What are Contactless Payments?
Contactless payments are transactions made by tapping or holding a payment card, smartphone, or wearable device near a contactless-enabled terminal. They use Near Field Communication (NFC) technology to transmit payment data wirelessly over a short range, without inserting the card or entering a PIN.
Contactless payments let you pay by tapping or holding a card, phone, or wearable device near a payment terminal -- no PIN entry, no signature, no swiping. The transaction completes in a fraction of a second using short-range wireless technology called near-field communication (NFC) or, in some cases, radio-frequency identification (RFID).
In the UK, contactless has become the default way to pay in person. The vast majority of in-store card payments are now contactless, and the spending limit has risen steadily -- from the original 20 pounds in 2007 to 100 pounds today. For digital wallet payments through Apple Pay or Google Pay, there is no fixed spending limit because the device provides its own authentication.
How Contactless Payments Work
The Technology
Contactless cards and devices contain a small antenna and a chip that communicate with the payment terminal using NFC. When you tap your card or phone within a few centimetres of the reader, the chip transmits an encrypted, one-time-use token to the terminal. This token authorises the specific transaction without revealing the full card number.
The entire exchange happens in under half a second. The terminal sends the token to the acquirer, which forwards it through the card network (Visa, Mastercard, etc.) to the issuing bank for approval. The response comes back in real time, and the payment is confirmed.
Card vs Device
Physical contactless cards use a static chip that generates a unique cryptogram for each transaction. Digital wallets on phones and watches go further -- they use dynamic device tokens combined with biometric or PIN authentication on the device itself. This makes device-based contactless payments more secure than card-based ones, because the customer actively authenticates before each tap.
Security of Contactless Payments
Contactless payments are often perceived as less secure because they seem too easy -- just tap and go. In reality, multiple security layers protect each transaction:
- One-time cryptograms: Each tap generates a unique code. Even if someone intercepted the data, it could not be reused for another transaction.
- Spending limits: Physical card contactless is capped at 100 pounds in the UK. After a certain number of consecutive contactless payments, the terminal will require a PIN to verify the cardholder is present.
- Fraud monitoring: Card issuers monitor contactless transactions in real time and will block the card if suspicious patterns are detected.
- Limited range: NFC works only within a few centimetres, making it extremely difficult for someone to skim your card from a distance -- despite popular myths to the contrary.
For device-based payments (Apple Pay, Google Pay), security is even stronger because biometric authentication or a device PIN is required before each payment. If your phone is stolen, the thief cannot use your wallet without your fingerprint or face.
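The one-time cryptogram and spending-limit checks described above can be modelled in a few lines. This is an added example, not code from the original page or from any card scheme: HMAC-SHA256 stands in for the card's real cryptogram algorithm, one hypothetical `Authoriser` class merges the terminal and issuer checks, and the five-tap threshold is an assumed value.

```python
import hashlib
import hmac
from dataclasses import dataclass
CARD_LIMIT_PENCE = 100_00   # per-tap card cap stated on the page (100 pounds)
MAX_TAPS_WITHOUT_PIN = 5    # assumed; the page only says "a certain number"

def cryptogram(key: bytes, atc: int, amount: int, nonce: bytes) -> bytes:
    # HMAC-SHA256 stand-in for the card's per-transaction cryptogram.
    data = atc.to_bytes(2, "big") + amount.to_bytes(6, "big") + nonce
    return hmac.new(key, data, hashlib.sha256).digest()[:8]

@dataclass
class Card:
    key: bytes
    atc: int = 0  # transaction counter, incremented on every tap
    def tap(self, amount: int, nonce: bytes) -> dict:
        self.atc += 1
        return {"atc": self.atc, "amount": amount, "nonce": nonce,
                "ac": cryptogram(self.key, self.atc, amount, nonce)}

@dataclass
class Authoriser:
    key: bytes
    last_atc: int = 0
    taps_since_pin: int = 0
    def authorise(self, msg: dict, pin_verified: bool = False) -> str:
        expected = cryptogram(self.key, msg["atc"], msg["amount"], msg["nonce"])
        if not hmac.compare_digest(expected, msg["ac"]):
            return "DECLINE: bad cryptogram"
        if msg["atc"] <= self.last_atc:
            return "DECLINE: counter already used"
        over = msg["amount"] > CARD_LIMIT_PENCE
        if not pin_verified and (over or self.taps_since_pin >= MAX_TAPS_WITHOUT_PIN):
            return "PIN REQUIRED"
        self.last_atc = msg["atc"]
        self.taps_since_pin = 0 if pin_verified else self.taps_since_pin + 1
        return "APPROVE"

def demo() -> list:
    key = b"constructed-demo-key"  # constructed sample key, not a real card key
    card, auth = Card(key), Authoriser(key)
    first = card.tap(450, b"\x00\x00\x00\x01")
    out = [auth.authorise(first),                      # genuine tap
           auth.authorise(first),                      # replay of captured data
           auth.authorise(dict(first, amount=9000))]   # captured data, amount altered
    out += [auth.authorise(card.tap(300, b"\x00\x00\x00\x02")) for _ in range(5)]
    out.append(auth.authorise(card.tap(300, b"\x00\x00\x00\x03"), pin_verified=True))
    return out
```

Calling `demo()` shows the genuine tap approved, the replayed and altered copies declined, and the sixth consecutive tap held for a PIN until the cardholder verifies.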
Contactless Payments and PCI DSS
From a merchant compliance perspective, contactless payments handled through a PCI-compliant terminal generally reduce risk. The terminal manages the encryption and tokenisation, and the merchant never sees the raw card number. However, the terminal itself and its network connection still fall within PCI DSS scope and must meet security requirements.
The compliance picture becomes more complex when a business accepts payments across multiple channels -- contactless in-store, cards over the phone, and payments online. Each channel has its own PCI DSS considerations, and the overall scope depends on how card data flows through each one.
Contactless vs Other Payment Methods
Contactless vs Chip-and-PIN
Chip-and-PIN requires inserting the card and entering a four-digit code. It is more secure for high-value transactions because the PIN confirms the cardholder's identity. Contactless trades a small amount of that verification strength for significantly faster checkout -- particularly effective for low-value, high-frequency payments like coffee shops and public transport.
Contactless vs Phone Payments
Contactless is an in-person technology. Telephone payments are a card-not-present channel where the customer provides their details verbally or by keypad. The security considerations are very different -- contactless relies on hardware encryption and physical proximity, while phone payments require DTMF masking, tokenisation, or payment links to protect card data in the voice channel.
The Growth of Contactless
The UK has been one of the fastest adopters of contactless globally. Transport for London's decision to accept contactless on the Tube in 2014 was a tipping point, proving the technology worked at scale. The COVID-19 pandemic dramatically accelerated adoption, as both consumers and businesses sought to minimise physical contact. Today, many businesses have gone entirely cashless, accepting only card and contactless payments.
Globally, the trend is similar. Markets in Europe, Australia, and parts of Asia have reached very high contactless penetration. The United States has been slower to adopt, partly due to the later rollout of chip cards, but adoption is accelerating rapidly.
Limitations of Contactless
Contactless works brilliantly for quick in-person transactions, but it does not cover every payment scenario. It cannot be used for remote payments -- whether online, over the phone, or via invoice. Businesses that serve customers across multiple channels need complementary payment methods. A retailer might use contactless in-store, payment links for phone orders, and a checkout page for online sales -- each secured appropriately for its channel.
Contactless payments cover the in-person channel, but many businesses also need to accept payments over the phone, by email, or through SMS. Paytia complements contactless by securing the telephone payment channel -- where contactless technology cannot reach. Using DTMF suppression for agent-assisted calls and payment links for remote payments, Paytia ensures businesses can accept payments securely across every channel, not just in person.
For businesses that already accept contactless in-store, adding Paytia for phone payments means achieving consistent PCI DSS compliance across both channels without increasing the scope of their cardholder data environment.
Frequently Asked Questions
What is the contactless payment limit in the UK?
The limit for physical contactless cards in the UK is 100 pounds per transaction. Payments made through digital wallets like Apple Pay or Google Pay do not have a fixed limit because the device provides its own authentication, though individual merchants may set their own caps.
Is contactless payment safe?
Yes. Each tap generates a unique one-time cryptogram that cannot be reused. Physical cards have spending limits and periodic PIN checks, while device wallets require biometric or PIN authentication before each payment. NFC only works within a few centimetres, making remote skimming practically impossible.
Can contactless payments be used for phone orders?
No. Contactless is an in-person technology that requires the card or device to be physically near a payment terminal. For phone payments, businesses use alternatives like DTMF masking for secure keypad entry or payment links that customers can open on their devices.