American Express is considering big changes to the way it processes payments in a bid to stop fraud on lost or stolen contactless cards which have been cancelled, MoneySavingExpert.com can reveal.
The card scheme says it's "reviewing options" including one which would force almost all contactless payments made on its cards to happen 'online' - meaning retailers must check immediately with banks to see if a card has been cancelled.
The news comes just days after Visa, the UK's largest card scheme, committed to forcing all its contactless UK card payments online from June.
Why contactless cards are vulnerable
Amex and Visa's decision to review their payment processes comes after a MoneySavingExpert.com investigation last September found fraudsters can make purchases on lost or stolen contactless cards many months after the cards are cancelled by their rightful owners.
Our six-month campaign on the issue resulted in a key victory last week, with the financial regulator finally outlining steps to clamp down on the vulnerability - though it's yet to clarify exactly how its solutions will work.
For a full explanation of how lost or stolen cards can be used by fraudsters after cancellation, read our investigation. But in brief, the issue arises because shops sometimes process lower-value transactions 'offline'. This means they don't immediately check with your bank when a payment is made on your card, so cancelled cards may not receive the instruction from the bank to stop working.
Contactless cards are particularly at risk of being used after cancellation because you don't need to enter a PIN each time you use them. The cards do stop working eventually, due to a number of industry-wide security measures – but this can be months or even years after cancellation.
There are differences between how banks, building societies and credit card companies deal with such fraud – some take proactive steps to warn customers or block payments, while others make it the customer's responsibility to spot the fraud, running the risk it could go undetected.
How stopping offline processing will help
Because 'offline' processing can allow transactions on cancelled cards to slip through the net, the card industry is looking at ways of forcing more payments online.
Last week Visa told us it's planning to force retailers to make all contactless transactions online by reducing its 'floor limit' - the level at which payments are forced online - from the current level of £15 to £0.
Amex now says it's considering the same solution, with a spokesperson telling MoneySavingExpert.com: "American Express takes all types of card fraud very seriously and is currently reviewing options, including a zero floor limit, to ensure those who cancel their cards are protected against contactless fraud."
However Mastercard is tight-lipped about the issue, saying only that it's "continuing to work with the rest of the industry to reduce the low levels of fraud seen on cancelled cards, without impacting the ease and convenience of contactless that consumers enjoy."
Banks and building societies are also able to set a £0 floor limit on cards they issue, and some already do so for debit cards linked to child accounts or basic bank accounts. However the vast majority of contactless cards in the UK currently have a floor limit higher than £0 and so they can be used to make offline payments.
Adjusting the floor limit isn't the only way to ensure more payments happen online. Banking app Monzo issues prepaid Mastercards which contain an inbuilt preference for making payments online, overriding the preference of most card terminals to process them offline. The firm plans to roll this technology out to current account-linked debit cards later this year.
'Banks need to do much more'
Card schemes' efforts to tackle this type of fraud have met with a cautious welcome from Rachel Reeves MP, a leading Treasury Committee member who has repeatedly taken up the issue on behalf of consumers.
Reeves said: "Consumers deserve to know that their contactless cards cannot be used after cancellation. I welcome statements from Visa and now American Express that they are looking to tackle this issue, but would urge a greater sense of urgency as we are seeing huge growth in the use of contactless cards. I hope other providers will follow suit so that all customers can feel safe using contactless cards.
She added that high street banks "need to be doing much more to help their customers feel more confident about being protected against fraud. Most banks are still failing to notify customers if they think their cards are being used fraudulently. This must change. Their complacency on this issue has been disappointing and I have expressed my concerns around this to the Financial Conduct Authority."
In a letter to the FCA on 21 March, seen by MoneySavingExpert.com, Reeves said: "Having consulted the industry, it is my impression that banks are already at liberty to ensure that almost all transactions are online authorised. The reason they choose not to do so is to save time on each transaction. In other words, they are putting their customers at risk of fraud in order to save a few seconds on each transaction."
It's not yet known whether the FCA will choose to focus on this aspect of contactless technology when it outlines its full strategy later this year.