PETALING JAYA: Visa has reiterated that its contactless card solution is safe.
They said this in response to recent reports questioning the safety of Visa PayWave and a YouTube video apparently demonstrating the ease with which data could be lifted from contactless cards.
“While there are demonstrations showing how credit card details can be lifted through a contactless card, this scenario is complex to execute in reality,” it said in a statement today.
It said the theft of the card number and expiry date offered in itself very limited potential for fraud because of the many layers of security that protected Visa PayWave transactions.
“Visa PayWave-enabled cards contain an embedded chip that uses advanced cryptography where a unique code is generated for every single card-present transaction, which is used to authenticate the transaction.”
As for concerns that the stolen data could be used for card-not-present transactions, Visa said it had in place enhanced security for the e-commerce channel such as Verified by Visa, which was based on internationally recognised 3D-Secure standards.
“Whenever an online transaction is attempted at a merchant that supports Verified by Visa, cardholders are asked to authenticate themselves to their issuing bank using a one-time-password (OTP), according to bank practices in Malaysia, which are similar to Internet or mobile banking authentication requirements.
“Where merchants choose not to support Verified by Visa for various business reasons of their own, they will always assume the liability for fraud.
“However, these merchants also adopt various other risk mitigation such as the validation of CVV2, a three-digit security code, and fraud detection solutions to minimise the opportunity for fraud.”
It said there had so far been no reports of fraud from card-issuers or law enforcements globally stemming from such electronic pickpocketing.
“To mitigate and secure Visa transactions, all transactions processed by Visa’s global processing network, VisaNet, are analysed in real-time for their fraud potential.
“Visa is able to use a comprehensive view of the global payments system to identify fraud patterns and detect suspicious transactions right at the check-out.”
It said cardholders should notify their issuer promptly of any unauthorised transaction. Should a cardholder provide sufficient evidence to the issuer, the cardholder will not be liable for such transactions.
Visa was responding to the claim by the National Union of Bank Employees (NUBE) that there were devices that could read the information stored magnetically in the new cards, as millions of Malaysian ATM and credit card users are being advised to switch to PayWave-enabled cards.
Bank Negara Malaysia had given ATM, debit and credit card users until the end of December to switch to PayWave-enabled cards, which replaced signatures with a PIN (personal identification number) for verification.
NUBE assistant secretary-general A Karuna said the authorities and banks, especially Bank Negara Malaysia, had yet to guarantee the security of the PayWave system.
“Other people can steal information,” he told FMT, pointing to a YouTube video detailing how information could be stolen from PayWave cards.