How high can the contactless card limit go without two-factor authentication?

The spending limit for contactless cards has reached an eyebrow-raising triple-digit figure – £100 – raising questions about the need for user authentication

UK citizens will be able to make payments of up to £100 using a contactless card from next month, but the three-figure sum has raised a few eyebrows.

The increase, first announced in March, will see the new limit take effect on 15 October.

Contactless payment technology was introduced in 2007 with a £10 spending limit. That limit increased gradually to £30 by 2020, but has seen significant increases during the Covid-19 pandemic. It was increased to £45 in April last year and now, just over 12 months later, it is to more than double.

When the pandemic took hold, people were told to limit physical contact, including reducing their use of cash. Contactless payment technology, as the name suggests, was an ideal replacement for cash because, unlike mobile phone payment apps, most people already used payment cards.

The figures confirmed this. Following the decision to increase the limit on contactless payments to £45, the average value of contactless payments increased by 29% in 2020 to £12.38, up from £9.60 in 2019, according to figures from Barclaycard. The card company also found that 88.6% of total UK card payments in 2020 were contactless.

Following the announcement of the October increase to the three-digit spending limit, Rishi Sunak, chancellor of the exchequer, said: “[This] will make it easier than ever to pay safely and securely – whether that’s at the local shops, or your favourite pub and restaurant.”

However, although the rise has been largely welcomed, it has also raised a few eyebrows.

A question of authentication

Possession of a contactless card is all that is needed to make a payment, with no authentication required to link the user to the card – although, after a few payments are made, the card user will be prompted to enter a PIN.

Payment methods such as Apple Pay, which have no limit on spending, require the presence of the phone associated with a bank account as well as a fingerprint or face ID.

This raises the question: how high can the contactless card limit go before additional authentication is required?

David Bannister, chief analyst at Bloor Research, said the increase was widely anticipated, but that “some people were wary of going to £100 in one go – more than double the current limit”.

He said people were wary even of the £10 it started at, and that they would still be wary, “but acceptance is still rising, so confidence is not an obvious problem”.

But he added that some smaller retailers might be more cautious and choose to set a lower limit. “This was once the case with stores setting their own floor limit for credit cards,” he said.

Bannister said he expected two-factor authentication (2FA) of some sort would be needed for the limit to go much higher.

Celent analyst Zilvinas Bareisis agreed. “For transactions over £100, few people will complain if they are asked to enter a PIN code,” he said. “I think the move to allow a higher limit is sensible.”

He said acceptance of contactless payments had increased rapidly. “A £100 threshold seemed unthinkable when contactless payments were introduced, but the payments industry and the way it manages risk has evolved since then and the contactless limits have been rising accordingly,” added Bareisis.

He said that, in theory, there was no limit to how high it could go, with some countries not setting limits. The challenge, he said, was that although it is possible to verify that the card is authentic, without cardholder verification it is not possible to know whether the card is in the right hands. “The higher the limit, the more attractive the card is to thieves and criminals.”

Biometrics could be the answer

Bareisis said it would be interesting to see how consumers react to the new limits. “If they raise concerns about increased risks, banks might be more interested in investigating biometric cards.”

Contactless transactions made via smartphone apps such as Apple Pay benefit from device-based cardholder authentication methods, and already don’t have the same limit as plastic cards, as long as the merchant can handle the transaction. One possible solution is to build cardholder verification mechanisms, such as biometrics, into the cards themselves – the technology is available, but the main issue is additional cost.

Aite-Novarica analyst Ron van Wezel said raising the limit to £100 would make contactless cards more attractive for fraudsters, but added that it was not a straightforward crime to commit. “The criminal would need to steal the card as it is not feasible to forge/copy an EMV card,” he said.

Van Wezel added that card providers also have automated systems to protect customers. “The issuer’s fraud systems will filter fraudulent transactions to a certain extent, and block the card when it is reported as lost or stolen. So the risk for the issuer is limited,” he said.

He added that consumers were protected as most banks operate under a voluntary agreement where cardholders are not responsible for fraud, provided they have not acted negligently.

According to the most recent figures from trade body UK Finance, contactless-only fraud equates to 2.5p in every £100 spent.
