are typically hidden inside of card readers. Card skimmers record and store credit card information and PINs that can be recovered later to create counterfeit duplicates, which are then used to steal from victims’ accounts, the FBI says. Skimmers will sometimes be attached to the internal wiring of a fuel pump’s card reader or fit over the original card reader at an ATM or point-of-sale terminal.
A majority of these devices are designed to steal information from card swipes, although some are capable of targeting chip payments, the FBI says.
When you tap to pay, your card never makes physical contact with the payment terminal’s card reader, PayPal says. Instead, it sends a one-time code containing your payment information to a payment processor.
The card communicates with the payment terminal through radio waves, says IDX, a consumer privacy company. These radio waves utilize “near field communication” technology that keeps the radio waves within a few inches of the card, ideally just one or two inches, says Thales, a tech company that provides data security for banks and financial transactions.
Even if someone tried to use a radio wave skimmer, it’s unlikely they would be able to access your card’s information.
First, a fraudster would have to get the skimmer close enough to the card, which would mean getting it within just a few inches of the card. Contactless cards will only communicate with a genuine payment terminal provided by a payment or credit card company, Thales says, and they won’t try to communicate with these terminals until the cashier rings up the sale, according to Clover, a company that creates payment systems for businesses.
In the event a fraudster does somehow manage to intercept this communication and skim the data, they still don’t have access to your card information. When you tap your card, it exchanges a unique, encrypted code instead of your credit card number and billing address, PayPal says. U.S. Bank says this code cannot be reused.
In other words, the code is useless to a fraudster, U.S. Bank says.
That makes it extremely difficult, if not impossible, to access someone’s credit card information by skimming a contactless card payment. Fraudsters can access the data skimmed through chip and swipe payments without cracking codes.
Contactless ATMs work the same way as contactless payments and therefore also benefit from the security of unique, encrypted codes, says Chargeback Gurus, a chargeback management and data security company.
However, this security only applies to contactless, tap-to-pay transactions. Many contactless cards still have the magnetic stripe necessary to make swipe payments in case a merchant doesn’t have a tap-to-pay terminal. Swiping these cards exposes them to the same skimming risk as any other card, Clover says.
Experts say that tap-to-pay and chip payments are both more secure than swipe payments.