Andrew Bailey, chief executive of the Financial Conduct Authority, says the regulator is working with card schemes and banks to stamp out post-cancellation contactless card fraud, following MoneySavingExpert.com's investigation last year. Views do not necessarily reflect those of MSE.
Many of you may have seen news reports about the risk of lost or stolen contactless cards being used fraudulently even after they've been cancelled.
This is an issue that we at the Financial Conduct Authority take very seriously. We are aware that, in limited circumstances, it is possible for a cancelled contactless card to be used by fraudsters. While there are controls in place and the overall risk is low, we have been urgently working with card schemes and banks to ensure this issue is fixed.
We know that the use of contactless cards is increasing. There are 102.7 million contactless cards in issue in the UK and currently the average contactless transaction is for £9.52. The scale of contactless fraud is low. In 2015, this type of fraud accounted for just under 0.036% of transactions by value and, over the same period, contactless card fraud represented around 0.5% of total card fraud.
But that is no consolation if you are the victim of fraud, and so it is not enough.
There are a number of controls in place to limit the risk of contactless card fraud and, importantly, customers are entitled to a full and immediate refund from the bank if fraudsters use contactless cards in this way.
There is a limit on the value of each contactless transaction (currently £30) before a chip and PIN transaction is required. There are also limits on the number of times you can use a contactless card consecutively before a PIN is required.
Just over half of all payments made on contactless cards are processed immediately, so the risk of fraud is reduced as the payment is automatically checked against a database of lost or stolen cards.
However, 45% of payments made on contactless cards are not processed immediately; they are processed 'offline', which means the payments are stored and processed later. This is because it can be more cost-effective or convenient for retailers to process payments this way.
Another reason is that some payments can't be processed immediately – this includes in-flight purchases on planes or 'capped daily charging models', such as Transport for London. This increases the risk of fraud because the payment doesn't get checked against the database until after it has been accepted.
Visa and Mastercard have a lower cap on the value of transactions that are allowed to be processed offline.
Later this year, Visa will require that almost all Visa contactless transactions in the UK are processed immediately. This will give issuing banks greater visibility on transactions and will enable them to prevent transactions being completed on cards that have been cancelled.
In addition, some card issuers also have their own controls in place such as a lower cap on total contactless spending before a PIN is required. Some issuers provide only contactless cards which lack an offline capability altogether, eg, children's accounts.
Finally some, but not all, card issuers have systems which identify and block cancelled card transactions before they are debited from customer accounts.
We will continue to work closely with the industry to reduce the risk of this type of fraud. If you believe you are a victim of this type of fraud, contact your bank immediately. If a fraudster has used your card, you will be entitled to a full and immediate refund from the bank.