Card schemes are taking action to deal with a security flaw which means lost or stolen contactless cards can be used AFTER they've been cancelled – but some of the changes will take months to come in and cards will continue to be usable in some cases.

Following a long-running campaign, Visa, Mastercard and American Express are changing the way they handle the majority of payments to ensure they are processed online, so that a retailer will instantly know if a card has been cancelled.

Last month the Financial Conduct Authority chairman John Griffith-Jones admitted to the Treasury Select Committee that the problem was still not fully fixed - 18 months after we began campaigning on the issue.

Visa says it's already tackled the issue for most transactions and Mastercard has pledged to do so by March, but American Express says it could take up to 18 months to complete the changes.

See our Stop Scams guide for ways to protect yourself from fraudsters.

Why contactless cards are vulnerable

The card schemes' review of their payment processes comes after an investigation back in September 2016 uncovered a shocking flaw.

We found that crooks can make purchases on lost or stolen contactless cards MONTHS after the cards have been cancelled by their rightful owners. One MoneySaver found five purchases totalling nearly £30 were made on his Halifax debit card eight months after it was stolen and he'd cancelled it.

We discovered that shops sometimes process lower-value transactions 'offline', meaning they don't immediately check with your bank when a payment is made on your card. As a result, cancelled cards may not receive the instruction from the bank to stop working.

MoneySavingExpert understands that Visa, Mastercard and Amex set what's known as a 'floor limit', the payment threshold at which cards are forced to go online for authorisation – anything above this limit is checked out immediately with the issuing bank.

When payments are processed 'online', the payment machine immediately communicates with the customer's bank to check if there are enough funds in the customer's bank account. If a card's been cancelled due to being lost or stolen, this will be flagged immediately and a payment won't be allowed.

Contactless cards are particularly at risk of being used after cancellation because you don't need to enter a PIN each time you use them. The cards do stop working eventually, due to a number of industry-wide security measures – but this can be months or even years after cancellation.

What are the card schemes doing to fix the flaw?

Visa, Mastercard and American Express have said they are working to tackle the issue by ensuring the majority of transactions are processed online, though some transactions will have to continue to be processed offline. For example, Transport for London journeys will continue to be processed offline, as the price you pay depends on how many trips you take and the final amount won't be known until the end of the day or week.

Here's the latest on what the card schemes are doing:

  • Visa – says the vast majority of transactions have been online since October last year.
  • Mastercard – aims to have the majority of transactions online by March, but it says there will continue to be exceptions such as with Transport for London.
  • American Express – says it will roll out a 'zero floor limit' for most contactless transactions over the next 18 months, which means most contactless transactions will be online. The exceptions will be "unattended terminal transactions for transport and parking".
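
The offline/online split described above, and what a 'zero floor limit' changes, can be shown with a simplified model. This is an added illustration, not code from the card schemes or the original article; the card names, amounts and the 2,000p floor limit are constructed assumptions, and real terminals apply more checks than this.

```python
from dataclasses import dataclass

@dataclass
class Terminal:
    floor_limit_pence: int      # amounts above this are sent online
    offline_only: bool = False  # e.g. transit gates: fare unknown at tap time

def authorise(terminal, card, amount_pence, cancelled_cards):
    """Return (route, approved) for one contactless tap in this simplified model."""
    if terminal.offline_only or amount_pence <= terminal.floor_limit_pence:
        # Offline: the terminal never asks the issuing bank, so it cannot
        # learn that the card has been cancelled.
        return "offline", True
    # Online: the issuing bank sees the request and refuses a cancelled card.
    return "online", card not in cancelled_cards

def post_cancellation_spend(terminals, taps, cancelled_cards):
    """List taps on cancelled cards that were still approved."""
    leaked = []
    for where, card, amount in taps:
        route, approved = authorise(terminals[where], card, amount, cancelled_cards)
        if approved and card in cancelled_cards:
            leaked.append((where, amount, route))
    return leaked

# Constructed sample data: CARD-A has been reported stolen and cancelled.
CANCELLED = {"CARD-A"}
TAPS = [
    ("shop", "CARD-A", 650),     # small purchase
    ("shop", "CARD-A", 2500),    # larger purchase
    ("transit", "CARD-A", 290),  # transport fare
    ("shop", "CARD-B", 650),     # a different, valid card
]

def run(shop_floor_limit_pence):
    terminals = {
        "shop": Terminal(shop_floor_limit_pence),
        "transit": Terminal(0, offline_only=True),  # the stated exception
    }
    return post_cancellation_spend(terminals, TAPS, CANCELLED)

BEFORE = run(2000)  # hypothetical non-zero floor limit
AFTER = run(0)      # 'zero floor limit': every shop payment goes online

if __name__ == "__main__":
    print("approved after cancellation, floor limit 2000p:", BEFORE)
    print("approved after cancellation, zero floor limit: ", AFTER)
```

With a zero floor limit the small shop purchase is declined, while the offline-only transport tap still goes through, which is why small transport payments are the ones to keep watching after cancelling a card.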

What should I do if my card's been lost or stolen?

Here's what to do:

  1. Tell your bank or card provider as soon as possible, so it can cancel the card and send a replacement.
  2. Keep an extra-vigilant eye on your account and scrutinise small contactless payments to make sure they're legit.
  3. If you think your card's being used fraudulently, tell your bank or building society immediately and report it to Action Fraud.

The onus is on your bank to identify fraud, not you, but it's still worth checking your statements if you've cancelled a card.

If your card's used without your permission you are protected by the Lending Code and shouldn't lose money as a consequence, provided you inform the bank within 13 months of the fraudulent transaction and you have not acted fraudulently or without reasonable care (eg, you haven't disclosed your PIN to someone else, or written it down and kept it with the card).

As long as you meet these conditions, your bank or building society will usually reimburse you for your loss.

However, you're liable for up to £35 of any fraudulent spending that happens before you report the card's loss or theft to your bank. So if thieves spend £300 from your account before you warn the bank, you may only get £265 back. That's why it's vital to report a lost or stolen card the moment you realise it's gone.