I’ve seen threads about Visa payWave security crop up on my Facebook timeline quite a few times, especially with Malaysia making the use of “Chip-and-PIN” cards compulsory as of January 2017 (last month). Most of these cards come with contactless payment options, most commonly Visa payWave.
I’m pretty sure by now everyone is familiar with contactless payment: Visa payWave is the most common type, alongside NFC phone payments (not currently supported in Malaysia) like Apple Pay and Google Wallet.
I mean look at my old ass UK Barclays Card, we’ve had contactless payments since 2007 and hardly anyone in the UK uses cash anymore as it’s just so convenient. And no, we don’t have a bunch of security issues, cloned cards and RFID card theft.
So what is the deal with the security of them? For a brief layman’s type overview check out this video first:
A lot of the concerns come from viral-type videos of people in the Subway ‘cloning’ people’s credit or debit cards whilst they are inside their handbags or wallets. It’s a neat trick, but in reality, it’s not so useful, and the person reading your card with their RFID reader is actually getting less info than if they just peeked over your shoulder at the shopping mall and looked at the front of your card.
I’m glad to see my Malaysian cards finally getting up to date with Chip-and-PIN implementation + Visa payWave contactless payment, both Debit and Credit.
I use payWave quite a lot, and I’ve gotta say the Malaysian implementation of it right now isn’t bad, but I’d like to see some improvements. I’ve had no real issues at shopping malls or places like Tesco but I’ve struggled a bit at petrol stations. And more shops need to rewire/adapt their terminals so we can enter our PIN more easily and securely (UK shops usually have separate permanent terminals solely for contactless payment and PIN entry).
But let’s talk more about the security of it, as that seems to be the concern of the majority of people. Let’s start with putting it this way: I’m an information security professional (trained, experienced and certified) and I have no issues with carrying or using contactless payment cards.
And I don’t think you should either.
In theory, if someone managed to scan your card they would have had to get their reader within 4cm of your card, with your card not being near other cards and all they would have got is your card number and your expiry date.
Your name and, most critical of all, the CVV2 code (the 3 digits on the back of your card on the signature strip) are not stored on the card so they can’t be read. Plus the card itself has a unique cryptographically signed chip in it to verify that it’s the original (that’s why chip cards are more secure than magnetic strip cards).
To do an online transaction you need those AND your physical home address and then you’ll be sent to the Verified by Visa page where you will need to enter the code sent to your phone via SMS to proceed with the purchase.
So in reality, it’s not that straightforward to steal, clone or misuse your card details.
In the absolute worst case scenario, someone stole your phone AND your card, you just need to call the Telco to cancel your SIM card and call the bank to cancel your Credit or Debit card.
If you have any further questions ask below and I’ll do my best to answer you. Security is a top priority for Visa, so use your cards without worry.
Please note the views expressed here are my own and do not represent the views of Visa and associated companies.