Until now, card users could use an RFID-enabled card (ones with a wave or field-like icon on them) to make contactless payments only up to Rs 2,000. In the wake of the Covid-19 pandemic, the Reserve Bank of India
(RBI) recently wrote to the country’s payment networks—Visa, Mastercard, and the National Payments Corporation of India—asking them to enable contactless payments for purchases of any amount. This has set the stage for the usage of these cards to grow.
Experts hold conflicting views about whether contactless cards are riskier than contact cards. “These cards are also EMV-chip-based, which, as we know, is the gold standard in terms of security,” says Manish Patel, founder and CEO, Mswipe, a provider of mobile point of sale (PoS) terminals to merchants.
Developers of these cards have incorporated several safeguards to prevent hacking of the data transmitted between the card and the reader. “It is encrypted. Also, it is a single-use message that cannot be used repeatedly,” says Surinder Chawla, head - retail liabilities and wealth management, RBL Bank.
Cyber security experts, however, say there have been cases abroad of electronic pickpocketing. A criminal with a hidden card reader comes very close to the victim and deducts money from his contactless card. “Technologically, anything is possible. But realistically speaking, this is not easy to pull off. The terminal has to be as close as 4 cm from the card,” says Arvind Ronta, head of products - India and South Asia, Visa. Besides, he says, customers will receive an SMS alert immediately if such a thing happens. Withdrawals above Rs 2,000 will require a PIN, which will act as a further safeguard.
The more realistic risk, according to experts, arises is if the owner loses the card and is not aware of it. “If you lose a contact card, you are protected because the criminal does not have your PIN. But in these cards you don’t need a PIN for transactions below Rs 2,000,” says Patel. The important thing hence is not to lose possession. “Do not hand over this card to anyone, such as a waiter in a restaurant. Keep it in your possession at all times,” says Bharat Panchal, chief risk officer - India, West Asia & Africa, FIS, a global provider of financial technology software, services, and solutions. He adds that as with all cards, customers have to be wary about not sharing their PIN, even inadvertently.
These are early days for contactless cards in India, so one does not know what mechanisms hackers will come up with to exploit vulnerabilities. Hence, users need to exercise a few precautions. “The RBI should ask card providers to issue all such cards in cases lined with aluminium foil,” says Prashant Mali, president and founder, Cyber Law Consulting.
Until that happens, you should, on your own, keep such cards wrapped in an aluminium foil. Doing so will prevent transmission of signal and thereby safeguard you against electronic pickpocketing. Mali says RBI should mandate that when such frauds are reported by customers in time, the money should be auto-credited to their account.
“Customers should not be made to run from pillar to post. Only doing so will make them more trustful of this payment mechanism,” he says. Pavan Duggal, a Supreme Court
lawyer and cyber law expert, is of the view that the Information Technology Act of 2000 is an inadequate deterrent for cyber criminals. “Now that the usage of contactless cards is set to grow in India, the government needs to come up with a dedicated cyber security law,” he says.