How secure are contactless credit cards?

Paying contactless - how high is the security?


Thanks to smartphones and various banking apps or modern EC cards, you as a customer can now easily pay for your purchase in the supermarket without contact. Thanks to NFC technology, payments can be made in seconds without any cash. It's convenient, but how secure is contactless payment and is your personal data protected from third parties?

How does contactless payment work?

Contactless payment works with Near Field Communication, better known as NFC. If your card, smartphone or even your smartwatch comes within a few centimeters of a reader, the data is transmitted in encrypted form. This confirms the payment without contact. As a rule, payments of up to 25 or 50 euros (EC card or credit card) can be made without entering a PIN. You can recognize NFC-enabled credit or debit cards by the radio symbol. The technology is based on RFID (Radio Frequency Identification), a technique for identification using electromagnetic waves.

To make contactless payments in a shop with your mobile phone, you have to use an app such as Google Pay or Apple Pay. For more information about what NFC is, read our tips + tricks article about it. We can reassure you about the concern that incorrect or double amounts may be debited: contactless payment is reliable. On the other hand, there are manipulated devices that can read your data. Read what this is all about and how you can protect yourself against it in the next sections.

How secure is contactless payment?

NFC is now a standard that is often used in our digital everyday life. Security concerns arise time and again. We have put together answers for you on the security risks of contactless payment:

Can third parties use manipulated readers to make a payment from a cell phone or a card from a pocket or handbag?

In theory, data can be read from your debit card or smartphone with a manipulated reader. In public places or in a dense crowd in the pedestrian zone, there is theoretically a risk that third parties can illegally debit amounts. In practice, however, the following counts against it: the perpetrator would have to come very close to you (the distance must be four centimeters or less) and know that you even have NFC-enabled cards. In addition, your device would have to be unlocked and the payment app open. The effort here is greater than the money ultimately stolen - a simple cost-benefit calculation. That is why this type of theft has rarely occurred in practice, despite the fear that the media has conveyed in some cases.

Should the perpetrator still manage to make debits from a smartphone or card, the debits can be digitally tracked using an ID. Another protection for you: Girocard payments by smartphone can only be transferred to German business accounts. It is unlikely that perpetrators would go to the effort of opening such an account under a false name without verification.

Tip: If you are interested in how the theft would work in theory, we recommend the following c't article including a video: "This is how easy it is to fish for money with contactless payments".

Can criminals read the card data using a manipulated reader and then use it in online shops?

The short answer: no. If you save your credit card in a payment app, the original card number is not saved on the smartphone. Therefore, someone cannot read the real data from your Visa or Mastercard with a manipulated reader. During the payment process, a so-called token and "Single Use Key" (Mastercard) or "Limited Use Key" (Visa) are transmitted from your smartphone to the terminal. The token is a kind of pseudo credit card number.

During payment processing, the payment network and your bank check the token and the use key and assign them to your "real" card and person. If the information is correct, the seller receives approval and a transaction ID. If a criminal now reads your token, he cannot use it to pay in online shops. He also lacks your name. So you don't have to worry about third parties reading your card data.
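The token check described above can be sketched as a small model. This is an added example, not code from the article or from any payment network: the `TokenService` class, the key IDs and the rule that the phone sends a cryptogram derived from the single-use key (rather than the key itself) are assumptions of the model, and the card number is a constructed test value.

```python
import hashlib
import hmac
import secrets


class TokenService:
    """Toy model of the payment network's token vault (constructed, not EMV)."""

    def __init__(self):
        self._pan_by_token = {}   # token -> real card number, known only here
        self._unused_keys = {}    # token -> {key_id: single-use key}

    def provision(self, pan, n_keys=2):
        """Give the phone a pseudo card number and single-use keys, never the PAN."""
        token = "99" + "".join(secrets.choice("0123456789") for _ in range(14))
        keys = {i: secrets.token_bytes(16) for i in range(n_keys)}
        self._pan_by_token[token] = pan
        self._unused_keys[token] = dict(keys)
        return token, keys

    def authorize(self, token, key_id, amount_cents, cryptogram):
        """Approve only if the cryptogram matches an unused key for this token."""
        key = self._unused_keys.get(token, {}).get(key_id)
        if key is None or cryptogram is None:
            return None                       # unknown token, spent key, or no key proof
        expected = make_cryptogram(key, token, amount_cents)
        if not hmac.compare_digest(expected, cryptogram):
            return None
        del self._unused_keys[token][key_id]  # the key is single-use
        return "TX-" + secrets.token_hex(4)   # transaction ID returned to the seller


def make_cryptogram(key, token, amount_cents):
    """Phone side: bind the single-use key to this token and amount."""
    msg = f"{token}|{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def demo():
    network = TokenService()
    pan = "4111111111111111"                  # constructed test card number
    token, phone_keys = network.provision(pan)
    tap = (token, 0, 1250, make_cryptogram(phone_keys[0], token, 1250))
    return {
        "token_equals_pan": token == pan,
        "first_tap": network.authorize(*tap) is not None,
        "replayed_tap": network.authorize(*tap) is not None,
        "token_only_online": network.authorize(token, 1, 4999, None) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

In this model, a reader that records the tap sees only the token and a cryptogram whose key is already spent, so replaying the tap or presenting the token alone is declined.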


My smartphone was stolen, what should I do?

You need to act quickly here: call your bank and have the stolen cards blocked. At German banks, this is almost always done via the free number (+49) 116 116 of Sperr-Notruf e.V. If you have lost your card and your smartphone is still at hand, the cards can usually be blocked directly via your banking app.

If the criminal opens the payment app (which is also usually PIN-protected), he or she will see at most the last four digits of your credit card, without the CVC or CVV number. If he sees the IBAN of your Girocard, however, this only enables him to make a direct debit, which can be reversed.

Can double bookings be made?

As soon as the transaction has been successfully completed on the payment terminal, the merchant would first have to activate a new transaction. To do this, you would have to hold your smartphone or card up to the reader again. A double booking is therefore not possible.

What safety precautions can you take?

If you want to disclose as little data as possible, cash is still the best option. When paying with the card, however, considerably less data is generated than when paying with Apple Pay or Google Pay, for example. You should always be aware that you are providing the providers of these services with data about your shopping behavior.

If you are concerned about your personal data being stolen, we have the following tips for you:

  • Inform your bank that you want to deactivate contactless payment. If necessary, justify this and ask for a new card that is not NFC-capable.
  • If not required, deactivate the NFC function on your smartphone. It is then no longer possible for your data to be read out contactlessly via a manipulated device.
  • Get special RFID blocking covers or wallets that prevent your data from being read by unauthorized third parties.