For quite a few months Subhash Varambhia (Snutch News, Leicester) has been expressing doubts about the security of contactless cards. Now it appears to have been borne out.
He has a trio of eastern European regulars that he knows are up to no good… petty burglary, breaking into cars. Two guys frequently come in, always early in the morning, with contactless cards and spend £27, £28, near the max in other words. Subhash got suspicious and compared his receipts. The numbers didn’t match.
He consulted his friendly bobbies and offered CCTV proof, but they said it was “financial” and were none too interested.
Then Subhash’s wife Rama got a letter from the chargebacks section of Worldpay, saying that the cardholder’s issuing bank had asked for documentation to support a contactless card transaction. She was given 15 days to send the info.
As Subhash says, Worldpay already has as much information as he has. He asks why they are being “leaned on” when he was merely acting as a go-between for the provider and the card user? He also asks why the card wasn’t blocked if it was stolen and wonders whether security can be enhanced to flag up “dodgy” cards. There was also a long time lag between the transaction (Oct 8) and the query (Nov 21), which he also questions.
Worldpay told me it couldn’t comment on individual cases, but says it is usual for chargebacks to take some time, because the cardholder may not query a transaction until they get their bank statement. So far, so straightforward.
It adds: “In the event that a cardholder contacts their bank to query a card transaction, Worldpay may intercede on behalf of their merchant in order to defend the merchant from a potential chargeback. In order to do this we raise a request for information (RFI).
“Worldpay has teams dedicated to defending chargebacks on behalf of our merchants and the more detailed information that a retailer can give in response to an RFI, the more likely it is that Worldpay will be able to answer the query and defend the merchant’s position. Time periods for responding are set by the card issuers and it’s important that merchants respond to these RFIs within the time periods specified to enable Worldpay to respond to the card issuer. Failure to do so could result in chargebacks being automatically applied.”
Apparently, since the widespread use of Chip and PIN, incidents of card fraud for face-to-face transactions have fallen in the UK by 76% since the peak in 2004. And figures from the Financial Fraud Action show that contactless cards and devices accounts for only 0.5% of overall card fraud. “As contactless transactions are processed offline there are additional security mechanisms in place for these types of transactions with the card issuers taking liability up to the £30 contactless transaction limit in order to protect both the consumer and retailers,” says Worldpay.
Looks like the Varambhias will not get stuck - so long as they respond. Subhash reckons the card issuer should pay compensation.