To those living in technologically advanced countries it might sound strange. But yes, here in Germany people do have a noticeable fear of PayPass.
I moved here two years ago and during that time I’ve witnessed a huge revolution in the field of payment methods. A revolution that is still way behind where Poland (Poland!) was already five years ago!
Germany has its own plastic cards, EC Karte. They suck, because you can’t use them abroad. For this extraordinary whims I needed to request a special credit card – which had no direct connection to my bank account, but got accounted for after each month. For some it’s a nice feature, but I didn’t really need a credit card, instead it was just messing up with my control of spending. Also, I needed to wait for half a year after moving in before the bank would even consider letting me have it.
When they finally sent me one, the attached leaflet announced very proudly: our awesome card has a super-über-top-notch-new technology – PayPass! Dude, are you kidding me? That’s a technology I was using for as long as I can remember, in a country with a GDP 7 times smaller than Germany!
But yes, it really was a novelty here. The number of shops that accepted Visas and Master Cards, as opposed to only EC Karte, used to be quite low, but slowly went up and up over the last years. Those who did start to accept international cards, are now slowly starting to allow contactless payments with them as well. I switched a bank, this one is very modern, they offer a Visa card as the default and the EC Karte just for the old-fashioned stores. It all goes forwards – but not without problems...
Recently, a cashier who saw me pay with PayPass, started chattering about how she has heard it’s dangerous, but how nice and quick it looks, but how dangerous it is, but how quick, but she would be to too afraid, but...
My boyfriend went one step further and installed a Vodafone Wallet app. When he tries to pay with his phone, he always get a surprised look at least. And once, the cashier even threatened to call the cops, because she was sure it has to be some kind of a swindle!
He works at a reception in a 4-star hotel. Guests from other countries are shocked, now far behind them Germany is when it comes to technology (not only regarding payments, for instance using paper registration forms, instead of just scanning an RFID chip in their photo IDs). Whereas Germans often try to go as far back in time as possible, very often even disabling the standard chips on their credit cards, making the receptionist type its number into the terminal manually. Seriously.
It’s like a huge, nation-wide paranoia.
The truth is, credit cards are insecure by design. Theoretically, all you need to know to charge someone’s card, is a 16-digit number and the expiry date. Not all systems even require the security code.
As a counterexample: if you log in to Facebook, your password gets sent over an encrypted connection using a long cipher and it gets stored as an irreversible hash – so that not even Facebook knows your password! If you log in on some other website using a Facebook account ( OAuth), that website has even less information about your credentials, because it’s totally relying on Facebook to confirm your identity.
With credit cards, however? You can’t be sure, if the terminal some shop is using is an actual terminal, or do they just read your credit card information and store it somewhere. You can’t be sure if a cashier doesn’t just read and memorise your numbers to use them later, do you?
Credit cards rely on some plain-text information that is often stored without any encryption (for instance in hotels or car rental companies). And that super important plain-text information is simply printed out on the plastic you’re using!
PayPass is just a method of providing that information from the card to the terminal. The information that somebody could theoretically just snap a picture of, while you take ages to provide digit by digit. If you think about it – the quicker you get the payment over with, the less you expose your CC information, and the more secure you are.
Except, this whole paranoia is quite baseless. Because apart from just the CC number, you also need a bank that will execute the transaction. They won’t authorise any payment from an anonymous guy using a home-made terminal, no matter how well does he know the numbers on your card. Which shop would risk their reputation and customers’ trust to unlawfully capture more money than they’re entitled to? Especially when the bank can simply revert all such attempts.
In terms of cryptology, credit cards are almost like a door left open. They definitely should get replaced by something more modern and secure soon. But we’re using them anyway, because they’re good enough. It’s the system around them that makes them secure.
So it doesn’t really matter that much, if you’re paying with PayPass or not. You can just let yourself use the more comfortable option without fear.