Contactless cards: convenient and secure

EMV chip technology gives Visa cards, including contactless, the highest level of security

WARSAW, 4 June 2013: Visa card security, including contactless security, stays at the highest level on record for the second year running, with Polish Visa cards performing much better than Europe’s average, according to the latest fraud statistics. Following Visa Europe’s investments of more than one billion euro in security technology and infrastructure over the past six years, the Visa fraud index in Europe has fallen to the lowest level ever, registering just 0.04%, or 4 eurocents per €100 euro spend on Visa cards, for the past two years. And the figure for Poland is a tenth of the European average, meaning 4 eurocents per €1,000 spend on Visa cards.

EMV chip standard is supported in Poland by all electronic POS terminals and all ATMs, with Visa chipcards available from all Visa Europe member banks in our country. Among all Polish-issued Visa cards, nearly 90% are chipcards and close to 40% are Visa contactless cards.

The chip embedded in the Visa card keeps some data secret and protected against deciphering, it also makes possible a selective reading of the data stored in its memory — and, most importantly, it generates unique digital code for each transaction based on advanced cryptographic security. These signed transactions are verified by Visa and the issuing bank, and the technologies employed preclude forgery or generating successive transactions.

“We admire and congratulate Visa Europe issuers and acquirers for the adoption of EMV chip solutions which, while providing the highest security level and novel functionalities, have made possible a spectacular growth of Visa contactless payments in Poland,” said Kuba Kiwior, Visa Europe Country Manager for Poland. Poland stands out in Europe with the highest number of Visa contactless transactions.

Visa contactless chipcards, protected by cryptography and the latest fraud-detection technology, are as secure as “standard” Visa cards. Importantly, under Visa guidelines, the issuers of contactless cards are required to predefine for them a limit of contactless transactions, known as the offline transaction counter, which caps the combined value of the instant contactless transactions, conducted in offline mode for up to 50 zloty [€12] each. The counter is stored in the card chip’s memory. When the predefined limit is exceeded an online transaction is forced, involving communication with the issuer bank. This is to ensure that the contactless card should not be used endlessly in offline mode, without communicating with the bank. Banks may set up separate counters for domestic and foreign contactless transactions.

Under Visa guidelines, the mechanisms for contactless security must also be adopted by acquirers, who are certified to process Visa contactless payments and are responsible for the correct configuration of Visa card accepting devices and their connection to the payment system. The security arrangements cover not only cards but also the EMV-enabled POS terminals, which must be provided with appropriate, verified cryptographic keys, authenticated by Visa. Before the Visa chipcard begins exchanging data with the POS terminal – whether by contact (being inserted into a chipcard reader) or in a contactless manner – the devices must undergo mutual two-way authentication, i.e. confirm that both the card and the terminal are legitimate devices. Visa guidelines bar acquirers from accepting a contactless transaction which exceeds the predefined limit for that card, which is stored in its chip — and in particular, acquirers must not allow an above-50 zloty transaction to be completed without PIN confirmation.

Merchants, too, should observe the relevant procedures. Suspecting that an unauthorised person attempts to make use of a card, a merchant should either check that person’s identity or keep the card (if the person refuses to be identified). If the merchant is aware that someone attempts to make a series of contactless transactions one after another, the merchant should immediately report this to their acquirer. Card security is also contingent on cardholder behaviour. The requirement of reporting a card loss as soon as possible is pretty obvious. It is equally important to check bank statements on a regular basis, which may signal unauthorised transactions (if such are made) and help the issuer bank to react quickly. Visa contactless issuance is close to 60 million Europe-wide. The number of Visa contactless transactions in the whole of Europe quadrupled in 2012, with a similar fourfold growth expected this years. In Poland, where contactless has been present since the 2008 debut, issuance exceeds now 9 million.

About Visa Europe

Visa Europe is a payments technology business owned and operated by member banks and other payment service providers from 36 countries across Europe.

Visa Europe works at the forefront of technology to create the services and infrastructure which enable millions of European consumers, businesses and governments to make electronic payments. Its members are responsible for issuing cards, signing up retailers and deciding cardholder and retailer fees.

Visa Europe operates a high volume, low cost business model that provides services to its members. Its surplus is reinvested into the business and used to improve capital and reserves. In the last six years, Visa Europe has invested over €1 billion in new technology and infrastructure.

Since 2004, Visa Europe has been independent of Visa Inc. and incorporated in the UK, with an exclusive, irrevocable and perpetual licence in Europe. Both companies work in partnership to enable global Visa payments. As a dedicated European payment system Visa Europe is able to respond quickly to the specific market needs of European banks and their customers - cardholders and retailers - and to meet the European Commission’s objective to create a true internal market for payments.

For more information:
Follow @visaeuropenews