NFC payment chips and processing terminals allow users to circumvent many of the most common credit card theft tactics being used by thieves and hackers. Apple Pay, integrated into the newest generation of Apple mobile devices, incorporates NFC technology. If it becomes widely used by an army of iPhone users, perhaps merchants will be encouraged to more quickly adopt NFC technology.
What exactly is NFC and how can I use it to pay for stuff with my mobile device?
Near Field Communication (NFC) is a wireless communication protocol that can be used to send data between devices over a short distance (about 1.6 inches). Unlike Bluetooth that requires time consuming pairing between devices, NFC chips in mobile devices (like Smartphones, Smart Watches, or even credit cards themselves) can communicate with a nearby NFC enabled terminal by simply authorizing the protocol on your device with a passcode or fingerprint authentication.
If your mobile device has an integrated NFC chip, you can use a mobile wallet app like Apple Pay, Google Wallet or Isis’ “SoftCard” to pay for items at retailers that support NFC transactions. Simply load up your credit cards on your mobile device – most applications encrypt the card numbers once they’re loaded so that a thief can’t access your card data – and wave your device near an NFC compatible terminal to pay, no card swiping required.
There are two primary ways that thieves access your credit card data: they either compromise the terminal itself (by, for example, planting a card reader strip in the terminal that captures credit card data as subsequent cards are swiped), or they break into a merchant’s servers where customer data such as card numbers, names, etc.. is stored.
If you don’t swipe a card, you circumvent the first, hard-wired theft method. Recent improvements in NFC technology have allowed some devices and cards to generate a unique card number for each transaction. Those transactions are now also safe from thieves stealing your card number – the number provided to the retailer won’t be good for any future transactions.
Accessing your phone’s Apple Pay app to process a transaction requires a successful fingerprint authentication, making it nearly impossible for a mobile phone thief to gain access to your credit card information. Credit card information and the fingerprint authentication data is stored on a secure chip on the iPhone itself, so a breach at Apple won’t compromise your credit cards. Even if your phone is stolen, credit card numbers don’t appear in the app itself.
Better yet, when you use your Apple mobile device to pay at a merchant that accepts Apple Pay, the chip sends a newly generated, one-time-use number to the merchant’s machine to authorize the charge.
No. Google Wallet and the wireless-carrier backed “SoftCard” are two of the most widely-accepted alternative mobile payment facilitators that allow users with an NFC enabled mobile device to pay with their phone at NFC-equipped retailers.
In addition, many major banks and credit cards are issuing new cards with imbedded NFC chips. This means that you may be able to wave your card at the terminal instead of swiping, no phone required, in the next few years.
Is NFC widely accepted in the U.S.?
There are fewer than 40 major retailers currently accepting NFC transactions, including McDonalds, Foot Locker, Macy’s, PetCo, Subway, Chevron and Office Depot.
While Visa, Mastercard and American Express, as well as nearly all major banks (including Bank of America, Capital One, Wells Fargo, Chase, Citi and many more) are encouraging the adoption of NFC technology – safer credit card processing means less costly fraud prevention and abatement – retailers have other plans. More than 50 major retailers, including Walmart, Best Buy, Kmart and 7-Eleven have banded together in an alliance called Merchant Consumer Exchange (MCX) and intend to launch their own payment processing protocol, CurrentC. In fact, Rite Aid and CVS recently disabled NFC functionality at their credit card terminals so as to stop recognizing NFC transactions and back CurrentC.
The CurrentC app isn’t backed by a single bank. This is because the system is designed to sidestep credit card processing fees by having transactions direct-debit from your checking account (ACH transactions). While the benefit to the merchant is clear: eliminating merchant processing fees would reduce their overhead cost and they can more easily monitor users’ shopping habits, it’s less safe for the consumer. If a CurrentC merchant is successfully attacked (and history shows us that merchant data isn’t particularly safe from security breach), a hacker/thief could gain the ability to drain a user’s bank account with no fraud protection from Visa, Mastercard or American Express.
In fact, MCX data has already been breached: in late October 2014, hackers stole the email addresses of an undisclosed number of CurrentC pilot program participants and individuals who expressed interest in the program.
However, there is hope for the consumer: Visa, Mastercard and American Express have set a 2015 deadline for retailers to upgrade their equipment. Those that fail to migrate to more secure terminals will risk bearing the cost of fraudulent card activity at their retail locations.