Key Post: The security features of debit/credit cards and Google Pay and Apple Pay

Brendan Burgess

These issues come up in different posts from time to time so I want to set out systematically how they work. I am not an expert, so please correct me.

For simplicity I will refer to debit cards and Apple Pay but I assume that the same applies to credit cards and Google Pay.

Freelance has an excellent thread on security here:


Physical debit cards
You can tap for small amounts (<€50?) without entering a PIN.
However, every so often, it will ask you for your PIN to complete the transaction.
If you buy an item over €50, you must enter your PIN.

Security risk: You have to enter your PIN often, so there is a risk that someone might see you entering your PIN and later rob your card, and then they can spend freely.

Security protection: Your card should be linked to your phone, so you get a message every time it is used. So if your card is stolen without you noticing it, and you see a payment coming up, you can freeze your card.

Security protection: If your card is stolen, they can tap it for small items but will require a PIN after a few transactions, so won't rob much from you.
 
Apple Pay

You add your debit cards to the wallet on your iPhone.
No matter what size the payment is, you must authorise it either through Face ID, your thumb print, or your card's PIN. (Is it the card PIN or the phone PIN?)
 
Online purchases

If someone has your card information including your CVC code at the back, they can try to make an online purchase.

But most of the time, you will get a message to your phone or by text asking you to confirm the payment.
 
You get asked for your PIN every so often for transactions under €50 as a security precaution. You may not get asked for a PIN if you use your card overseas (especially in the US) for transactions over €50 and if it is under €50 in the US, you may be able to override the PIN request by pressing the green button on the POS keypad, at least in my experience.

Other risks are obviously if you have your PIN written down (and I know one idiot who had it written on her card) or entered in your contacts or somewhere on your phone, so if it gets hacked, a fraudster may see it.
 
If your iPhone is stolen, log onto your Apple account and freeze your phone.

I presume you can do the same with Android phones?

If your cards are stolen, log onto your bank account and freeze the cards. Or call your bank and freeze the cards.

Brendan
 
Apple Pay

You add your debit cards to the wallet on your iPhone.
No matter what size the payment is, you must authorise it either through Face ID, your thumb print, or your card's PIN. (Is it the card PIN or the phone PIN?)
It is the phone PIN - which is why it's important to have a long one.
 
Online purchases

If someone has your card information including your CVC code at the back, they can try to make an online purchase.

But most of the time, you will get a message to your phone or by text asking you to confirm the payment.

In Europe Strong Customer Authentication is in place which requires
  1. Something the customer knows e.g. PIN
  2. Something the customer has e.g. a phone
  3. Something the customer is e.g. fingerprint
All transactions under 30 Euro are exempt from asking for SCA (it might still be asked for). Outside of this limit there are exemptions known as TRA (Transaction Risk Analysis) whereby if the issuer / payment processor can maintain low fraud rates on their transactions they can pass higher value transactions without requesting the SCA step. There are three bands working up to 500 Euro; everything above 500 Euro should go through SCA (additional verification). This is why sometimes you may purchase items above 30 Euro online and not be asked to do the one-time password step.

The same rules don't apply globally and this is why often the complaints of fraud we see revolve around transactions made in Asia, South America etc. Also you can find situations in which retailers don't require the CVC to make purchases.
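The exemption rules described in the post above (the 30 Euro low-value exemption, the TRA bands up to 500 Euro, and the "you get asked for your PIN every so often" behaviour of contactless cards from the earlier replies) are all issuer-side decisions taken at authorisation time. The following is an added illustration of such a decision engine; it is not code from any bank or payment scheme. The thresholds it uses are the ones in the PSD2 Regulatory Technical Standards (Delegated Regulation (EU) 2018/389): contactless 50 Euro per tap and 150 Euro or five taps since the last SCA (Art. 11), low-value remote 30 Euro per payment and 100 Euro or five payments since the last SCA (Art. 16), and TRA ceilings of 100 / 250 / 500 Euro for issuers whose fraud rate is at most 0.13% / 0.06% / 0.01% (Art. 18). The card identifiers and the issuer fraud rate are made up, and the engine applies both the cumulative-amount and the count limit together, which is the stricter of the two options the regulation allows.

```python
"""Issuer-side Strong Customer Authentication (SCA) exemption engine.

Added illustration, not code from any bank or scheme. Thresholds follow the PSD2
RTS (Delegated Regulation (EU) 2018/389); card ids and fraud rate are constructed.
"""
from dataclasses import dataclass

# Art. 18 Transaction Risk Analysis: (ceiling in EUR, maximum issuer fraud rate
# as a fraction). An issuer may use the highest band whose rate it stays under.
TRA_BANDS = [(500.0, 0.0001), (250.0, 0.0006), (100.0, 0.0013)]


@dataclass(frozen=True)
class ChannelLimits:
    per_txn: float      # single-transaction ceiling for the exemption
    cumulative: float   # total allowed since the last SCA
    max_count: int = 5  # consecutive exempt transactions since the last SCA


CONTACTLESS = ChannelLimits(per_txn=50.0, cumulative=150.0)   # Art. 11
REMOTE = ChannelLimits(per_txn=30.0, cumulative=100.0)        # Art. 16
LIMITS = {"contactless": CONTACTLESS, "remote": REMOTE}


class ScaEngine:
    def __init__(self, issuer_fraud_rate: float):
        self.fraud_rate = issuer_fraud_rate
        # card_id -> channel -> [amount since last SCA, count since last SCA]
        self._state: dict[str, dict[str, list]] = {}

    def tra_ceiling(self) -> float:
        """Highest TRA band this issuer qualifies for (0.0 if none)."""
        for ceiling, max_rate in TRA_BANDS:
            if self.fraud_rate <= max_rate:
                return ceiling
        return 0.0

    def decide(self, card_id: str, channel: str, amount: float):
        """Return (sca_required, reason) and update the per-card counters.

        An approved exemption consumes part of the low-value allowance; a
        transaction that goes through SCA resets the counters for that channel.
        """
        limits = LIMITS[channel]
        counters = self._state.setdefault(
            card_id, {"contactless": [0.0, 0], "remote": [0.0, 0]})
        total, count = counters[channel]

        reason = None
        if (amount <= limits.per_txn
                and total + amount <= limits.cumulative
                and count + 1 <= limits.max_count):
            reason = "low-value exemption"
        elif channel == "remote" and amount <= self.tra_ceiling():
            # TRA applies to remote (online) payments only.
            reason = "transaction risk analysis exemption"

        if reason is not None:
            counters[channel] = [total + amount, count + 1]
            return False, reason

        counters[channel] = [0.0, 0]   # SCA performed: allowance starts again
        return True, "SCA required"


if __name__ == "__main__":
    engine = ScaEngine(issuer_fraud_rate=0.0005)   # 0.05%: qualifies for 250 EUR band
    for i in range(7):
        print("tap", i + 1, engine.decide("card-A", "contactless", 20.0))
    for amount in (25.0, 200.0, 300.0):
        print("online", amount, engine.decide("card-B", "remote", amount))
```

Running it shows the behaviour the replies describe: the sixth small tap in a row is sent to PIN entry, the counter starts again afterwards, an online payment of 200 Euro passes on TRA while 300 Euro exceeds the issuer's band and needs the one-time password step.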
 
Apple Pay

You add your debit cards to the wallet on your iPhone.
No matter what size the payment is, you must authorise it either through Face ID, your thumb print, or your card's PIN. (Is it the card PIN or the phone PIN?)
Important security features of Apple/Google Pay:

When you add your bank card to Apple/Google Pay a random 16-digit account number is generated and used when you make payments using these systems, so the merchant or a skimmer never gets to see your 'real' card number or expiry date.

All tap payments (Apple/Google Pay or physical card) use a one-time code in place of the CVV on the back of physical cards. So even if a skimmer got hold of the card details they would not be able to take more money because the CVV they captured would already be invalid.

These two security features together make Apple/Google Pay payments extremely secure and everybody should be trying to use them instead of their physical card at every opportunity, including for making online payments.
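The two properties in the post above, a device token that stands in for the real card number and a per-transaction code that the issuer will not accept twice, can be shown together in a small model. This is an added illustration, not code from Apple, Google or any payment network, and it simplifies heavily: the one-time code is an HMAC-SHA256 over the token, a transaction counter, the amount and the merchant, rather than the real EMV payment-token and cryptogram formats, and every card number and key in it is constructed. The point it demonstrates is on the issuer side: what a merchant or skimmer captures (token, counter, cryptogram) is rejected as a replay, and the real PAN never leaves the token vault.

```python
"""Network tokenisation with a one-time transaction cryptogram (simplified model).

Added illustration, not the EMV specification or any wallet's real code.
All card numbers and keys are constructed for the example.
"""
import hashlib
import hmac
import secrets


def cryptogram(key: bytes, token: str, atc: int, amount_cents: int, merchant: str) -> bytes:
    """One-time code bound to this token, counter, amount and merchant."""
    data = f"{token}|{atc}|{amount_cents}|{merchant}".encode()
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


class TokenServiceProvider:
    """Issuer side: maps device tokens to real PANs and checks each cryptogram."""

    def __init__(self):
        self._vault = {}     # token -> (real PAN, per-token key)
        self._last_atc = {}  # token -> highest application transaction counter accepted

    def provision(self, real_pan: str):
        """Issue a fresh token and key for a card being added to a wallet."""
        token = "4" + "".join(str(secrets.randbelow(10)) for _ in range(15))
        key = secrets.token_bytes(16)
        self._vault[token] = (real_pan, key)
        self._last_atc[token] = 0
        return token, key

    def authorise(self, msg: dict) -> str:
        """Decide an authorisation request as forwarded by the merchant."""
        if msg["token"] not in self._vault:
            return "declined: unknown token"
        _real_pan, key = self._vault[msg["token"]]
        expected = cryptogram(key, msg["token"], msg["atc"], msg["amount"], msg["merchant"])
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return "declined: bad cryptogram"       # tampered amount/merchant or wrong key
        if msg["atc"] <= self._last_atc[msg["token"]]:
            return "declined: replayed cryptogram"  # counter already used: a re-sent tap
        self._last_atc[msg["token"]] = msg["atc"]
        return "approved"


class WalletDevice:
    """Phone side: holds only the token and key, never the real card number."""

    def __init__(self, token: str, key: bytes):
        self.token, self._key, self.atc = token, key, 0

    def tap(self, amount_cents: int, merchant: str) -> dict:
        """Produce the message the terminal sees for one payment."""
        self.atc += 1
        return {
            "token": self.token, "atc": self.atc,
            "amount": amount_cents, "merchant": merchant,
            "cryptogram": cryptogram(self._key, self.token, self.atc, amount_cents, merchant),
        }


def demo():
    """Provision a constructed card, pay once, then replay and tamper with the capture."""
    tsp = TokenServiceProvider()
    token, key = tsp.provision("5555000011112222")        # constructed PAN
    phone = WalletDevice(token, key)
    captured = phone.tap(4_50, "coffee-shop")             # what a skimmer would see
    results = {
        "first_use": tsp.authorise(captured),
        "replay": tsp.authorise(captured),
        "tampered": tsp.authorise({**captured, "amount": 400_00}),
        "merchant_sees_real_pan": "5555000011112222" in str(captured),
        "next_tap": tsp.authorise(phone.tap(12_00, "grocer")),
    }
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The counter check is what gives "already invalid" its meaning: a captured cryptogram is bound to a counter value the issuer has already consumed, so re-sending it, or editing the amount, fails verification without the issuer needing to know anything about the skimmer.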
 
There is a setting on Google phones to only use NFC when your phone is unlocked. So, I assume this would prevent someone using your phone for payments under 50 euro if they take your phone and don't know the PIN.
 
It’s possible (and I’m speculating completely) that fraudsters have managed to scan an Apple Pay signal and clone it on another device on another continent. But the cryptographic techniques involved here are very advanced and payments networks’ reputations rest almost entirely on their reliability and security.

Use Occam’s Razor here. What’s more plausible: user stupidity or the hack of highly secure systems?