Jul 29 2020

How Contactless Payments Can Help Federal Agencies Limit Coronavirus Spread

Finally catching on among consumers, tap-to-go cards and mobile wallets offer hygienic alternatives to traditional payment methods at federal sites.

For federal agencies that accept in-person payments, rethinking common touchpoints — including point-of-sale terminals — represents a critical step in curbing the spread of COVID-19.

According to recent data from the National Institutes of Health, the Centers for Disease Control and Prevention and Princeton University, the new coronavirus “is stable for several hours to days in aerosols and on surfaces.” That means that if an infected customer touches a POS system that isn’t properly disinfected between transactions, later customers and even workers are at increased risk of catching and further spreading the virus.

Contactless payment systems have the potential to reduce this risk significantly by enabling agencies to offer no-touch transactions. They also deliver the knock-on benefit of increased transaction security — a feature that in isolation hasn’t been enough to drive mainstream adoption of the technology. The COVID crisis, however, has tipped the scale: CNBC reports that more than 51 percent of Americans now use some form of contactless payment, opening the door for government agencies to follow suit.

How Does Contactless Payment Work?

Unlike swipe-and-signature or even chip-based cards, which exchange payment information upon insertion into a POS system, contactless payment methods such as tap-and-go cards and mobile wallets transfer financial data via near-field communication technology.

With NFC, contactless-enabled POS systems generate a small radio frequency field that powers up a smart chip embedded within the user’s credit card or smartphone; this initiates the transfer of payment information via an encrypted transaction, Business Insider reports.

While this data exchange occurs in just seconds, it can only take place when the card or phone is in very close proximity to the POS reader. “Get within about 1.5 inches of the payment device, and it will let you pay by transmitting cryptographic signals that are very secure,” explains ISACA board member Rob Clyde.

MORE FROM FEDTECH: Find out how the IRS wants to use mobile tech to collect overdue taxes.

Can Contactless Payments Help Slow the Spread of COVID-19?

As government agencies continue to prioritize worker and citizen safety amid the COVID pandemic, implementing or expanding the use of contactless payment technology offers clear benefits.

“Since contactless cards don’t always require a PIN or signature, it eliminates the need for patrons to physically touch the pin pad or signature pen,” says Robert Comer, program executive officer for the Defense Commissary Agency’s Information Technology Group. DeCA is in the process of rolling out key POS upgrades, but the agency already accepts tap-and-go cards, as well as mobile wallet applications such as Apple Pay and Google Pay.

The National Park Service, which adopted contactless technology in 2017, also acknowledges the safety advantages of alternative payment methods. “Cashless transactions allow our staff to maintain social distances while collecting park fees,” says an NPS spokesperson, who added that the change contributes to safe and positive visitor experiences.

Are Contactless Payments Safe?

Despite the increased safety offered by contactless payment transactions, misconceptions about the technology cause some to question its security effectiveness. ISACA’s Clyde cites one myth in which malicious actors place wireless listening devices in a narrow hallway to capture card data as users walk by.

“None of it is true,” Clyde says. “Listening in won’t get you the information, even at the POS.” That’s because contactless payments never send a user’s actual card number over the air to the POS terminal, or over the internet to the bank or credit card company for authorization; instead, they create and send a unique, one-time token that enables secure payment.

“The only place your credit card information is known is at the bank and the credit processor,” says Clyde, explaining why the one-time token is of no use to bad actors, even if they were to intercept it.

According to Clyde, the tokenization process gives contactless payments a significant security advantage over swipe-and-signature credit cards, because “anybody with a strip reader can read that card and commit fraud.” In the case of contactless payment, he adds, “fraud processes would need to occur inside financial firms to compromise transactions.”

DISCOVER: Learn about the basic building blocks of zero-trust security.

How to Combat the Disadvantages of Contactless Payments

Contactless payment isn’t a perfect system, though, as it is still vulnerable to physical loss or theft. Many tap-and-go card users, for example, can make purchases of up to $75 without the need for PIN entry or other authorization, exposing them to potential fraud if cards go missing. Clyde suggests that mobile wallet applications are the more secure option since smartphones are often protected by a combination of PINs, fingerprint sensors and facial recognition tools, making it harder for attackers to access card data if the device falls into the wrong hands.

There’s also the potential that hackers will develop new approaches as no-touch terminals become commonplace. “The new fraud might be pictures of your card rather than physical theft,” Clyde says, explaining that high-quality photos of card numbers and card verification values could allow cybercriminals to create NFC-enabled doppelgangers.

To combat potential threats, government agencies must adopt a due-diligence approach to data protection at the point of sale. Regulations such as the Payment Card Industry Data Security Standard (PCI DSS) also play a role in protecting consumer information, as they lay out specific rules for handling financial data.

“DeCA’s POS systems are audited annually to ensure they remain PCI compliant,” Comer says. “Maintaining PCI compliance is our best defense against experiencing a data breach. It also reassures our customers that it’s safe for them to use their credit and debit cards when shopping at a commissary.”

Examining Potential Payment Apps and Options

Beyond safety and security concerns, government agencies will need to think through a laundry list of other considerations before deploying contactless payment. For instance, agencies must identify which mobile wallet applications they’ll accept, and then register with those payment providers, BizTech reports.

On the device front, agencies can choose from either NFC-enabled POS systems or dedicated contactless payment terminals. Software selection is also important, especially for agencies that opt for the latter device type.

According to Clyde, the industry is working to standardize POS and contactless devices to prevent interoperability issues that might otherwise limit adoption. This allows federal agencies to base purchasing decisions on form factors, transaction speed and other characteristics that will contribute to the speed, safety and convenience of contactless payments, and make them a worthwhile investment long after the current crisis has passed.

Ridofranz/Getty Images

Learn from Your Peers

What can you glean about security from other IT pros? Check out new CDW research and insight from our experts.