Is Visa PayWave secure?

The secret of credit card transaction security is that by law (in many jurisdictions) the card issuer is responsible for fraudulent transactions after a certain limit, not the card holder. Since they already assume the bulk of the liability, most (all?) simply make the jump to say that the card holder is not responsible under any circumstances for fraud.

This means that card security is simply a cost-benefit trade-off for the issuer. It's worth the cost for the issuer of writing off a certain amount of fraud if in exchange they get a reasonable return for the policy. Hence the $100 limit; Visa is confident that within that range, they can detect fraud reliably enough to make it worth their while to remove certain security measures.

Therefore, whether or not it's secure is their problem, not yours. Obviously you have to actually report suspicious transactions. This makes it a bad idea to keep an account open that you don't monitor. But that has always been the case.

This is really the way it should be. If the party liable for security is the one in the best position to implement it, then the level of security you get tends to be appropriate for the value of the thing that's being secured.


Visa and other credit card manufacturers use the EMV standard to authenticate credit/debit card transactions. The Wiki article explains it better than I can, but this is a highly technical topic - it will take time to read and understand.

You should also see the answers to similar questions about NFC/RFID/EMV.

Essentially though, the demonstrated cloning attacks get you a single transaction within the no-PIN limit ($80 to $100 in most cases). There are probably significant difficulties involved in wardriving (war-NFC-ing?) amongst the general population - least of all is getting paid without being caught. AFAIK no one has demonstrated the ability to clone a payment terminal.

And finally - we always trade off security for convenience. Do you have two locks on your front door? Three? Eight? Do you walk around in protective padding? Do you wear a bulletproof vest to school?

The tradeoff here is a reduction in transaction time from ~15 seconds to ~2 seconds. Add it up over millions of people and trillions of transactions and you're looking at significant time savings. Is this worth the extra risk? The card issuers seem to think so - and have publicly promised to reimburse customers for losses that are caused by security problems.


This is a marketing document, with a few weasel words:

  "They carry the same multiple layers of security"

What they mean is that:

  • Contactless cards have the same level of tamper-resistance around the chip as direct-contact cards.
  • The data-level communication protocols (EMV) are the same for both physical interfaces.

What they're leaving out is:

  • If you can carry out a transaction without typing a PIN, then anyone can walk around with a portable terminal (e.g. a smartphone with NFC and appropriate software and keys, or a bank-issued terminal) and initiate a transaction.

It's the combination of allowing transactions with a single authentication factor (being in proximity with the physical device), and that authentication factor being weak (it's not even what you have, but what is nearby), that introduces a significant weakness.

Indeed, with PayWave, or any scheme that similarly reduces the strength of authentication for the sake of convenience, the burden is on you to contest any charges. Depending on the jurisprudence in your locale, it may be easy or difficult to contest charges (the US is rather favorable to the consumer in this respect; the banks have a lot more clout in European countries).

Before you return your card in anger, consider that just by having a credit card at all, you are already taking a bigger risk. Your credit card can be used online by someone who has never been physically close to it: all that's needed is to find out the 16-digit number, and (for most but not all merchants) the expiration date and the 3- or 4-digit number that are sitting in the databases of every merchant you've made purchases from (they aren't supposed to store these, but many do). Making purchases with a credit card already doesn't require providing any truly confidential data such as a PIN; contactless payments are not new in this respect.