MSE News

Contactless card security flaw largely fixed, in win for MSE's two-year campaign

The financial regulator has said that "almost all" contactless transactions from the two biggest card schemes are now processed 'online' to combat a security flaw that meant crooks could use cards months after they'd been cancelled.

The announcement, made by the Financial Conduct Authority's director of strategy and competition in an article written for MoneySavingExpert.com, comes as a key victory for our long-running campaign to highlight the issue. 

In September 2016 our investigation revealed that lost and stolen contactless cards could be used by criminals long after cancellation. One MoneySaver found five purchases totalling nearly £30 were made on his Halifax debit card eight months after it was stolen and he'd cancelled it.

The security flaw arose because some lower-value transactions were being processed 'offline' – meaning the customer's bank wasn't immediately alerted when a transaction was made, so cancelled cards didn't always receive the bank's instruction to stop working.

Now the financial regulator has confirmed that it's stepped in to largely fix the problem, working with banks and card issuers. The two biggest card schemes, Visa and Mastercard, now process "almost all" contactless transactions online, meaning an attempted payment on a cancelled card will be immediately flagged to the bank and blocked. American Express says it's on track to bring most of its contactless transactions online by this August.

For full info on what action the Financial Conduct Authority's taken, see its guest comment. And for more help on how to protect yourself from fraudsters, see our Stop Scams guide.

What's been done to fix the problem?

Last February, we reported that the three main card providers – Visa, Mastercard and American Express – had agreed to bring the majority of contactless transactions online. And the financial regulator's now confirmed that this has happened, and that it took action to help fix the problem.

The Financial Conduct Authority's director of strategy and competition Christopher Woolard writes: "The good news is that, after we engaged with the major card schemes such as Visa and Mastercard, they have made changes so that almost all transactions are now processed 'online'."

He added: "There are some exceptions where transactions still aren't processed online. This is where the slight delay of having the payment checked online might interfere with the customer experience – for example, it could mean significant delays or queues for people paying for a train or bus journey with a contactless card. But these exceptions are few and we expect the number of online transaction processes to continue to rise."

We've checked with the major card schemes and this is what they told us:

  • Visa says most contactless transactions have been online since October 2017. It says there are some exceptions relating to payments for public transport, but "even these are increasingly being processed online as well".

  • Mastercard says most contactless transactions have been online since March 2018. Again, there are a few exceptions such as Transport for London payments. 

  • American Express says it plans to have most contactless transactions online by August. This is in line with the timescale it outlined last February. It says "progress has been good", though again, even after August there will be some transactions that continue to be made offline such as "unattended terminal transactions" for transport and parking. 

'The risk of being a victim of fraud is now much smaller'

Kirsty Good, head of campaigns at MoneySavingExpert.com, said: "In 2016 MoneySavingExpert.com revealed that crooks were using contactless cards months after they'd been cancelled, and started to campaign for better security. Today, the regulator has for the first time confirmed the action it took, and that the two biggest card operators have now substantially increased security measures on their cards.

"Card theft or loss can happen to anyone, so it was a risk to consumers that contactless payments could be made so easily, and it's great to hear this is no longer the case. If you've lost or had a Visa or Mastercard contactless card stolen, you still need to be vigilant, but thankfully the risk of you being a victim of fraud is now much smaller."

What should I do if my card's been lost or stolen?

Here's what to do:

  1. Tell your bank or card provider as soon as possible, so it can cancel the card and send a replacement.
  2. Keep an extra-vigilant eye on your account and scrutinise small contactless payments to make sure they're legit.
  3. If you think your card's being used fraudulently, tell your bank or building society immediately and report it to Action Fraud.

The onus is on your bank to identify fraud, not you, but it's still worth checking your statements if you've cancelled a card.

If your card's used without your permission you are protected by the Standards of Lending Practice and shouldn't lose money as a consequence, provided you inform the bank within 13 months of the fraudulent transaction and you have not acted fraudulently or without reasonable care (eg, you haven't disclosed your PIN to someone else, or written it down and kept it with the card).

As long as you meet these conditions, your bank or building society will usually reimburse you for your loss.

However, you're liable for up to £35 of any fraudulent spending that happens before you report the card's loss or theft to your bank. So if thieves spend £300 from your account before you warn the bank, you may only get £265 back. That's why it's vital to report a lost or stolen card the moment you realise it's gone.