Is NFC Payment Safe?

by Sandra Henshaw, Last Updated on November 20, 2017, How To Guides

Thinking about using your mobile to make payments at shops, online or bricks and mortar? Then you might be wondering just how safe and secure those payments will be. With online identity theft and well-publicised hacking of financial firms, payment security should be high on your list of priorities. That’s why we’re taking a look at NFC payments and security so you can decide whether this payment method is appropriate for you or not.

What is NFC?

NFC stands for Near Field Communication, and very basically this is a communication protocol. If your mobile has NFC (you’ll need to dig into the settings menu and switch it on if so), it will be able to “talk to” another device that also has NFC. For the most part this is used in a similar way to how you’d use a contactless credit or debit card. Switch on NFC on your phone, enrol with an online payment company (or “digital wallet”), and once you get to the cash desk at certain stores you can simply tap your phone against an NFC receiver to send payment automatically.

There are plenty of advantages to using NFC. It’s fast, it’s convenient, you don’t need to carry cash or cards around with you, just your phone. However, not a lot of stores are equipped with NFC yet (though that’s changing rapidly), and many people have security concerns, which is what we’re here to address.

What are My NFC Options?

Currently there are three main NFC payment services around. Apple Pay is the big service for iOS users, whether that’s iPhone owners or Mac computer users. Android Pay is the service used by the majority of Android phone users. And finally, if you’re a Samsung owner then that manufacturer also has its own NFC payment service called Samsung Pay. For the most part, which service you use will be dictated by what kind of phone you’re using. But the real question is how safe is each of these services?

Apple Pay and Security

Launched in 2014, Apple Pay is the service used by iOS owners. Like most apps of this kind, Apple Pay uses something called “tokenisation” to ensure privacy and security. This means that the app uses virtual account numbers, rather than your real account number.

Tokenisation is a bit complicated, but it’s an important concept to understand, since most online payment services use it. You enter your credit card number into the app, and that number is then encrypted and sent to the Apple servers. The servers decrypt the account number, add your credit card’s payment network to the account number info, and then encrypt that again using a key that can only be unlocked by your credit card network. But we’re not done yet…

Your credit card company receives this encrypted info from Apple, decrypts it, authorises the use of the card with Apple Pay, then produces a DAN (Device Account Number). This DAN is basically a different credit card number (that is still connected to your existing credit card account) that is used only by your specific phone. The credit card company encrypts this DAN, sends it to Apple (who do NOT have the key to decrypt it again), and Apple then adds the encrypted DAN to the Secure Element (SE, a special, ultra-secure part of the memory on your mobile) on your phone. Boom. We told you it’s complicated, and that should give you an idea of just how secure it is. Apple do not have the account number necessary to make payments, and only your phone can decrypt the account number needed to make a payment.
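
The provisioning flow described above, as an added sketch that is not Apple's code and not part of the original article. The cipher is a toy built from HMAC-SHA256 standing in for real encryption, and the three keys (assumed to be already shared between the parties), the `EXAMPLE-NET` name, the `DAN-` format and the test card number are all made up for illustration.

```python
import hashlib, hmac, secrets

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # Toy keystream (HMAC-SHA256 in counter mode), a stand-in for a real cipher.
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or tampered message")
    return _xor_stream(_subkey(key, b"enc"), nonce, ct)

def can_open(keys, blob):
    # True if any of the given keys decrypts the blob.
    for k in keys:
        try:
            unseal(k, blob)
            return True
        except ValueError:
            continue
    return False

def provision(pan, network=b"EXAMPLE-NET"):
    # Assumed keys: phone<->Apple, Apple->network, network<->Secure Element.
    k_phone_apple, k_network, k_se = (secrets.token_bytes(32) for _ in range(3))
    to_apple = seal(k_phone_apple, pan)                      # phone -> Apple
    tagged = unseal(k_phone_apple, to_apple) + b"|" + network
    to_network = seal(k_network, tagged)                     # Apple -> card network
    card, _ = unseal(k_network, to_network).split(b"|")      # network decrypts
    dan = b"DAN-" + secrets.token_hex(8).encode()            # network issues the DAN
    vault = {dan: card}                                      # only the network maps DAN to card
    to_phone = seal(k_se, dan)                               # relayed by Apple, still sealed
    return {"apple_can_read_dan": can_open([k_phone_apple, k_network], to_phone),
            "dan_in_secure_element": unseal(k_se, to_phone),
            "card_behind_dan": vault[dan],
            "relayed_blob": to_phone}
```

Calling `provision(b"4111111111111111")` with that constructed test number returns `apple_can_read_dan` as `False`: every key the relay holds fails on the sealed DAN, while the Secure Element key opens it.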

Other than tokenisation, Apple Pay also protects you with the “Find My Phone” service, which will allow you to remotely wipe your Apple Pay account and all payment details should your phone be lost or stolen.

Android Pay and Security

Android Pay works in a very similar way and also uses tokenisation. There’s one big difference though. With Apple Pay your encrypted DAN (that special account number only your phone can use) is stored on your phone itself. With Android Pay that DAN is stored instead in the cloud (using something called HCE or Host Card Emulation).

This is important to you for two reasons. Firstly, it means that memory on your phone isn’t being used. Secondly, it means that stronger security measures can be used to keep your info safe (since the cloud can use tons more processing power and memory than your phone can to keep your account number secure). In this respect, Android Pay is slightly safer than Apple Pay.

Samsung Pay and Security

Again, Samsung Pay is very similar to the above versions. Tokenisation is used, and Samsung Pay stores your DAN on your phone (like Apple Pay does). However, it also uses a special security protocol to further protect that DAN once it’s on your phone. So again, we’re looking at something that’s pretty safe.

But What if My Phone is Stolen?

Easy, convenient, sure, but what happens if someone gets their hands on your phone? Can they use it to access your payment service and then go shopping? It’s highly unlikely. All three of these payment services require an additional level of security before a payment can be made. When you’re at the cash desk you’ll not only need to tap your phone against the NFC receiver, you’ll also need to give it permission to send money.

For the most part, there are two options. You can enter a PIN code (which means that NFC payments are as secure as your credit or debit card). Alternatively, and for better security, you can use a biometric lock. This means that you’ll either scan your fingerprint or your face in order to authorise payment.

The bottom line here is that yes, NFC payments are pretty secure. At least as secure as your credit or debit card, and potentially even safer if you use a biometric lock. There’s no need for you to worry about using your phone to make payments. If you’re confident using a card to pay, then using your phone should be no different.