NFC security 101: A guide for businesses using contactless payments


Accept payments online, in person, and around the world with a payments solution built for any business – from scaling startups to global enterprises.

Learn more 
  1. Introduction
  2. Key features of NFC payments
  3. How do NFC payments work?
  4. What security measures do NFC payments have?
  5. Threats and risks with NFC payments
    1. Known vulnerabilities and attack vectors
    2. Real-world scenarios of security breaches
  6. NFC security: How to mitigate risks and vulnerabilities
    1. For small businesses
    2. What to look for when choosing a card terminal provider

NFC payments, which rely on near-field communication technology, are a type of contactless payment method. They use a short-range wireless technology that allows two devices, such as a smartphone and a payment terminal, to communicate when they're only a few centimetres apart. This technology is embedded in many modern smartphones and payment cards and has proliferated in recent years: in 2022, 85% of consumers across nine countries used an NFC contactless card or mobile payment wallet.

With their quick tap-and-go process, NFC payments are reshaping the checkout experience. They are also part of a larger shift toward simple payment solutions to meet modern customer expectations for convenience. But they're not just convenient – NFC payment technology is an industry leader in enabling ultra-quick transactions while maintaining high-security standards.

As digital wallets and wearable tech become more prevalent, NFC payments are quickly becoming the default option in a growing number of payment situations. But in the rush to adopt this popular payment method, businesses can't ignore security. For NFC payments, here's what you need to know about creating a secure experience.

What's in this article?

  • Key features of NFC payments
  • How do NFC payments work?
  • What security measures do NFC payments have?
  • Threats and risks with NFC payments
  • NFC security: How to mitigate risks and vulnerabilities

Key features of NFC payments

NFC payments have several key features that make them a popular choice for both customers and businesses. Here's a quick look at these features:

  • Contactless communication
    One of the most prominent aspects of NFC payments is their ability to facilitate transactions without physical contact. The technology enables two devices – an NFC-enabled payment device (such as a smartphone or card) and a payment terminal – to exchange data when they are close to each other.

  • Speed and convenience
    NFC transactions are typically faster than traditional payment methods. The customer simply has to bring their device close to the terminal, and the transaction completes in seconds. This speed contributes to a smoother and more convenient checkout process.

  • Security
    NFC payments are generally considered secure. They often incorporate encryption to protect sensitive information such as credit card numbers. Additionally, many smartphones require authentication (such as a fingerprint scan or a passcode) before the payment is processed, adding another layer of security.

  • Versatility and integration
    NFC technology is versatile and can be integrated into a variety of devices, including smartphones, smartwatches and payment cards. This integration allows customers to pay with the device that best suits their needs and preferences.

  • Widespread compatibility
    As NFC technology becomes more prevalent among customers, an increasing number of businesses are adopting NFC-compatible payment terminals. Contactless payments occur at a variety of locations, from large retailers to small local businesses.

  • Digital wallet support
    NFC technology is a key component in many digital wallets, such as Apple Pay, Google Pay and Samsung Pay. These wallets allow customers to securely store details for multiple cards on their devices, giving them the flexibility to choose between accounts or cards for different transactions.

  • Transaction history and recordkeeping
    Customers can easily keep track of their transactions when conducting NFC payments through their digital wallets, which typically provide a detailed transaction history.

  • Reduced wear and tear
    As NFC payments don't require physical contact, there's less wear and tear on both the customer's payment device (such as a card) and the business's hardware (such as a card reader), potentially increasing the life span for these devices.

How do NFC payments work?

NFC payments use a combination of hardware and software technologies to facilitate secure, convenient transactions. Here's how this process typically works:

  • NFC chip activation
    The process begins when an NFC-enabled device, such as a smartphone or a payment card with an NFC chip, is activated. Activation usually occurs when the customer brings the device near an NFC-enabled payment terminal. In smartphones, this activation might also require user authentication via passcode, fingerprint or facial recognition.

  • Communication establishment
    Once the NFC chip is activated, it starts communicating with the payment terminal. This communication happens through radio waves. NFC operates at a frequency of 13.56 MHz, and the range of communication is typically within 4 cm. This short range is a security feature, as it prevents unwanted interception of the data being transmitted.

  • Data transmission
    During the communication, the NFC device transmits data to the payment terminal. This data includes the payment information needed to process the transaction, such as payment amount, card details and other relevant information. This data transmission is encrypted to protect sensitive information.

  • Payment processor involvement
    Once the payment terminal receives the data, it sends the information to the payment processor, which is responsible for verifying the transaction details with the bank or card issuer associated with the device that made the payment.

  • Authentication and authorisation
    The bank or card issuer receives the transaction request and checks for authenticity and sufficient funds or credit. This includes verifying the card details and ensuring that the transaction adheres to any set limits or restrictions.

  • Transaction approval or decline
    After verification, the bank or card issuer either approves or declines the transaction. This decision is then communicated back through the payment processor to the payment terminal.

  • Completion of transaction
    If the transaction is approved, the payment terminal completes the process and typically displays a confirmation message. If it's a smartphone or similar device, the NFC device may also receive a confirmation notification.

  • Record-keeping
    The transaction details are recorded by the business's payment system and – in the case of smartphones or digital wallets – on the customer's device. This supports easy tracking and management of transaction history.

The NFC transaction process emphasises security and speed. Data encryption and device authentication help ensure that NFC payments are secure, while the simplicity and speed of the process make it a convenient option for both customers and businesses.

What security measures do NFC payments have?

NFC payments incorporate several security measures to protect against fraud and unauthorised access. These measures include:

  • Encryption
    When data is transmitted between the NFC device (such as a smartphone or card) and the payment terminal, it is encrypted. This encryption converts the information into a secure code, which helps prevent unauthorised parties from intercepting sensitive details such as card numbers and transaction amounts.

