February 23, 2011
(From MasterCard’s “The Heart of Commerce” Blog)
MasterCard first introduced PayPass in 2003, and since then it has expanded around the world – securely enabling more than 88 million cardholders in 36 countries to use PayPass to “Tap and Go” at 276,000 merchant locations worldwide.
Unfortunately, there are people who are trying to scare you about using your contactless card, saying that thieves can “electronically pickpocket” you for fraudulent purposes. But you should take comfort knowing there is very little truth to the reports of this kind of fraud. In fact, the people making these allegations in the media often have a product they want you to buy.
The truth is that even in the unlikely event someone was able to fraudulently access your PayPass card details, they would only have a minimal amount of information, which is typically not enough to make a counterfeit card or conduct payment transactions, either in person, on the phone or online.
MasterCard is truly committed to protecting you from fraud, and we want to give you peace of mind and the real facts on these sales “scare tactics”. Let’s take a look at the myths and the realities of contactless payments:
| MYTHS | REALITIES |
| Fraudsters can electronically pickpocket your contactless card/device information to create a counterfeit card for purchases at the point of sale | Due to a microchip that’s embedded inside the PayPass card and because of its advanced encryption technology, it is extremely difficult to copy a PayPass chip and create a functioning counterfeit version of that card.
In addition, it is unlikely that the details from the PayPass chip could be read and then copied onto the magnetic stripe of a counterfeit card. This is because only a minimal amount of information would be accessible – and not the same information that would be be used on a magnetic stripe to conduct payment transactions at the point of sale. A PayPass card only sends the account number and the expiration date of the card to a reader, along with a dynamic, one-time-only number that uniquely and securely identifies each specific transaction. PayPass cards do not send the CVC2 code (the three-digit code on the back of the card) or any billing address or zip code information. Importantly, the PayPass chip doesn’t even have your name on it. |
| Fraudsters can electronically pickpocket your contactless card/device information to make purchases online or by phone | For a purchase to be authenticated and authorized via phone or online, typically several pieces of information must be presented – such as the personal account number (the number on the front of the card), expiration date, the CVC2 code (that three-digit number on the back of a card), and the cardholder’s billing address.
The chip on a PayPass card does not send the CVC2 code or any billing address or zip code information. It doesn’t even have your name on it. This minimal amount of information is typically not enough to conduct payment transactions, either in person, on the phone or online. |
| Fraudsters can electronically pickpocket your card/device information for identity theft | There is a clear distinction between identity theft, where a consumer’s identity is assumed by another individual for criminal purposes, and payment card fraud, where a consumer’s card information is compromised and used to make unauthorized purchases.
Because PayPass cards only send a minimal amount of information, there is very little risk of actual identity theft. PayPass cards do not send any billing address or zip code information. The chip on a PayPass card doesn’t even have your name on it. In addition, no payment card ever has personal information like your Social Security number on it. |
| You are responsible for purchases made with fraudulent contactless cards/devices | You are protected by MasterCard’s Zero Liability Policy, which means you are not held liable for unauthorized fraudulent transactions. |
| Contactless cards/devices are less secure than magnetic stripe cards | In many ways, PayPass cards provide more control, since the card doesn’t actually leave your hands to be swiped by a merchant. Also, the PayPass chip does not contain your name. The authorization process for PayPass transactions differs from that for magnetic stripe transactions – PayPass transactions generate a unique authorization code for each transaction, meaning it cannot be reused or replicated for fraudulent transactions |
Hopefully, knowing all of the facts (and seeing through the fiction) helps ease your mind if you have a PayPass card. Here are some more tips and resources to help you stay fraud free when you use your MasterCard payment cards.
Also, we urge merchants to continue to do their part when they accept MasterCard cards – making sure they require all of the right cardholder details at the point of sale or online, such as the three-digit CVC2 code to be entered. This will also help prevent fraud for their customers and for themselves.
If you have more questions or concerns about PayPass, we urge you to go to http://www.mastercard.us/support/paypass.html.
Oliver Manahan
Vice President of Emerging Payments
Oliver Manahan is the Vice President of Emerging Payments with MasterCard.
In his role, Mr. Manahan is responsible for managing all aspects of MasterCard’s chip programs. Mr. Manahan has been with MasterCard since May 2006 and works closely with customers in defining and executing new payment strategies.
Prior to joining MasterCard, Mr. Manahan was with Visa Canada for nearly a decade in the emerging products area. Mr. Manahan started his career in the Information Technology field, with companies such as Mercedes-Benz and Pepsi.
Mr. Manahan is MasterCard’s Board representative on the Smart Card Alliance and co-chairs its Payments Council.
We’re always on the lookout for opportunities to partner with innovators and disruptors.
Learn More