The security technology in contactless cards makes them more resistant to fraud than standard magnetic stripe cards, but banks have been reluctant to tout this improvement to their customers.
Instead of telling customers how potent the contactless technology is in preventing fraud, contactless card issuers have preferred to focus on their reimbursement policies when fraud does occur.
"What we find is that many of our customers … are not that interested in that level of technical detail," Tom O'Donnell, a senior vice president at JPMorgan Chase & Co., said in a recent interview.
JPMorgan Chase has issued nearly 10 million contactless cards since 2005 under the brand name Blink but does not proactively discuss the cards' improved security.
The banking company gives information about the cards' security capabilities to employees and, in more general terms, on its Web site but does not use this information in its marketing. Consumers looking for this information can find it, Mr. O'Donnell said, but the bank does not initiate the discussion.
"Questions around safety and security around contactless, we have found to be very infrequent, statistically insignificant," he said.
Critics have warned that contactless cards, which transmit data to card readers, are vulnerable to portable skimming devices that, for example, could be used to quietly obtain card information in a crowded subway car.
However, Mr. O'Donnell said that very few people have expressed concern. Instead, customers' main worry is that they not be held liable for any fraudulent charge, on any kind of card, so JPMorgan Chase stresses its zero-liability promise, which applies to both contactless and magnetic stripe cards.
"For the most part … safety and security is met by the fact that we have zero liability," Mr. O'Donnell said.
American Express Co. similarly stresses that "card members are not held liable for any fraudulent charges," according to spokeswoman Rosa Alfonso. "It's our practice not to go into those details about security, just as we don't go into the details of our fraud modeling techniques."
The New York financial services company offers some general information about contactless card security features on its Web site, she said, but "it's never prudent to provide these insights into our security practices."
Though it is technically possible to skim data from contactless cards, the cards' chips assign a unique, sequential code to each transaction; anyone who obtained account data from a contactless card would have only one such code and, therefore, could use it only once. And because the codes are generated by the cards in sequence, if the cardholder uses the card before the criminal does, the stolen data would hit the card network out of sequence, sending up a red flag for fraud.
Magnetic stripe cards cannot create such ever-changing codes, though Visa U.S.A. has said it is interested in developing one that could.
Mohammad Khan, the founder and president of ViVOtech Inc., a Santa Clara, Calif., provider of contactless chips and readers, said banks have good reason to be wary of discussing the improvements in contactless security.
"They are in a tough situation, where they cannot talk too much about this," he said, because emphasizing the capabilities of contactless cards "implies that mag-stripe is not secure."
Banks prefer to discuss security methods that apply to both types of cards, like zero liability, because "the idea is not to put down current technology," he said.
Still, banks are not losing potential customers by dancing around the security issue, he said. "The good news about contactless is, it has so many other value propositions," like speed and convenience.
And if security does becomes more important to consumers, banks can still talk it up just as they have emphasized their efforts to improve data security by stressing that these developments make the whole system more secure.
Avivah Litan, a vice president and research director at the Stamford, Conn., market research company Gartner Inc., agreed that people might question the security of magnetic stripe cards if banks stressed the new technology.
For this reason, issuers "don't want to call to consumers' attention any security issues," she said.
James Van Dyke, the principal and founder of Javelin Strategy and Research in Pleasanton, Calif., warned that a successful scam aimed at contactless cards could lead people to question the technology's safety if they have not been educated about its inherent security.
"Where we are right now sort of reminds me of where we were with phishing in 1998," he said. Banks were not proactive, so they were unprepared when consumers began expressing strong concern about the security of banking online.
"They need to expect people to be worried about it," he said. "They need to be leading with … [security] so that they don't get surprised [as] banks were with phishing."
He also said that many customers are interested in hearing about security features. "Issuers often go too quickly to just the guarantee" of zero liability, he said. "Issuers and banks overestimate the exclusive importance of that.
"If the payment method is new … every single time, hands down, the consumer or the business customer will worry about security, so you have to mention it somewhere."
JPMorgan has a frequently asked questions document on ChaseBlink.com that addresses the cards' security capabilities.
Mr. Van Dyke said the section explains contactless cards' enhanced security well, but he said this is not given enough prominence in the document.
The document's mention of zero liability is far more prominently placed, at the top of the document, while its description of the security feature is on the third and final page.
"They did put it pretty far down there," Mr. Van Dyke said. Even so, someone who reads that far will get a good description of the technology, he said.
