Is it Safe to Make Contactless Payments?
When your guests sit down to enjoy your hospitality, they should be able to immerse themselves in the experience of good food, ambiance, and friends. The last thing they should be concerned about is the security of their payment information.
Contactless payments allow you to turn “the way it should be” into “the way it is.”
Whether your guests choose to use their credit card, Apple Pay, or Android Pay, their sensitive financial information remains secure via encryption when transactions are made contactless and payments are handled by a reputable processor. The most significant security advantage of contactless and mobile payments is that they do not store credit card details on guests’ smartphones or operators’ POS.
Contrary to common concerns, experts have increasingly argued that mobile payments offer more security than the traditional use of physical cards or cash.
Mobile Payment Myths
Many people misunderstand how mobile payments work, which leads to confusion over assumed security risks. There is a widely held—but incorrect—belief that paying with your phone or using a digital wallet like Apple or Android Pay stores your credit card and sensitive financial information directly on your phone. Understandably, such a misconception may make some guests wary.
Instead of using unsecured credit card numbers, mobile payment options transmit “tokens” to add a layer of contactless transaction security for both customers and vendors.
Tokens—The New Way to Pay
One way to think of tokens is to imagine them as a much more sophisticated and digital version of arcade tickets. You know that the tickets themselves aren’t worth anything outside of the arcade’s premises, but you can trade them in for prizes at the counter based on the value they represent.
Since tokens involve three main parties (i.e., the purchaser, the vendor, and the bank or credit card company) instead of two, the process is a bit more complicated, but the idea remains the same.
How Long Does it Take for a Transaction to Post to My Account?
No one wants to accidentally overdraw their bank account.
So, how long will it be before the money a customer spent on a meal at your place of business actually exits their account?
The short answer is two to four business days.
That average is slightly higher than for chip-and-PIN cards, which take two to three days to post. The difference stems from the fact that chip-and-PIN cards go through an authorization process before finalizing the transaction, while contactless payments conduct this process at a later time. The usual authorization process generally entails the following:
“Tokenization” and Transactions
When customers use mobile payments or digital wallets, their credit card information is “tokenized” for transactions with a randomly generated 16-digit number. Your primary account number (PAN) stays stored on the credit card company’s secure servers while the representative token is processed during the transaction:
- Your credit card company tokenizes your card information.
- The token is passed to the vendor to make a payment.
- The credit card company confirms the token’s veracity.
- The vendor receives payment from the credit card company without any extra effort compared to more traditional transactions.
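The four steps above, as a constructed example (not GoTab's or any card network's code): an in-memory token service keeps the PAN, hands the merchant a random 16-digit token, and confirms that token when the merchant asks for authorization. The reserved "99" token prefix and the binding of each token to one merchant are assumptions added to show why a leaked token is of little use elsewhere.

```python
import secrets
from dataclasses import dataclass, field

# Constructed tokenization example. Assumptions: one in-memory token service holds the
# PAN<->token mapping, tokens live in a reserved prefix range, and each token is bound
# to the merchant it was issued to.

TOKEN_PREFIX = "99"  # assumed reserved range: a token never looks like a real card BIN


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check carried by real PANs; lets the vault reject garbage input."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class TokenVault:
    """Card network / processor side: the only place the PAN exists."""
    _token_to_pan: dict = field(default_factory=dict)
    _token_owner: dict = field(default_factory=dict)

    def tokenize(self, pan: str, merchant_id: str) -> str:
        """Step 1: replace the PAN with a random token that shares no digits with it."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        while True:
            token = TOKEN_PREFIX + "".join(str(secrets.randbelow(10)) for _ in range(14))
            if token not in self._token_to_pan:  # retry on the rare collision
                break
        self._token_to_pan[token] = pan
        self._token_owner[token] = merchant_id
        return token

    def authorize(self, token: str, merchant_id: str, amount_cents: int) -> bool:
        """Step 3: confirm the token is real and presented by the merchant it was issued to."""
        if amount_cents <= 0 or self._token_owner.get(token) != merchant_id:
            return False
        pan = self._token_to_pan[token]  # the PAN is resolved here and goes no further
        return luhn_valid(pan)


def merchant_checkout(vault: TokenVault, token: str, merchant_id: str, amount_cents: int) -> dict:
    """Steps 2 and 4, vendor side: submit the token and store only the token and the outcome."""
    approved = vault.authorize(token, merchant_id, amount_cents)
    return {"token": token, "amount_cents": amount_cents, "approved": approved}
```

Everything the merchant keeps is in the returned record, so a breach of that record yields a token that only works from that merchant, not a card number.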
Another way to think of tokens is as the next evolution and further digitization of fiat currency. Fifty years ago, you wouldn’t have lugged around a sack of gold into every store on your errand run or during a night out on the town. You’d have carried cash representing a government-backed value.
Now, guests can use tokens transmitted via their smartphones.
Legacy POS Vulnerabilities
When it comes to learning how to modernize your business, people often don’t realize that some of the systems used to process their transactions may date back to their early childhood—or even before they were born.
Mag Stripe Vulnerabilities
When someone swipes a physical credit or debit card during a transaction, the POS system and payment processing architecture transmit their unencrypted information (i.e., card number, name, CVV/CSC, and expiration date) in plain text to several endpoints:
- Guests or servers swipe a card using a reader connected to your POS system, which typically runs on Windows OS as a standard application.
- Payment processing software may be separate from the POS but usually shares the same physical machine or primary (computer) server.
- The card information is sent to a primary (computer) server, which is also connected to any other cash registers or computers running the POS system.
- The credit card information is transmitted to the operator’s main computer.
- If only one computer is in use, the guest’s sensitive financial data and POS still share one storage location.
- The credit card information is transmitted to the payment processor or bank.
- The processor or bank returns the information to the original location where the card was swiped to verify the transaction.
As Jason Oxman, CEO of the Electronic Transaction Association, phrases it:
“You walk out of the store while the transaction continues to ricochet across the country—using technology from the 1970s… What we need to do in the U.S. is completely replace an architecture that has been deployed over the course of the last 40 years… That’s how long magstripe cards have been on the market.”
The security vulnerabilities of swiped credit cards drove the adoption of chip cards as an international standard. EMV stands for “Europay Mastercard Visa” and gained adoption across Europe in conjunction with PIN codes for additional protection, particularly in countries with poor internet security.
While EMV made significant improvements in protecting cardholders from fraud, other vulnerabilities still exist. EMV should be regarded as a fraud-prevention feature rather than a data-security advancement.
EMV Chip Vulnerabilities
EMV’s main advantage is that the chip ensures that a physical credit card is not fraudulent. However, stolen card data may still be used. In 2006, a UK group captured magnetic stripe and PIN code data used at Shell gas stations, resulting in over $1M stolen. In 2008, hundreds of EMV readers across Europe were discovered to have been tampered with shortly after their manufacture, transmitting cardholder data over nine months of operation.
While the malicious activity may seem isolated to over a decade ago in Europe, 2020 witnessed a massive EMV breach of Key Food Stores Co-Operative Inc., which operates primarily in the northeastern U.S. The guilty parties were able to capture EMV data before it reached the POS and without disrupting the legitimate transaction. The culprits then used the EMV data to create fraudulent magstripe cards for use on swipe readers.
Thankfully, contactless card payments facilitated by encrypted credit card numbers and digital wallets are here.
Additional Digital Wallet Security
Beyond tokenization and encryption, digital wallets and credit cards offer users additional security measures. These protections include multi-factor or two-factor authentication. Multi-factor authentication (MFA) is a process that requires two or more separate steps for a user to prove their identity when using a digital or mobile wallet or a card over the internet.
The additional authentication step may be a one-time password (OTP) or PIN code sent to the user’s smartphone via SMS or an “authenticator app.” The second step may also be a biometric check, such as fingerprint scanning or facial recognition.
Despite some consumers’ reticence regarding this newer payment technology, many have adopted a contactless payment method without any qualms—even prior to the pandemic-related push to minimize physical touchpoints of any kind.
In March of 2020 alone, 31 million Americans made a payment with a contactless Visa card or a digital wallet. As of 2020’s conclusion, 29.3% of all e-commerce payments were made using a digital wallet, and the number of mobile payment users reached 64 million people. When asked about making payments without a credit or debit card, 28% of survey respondents answered “I would like to pay with my smartphone all the time.”
Experts expect this trend to continue. Worldwide mobile payments are estimated to exceed $12 trillion by 2027.
Make a Secure Wi-Fi Network Available for Guests
The best thing you can do to ensure your guests’ financial security and peace of mind is to offer the protection of a secure Wi-Fi network over which to complete contactless credit card payments. While encrypted credit card transactions and digital wallets already feature tokenization security that provides the most protection from theft, private Wi-Fi networks shield users much more than public connections do.
One option for sharing secure Wi-Fi network passwords is to print them underneath the printed QR codes that guests scan at each table to access a contactless menu. If you’re interested in learning more about how to create a mobile menu or QR code payment, we’ve written about these topics in detail on our blog.
So, Are Contactless Payments Safe?
You don’t have to have a degree in cybersecurity to offer safe contactless payment options. Operators can continue focusing on their passion for food, drink, and hospitality. At the same time, your guests can enjoy their dining experience without fear of hackers descending through the ceiling above their tables.
If your guests exhibit any concern over their financial security and ask you, “Are contactless payments safe?” you can confidently say yes with GoTab and assure them that none of their credit card information will be stored on their phone or your own systems.
When your guests are ready to close out their tabs, GoTab facilitates payments directly or via digital wallets. With tokenization, digital wallets offer enhanced security to protect users’ sensitive financial data. If your guests would rather enter their card number to pay, all processing is encrypted and protected on GoTab’s secure website to remove any worries for you and your guests.
Processing Fees that Don’t Eat Up Your Revenue
Aside from the security benefits of partnering with GoTab, operators will also see a higher percentage of their guests’ payments reach their bank account. Payment processing fees for traditional methods average around 3.5%. Further, many mobile payment stations may cost operators $300-$1200 to acquire and set up.
In contrast, GoTab’s processing fees sit among the industry’s lowest and our hardware isn’t used to pad our own bottom line.
Put simply, we make money when our operators make money.