If you want a new debit or credit card in Australia, you're getting PayWave or PayPass - there's no choice. And Australian police forces, and at least some consumers, don't like it.
Police are bemoaning an increase in contactless credit and debit card fraud arising from stolen tap-and-go cards, and point to increases in handbag thefts, car break-ins and mail interception as criminals look to grab the cards and quickly spend on as many sub-$100 purchases as possible before the bank gets a stolen card report or puts the card on hold due to suspicious transaction patterns.
On a popular news panel TV show the other night, one of the presenters related the tale of a friend who had lost more than $1000 when a card was stolen. Presumably the bank/card scheme covered this loss. But when they tried to get a new card issued without the contactless payment functionality, they were told it was not possible. So, the presenter said, they were forced to take a pin (the pointy kind) to the chip to disable it. How true this is, I don't know. I expect this would cause more problems for the cardholder if they encounter POS devices that don't have working magstripe swipe readers anymore. But forcing contactless payments on consumers does demonstrate a lack of flexibility on the part of the issuing banks.
Why not enable the customer to switch off the contactless capability if they want to, or even change the transaction limit? I'm no expert in MULTOS chip architecture, but I would imagine that certain parameters could be changed when applications are loaded at the card personalisation stage of issuing.
For the banks, any recent increases in stolen and not-received card fraud are dwarfed by the dramatic rise in card-not-present fraud. So I can see it's not top of their priority list in terms of minimising their own losses. And with Australia now leading the world in per-capita adoption of contactless payments (43% of the population regularly using it according to one recent survey), they may be excused for thinking they're on the right track.
But in terms of making a customer feel that they can take responsibility for their own financial security, and that the bank respects their choices, greater flexibility could be a good thing.
I don't envy banks. Don't do contactless and face the charge of being uninnovative. Do contactless and face the charge of being inflexible. But cardwise switchability and limits are good features (assuming they're technically feasible). Banks should be able to eat the additional costs of supporting them at least on checking accounts that attract fees (assuming free checking is not the norm in Australia).
Guessing they haven't considered using Post-Issuance Script Management solutions to change the Card Floor Limit Parameters for Contactless transactions?
This kind of panic and scaremongering happened in the UK too - but there is a limit to how many consecutive contactless transactions can be performed before the Chip forces a Contact/Dipped transaction with Verification. The maximum exposure in the UK is £60 which is covered by the Issuer (their liability, not the Cardholder's).
There seems to be some confusion between the role of the OS and the role of the application in this post. To be clear, the card operating system has nothing to do with the contactless behaviour of the applications loaded onto it. This is totally down to how the issuer of the card has chosen to configure these applications during personalisation or thereafter through scripting.
Simply set the limit to 20 AUD per transaction and limit the number of consecutive contactless txns until PIN is again required (e.g. 5 in AU, 3 abroad) - and the panic will be over (if contactless limit parameters can be changed, of course). Exactly such limitations (but in EUR) were introduced in Slovakia in 2010 and it is now (together with Poland) ahead of the UK with >50% of contactless-enabled POS and was named by VISA as "hero contactless market" in 06/2013 - see more at http://www.finextra.com/blogs/fullblog.aspx?blogid=9703.
© Finextra Research 2014