How secure are NFC terminals?
WORLDPAY EDITORIAL TEAM
July 30, 2019
Protecting customers’ payment transactions is a top priority for most businesses. Among the secure payment tools and resources available, near-field communication (NFC) technology has emerged as a leader.
But what is NFC, what makes it secure and how secure is it? Let’s take a look.
What is NFC?
NFC is a technology that enables two devices to exchange data when they are within close proximity. The technology allows merchants to accept contactless payments from customers using a mobile wallet stored on their smartphone or a contactless EMV chip card. To complete the transaction, a consumer merely taps or waves their smart device or contactless card on or near the payment terminal.
Where is NFC used?
Though no longer a new technology, not all merchants accept NFC payments. Still, NFC payments can be accepted by any merchant using a terminal that is enabled to do so (terminals that accept NFC payments display the contactless symbol). The push toward EMV chip card acceptance accelerated the availability of NFC because most EMV chip card terminals are also NFC-equipped. However, this feature must be enabled to work.
NFC security features
NFC technology may appear to be more vulnerable to hackers since it facilitates the exchange of sensitive data that could be stolen while being transmitted “through the air.” But in application, NFC actually offers increased protections.
Here are three primary features of NFC security:
- Proximity. NFC has a very small transmission zone – mere inches. This poses a challenge to thieves who would need to stand very close to the terminal in order to intercept the transaction.
- User Initiation. The user must initiate the transaction between their device and the NFC-enabled terminal and usually provide secondary verification like a PIN code, fingerprint or facial recognition in order to complete the transaction.
- Secure element validation. This is similar to the validation process for EMV chip cards. After a connection is established between the NFC terminal and the customer’s device or contactless card, the secure element chip within the device or card must validate the purchase. The transaction can only be completed after validation. Instead of transferring card data between the card/device and the reader, a unique digital signature is assigned to every payment.
What are the risks to NFC security?
As with any payment security technology, shortfalls and associated risks always exist. Therefore, it’s good to be aware of potential security risks with NFC.
The biggest risk to consider may be the vulnerable nature of the NFC technology that relies on a wireless signal without passwords or credential requirements to accept payments. Hacks are possible, and there is always the potential that hackers could access sensitive merchant information stored in the payment terminal by way of an unsecured wireless connection. Hackers can also use malicious code on a consumer’s device or collect information by tapping their device with another NFC device.
The good news is that these types of security attacks are difficult to carry out. All things considered, NFC-enabled card payments are more secure than traditional swiped transactions. And with payment security solutions like encryption and tokenization, there’s a reduced risk of theft of the physical card and actual card numbers.
It’s also important to note the proactive measures consumers take in protecting their devices makes a difference. For example, locking a smartphone with a passcode, PIN code, password, pattern or biometrics before logging in can be very effective. Since mobile wallets reside on a device, when that device is secure, the mobile wallet is secure.
An innovative payments experience
NFC technology presents opportunities for conducting commerce that appeal to consumers and businesses alike. Tapping a payment is no doubt easier and more convenient than a traditional card transaction. As long as consumers are assured of the security of NFC transactions, the technology holds the potential to fundamentally change – and improve – the payments experience.