  • Tokenisation
    Many NFC payment systems use tokenisation. Instead of transmitting the actual card number, a unique digital token is used. Though it represents the card number, this token is useless if intercepted, as it cannot be used beyond the specific transaction for which it was generated.

  • Short-range communication
    The very nature of NFC – short-range communication technology – adds a layer of security. As the device must be within a few centimetres of the terminal for the transaction to occur, it reduces the likelihood of unintended or unauthorised devices intercepting the data.

  • Device authentication
    Smartphones and other devices often require authentication to complete an NFC payment. This could be in the form of a passcode, fingerprint or facial recognition, and it guarantees that the rightful owner of the device is initiating the transaction.

  • Dynamic authentication codes
    Each transaction generates a unique authentication code. Even if a transaction detail is intercepted, it cannot be reused for another transaction, reducing the risk of fraudulent repeated transactions.

  • Secure element
    Many smartphones with NFC capabilities have a secure element – a dedicated chip that stores payment information securely. This chip is isolated from the phone's main operating system, adding an extra layer of protection in case of hacking.

  • Transaction limits
    Some banks and financial institutions set limits on NFC transactions to reduce the risk of large fraudulent transactions. If the transaction amount exceeds this limit, traditional methods of authentication, such as a PIN entry, may be required.

  • Real-time fraud monitoring
    Banks and payment processors often monitor transactions in real time for suspicious activity. If they detect unusual patterns, these institutions can take immediate action, such as declining the transaction or contacting the customer.

  • Customer verification requests
    In some cases – especially for large transactions – the payment system might ask for additional customer verification, such as entering a PIN or signing a receipt.

When they work together, these security measures provide a multilayered defence against various types of fraud and unauthorised access.

Threats and risks with NFC payments

While NFC payments provide a strong security buffer, they are not immune to potential threats. Here are some of the vulnerabilities and risks associated with NFC payments.

Known vulnerabilities and attack vectors

  • Eavesdropping
    In the context of NFC payments, eavesdropping means an unauthorised device picks up the NFC signal during a transaction. As NFC is a form of radio communication, it's theoretically possible for someone to intercept the data if they have the right equipment and are within range.

  • Data modification
    During the brief moment of data transmission, a sophisticated attacker could potentially alter the communication between the NFC device and the terminal. This could lead to the wrong amount being charged or the payment being directed to a different recipient.

  • Lost and stolen devices
    If an NFC-enabled device is lost or stolen and the owner has not secured it with a PIN or biometric lock, there is a risk of unauthorised transactions. Even if it is equipped with a secure element, the period of time between losing the device and reporting it could be exploited.

  • Relay attacks
    Relay attacks occur when an attacker uses a device capable of NFC communication to intercept and relay data between a legitimate NFC-enabled device (such as a smartphone or credit card) and a payment terminal. The attacker's device acts as an intermediary, capturing the information from the legitimate device and transmitting it to the payment terminal.

  • Skimming
    Skimmers can create a fraudulent payment terminal or modify an existing one to capture information from any NFC-enabled device that interacts with it. They can then use the collected data to clone cards or conduct unauthorised transactions.

Real-world scenarios of security breaches

  • Fraudulent terminals
    There have been instances where businesses have been defrauded by individuals installing terminals that skim data from customers' NFC payments, leading to information theft.

  • Targeted attacks on individuals
    High-profile individuals or those perceived to have significant funds could be targeted for NFC-related attacks (such as eavesdropping or relay attacks), especially in crowded public spaces.

  • Software vulnerabilities
    In some cases, fraudulent actors could exploit security flaws in the software of NFC-enabled devices or terminals to gain unauthorised access to funds or payment information.

NFC security: How to mitigate risks and vulnerabilities

There are a variety of solutions businesses can use to limit their exposure to fraud and unauthorised access. Small businesses selecting a card terminal provider should especially be aware of how to mitigate risks and vulnerabilities.

Here are some ways to proactively protect your business and your customers.

For small businesses

  • Educate staff
    Teach employees about NFC technology and the common threats. This includes recognising suspicious behaviour or devices that could indicate that card terminals have been tampered with.

  • Maintain regular updates and patches
    Ensure that the payment terminal software is up to date. Software updates can fix vulnerabilities that could be exploited by attackers.

  • Implement secure configuration
    Set up terminals and devices to request a PIN for transactions over a certain amount. This can prevent large fraudulent transactions in case the NFC-enabled device is compromised.

  • Incorporate physical security
    Keep terminals in a location where staff can always see them, reducing the risk of tampering.

  • Monitor transactions
    Keep an eye on transaction records for any irregular activity. Quick detection of unusual patterns can prevent further unauthorised transactions.

  • Use trusted providers
    Choose payment terminals from providers with a good reputation for security and customer service.

What to look for when choosing a card terminal provider

  • Security incidents
    Look into the provider's history with security. Read reviews and case studies to see how it has handled past security issues.

  • Compliance with standards
    Double-check that the provider complies with industry security standards, such as the Payment Card Industry Data Security Standard (PCI DSS).

  • Security features
    Look for providers with terminals that have advanced security features, such as end-to-end encryption and tokenisation.

  • Support and responsiveness
    Choose a provider that provides strong customer support and can respond quickly to any security issues that may arise.

  • Transparent policies
    Providers should have clear policies about data handling, privacy and the measures it takes to protect transaction data.

By following these strategies – and choosing partners that prioritise security as much as you do – you can substantially reduce the risks associated with NFC payments.

If you accept NFC payments using Stripe, learn more about how Stripe makes them more secure.

Ready to get started?

Create an account and start accepting payments – no contracts or banking details required. Or, contact us to design a custom package for your business.