Following a series of fraudulent purchases, a convenience store chain has temporarily halted its contactless payment system. Stewart’s Shops disabled its tap-to-pay technology in mid-October. However, experts suggest the decision may be an overreaction to a software glitch, emphasizing that tap-to-pay remains a secure payment method for consumers.
According to Stewart’s, criminals used tap-to-pay to make sizable purchases, allegedly with stolen or fraudulent credit cards. Although the transactions went through as if they were legitimate, the payments ultimately failed to process.
Stewart’s operates more than 350 stores across upstate New York and Vermont; the scams were reported at stores in Ulster and Orange counties. In response, the company promptly disabled tap-to-pay functionality across all locations, and it is actively working to restore the service.
According to Don Apgar, Director of Merchant Services at Javelin Strategy & Research, the issue was likely a result of something other than a weakness in tap-to-pay technology. “It is very hard to drive fraud through contactless payments given the security that is built into the interface,” he said.
Compliance Is Key
Apgar noted that, in most cases, stores are not held responsible for fraudulent transactions. Merchants bear no liability for contactless transactions as long as their systems comply with PCI-DSS security standards.
“If these fraud transactions were straight-up stolen cards, then the issuers absorb that fraud,” Apgar said. “If the cards were not stolen, but cloned or fraudulent somehow, they may have had inside knowledge to exploit some non-compliant weakness in Stewart’s contactless terminals. In that case, the merchant would be liable for the fraud if their card platform was not PCI-DSS compliant.”
And that may be the case with what happened at Stewart’s. “It’s a software bug, not a breach,” Stewart’s spokesman Robin Cooper told the Albany Times-Union. “None of our customers’ information is in jeopardy.”
A Safer Method
In general, tap-to-pay is considered a safer alternative to inserting a card at a gas pump. The FBI has even issued a bulletin encouraging consumers to use tap-to-pay for gas and similar purchases, noting that “tap-to-pay transactions are more secure and less likely to be compromised.”
Skimming, however, remains a serious concern for retailers. This crime involves devices illegally installed on or inside ATMs, point-of-sale terminals, or fuel pumps that capture card data and record cardholders’ PINs. According to the FBI, skimming costs financial institutions and consumers more than $1 billion each year.