How secure are NFC terminals?
WORLDPAY EDITORIAL TEAM
July 30, 2019
Among the secure payment tools and resources available, near-field communication (NFC) technology has emerged as a leader. But what is NFC, what makes it secure, and how secure is it? Let’s take a look.
What is NFC?
NFC is a technology that enables two devices to exchange data when they are within close proximity. The technology allows merchants to accept contactless payments from customers using a mobile wallet stored on their smartphone, or a contactless EMV chip card. To complete the transaction, a consumer merely taps or waves their smartphone or contactless card on the payments terminal.
Where is NFC used?
Because it’s still fairly new, not all merchants accept NFC payments. But NFC payments can be accepted by any merchant using a terminal that is enabled to do so (terminals that accept NFC payments display a contactless symbol. Grocery markets, retail stores, quick serve restaurants, and movie theaters are just a few examples of businesses that can make use of NFC payments.
The push toward EMV chip card acceptance has accelerated the availability of NFC because most EMV chip card terminals are also NFC-equipped. However, this feature must be enabled in order to work.
NFC security features
NFC technology may appear to be more vulnerable to hackers since it facilitates the exchange of sensitive data that could be stolen while being transmitted “through the air.” But in application, NFC offers increased protections.
Here are three primary features of NFC security:
- Proximity. NFC has a very small transmission zone, merely inches. This poses a challenge to thieves who would need to stand very close to the terminal in order to intercept the transaction.
- User Initiation. The user must initiate the transaction between their device and the NFC-enabled terminal, and usually provide secondary verification like a PIN code, fingerprint, or facial recognition in order to complete the transaction.
- Secure element validation. This is similar to the validation process for EMV chip cards. After a connection is established between the NFC terminal and the customer’s device or contactless card, the secure element chip within the device or card must validate the purchase. The transaction can only be complete after validation. Instead of transferring card data between the card/device and the reader, a unique digital signature is assigned to every payment.
What are the risks to NFC security?
As with any payment security technology, shortfalls and associated risks always exist. So it’s good to be aware of potential security risks with NFC.
The biggest risk to consider may be the vulnerable nature of the NFC technology that relies on a wireless signal to accept payments. There is always the potential that hackers could access sensitive merchant information stored in the NFC terminal by way of an unsecured wireless connection. Hackers can also use on a consumer’s device, or collect information by tapping their device with another NFC device.
The good news is that these types of security attacks are difficult to carry out. All things considered, NFC-enabled card payments are more secure than traditional swiped transactions. And with payment security solutions like encryption and tokenization, there’s a reduced risk of theft of the physical card and actual card numbers.
It’s also important to note the proactive measures consumers take in protecting their devices makes a difference. For example, locking a smartphone with a passcode, PIN code, password, pattern, or biometrics for logging in, can be very effective. Since mobile wallets reside on a device, when that device is secure, the mobile wallet is secure.
NFC technology presents new opportunities for conducting commerce that appeal to consumers and businesses alike. Tapping a payment is no doubt easier and more convenient than a traditional card transaction. As long as consumers are assured of the security of NFC transactions, the technology holds the potential to fundamentally change — and improve — the payments experience.