The Financial Conduct Authority (FCA) has set out measures to tackle contactless card fraud as a security flaw means tricksters can continue to spend on them after they’ve been reported lost or stolen.

Contactless card use is increasing as more than 100 million contactless cards are in issue in the UK, with the average transaction standing at £8.95, according to the UK Cards Association.

However in 2016, of the £25.2bn spent via this payment method, there was £6.9m losses from contactless and mobile device technology. This is the equivalent of 2.7p per £100 spent, down on the 3.6p per £100 reported in the year earlier. In 2015 £7.75bn was spent using contactless technology, with £2.8m fraud reported.

How are tricksters able to commit fraud?

In a letter published today John Griffith-Jones, chairman of the FCA, wrote to Andrew Tyrie MP and chairman of the Treasury Committee, to explain contactless card fraud.

Commenting on the fraud figures, Griffith-Jones said that while the risk to consumers is “relatively low”, the FCA agrees that public confidence in contactless technology “could be eroded without further action”.

He explained that unlike some other forms of fraud, contactless card fraud can be easily identified by card issuers as they can identify transactions made on a card that is reported as lost or stolen.

However the risk of fraud comes when merchants process payments offline – currently 45% of transactions are made offline  – as it may be more cost-effective or because it’s not possible to do so online, such as on flights mid-air. This is where payments are taken in batches and processed later, usually overnight by large retailers, but a few days for smaller retailers.

While the FCA can’t publicise exactly how the fraud is then committed to “avoid fraudsters gaming the controls,” an investigation in 2015 revealed the ease at which sensitive personal information can be decoded after items were purchased via contactless card-reading technology. The data was then used to successfully place orders for expensive items online.

What steps is the FCA taking?

While most card schemes place a £30 limit on the value of a transaction, and consecutive transactions require customers to input their pin, Griffith-Jones said Visa and Mastercard have an unpublished lower cap on the value of transactions that are allowed to be processed offline. Later this year Visa will require all contactless transactions to be authorised online to prevent transactions being completed on cards that are reported lost, stolen or cancelled which should “significantly reduce contactless card fraud”.

The FCA said it wants to see all contactless card issuers identify and block cancelled card transactions before they’re debited from customer accounts.

Griffith-Jones wrote: “These controls explain why fraud and consumer losses in the contactless environment remain relatively small. However it remains that there are currently a limited set of circumstances where a card can be used by a fraudster several months after it has been cancelled.” As a result the FCA is exploring the following:

• Removing any onus on customers to identify fraudulent transactions.
• Technical enhancements to reduce the likelihood of post-cancellation contactless card fraud.
• Making the option of having a non-contactless card more visible during card issuing.
• Improving customer communications at time of cancellation.
• Providing clarity to customers on the clearing times for contactless payments.
• Raising awareness of the Industry Hot Card File which has information on over 7.2 million UK cards that have been reported lost, stolen or compromised. Retailers can check the file to see if there’s a match before processing payments.

‘Package of measures is welcome’

Tyrie responded: “As things stand, in order to mitigate the risk of fraud, customers are expected to comb through their bank statements months after they have instructed their banks to block their lost or stolen cards. That seems unreasonable. The Treasury Committee has urged the FCA to sort this out.

“So the package of measures to resolve this problem, which the FCA proposes in their letter to the Committee, is welcome.

“One of the FCA’s operational objectives is to ‘secure an appropriate degree of protection for consumers’. The Committee will do what it can to hold the FCA to it.”